add iptables-load

2023-07-22 14:48:22 +08:00 · 2023-07-22 14:48:22 +08:00 · 56ae9b08ef
commit 56ae9b08ef
parent 902f47bff3
4 changed files with 65 additions and 0 deletions
--- a/files/.zshrc
+++ b/files/.zshrc
@ -120,6 +120,12 @@ alias -s bz2='tar -xjvf'
 alias cp='cp -i'
 alias cl='clear'

+if [ -f "/etc/network/if-pre-up.d/iptables-load" ]; then
+    alias ipl='sudo iptables -L -n'
+    alias ipe='sudo nano /etc/network/if-pre-up.d/iptables-load'
+    alias ips='sudo /etc/network/if-pre-up.d/iptables-load'
+fi
+
 command_exists() { command -v "$@" >/dev/null 2>&1; }

 command_exists trash-put && alias rm='trash-put'
--- a/files/iptables-load
+++ b/files/iptables-load
@ -0,0 +1,37 @@
+#!/bin/sh
+
+# check iptables rule specification is exist,
+# if not add it
+check_and_add_iptables()
+{
+    iptables -C "$@" > /dev/null 2>&1
+    EXIST=$?
+    if [ $EXIST -ne 0 ]; then
+        iptables -A "$@"
+    fi
+}
+
+add_input_tcp_filter() {
+    check_and_add_iptables INPUT -p tcp -m tcp --dport "$1" -m comment --comment "$2" -j ACCEPT
+}
+
+# allow basic services
+add_input_tcp_filter 22 SSH
+add_input_tcp_filter 2263 SSH
+add_input_tcp_filter 80 HTTP
+add_input_tcp_filter 443 HTTPS
+
+# allow DNS
+check_and_add_iptables INPUT -p tcp --dport 53 -j ACCEPT -m comment --comment "DNS"
+check_and_add_iptables INPUT -p udp --dport 53 -j ACCEPT -m comment --comment "DNS"
+
+# allow internal network
+check_and_add_iptables INPUT -s 127.0.0.0/24 -m comment --comment "Internal Network" -j ACCEPT
+# allow ping
+check_and_add_iptables INPUT -p icmp -m comment --comment ping -j ACCEPT
+# allow all established and related connections
+check_and_add_iptables INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+# allow loopback
+check_and_add_iptables INPUT -i lo -j ACCEPT
+# dropped for INPUT by default
+iptables -P INPUT DROP
--- a/init_root.sh
+++ b/init_root.sh
@ -134,6 +134,16 @@ configure_tmux() {
    fi
 }

+configure_iptables() {
+    read -p "要配置 iptables 吗？[n/Y]: " response
+
+    if [[ $response =~ ^[Yy]$ ]]; then
+        cp $scriptdir/files/iptables-load /etc/network/if-pre-up.d/iptables-load
+        chmod +x /etc/network/if-pre-up.d/iptables-load
+        sh /etc/network/if-pre-up.d/iptables-load
+    fi
+}
+
 if [[ $EUID -ne 0 ]]; then
   echo "This script must be run as root."
   exit 1
@ -148,3 +158,4 @@ configure_apt_upgrade
 configure_apt_install
 configure_zsh
 configure_tmux
+configure_iptables
--- a/init_sudo.sh
+++ b/init_sudo.sh
@ -134,6 +134,16 @@ configure_tmux() {
    fi
 }

+configure_iptables() {
+    read -p "要配置 iptables 吗？[n/Y]: " response
+
+    if [[ $response =~ ^[Yy]$ ]]; then
+        sudo cp $scriptdir/files/iptables-load /etc/network/if-pre-up.d/iptables-load
+        sudo chmod +x /etc/network/if-pre-up.d/iptables-load
+        sudo sh /etc/network/if-pre-up.d/iptables-load
+    fi
+}
+
 if [[ $EUID -eq 0 ]]; then
   echo "This script should not be run as root."
   exit 1
@ -148,3 +158,4 @@ configure_apt_upgrade
 configure_apt_install
 configure_zsh
 configure_tmux
+configure_iptables