Scripts triggered by systemd for modifying iptables firewall rules.
## Downloading

```bash
sudo su -
cd /usr/local/etc
git clone --recurse-submodules git@github.com:paranoid-linux/adaptive-iptables.git
```

## Upgrading

```bash
sudo su -
cd /usr/local/etc/adaptive-iptables
git pull
git submodule update --init --recursive --merge
```

The `base-policies.sh` script, and each script under the `interface-protocols` and `services` directories, may be run with the `--help` argument to output available options.

```bash
bash base-policies.sh --help
```

## Installation
- Assign interface names to an array for easier looping
- Install base policies and protocol filters
- Enable base policies and protocol filters

```bash
_interface_list=('eth0' 'wlan0')

bash base-policies.sh --install
bash interface-protocols/icmp.sh --install
bash interface-protocols/tcp.sh --install
bash interface-protocols/udp.sh --install

bash base-policies.sh --systemd='enable'
for _interface in "${_interface_list[@]}"; do
  bash interface-protocols/icmp.sh --systemd='enable' --interface="${_interface}"
  bash interface-protocols/tcp.sh --systemd='enable' --interface="${_interface}"
  bash interface-protocols/udp.sh --systemd='enable' --interface="${_interface}"
done
```

Restarting an interface should trigger its protocol filters, and restarting the device should trigger `base-policies.sh`.
## Logging

Enable `logging.sh` to facilitate debugging of connections that should be allowed...

```bash
bash interface-protocols/logging.sh --install
for _interface in "${_interface_list[@]}"; do
  bash interface-protocols/logging.sh --systemd='enable' --interface="${_interface}"
done
```

Disable `logging.sh` to avoid filling logs with traffic that should be ignored...

```bash
for _interface in "${_interface_list[@]}"; do
  bash interface-protocols/logging.sh --systemd='disable' --interface="${_interface}"
done
```

View logs with your favorite text parser...

```bash
grep -i -- 'put_log' /var/log/messages
tail -f /var/log/messages | awk '$7 ~ "put_log" {print}'
```
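An added example, not code from the adaptive-iptables repository, that extends the grep/awk one-liners above: it summarises LOG lines carrying the `put_log` prefix by source address and destination port, which is the kind of evidence fail2ban-style tooling acts on. It assumes the syslog layout the awk command above expects (the prefix in the seventh field) and standard iptables LOG fields (`SRC=`, `DPT=`); the sample lines are constructed, not captured traffic.

```shell
#!/usr/bin/env sh
# Added example: summarise kernel LOG lines carrying the 'put_log' prefix.
# Assumes the layout the README's awk one-liner expects, i.e. the prefix sits
# in field 7 ("Mon DD HH:MM:SS host kernel: [uptime] put_log ..."), and that
# the LOG target emits the usual SRC= and DPT= fields.

# Read log lines on stdin; print "count src dpt", most frequent first.
summarize_put_log() {
  awk '
    $7 == "put_log" {
      src = ""; dpt = ""
      for (i = 8; i <= NF; i++) {
        if ($i ~ /^SRC=/) src = substr($i, 5)
        if ($i ~ /^DPT=/) dpt = substr($i, 5)
      }
      if (src != "") counts[src " " dpt]++
    }
    END { for (k in counts) print counts[k], k }
  ' | sort -rn
}

# Constructed sample lines (not real traffic); addresses are from documentation ranges.
# The last two lines are deliberately NOT put_log lines and must be ignored.
SAMPLE_LOG='Jan  1 00:00:01 host kernel: [12345.678] put_log IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.1 LEN=40 PROTO=TCP SPT=40001 DPT=22 SYN URGP=0
Jan  1 00:00:02 host kernel: [12346.001] put_log IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.1 LEN=40 PROTO=TCP SPT=40002 DPT=22 SYN URGP=0
Jan  1 00:00:03 host kernel: [12347.112] put_log IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.1 LEN=40 PROTO=TCP SPT=40003 DPT=22 SYN URGP=0
Jan  1 00:00:04 host kernel: [12348.220] put_log IN=wlan0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=198.51.100.1 LEN=52 PROTO=TCP SPT=51515 DPT=443 SYN URGP=0
Jan  1 00:00:05 host kernel: [12349.300] wlan0: link becomes ready
Jan  1 00:00:06 host kernel: [12350.000] other_log IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.1 PROTO=TCP SPT=60000 DPT=22'

# Number of logged packets from one source to one destination port (empty if none).
# Usage: drops_for 192.0.2.10 22
drops_for() {
  printf '%s\n' "$SAMPLE_LOG" | summarize_put_log \
    | awk -v key="$1 $2" '($2 " " $3) == key { print $1; exit }'
}

# Print the full summary of the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | summarize_put_log
```

Replace the `printf` of `SAMPLE_LOG` with `grep -- 'put_log' /var/log/messages` to run the same summary over a live log.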
## Services

- Install the systemd template for a given service
- Enable service firewall rules for a set of interfaces

```bash
bash services/ssh.sh --install
for _interface in "${_interface_list[@]}"; do
  bash services/ssh.sh --systemd='enable' --interface="${_interface}"
done
```

Firewall rules should be started when both the service and the interface are available, and stopped when either is unavailable.
## Notes

- Unless otherwise stated within an individual script, the scripts within this repository target `iptables` and not `ip6tables`.
- The `tcp.sh` filters log specific types of dropped packets and are intended to be used with fail2ban (or similar firewall management software). Future revisions may include a command-line option to toggle logging behaviors.
- Some services, such as OpenVPN, require setting additional command-line options; please review the `--help` documentation for details.
## References

Sources consulted for the ICMP, UDP and TCP filters:

- https://www.cyberciti.biz/faq/linux-detect-port-scan-attacks/
- https://www.ossramblings.com/using_iptables_rate_limiting_to_prevent_portscans
- https://www.linuxquestions.org/questions/linux-security-4/tcp-packet-flags-syn-fin-ack-etc-and-firewall-rules-317389/
- https://gist.github.com/petrilli/1959001
- https://serverfault.com/questions/123208/iptables-p-udp-state-established
- https://serverfault.com/questions/191390/iptables-and-dhcp-questions
## Legal bits of Open Source software

Adaptive iptables documentation on how this project may be utilized
Copyright (C) 2019 S0AndS0
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU Affero General Public License as published
by the Free Software Foundation; version 3 of the License.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU Affero General Public License for more details.
You should have received a copy of the GNU Affero General Public License
along with this program. If not, see <https://www.gnu.org/licenses/>.