firewall.sh

1. #!/bin/sh
2.  
3. iptables -P INPUT DROP; iptables -P FORWARD DROP; iptables -P OUTPUT DROP
4.  
5. # ---
6.  
7. iptables -A INPUT -m state --state INVALID -j DROP
8. iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
9. iptables -A INPUT -i lo -j ACCEPT
10. iptables -A INPUT -j DROP
11.  
12. # ---
13.  
14. iptables -A FORWARD -j DROP
15.  
16. # ---
17.  
18. iptables -A OUTPUT -m state --state INVALID -j DROP
19. iptables -A OUTPUT -m state --state ESTABLISHED -j ACCEPT
20.  
21. iptables -A OUTPUT -p udp -d 127.0.0.1 --dport 9053 -j ACCEPT
22. iptables -A OUTPUT -p tcp -d 127.0.0.1 --dport 9040 --syn -j ACCEPT
23.  
24. iptables -A OUTPUT -p tcp -m owner --uid-owner debian-tor -m state --state NEW --syn -j ACCEPT
25. iptables -A OUTPUT -o lo -j ACCEPT
26.  
27. for special_addr in '255.255.255.255/32 240.0.0.0/4 233.252.0.0/24 224.0.0.0/4 203.0.113.0/24 198.51.100.0/24 198.18.0.0/15 192.168.0.0/16 192.88.99.0/24 192.0.2.0/24 192.0.0.0/24 172.16.0.0/12 169.254.0.0/16 127.0.0.0/8 100.64.0.0/10 10.0.0.0/8 0.0.0.0/8'; do
28.     iptables -A OUTPUT -d $special_addr -j DROP
29. done
30.  
31. iptables -A OUTPUT -j DROP
32.  
33. # ---
34.  
35. iptables -t nat -A OUTPUT -p udp --dport 53 -j DNAT --to-destination='127.0.0.1:9053'
36. iptables -t nat -A OUTPUT -p tcp -d 10.192.0.0/10 --syn -j DNAT --to-destination='127.0.0.1:9040'
37.  
38. iptables -t nat -A OUTPUT -p tcp -m owner --uid-owner debian-tor --syn -j RETURN
39. iptables -t nat -A OUTPUT -o lo -j RETURN
40.  
41. for special_addr in '255.255.255.255/32 240.0.0.0/4 233.252.0.0/24 224.0.0.0/4 203.0.113.0/24 198.51.100.0/24 198.18.0.0/15 192.168.0.0/16 192.88.99.0/24 192.0.2.0/24 192.0.0.0/24 172.16.0.0/12 169.254.0.0/16 127.0.0.0/8 100.64.0.0/10 10.0.0.0/8 0.0.0.0/8'; do
42.     iptables -t nat -A OUTPUT -d $special_addr -j RETURN
43. done
44.  
45. iptables -t nat -A OUTPUT -p tcp --syn -j DNAT --to-destination='127.0.0.1:9040'
46.  
47. # ---
48.  
49. ip6tables -P INPUT DROP; ip6tables -P FORWARD DROP; ip6tables -P OUTPUT DROP
50. ip6tables -A INPUT -j DROP; ip6tables -A FORWARD -j DROP; ip6tables -A OUTPUT -j DROP
51.  
52. # ---
53.  
54. {
55.     echo DNSPort 127.0.0.1:9053
56.     echo AutomapHostsOnResolve 1
57.     echo AutomapHostsSuffixes .onion
58.     echo
59.     echo TransPort 127.0.0.1:9040
60.     echo VirtualAddrNetwork 10.192.0.0/10
61. } > /etc/tor/torrc
62.  
63. # ---
64.  
65. systemctl restart tor
66.  
67. # ---
68.  
69. exit 0
70.