compact syntax for loops

Jérémy Lecour 2021-05-22 09:41:29 +02:00 committed by Jérémy Lecour
parent a3ab1a4f2e
commit 8eb0180b51


@ -159,19 +159,17 @@ start() {
# Trusted ip addresses # Trusted ip addresses
${IPT} -N ONLYTRUSTED ${IPT} -N ONLYTRUSTED
${IPT} -A ONLYTRUSTED -j LOG_DROP ${IPT} -A ONLYTRUSTED -j LOG_DROP
for x in ${TRUSTEDIPS} for ip in ${TRUSTEDIPS}; do
do ${IPT} -I ONLYTRUSTED -s ${ip} -j ACCEPT
${IPT} -I ONLYTRUSTED -s ${x} -j ACCEPT done
done
# Privilegied ip addresses # Privilegied ip addresses
# (trusted ip addresses *are* privilegied) # (trusted ip addresses *are* privilegied)
${IPT} -N ONLYPRIVILEGIED ${IPT} -N ONLYPRIVILEGIED
${IPT} -A ONLYPRIVILEGIED -j ONLYTRUSTED ${IPT} -A ONLYPRIVILEGIED -j ONLYTRUSTED
for x in ${PRIVILEGIEDIPS} for ip in ${PRIVILEGIEDIPS}; do
do ${IPT} -I ONLYPRIVILEGIED -s ${ip} -j ACCEPT
${IPT} -I ONLYPRIVILEGIED -s ${x} -j ACCEPT done
done
# Chain for restrictions (blacklist IPs/ranges) # Chain for restrictions (blacklist IPs/ranges)
${IPT} -N NEEDRESTRICT ${IPT} -N NEEDRESTRICT
@ -223,170 +221,142 @@ start() {
${IPT} -A INPUT -s ${INTLAN} -j ACCEPT ${IPT} -A INPUT -s ${INTLAN} -j ACCEPT
# Enable protection chain for sensible services # Enable protection chain for sensible services
for port in ${SERVICESTCP1p} for port in ${SERVICESTCP1p}; do
do ${IPT} -A INPUT -p tcp --dport ${port} -j NEEDRESTRICT
${IPT} -A INPUT -p tcp --dport ${port} -j NEEDRESTRICT done
done
for port in ${SERVICESUDP1p} for port in ${SERVICESUDP1p}; do
do ${IPT} -A INPUT -p udp --dport ${port} -j NEEDRESTRICT
${IPT} -A INPUT -p udp --dport ${port} -j NEEDRESTRICT done
done
# Public service # Public service
for port in ${SERVICESTCP1} for port in ${SERVICESTCP1}; do
do ${IPT} -A INPUT -p tcp --dport ${port} -j ACCEPT
${IPT} -A INPUT -p tcp --dport ${port} -j ACCEPT [ "${IPV6}" != "off" ] && ${IPT6} -A INPUT -p tcp --dport ${port} -j ACCEPT
[ "${IPV6}" != "off" ] && ${IPT6} -A INPUT -p tcp --dport ${port} -j ACCEPT done
done
for port in ${SERVICESUDP1} for port in ${SERVICESUDP1}; do
do ${IPT} -A INPUT -p udp --dport ${port} -j ACCEPT
${IPT} -A INPUT -p udp --dport ${port} -j ACCEPT [ "${IPV6}" != "off" ] && ${IPT6} -A INPUT -p udp --dport ${port} -j ACCEPT
[ "${IPV6}" != "off" ] && ${IPT6} -A INPUT -p udp --dport ${port} -j ACCEPT done
done
# Privilegied services # Privilegied services
for port in ${SERVICESTCP2} for port in ${SERVICESTCP2}; do
do ${IPT} -A INPUT -p tcp --dport ${port} -j ONLYPRIVILEGIED
${IPT} -A INPUT -p tcp --dport ${port} -j ONLYPRIVILEGIED done
done
for port in ${SERVICESUDP2} for port in ${SERVICESUDP2}; do
do ${IPT} -A INPUT -p udp --dport ${port} -j ONLYPRIVILEGIED
${IPT} -A INPUT -p udp --dport ${port} -j ONLYPRIVILEGIED done
done
# Private services # Private services
for port in ${SERVICESTCP3} for port in ${SERVICESTCP3}; do
do ${IPT} -A INPUT -p tcp --dport ${port} -j ONLYTRUSTED
${IPT} -A INPUT -p tcp --dport ${port} -j ONLYTRUSTED done
done
for port in ${SERVICESUDP3} for port in ${SERVICESUDP3}; do
do ${IPT} -A INPUT -p udp --dport ${port} -j ONLYTRUSTED
${IPT} -A INPUT -p udp --dport ${port} -j ONLYTRUSTED done
done
if [ "${DOCKER}" = "on" ]; then if [ "${DOCKER}" = "on" ]; then
