This commit is contained in:
parent
1dbdb31320
commit
cbfe1c1005
62
firewall2.sh
62
firewall2.sh
@ -15,8 +15,8 @@ ADMIN=(22 9090)
|
||||
#### NFT CONFIG ####
|
||||
NFT_TCP='/sbin/nft add rule ip filter input tcp dport'
|
||||
NFT_UDP='/sbin/nft add rule ip filter input udp dport'
|
||||
NFT_DROP='drop'
|
||||
NFT_ACCEPT='accept'
|
||||
NFT_DROP='counter drop'
|
||||
NFT_ACCEPT='counter accept'
|
||||
####
|
||||
SAVED_BOTS='/root/firewall/bots.txt'
|
||||
CRAWLER_DB='/root/firewall/crawlers.txt'
|
||||
@ -44,7 +44,7 @@ bot-search() {
|
||||
echo "Processing Web Crawler list into NFT....."
|
||||
echo
|
||||
for i in "${CRAWLERS[@]}"; do
|
||||
/sbin/nft add rule ip filter input ip daddr $i drop
|
||||
/sbin/nft add rule ip filter input ip saddr $i $NFT_DROP
|
||||
echo $i >>$CRAWLER_TMP
|
||||
done
|
||||
|
||||
@ -53,7 +53,7 @@ bot-search() {
|
||||
echo "Feeding $SAVED_BOTS into NFT....."
|
||||
echo
|
||||
for i in "${BOT_LOG[@]}"; do
|
||||
/sbin/nft add rule ip filter output ip daddr $i drop
|
||||
/sbin/nft add rule ip filter input ip saddr $i $NFT_DROP
|
||||
echo $i >>$CRAWLER_TMP
|
||||
done
|
||||
|
||||
@ -66,7 +66,7 @@ pedo-search() {
|
||||
echo "Processing Pedo Searches into NFT....."
|
||||
PEDO_SEARCH=($(cat $NGINX_ACCESS | grep -i "$DATE" | grep -vi $MY_IP | grep -Ei -f $PEDO_DB | grep -Ei 'tag|search' | cut -d "-" -f1 | sort -u))
|
||||
for i in "${PEDO_SEARCH[@]}"; do
|
||||
/sbin/nft add rule ip filter output ip daddr $i drop
|
||||
/sbin/nft add rule ip filter input ip saddr $i $NFT_DROP
|
||||
QUERY=$(cat $NGINX_ACCESS | grep -i "$DATE" | grep -vi $MY_IP | grep -Ei 'tag|search' | grep -Evi -f $CRAWLER_DB | grep -Evi 'packs|media|akkoma|timeline|favicon|announcements|notifications|accounts|pleroma|mutes|emoji|static|images|oauth' | grep $i | grep -Ei -f $PEDO_DB | head -1)
|
||||
if [ -z "$QUERY" ]; then
|
||||
echo "No Pedos Found"
|
||||
@ -93,7 +93,7 @@ attacker-search() {
|
||||
echo
|
||||
ATTACKER_SEARCH=($(cat $NGINX_ACCESS | grep -i "$DATE" | grep -vi $MY_IP | grep -Ei -f $ATTACKER_DB | cut -d "-" -f1 | sort -u))
|
||||
for i in "${ATTACKER_SEARCH[@]}"; do
|
||||
/sbin/nft add rule ip filter output ip daddr $i drop
|
||||
/sbin/nft add rule ip filter input ip saddr $i $NFT_DROP
|
||||
QUERY=$(cat $NGINX_ACCESS | grep -i "$DATE" | grep -vi $MY_IP | grep $i | grep -Ei -f $ATTACKER_DB | head -1)
|
||||
if [ -z "$QUERY" ]; then
|
||||
echo "No Attackers Found"
|
||||
@ -107,18 +107,16 @@ attacker-search() {
|
||||
}
|
||||
|
||||
basic-security() {
|
||||
/sbin/nft flush ruleset
|
||||
/sbin/nft -f /usr/share/doc/nftables/examples/ipv4-filter.nft
|
||||
/sbin/nft add rule filter input icmp type echo-request drop
|
||||
/sbin/nft rule filter input drop
|
||||
/sbin/nft rule filter output accept
|
||||
/sbin/nft rule filter forward accept
|
||||
/sbin/nft insert rule filter input ct state established accept
|
||||
/sbin/nft insert rule filter input iif lo accept
|
||||
/sbin/nft add rule filter output ip daddr 192.168.0.55 drop
|
||||
/sbin/nft add rule filter input icmp type echo-request $NFT_DROP
|
||||
/sbin/nft rule filter input $NFT_DROP
|
||||
/sbin/nft rule filter output $NFT_ACCEPT
|
||||
/sbin/nft rule filter forward $NFT_ACCEPT
|
||||
/sbin/nft insert rule filter input ct state established $NFT_ACCEPT
|
||||
/sbin/nft insert rule filter input iif lo $NFT_ACCEPT
|
||||
|
||||
/sbin/nft -f /usr/share/doc/nftables/examples/ipv6-filter.nft
|
||||
/sbin/nft add rule ip6 filter input icmpv6 type nd-neighbor-solicit drop
|
||||
/sbin/nft add rule ip6 filter input icmpv6 type nd-router-advert drop
|
||||
/sbin/nft add rule ip6 filter input icmpv6 type nd-neighbor-solicit $NFT_DROP
|
||||
/sbin/nft add rule ip6 filter input icmpv6 type nd-router-advert $NFT_DROP
|
||||
}
|
||||
|
||||
admin() {
|
||||
@ -196,15 +194,15 @@ nfs() {
|
||||
|
||||
trust() {
|
||||
for i in "${MACHINES[@]}"; do
|
||||
$NFT_TCP -s $i $NFT_ACCEPT
|
||||
$NFT_UDP -s $i $NFT_ACCEPT
|
||||
/sbin/nft add rule filter input ip saddr $i $NFT_ACCEPT
|
||||
done
|
||||
}
|
||||
|
||||
start() {
|
||||
|
||||
basic-security
|
||||
|
||||
/sbin/nft flush ruleset
|
||||
/sbin/nft -f /usr/share/doc/nftables/examples/ipv4-filter.nft
|
||||
|
||||
if [[ $HOSTNAME == *"nas"* ]]; then
|
||||
ddos-protection
|
||||
wireguard
|
||||
@ -219,31 +217,35 @@ start() {
|
||||
|
||||
#Uptime
|
||||
podman restart uptime-kuma
|
||||
|
||||
basic-security
|
||||
else
|
||||
{
|
||||
syncthing
|
||||
kde-connect
|
||||
/usr/bin/systemctl restart libvirtd
|
||||
/sbin/nft list table filter
|
||||
basic-security
|
||||
}
|
||||
fi
|
||||
|
||||
|
||||
|
||||
}
|
||||
|
||||
|
||||
stop() {
|
||||
/sbin/nft flush ruleset
|
||||
/sbin/nft -f /usr/share/doc/nftables/examples/ipv4-filter.nft
|
||||
/sbin/nft add rule filter input icmp type echo-request accept
|
||||
/sbin/nft rule filter input accept
|
||||
/sbin/nft rule filter output accept
|
||||
/sbin/nft rule filter forward accept
|
||||
/sbin/nft insert rule filter input ct state established accept
|
||||
/sbin/nft insert rule filter input iif lo accept
|
||||
/sbin/nft add rule filter input icmp type echo-request $NFT_ACCEPT
|
||||
/sbin/nft rule filter input $NFT_ACCEPT
|
||||
/sbin/nft rule filter output $NFT_ACCEPT
|
||||
/sbin/nft rule filter forward $NFT_ACCEPT
|
||||
/sbin/nft insert rule filter input ct state established $NFT_ACCEPT
|
||||
/sbin/nft insert rule filter input iif lo $NFT_ACCEPT
|
||||
|
||||
/sbin/nft -f /usr/share/doc/nftables/examples/ipv6-filter.nft
|
||||
/sbin/nft add rule ip6 filter input icmpv6 type nd-neighbor-solicit accept
|
||||
/sbin/nft add rule ip6 filter input icmpv6 type nd-router-advert accept
|
||||
/sbin/nft add rule ip6 filter input icmpv6 type nd-neighbor-solicit $NFT_ACCEPT
|
||||
/sbin/nft add rule ip6 filter input icmpv6 type nd-router-advert $NFT_ACCEPT
|
||||
}
|
||||
|
||||
if [ "$1" = "start" ]; then
|
||||
|
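Review bot: The `basic-security` call at the top of `start()` (hunk -196,15 +194,15) is immediately followed by `/sbin/nft flush ruleset` and a reload of ipv4-filter.nft, so whatever it installed is discarded before the service functions run; the equal old/new counts of that hunk make this line the likely addition, but no side marker survives on this page, so confirm. `basic-security` itself starts with `/sbin/nft flush ruleset` (context in hunk -107,18 +107,16), so the second call at the end of the new `{ ... basic-security }` block in the else branch wipes the rules the service functions added in between, which would leave only the default-drop set (lo, established, echo-request drop, `counter drop`) and no accept for the ADMIN ports 22/9090. I would remove the flush and example-file load from `basic-security`, call it exactly once before the service functions, and express the catch-all verdict as the chain policy rather than an appended `counter drop` rule so later `add rule` appends still take effect. Separately, `$NFT_DROP`/`$NFT_ACCEPT` depend on unquoted word-splitting of `'counter drop'`; declaring `NFT_DROP=(counter drop)` and expanding `"${NFT_DROP[@]}"` makes that intent explicit and keeps ShellCheck clean. The nas branch of `start()` begins outside the last hunk.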