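#!/bin/bash
#
# Host firewall for a single server, expressed as one nftables ruleset.
#
# The ruleset is rendered from the variables below and handed to `nft -f`
# as ONE transaction: either every rule loads or the kernel keeps the previous
# ruleset. The earlier form of this script ran `nft flush ruleset` and then
# added rules one `nft add ...` call at a time into chains created with
# `policy accept`; a typo in any single rule left the host with no final drop
# (fail-open), and even a correct run had a short window with no filtering.
#
# Usage: firewall.sh [-n]        (must run as root to apply)
#   -n   print the generated ruleset to stdout instead of applying it
#
# Scope, unchanged from the original: only the IPv4 (`ip`) family is filtered.
# IPv6 traffic is NOT filtered by this table, and `flush ruleset` also removes
# any ip6/inet table that may have been doing so. Switch to an `inet` table
# (adding icmpv6 / neighbour-discovery accept rules first) before relying on
# this script where the host has IPv6 connectivity.
#
# When applying remotely, make sure your own source address is covered by
# WHITELIST_SSH: the established-connection rule keeps the current session
# alive, but a reconnect is only possible from whitelisted prefixes.
set -euo pipefail

# --- configuration ---------------------------------------------------------
WAN_IF=eth0                    # uplink interface (used only by a disabled example rule)
# shellcheck disable=SC2034    # kept from the original; no active rule reads it
SERVER_IP=xxx.xxx.xxx.xxx      # this host's public address
SSH_PORT=1337                  # sshd listens on this port instead of 22
# nft set elements: comma-separated CIDR prefixes. A /16 admits ~65k source
# hosts; keep these as narrow as the admin's real addresses allow.
WHITELIST_SSH="xxx.xxx.xxx.xxx/16, 185.195.25.207/32"
WHITELIST_ICMP="xxx.xxx.xxx.xxx/32, xxx.xxx.xxx.xxx/16"
DOCKER_IF=user0                # custom Docker bridge (used only by a disabled example rule)

#######################################
# Render the nftables ruleset from the configuration above.
# Globals:   WAN_IF, SSH_PORT, WHITELIST_SSH, WHITELIST_ICMP, DOCKER_IF (read)
# Outputs:   the ruleset in `nft -f` syntax on stdout
# Note:      a heredoc is not subject to bash brace expansion, so set literals
#            such as { 80, 443 } reach nft intact. (The original shell-argument
#            form only worked because the space in "{80, 443}" defeated
#            brace expansion; "{80,443}" would have been expanded by bash.)
#######################################
render_ruleset() {
  cat <<EOF
# Generated by $0 -- edit the variables in the script, not this output.
flush ruleset

table ip filter {
  chain INPUT {
    # Policy DROP: a ruleset that loads but is incomplete still fails closed.
    # The explicit trailing "counter drop" keeps a hit counter for rejected
    # packets, as the original script had.
    type filter hook input priority 0; policy drop;

    # loopback
    iifname "lo" counter accept
    # packets that do not belong to any tracked connection state
    ct state invalid counter drop
    # replies to connections this host initiated, and related flows
    ct state related,established counter accept
    # whole private LAN on the uplink (example, disabled)
    #iifname "$WAN_IF" ip saddr 192.168.0.0/16 counter accept

    # ssh on the custom port, only from the whitelisted source prefixes
    ip saddr { $WHITELIST_SSH } tcp dport $SSH_PORT counter accept
    # ssh from one host, additionally pinned to its MAC (example, disabled)
    #ip saddr 192.168.8.235/32 ether saddr 44:85:00:8e:42:84 tcp dport 22 counter accept

    # Services
    # NOTE(review): 53/udp and 123/udp are open to the whole Internet. If a
    # recursive resolver or an ntpd answers on them, this host can be used for
    # UDP amplification; restrict them to the clients that need them (see the
    # LAN-only example below) unless they are meant to be public services.
    udp dport 53 counter accept
    udp dport 123 counter accept
    # a UDP service (137/udp, netbios-ns) restricted to the LAN (example, disabled)
    #ip saddr 192.168.8.0/24 udp dport 137 counter accept
    # http/https and the 8080 alternate port, from anywhere
    tcp dport { 80, 443 } counter accept
    tcp dport 8080 counter accept
    # same, LAN only (example, disabled)
    #ip saddr 192.168.8.0/24 tcp dport { 80, 443 } counter accept

    # ICMP: only from the whitelisted prefixes; all other ICMP is dropped
    # without a counter, as in the original.
    #ip protocol icmp counter log prefix "ICMP_TRACE "
    ip saddr { $WHITELIST_ICMP } ip protocol icmp counter accept
    ip protocol icmp drop
    # ICMP alternatives (examples, disabled):
    # accept only during a time window
    #ip protocol icmp meta hour "08:13"-"08:14" counter accept
    # drop echo requests larger than a 64-byte ping (64 + 8 ICMP + 20 IP = 92 bytes)
    #icmp type echo-request meta length 93-65535 counter drop
    # rate-limited, 10 per minute or 10 per second
    #ip protocol icmp limit rate 10/minute burst 5 packets counter accept
    #ip protocol icmp limit rate 10/second burst 5 packets counter accept

    # traffic arriving from the custom Docker bridge (testing, disabled)
    #iifname "$DOCKER_IF" accept

    # everything else
    counter drop
  }

  # FORWARD and OUTPUT stay at policy accept, as in the original.
  # NOTE(review): if Docker is in use, ports it publishes are DNAT'ed and
  # traverse FORWARD, not INPUT, so nothing in INPUT restricts access to
  # published container ports; and "flush ruleset" above removes any tables
  # Docker created if it runs on the nftables backend.
  chain FORWARD {
    type filter hook forward priority 0; policy accept;
  }
  chain OUTPUT {
    type filter hook output priority 0; policy accept;
  }
}
EOF
}

#######################################
# Apply the ruleset, or with -n print it.
# Arguments: -n  print the ruleset only; do not touch the kernel
# Returns:   0 on success; exits 1 if nft is missing or rejects the ruleset,
#            2 on a usage error
#######################################
main() {
  local print_only=0 opt
  while getopts ':n' opt; do
    case "$opt" in
      n) print_only=1 ;;
      *) printf 'Usage: %s [-n]\n' "${0##*/}" >&2; exit 2 ;;
    esac
  done
  shift $((OPTIND - 1))

  if (( print_only )); then
    render_ruleset
    return 0
  fi

  command -v nft >/dev/null || { printf 'nft not found in PATH\n' >&2; exit 1; }

  local ruleset
  ruleset=$(render_ruleset)
  # Parse-check first so a broken ruleset is reported without touching the
  # kernel. The real load with `nft -f` is itself one batch: on any error the
  # previous ruleset stays in place, so there is no unfiltered window.
  printf '%s\n' "$ruleset" | nft -c -f - \
    || { printf 'ruleset rejected by "nft -c"; nothing applied\n' >&2; exit 1; }
  printf '%s\n' "$ruleset" | nft -f -
}

main "$@"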