firewall.sh

1. #!/bin/bash
2.  
3. PATH=/usr/sbin:/usr/bin:/sbin:/bin
4. SPECIAL_ADDRS='255.255.255.255/32 240.0.0.0/4 233.252.0.0/24 224.0.0.0/4 203.0.113.0/24 198.51.100.0/24 198.18.0.0/15 192.168.0.0/16 192.88.99.0/24 192.0.2.0/24 192.0.0.0/24 172.16.0.0/12 169.254.0.0/16 127.0.0.0/8 100.64.0.0/10 10.0.0.0/8 0.0.0.0/8'
5.  
6. # ---
7.  
8. [ $EUID != 0 ] && echo run as root && exit 1
9.  
10. # ---
11.  
12. id debian-tor || exit 2
13.  
14. # ---
15.  
16. iptables -F; iptables -t nat -F
17. iptables -P INPUT DROP; iptables -P FORWARD DROP; iptables -P OUTPUT DROP
18.  
19. # ---
20.  
21. iptables -A INPUT -m state --state INVALID -j DROP
22. iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
23. iptables -A INPUT -i lo -j ACCEPT
24. iptables -A INPUT -j DROP
25.  
26. # ---
27.  
28. iptables -A FORWARD -j DROP
29.  
30. # ---
31.  
32. iptables -A OUTPUT -m state --state INVALID -j DROP
33. iptables -A OUTPUT -m state --state ESTABLISHED -j ACCEPT
34.  
35. iptables -A OUTPUT -p udp -d 127.0.0.1 --dport 9053 -j ACCEPT
36. iptables -A OUTPUT -p tcp -d 127.0.0.1 --dport 9040 --syn -j ACCEPT
37.  
38. iptables -A OUTPUT -p tcp -m owner --uid-owner debian-tor -m state --state NEW --syn -j ACCEPT
39. iptables -A OUTPUT -o lo -j ACCEPT
40.  
41. for special_addr in $SPECIAL_ADDRS; do
42.   iptables -A OUTPUT -d $special_addr -j DROP
43. done
44.  
45. iptables -A OUTPUT -j DROP
46.  
47. # ---
48.  
49. iptables -t nat -A OUTPUT -p udp --dport 53 -j DNAT --to-destination='127.0.0.1:9053'
50. iptables -t nat -A OUTPUT -p tcp -d 10.192.0.0/10 --syn -j DNAT --to-destination='127.0.0.1:9040'
51.  
52. iptables -t nat -A OUTPUT -m owner --uid-owner debian-tor -j RETURN
53. iptables -t nat -A OUTPUT -o lo -j RETURN
54.  
55. for special_addr in $SPECIAL_ADDRS; do
56.   iptables -t nat -A OUTPUT -d $special_addr -j RETURN
57. done
58.  
59. iptables -t nat -A OUTPUT -p tcp --syn -j DNAT --to-destination='127.0.0.1:9040'
60.  
61. # ---
62.  
63. ip6tables -F; ip6tables -t nat -F
64. ip6tables -P INPUT DROP; ip6tables -P FORWARD DROP; ip6tables -P OUTPUT DROP
65. ip6tables -A INPUT -j DROP; ip6tables -A FORWARD -j DROP; ip6tables -A OUTPUT -j DROP
66.  
67. # ---
68.  
69. > /etc/hosts.allow
70. echo ALL:ALL > /etc/hosts.deny
71.  
72. # ---
73.  
74. chattr -i /etc/resolv.conf
75. {
76.   echo nameserver 127.0.0.1
77. } > /etc/resolv.conf && chattr +i /etc/resolv.conf
78.  
79. # ---
80.  
81. {
82.   echo DNSPort 127.0.0.1:9053
83.   echo AutomapHostsOnResolve 1
84.   echo AutomapHostsSuffixes .onion
85.   echo
86.   echo TransPort 127.0.0.1:9040
87.   echo VirtualAddrNetwork 10.192.0.0/10
88. } > /etc/tor/torrc && systemctl restart tor && echo tcp: ok, udp: ok, icmp: ok, webrtc: ng