From 56ae9b08ef0954ff02ed3719c0d7519385b351a9 Mon Sep 17 00:00:00 2001
From: Konano
Date: Sat, 22 Jul 2023 14:48:22 +0800
Subject: [PATCH] add iptables-load
---
 files/.zshrc | 6 ++++++
 files/iptables-load | 37 +++++++++++++++++++++++++++++++++++++
 init_root.sh | 11 +++++++++++
 init_sudo.sh | 11 +++++++++++
 4 files changed, 65 insertions(+)
 create mode 100644 files/iptables-load
diff --git a/files/.zshrc b/files/.zshrc
index 1d3c233..6ed162f 100644
--- a/files/.zshrc
+++ b/files/.zshrc
@@ -120,6 +120,12 @@ alias -s bz2='tar -xjvf'
 alias cp='cp -i'
 alias cl='clear'
+if [ -f "/etc/network/if-pre-up.d/iptables-load" ]; then
+ alias ipl='sudo iptables -L -n'
+ alias ipe='sudo nano /etc/network/if-pre-up.d/iptables-load'
+ alias ips='sudo /etc/network/if-pre-up.d/iptables-load'
+fi
+
 command_exists() { command -v "$@" >/dev/null 2>&1; }
 command_exists trash-put && alias rm='trash-put'
diff --git a/files/iptables-load b/files/iptables-load
new file mode 100644
index 0000000..c17cc0c
--- /dev/null
+++ b/files/iptables-load
@@ -0,0 +1,37 @@
+#!/bin/sh
+
+# check iptables rule specification is exist,
+# if not add it
+check_and_add_iptables()
+{
+ iptables -C "$@" > /dev/null 2>&1
+ EXIST=$?
+ if [ $EXIST -ne 0 ]; then
+ iptables -A "$@"
+ fi
+}
+
+add_input_tcp_filter() {
+ check_and_add_iptables INPUT -p tcp -m tcp --dport "$1" -m comment --comment "$2" -j ACCEPT
+}
+
+# allow basic services
+add_input_tcp_filter 22 SSH
+add_input_tcp_filter 2263 SSH
+add_input_tcp_filter 80 HTTP
+add_input_tcp_filter 443 HTTPS
+
+# allow DNS
+check_and_add_iptables INPUT -p tcp --dport 53 -j ACCEPT -m comment --comment "DNS"
+check_and_add_iptables INPUT -p udp --dport 53 -j ACCEPT -m comment --comment "DNS"
+
+# allow internal network
+check_and_add_iptables INPUT -s 127.0.0.0/24 -m comment --comment "Internal Network" -j ACCEPT
+# allow ping
+check_and_add_iptables INPUT -p icmp -m comment --comment ping -j ACCEPT
+# allow all established and related connections
+check_and_add_iptables INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+# allow loopback
+check_and_add_iptables INPUT -i lo -j ACCEPT
+# dropped for INPUT by default
+iptables -P INPUT DROP
diff --git a/init_root.sh b/init_root.sh
index e627147..529066f 100755
--- a/init_root.sh
+++ b/init_root.sh
@@ -134,6 +134,16 @@ configure_tmux() {
 fi
 }
+configure_iptables() {
+ read -p "要配置 iptables 吗?[n/Y]: " response
+
+ if [[ $response =~ ^[Yy]$ ]]; then
+ cp $scriptdir/files/iptables-load /etc/network/if-pre-up.d/iptables-load
+ chmod +x /etc/network/if-pre-up.d/iptables-load
+ sh /etc/network/if-pre-up.d/iptables-load
+ fi
+}
+
 if [[ $EUID -ne 0 ]]; then
 echo "This script must be run as root."
 exit 1
@@ -148,3 +158,4 @@ configure_apt_upgrade
 configure_apt_install
 configure_zsh
 configure_tmux
+configure_iptables
diff --git a/init_sudo.sh b/init_sudo.sh
index d29abcb..bf92e6f 100755
--- a/init_sudo.sh
+++ b/init_sudo.sh
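Review bot: The `-s 127.0.0.0/24 -m comment --comment "Internal Network" -j ACCEPT` rule in files/iptables-load accepts, on every interface, any packet whose source claims to be loopback, while genuine loopback traffic is already accepted by the `-i lo -j ACCEPT` line below it, so the rule only widens what a forged source address can reach (whether the kernel's rp_filter catches such packets depends on the host's sysctl settings). If an internal range was meant, name it and bind it to its interface, e.g. `check_and_add_iptables INPUT -i eth0 -s 10.0.0.0/8 -m comment --comment "Internal Network" -j ACCEPT` (interface and range are placeholders); otherwise delete the line. The two `--dport 53` rules expose DNS server ports to all peers, which is only warranted if this host serves DNS; replies to the host's own lookups are already matched by the `RELATED,ESTABLISHED` rule. The file also sets `-P INPUT DROP` for IPv4 only, leaving the ip6tables INPUT chain at its default on dual-stack hosts, so either mirror the rules with ip6tables or state the IPv4-only scope in the header comment. Smaller points: `check_and_add_iptables` can be written `if ! iptables -C "$@" >/dev/null 2>&1; then iptables -A "$@"; fi` without the global `EXIST`, and `-m state` is the deprecated spelling of `-m conntrack --ctstate`.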
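Review bot: In configure_iptables of init_root.sh the copy `cp $scriptdir/files/iptables-load /etc/network/if-pre-up.d/iptables-load` leaves `$scriptdir` unquoted, so a checkout path containing whitespace splits into several arguments and the wrong file (or nothing) is installed before the following `chmod`/`sh` lines run; write `cp "$scriptdir/files/iptables-load" /etc/network/if-pre-up.d/iptables-load`. The prompt text `[n/Y]` presents yes as the default, but `^[Yy]$` does not match an empty reply, so pressing Enter silently skips the step; either change the prompt to `[y/N]` or treat an empty response as yes. `read -p` should be `read -rp` so a backslash in the answer is not interpreted. Since `sh /etc/network/if-pre-up.d/iptables-load` sets the INPUT policy to DROP immediately, a remote session on any port other than the ones the loader opens (22 and 2263 in the current file) is cut off as soon as the user answers yes, which the prompt or a comment should say. The same four points apply to configure_iptables in init_sudo.sh, whose hunk differs only by the `sudo` prefixes.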
@@ -134,6 +134,16 @@ configure_tmux() {
 fi
 }
+configure_iptables() {
+ read -p "要配置 iptables 吗?[n/Y]: " response
+
+ if [[ $response =~ ^[Yy]$ ]]; then
+ sudo cp $scriptdir/files/iptables-load /etc/network/if-pre-up.d/iptables-load
+ sudo chmod +x /etc/network/if-pre-up.d/iptables-load
+ sudo sh /etc/network/if-pre-up.d/iptables-load
+ fi
+}
+
 if [[ $EUID -eq 0 ]]; then
 echo "This script should not be run as root."
 exit 1
@@ -148,3 +158,4 @@ configure_apt_upgrade
 configure_apt_install
 configure_zsh
 configure_tmux
+configure_iptables