verita84/firewall
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix

Browse Source
This commit is contained in:
Your Name 2024-07-20 14:34:05 -06:00
parent e11d210e4f
commit d09264453b
2 changed files with 38 additions and 36 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
attackers.txt
View File

@ -290,3 +290,4 @@
45.148.10.202 45.148.10.202
134.209.105.53 134.209.105.53
134.209.105.53 134.209.105.53
134.209.105.53

73
firewall2.sh
View File

@ -13,10 +13,11 @@ JELLYFIN=(8096 1900 7359)
MACHINES=(192.168.0.55 192.168.0.146) MACHINES=(192.168.0.55 192.168.0.146)
ADMIN=(22 9090) ADMIN=(22 9090)
#### NFT CONFIG #### #### NFT CONFIG ####
NFT_TCP='/sbin/nft add rule ip filter input tcp dport' NFT_TCP='$NFT add rule ip filter input tcp dport'
NFT_UDP='/sbin/nft add rule ip filter input udp dport' NFT_UDP='$NFT add rule ip filter input udp dport'
NFT_DROP='counter drop' NFT_DROP='counter drop'
NFT_ACCEPT='counter accept' NFT_ACCEPT='counter accept'
NFT='/usr/sbin/nft'
#### ####
SAVED_BOTS='/root/firewall/bots.txt' SAVED_BOTS='/root/firewall/bots.txt'
CRAWLER_DB='/root/firewall/crawlers.txt' CRAWLER_DB='/root/firewall/crawlers.txt'
@ -31,11 +32,11 @@ DATE="$(date +%Y:%H: -d "1 hour ago")"
noscl setprivate 80ec76355ba0a72cef69d427bfc8c7dc8a7d015b2b8c07657b46ba1f972b6f35 noscl setprivate 80ec76355ba0a72cef69d427bfc8c7dc8a7d015b2b8c07657b46ba1f972b6f35
wireguard-networking() { wireguard-networking() {
/sbin/nft add table nat $NFT add table nat
/sbin/nft add chain nat postrouting $NFT add chain nat postrouting
/sbin/nft add rule nat postrouting oif wg0 iif enp11s0 $NFT add rule nat postrouting oif wg0 iif enp11s0
/sbin/nft add rule nat postrouting oif enp11s0 iif wg0 $NFT add rule nat postrouting oif enp11s0 iif wg0
/sbin/nft add rule nat postrouting masquerade $NFT add rule nat postrouting masquerade
} }
ddos-protection() { ddos-protection() {
@ -51,7 +52,7 @@ saved-bots(){
echo "Feeding $SAVED_BOTS into NFT....." echo "Feeding $SAVED_BOTS into NFT....."
echo echo
for i in "${BOT_LOG[@]}"; do for i in "${BOT_LOG[@]}"; do
/sbin/nft add rule ip filter input ip saddr $i $NFT_DROP $NFT add rule ip filter input ip saddr $i $NFT_DROP
echo $i >>$CRAWLER_TMP echo $i >>$CRAWLER_TMP
done done
@ -69,7 +70,7 @@ bot-search() {
echo "Processing Web Crawler list into NFT....." echo "Processing Web Crawler list into NFT....."
echo echo
for i in "${CRAWLERS[@]}"; do for i in "${CRAWLERS[@]}"; do
/sbin/nft add rule ip filter input ip saddr $i $NFT_DROP $NFT add rule ip filter input ip saddr $i $NFT_DROP
echo $i >>$CRAWLER_TMP echo $i >>$CRAWLER_TMP
done done
} }
@ -79,7 +80,7 @@ pedo-search() {
echo "Processing Pedo Searches into NFT....." echo "Processing Pedo Searches into NFT....."
PEDO_SEARCH=($(cat $NGINX_ACCESS | grep -i "$DATE" | grep -vi $MY_IP | grep -Ei -f $PEDO_DB | grep -Ei 'tag|search' | cut -d "-" -f1 | sort -u)) PEDO_SEARCH=($(cat $NGINX_ACCESS | grep -i "$DATE" | grep -vi $MY_IP | grep -Ei -f $PEDO_DB | grep -Ei 'tag|search' | cut -d "-" -f1 | sort -u))
for i in "${PEDO_SEARCH[@]}"; do for i in "${PEDO_SEARCH[@]}"; do
/sbin/nft add rule ip filter input ip saddr $i $NFT_DROP $NFT add rule ip filter input ip saddr $i $NFT_DROP
QUERY=$(cat $NGINX_ACCESS | grep -i "$DATE" | grep -vi $MY_IP | grep -Ei 'tag|search' | grep -Evi -f $CRAWLER_DB | grep -Evi 'packs|media|akkoma|timeline|favicon|announcements|notifications|accounts|pleroma|mutes|emoji|static|images|oauth' | grep $i | grep -Ei -f $PEDO_DB | head -1) QUERY=$(cat $NGINX_ACCESS | grep -i "$DATE" | grep -vi $MY_IP | grep -Ei 'tag|search' | grep -Evi -f $CRAWLER_DB | grep -Evi 'packs|media|akkoma|timeline|favicon|announcements|notifications|accounts|pleroma|mutes|emoji|static|images|oauth' | grep $i | grep -Ei -f $PEDO_DB | head -1)
if [ -z "$QUERY" ]; then if [ -z "$QUERY" ]; then
echo "No Pedos Found" echo "No Pedos Found"
@ -106,7 +107,7 @@ attacker-search() {
