@ -4,6 +4,8 @@ set -e
@@ -4,6 +4,8 @@ set -e
|
|
|
|
|
|
|
|
|
|
figlet "Mistborn: Configuring Firewall" |
|
|
|
|
|
|
|
|
|
source ./scripts/subinstallers/vars.sh |
|
|
|
|
|
|
|
|
|
echo "stop iptables wrappers" |
|
|
|
|
if [ "$DISTRO" == "ubuntu" ]; then |
|
|
|
|
# Disable UFW |
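Review bot: `source ./scripts/subinstallers/vars.sh` is a relative path, so this script only works when launched from the repository root, and if vars.sh fails to define DISTRO the test `if [ "$DISTRO" == "ubuntu" ]; then` silently evaluates false under `set -e`, leaving UFW enabled alongside the raw iptables rules that follow (two firewall managers on one host). Add a guard right after the source line, `: "${DISTRO:?vars.sh did not set DISTRO}"`, and consider resolving the path from `$(dirname "${BASH_SOURCE[0]}")` so the script is cwd-independent. Which of these lines the hunk adds cannot be recovered from this rendering; the `if` block opened here closes in the next hunk.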
|
|
|
|
@ -11,12 +13,6 @@ if [ "$DISTRO" == "ubuntu" ]; then
@@ -11,12 +13,6 @@ if [ "$DISTRO" == "ubuntu" ]; then
|
|
|
|
|
sudo systemctl disable ufw || true |
|
|
|
|
fi |
|
|
|
|
|
|
|
|
|
# default interface |
|
|
|
|
iface=$(ip -o -4 route show to default | egrep -o 'dev [^ ]*' | awk 'NR==1{print $2}') |
|
|
|
|
|
|
|
|
|
# real public interface |
|
|
|
|
riface=$(ip -o -4 route get 1.1.1.1 | egrep -o 'dev [^ ]*' | awk 'NR==1{print $2}') |
|
|
|
|
|
|
|
|
|
# resetting iptables |
|
|
|
|
sudo iptables -F |
|
|
|
|
sudo iptables -t nat -F |
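Review bot: `iface=$(ip -o -4 route show to default | egrep -o 'dev [^ ]*' | awk 'NR==1{print $2}')` yields an empty string when the host has no default route (the pipeline's last stage still exits 0, so `set -e` does not catch it), and the unquoted `-o $iface` in the MASQUERADE rule referenced by the next hunk header then runs with a shifted argument list and aborts the script after `sudo iptables -F` has already wiped the existing rule set. Guard it directly after the assignment: `[[ -n "$iface" ]] || { echo "no default-route interface found" >&2; exit 1; }`. Flushing before the new rules are installed also leaves a window in which the host runs with whatever default policies are in place; writing the rule set to a file and loading it atomically with `iptables-restore` would avoid that. `egrep` is deprecated in current grep releases; `grep -Eo` is the drop-in replacement. Whether the `riface=` pair survives on the new side cannot be recovered from this rendering.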
|
|
|
|
@ -73,54 +69,3 @@ sudo iptables -t nat -I POSTROUTING -o $iface -j MASQUERADE
@@ -73,54 +69,3 @@ sudo iptables -t nat -I POSTROUTING -o $iface -j MASQUERADE
|
|
|
|
|
# sudo iptables -t nat -I POSTROUTING -o $riface -j MASQUERADE |
|
|
|
|
#fi |
|
|
|
|
|
|
|
|
|
# resetting ip6tables rules |
|
|
|
|
sudo ip6tables -F |
|
|
|
|
sudo ip6tables -t nat -F |
|
|
|
|
sudo ip6tables -X MISTBORN_LOG_DROP 2>/dev/null || true |
|
|
|
|
|
|
|
|
|
# ip6tables: log and drop chain |
|
|
|
|
sudo ip6tables -N MISTBORN_LOG_DROP |
|
|
|
|
sudo ip6tables -A MISTBORN_LOG_DROP -m limit --limit 6/min -j LOG --log-prefix "[Mistborn-IPTables-Dropped]: " --log-level 4 |
|
|
|
|
sudo ip6tables -A MISTBORN_LOG_DROP -j DROP |
|
|
|
|
|
|
|
|
|
# ip6tables |
|
|
|
|
echo "Setting ip6tables rules" |
|
|
|
|
sudo ip6tables -P INPUT ACCEPT |
|
|
|
|
sudo ip6tables -I INPUT -i lo -j ACCEPT |
|
|
|
|
sudo ip6tables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT |
|
|
|
|
sudo ip6tables -A INPUT -j MISTBORN_LOG_DROP |
|
|
|
|
|
|
|
|
|
sudo ip6tables -P INPUT DROP |
|
|
|
|
sudo ip6tables -P FORWARD DROP |
|
|
|
|
sudo ip6tables -P OUTPUT ACCEPT |
|
|
|
|
|
|
|
|
|
# iptables-persistent |
|
|
|
|
if [ ! "$(dpkg-query -l iptables-persistent)" ]; then |
|
|
|
|
echo "Installing iptables-persistent" |
|
|
|
|
|
|
|
|
|
# answer variables |
|
|
|
|
echo iptables-persistent iptables-persistent/autosave_v4 boolean true | sudo debconf-set-selections |
|
|
|
|
echo iptables-persistent iptables-persistent/autosave_v6 boolean true | sudo debconf-set-selections |
|
|
|
|
|
|
|
|
|
# install |
|
|
|
|
sudo -E apt-get install -y iptables-persistent ipset |
|
|
|
|
else |
|
|
|
|
echo "Saving iptables rules" |
|
|
|
|
sudo bash -c "iptables-save > /etc/iptables/rules.v4" |
|
|
|
|
echo "Saving ip6tables rules" |
|
|
|
|
sudo bash -c "ip6tables-save > /etc/iptables/rules.v6" |
|
|
|
|
fi |
|
|
|
|
|
|
|
|
|
# IP forwarding |
|
|
|
|
sudo sed -i 's/.*net.ipv4.ip_forward.*/net.ipv4.ip_forward=1/' /etc/sysctl.conf |
|
|
|
|
|
|
|
|
|
# VM Overcommit Memory |
|
|
|
|
sudo grep -i "vm.overcommit_memory" /etc/sysctl.conf && sudo sed -i 's/.*vm.overcommit_memory.*/vm.overcommit_memory=1/' /etc/sysctl.conf || echo "vm.overcommit_memory=1" | sudo tee -a /etc/sysctl.conf |
|
|
|
|
|
|
|
|
|
# Force re-read of sysctl.conf |
|
|
|
|
sudo sysctl -p /etc/sysctl.conf |
|
|
|
|
|
|
|
|
|
# rsyslog to create /var/log/iptables.log |
|
|
|
|
sudo cp ./scripts/conf/15-iptables.conf /etc/rsyslog.d/ |
|
|
|
|
sudo chown root:root /etc/rsyslog.d/15-iptables.conf |
|
|
|
|
sudo systemctl restart rsyslog |
|
|
|
|
|