firewall.sh
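#! /bin/bash
# runs on first login to set up and save firewall rules
#
# Ordering matters: every ACCEPT rule is appended before the INPUT policy is
# flipped to DROP, so the session running this script is never cut off part
# way through. Only the IPv4 table (iptables) is touched; ip6tables is left
# untouched, so IPv6 listeners are not covered by these rules.
set -euo pipefail

# TCP port sshd listens on. The literal placeholder is meant to be substituted
# when this script is installed on the host.
SSH_PORT=REPLACE_ME

# Refuse to touch the firewall until SSH_PORT is a real port number. With the
# placeholder still in place the multiport rule below is rejected by iptables
# and the script would abort with the first two rules already applied.
if [[ ! "$SSH_PORT" =~ ^[0-9]+$ ]] || (( SSH_PORT < 1 || SSH_PORT > 65535 )); then
  printf 'SSH_PORT is "%s"; edit this script and set it to the port sshd listens on before running it.\n' "$SSH_PORT" >&2
  exit 1
fi

prompt=$'\e[32mWelcome! The last thing we need to do is set up and save firewall rules. Do you want to do this now (y/n)?\e[0m '
# EOF on stdin (e.g. a non-interactive login) is treated as "no" rather than
# letting set -e kill the script silently on the failed read.
if ! read -r -p "$prompt" yn || [[ ! "$yn" =~ ^[Yy]$ ]]; then
  printf '%s\n' "Goodbye. This script will run again next time you log in."
  exit
fi

# allow return traffic for outgoing connections initiated by the server itself
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# allow loopback traffic from localhost; reject spoofed loopback sources on
# any other interface
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A INPUT ! -i lo -s 127.0.0.0/8 -j REJECT
# allow http, https, ssh
# NOTE: -A appends, so running this script twice leaves duplicate rules in
# the chain; it is intended to run once (it deletes itself at the end).
sudo iptables -A INPUT -p tcp -m multiport --dports "80,443,${SSH_PORT}" -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
# set input policy to drop everything else (all ACCEPT rules are in place now)
sudo iptables --policy INPUT DROP

# the package's install step offers to save the current rules, which is why an
# explicit save is not run here
sudo apt install iptables-persistent -y
# don't need to run this as it runs automatically on install
# sudo netfilter-persistent save

# %b expands the \e and \n escapes the same way echo -e did
printf '%b\n' "\n\e[32mFirewall configured 👍. If you didn't save rules, please run sudo netfilter-persistent save :)\e[0m\n"

# remove ourselves so the first-login hook does not run the script again;
# assumes the script was installed at ~/firewall.sh
rm -- ~/firewall.sh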