add scripts for server and client
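--- /dev/null
+++ b/.config/iptables_config/iptables_config_client.sh
@@ -0,0 +1,68 @@
+#!/bin/bash
+# IPv4/IPv6 Simple & Safe firewall ruleset using iptables/ip6tables
+# Equivalent to the provided nftables configuration
+
+# Flush existing rules
+iptables -F
+iptables -X
+iptables -t nat -F
+iptables -t nat -X
+iptables -t mangle -F
+iptables -t mangle -X
+
+ip6tables -F
+ip6tables -X
+ip6tables -t nat -F
+ip6tables -t nat -X
+ip6tables -t mangle -F
+ip6tables -t mangle -X
+
+# Set default policies
+iptables -P INPUT DROP
+iptables -P FORWARD DROP
+iptables -P OUTPUT ACCEPT
+
+ip6tables -P INPUT DROP
+ip6tables -P FORWARD DROP
+ip6tables -P OUTPUT ACCEPT
+
+# IPv4 Rules
+# Allow established and related connections
+iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT -m comment --comment "allow tracked connections"
+
+# Allow loopback traffic
+iptables -A INPUT -i lo -j ACCEPT -m comment --comment "allow from loopback"
+
+# Allow ICMP
+iptables -A INPUT -p icmp -j ACCEPT -m comment --comment "allow icmp"
+
+# Allow SSH
+iptables -A INPUT -p tcp --dport 22 -j ACCEPT -m comment --comment "allow sshd"
+
+# Open port ranges (WARNING: open ports)
+iptables -A INPUT -p tcp --dport 8501:8509 -j ACCEPT -m comment --comment "open port range 8501-8509"
+iptables -A INPUT -p tcp --dport 8511:8519 -j ACCEPT -m comment --comment "open port range 8511-8519"
+
+# IPv6 Rules
+# Allow established and related connections
+ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT -m comment --comment "allow tracked connections"
+
+# Allow loopback traffic
+ip6tables -A INPUT -i lo -j ACCEPT -m comment --comment "allow from loopback"
+
+# Allow ICMPv6
+ip6tables -A INPUT -p ipv6-icmp -j ACCEPT -m comment --comment "allow icmp v6"
+
+# Allow SSH
+ip6tables -A INPUT -p tcp --dport 23 -j ACCEPT -m comment --comment "allow sshd"
+
+# Open port ranges (WARNING: open ports)
+ip6tables -A INPUT -p tcp --dport 8501:8509 -j ACCEPT -m comment --comment "open port range 8501-8509"
+ip6tables -A INPUT -p tcp --dport 8511:8519 -j ACCEPT -m comment --comment "open port range 8511-8519"
+
+echo "Firewall rules applied successfully"
+echo "Current iptables rules:"
+iptables -L -n -v
+echo ""
+echo "Current ip6tables rules:"
+ip6tables -L -n -v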
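Review bot: The IPv6 "Allow SSH" rule accepts tcp/23 while the IPv4 rule accepts tcp/22, and both are commented "allow sshd"; with a stock sshd on 22 this blocks SSH over IPv6 entirely and instead exposes the telnet port, so it should read `ip6tables -A INPUT -p tcp --dport 22 -j ACCEPT -m comment --comment "allow sshd"` unless sshd really listens on 23, in which case the IPv4 rule and its comment need the same change. The flush and `-P INPUT DROP` run before the ESTABLISHED,RELATED rule is appended, so packets of the SSH session used to run this script are dropped until that rule lands; appending the ACCEPT rules first and setting the DROP policies last (or loading the whole set atomically with `iptables-restore`) closes that lockout window. Nothing here persists the rules across a reboot, so presumably an `iptables-save` step or a unit that re-runs this script is expected elsewhere. The README in this commit tells users to run `./.config/iptables_config.sh`, which does not match this file's path.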
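--- /dev/null
+++ b/.config/iptables_config/iptables_config_server.sh
@@ -0,0 +1,76 @@
+#!/bin/bash
+# IPv4/IPv6 Simple & Safe firewall ruleset using iptables/ip6tables
+# Equivalent to the provided nftables configuration
+
+# Flush existing rules
+iptables -F
+iptables -X
+iptables -t nat -F
+iptables -t nat -X
+iptables -t mangle -F
+iptables -t mangle -X
+ip6tables -F
+ip6tables -X
+ip6tables -t nat -F
+ip6tables -t nat -X
+ip6tables -t mangle -F
+ip6tables -t mangle -X
+
+# Set default policies
+iptables -P INPUT DROP
+iptables -P FORWARD DROP
+iptables -P OUTPUT ACCEPT
+ip6tables -P INPUT DROP
+ip6tables -P FORWARD DROP
+ip6tables -P OUTPUT ACCEPT
+
+# IPv4 Rules
+# Allow established and related connections
+iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT -m comment --comment "allow tracked connections"
+
+# Allow loopback traffic
+iptables -A INPUT -i lo -j ACCEPT -m comment --comment "allow from loopback"
+
+# Allow ICMP
+iptables -A INPUT -p icmp -j ACCEPT -m comment --comment "allow icmp"
+
+# Allow SSH
+iptables -A INPUT -p tcp --dport 23 -j ACCEPT -m comment --comment "allow sshd"
+
+# Allow AdGuard Home
+iptables -A INPUT -p tcp --dport 3000 -j ACCEPT -m comment --comment "allow adguard home"
+iptables -A INPUT -p tcp --dport 53 -j ACCEPT -m comment --comment "allow adguard home"
+iptables -A INPUT -p tcp --dport 80 -j ACCEPT -m comment --comment "allow adguard home"
+
+# Open port ranges (WARNING: open ports)
+iptables -A INPUT -p tcp --dport 8501:8509 -j ACCEPT -m comment --comment "open port range 8501-8509"
+iptables -A INPUT -p tcp --dport 8511:8519 -j ACCEPT -m comment --comment "open port range 8511-8519"
+
+# IPv6 Rules
+# Allow established and related connections
+ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT -m comment --comment "allow tracked connections"
+
+# Allow loopback traffic
+ip6tables -A INPUT -i lo -j ACCEPT -m comment --comment "allow from loopback"
+
+# Allow ICMPv6
+ip6tables -A INPUT -p ipv6-icmp -j ACCEPT -m comment --comment "allow icmp v6"
+
+# Allow SSH (NOTE: Using port 23 instead of standard port 22)
+ip6tables -A INPUT -p tcp --dport 23 -j ACCEPT -m comment --comment "allow sshd"
+
+# Allow AdGuard Home
+ip6tables -A INPUT -p tcp --dport 3000 -j ACCEPT -m comment --comment "allow adguard home"
+ip6tables -A INPUT -p tcp --dport 53 -j ACCEPT -m comment --comment "allow adguard home"
+ip6tables -A INPUT -p tcp --dport 80 -j ACCEPT -m comment --comment "allow adguard home"
+
+# Open port ranges (WARNING: open ports)
+ip6tables -A INPUT -p tcp --dport 8501:8509 -j ACCEPT -m comment --comment "open port range 8501-8509"
+ip6tables -A INPUT -p tcp --dport 8511:8519 -j ACCEPT -m comment --comment "open port range 8511-8519"
+
+echo "Firewall rules applied successfully"
+echo "Current iptables rules:"
+iptables -L -n -v
+echo ""
+echo "Current ip6tables rules:"
+ip6tables -L -n -v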
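Review bot: The AdGuard Home rules open tcp/53 only, but DNS clients query over UDP by default, so resolution through this host will fail until `iptables -A INPUT -p udp --dport 53 -j ACCEPT -m comment --comment "allow adguard home dns"` and the matching `ip6tables` rule are added. Ports 3000 (presumably the AdGuard setup/admin UI) and 80 are accepted from any source; if this host carries a public address, those rules should take a `-s <trusted LAN CIDR>` restriction so the management interface is reachable only from the trusted network. The IPv4 "Allow SSH" rule on tcp/23 has no explanation while the IPv6 one notes the non-standard port, and the client script in the same commit uses tcp/22 for IPv4, so whichever port sshd actually listens on, the rules and their comments should agree. The DROP policies are set before any ACCEPT rule exists, which can cut the SSH session running the script; set them after the rules, or load the ruleset atomically with `iptables-restore`.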
47
README.md
47
README.md
@@ -50,48 +50,5 @@ sudo pacman -S lact
## Open port
## Open port
- Make sure u have `iptables-nft` installed
-> This is depend on your method firewall u have
- Run script `sudo bash ./.config/iptables_config.sh`
-> file config on `/etc/nftables.conf`
```bash
#!/usr/bin/nft -f
# vim:set ts=2 sw=2 et:
# IPv4/IPv6 Simple & Safe firewall ruleset.
# More examples in /usr/share/nftables/ and /usr/share/doc/nftables/examples/.
destroy table inet filter
table inet filter {
chain input {
type filter hook input priority filter
policy drop
# ct state invalid drop comment "early drop of invalid connections"
ct state {established, related} accept comment "allow tracked connections"
iif lo accept comment "allow from loopback"
ip protocol icmp accept comment "allow icmp"
meta l4proto ipv6-icmp accept comment "allow icmp v6"
tcp dport ssh accept comment "allow sshd"
# pkttype host limit rate 5/second counter reject with icmpx type admin-prohibited
# WARNING: open port right here
tcp dport 8501-8509 accept
tcp dport 8511-8519 accept
tcp dport 8521-8529 accept
counter
}
chain forward {
type filter hook forward priority filter
policy drop
}
}
```
-> after config run command `sudo nft -f /etc/nftables.conf`
-> in my case, i have `nftables`
- `sudo nft -a list chain inet filter input` : list current port and rule was accepted
- `sudo nft add rule inet filter input tcp dport 8505 accept` : add open port (in case is 8505)
- `sudo nft add rule inet filter input tcp dport '{ 8501-8509 }' accept` : add open port range
- `sudo nft delete rule inet filter input handle 16` : if u use command `list chain` (first command) u will see a number for each rule to replace for a number 16