# Public services defined in SERVICESTCP1 & SERVICESUDP1 # Public services defined in SERVICESTCP1 & SERVICESUDP1
for dstport in ${SERVICESTCP1} for dstport in ${SERVICESTCP1}; do
do ${IPT} -I MINIFW-DOCKER-PUB -p tcp --dport "${dstport}" -j RETURN
${IPT} -I MINIFW-DOCKER-PUB -p tcp --dport "${dstport}" -j RETURN done
done
for dstport in ${SERVICESUDP1} for dstport in ${SERVICESUDP1}; do
do ${IPT} -I MINIFW-DOCKER-PUB -p udp --dport "${dstport}" -j RETURN
${IPT} -I MINIFW-DOCKER-PUB -p udp --dport "${dstport}" -j RETURN done
done
# Privileged services (accessible from privileged & trusted IPs) # Privileged services (accessible from privileged & trusted IPs)
for dstport in ${SERVICESTCP2} for dstport in ${SERVICESTCP2}; do
do for srcip in ${PRIVILEGIEDIPS}; do
for srcip in ${PRIVILEGIEDIPS} ${IPT} -I MINIFW-DOCKER-PRIVILEGED -p tcp -s "${srcip}" --dport "${dstport}" -j RETURN
do
${IPT} -I MINIFW-DOCKER-PRIVILEGED -p tcp -s "${srcip}" --dport "${dstport}" -j RETURN
done
for srcip in ${TRUSTEDIPS}
do
${IPT} -I MINIFW-DOCKER-PRIVILEGED -p tcp -s "${srcip}" --dport "${dstport}" -j RETURN
done
done done
for dstport in ${SERVICESUDP2} for srcip in ${TRUSTEDIPS}; do
do ${IPT} -I MINIFW-DOCKER-PRIVILEGED -p tcp -s "${srcip}" --dport "${dstport}" -j RETURN
for srcip in ${PRIVILEGIEDIPS}
do
${IPT} -I MINIFW-DOCKER-PRIVILEGED -p udp -s "${srcip}" --dport "${dstport}" -j RETURN
done
for srcip in ${TRUSTEDIPS}
do
${IPT} -I MINIFW-DOCKER-PRIVILEGED -p udp -s "${srcip}" --dport "${dstport}" -j RETURN
done
done done
done
for dstport in ${SERVICESUDP2}; do
for srcip in ${PRIVILEGIEDIPS}; do
${IPT} -I MINIFW-DOCKER-PRIVILEGED -p udp -s "${srcip}" --dport "${dstport}" -j RETURN
done
for srcip in ${TRUSTEDIPS}; do
${IPT} -I MINIFW-DOCKER-PRIVILEGED -p udp -s "${srcip}" --dport "${dstport}" -j RETURN
done
done
# Trusted services (accessible from trusted IPs) # Trusted services (accessible from trusted IPs)
for dstport in ${SERVICESTCP3} for dstport in ${SERVICESTCP3}; do
do for srcip in ${TRUSTEDIPS}; do
for srcip in ${TRUSTEDIPS} ${IPT} -I MINIFW-DOCKER-TRUSTED -p tcp -s "${srcip}" --dport "${dstport}" -j RETURN
do
${IPT} -I MINIFW-DOCKER-TRUSTED -p tcp -s "${srcip}" --dport "${dstport}" -j RETURN
done
done done
done
for dstport in ${SERVICESUDP3} for dstport in ${SERVICESUDP3}; do
do for srcip in ${TRUSTEDIPS}; do
for srcip in ${TRUSTEDIPS} ${IPT} -I MINIFW-DOCKER-TRUSTED -p udp -s "${srcip}" --dport "${dstport}" -j RETURN
do
${IPT} -I MINIFW-DOCKER-TRUSTED -p udp -s "${srcip}" --dport "${dstport}" -j RETURN
done
done done
done
fi fi
# External services # External services
################### ###################
# DNS authorizations # DNS authorizations
for x in ${DNSSERVEURS} for x in ${DNSSERVEURS}; do
do ${IPT} -A INPUT -p tcp ! --syn --sport 53 --dport ${PORTSUSER} -s ${x} -j ACCEPT
${IPT} -A INPUT -p tcp ! --syn --sport 53 --dport ${PORTSUSER} -s ${x} -j ACCEPT ${IPT} -A INPUT -p udp --sport 53 --dport ${PORTSUSER} -s ${x} -m state --state ESTABLISHED,RELATED -j ACCEPT
${IPT} -A INPUT -p udp --sport 53 --dport ${PORTSUSER} -s ${x} -m state --state ESTABLISHED,RELATED -j ACCEPT ${IPT} -A OUTPUT -o ${INT} -p udp -d ${x} --dport 53 --match state --state NEW -j ACCEPT
