add iptables-load

This commit is contained in:
Konano 2023-07-22 14:48:22 +08:00
parent 902f47bff3
commit 56ae9b08ef
4 changed files with 65 additions and 0 deletions


@ -120,6 +120,12 @@ alias -s bz2='tar -xjvf'
alias cp='cp -i' alias cp='cp -i'
alias cl='clear' alias cl='clear'
if [ -f "/etc/network/if-pre-up.d/iptables-load" ]; then
alias ipl='sudo iptables -L -n'
alias ipe='sudo nano /etc/network/if-pre-up.d/iptables-load'
alias ips='sudo /etc/network/if-pre-up.d/iptables-load'
fi
command_exists() { command -v "$@" >/dev/null 2>&1; } command_exists() { command -v "$@" >/dev/null 2>&1; }
command_exists trash-put && alias rm='trash-put' command_exists trash-put && alias rm='trash-put'
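Review bot: The `ipe` alias starts nano itself as root; `alias ipe='sudo -e /etc/network/if-pre-up.d/iptables-load'` (sudoedit) edits a temporary copy with the editor running as the invoking user and honouring `$EDITOR`/`$VISUAL`, which is the usual least-privilege form for touching a root-owned file. The `ipl`/`ips` aliases look fine; the `-f` guard means none of the three exist until the install script below has copied the file into place.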

files/iptables-load Normal file

@ -0,0 +1,37 @@
#!/bin/sh
# check iptables rule specification is exist,
# if not add it
check_and_add_iptables()
{
iptables -C "$@" > /dev/null 2>&1
EXIST=$?
if [ $EXIST -ne 0 ]; then
iptables -A "$@"
fi
}
add_input_tcp_filter() {
check_and_add_iptables INPUT -p tcp -m tcp --dport "$1" -m comment --comment "$2" -j ACCEPT
}
# allow basic services
add_input_tcp_filter 22 SSH
add_input_tcp_filter 2263 SSH
add_input_tcp_filter 80 HTTP
add_input_tcp_filter 443 HTTPS
# allow DNS
check_and_add_iptables INPUT -p tcp --dport 53 -j ACCEPT -m comment --comment "DNS"
check_and_add_iptables INPUT -p udp --dport 53 -j ACCEPT -m comment --comment "DNS"
# allow internal network
check_and_add_iptables INPUT -s 127.0.0.0/24 -m comment --comment "Internal Network" -j ACCEPT
# allow ping
check_and_add_iptables INPUT -p icmp -m comment --comment ping -j ACCEPT
# allow all established and related connections
check_and_add_iptables INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# allow loopback
check_and_add_iptables INPUT -i lo -j ACCEPT
# dropped for INPUT by default
iptables -P INPUT DROP
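Review bot: The rule commented "Internal Network" matches `-s 127.0.0.0/24`, which is part of the loopback range that the later `-i lo -j ACCEPT` rule already covers; as written it also accepts packets carrying a loopback source address on any interface, so it looks like either the CIDR or the comment is wrong and the rule should be narrowed to the intended LAN prefix or dropped. The final `iptables -P INPUT DROP` runs unconditionally and `check_and_add_iptables` never propagates a failed `iptables -A`, so a rule that fails to install still ends with a DROP policy; adding `set -e` at the top and rewriting the helper body as `if ! iptables -C "$@" >/dev/null 2>&1; then iptables -A "$@"; fi` makes the policy change skip on error. Everything here is IPv4 only: if the host has IPv6 enabled, the ip6tables INPUT chain keeps its ACCEPT policy and none of these restrictions apply there. `-m state --state RELATED,ESTABLISHED` is the deprecated spelling of `-m conntrack --ctstate RELATED,ESTABLISHED`.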


@ -134,6 +134,16 @@ configure_tmux() {
fi fi
} }
configure_iptables() {
read -p "要配置 iptables 吗?[n/Y]: " response
if [[ $response =~ ^[Yy]$ ]]; then
cp $scriptdir/files/iptables-load /etc/network/if-pre-up.d/iptables-load
chmod +x /etc/network/if-pre-up.d/iptables-load
sh /etc/network/if-pre-up.d/iptables-load
fi
}
if [[ $EUID -ne 0 ]]; then if [[ $EUID -ne 0 ]]; then
echo "This script must be run as root." echo "This script must be run as root."
exit 1 exit 1
@ -148,3 +158,4 @@ configure_apt_upgrade
configure_apt_install configure_apt_install
configure_zsh configure_zsh
configure_tmux configure_tmux
configure_iptables
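Review bot: In configure_iptables the `$scriptdir` expansion in the cp line is unquoted and the cp/chmod results are unchecked, so a path containing spaces or a missing /etc/network/if-pre-up.d directory leaves the function running `sh` on a file that was never copied; `cp -- "$scriptdir/files/iptables-load" /etc/network/if-pre-up.d/iptables-load || return 1` and `chmod +x /etc/network/if-pre-up.d/iptables-load || return 1` would stop it there. The prompt `[n/Y]` reads as yes-by-default, but the `^[Yy]$` match means pressing Enter does nothing, so either the prompt or the check should change, and `read -p` should be `read -rp` so backslashes in the answer are not interpreted. The if-pre-up.d hook only runs under ifupdown; on a host managed by NetworkManager or systemd-networkd the rules are applied once now and are gone after reboot, which the installer does not detect or warn about. The same lines appear in the second configure_iptables hunk below (the sudo variant) and need the same fixes; `$scriptdir` is assigned outside this hunk.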


@ -134,6 +134,16 @@ configure_tmux() {
fi fi
} }
configure_iptables() {
read -p "要配置 iptables 吗?[n/Y]: " response
if [[ $response =~ ^[Yy]$ ]]; then
sudo cp $scriptdir/files/iptables-load /etc/network/if-pre-up.d/iptables-load
sudo chmod +x /etc/network/if-pre-up.d/iptables-load
sudo sh /etc/network/if-pre-up.d/iptables-load
fi
}
if [[ $EUID -eq 0 ]]; then if [[ $EUID -eq 0 ]]; then
echo "This script should not be run as root." echo "This script should not be run as root."
exit 1 exit 1
@ -148,3 +158,4 @@ configure_apt_upgrade
configure_apt_install configure_apt_install
configure_zsh configure_zsh
configure_tmux configure_tmux
configure_iptables