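#!/bin/bash
#
# forcewall.sh - force every IPv4 connection from this host through the local
# Tor client (transparent proxy on loopback) and drop IPv6 entirely.
#
# Usage:
#   forcewall.sh       install the lockdown rule set, write /etc/tor/torrc,
#                      restart Tor and pin hosts.allow / hosts.deny /
#                      resolv.conf with the immutable bit
#   forcewall.sh -F    flush the IPv4 and IPv6 rule sets, reset all policies
#                      to ACCEPT and restore a public resolver in resolv.conf
#
# Must run as root; requires the "debian-tor" user (Debian/Ubuntu tor package).
# /etc/tor/torrc is overwritten, not merged: any settings already there are
# lost. The immutable bit is best-effort — not every filesystem supports
# chattr(1), and when resolv.conf is a symlink (e.g. into /run) the bit cannot
# protect it — so check the pinned files afterwards.
#
# Exit status: 0 on success, 1 when not root or a rule/file step fails,
# 2 when the Tor user does not exist.

set -euo pipefail
umask 0022

# Tor listeners (loopback only) and the VirtualAddrNetwork used for .onion
# automapping. The iptables rules and the generated torrc both use these.
readonly TOR_USER='debian-tor'
readonly TOR_DNS_PORT='9053'
readonly TOR_TRANS_PORT='9040'
readonly TOR_VIRT_NET='10.192.0.0/10'
# Resolver restored by "-F"; with the firewall open, DNS goes out in the clear.
readonly RESET_NAMESERVER='1.1.1.1'

# Special-purpose / non-routable IPv4 ranges. Traffic to these must never be
# handed to Tor: it is dropped in filter/OUTPUT and exempted (RETURN) from the
# catch-all DNAT in nat/OUTPUT.
readonly SPECIAL_ADDRS=(
  255.255.255.255/32
  240.0.0.0/4
  233.252.0.0/24
  224.0.0.0/4
  203.0.113.0/24
  198.51.100.0/24
  198.18.0.0/15
  192.168.0.0/16
  192.88.99.0/24
  192.0.2.0/24
  192.0.0.0/24
  172.16.0.0/12
  169.254.0.0/16
  127.0.0.0/8
  100.64.0.0/10
  10.0.0.0/8
  0.0.0.0/8
)

#######################################
# Print a message to stderr and exit.
# Arguments: $1 - exit status, $* - message
#######################################
die() {
  local rc=$1
  shift
  printf '%s\n' "$*" >&2
  exit "$rc"
}

#######################################
# Run a command and abort if it fails. A rule that silently fails to load is
# dangerous here: a missing RETURN in front of the catch-all DNAT, or a
# missing DROP, would leak traffic outside Tor.
# Arguments: the command and its arguments
#######################################
run() {
  "$@" || die 1 "failed: $*"
}

#######################################
# Rewrite a config file that is kept immutable with chattr +i.
# Arguments: $1 - path, $2 - content (a trailing newline is appended)
# Clearing the bit is allowed to fail (file may not be immutable yet or the
# filesystem may not support flags); failing to re-set it is reported but not
# fatal, so the remaining lockdown steps still run.
#######################################
write_pinned() {
  local path=$1
  local content=$2
  chattr -f -i "$path" 2>/dev/null || true
  printf '%s\n' "$content" > "$path" || die 1 "cannot write $path"
  chattr -f +i "$path" 2>/dev/null \
    || printf 'warning: could not set immutable bit on %s\n' "$path" >&2
}

#######################################
# "-F" mode: open the firewall again and restore a public resolver.
# Globals: RESET_NAMESERVER
#######################################
reset_firewall() {
  run iptables -F
  run iptables -t nat -F
  run iptables -P INPUT ACCEPT
  run iptables -P FORWARD ACCEPT
  run iptables -P OUTPUT ACCEPT

  # The install path locks IPv6 down as well; undo that here too, otherwise
  # a "reset" host is left with no IPv6 connectivity at all.
  run ip6tables -F
  run ip6tables -P INPUT ACCEPT
  run ip6tables -P FORWARD ACCEPT
  run ip6tables -P OUTPUT ACCEPT

  run iptables -nvL
  run iptables -t nat -nvL

  write_pinned /etc/resolv.conf "nameserver $RESET_NAMESERVER"
}

#######################################
# Install the Tor-only rule set for IPv4 and a drop-everything set for IPv6.
# Globals: SPECIAL_ADDRS, TOR_USER, TOR_DNS_PORT, TOR_TRANS_PORT, TOR_VIRT_NET
#######################################
install_firewall() {
  local addr

  # Fail closed from the first command: policies go to DROP before the old
  # rules are flushed, so nothing slips through in between. The flush is also
  # what makes this idempotent (without it every run appends a second copy of
  # each rule) and removes any pre-existing ACCEPT rule that would otherwise
  # be matched before the rules appended below.
  run iptables -P INPUT DROP
  run iptables -P FORWARD DROP
  run iptables -P OUTPUT DROP
  run iptables -F
  run iptables -t nat -F

  # INPUT: only replies to our own connections and loopback.
  run iptables -A INPUT -m state --state INVALID -j DROP
  run iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
  run iptables -A INPUT -i lo -j ACCEPT
  run iptables -A INPUT -j DROP

  # This host does not route for anybody.
  run iptables -A FORWARD -j DROP

  # OUTPUT: replies, the two Tor listeners on loopback, new TCP connections
  # opened by the Tor daemon itself (its only path to the network), anything
  # else on loopback, then the special ranges and a final catch-all DROP.
  run iptables -A OUTPUT -m state --state INVALID -j DROP
  run iptables -A OUTPUT -m state --state ESTABLISHED -j ACCEPT
  run iptables -A OUTPUT -p udp -d 127.0.0.1 --dport "$TOR_DNS_PORT" -j ACCEPT
  run iptables -A OUTPUT -p tcp -d 127.0.0.1 --dport "$TOR_TRANS_PORT" --syn -j ACCEPT
  run iptables -A OUTPUT -p tcp -m owner --uid-owner "$TOR_USER" \
    -m state --state NEW --syn -j ACCEPT
  run iptables -A OUTPUT -o lo -j ACCEPT
  for addr in "${SPECIAL_ADDRS[@]}"; do
    run iptables -A OUTPUT -d "$addr" -j DROP
  done
  run iptables -A OUTPUT -j DROP

  # nat/OUTPUT, in order: UDP DNS from every uid (Tor included) goes to the
  # DNSPort; connections into the VirtualAddrNetwork (automapped .onion
  # addresses) go to the TransPort; Tor's own connections, loopback and the
  # special ranges bypass redirection; every other new TCP connection is
  # redirected to the TransPort.
  run iptables -t nat -A OUTPUT -p udp --dport 53 \
    -j DNAT --to-destination "127.0.0.1:$TOR_DNS_PORT"
  run iptables -t nat -A OUTPUT -p tcp -d "$TOR_VIRT_NET" --syn \
    -j DNAT --to-destination "127.0.0.1:$TOR_TRANS_PORT"
  run iptables -t nat -A OUTPUT -p tcp -m owner --uid-owner "$TOR_USER" --syn -j RETURN
  run iptables -t nat -A OUTPUT -o lo -j RETURN
  for addr in "${SPECIAL_ADDRS[@]}"; do
    run iptables -t nat -A OUTPUT -d "$addr" -j RETURN
  done
  run iptables -t nat -A OUTPUT -p tcp --syn \
    -j DNAT --to-destination "127.0.0.1:$TOR_TRANS_PORT"

  # IPv6: the Tor listeners are IPv4-only here, so drop everything. Policy
  # first, then flush, then explicit DROP rules — same fail-closed order.
  run ip6tables -P INPUT DROP
  run ip6tables -P FORWARD DROP
  run ip6tables -P OUTPUT DROP
  run ip6tables -F
  run ip6tables -A INPUT -j DROP
  run ip6tables -A FORWARD -j DROP
  run ip6tables -A OUTPUT -j DROP

  run iptables -nvL
  run iptables -t nat -nvL
}

#######################################
# Write a minimal torrc matching the firewall rules and restart Tor.
# Globals: TOR_DNS_PORT, TOR_TRANS_PORT, TOR_VIRT_NET
# A failed restart is reported but not fatal: the firewall is already closed,
# so the host simply has no egress until Tor comes up.
#######################################
configure_tor() {
  # Whole-file overwrite; existing torrc content is not preserved.
  {
    printf 'DNSPort 127.0.0.1:%s\n' "$TOR_DNS_PORT"
    printf 'AutomapHostsOnResolve 1\n'
    printf 'AutomapHostsSuffixes .onion\n'
    printf '\n'
    printf 'TransPort 127.0.0.1:%s\n' "$TOR_TRANS_PORT"
    printf 'VirtualAddrNetwork %s\n' "$TOR_VIRT_NET"
  } > /etc/tor/torrc || die 1 'cannot write /etc/tor/torrc'

  /etc/init.d/tor restart \
    || printf 'warning: tor restart failed; no egress until tor is running\n' >&2
}

#######################################
# Pin TCP-wrapper files (deny all) and point the resolver at Tor's DNSPort.
#######################################
pin_host_files() {
  write_pinned /etc/hosts.allow ''
  write_pinned /etc/hosts.deny 'ALL:ALL'
  write_pinned /etc/resolv.conf 'nameserver 127.0.0.1'
}

main() {
  [[ $EUID -eq 0 ]] || die 1 'run as root!'
  id "$TOR_USER" >/dev/null 2>&1 || die 2 "user $TOR_USER does not exist"

  if [[ ${1:-} == '-F' ]]; then
    reset_firewall
    exit 0
  fi

  install_firewall
  configure_tor
  pin_host_files
  exit 0
}

main "$@"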