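#!/bin/bash
#
# firewall.sh - force every IPv4 connection from this host through a local
# Tor client (transparent proxy) and drop everything else, IPv6 included.
#
# Steps, in order:
#   1. refuse to run unless root and unless the debian-tor user exists;
#   2. put DROP policies on the filter table, then rebuild filter and nat
#      from scratch (policy first, so the table never sits empty under the
#      previous, typically ACCEPT, policy);
#   3. drop all IPv6 - there is no Tor path for it in this setup;
#   4. deny every tcp_wrappers-aware service (hosts.allow / hosts.deny);
#   5. point the resolver at 127.0.0.1 and make resolv.conf immutable;
#   6. replace /etc/tor/torrc (DNSPort/TransPort/VirtualAddrNetwork) and
#      restart tor.
#
# Traffic model (IPv4):
#   - the debian-tor user may open any new outbound TCP connection (that is
#     Tor itself talking to the network);
#   - every other process is DNATed: UDP/53 -> Tor DNSPort, TCP SYN ->
#     Tor TransPort; loopback and the reserved ranges below are exempted in
#     nat and then dropped in filter;
#   - inbound: only replies to our own connections (ESTABLISHED) and loopback.
#
# Rules are not persisted: rerun after reboot or hook into iptables-persistent.
# Exit codes: 1 not root, 2 no debian-tor user, 3 default policies could
# not be set (nothing else has been touched at that point).

set -u
PATH=/usr/sbin:/usr/bin:/sbin:/bin

# Tor's local listeners: written to torrc below and targeted by the DNAT rules,
# so the two places cannot drift apart.
readonly TOR_DNS_PORT=9053
readonly TOR_TRANS_PORT=9040
# Range Tor hands out for automapped .onion names (VirtualAddrNetwork). It lies
# inside 10.0.0.0/8, so its DNAT rule must precede the reserved-range RETURNs.
readonly TOR_VIRT_NET=10.192.0.0/10

# Loopback, private, link-local, multicast, reserved and documentation ranges.
# Never sent through Tor: nat leaves them alone, filter drops them (loopback
# itself is handled first by the -o lo rules).
readonly -a SPECIAL_ADDRS=(
  255.255.255.255/32
  240.0.0.0/4
  233.252.0.0/24
  224.0.0.0/4
  203.0.113.0/24
  198.51.100.0/24
  198.18.0.0/15
  192.168.0.0/16
  192.88.99.0/24
  192.0.2.0/24
  192.0.0.0/24
  172.16.0.0/12
  169.254.0.0/16
  127.0.0.0/8
  100.64.0.0/10
  10.0.0.0/8
  0.0.0.0/8
)

# die STATUS MESSAGE... - print MESSAGE to stderr and exit with STATUS.
die() {
  local status=$1
  shift
  printf '%s\n' "$*" >&2
  exit "$status"
}

# --- preconditions ---

[[ "$EUID" -eq 0 ]] || die 1 'run as root'
id -u debian-tor >/dev/null 2>&1 || die 2 'user debian-tor does not exist'

# --- IPv4: fail closed, then rebuild ---

# DROP policies go in *before* the flush. Flushing first would leave a window
# with an empty table under the old policy, i.e. unfiltered clearnet traffic.
for chain in INPUT FORWARD OUTPUT; do
  iptables -P "$chain" DROP || die 3 "cannot set DROP policy on $chain"
done
iptables -F
iptables -t nat -F

# --- IPv4 filter: INPUT ---
# Replies to connections we opened, plus loopback. No inbound services at all.
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -j DROP   # explicit terminal rule on top of the DROP policy

# --- IPv4 filter: FORWARD ---
iptables -A FORWARD -j DROP

# --- IPv4 filter: OUTPUT ---
iptables -A OUTPUT -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state ESTABLISHED -j ACCEPT

# Packets already rewritten by the nat rules below arrive here with the Tor
# listener as destination; accept those.
iptables -A OUTPUT -p udp -d 127.0.0.1 --dport "$TOR_DNS_PORT" -j ACCEPT
iptables -A OUTPUT -p tcp -d 127.0.0.1 --dport "$TOR_TRANS_PORT" --syn -j ACCEPT

# Tor is the only process allowed to open connections to the outside. TCP
# only - enough for a plain Tor client; a UDP-based pluggable transport, if
# one were configured, would need its own rule.
iptables -A OUTPUT -p tcp -m owner --uid-owner debian-tor -m state --state NEW --syn -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Reserved ranges were skipped by nat, so they still carry their original
# destination here: drop them explicitly. The final DROP catches the rest.
for special_addr in "${SPECIAL_ADDRS[@]}"; do
  iptables -A OUTPUT -d "$special_addr" -j DROP
done
iptables -A OUTPUT -j DROP

# --- IPv4 nat: OUTPUT (transparent redirection) ---
# Order matters: all DNS and the whole VirtualAddrNetwork are redirected
# first; then Tor's own traffic, loopback and reserved ranges are exempted;
# whatever remains goes to the TransPort.
#
# NOTE(review): the UDP/53 rule precedes the owner RETURN, so UDP DNS sent by
# debian-tor itself would loop back into the DNSPort too. A plain Tor client
# should not emit such queries; confirm if tor ever logs resolver errors.
iptables -t nat -A OUTPUT -p udp --dport 53 -j DNAT --to-destination "127.0.0.1:$TOR_DNS_PORT"
iptables -t nat -A OUTPUT -p tcp -d "$TOR_VIRT_NET" --syn -j DNAT --to-destination "127.0.0.1:$TOR_TRANS_PORT"

iptables -t nat -A OUTPUT -m owner --uid-owner debian-tor -j RETURN
iptables -t nat -A OUTPUT -o lo -j RETURN

for special_addr in "${SPECIAL_ADDRS[@]}"; do
  iptables -t nat -A OUTPUT -d "$special_addr" -j RETURN
done

iptables -t nat -A OUTPUT -p tcp --syn -j DNAT --to-destination "127.0.0.1:$TOR_TRANS_PORT"

# --- IPv6: everything dropped, loopback included ---
# Same fail-closed order as for IPv4. This also blocks ::1, so a local service
# bound only to ::1 becomes unreachable - bind it to 127.0.0.1 instead.
# "ip6tables -t nat" may be absent on older kernels; that failure is harmless
# here because nothing below depends on the IPv6 nat table.
for chain in INPUT FORWARD OUTPUT; do
  ip6tables -P "$chain" DROP || die 3 "cannot set DROP policy on IPv6 $chain"
done
ip6tables -F
ip6tables -t nat -F
ip6tables -A INPUT -j DROP
ip6tables -A FORWARD -j DROP
ip6tables -A OUTPUT -j DROP

# --- tcp_wrappers: deny every wrapped service ---
: > /etc/hosts.allow
echo 'ALL:ALL' > /etc/hosts.deny

# --- resolver: loopback only ---
# 127.0.0.1:53 has no listener; the nat UDP/53 DNAT above is what carries
# these queries to Tor's DNSPort, so the two must be kept in sync.
# Immutable so dhclient/resolvconf/NetworkManager cannot write a clearnet
# nameserver back. If resolv.conf is a symlink (e.g. systemd-resolved), this
# writes through to the target - check before running.
chattr -i /etc/resolv.conf
printf 'nameserver 127.0.0.1\n' > /etc/resolv.conf && chattr +i /etc/resolv.conf

# --- torrc: replaced wholesale ---
# Any existing /etc/tor/torrc is overwritten without backup; every setting not
# listed here falls back to Tor's built-in default.
# The trailing echo is the author's leak-test tally ("ng" presumably = no
# good). Note that ICMP is not "ok" in the sense of working: with OUTPUT
# defaulting to DROP it cannot leave the host at all, which is the intent.
{
  printf 'DNSPort 127.0.0.1:%s\n' "$TOR_DNS_PORT"
  printf 'AutomapHostsOnResolve 1\n'
  printf 'AutomapHostsSuffixes .onion\n'
  printf '\n'
  printf 'TransPort 127.0.0.1:%s\n' "$TOR_TRANS_PORT"
  printf 'VirtualAddrNetwork %s\n' "$TOR_VIRT_NET"
} > /etc/tor/torrc && systemctl restart tor && echo 'tcp: ok, udp: ok, icmp: ok, webrtc: ng'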