Inhaltsverzeichnis

IpTables Firewall

Hier ein Beispiel für ein Firewallskript mit IpTables

Installation

  1. Ordner anlegen /root/firewall
  2. Skripte hinein kopieren
  3. Link für manuelle Steuerung anlegen
  4. System Link hinzufügen


ln -s /root/firewall/firewall.sh /usr/local/sbin/firewall


ln -s /root/firewall/firewall.service /etc/systemd/system/firewall.service
systemctl daemon-reload
systemctl enable firewall

Hinweis: Das Unit-Verzeichnis heißt /etc/systemd/system (nicht /etc/system/systemd). Ohne systemctl enable wird die Firewall beim Booten nicht gestartet.


Bedienung

Neue Regeln werden in die Dateien ipv4.rules und ipv6.rules geschrieben. Beide Dateien werden von firewall.start per source als Bash-Code mit Root-Rechten ausgeführt und dürfen deshalb nur für root schreibbar sein. Die Steuerung erfolgt entweder mit systemctl start|stop|status firewall oder direkt mit firewall start|stop|status|rules. Achtung: firewall.start setzt die Policy für INPUT und OUTPUT auf DROP, bevor die Regeln geladen werden, und bricht bei einer fehlerhaften Regelzeile nicht ab; eine defekte SSH-Regel sperrt die eigene Sitzung aus. Regeländerungen daher zuerst über eine Konsole (nicht nur per SSH) testen.
Alle Dateien befinden sich in dem Ordner

/root/firewall
|
|->firewall.start            # Startet die Firewall, setzt die Standardwerte (Policy DROP) und lädt die Regeln
|->firewall.stop             # Stoppt die Firewall und setzt sie zurück (Policy ACCEPT, alles offen)
|->firewall.service          # Unit-Datei für systemd
|->firewall.sh               # Hauptskript zur Steuerung der Firewall
|->ipv4.rules                # Regeln für IPv4 <- Neue Regeln hier!
|->ipv6.rules                # Regeln für IPv6 <- Neue Regeln hier!


Dateien


firewall.start
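#!/bin/bash
# Start script for iptables.
#
# Resets the IPv4 and IPv6 filter/nat tables to a default-DROP policy, installs
# the baseline rules (loopback, established traffic) and then sources the rule
# files ipv4.rules and ipv6.rules from this script's directory.
#
# Usage (normally called by firewall.sh):
#   firewall.start start [logging on|off] [debug]
#   $2/$3   "logging on" appends a rate-limited LOG rule as the LAST INPUT rule,
#           so only packets that are about to hit the DROP policy get logged.
#   last    "debug" turns on bash tracing (set -x) while the rules are loaded.
#
# NOTE(review): there is no failure detection. A rule line that iptables
# rejects (typo, missing module) is reported on stderr and skipped while the
# policy stays DROP - a broken ssh rule locks you out. Test rule changes from
# a console session, never only over ssh.

# Variables
  ipt4=$(command -v iptables)
  ipt6=$(command -v ip6tables)
  mypath=$(dirname "$(realpath "$0")")  # directory that holds the rule files
  pidfile=/var/run/firewall.pid         # marker file checked by "firewall status"

printf "\e[1;33mStarting Firewall\e[1;0m ... \n"

  if [[ -z "$ipt4" ]]; then
    printf 'Error: iptables not found, firewall not started\n' >&2
    exit 1
  fi
  if [[ -z "$ipt6" ]]; then
    printf 'Warning: ip6tables not found, IPv6 is left unfiltered\n' >&2
  fi

# Enable debugging when the last argument is "debug"
  if [[ $# -gt 0 && "${!#}" == "debug" ]]; then set -x; fi

# Reset Firewall
# Flush all rules and delete user-defined chains (-F alone leaves the empty
# chains behind, which makes a later "-N LOGGING" fail), then set the policies
# to DROP before any ACCEPT rule exists, so there is no open window while the
# rules are being loaded.
  for ipt in "$ipt4" "$ipt6"; do
    [[ -n "$ipt" ]] || continue   # address family not available on this host
    "$ipt" -F
    "$ipt" -X
    "$ipt" -t nat -F
    "$ipt" -t nat -X
    "$ipt" -P INPUT DROP
    "$ipt" -P FORWARD DROP
    "$ipt" -P OUTPUT DROP
  done

# Create the marker file. $$ is the pid of this short-lived script, so the
# file only records that the rules were loaded; it is not a live process check.
  echo $$ > "$pidfile"

# Any chains and jump rules fail2ban had installed are gone after the reset
# above; restart it so it recreates them (assumes fail2ban uses its iptables
# action - confirm for your setup).
  if [[ -x /usr/bin/systemctl ]]; then
    /usr/bin/systemctl restart fail2ban \
      || printf 'Warning: fail2ban could not be restarted\n' >&2
  fi

#################
# Default rules #
#################
  for ipt in "$ipt4" "$ipt6"; do
    [[ -n "$ipt" ]] || continue
  # allow local traffic
    "$ipt" -A INPUT -i lo -j ACCEPT
    "$ipt" -A OUTPUT -o lo -j ACCEPT
    "$ipt" -A FORWARD -i lo -j ACCEPT
  # replies to existing connections. INPUT also takes RELATED (ICMP errors,
  # helper-tracked data connections); OUTPUT only ESTABLISHED, so every new
  # outbound connection needs an explicit rule in the rule files.
    "$ipt" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$ipt" -A OUTPUT -m state --state ESTABLISHED -j ACCEPT
  done

# Load the user rule files. They are executed as bash by root, so they must
# stay root-owned and must not be writable by anyone else.
  for rulefile in ipv4.rules ipv6.rules; do
    if [[ -r "${mypath}/${rulefile}" ]]; then
      source "${mypath}/${rulefile}"
    else
      printf 'Warning: %s not found, skipped\n' "${mypath}/${rulefile}" >&2
    fi
  done

###########
# logging #
###########
# "logging on": log (rate limited) what falls through to the DROP policy, for
# both address families. The LOGGING chain only has an effect when INPUT jumps
# to it, and that jump must be the last INPUT rule so accepted traffic is not
# logged. "logging off" needs no action: the reset above removed the chain.
  if [[ "${2:-}" == "logging" ]]; then
    case "${3:-}" in
      on)  for ipt in "$ipt4" "$ipt6"; do
             [[ -n "$ipt" ]] || continue
             "$ipt" -N LOGGING
             "$ipt" -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
             "$ipt" -A INPUT -j LOGGING
           done ;;
      off) ;;
      *)   printf "\nfirewall logging on|off\n" ;;
    esac
  fi

# Disable debugging
  if [[ $# -gt 0 && "${!#}" == "debug" ]]; then set +x; fi

exit 0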


firewall.stop
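#!/bin/bash
# Stop script for iptables.
#
# Sets all policies to ACCEPT, flushes every rule and deletes user-defined
# chains for IPv4 and IPv6 - afterwards the host is completely unfiltered.
# Also removes the marker file that "firewall status" looks at.

# Variables
  ipt4=$(command -v iptables)
  ipt6=$(command -v ip6tables)
  pidfile=/var/run/firewall.pid

printf "\e[1;33mStopping Firewall\e[1;0m ... \n"

# Reset Firewall
# The policy is switched to ACCEPT *before* flushing: flushing first would
# leave a moment with policy DROP and no ESTABLISHED rule, cutting open ssh
# sessions. -X removes the chains that -F leaves behind (e.g. a LOGGING chain
# from "firewall start logging on").
  for ipt in "$ipt4" "$ipt6"; do
    [[ -n "$ipt" ]] || continue   # address family not available on this host
    "$ipt" -P INPUT ACCEPT
    "$ipt" -P FORWARD ACCEPT
    "$ipt" -P OUTPUT ACCEPT
    "$ipt" -F
    "$ipt" -X
    "$ipt" -t nat -F
    "$ipt" -t nat -X
  done

# Delete the marker file if it exists
  if [[ -f "$pidfile" ]]; then rm -f -- "$pidfile"; fi

exit 0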


firewall.sh
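#!/bin/bash
# Control script for the iptables firewall living in this directory.
#
# Usage: firewall.sh {start|stop|restart|status|rules|help}
#   start    run firewall.start with all arguments (see "logging" and "debug")
#   stop     run firewall.stop - flushes everything and sets policy ACCEPT
#   restart  stop, then start with the remaining arguments
#   status   "running" if the marker file exists; this is not a live check of
#            the loaded rules - use "rules" for that
#   rules    dump the filter and nat tables (IPv4 and IPv6) with counters
# The exit status is always 0.

pidfile=/var/run/firewall.pid            # marker file written by firewall.start
mypath=$(dirname "$(realpath "$0")")     # resolves the /usr/local/sbin symlink to the real directory
ipt=$(command -v iptables)
ipt6=$(command -v ip6tables)

help="

This script controls the iptables firewall.

Config
------
  Write firewall rules in
    /root/firewall/ipv4.rules
    /root/firewall/ipv6.rules

Control
-------
  \e[1;1mfirewall.sh {start|stop|restart|status|rules}\e[1;0m

    \e[1;1mstart\e[1;0m You can start iptables.

                After start command you can set the logging command to enable or disable
                logging to syslog.

                \e[1;1mfirewall start logging {on|off}\e[1;0m

                On the last position you can write debug to debug your rules.

                \e[1;1mfirewall start debug\e[1;0m

    \e[1;1mstop\e[1;0m  You can flush your rules and disable iptables.

    \e[1;1mrestart\e[1;0m       Stop and start your firewall.

    \e[1;1mstatus\e[1;0m        Show if your firewall is running (marker file check).

    \e[1;1mrules\e[1;0m Show running rules (IPv4 and IPv6).

"

# Print one table of one iptables binary under a coloured heading.
# $1 binary, $2 table name, $3 heading. Skipped silently when $1 is empty.
# The table output goes through %s so a '%' in a rule comment is not treated
# as a printf directive.
show_table() {
  local bin=$1 table=$2 title=$3
  [[ -n "$bin" ]] || return 0
  printf '\n\e[4;33;1m%s\e[1;0m\n\n%s\n' "$title" "$("$bin" -t "$table" -L -n -v --line-numbers)"
}

case "${1:-}" in
  start)   "${mypath}/firewall.start" "$@" ;;
  stop)    "${mypath}/firewall.stop" ;;
  restart) "${mypath}/firewall.stop"
           "${mypath}/firewall.start" start "${@:2}" ;;
  status)  if [[ -f "$pidfile" ]]; then
             printf "\nFirewall is \e[1;32mrunning\e[1;0m\n\n"
           else
             printf "\nFirewall is \e[1;31mstopped\n\n\e[1;0m"
           fi ;;
  rules)   show_table "$ipt"  filter "Firewall filter rules"
           show_table "$ipt"  nat    "Firewall NAT rules"
           show_table "$ipt6" filter "Firewall IPv6 filter rules"
           show_table "$ipt6" nat    "Firewall IPv6 NAT rules"
           printf '\n' ;;
  *)       printf '%b' "$help" ;;
esac

exit 0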


firewall.service
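[Unit]
Description=Firewall script for iptables
# NOTE(review): with the default dependencies this unit starts after
# basic.target, so there is a short window at boot where the network may be up
# before the rules are loaded. Ordering it Before=network-pre.target would
# close that window, but firewall.start restarts fail2ban, whose unit is
# usually ordered after network.target - check for an ordering cycle first.

[Service]
Type=oneshot
# Keep the unit "active" after firewall.sh start returns. Without this a
# oneshot unit counts as finished immediately: "systemctl status" reports it
# inactive and "systemctl stop" never runs ExecStop.
RemainAfterExit=yes
ExecStart=/root/firewall/firewall.sh start
# firewall.start flushes and reloads all rules, so "start" doubles as reload.
ExecReload=/root/firewall/firewall.sh start
ExecStop=/root/firewall/firewall.sh stop
# "ExecStatus" is not a systemd directive and was dropped; use
# "firewall status" or "firewall rules" on the command line instead.

[Install]
WantedBy=multi-user.target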


ipv4.rules
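# Variables
# Normally firewall.start has already set these before sourcing this file;
# the fallback only matters when the file is sourced on its own.
  ipt4=${ipt4:-$(command -v iptables)}
  ipt6=${ipt6:-$(command -v ip6tables)}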

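#######
# SSH #
#######

  # incoming ssh: new and established connections to port 22.
  # Under the INPUT DROP policy this is the rule that keeps you logged in. The
  # original line read "--dport 22-m" (missing space); iptables rejects that
  # argument, so the rule was never loaded and ssh was blocked.
    "$ipt4" -A INPUT -p tcp --sport 1024: --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT -m comment --comment "Accept all incoming ssh on port 22"
    #"$ipt6" -A INPUT -p tcp --sport 1024: --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
  # outgoing ssh: this only matches ESTABLISHED packets, which the generic
  # OUTPUT rule in firewall.start already accepts, so it is effectively
  # redundant. NEW outbound ssh sessions are NOT allowed by this file; add NEW
  # to --state here if the host needs to open ssh connections itself.
    "$ipt4" -A OUTPUT -p tcp --sport 1024: --dport 22 -m state --state ESTABLISHED -j ACCEPT -m comment --comment "Accept all outgoing ssh"
    #"$ipt6" -A OUTPUT -p tcp --sport 1024: --dport 22 -m state --state ESTABLISHED -j ACCEPT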

########
# http #
########
  # incoming web traffic: new and established connections to 80 and 443
  # (the replies leave via the generic ESTABLISHED OUTPUT rule in firewall.start)
    for web_port in 80 443; do
      "$ipt4" -A INPUT -p tcp --sport 1024: --dport "${web_port}" -m state --state NEW,ESTABLISHED -j ACCEPT -m comment --comment "Accept alle incoming htt in port ${web_port}"
    done

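###########
# updates #
###########

  # Ubuntu Repos: outbound http/https only to the listed mirror addresses.
  # The original loop never used $repo, so it allowed ALL outbound 80/443
  # traffic (five identical unrestricted rules) instead of just the mirrors.
  # NOTE: mirror addresses change over time; re-check them (e.g. with
  # "dig archive.ubuntu.com") when apt starts failing.
    repos=(185.125.190.39 91.189.91.83 91.189.91.82 91.189.91.81 185.125.190.36)
    for repo in "${repos[@]}"; do
      for port in 80 443; do
        "$ipt4" -A OUTPUT -p tcp --sport 1024: --dport "${port}" -d "${repo}" -m state --state NEW,ESTABLISHED -j ACCEPT -m comment --comment "Accept Update Repo"
      done
    done
  # IPv6 mirrors: none are listed, so no IPv6 rule is installed (the original
  # IPv6 rules were unrestricted). Add addresses here to allow apt over IPv6.
    repos6=()
    for repo in "${repos6[@]}"; do
      for port in 80 443; do
        "$ipt6" -A OUTPUT -p tcp --sport 1024: --dport "${port}" -d "${repo}" -m state --state NEW,ESTABLISHED -j ACCEPT -m comment --comment "Accept Update Repo"
      done
    done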

#######
# DNS #
#######

  # outgoing DNS (tcp and udp) to the listed resolvers only. IPv4 only; the
  # list must match what the host's resolver actually forwards to.
    dnsservers=(8.8.8.8)
    for resolver in "${dnsservers[@]}"; do
      for proto in tcp udp; do
        "$ipt4" -A OUTPUT -p "${proto}" --dport 53 -d "${resolver}" -m state --state NEW,ESTABLISHED -j ACCEPT -m comment --comment "Accept outgoing dns to server"
      done
    done

#######
# NTP #
#######
  # outgoing NTP (udp/123) to the listed time servers only; the original
  # comment names ptbtime1.ptb.de - verify the addresses still belong to it.
    ntpservers=(192.53.103.108 192.53.103.104 192.53.103.103)
    for timesrv in "${ntpservers[@]}"; do
      "$ipt4" -A OUTPUT -p udp --dport 123 -d "${timesrv}" -m state --state NEW,ESTABLISHED -j ACCEPT -m comment --comment "Accept ntp requests to internet"
    done


ipv6.rules

Die Datei ist in diesem Beispiel leer. Hinweis: firewall.start setzt auch für ip6tables die Policy auf DROP und enthält keine ICMPv6-Regel; auf einem Host mit IPv6 ist damit voraussichtlich die Neighbor Discovery (ICMPv6-Typen 133-137) gestört. Wird IPv6 genutzt, müssen hier passende ACCEPT-Regeln für ICMPv6 und die benötigten Dienste ergänzt werden.