diff --git a/firewall2.sh b/firewall2.sh
new file mode 100644
index 0000000..5cfc85f
--- /dev/null
+++ b/firewall2.sh
@@ -0,0 +1,267 @@
+#!/bin/bash
+MY_IP=$(curl ifconfig.me)
+NGINX_ACCESS="/var/log/nginx/access.log"
+WIREGUARD=(57692 853)
+WEB=(80 443)
+ADGUARD=(53 3000 8082 67)
+CUPS=(631 5353)
+BITCOIN=(8333 8332 8334 4050)
+LND=(9735 8080 28334 28333 19998 29000)
+SYNCTHING=(22000 8384 21027)
+NFS=(2049 111)
+JELLYFIN=(8096 1900 7359)
+MACHINES=(192.168.0.55 192.168.0.146)
+ADMIN=(22 9090)
+#### IPTABLES CONFIG ####
+IPTABLES_TCP='nft add rule inet main main tcp dport '
+IPTABLES_UDP='nft add rule inet main main udp dport '
+IPTABLES_DROP='counter drop'
+IPTABLES_ACCEPT='counter accecpt'
+####
+SAVED_BOTS='/root/firewall/bots.txt'
+CRAWLER_DB='/root/firewall/crawlers.txt'
+PEDO_DB='/root/firewall/pedo.txt'
+PEDO_LOG='/root/firewall/pedo-log.txt'
+ATTACKER_DB='/root/firewall/attacker-db.txt'
+ATTACKER_LOG='/root/firewall/attackers.txt'
+BOT_ACCOUNT="blockbot@detroitriotcity.com"
+CRAWLER_TMP='/tmp/crawlers.txt'
+DATE="$(date +%Y:%H: -d "1 hour ago")"
+#DATE="$(date +%Y:%H:)";
+
+ddos-protection() {
+ attacker-search
+ pedo-search
+ bot-search
+}
+
+bot-search() {
+ noscl setprivate 80ec76355ba0a72cef69d427bfc8c7dc8a7d015b2b8c07657b46ba1f972b6f35
+ CRAWLERS=($(cat $NGINX_ACCESS | grep -vEi $MY_IP | grep -Evi 'spank|report|rape|block' | grep -Ei -f $CRAWLER_DB | cut -d "-" -f1 | sort -u))
+ echo >$CRAWLER_TMP
+
+ echo
+ echo "Processing Web Crawler list into iptables....."
+ echo
+ for i in "${CRAWLERS[@]}"; do
+ $IPTABLES_TCP -s $i $IPTABLES_DROP
+ echo $i >>$CRAWLER_TMP
+ done
+
+ BOT_LOG=($(cat $SAVED_BOTS | sort -u))
+ echo
+ echo "Feeding $SAVED_BOTS into iptables....."
+ echo
+ for i in "${BOT_LOG[@]}"; do
+ $IPTABLES_TCP -s $i $IPTABLES_DROP
+ echo $i >>$CRAWLER_TMP
+ done
+
+ echo "Saving Bot list to $SAVED_BOTS....."
+ cat $CRAWLER_TMP | sort -u >$SAVED_BOTS
+}
+
+pedo-search() {
+ echo
+ echo "Processing Pedo Searches into iptables....."
+ PEDO_SEARCH=($(cat $NGINX_ACCESS | grep -i "$DATE" | grep -vi $MY_IP | grep -Ei -f $PEDO_DB | grep -Ei 'tag|search' | cut -d "-" -f1 | sort -u))
+ for i in "${PEDO_SEARCH[@]}"; do
+ $IPTABLES_TCP -s $i $IPTABLES_DROP
+ QUERY=$(cat $NGINX_ACCESS | grep -i "$DATE" | grep -vi $MY_IP | grep -Ei 'tag|search' | grep -Evi -f $CRAWLER_DB | grep -Evi 'packs|media|akkoma|timeline|favicon|announcements|notifications|accounts|pleroma|mutes|emoji|static|images|oauth' | grep $i | grep -Ei -f $PEDO_DB | head -1)
+ if [ -z "$QUERY" ]; then
+ echo "No Pedos Found"
+ else
+ echo "Found Pedo!"
+ if [[ "$QUERY" == *"detroit"* ]]; then
+ noscl publish --profile=33c74427f3b2b73d5e38f3e6c991c122a55d204072356f71da49a0e209fb6940 "$QUERY"
+ toot activate $BOT_ACCOUNT
+ toot post ":emergency: :hacker_p: :hacker_e: :hacker_d: :hacker_o: :trans: :hacker_a: :hacker_l: :hacker_e: :hacker_r: :hacker_t: :emergency2: $QUERY" -m /root/detroit/akkoma/blockbot/pedo.png
+ else
+ noscl publish --profile=33c74427f3b2b73d5e38f3e6c991c122a55d204072356f71da49a0e209fb6940 "[Pedo Alert] A Pedo has been found! $QUERY"
+
+ fi
+
+ echo $i >>$PEDO_LOG
+ fi
+ done
+
+}
+
+attacker-search() {
+ echo
+ echo "Processing Attacker Searches into iptables....."
+ echo
+ ATTACKER_SEARCH=($(cat $NGINX_ACCESS | grep -i "$DATE" | grep -vi $MY_IP | grep -Ei -f $ATTACKER_DB | cut -d "-" -f1 | sort -u))
+ for i in "${ATTACKER_SEARCH[@]}"; do
+ $IPTABLES_TCP -s $i $IPTABLES_DROP
+ QUERY=$(cat $NGINX_ACCESS | grep -i "$DATE" | grep -vi $MY_IP | grep $i | grep -Ei -f $ATTACKER_DB | head -1)
+ if [ -z "$QUERY" ]; then
+ echo "No Attackers Found"
+ else
+ echo "Found Attacker!"
+ noscl publish --profile=33c74427f3b2b73d5e38f3e6c991c122a55d204072356f71da49a0e209fb6940 "[Attacker Alert] An attacker has been found! $QUERY"
+ echo $i >>$ATTACKER_LOG
+ fi
+ done
+
+}
+
+basic-security() {
+ nft delete chain inet main
+ nft delete table main
+ nft add table inet main
+ nft add chain inet main main
+
+ /usr/sbin/iptables -F
+ /usr/sbin/iptables -P INPUT DROP
+ /usr/sbin/iptables -P FORWARD ACCEPT
+ /usr/sbin/iptables -P OUTPUT ACCEPT
+ /usr/sbin/iptables -A INPUT -m conntrack --ctstate established,related $IPTABLES_ACCEPT
+ /usr/sbin/iptables -A INPUT -i lo $IPTABLES_ACCEPT
+
+ /usr/sbin/ip6tables -F
+ /usr/sbin/ip6tables -P INPUT DROP
+ /usr/sbin/ip6tables -P FORWARD ACCEPT
+ /usr/sbin/ip6tables -P OUTPUT ACCEPT
+ /usr/sbin/ip6tables -A INPUT -m conntrack --ctstate established,related $IPTABLES_ACCEPT
+ /usr/sbin/ip6tables -A INPUT -i lo $IPTABLES_ACCEPT
+ #iptables -A INPUT -j LOG --log-prefix "iptables: " --log-level 4
+ #ip6tables -A INPUT -j LOG --log-prefix "iptables: " --log-level 4
+
+}
+
+admin() {
+ for i in "${ADMIN[@]}"; do
+ $IPTABLES_TCP --dport $i $IPTABLES_ACCEPT
+ done
+}
+
+wireguard() {
+ sysctl -w net.ipv4.conf.all.forwarding=1
+ for i in "${WIREGUARD[@]}"; do
+ $IPTABLES_TCP --dport $i $IPTABLES_ACCEPT
+ $IPTABLES_UDP --dport $i $IPTABLES_ACCEPT
+ done
+}
+
+web() {
+ for i in "${WEB[@]}"; do
+ $IPTABLES_TCP --dport $i $IPTABLES_ACCEPT
+ done
+}
+
+adguard() {
+ for i in "${ADGUARD[@]}"; do
+ $IPTABLES_TCP --dport $i $IPTABLES_ACCEPT
+ $IPTABLES_UDP --dport $i $IPTABLES_ACCEPT
+ done
+}
+
+cups() {
+ for i in "${CUPS[@]}"; do
+ $IPTABLES_TCP --dport $i $IPTABLES_ACCEPT
+ $IPTABLES_UDP --dport $i $IPTABLES_ACCEPT
+ done
+}
+
+bitcoin() {
+ for i in "${BITCOIN[@]}"; do
+ $IPTABLES_TCP --dport $i $IPTABLES_ACCEPT
+ done
+}
+
+lnd() {
+ for i in "${LND[@]}"; do
+ $IPTABLES_TCP --dport $i $IPTABLES_ACCEPT
+ done
+}
+
+syncthing() {
+ for i in "${SYNCTHING[@]}"; do
+ $IPTABLES_TCP --dport $i $IPTABLES_ACCEPT
+ $IPTABLES_UDP --dport $i $IPTABLES_ACCEPT
+ done
+}
+
+jellyfin() {
+ for i in "${JELLYFIN[@]}"; do
+ $IPTABLES_TCP --dport $i $IPTABLES_ACCEPT
+ $IPTABLES_UDP --dport $i $IPTABLES_ACCEPT
+ done
+}
+
+kde-connect() {
+ for i in "${KDE_CONNECT[@]}"; do
+ $IPTABLES_TCP --dport 1714:1764 $IPTABLES_ACCEPT
+ $IPTABLES_UDP --dport 1714:1764 $IPTABLES_ACCEPT
+ done
+}
+nfs() {
+ for i in "${NFS[@]}"; do
+ $IPTABLES_TCP --dport $i $IPTABLES_ACCEPT
+ $IPTABLES_UDP --dport $i $IPTABLES_ACCEPT
+ done
+}
+
+trust() {
+ for i in "${MACHINES[@]}"; do
+ $IPTABLES_TCP -s $i $IPTABLES_ACCEPT
+ $IPTABLES_UDP -s $i $IPTABLES_ACCEPT
+ done
+}
+
+start() {
+
+ basic-security
+
+ if [[ $HOSTNAME == *"nas"* ]]; then
+ ddos-protection
+ wireguard
+ web
+ admin
+ adguard
+ cups
+ bitcoin
+ syncthing
+ lnd
+ jellyfin
+
+ #Uptime
+ podman restart uptime-kuma
+ else
+ {
+ syncthing
+ kde-connect
+ /usr/bin/systemctl restart libvirtd
+ }
+ fi
+
+}
+
+stop() {
+ /usr/sbin/iptables -F
+ /usr/sbin/iptables -P INPUT ACCEPT
+ /usr/sbin/iptables -P FORWARD ACCEPT
+ /usr/sbin/iptables -P OUTPUT ACCEPT
+ /usr/sbin/iptables -t nat -F
+ /usr/sbin/iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED $IPTABLES_ACCEPT
+ /usr/sbin/iptables -A INPUT -i lo $IPTABLES_ACCEPT
+
+ /usr/sbin/iptables -F
+ /usr/sbin/ip6tables -P INPUT ACCEPT
+ /usr/sbin/ip6tables -P FORWARD ACCEPT
+ /usr/sbin/ip6tables -P OUTPUT ACCEPT
+ /usr/sbin/ip6tables -t nat -F
+ /usr/sbin/ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED $IPTABLES_ACCEPT
+ /usr/sbin/ip6tables -A INPUT -i lo $IPTABLES_ACCEPT
+}
+
+if [ "$1" = "start" ]; then
+ start
+elif [ "$1" = "ddos" ]; then
+ ddos-protection
+elif [ "$1" = "stop" ]; then
+ stop
+else
+ echo "Invalid Choice"
+fi
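Review bot: The 64-hex argument to `noscl setprivate` at the top of bot-search is, going by that command's name, a Nostr signing key, so this commit checks a private credential into the repository; load it from a root-only file or the environment instead and treat the committed key as compromised. Independently of that, none of the nft rules can load as written: `IPTABLES_ACCEPT='counter accecpt'` is misspelled, the `IPTABLES_TCP`/`IPTABLES_UDP` prefixes are nft syntax but are combined with iptables flags (`--dport`, `-s`), and `nft add chain inet main main` creates a chain with no hook, so it never sees packets — and because basic-security sets `iptables -P INPUT DROP` first while the conntrack/lo ACCEPT lines also carry the bad `accecpt` token, a `start` run is likely to lock out every inbound connection, the admin SSH session included. The minimum fix is `IPTABLES_ACCEPT='counter accept'`, a base chain such as `nft add chain inet main main '{ type filter hook input priority 0; policy drop; }'`, and nft-style rule bodies (`tcp dport $i counter accept`, `ip saddr $i counter drop`), together with `set -e` or an explicit `|| exit` so a rule that fails to load aborts before the policy is flipped. CRAWLER_TMP is a fixed name in world-writable /tmp that root truncates and then copies into SAVED_BOTS, so any local user who pre-creates it can inject addresses into the persistent drop list; use `mktemp` with a cleanup trap. Lastly, `MY_IP=$(curl ifconfig.me)` fetches the exclusion address over plain HTTP and then uses it unquoted as an unanchored regex in every `grep -v`, so a spoofed response such as `.` would silently disable all blocking — prefer `curl -fsS https://ifconfig.me` with the value validated as an IPv4 literal and quoted, or read the address from a local interface.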