From 0dcae10400630af503c8232bd0fd89b45c9614c7 Mon Sep 17 00:00:00 2001
From: Ataxya
Date: Sun, 21 Nov 2021 16:44:06 +0100
Subject: [PATCH] Hello, i'm basicFW.sh, a script remade by @AtaxyaNetwork

---
 basicFW.sh | 157 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 157 insertions(+)
 create mode 100755 basicFW.sh

diff --git a/basicFW.sh b/basicFW.sh
new file mode 100755
index 0000000..2286bd8
--- /dev/null
+++ b/basicFW.sh
@@ -0,0 +1,157 @@
+#!/bin/bash
+#
+# Original script: firewall.sh - Copyright (c) 2019-2021 - Olivier Poncet
+#
+# Forked by @AtaxyaNetwork
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see
+#
+
+# ----------------------------------------------------------------------------
+# Choose the primary network interface : eth0, eno1, ens18, enp3s0, etc ...
+# ----------------------------------------------------------------------------
+echo "Please, select a network interface:"
+PS3="Your choice: "
+QUIT="QUIT THIS PROGRAM - I feel safe now."
+touch "$QUIT"
+
+select Network_interfaces in $(ls /sys/class/net);
+do
+ case $Network_interfaces in
+ "$QUIT")
+ echo "Exiting."
+ break
+ ;;
+ *)
+ echo "You picked $Network_interfaces"
+ WAN0=$Network_interfaces
+ break
+ ;;
+ esac
+done
+rm "$QUIT"
+
+
+# ----------------------------------------------------------------------------
+# looking for iptables & ip6tables
+# ----------------------------------------------------------------------------
+
+IP4TABLES="$(which iptables || echo 'not-found')"
+IP6TABLES="$(which ip6tables || echo 'not-found')"
+
+# ----------------------------------------------------------------------------
+# check for variables
+# ----------------------------------------------------------------------------
+
+if [ "${WAN0}" = "not-set" ]
+then
+ echo "*** WAN0 was not set ***"
+ HAS_ERROR="yes"
+fi
+
+if [ "${IP4TABLES}" = "not-found" ]
+then
+ echo "*** iptables was not found ***"
+ HAS_ERROR="yes"
+fi
+
+if [ "${IP6TABLES}" = "not-found" ]
+then
+ echo "*** ip6tables was not found ***"
+ HAS_ERROR="yes"
+fi
+
+
+####
+# Flush IPtables && apply universal rules
+####
+${IP4TABLES} -t filter -F
+${IP6TABLES} -t filter -F
+${IP4TABLES} -t filter -P INPUT ACCEPT
+${IP6TABLES} -t filter -P INPUT ACCEPT
+${IP4TABLES} -t filter -A INPUT -i "${WAN0}" -p all -m state --state ESTABLISHED,RELATED -j ACCEPT
+${IP6TABLES} -t filter -A INPUT -i "${WAN0}" -p all -m state --state ESTABLISHED,RELATED -j ACCEPT
+
+# ----------------------------------------------------------------------------
+# Drop all by default
+# ----------------------------------------------------------------------------
+
+RULE_ICMP____TARGET="DROP"
+RULE_SNMP____TARGET="DROP"
+RULE_SSH_____TARGET="DROP"
+RULE_HTTP____TARGET="DROP"
+RULE_HTTPS___TARGET="DROP"
+RULE_DEFAULT_TARGET="DROP"
+
+cmd=(dialog --separate-output --checklist "Select protocol to accept" 22 76 16)
+options=(1 "ICMP" on # any option can be set to default to "on"
+ 2 "SSH" off
+ 3 "HTTP" off
+ 4 "HTTPS" off
+ 5 "SNMP" off)
+choices=$("${cmd[@]}" "${options[@]}" 2>&1 >/dev/tty)
+clear
+for choice in $choices
+do
+ case $choice in
+ 1)
+ RULE_ICMP____TARGET="ACCEPT"
+ ${IP4TABLES} -t filter -A INPUT -i "${WAN0}" -p icmp -j "${RULE_ICMP____TARGET}"
+ ${IP6TABLES} -t filter -A INPUT -i "${WAN0}" -p icmp -j "${RULE_ICMP____TARGET}"
+ ;;
+ 2)
+ RULE_SSH_____TARGET="ACCEPT"
+ ${IP4TABLES} -t filter -A INPUT -i "${WAN0}" -p tcp --dport ssh -j "${RULE_SSH_____TARGET}"
+ ${IP6TABLES} -t filter -A INPUT -i "${WAN0}" -p tcp --dport ssh -j "${RULE_SSH_____TARGET}"
+ ;;
+ 3)
+ RULE_HTTP____TARGET="ACCEPT"
+ ${IP4TABLES} -t filter -A INPUT -i "${WAN0}" -p tcp --dport http -j "${RULE_HTTP____TARGET}"
+ ${IP6TABLES} -t filter -A INPUT -i "${WAN0}" -p tcp --dport http -j "${RULE_HTTP____TARGET}"
+ ;;
+ 4)
+ RULE_HTTPS___TARGET="ACCEPT"
+ ${IP4TABLES} -t filter -A INPUT -i "${WAN0}" -p tcp --dport https -j "${RULE_HTTPS___TARGET}"
+ ${IP6TABLES} -t filter -A INPUT -i "${WAN0}" -p tcp --dport https -j "${RULE_HTTPS___TARGET}"
+ ;;
+ 5)
+ RULE_SNMP____TARGET="ACCEPT"
+ read -p "Saisir le préfix v4 à whitelister pour le SNMP: " SNMP4_TARGET
+ read -p"Saisir le préfix v6 à whitelister pour le SNMP: " SNMP6_TARGET
+ ${IP4TABLES} -t filter -A INPUT -i "${WAN0}" -p udp -s "${SNMP4_TARGET}" --dport 161 -j "${RULE_SNMP____TARGET}"
+ ${IP6TABLES} -t filter -A INPUT -i "${WAN0}" -p udp -s "${SNMP6_TARGET}" --dport 161 -j "${RULE_SNMP____TARGET}"
+
+ ;;
+ esac
+done
+
+
+#####
+# Apply default policy
+####
+${IP4TABLES} -t filter -A INPUT -i "${WAN0}" -j "${RULE_DEFAULT_TARGET}"
+${IP6TABLES} -t filter -A INPUT -i "${WAN0}" -j "${RULE_DEFAULT_TARGET}"
+
+#####
+# Print iptables -nvl
+####
+${IP4TABLES} -t filter -L -n
+${IP6TABLES} -t filter -L -n
+
+echo ""
+echo "Forked with love by @AtaxyaNetwork"
+
+# ----------------------------------------------------------------------------
+# End-Of-File
+# ----------------------------------------------------------------------------
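Review bot: The `HAS_ERROR` flag set in the "check for variables" section is never acted on, so the script still flushes the filter table and sets the INPUT policy to ACCEPT when ip6tables is missing or `WAN0` is empty; `WAN0` is also never initialised to `not-set`, so that check cannot fire, and an invalid or empty menu choice lands in the `*)` arm with `WAN0=""`, after which every `-i "${WAN0}"` rule — including the trailing DROP — is rejected and the host is left with a flushed, ACCEPT-policy INPUT chain. Initialise `WAN0="not-set"` before the `select`, and abort before anything touches iptables with `[ "${HAS_ERROR}" = "yes" ] && { echo "*** aborting, firewall unchanged ***" >&2; exit 1; }`. Separately, the QUIT entry can never be chosen: `touch "$QUIT"` creates the file in the current directory while the menu lists `/sys/class/net`, so that arm is dead and the touch/rm only litter the working directory. For IPv6, `-p icmp` in ip6tables selects IP protocol 1 rather than ICMPv6 (58), so the ICMP option does not admit ICMPv6 and, with the trailing DROP on WAN0, Neighbor Discovery and Router Advertisements are dropped, which as far as I can tell breaks IPv6 on that interface; use `-p ipv6-icmp` there and consider always permitting the NDP types before the final DROP.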