echo echo
ATTACKER_SEARCH=($(cat $NGINX_ACCESS | grep -i "$DATE" | grep -vi $MY_IP | grep -Ei -f $ATTACKER_DB | cut -d "-" -f1 | sort -u)) ATTACKER_SEARCH=($(cat $NGINX_ACCESS | grep -i "$DATE" | grep -vi $MY_IP | grep -Ei -f $ATTACKER_DB | cut -d "-" -f1 | sort -u))
for i in "${ATTACKER_SEARCH[@]}"; do for i in "${ATTACKER_SEARCH[@]}"; do
/sbin/nft add rule ip filter input ip saddr $i $NFT_DROP $NFT add rule ip filter input ip saddr $i $NFT_DROP
QUERY=$(cat $NGINX_ACCESS | grep -i "$DATE" | grep -vi $MY_IP | grep $i | grep -Ei -f $ATTACKER_DB | head -1) QUERY=$(cat $NGINX_ACCESS | grep -i "$DATE" | grep -vi $MY_IP | grep $i | grep -Ei -f $ATTACKER_DB | head -1)
if [ -z "$QUERY" ]; then if [ -z "$QUERY" ]; then
echo "No Attackers Found" echo "No Attackers Found"
@ -120,16 +121,16 @@ attacker-search() {
} }
basic-security() { basic-security() {
/sbin/nft add rule filter input icmp type echo-request $NFT_DROP $NFT add rule filter input icmp type echo-request $NFT_DROP
/sbin/nft rule filter input $NFT_DROP $NFT rule filter input $NFT_DROP
/sbin/nft rule filter output $NFT_ACCEPT $NFT rule filter output $NFT_ACCEPT
/sbin/nft rule filter forward $NFT_ACCEPT $NFT rule filter forward $NFT_ACCEPT
/sbin/nft insert rule filter input ct state established $NFT_ACCEPT $NFT insert rule filter input ct state established $NFT_ACCEPT
/sbin/nft insert rule filter input iif lo $NFT_ACCEPT $NFT insert rule filter input iif lo $NFT_ACCEPT
/sbin/nft -f /usr/share/doc/nftables/examples/ipv6-filter.nft $NFT -f /usr/share/doc/nftables/examples/ipv6-filter.nft
/sbin/nft add rule ip6 filter input icmpv6 type nd-neighbor-solicit $NFT_DROP $NFT add rule ip6 filter input icmpv6 type nd-neighbor-solicit $NFT_DROP
/sbin/nft add rule ip6 filter input icmpv6 type nd-router-advert $NFT_DROP $NFT add rule ip6 filter input icmpv6 type nd-router-advert $NFT_DROP
} }
admin() { admin() {
@ -206,14 +207,14 @@ nfs() {
trust() { trust() {
for i in "${MACHINES[@]}"; do for i in "${MACHINES[@]}"; do
/sbin/nft add rule filter input ip saddr $i $NFT_ACCEPT $NFT add rule filter input ip saddr $i $NFT_ACCEPT
done done
} }
start() { start() {
/sbin/nft flush ruleset $NFT flush ruleset
/sbin/nft -f /usr/share/doc/nftables/examples/ipv4-filter.nft $NFT -f /usr/share/doc/nftables/examples/ipv4-filter.nft
if [[ $HOSTNAME == *"nas"* ]]; then if [[ $HOSTNAME == *"nas"* ]]; then
ddos-protection ddos-protection
@ -245,23 +246,23 @@ start() {
} }
status() { status() {
/sbin/nft list table filter | grep -v "0 bytes 0 drop" $NFT list table filter | grep -v "0 bytes 0 drop"
/sbin/nft list table nat $NFT list table nat
} }
stop() { stop() {
/sbin/nft flush ruleset $NFT flush ruleset
/sbin/nft -f /usr/share/doc/nftables/examples/ipv4-filter.nft $NFT -f /usr/share/doc/nftables/examples/ipv4-filter.nft
/sbin/nft add rule filter input icmp type echo-request $NFT_ACCEPT $NFT add rule filter input icmp type echo-request $NFT_ACCEPT
/sbin/nft rule filter input $NFT_ACCEPT $NFT rule filter input $NFT_ACCEPT
/sbin/nft rule filter output $NFT_ACCEPT $NFT rule filter output $NFT_ACCEPT
/sbin/nft rule filter forward $NFT_ACCEPT $NFT rule filter forward $NFT_ACCEPT
/sbin/nft insert rule filter input ct state established $NFT_ACCEPT $NFT insert rule filter input ct state established $NFT_ACCEPT
/sbin/nft insert rule filter input iif lo $NFT_ACCEPT $NFT insert rule filter input iif lo $NFT_ACCEPT
/sbin/nft -f /usr/share/doc/nftables/examples/ipv6-filter.nft $NFT -f /usr/share/doc/nftables/examples/ipv6-filter.nft
/sbin/nft add rule ip6 filter input icmpv6 type nd-neighbor-solicit $NFT_ACCEPT $NFT add rule ip6 filter input icmpv6 type nd-neighbor-solicit $NFT_ACCEPT
/sbin/nft add rule ip6 filter input icmpv6 type nd-router-advert $NFT_ACCEPT $NFT add rule ip6 filter input icmpv6 type nd-router-advert $NFT_ACCEPT
} }
if [ "$1" = "start" ]; then if [ "$1" = "start" ]; then