#!/bin/bash
### BEGIN INIT INFO
# Provides: firewall
# Required-Start: $remote_fs $syslog
# Required-Stop: $remote_fs $syslog
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: firewall init script
# Description: An init script for Graphite's carbon-cache daemon.
### END INIT INFO
# configure /etc/network/interfaces
#
# modification du 07/11/2014 - Eric Bourderau :
# - ajout du port 8080 dans "TCP_SERVICES"
# - limitation de la source aux adresses privées
#
# ---------------------------------------------------------------------------
# Configuration
# ---------------------------------------------------------------------------
# Names printed by load_rules / flush_rules.
NAME=firewall
DESC=Firewall
# iptables binary used for every rule in this script.
IPT=/sbin/iptables
# Space-separated lists of ports or service names opened for NEW connections
# from ANY source (the lists are word-split in load_rules).
TCP_SERVICES=ssh
UDP_SERVICES=
# Feature switches; only the literal string "yes" enables them.
nat_enable=no    # masquerade outgoing traffic on WAN_VLAN
ping_enable=yes  # accept ICMP echo-request
# Interface that gets the MASQUERADE rule when nat_enable=yes.
WAN_VLAN=eth0
# Source range allowed to open ANY new TCP/UDP connection, whatever the port.
MYNET=46.105.237.64/28
# Not referenced anywhere else in this script.
rule_dir=/etc/firewall/
# NAT internal IPs to external IPs
# Load all rules
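#######################################
# Flush the filter table and install the full rule set.
# Globals:   DESC, NAME, IPT, nat_enable, ping_enable, WAN_VLAN, MYNET,
#            TCP_SERVICES, UDP_SERVICES (all read)
# Arguments: none
# Outputs:   "Starting $DESC: $NAME" on stdout; fail2ban warning on stderr
# Returns:   status of the last command run
#######################################
load_rules() {
  local svc
  printf 'Starting %s: ' "$DESC"
  ##### flush #####
  # -F/-X act on the filter table only: a MASQUERADE rule added below survives
  # a plain "start" and is only removed by flush_rules (nat POSTROUTING).
  $IPT -F
  $IPT -X
  # enable NAT
  if [ "$nat_enable" = "yes" ]; then
    # Masquerading alone does not pass traffic: the FORWARD policy is set to
    # DROP below and this script adds no FORWARD ACCEPT rule, so forwarding
    # for the internal side still has to be allowed elsewhere.
    $IPT -A POSTROUTING -t nat -o "$WAN_VLAN" -j MASQUERADE
  fi
  ##### stateful ####
  $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPT -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  ##### Policy #####
  # Drop everything by default. The OUTPUT policy is deliberately left as is.
  $IPT -P INPUT DROP
  $IPT -P FORWARD DROP
  #### INPUT ####
  # Enable loopback
  $IPT -A INPUT -i lo -j ACCEPT
  $IPT -A OUTPUT -o lo -j ACCEPT
  # Whitelist my network: every NEW TCP/UDP connection from MYNET is accepted,
  # regardless of destination port.
  $IPT -A INPUT -p tcp -m state --state NEW -s "$MYNET" -j ACCEPT
  $IPT -A INPUT -p udp -m state --state NEW -s "$MYNET" -j ACCEPT
  # Open TCP services input (word-splitting of the list is intended)
  # shellcheck disable=SC2086
  for svc in $TCP_SERVICES; do
    $IPT -A INPUT -p tcp --dport "$svc" -m state --state NEW -j ACCEPT
  done
  # Open UDP services input
  # shellcheck disable=SC2086
  for svc in $UDP_SERVICES; do
    $IPT -A INPUT -p udp --dport "$svc" -m state --state NEW -j ACCEPT
  done
  # Enable Ping
  if [ "$ping_enable" = "yes" ]; then
    $IPT -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
  fi
  # Log invalid packets, rate-limited so a flood of them cannot fill the log.
  # They are not accepted here and so fall through to the INPUT DROP policy.
  $IPT -A INPUT -m state --state INVALID \
    -m limit --limit 5/min --limit-burst 10 \
    -j LOG --log-prefix "INVALID:" --log-level warning
  echo "$NAME"
  # -F/-X above removed fail2ban's chains and jumps; restart it so they are
  # rebuilt. Skipped when fail2ban is not installed, reported if it fails.
  if [ -x /etc/init.d/fail2ban ]; then
    /etc/init.d/fail2ban restart \
      || printf 'warning: fail2ban restart failed\n' >&2
  fi
}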
# Clean all tables
#######################################
# Flush the filter chains and the nat POSTROUTING chain and set every filter
# policy back to ACCEPT: after this the host accepts all traffic again.
# Globals:   DESC, NAME, IPT (read)
# Arguments: none
# Outputs:   "Stopping $DESC: $NAME" on stdout
#######################################
flush_rules() {
  local chain
  printf 'Stopping %s: ' "$DESC"
  # Flush each chain, then open its policy (same order as before: INPUT,
  # OUTPUT, FORWARD).
  for chain in INPUT OUTPUT FORWARD; do
    $IPT -F "$chain"
    $IPT -P "$chain" ACCEPT
  done
  $IPT -t nat -F POSTROUTING
  echo "$NAME"
}
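# Entry point: dispatch on the init action given as $1.
case "$1" in
  start)
    load_rules
    ;;
  stop)
    flush_rules
    ;;
  restart|force-reload)
    # Between the two calls every filter policy is ACCEPT, so the host is
    # briefly open; load_rules then re-installs the DROP policies.
    flush_rules
    load_rules
    ;;
  *)
    # Unknown or missing action: usage goes to stderr and the exit status is
    # non-zero (LSB: 2 = invalid argument) so init tooling does not treat it
    # as success.
    echo "Usage: firewall.sh start|stop|restart|force-reload" >&2
    exit 2
    ;;
esac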