From d09264453bed4ec963509a98849594ae5ac278de Mon Sep 17 00:00:00 2001
From: Your Name
Date: Sat, 20 Jul 2024 14:34:05 -0600
Subject: [PATCH] fix
---
 attackers.txt | 1 +
 firewall2.sh | 73 ++++++++++++++++++++++++++-------------------------
 2 files changed, 38 insertions(+), 36 deletions(-)
diff --git a/attackers.txt b/attackers.txt
index 46b0127..833eb17 100644
--- a/attackers.txt
+++ b/attackers.txt
@@ -290,3 +290,4 @@
 45.148.10.202
 134.209.105.53
 134.209.105.53
+134.209.105.53
diff --git a/firewall2.sh b/firewall2.sh
index c6255a7..fdd2d7f 100644
--- a/firewall2.sh
+++ b/firewall2.sh
@@ -13,10 +13,11 @@ JELLYFIN=(8096 1900 7359)
 MACHINES=(192.168.0.55 192.168.0.146)
 ADMIN=(22 9090)
 #### NFT CONFIG ####
-NFT_TCP='/sbin/nft add rule ip filter input tcp dport'
-NFT_UDP='/sbin/nft add rule ip filter input udp dport'
+NFT_TCP='$NFT add rule ip filter input tcp dport'
+NFT_UDP='$NFT add rule ip filter input udp dport'
 NFT_DROP='counter drop'
 NFT_ACCEPT='counter accept'
+NFT='/usr/sbin/nft'
 ####
 SAVED_BOTS='/root/firewall/bots.txt'
 CRAWLER_DB='/root/firewall/crawlers.txt'
@@ -31,11 +32,11 @@ DATE="$(date +%Y:%H: -d "1 hour ago")"
 noscl setprivate 80ec76355ba0a72cef69d427bfc8c7dc8a7d015b2b8c07657b46ba1f972b6f35
 wireguard-networking() {
- /sbin/nft add table nat
- /sbin/nft add chain nat postrouting
- /sbin/nft add rule nat postrouting oif wg0 iif enp11s0
- /sbin/nft add rule nat postrouting oif enp11s0 iif wg0
- /sbin/nft add rule nat postrouting masquerade
+ $NFT add table nat
+ $NFT add chain nat postrouting
+ $NFT add rule nat postrouting oif wg0 iif enp11s0
+ $NFT add rule nat postrouting oif enp11s0 iif wg0
+ $NFT add rule nat postrouting masquerade
 }
 ddos-protection() {
@@ -51,7 +52,7 @@ saved-bots(){
 echo "Feeding $SAVED_BOTS into NFT....."
 echo
 for i in "${BOT_LOG[@]}"; do
- /sbin/nft add rule ip filter input ip saddr $i $NFT_DROP
+ $NFT add rule ip filter input ip saddr $i $NFT_DROP
 echo $i >>$CRAWLER_TMP
 done
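Review bot: The added line `134.209.105.53` is already present twice in the three context lines above it, so the hunk produces a third identical entry that changes nothing about what is matched. Assuming this file is the list the script feeds to `grep -Ei -f $ATTACKER_DB` (that assignment is not in the diff), each duplicate is just another redundant pattern, and the unescaped dots in these entries already match any character. Deduplicating the file (`sort -u`) before committing keeps the list reviewable and makes a genuinely new entry visible as such.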
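Review bot: `NFT_TCP='$NFT add rule ip filter input tcp dport'` and the matching `NFT_UDP` line are single-quoted, so `$NFT` is stored as a literal four-character string and is never expanded; bash does not re-expand the result of a parameter expansion, so a later `$NFT_TCP 22 $NFT_ACCEPT` would try to run a command literally named `$NFT` unless the callers, which are outside this hunk, go through `eval`. The new `NFT='/usr/sbin/nft'` is also assigned after the two lines that reference it, so even with double quotes they would expand to an empty path at this point. Move the assignment above them and double-quote: `NFT='/usr/sbin/nft'`, `NFT_TCP="$NFT add rule ip filter input tcp dport"`, `NFT_UDP="$NFT add rule ip filter input udp dport"`.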
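Review bot: `echo $i >>$CRAWLER_TMP` runs whether or not the preceding `$NFT add rule ip filter input ip saddr $i $NFT_DROP` succeeded, so an entry nft rejects (a malformed line in `$SAVED_BOTS`, or nft not being at the new `/usr/sbin/nft` path) is still recorded as blocked; the loop in the `@@ -69` hunk has the same pattern. Chaining the two, `$NFT add rule ip filter input ip saddr "$i" $NFT_DROP && echo "$i" >>"$CRAWLER_TMP"`, keeps the record honest and quotes the expansions. The enclosing `saved-bots` function starts before this hunk.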
@@ -69,7 +70,7 @@ bot-search() {
 echo "Processing Web Crawler list into NFT....."
 echo
 for i in "${CRAWLERS[@]}"; do
- /sbin/nft add rule ip filter input ip saddr $i $NFT_DROP
+ $NFT add rule ip filter input ip saddr $i $NFT_DROP
 echo $i >>$CRAWLER_TMP
 done
 }
@@ -79,7 +80,7 @@ pedo-search() {
 echo "Processing Pedo Searches into NFT....."
 PEDO_SEARCH=($(cat $NGINX_ACCESS | grep -i "$DATE" | grep -vi $MY_IP | grep -Ei -f $PEDO_DB | grep -Ei 'tag|search' | cut -d "-" -f1 | sort -u))
 for i in "${PEDO_SEARCH[@]}"; do
- /sbin/nft add rule ip filter input ip saddr $i $NFT_DROP
+ $NFT add rule ip filter input ip saddr $i $NFT_DROP
 QUERY=$(cat $NGINX_ACCESS | grep -i "$DATE" | grep -vi $MY_IP | grep -Ei 'tag|search' | grep -Evi -f $CRAWLER_DB | grep -Evi 'packs|media|akkoma|timeline|favicon|announcements|notifications|accounts|pleroma|mutes|emoji|static|images|oauth' | grep $i | grep -Ei -f $PEDO_DB | head -1)
 if [ -z "$QUERY" ]; then
 echo "No Pedos Found"
@@ -106,7 +107,7 @@ attacker-search() {
 echo
 ATTACKER_SEARCH=($(cat $NGINX_ACCESS | grep -i "$DATE" | grep -vi $MY_IP | grep -Ei -f $ATTACKER_DB | cut -d "-" -f1 | sort -u))
 for i in "${ATTACKER_SEARCH[@]}"; do
- /sbin/nft add rule ip filter input ip saddr $i $NFT_DROP
+ $NFT add rule ip filter input ip saddr $i $NFT_DROP
 QUERY=$(cat $NGINX_ACCESS | grep -i "$DATE" | grep -vi $MY_IP | grep $i | grep -Ei -f $ATTACKER_DB | head -1)
 if [ -z "$QUERY" ]; then
 echo "No Attackers Found"
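Review bot: `grep $i` in the `QUERY=` line treats the address as an unanchored regular expression: the dots match any character and nothing bounds the match, so an entry like `45.148.10.202` also selects log lines for `145.148.10.2021`, and the evidence line printed for one address can belong to another; the `QUERY=` line in the `@@ -106` hunk has the same problem. `grep -Fw -- "$i"` matches the literal address as a whole word and also protects against a value starting with `-`. Both `pedo-search` and `attacker-search` continue past their hunks.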
@@ -120,16 +121,16 @@ attacker-search() {
 }
 basic-security() {
- /sbin/nft add rule filter input icmp type echo-request $NFT_DROP
- /sbin/nft rule filter input $NFT_DROP
- /sbin/nft rule filter output $NFT_ACCEPT
- /sbin/nft rule filter forward $NFT_ACCEPT
- /sbin/nft insert rule filter input ct state established $NFT_ACCEPT
- /sbin/nft insert rule filter input iif lo $NFT_ACCEPT
+ $NFT add rule filter input icmp type echo-request $NFT_DROP
+ $NFT rule filter input $NFT_DROP
+ $NFT rule filter output $NFT_ACCEPT
+ $NFT rule filter forward $NFT_ACCEPT
+ $NFT insert rule filter input ct state established $NFT_ACCEPT
+ $NFT insert rule filter input iif lo $NFT_ACCEPT
- /sbin/nft -f /usr/share/doc/nftables/examples/ipv6-filter.nft
- /sbin/nft add rule ip6 filter input icmpv6 type nd-neighbor-solicit $NFT_DROP
- /sbin/nft add rule ip6 filter input icmpv6 type nd-router-advert $NFT_DROP
+ $NFT -f /usr/share/doc/nftables/examples/ipv6-filter.nft
+ $NFT add rule ip6 filter input icmpv6 type nd-neighbor-solicit $NFT_DROP
+ $NFT add rule ip6 filter input icmpv6 type nd-router-advert $NFT_DROP
 }
 admin() {
@@ -206,14 +207,14 @@ nfs() {
 trust() {
 for i in "${MACHINES[@]}"; do
- /sbin/nft add rule filter input ip saddr $i $NFT_ACCEPT
+ $NFT add rule filter input ip saddr $i $NFT_ACCEPT
 done
 }
 start() {
- /sbin/nft flush ruleset
- /sbin/nft -f /usr/share/doc/nftables/examples/ipv4-filter.nft
+ $NFT flush ruleset
+ $NFT -f /usr/share/doc/nftables/examples/ipv4-filter.nft
 if [[ $HOSTNAME == *"nas"* ]]; then
 ddos-protection
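Review bot: `$NFT -f /usr/share/doc/nftables/examples/ipv6-filter.nft` is not checked for success, and neither is the `$NFT -f .../ipv4-filter.nft` load that follows `$NFT flush ruleset` in `start()` in the `@@ -206` hunk (the same pair appears in `stop()` in the `@@ -245` hunk). Those base files live under /usr/share/doc, which some installs strip; if one is missing, the flush has already emptied the ruleset, the `ip6 filter` rules below fail for want of a table, and the host runs with no filtering while the script reports nothing, since none of the visible hunks sets `set -e`. Guard each load, e.g. `$NFT -f /usr/share/doc/nftables/examples/ipv6-filter.nft || { echo "ipv6 base filter failed to load" >&2; exit 1; }`. Separately, `ct state established` without `related` drops related traffic such as ICMP errors for existing connections. `start()` continues past its hunk.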
@@ -245,23 +246,23 @@ start() {
 }
 status() {
- /sbin/nft list table filter | grep -v "0 bytes 0 drop"
- /sbin/nft list table nat
+ $NFT list table filter | grep -v "0 bytes 0 drop"
+ $NFT list table nat
 }
 stop() {
- /sbin/nft flush ruleset
- /sbin/nft -f /usr/share/doc/nftables/examples/ipv4-filter.nft
- /sbin/nft add rule filter input icmp type echo-request $NFT_ACCEPT
- /sbin/nft rule filter input $NFT_ACCEPT
- /sbin/nft rule filter output $NFT_ACCEPT
- /sbin/nft rule filter forward $NFT_ACCEPT
- /sbin/nft insert rule filter input ct state established $NFT_ACCEPT
- /sbin/nft insert rule filter input iif lo $NFT_ACCEPT
+ $NFT flush ruleset
+ $NFT -f /usr/share/doc/nftables/examples/ipv4-filter.nft
+ $NFT add rule filter input icmp type echo-request $NFT_ACCEPT
+ $NFT rule filter input $NFT_ACCEPT
+ $NFT rule filter output $NFT_ACCEPT
+ $NFT rule filter forward $NFT_ACCEPT
+ $NFT insert rule filter input ct state established $NFT_ACCEPT
+ $NFT insert rule filter input iif lo $NFT_ACCEPT
- /sbin/nft -f /usr/share/doc/nftables/examples/ipv6-filter.nft
- /sbin/nft add rule ip6 filter input icmpv6 type nd-neighbor-solicit $NFT_ACCEPT
- /sbin/nft add rule ip6 filter input icmpv6 type nd-router-advert $NFT_ACCEPT
+ $NFT -f /usr/share/doc/nftables/examples/ipv6-filter.nft
+ $NFT add rule ip6 filter input icmpv6 type nd-neighbor-solicit $NFT_ACCEPT
+ $NFT add rule ip6 filter input icmpv6 type nd-router-advert $NFT_ACCEPT
 }
 if [ "$1" = "start" ]; then