#!/usr/bin/bash #*************************************************************************** # Copyright Ralf Senderek, Ireland 2014-2015. (http://senderek.ie) # # This file is part of the CRYPTO BONE # File : firewall # Version : 1.5 (external cryptobone) # License : BSD # Date : Wednesday, 1 March 2023 # Contact : Please send enquiries and bug-reports to innovation@senderek.ie # # Copyright (c) 2015-2023 # Ralf Senderek, Ireland. All rights reserved. (https://senderek.ie) # # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions # are met: # 1. Redistributions of source code must retain the above copyright # notice, this list of conditions and the following disclaimer. # 2. Redistributions in binary form must reproduce the above copyright # notice, this list of conditions and the following disclaimer in the # documentation and/or other materials provided with the distribution. # 3. All advertising materials mentioning features or use of this software # must display the following acknowledgement: # This product includes software developed by Ralf Senderek. # # THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR # IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES # OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. # IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, # PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; # OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE # POSSIBILITY OF SUCH DAMAGE. 
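##############################################################################
# My LAN
#
# IFACE and ME are informational only: they are printed in the banner below
# and do not appear in any iptables rule, so a wrong guess cannot weaken the
# firewall.  The interface is taken from the second line of the ARP table
# (line 1 is the header); that order is not stable, hence the guards below.
IFACE=$(arp -n | sed -n '2p' | awk '{print $5}')
ME="1.2.3.4"   # placeholder shown when the address cannot be determined
if [[ -n "$IFACE" ]] && /sbin/ifconfig "$IFACE" > /dev/null 2>&1; then
  # second field of the first "inet " line; older net-tools prints
  # "inet addr:1.2.3.4", so an "addr:" prefix is stripped if present
  ME=$(/sbin/ifconfig "$IFACE" | awk '/inet / { sub(/^addr:/, "", $2); print $2; exit }')
fi
###############################################################################
printf '\nFIREWALL-Script for EXTERNAL CRYPTO BONE version 1.5 - March 2023 at %s\n' "$ME"
printf 'Interface: %s\n\n' "$IFACE"

# Everything below needs root (sysctl write, iptables); fail before touching
# anything rather than leaving the chains half-configured.
if [[ "$(id -u)" -ne 0 ]]; then
  printf 'firewall: must be run as root\n' >&2
  exit 1
fi

## DISABLE IP Forwarding ##
/bin/echo 0 > /proc/sys/net/ipv4/ip_forward

# NOTE: only IPv4 (iptables) is configured by this script.  If IPv6 is
# enabled on the host, ip6tables keeps whatever policy it already has.

#######################################
# Print the usage line to stderr.
#######################################
usage() {
  printf 'usage : firewall [red | green | status]\n' >&2
}

#######################################
# Restrictive mode: default DROP on every chain, then admit only the
# services listed.  Return traffic of every allowed connection is matched
# by the ESTABLISHED,RELATED rule, so no "--sport" accept rules are placed
# on INPUT: such rules accept any NEW packet whose source port happens to
# be 22/53/25/... and bypass the DROP policy.
# Globals:   none
# Arguments: none
# Outputs:   mode banner on stdout
#######################################
set_red() {
  printf '\033[40;31;1mRED\033[0m Restrict the IP transport rigorously\n'
  # DEFAULT-POLICIES (set before flushing so nothing is admitted in between)
  /sbin/iptables -P FORWARD DROP
  /sbin/iptables -P INPUT DROP
  /sbin/iptables -P OUTPUT DROP
  # Clear all rules
  /sbin/iptables -F FORWARD
  /sbin/iptables -F INPUT
  /sbin/iptables -F OUTPUT
  # loopback: local services talking to 127.0.0.1 are not network exposure
  /sbin/iptables -A INPUT -i lo -j ACCEPT
  /sbin/iptables -A OUTPUT -o lo -j ACCEPT
  # allow all established and related connections
  /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  /sbin/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  #
  # RULES FOR THE LAN
  #
  # allow ping
  /sbin/iptables -A INPUT -p ICMP -j ACCEPT
  /sbin/iptables -A OUTPUT -p ICMP -j ACCEPT
  # allow ssh (in-bound to port 22) — the only service reachable from the
  # network in this mode; only connection openings need a rule
  /sbin/iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
  # allow ssh (out-bound to port 22)
  /sbin/iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT
  # allow DNS (client); replies are ESTABLISHED for conntrack
  /sbin/iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
  # allow BOOTP/DHCP as client (68 -> 67) and as server (67 -> 68).  Replies
  # may arrive as broadcast, which conntrack does not pair with the request,
  # so INPUT needs explicit rules here — restricted to the port pair.
  /sbin/iptables -A INPUT -p udp --sport 67 --dport 68 -j ACCEPT
  /sbin/iptables -A OUTPUT -p udp --sport 68 --dport 67 -j ACCEPT
  /sbin/iptables -A INPUT -p udp --sport 68 --dport 67 -j ACCEPT
  /sbin/iptables -A OUTPUT -p udp --sport 67 --dport 68 -j ACCEPT
  # allow outgoing SMTP (25) and submission (587)
  /sbin/iptables -A OUTPUT -p tcp --dport 25 -j ACCEPT
  /sbin/iptables -A OUTPUT -p tcp --dport 587 -j ACCEPT
  # allow POP3 (110) and POP3S (995), client side
  /sbin/iptables -A OUTPUT -p tcp --dport 110 -j ACCEPT
  /sbin/iptables -A OUTPUT -p tcp --dport 995 -j ACCEPT
  # allow IMAP (143) and IMAPS (993), client side
  /sbin/iptables -A OUTPUT -p tcp --dport 143 -j ACCEPT
  /sbin/iptables -A OUTPUT -p tcp --dport 993 -j ACCEPT
  # allow NTP — UDP 123, client side.  The former "tcp --dport 123" INPUT
  # rule opened a TCP listener port instead of letting NTP queries out.
  /sbin/iptables -A OUTPUT -p udp --dport 123 -j ACCEPT
}

#######################################
# Permissive mode: default ACCEPT everywhere, chains flushed.  Every packet
# is still logged (-j LOG does not terminate, so the ACCEPT policy applies);
# this is verbose and can fill the system log quickly.
# Globals:   none
# Arguments: none
# Outputs:   mode banner on stdout
#######################################
set_green() {
  printf '\033[40;32;1mGREEN\033[0m\n'
  echo "Allow everything, shut down firewall protection completely."
  # DEFAULT-POLICIES
  /sbin/iptables -P FORWARD ACCEPT
  /sbin/iptables -P INPUT ACCEPT
  /sbin/iptables -P OUTPUT ACCEPT
  # Clear all rules
  /sbin/iptables -F FORWARD
  /sbin/iptables -F INPUT
  /sbin/iptables -F OUTPUT
  /sbin/iptables -A INPUT -p all -j LOG
  /sbin/iptables -A OUTPUT -p all -j LOG
}

#######################################
# Show the current rule set with counters.  -n keeps iptables from doing a
# reverse DNS lookup per address, which is slow and emits queries.
# Globals:   none
# Arguments: none
# Outputs:   iptables listing on stdout
#######################################
show_status() {
  printf '\033[40;34;1mSTATUS:\033[0m\n\n'
  /sbin/iptables -L -v -n
}

# Exactly one mode argument is accepted; misuse exits with status 2 so a
# calling script can tell it apart from a configured firewall.
if [[ $# -ne 1 ]]; then
  usage
  exit 2
fi
case "$1" in
  red)    set_red ;;
  green)  set_green ;;
  status) show_status ;;
  *)
    printf 'unknown option: %s\n\n' "$1" >&2
    usage
    exit 2
    ;;
esac
###############################################################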