${IPT} -A OUTPUT -o ${INT} -p udp -d ${x} --dport 53 --match state --state NEW -j ACCEPT done
done
# HTTP (TCP/80) authorizations # HTTP (TCP/80) authorizations
for x in ${HTTPSITES} for x in ${HTTPSITES}; do
do ${IPT} -A INPUT -p tcp ! --syn --sport 80 --dport ${PORTSUSER} -s ${x} -j ACCEPT
${IPT} -A INPUT -p tcp ! --syn --sport 80 --dport ${PORTSUSER} -s ${x} -j ACCEPT done
done
# HTTPS (TCP/443) authorizations # HTTPS (TCP/443) authorizations
for x in ${HTTPSSITES} for x in ${HTTPSSITES}; do
do ${IPT} -A INPUT -p tcp ! --syn --sport 443 --dport ${PORTSUSER} -s ${x} -j ACCEPT
${IPT} -A INPUT -p tcp ! --syn --sport 443 --dport ${PORTSUSER} -s ${x} -j ACCEPT done
done
# FTP (so complex protocol...) authorizations # FTP (so complex protocol...) authorizations
for x in ${FTPSITES} for x in ${FTPSITES}; do
do # requests on Control connection
# requests on Control connection ${IPT} -A INPUT -p tcp ! --syn --sport 21 --dport ${PORTSUSER} -s ${x} -j ACCEPT
${IPT} -A INPUT -p tcp ! --syn --sport 21 --dport ${PORTSUSER} -s ${x} -j ACCEPT # FTP port-mode on Data Connection
# FTP port-mode on Data Connection ${IPT} -A INPUT -p tcp --sport 20 --dport ${PORTSUSER} -s ${x} -j ACCEPT
${IPT} -A INPUT -p tcp --sport 20 --dport ${PORTSUSER} -s ${x} -j ACCEPT # FTP passive-mode on Data Connection
# FTP passive-mode on Data Connection # WARNING, this allow all connections on TCP ports > 1024
# WARNING, this allow all connections on TCP ports > 1024 ${IPT} -A INPUT -p tcp ! --syn --sport ${PORTSUSER} --dport ${PORTSUSER} -s ${x} -j ACCEPT
${IPT} -A INPUT -p tcp ! --syn --sport ${PORTSUSER} --dport ${PORTSUSER} -s ${x} -j ACCEPT done
done
# SSH authorizations # SSH authorizations
for x in ${SSHOK} for x in ${SSHOK}; do
do ${IPT} -A INPUT -p tcp ! --syn --sport 22 -s ${x} -j ACCEPT
${IPT} -A INPUT -p tcp ! --syn --sport 22 -s ${x} -j ACCEPT done
done
# SMTP authorizations # SMTP authorizations
for x in ${SMTPOK} for x in ${SMTPOK}; do
do ${IPT} -A INPUT -p tcp ! --syn --sport 25 --dport ${PORTSUSER} -s ${x} -j ACCEPT
${IPT} -A INPUT -p tcp ! --syn --sport 25 --dport ${PORTSUSER} -s ${x} -j ACCEPT done
done
# secure SMTP (TCP/465 et TCP/587) authorizations # secure SMTP (TCP/465 et TCP/587) authorizations
for x in ${SMTPSECUREOK} for x in ${SMTPSECUREOK}; do
do ${IPT} -A INPUT -p tcp ! --syn --sport 465 --dport ${PORTSUSER} -s ${x} -j ACCEPT
${IPT} -A INPUT -p tcp ! --syn --sport 465 --dport ${PORTSUSER} -s ${x} -j ACCEPT ${IPT} -A INPUT -p tcp ! --syn --sport 587 --dport ${PORTSUSER} -s ${x} -j ACCEPT
${IPT} -A INPUT -p tcp ! --syn --sport 587 --dport ${PORTSUSER} -s ${x} -j ACCEPT done
done
# NTP authorizations # NTP authorizations
for x in ${NTPOK} for x in ${NTPOK}; do
do ${IPT} -A INPUT -p udp --sport 123 -s ${x} -j ACCEPT
${IPT} -A INPUT -p udp --sport 123 -s ${x} -j ACCEPT ${IPT} -A OUTPUT -o ${INT} -p udp -d ${x} --dport 123 --match state --state NEW -j ACCEPT
${IPT} -A OUTPUT -o ${INT} -p udp -d ${x} --dport 123 --match state --state NEW -j ACCEPT done
done
# Always allow ICMP # Always allow ICMP
${IPT} -A INPUT -p icmp -j ACCEPT ${IPT} -A INPUT -p icmp -j ACCEPT