forcewall.sh

1. #!/bin/bash
2.  
3. SPECIAL_ADDRS='255.255.255.255/32 240.0.0.0/4 233.252.0.0/24 224.0.0.0/4 203.0.113.0/24 198.51.100.0/24 198.18.0.0/15 192.168.0.0/16 192.88.99.0/24 192.0.2.0/24 192.0.0.0/24 172.16.0.0/12 169.254.0.0/16 127.0.0.0/8 100.64.0.0/10 10.0.0.0/8 0.0.0.0/8'
4.  
5. # ---
6.  
7. umask 0022
8.  
9. # ---
10.  
11. if [ $EUID != 0 ]; then
12.   echo "run as root!"
13.  
14.   exit 1
15. fi
16.  
17. # ---
18.  
19. id debian-tor || exit 2
20.  
21. # ---
22.  
23. if [ "$1" == "-F" ]; then
24.   iptables -F
25.   iptables -t nat -F
26.  
27.   iptables -P INPUT ACCEPT
28.   iptables -P FORWARD ACCEPT
29.   iptables -P OUTPUT ACCEPT
30.  
31.   iptables -nvL
32.   iptables -t nat -nvL
33.  
34.   chattr -f -i /etc/resolv.conf
35.   echo nameserver 1.1.1.1 > /etc/resolv.conf
36.   chattr -f +i /etc/resolv.conf
37.  
38.   exit
39. fi
40.  
41. # ---
42.  
43. iptables -P INPUT DROP
44. iptables -P FORWARD DROP
45. iptables -P OUTPUT DROP
46.  
47. # ---
48.  
49. iptables -A INPUT -m state --state INVALID -j DROP
50. iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
51. iptables -A INPUT -i lo -j ACCEPT
52. iptables -A INPUT -j DROP
53.  
54. # ---
55.  
56. iptables -A FORWARD -j DROP
57.  
58. # ---
59.  
60. iptables -A OUTPUT -m state --state INVALID -j DROP
61. iptables -A OUTPUT -m state --state ESTABLISHED -j ACCEPT
62.  
63. iptables -A OUTPUT -p udp -d 127.0.0.1 --dport 9053 -j ACCEPT
64. iptables -A OUTPUT -p tcp -d 127.0.0.1 --dport 9040 --syn -j ACCEPT
65.  
66. iptables -A OUTPUT -p tcp -m owner --uid-owner debian-tor -m state --state NEW --syn -j ACCEPT
67. iptables -A OUTPUT -o lo -j ACCEPT
68.  
69. for special_addr in $SPECIAL_ADDRS; do
70.   iptables -A OUTPUT -d $special_addr -j DROP
71. done
72.  
73. iptables -A OUTPUT -j DROP
74.  
75. # ---
76.  
77. iptables -t nat -A OUTPUT -p udp --dport 53 -j DNAT --to-destination='127.0.0.1:9053'
78. iptables -t nat -A OUTPUT -p tcp -d 10.192.0.0/10 --syn -j DNAT --to-destination='127.0.0.1:9040'
79.  
80. iptables -t nat -A OUTPUT -p tcp -m owner --uid-owner debian-tor --syn -j RETURN
81. iptables -t nat -A OUTPUT -o lo -j RETURN
82.  
83. for special_addr in $SPECIAL_ADDRS; do
84.   iptables -t nat -A OUTPUT -d $special_addr -j RETURN
85. done
86.  
87. iptables -t nat -A OUTPUT -p tcp --syn -j DNAT --to-destination='127.0.0.1:9040'
88.  
89. # ---
90.  
91. ip6tables -P INPUT DROP
92. ip6tables -P FORWARD DROP
93. ip6tables -P OUTPUT DROP
94.  
95. ip6tables -A INPUT -j DROP
96. ip6tables -A FORWARD -j DROP
97. ip6tables -A OUTPUT -j DROP
98.  
99. # ---
100.  
101. iptables -nvL
102. iptables -t nat -nvL
103.  
104. # ---
105.  
106. {
107.   echo DNSPort 127.0.0.1:9053
108.   echo AutomapHostsOnResolve 1
109.   echo AutomapHostsSuffixes .onion
110.   echo
111.   echo TransPort 127.0.0.1:9040
112.   echo VirtualAddrNetwork 10.192.0.0/10
113. } > /etc/tor/torrc
114.  
115. /etc/init.d/tor restart
116.  
117. # ---
118.  
119. chattr -f -i /etc/hosts.allow
120. echo > /etc/hosts.allow
121. chattr -f +i /etc/hosts.allow
122.  
123. chattr -f -i /etc/hosts.deny
124. echo "ALL:ALL" > /etc/hosts.deny
125. chattr -f +i /etc/hosts.deny
126.  
127. chattr -f -i /etc/resolv.conf
128. echo "nameserver 127.0.0.1" > /etc/resolv.conf
129. chattr -f +i /etc/resolv.conf
130.  
131. # ---
132.  
133. exit 0