  1. #!/bin/bash
  2.  
  3. type tor || exit 1
  4. [ $EUID != 0 ] && echo run as root ! && exit 2
  5. PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'
  6. SP='255.255.255.255/32 240.0.0.0/4 233.252.0.0/24 224.0.0.0/4 203.0.113.0/24 198.51.100.0/24 198.18.0.0/15 192.168.0.0/16 192.88.99.0/24 192.0.2.0/24 192.0.0.0/24 172.16.0.0/12 169.254.0.0/16 127.0.0.0/8 100.64.0.0/10 10.0.0.0/8 0.0.0.0/8'
  7.  
#######################################
# Tear the Tor firewall down.
# For IPv4 and then IPv6: flush the nat table, flush the filter table, set the
# INPUT/FORWARD/OUTPUT policies back to ACCEPT (the host is left fully open,
# i.e. fail-open), listing each table right after it is flushed so the
# operator can confirm it is empty. Tor is stopped last. /etc/tor/torrc is
# not touched here.
# Globals:   none
# Arguments: none
# Outputs:   "---" separators and iptables/ip6tables listings on stdout
#######################################
stop() {
    local ipt chain

    for ipt in iptables ip6tables; do
        "$ipt" -t nat -F

        echo ---
        "$ipt" -t nat -nvL

        # ---

        "$ipt" -F

        for chain in INPUT FORWARD OUTPUT; do
            "$ipt" -P "$chain" ACCEPT
        done

        echo ---
        "$ipt" -nvL

        # ---
    done

    systemctl stop tor
}
  47.  
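#######################################
# Bring the Tor firewall up for the account Tor runs as.
#   nat/OUTPUT   : UDP 53 -> 127.0.0.1:9053 (DNSPort); new TCP (SYN) to the
#                  VirtualAddrNetwork and, after the RETURN exemptions for the
#                  Tor user, loopback and the SP ranges, every other new TCP
#                  -> 127.0.0.1:9040 (TransPort).
#   filter (v4)  : INPUT accepts loopback and ESTABLISHED only; FORWARD drops;
#                  OUTPUT accepts ESTABLISHED, the two Tor ports on 127.0.0.1,
#                  the Tor user's own new TCP connections and loopback, drops
#                  the SP ranges and everything else. Policies are DROP.
#   filter (v6)  : everything dropped, loopback included.
# /etc/tor/torrc is then rewritten with the matching DNSPort/TransPort
# settings (the previous file is saved once as /etc/tor/torrc.bak) and tor is
# restarted. The result is fail-closed: if tor is down, nothing leaves.
# Globals:   SP (read)
# Arguments: $1 - user Tor runs as (default: tor); must exist
# Outputs:   "---" separators, iptables listings and the new torrc on stdout
# Returns:   exits 3 if the user does not exist, 4 if the torrc backup fails;
#            otherwise the status of the torrc write / tor restart / cat chain
#######################################
start() {
    local uid="${1:-tor}" sp

    # Validate the account before any rule references it; only the exit
    # status is of interest, so id's output is discarded.
    id -u "$uid" >/dev/null 2>&1 || exit 3

    # --- nat: redirection -------------------------------------------------

    iptables -t nat -F

    # Rule order is significant: the DNS DNAT precedes the uid RETURN, so the
    # Tor user's own UDP 53 traffic is redirected as well.
    iptables -t nat -A OUTPUT -p udp --dport 53 -j DNAT --to-destination='127.0.0.1:9053'
    # Addresses handed out for .onion names (VirtualAddrNetwork below) must
    # reach TransPort even though 10.0.0.0/8 is exempted further down.
    iptables -t nat -A OUTPUT -p tcp -d 10.192.0.0/10 --syn -j DNAT --to-destination='127.0.0.1:9040'

    iptables -t nat -A OUTPUT -m owner --uid-owner "$uid" -j RETURN
    iptables -t nat -A OUTPUT -o lo -j RETURN

    # SP is a space-separated list; word-splitting is intended.
    for sp in $SP; do
        iptables -t nat -A OUTPUT -d "$sp" -j RETURN
    done

    # --syn: only the first packet of a connection is redirected.
    iptables -t nat -A OUTPUT -p tcp --syn -j DNAT --to-destination='127.0.0.1:9040'

    echo ---
    iptables -t nat -nvL

    # --- filter: IPv4 -----------------------------------------------------

    iptables -F

    iptables -A INPUT -m state --state INVALID -j DROP
    iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A INPUT -j DROP
    iptables -P INPUT DROP

    iptables -A FORWARD -j DROP
    iptables -P FORWARD DROP

    iptables -A OUTPUT -m state --state INVALID -j DROP
    iptables -A OUTPUT -m state --state ESTABLISHED -j ACCEPT

    # filter OUTPUT sees post-DNAT addresses, so redirected DNS and TCP
    # arrive here as 127.0.0.1:9053 / 127.0.0.1:9040.
    iptables -A OUTPUT -p udp -d 127.0.0.1 --dport 9053 -j ACCEPT
    iptables -A OUTPUT -p tcp -d 127.0.0.1 --dport 9040 --syn -j ACCEPT

    # Only the Tor daemon may open new connections to the outside.
    iptables -A OUTPUT -p tcp -m owner --uid-owner "$uid" -m state --state NEW --syn -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT

    for sp in $SP; do
        iptables -A OUTPUT -d "$sp" -j DROP
    done

    iptables -A OUTPUT -j DROP
    iptables -P OUTPUT DROP

    echo ---
    iptables -nvL

    # --- filter: IPv6 (blocked entirely) ----------------------------------

    ip6tables -F

    ip6tables -A INPUT -j DROP
    ip6tables -P INPUT DROP

    ip6tables -A FORWARD -j DROP
    ip6tables -P FORWARD DROP

    ip6tables -A OUTPUT -j DROP
    ip6tables -P OUTPUT DROP

    echo ---
    ip6tables -nvL

    # --- tor configuration -----------------------------------------------

    # torrc is replaced wholesale and stop() does not restore it, so keep the
    # pre-existing file once (a later run must not clobber that copy with the
    # script's own output). Abort rather than overwrite if the copy fails.
    if [ -f /etc/tor/torrc ] && [ ! -f /etc/tor/torrc.bak ]; then
        cp -p -- /etc/tor/torrc /etc/tor/torrc.bak || exit 4
    fi

    {
        echo
        echo DNSPort 127.0.0.1:9053
        echo AutomapHostsOnResolve 1
        echo AutomapHostsSuffixes .onion
        echo
        echo TransPort 127.0.0.1:9040
        echo VirtualAddrNetwork 10.192.0.0/10
    } > /etc/tor/torrc && systemctl restart tor && cat /etc/tor/torrc
}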
  130.  
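# Entry point: dispatch on the first argument. "start" takes the Tor user
# as its optional second argument; anything else prints usage to stderr
# (exit status stays 0, as before).
case "$1" in
    stop)
        stop
    ;;
    start)
        start "$2"
    ;;
    *)
        # Quoted so "[debian-]tor" is printed literally rather than being
        # expanded as a glob against files in the current directory.
        printf '%s stop\n%s start [debian-]tor\n' "$0" "$0" >&2
    ;;
esac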
  143.  