From a1e5c28c138fdc145be66e3db576243193804546 Mon Sep 17 00:00:00 2001 From: huyjaky Date: Mon, 25 Aug 2025 13:35:47 +0700 Subject: [PATCH] add scripts for server and client --- .../iptables_config/iptables_config_client.sh | 68 +++++++++++++++++ .../iptables_config/iptables_config_server.sh | 76 +++++++++++++++++++ README.md | 47 +----------- 3 files changed, 146 insertions(+), 45 deletions(-) create mode 100644 .config/iptables_config/iptables_config_client.sh create mode 100644 .config/iptables_config/iptables_config_server.sh diff --git a/.config/iptables_config/iptables_config_client.sh b/.config/iptables_config/iptables_config_client.sh new file mode 100644 index 0000000..263eb03 --- /dev/null +++ b/.config/iptables_config/iptables_config_client.sh 
@@ -0,0 +1,68 @@
+#!/bin/bash
+# IPv4/IPv6 Simple & Safe firewall ruleset using iptables/ip6tables
+# Equivalent to the provided nftables configuration
+
+# Flush existing rules
+iptables -F
+iptables -X
+iptables -t nat -F
+iptables -t nat -X
+iptables -t mangle -F
+iptables -t mangle -X
+
+ip6tables -F
+ip6tables -X
+ip6tables -t nat -F
+ip6tables -t nat -X
+ip6tables -t mangle -F
+ip6tables -t mangle -X
+
+# Set default policies
+iptables -P INPUT DROP
+iptables -P FORWARD DROP
+iptables -P OUTPUT ACCEPT
+
+ip6tables -P INPUT DROP
+ip6tables -P FORWARD DROP
+ip6tables -P OUTPUT ACCEPT
+
+# IPv4 Rules
+# Allow established and related connections
+iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT -m comment --comment "allow tracked connections"
+
+# Allow loopback traffic
+iptables -A INPUT -i lo -j ACCEPT -m comment --comment "allow from loopback"
+
+# Allow ICMP
+iptables -A INPUT -p icmp -j ACCEPT -m comment --comment "allow icmp"
+
+# Allow SSH
+iptables -A INPUT -p tcp --dport 22 -j ACCEPT -m comment --comment "allow sshd"
+
+# Open port ranges (WARNING: open ports)
+iptables -A INPUT -p tcp --dport 8501:8509 -j ACCEPT -m comment --comment "open port range 8501-8509"
+iptables -A INPUT -p tcp --dport 8511:8519 -j ACCEPT -m comment --comment "open port range 8511-8519"
+
+# IPv6 Rules
+# Allow established and related connections
+ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT -m comment --comment "allow tracked connections"
+
+# Allow loopback traffic
+ip6tables -A INPUT -i lo -j ACCEPT -m comment --comment "allow from loopback"
+
+# Allow ICMPv6
+ip6tables -A INPUT -p ipv6-icmp -j ACCEPT -m comment --comment "allow icmp v6"
+
+# Allow SSH
+ip6tables -A INPUT -p tcp --dport 23 -j ACCEPT -m comment --comment "allow sshd"
+
+# Open port ranges (WARNING: open ports)
+ip6tables -A INPUT -p tcp --dport 8501:8509 -j ACCEPT -m comment --comment "open port range 8501-8509"
+ip6tables -A INPUT -p tcp --dport 8511:8519 -j ACCEPT -m comment --comment "open port range 8511-8519"
+
+echo "Firewall rules applied successfully"
+echo "Current iptables rules:"
+iptables -L -n -v
+echo ""
+echo "Current ip6tables rules:"
+ip6tables -L -n -v
diff --git a/.config/iptables_config/iptables_config_server.sh b/.config/iptables_config/iptables_config_server.sh
new file mode 100644
index 0000000..156d462
--- /dev/null
+++ b/.config/iptables_config/iptables_config_server.sh
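Review bot: The IPv6 `allow sshd` rule near the end of the hunk accepts TCP 23 while the IPv4 rule above it accepts 22, so SSH over IPv6 hits the `-P INPUT DROP` policy unless sshd really listens on 23; the nftables ruleset this claims to be equivalent to used `tcp dport ssh` (22). Unless 23 is intentional, change the line to `ip6tables -A INPUT -p tcp --dport 22 -j ACCEPT -m comment --comment "allow sshd"`, and if it is intentional, say so in the comment the way the server script does. The script also runs without `set -euo pipefail` or a root check, so when run unprivileged every iptables call fails yet the final `echo "Firewall rules applied successfully"` still prints; add `set -euo pipefail` below the shebang and `[[ $EUID -eq 0 ]] || { echo "must run as root" >&2; exit 1; }`. Nothing here persists the rules, so they are gone after a reboot unless saved with `iptables-save`/`ip6tables-save` or `iptables.service`; a comment stating that would help. The README later in this patch tells the user to run `./.config/iptables_config.sh`, which matches neither script path this commit creates.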
@@ -0,0 +1,76 @@
+#!/bin/bash
+# IPv4/IPv6 Simple & Safe firewall ruleset using iptables/ip6tables
+# Equivalent to the provided nftables configuration
+
+# Flush existing rules
+iptables -F
+iptables -X
+iptables -t nat -F
+iptables -t nat -X
+iptables -t mangle -F
+iptables -t mangle -X
+ip6tables -F
+ip6tables -X
+ip6tables -t nat -F
+ip6tables -t nat -X
+ip6tables -t mangle -F
+ip6tables -t mangle -X
+
+# Set default policies
+iptables -P INPUT DROP
+iptables -P FORWARD DROP
+iptables -P OUTPUT ACCEPT
+ip6tables -P INPUT DROP
+ip6tables -P FORWARD DROP
+ip6tables -P OUTPUT ACCEPT
+
+# IPv4 Rules
+# Allow established and related connections
+iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT -m comment --comment "allow tracked connections"
+
+# Allow loopback traffic
+iptables -A INPUT -i lo -j ACCEPT -m comment --comment "allow from loopback"
+
+# Allow ICMP
+iptables -A INPUT -p icmp -j ACCEPT -m comment --comment "allow icmp"
+
+# Allow SSH
+iptables -A INPUT -p tcp --dport 23 -j ACCEPT -m comment --comment "allow sshd"
+
+# Allow AdGuard Home
+iptables -A INPUT -p tcp --dport 3000 -j ACCEPT -m comment --comment "allow adguard home"
+iptables -A INPUT -p tcp --dport 53 -j ACCEPT -m comment --comment "allow adguard home"
+iptables -A INPUT -p tcp --dport 80 -j ACCEPT -m comment --comment "allow adguard home"
+
+# Open port ranges (WARNING: open ports)
+iptables -A INPUT -p tcp --dport 8501:8509 -j ACCEPT -m comment --comment "open port range 8501-8509"
+iptables -A INPUT -p tcp --dport 8511:8519 -j ACCEPT -m comment --comment "open port range 8511-8519"
+
+# IPv6 Rules
+# Allow established and related connections
+ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT -m comment --comment "allow tracked connections"
+
+# Allow loopback traffic
+ip6tables -A INPUT -i lo -j ACCEPT -m comment --comment "allow from loopback"
+
+# Allow ICMPv6
+ip6tables -A INPUT -p ipv6-icmp -j ACCEPT -m comment --comment "allow icmp v6"
+
+# Allow SSH (NOTE: Using port 23 instead of standard port 22)
+ip6tables -A INPUT -p tcp --dport 23 -j ACCEPT -m comment --comment "allow sshd"
+
+# Allow AdGuard Home
+ip6tables -A INPUT -p tcp --dport 3000 -j ACCEPT -m comment --comment "allow adguard home"
+ip6tables -A INPUT -p tcp --dport 53 -j ACCEPT -m comment --comment "allow adguard home"
+ip6tables -A INPUT -p tcp --dport 80 -j ACCEPT -m comment --comment "allow adguard home"
+
+# Open port ranges (WARNING: open ports)
+ip6tables -A INPUT -p tcp --dport 8501:8509 -j ACCEPT -m comment --comment "open port range 8501-8509"
+ip6tables -A INPUT -p tcp --dport 8511:8519 -j ACCEPT -m comment --comment "open port range 8511-8519"
+
+echo "Firewall rules applied successfully"
+echo "Current iptables rules:"
+iptables -L -n -v
+echo ""
+echo "Current ip6tables rules:"
+ip6tables -L -n -v
diff --git a/README.md b/README.md
index bc9eb0d..4bdc8ce 100644
--- a/README.md
+++ b/README.md
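Review bot: The AdGuard Home block accepts DNS only over TCP (`-p tcp --dport 53`), but resolvers and stub clients query over UDP first, so lookups through this host are dropped by the default DROP policy; add `iptables -A INPUT -p udp --dport 53 -j ACCEPT -m comment --comment "allow adguard home"` and the matching `ip6tables` line. Those rules and the 3000/80 admin rules accept from any source, which — if this host has a public address, something the patch does not show — turns it into an open resolver usable for DNS amplification and exposes AdGuard's first-run setup port 3000; constrain them with `-s <lan-cidr>` and drop the 3000 rule once initial setup is complete. Both SSH rules open 23 rather than 22 (the IPv6 comment says this is deliberate, the IPv4 comment does not); if sshd is not actually configured with `Port 23`, applying this over an SSH session on 22 leaves the current session alive via the ESTABLISHED rule but blocks every new login. The script also lacks `set -euo pipefail` and a root check, so the closing `echo "Firewall rules applied successfully"` prints even when every rule failed to install, and nothing persists the rules across a reboot (`iptables-save`/`iptables.service`), which the closing comment should at least say.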
@@ -50,48 +50,5 @@ sudo pacman -S lact ## Open port - --> This is depend on your method firewall u have --> file config on `/etc/nftables.conf` -```bash -#!/usr/bin/nft -f -# vim:set ts=2 sw=2 et: - -# IPv4/IPv6 Simple & Safe firewall ruleset. -# More examples in /usr/share/nftables/ and /usr/share/doc/nftables/examples/. - -destroy table inet filter -table inet filter { - chain input { - type filter hook input priority filter - policy drop - - # ct state invalid drop comment "early drop of invalid connections" - ct state {established, related} accept comment "allow tracked connections" - iif lo accept comment "allow from loopback" - ip protocol icmp accept comment "allow icmp" - meta l4proto ipv6-icmp accept comment "allow icmp v6" - tcp dport ssh accept comment "allow sshd" - # pkttype host limit rate 5/second counter reject with icmpx type admin-prohibited - - # WARNING: open port right here - tcp dport 8501-8509 accept - tcp dport 8511-8519 accept - tcp dport 8521-8529 accept - counter - } - chain forward { - type filter hook forward priority filter - policy drop - } -} -``` --> after config run command `sudo nft -f /etc/nftables.conf` - - - --> in my case, i have `nftables` -- `sudo nft -a list chain inet filter input` : list current port and rule was accepted -- `sudo nft add rule inet filter input tcp dport 8505 accept` : add open port (in case is 8505) -- `sudo nft add rule inet filter input tcp dport '{ 8501-8509 }' accept` : add open port range -- `sudo nft delete rule inet filter input handle 16` : if u use command `list chain` (first command) u will see a number for each rule to replace for a number 16 +- Make sure u have `iptables-nft` installed +- Run script `sudo bash ./.config/iptables_config.sh`