Your Name 2024-09-23 15:41:27 -06:00
parent b54efc0e10
commit a64be7f9ee
3 changed files with 15161 additions and 2958 deletions


@ -3267,3 +3267,34 @@
23.96.249.173
51.222.253.16
94.154.239.69
20.172.6.213
20.42.106.69
40.116.86.227
189.113.238.218
172.206.192.26
66.249.79.65
66.249.79.64
167.172.244.121
66.249.73.1
66.249.73.20
66.249.79.76
66.249.73.129
205.210.31.42
167.172.244.121
185.191.171.10
185.191.171.11
194.35.122.80
185.172.53.35
213.109.200.237
45.129.35.122
91.214.64.20
193.160.245.100
212.103.60.163
45.129.35.170
45.94.211.179
194.35.121.120
52.238.29.198
212.103.60.235
172.183.161.199
194.35.121.152
5.255.231.184
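Review bot: 167.172.244.121 is added twice in this hunk (once near the top of the new block and again after 205.210.31.42), so the list gains a duplicate entry; drop one of them, or run the file through `sort -u` before committing, as the firewall script already does when it imports /tmp/db.txt. The 66.249.73.x and 66.249.79.x addresses also sit in a range that, as far as I know, is published as Googlebot's — if this file feeds a block list rather than a crawler allow list, confirm that blocking them is intended. The file name is not visible on this page, so I can't tell which database this is.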


@ -5,29 +5,45 @@ SERVER_IP='192.168.0.55'
NGINX_ACCESS="/tmp/access.log"
#Firewall Port Configuration
#
WIREGUARD=(57692)
WEB=(80 443)
ADGUARD=(3000 8082 853)
UPTIME=(4001)
DNS=(53 67 68)
CUPS=(631 5353)
BITCOIN=(8333 8332 8334 4050)
LND=(10009 9735 8080 28334 28333 19998 29000)
SYNCTHING=(22000 8384 21027)
NFS=(2049 111)
JELLYFIN=(8096 7359)
declare -A portConfig
portConfig["https"]="443"
portConfig["http"]="80"
portConfig["cups"]="631"
portConfig["WireGuard"]="57692"
portConfig["AdGuard-1"]="3000"
portConfig["AdGuard-2"]="8082"
portConfig["AdGuard-3"]="853"
portConfig["Uptime"]="4001"
portConfig["DNS-1"]="53"
portConfig["DNS-2"]="67"
portConfig["DNS-3"]="68"
portConfig["CUPS-1"]="631"
portConfig["CUPS-2"]="5353"
#portConfig["Bitcoin-1"]="8333"
#portConfig["Bitcoin-2"]="8332"
#portConfig["Bitcoin-3"]="8333"
#portConfig["Bitcoin-4"]="4050"
#portConfig["KDE-Connect"]="1714-1764"
#portConfig["Lightning-1"]="10009"
#portConfig["Lightning-1"]="9735"
#portConfig["Lightning-2"]="8080"
#portConfig["Lightning-3"]="28334"
#portConfig["Lightning-4"]="28333"
#portConfig["Lightning-5"]="19998"
#portConfig["Lightning-6"]="29000"
portConfig["SyncThing-1"]="22000"
portConfig["SyncThing-2"]="8384"
portConfig["SyncThing-3"]="21027"
#portConfig["NFS-1"]="2049"
#portConfig["NFS-2"]="111"
portConfig["Jellyfin-1"]="8096"
portConfig["Jellyfin-1"]="7359"
portConfig["SSH"]="22"
MACHINES=(127.0.0.1)
ADMIN=(22)
VIRT_BRIDGE="virbr0"
#### NFT CONFIG ####
#
NFT='/usr/bin/nft'
NFT_TCP="$NFT add rule ip filter input tcp dport"
NFT_UDP="$NFT add rule ip filter input udp dport"
NFT6_UDP="$NFT add rule ip6 filter input udp dport"
NFT6_TCP="$NFT add rule ip6 filter input tcp dport"
NFT_DROP='counter drop'
NFT_ACCEPT='counter accept'
NFT_CACHE='/tmp/nft.cache'
TMP_BLOCK='/tmp/tmp-blocked.txt'
#Log Files
@ -37,8 +53,6 @@ CRAWLER_DB='/opt/firewall/crawlers.txt'
SAFE_TRAFFIC='/opt/firewall/safe.txt'
PEDO_DB='/opt/firewall/pedo.txt'
PEDO_LOG='/opt/firewall/pedo-log.txt'
ATTACKER_DB='/opt/firewall/attacker-db.txt'
ATTACKER_LOG='/opt/firewall/attackers.txt'
BOT_ACCOUNT="blockbot@detroitriotcity.com"
CRAWLER_TMP='/tmp/crawlers.txt'
RULE_SET='/opt/firewall/nft.rules'
@ -57,21 +71,21 @@ COUNTRY=(
ipBlockParser(){
if [[ "$1" == *":"* ]]; then
$NFT add rule ip6 filter input position 0 ip6 saddr $1 $NFT_DROP
$NFT insert rule ip6 filter input position 0 ip6 saddr $1 drop
else
$NFT add rule ip filter input position 0 ip saddr "$1" $NFT_DROP
$NFT insert rule ip filter input position 0 ip saddr "$1" drop
fi
}
portOpenParser(){
if [[ "$1" == *"443"* || "$1" == *"80"* ]]; then
$NFT add rule ip filter input position 0 ct state new tcp dport $i update @http_ratelimit { ip saddr limit rate 10/second } accept
$NFT add rule ip6 filter input position 0 ct state new tcp dport $i update @http_ratelimit { ip6 saddr limit rate 10/second } accept
if [[ "$1" == "443" || "$1" == "80" ]]; then
$NFT add rule ip filter input ct state new tcp dport $1 update @http_ratelimit { ip saddr limit rate 10/second } accept
$NFT add rule ip6 filter input ct state new tcp dport $1 update @http_ratelimit { ip6 saddr limit rate 10/second } accept
else
$NFT_TCP $i $NFT_ACCEPT
$NFT_UDP $i $NFT_ACCEPT
$NFT6_TCP $i $NFT_ACCEPT
$NFT6_UDP $i $NFT_ACCEPT
$NFT add rule ip filter input position 0 tcp dport $1 accept
$NFT add rule ip filter input position 0 udp dport $1 accept
$NFT add rule ip6 filter input position 0 tcp dport $1 accept
$NFT add rule ip6 filter input position 0 udp dport $1 accept
fi
}
@ -101,9 +115,9 @@ wireguard-networking() {
$NFT add rule nat postrouting oif wg0 iif enp11s0
$NFT add rule nat postrouting oif enp11s0 iif wg0
$NFT add rule nat postrouting masquerade
$NFT add rule filter forward iifname wg0 oif enp11s0 $NFT_ACCEPT
$NFT add rule filter forward iifname enp11s0 oif wg0 $NFT_ACCEPT
$NFT add rule ip filter input ip saddr 192.168.5.0/24 $NFT_ACCEPT
$NFT add rule filter forward iifname wg0 oif enp11s0 accept
$NFT add rule filter forward iifname enp11s0 oif wg0 accept
$NFT add rule ip filter input ip saddr 192.168.5.0/24 accept
}
attacker-protection() {
@ -156,13 +170,21 @@ pedo-search() {
}
basic-security() {
$NFT add rule filter input icmp type echo-request $NFT_DROP
$NFT rule filter output $NFT_ACCEPT
$NFT rule filter forward $NFT_ACCEPT
$NFT insert rule filter input ct state established $NFT_ACCEPT
$NFT insert rule filter input iif lo $NFT_ACCEPT
$NFT flush ruleset
$NFT -f /opt/firewall/ipv4-filter.nft
$NFT -f /opt/firewall/ipv6-filter.nft
$NFT add rule filter input icmp type echo-request drop
$NFT rule filter output accept
$NFT rule filter forward accept
$NFT insert rule filter input ct state established accept
$NFT insert rule filter input iif lo accept
for i in "${!portConfig[@]}"; do
echo "Enabling Port for: $i"
portOpenParser "${portConfig[$i]}"
done
$NFT add rule filter input drop
$NFT add rule ip6 filter input drop
}
@ -173,107 +195,12 @@ virtualization() {
/usr/bin/systemctl restart libvirtd
/usr/bin/virsh net-start default
/usr/bin/systemctl restart pleroma
$NFT insert rule filter input iif $VIRT_BRIDGE $NFT_ACCEPT
}
uptimeKuma() {
for i in "${UPTIME[@]}"; do
$NFT add rule ip filter input ip saddr $SERVER_IP tcp dport $i accept
done
}
admin() {
for i in "${ADMIN[@]}"; do
portOpenParser $i
done
}
wireguard() {
sysctl -w net.ipv4.conf.all.forwarding=1
for i in "${WIREGUARD[@]}"; do
portOpenParser $i
done
}
web() {
for i in "${WEB[@]}"; do
portOpenParser $i
done
}
dns() {
for i in "${DNS[@]}"; do
portOpenParser $i
$NFT_UDP $i $NFT_ACCEPT
done
}
adguard() {
for i in "${ADGUARD[@]}"; do
portOpenParser $i
done
}
cups() {
for i in "${CUPS[@]}"; do
portOpenParser $i
done
}
bitcoin() {
for i in "${BITCOIN[@]}"; do
portOpenParser $i
done
}
lnd() {
for i in "${LND[@]}"; do
$NFT add rule ip filter input ip saddr $SERVER_IP tcp dport $i accept
done
}
syncthingServer() {
for i in "${SYNCTHING[@]}"; do
$NFT add rule ip filter input ip saddr $SERVER_IP tcp dport $i accept
done
}
syncthing() {
for i in "${SYNCTHING[@]}"; do
portOpenParser $i
done
}
jellyfin() {
for i in "${JELLYFIN[@]}"; do
portOpenParser $i
done
}
kde-connect() {
$NFT_TCP 1714-1764 $NFT_ACCEPT
$NFT_UDP 1714-1764 $NFT_ACCEPT
}
nfs() {
for i in "${NFS[@]}"; do
portOpenParser $i
done
$NFT insert rule filter input iif $VIRT_BRIDGE accept
}
trust() {
for i in "${MACHINES[@]}"; do
$NFT add rule filter input ip saddr $i $NFT_ACCEPT
done
}
quickImport() {
STATS=($(cat /tmp/db.txt | sort -u))
for i in "${STATS[@]}"; do
ipBlockParser $i
$NFT add rule filter input ip saddr $i accept
done
}
@ -285,35 +212,22 @@ import-saved() {
done
}
start() {
$NFT flush ruleset
$NFT -f /opt/firewall/ipv4-filter.nft
$NFT -f /opt/firewall/ipv6-filter.nft
basic-security
if [[ $HOSTNAME == *"nas"* ]]; then
sysctl -w net.ipv4.conf.all.forwarding=1
import-saved
wireguard
web
admin
adguard
dns
cups
syncthingServer
syncthing
blockCountry
jellyfin
wireguard-networking
uptimeKuma
docker restart uptime-kuma
$NFT insert rule filter input iif docker0 $NFT_ACCEPT
basic-security
#Docker
$NFT insert rule filter input iif docker0 accept
else
virtualization
basic-security
fi
message "Starting Firewall"
}
research() {
@ -374,16 +288,16 @@ stop() {
$NFT -s list ruleset | tee $RULE_SET
$NFT flush ruleset
$NFT -f /usr/share/nftables/ipv4-filter.nft
$NFT add rule filter input icmp type echo-request $NFT_ACCEPT
$NFT rule filter input $NFT_ACCEPT
$NFT rule filter output $NFT_ACCEPT
$NFT rule filter forward $NFT_ACCEPT
$NFT insert rule filter input ct state established $NFT_ACCEPT
$NFT insert rule filter input iif lo $NFT_ACCEPT
$NFT add rule filter input icmp type echo-request accept
$NFT rule filter input accept
$NFT rule filter output accept
$NFT rule filter forward accept
$NFT insert rule filter input ct state established accept
$NFT insert rule filter input iif lo accept
$NFT -f /opt/firewall/ipv6-filter.nft
# $NFT add rule ip6 filter input icmpv6 type nd-neighbor-solicit $NFT_ACCEPT
# $NFT add rule ip6 filter input icmpv6 type nd-router-advert $NFT_ACCEPT
# $NFT add rule ip6 filter input icmpv6 type nd-neighbor-solicit accept
# $NFT add rule ip6 filter input icmpv6 type nd-router-advert accept
message "Stopping Firewall"
}
@ -401,23 +315,6 @@ forgive() {
echo >$TMP_BLOCK
}
saved-attackers() {
echo
IP=($(cat $ATTACKER_LOG | grep -vi $MY_IP | cut -d ' ' -f1 | sort -u))
for i in "${IP[@]}"; do
CHECK=$(cat $NFT_CACHE | grep $i)
if [ "$CHECK" = "" ]; then
echo "Blocking IP: $i"
logger "Blocking IP: $i"
ipBlockParser $i
else
echo
echo "Skipping Duplicate IP $i"
echo
fi
done
}
module-go() {
GO_SPAM=$(grep $2 $NGINX_ACCESS | grep -E "Go-http-client" | wc -l)
if [[ "$GO_SPAM" -gt 10 ]]; then
@ -629,7 +526,7 @@ elif [ "$1" = "test" ]; then
elif [ "$1" = "nostr" ]; then
module-nostr
elif [ "$1" = "import" ]; then
import
import-saved
elif [ "$1" = "saved" ]; then
saved-bots
else
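Review bot: In the new portConfig block, `portConfig["Jellyfin-1"]` is assigned twice (first "8096", then "7359"), so the second assignment overwrites the first and 8096 is never handed to portOpenParser — the Jellyfin HTTP port silently stays closed; change the second line to `portConfig["Jellyfin-2"]="7359"`. The commented-out Lightning entries repeat the same mistake (two `Lightning-1` keys), so fix those before anyone uncomments them. Separately, Uptime 4001 was previously accepted only from `ip saddr $SERVER_IP` in the now-deleted uptimeKuma() function, but portConfig["Uptime"] now goes through portOpenParser, which accepts from any source on both TCP and UDP (the same loop also opens SSH 22 and the AdGuard 3000 / Syncthing 8384 web UIs for UDP); if the source restriction was intentional, it needs to be re-added rather than folded into the generic map. A short comment above the map, e.g. `# Every port here is opened to all sources for tcp AND udp; use a separate rule for host-restricted services`, would make that trade-off explicit.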

17831
nft.rules
