diff --git a/Alpine/iptables.setup b/Alpine/iptables.setup
new file mode 100644
index 00000000..f39a329e
--- /dev/null
+++ b/Alpine/iptables.setup
@@ -0,0 +1,200 @@
+#!/bin/sh
+# Interactive Alpine Linux iptables firewall script (no NAT changes)
+
+set -e
+
+RULES_DIR="/etc"
+BEFORE_RULES="$RULES_DIR/rules.bs"
+AFTER_RULES="$RULES_DIR/rules.as"
+
+ask() {
+ while true; do
+ printf "%s [y/n]: " "$1"
+ read ans
+ case "$ans" in
+ y|Y) return 0 ;;
+ n|N) return 1 ;;
+ *) echo "Please answer y or n." ;;
+ esac
+ done
+}
+
+prompt() {
+ printf "%s: " "$1"
+ read value
+ echo "$value"
+}
+
+echo "-> Saving current rules"
+iptables-save > "$BEFORE_RULES"
+
+# -------------------------
+# FLUSH RULES
+# -------------------------
+if ask "Flush current filter rules?"; then
+ echo "-> Flushing filter table rules"
+ iptables -F
+ iptables -X
+fi
+
+# -------------------------
+# ESTABLISHED / RELATED
+# -------------------------
+if ask "Allow established and related connections?"; then
+ iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+ iptables -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+ iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+ echo "-> Established and related connections allowed"
+fi
+
+# -------------------------
+# INVALID
+# -------------------------
+if ask "Drop Invalid connections?"; then
+ iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
+ iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP
+ echo "-> Droping Invalid connections"
+fi
+
+# -------------------------
+# TRUSTED /24 TCP RULES
+# -------------------------
+if ask "Add TCP allow rules for a trusted /24 network?"; then
+ # Prompt for IP
+ printf "Enter the IP address to target: "
+ read TARGET_IP
+
+ if [ -z "$TARGET_IP" ]; then
+ echo "Error: No IP address entered."
+ exit 1
+ fi
+
+ # Prompt for TCP ports (comma-separated, max 15 for multiport)
+ printf "Enter multiple TCP port numbers (comma-separated, e.g., 22,80,443): "
+ read PORTS
+
+ if [ -z "$PORTS" ]; then
+ echo "Error: No port numbers entered."
+ exit 1
+ fi
+
+ # Count the number of ports
+ PORT_COUNT=$(echo "$PORTS" | awk -F',' '{print NF}')
+ if [ "$PORT_COUNT" -gt 15 ]; then
+ echo "Error: Multiport supports up to 15 ports per rule. Please reduce the number of ports."
+ exit 1
+ fi
+
+ # Add iptables rules using multiport
+ echo "Adding multiport rules for IP $TARGET_IP on TCP ports: $PORTS"
+
+ iptables -A INPUT -p tcp -s "$TARGET_IP" -m multiport --dports "$PORTS" -j ACCEPT
+ iptables -A FORWARD -p tcp -s "$TARGET_IP" -m multiport --dports "$PORTS" -j ACCEPT
+
+ echo "-> rule added successfully!"
+
+fi
+
+# -------------------------
+# TRUSTED /24 UDP RULES
+# -------------------------
+if ask "Add UDP allow rules for a trusted /24 network?"; then
+# Prompt for IP
+ printf "Enter the IP address to target: "
+ read TARGET_IP
+
+ if [ -z "$TARGET_IP" ]; then
+ echo "Error: No IP address entered."
+ exit 1
+ fi
+
+ # Prompt for UDP ports (comma-separated, max 15 for multiport)
+ printf "Enter multiple UDP port numbers (comma-separated, e.g., 53,123,137): "
+ read PORTS
+
+ if [ -z "$PORTS" ]; then
+ echo "Error: No port numbers entered."
+ exit 1
+ fi
+
+ # Count the number of ports
+ PORT_COUNT=$(echo "$PORTS" | awk -F',' '{print NF}')
+ if [ "$PORT_COUNT" -gt 15 ]; then
+ echo "Error: Multiport supports up to 15 ports per rule. Please reduce the number of ports."
+ exit 1
+ fi
+
+ # Add iptables rules using multiport
+ echo "Adding multiport rules for IP $TARGET_IP on UDP ports: $PORTS"
+
+ iptables -A INPUT -p udp -s "$TARGET_IP" -m multiport --dports "$PORTS" -j ACCEPT
+ iptables -A FORWARD -p udp -s "$TARGET_IP" -m multiport --dports "$PORTS" -j ACCEPT
+
+ echo "-> rule added successfully!"
+fi
+
+# -------------------------
+# DEFAULT POLICIES
+# -------------------------
+if ask "Block all traffic by default?"; then
+ iptables -P INPUT DROP
+ iptables -P OUTPUT DROP
+ iptables -P FORWARD DROP
+ echo "-> Setting default policies to DROP"
+fi
+
+# -------------------------
+# LOOPBACK
+# -------------------------
+if ask "Allow loopback (lo) traffic?"; then
+ iptables -A INPUT -i lo -j ACCEPT
+ iptables -A OUTPUT -o lo -j ACCEPT
+ iptables -A FORWARD -i lo -j ACCEPT
+ echo "-> Loopback allowed"
+fi
+
+# -------------------------
+# ICMP (PING)
+# -------------------------
+if ask "Allow ICMP (ping)?"; then
+ iptables -A INPUT -p icmp -j ACCEPT
+ iptables -A OUTPUT -p icmp -j ACCEPT
+ iptables -A FORWARD -p icmp -j ACCEPT
+ echo "-> ICMP allowed"
+fi
+
+# -------------------------
+# SSH AND RDP BRUTE FORCE PROTECTION AND ALLOW
+# -------------------------
+if ask "Enable SSH AND RDP brute-force protection (rate limiting)?"; then
+ iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW \
+ -m limit --limit 1/min --limit-burst 5 -j ACCEPT
+ iptables -A FORWARD -p tcp --dport 22 -m conntrack --ctstate NEW \
+ -m limit --limit 1/min --limit-burst 5 -j ACCEPT
+ iptables -A INPUT -p tcp --dport 3389 -m conntrack --ctstate NEW \
+ -m limit --limit 1/min --limit-burst 5 -j ACCEPT
+ iptables -A FORWARD -p tcp --dport 3389 -m conntrack --ctstate NEW \
+ -m limit --limit 1/min --limit-burst 5 -j ACCEPT
+ echo "-> SSH AND RDP brute-force protection enabled"
+fi
+
+# -------------------------
+# REMOTE ACCESS
+# -------------------------
+if ask "Allow remote access (SSH 22 / RDP 3389)?"; then
+ iptables -A INPUT -p tcp -m multiport --dports 22,3389 -j ACCEPT
+ iptables -A INPUT -p udp -m multiport --dports 22,3389 -j ACCEPT
+ iptables -A FORWARD -p tcp -m multiport --dports 22,3389 -j ACCEPT
+ iptables -A FORWARD -p udp -m multiport --dports 22,3389 -j ACCEPT
+ echo "-> Remote access allowed"
+fi
+
+# -------------------------
+# SAVE RULES
+# -------------------------
+echo "-> Saving final rules"
+iptables-save > "$AFTER_RULES"
+echo "-> Firewall configuration complete"
+echo "-> Backup before: /etc/rule.bs"
+echo "-> Active rules: /etc/rule.as"
+echo "-> Check rules with (iptables -nvL)"
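Review bot: The rate-limited ACCEPT rules in the brute-force block are immediately followed, when the next prompt is also answered yes, by an unconditional `iptables -A INPUT -p tcp -m multiport --dports 22,3389 -j ACCEPT` (and the FORWARD twin), so NEW connections that exceed `--limit 1/min --limit-burst 5` simply fall through to that rule and the protection has no effect; worse, `-m limit` is one global bucket, so a single remote source that exhausts it locks every administrator out of SSH and RDP until the bucket refills. A per-source match (`-m hashlimit --hashlimit-mode srcip`, assuming the xt_hashlimit module is present on the target kernel) followed by an explicit DROP for the remaining NEW packets on those ports, with the unconditional 22/3389 allow offered only when protection was declined, keeps the chain order sound. Separately, the closing messages print `/etc/rule.bs` and `/etc/rule.as` while the files actually written are `"$BEFORE_RULES"` and `"$AFTER_RULES"` (`/etc/rules.bs`, `/etc/rules.as`); printing the variables, `echo "-> Backup before: $BEFORE_RULES"`, removes the mismatch. The trusted-network prompts also accept `$TARGET_IP` and `$PORTS` unvalidated, and under `set -e` a malformed value makes iptables abort the script after the flush has already run, leaving a partially built ruleset.
```shell
if ask "Enable SSH AND RDP brute-force protection (per-source rate limiting)?"; then
    for chain in INPUT FORWARD; do
        # one token bucket per source address, so a single noisy client
        # cannot exhaust the allowance for everyone
        iptables -A "$chain" -p tcp -m multiport --dports 22,3389 \
            -m conntrack --ctstate NEW \
            -m hashlimit --hashlimit-name remote_access --hashlimit-mode srcip \
            --hashlimit-upto 1/min --hashlimit-burst 5 -j ACCEPT
        # anything beyond the allowance is dropped here, before any later
        # unconditional ACCEPT for these ports can match it
        iptables -A "$chain" -p tcp -m multiport --dports 22,3389 \
            -m conntrack --ctstate NEW -j DROP
    done
    echo "-> SSH AND RDP brute-force protection enabled"
elif ask "Allow remote access (SSH 22 / RDP 3389) without rate limiting?"; then
    iptables -A INPUT -p tcp -m multiport --dports 22,3389 -j ACCEPT
    iptables -A FORWARD -p tcp -m multiport --dports 22,3389 -j ACCEPT
    # … unchanged: UDP allow lines, if still wanted …
    echo "-> Remote access allowed"
fi
# … unchanged: SAVE RULES section …
```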