add scripts for server and client
This commit is contained in:
huyjaky
76
.config/iptables_config/iptables_config_server.sh
Normal file
76
.config/iptables_config/iptables_config_server.sh
Normal file
@@ -0,0 +1,76 @@
|
||||
#!/bin/bash
|
||||
# IPv4/IPv6 Simple & Safe firewall ruleset using iptables/ip6tables
|
||||
# Equivalent to the provided nftables configuration
|
||||
|
||||
# Flush existing rules
|
||||
iptables -F
|
||||
iptables -X
|
||||
iptables -t nat -F
|
||||
iptables -t nat -X
|
||||
iptables -t mangle -F
|
||||
iptables -t mangle -X
|
||||
ip6tables -F
|
||||
ip6tables -X
|
||||
ip6tables -t nat -F
|
||||
ip6tables -t nat -X
|
||||
ip6tables -t mangle -F
|
||||
ip6tables -t mangle -X
|
||||
|
||||
# Set default policies
|
||||
iptables -P INPUT DROP
|
||||
iptables -P FORWARD DROP
|
||||
iptables -P OUTPUT ACCEPT
|
||||
ip6tables -P INPUT DROP
|
||||
ip6tables -P FORWARD DROP
|
||||
ip6tables -P OUTPUT ACCEPT
|
||||
|
||||
# IPv4 Rules
|
||||
# Allow established and related connections
|
||||
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT -m comment --comment "allow tracked connections"
|
||||
|
||||
# Allow loopback traffic
|
||||
iptables -A INPUT -i lo -j ACCEPT -m comment --comment "allow from loopback"
|
||||
|
||||
# Allow ICMP
|
||||
iptables -A INPUT -p icmp -j ACCEPT -m comment --comment "allow icmp"
|
||||
|
||||
# Allow SSH
|
||||
iptables -A INPUT -p tcp --dport 23 -j ACCEPT -m comment --comment "allow sshd"
|
||||
|
||||
# Allow AdGuard Home
|
||||
iptables -A INPUT -p tcp --dport 3000 -j ACCEPT -m comment --comment "allow adguard home"
|
||||
iptables -A INPUT -p tcp --dport 53 -j ACCEPT -m comment --comment "allow adguard home"
|
||||
iptables -A INPUT -p tcp --dport 80 -j ACCEPT -m comment --comment "allow adguard home"
|
||||
|
||||
# Open port ranges (WARNING: open ports)
|
||||
iptables -A INPUT -p tcp --dport 8501:8509 -j ACCEPT -m comment --comment "open port range 8501-8509"
|
||||
iptables -A INPUT -p tcp --dport 8511:8519 -j ACCEPT -m comment --comment "open port range 8511-8519"
|
||||
|
||||
# IPv6 Rules
|
||||
# Allow established and related connections
|
||||
ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT -m comment --comment "allow tracked connections"
|
||||
|
||||
# Allow loopback traffic
|
||||
ip6tables -A INPUT -i lo -j ACCEPT -m comment --comment "allow from loopback"
|
||||
|
||||
# Allow ICMPv6
|
||||
ip6tables -A INPUT -p ipv6-icmp -j ACCEPT -m comment --comment "allow icmp v6"
|
||||
|
||||
# Allow SSH (NOTE: Using port 23 instead of standard port 22)
|
||||
ip6tables -A INPUT -p tcp --dport 23 -j ACCEPT -m comment --comment "allow sshd"
|
||||
|
||||
# Allow AdGuard Home
|
||||
ip6tables -A INPUT -p tcp --dport 3000 -j ACCEPT -m comment --comment "allow adguard home"
|
||||
ip6tables -A INPUT -p tcp --dport 53 -j ACCEPT -m comment --comment "allow adguard home"
|
||||
ip6tables -A INPUT -p tcp --dport 80 -j ACCEPT -m comment --comment "allow adguard home"
|
||||
|
||||
# Open port ranges (WARNING: open ports)
|
||||
ip6tables -A INPUT -p tcp --dport 8501:8509 -j ACCEPT -m comment --comment "open port range 8501-8509"
|
||||
ip6tables -A INPUT -p tcp --dport 8511:8519 -j ACCEPT -m comment --comment "open port range 8511-8519"
|
||||
|
||||
echo "Firewall rules applied successfully"
|
||||
echo "Current iptables rules:"
|
||||
iptables -L -n -v
|
||||
echo ""
|
||||
echo "Current ip6tables rules:"
|
||||
ip6tables -L -n -v
|
||||
Reference in New Issue
Block a user