Script to check iptables rules for outbound access when using ipfs
#!/bin/bash
# Add iptables DROP rules so that traffic to private (RFC 1918) address ranges
# cannot leave this host; written for hosts running ipfs (see gist description).
# Must be run as root. Offers to install iptables-persistent so the rules
# survive a reboot.

# Private IPv4 ranges (RFC 1918) that are blocked as destinations.
declare -a RFC1918=(
  '10.0.0.0/8'
  '172.16.0.0/12'
  '192.168.0.0/16'
)
# Chains that receive the DROP rules. OUTPUT covers traffic originating on the
# host itself; DOCKER-USER is appended later if docker is present and the
# operator opts in.
declare -a IPTCHAINS=('OUTPUT')
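#######################################
# Print a message wrapped in an ANSI colour sequence, then reset the colour.
# Arguments: $1 - colour escape in backslash form (e.g. '\033[1;34m')
#            $2 - message text, printed literally
# Outputs:   one coloured line on stdout
#######################################
format () {
  # %b interprets the escape sequence in $1; %s keeps the message literal, so a
  # message that starts with '-' or contains backslashes is not mangled the way
  # 'echo -e' would mangle it (echo's option/escape handling is not portable).
  printf '%b%s\033[0m\n' "$1" "$2"
}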
# Blue: a question for the operator.
# Arguments: $1 - message
ask () {
  local colour='\033[1;34m'
  format "$colour" "$1"
}
# Green: a step that completed.
# Arguments: $1 - message
success () {
  local colour='\033[0;32m'
  format "$colour" "$1"
}
# Yellow: informational / skipped step.
# Arguments: $1 - message
warn () {
  local colour='\033[1;33m'
  format "$colour" "$1"
}
# Red: an error or abort.
# Arguments: $1 - message
danger () {
  local colour='\033[0;31m'
  format "$colour" "$1"
}
# iptables needs root (CAP_NET_ADMIN); fail fast here rather than on every
# rule further down.
if (( EUID != 0 )); then
  danger "This script must be run as root" >&2
  exit 1
fi
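# Check if iptables-persistent is installed. netfilter-persistent is the
# command that package provides; without it the rules added below would be
# lost at the next reboot.
if ! command -v netfilter-persistent &> /dev/null; then
  warn "MISSING: iptables-persistent"
  ask "Install iptables-persistent?"
  select yn in "Yes" "No"; do
    case $yn in
      Yes)
        # Pre-seed debconf so the package install does not prompt and saves
        # the current v4/v6 rulesets automatically.
        printf '%s\n' 'iptables-persistent iptables-persistent/autosave_v4 boolean true' | sudo debconf-set-selections
        success "INSTALLED: IPV4 autosave debconf selection"
        printf '%s\n' 'iptables-persistent iptables-persistent/autosave_v6 boolean true' | sudo debconf-set-selections
        success "INSTALLED: IPV6 autosave debconf selection"
        warn "INSTALLING: iptables-persistent"
        # Only report INSTALLED when both apt-get steps succeed; otherwise the
        # later 'netfilter-persistent save' fails and the rules do not persist.
        if sudo apt-get update -qq > /dev/null && \
           sudo DEBIAN_FRONTEND=noninteractive apt-get install -qq iptables-persistent < /dev/null > /dev/null; then
          success "INSTALLED: iptables-persistent"
        else
          danger "FAILED: could not install iptables-persistent" >&2
          exit 1
        fi
        break ;;
      No)
        danger "Exiting..."
        exit ;;
    esac
  done
else
  warn "SKIPPED: iptables-persistent is already installed"
fi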
# Check if docker is installed and, if so, offer to cover the DOCKER-USER
# chain too (presumably because container traffic does not pass through
# OUTPUT, so the OUTPUT rules alone would not affect it — confirm).
if ! command -v docker &> /dev/null; then
  warn "SKIPPED: docker is not installed"
else
  warn "INFO: docker is installed"
  ask "Do you want to check DROP rules for docker as well?"
  select yn in "Yes" "No"; do
    [[ -z "$yn" ]] && continue   # invalid choice: select re-prompts
    if [[ "$yn" == "Yes" ]]; then
      IPTCHAINS+=('DOCKER-USER')
      success "ADDED: DOCKER-USER chain check"
    else
      warn "SKIPPED: DOCKER-USER chain check"
    fi
    break
  done
fi
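# Insert a DROP rule for every private range on every selected chain, skipping
# rules that already exist (-C) so re-runs are idempotent. Only IPv4 is
# handled here; ip6tables is not touched.
ADDED=0
for subnet in "${RFC1918[@]}"; do
  for chain in "${IPTCHAINS[@]}"; do
    if sudo iptables -C "$chain" -d "$subnet" -j DROP &> /dev/null; then
      warn "SKIPPED: $subnet DROP already configured on $chain"
    # -I puts the rule at the head of the chain, ahead of any existing rule
    # (including ESTABLISHED accepts), so the block takes precedence.
    elif sudo iptables -I "$chain" -d "$subnet" -j DROP; then
      success "ADDED: $subnet DROP on $chain"
      # Count only rules actually inserted so the save step and its summary
      # reflect what changed; a failed insert must not bump the counter.
      ADDED=$((ADDED + 1))
    else
      danger "FAILED: could not add $subnet DROP on $chain" >&2
    fi
  done
done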
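# Persist the ruleset only when something was added, so the rules survive a
# reboot. A failed save used to be silent; the rules would then be live until
# reboot and silently disappear afterwards, so report it and exit non-zero.
if (( ADDED > 0 )); then
  if sudo netfilter-persistent save &> /dev/null; then
    success "SAVED: $ADDED rules"
  else
    danger "FAILED: netfilter-persistent save (rules are active but not persisted)" >&2
    exit 1
  fi
else
  warn "SKIPPED: 0 rules were missing"
fi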