diff --git a/iptables.sh b/iptables.sh new file mode 100644 index 0000000..f8402a6 --- /dev/null +++ b/iptables.sh @@ -0,0 +1,65 @@ +#!/usr/bin/env bash + +# Clears the old iptables rules and sets new ones to only allow SSH & I2NP traffic (+ ICMP pings) + + +sudo apt update && sudo apt install iptables iptables-persistent -y + +read -p "[?] Confirm the deletion of old iptables rules: " -n 1 -r +! [[ "$REPLY" =~ ^[Yy]$ ]] && echo -e "\n[!] Aborting..." && exit 0 + +! [ -f ".env" ] && echo "[!] The .env file not found, aborting..." && exit 1 + +set -a +source .env +set +a + +[ -z ${EXT_PORT} ] && echo "[!] EXT_PORT is not configured, aborting..." && exit 1 + +# Clear all old rules (IPv4) +sudo iptables -P INPUT ACCEPT +sudo iptables -P FORWARD ACCEPT +sudo iptables -P OUTPUT ACCEPT +sudo iptables -t nat -F +sudo iptables -t mangle -F +sudo iptables -F +sudo iptables -X + +# Clear all old rules (IPv6) +sudo ip6tables -P INPUT ACCEPT +sudo ip6tables -P FORWARD ACCEPT +sudo ip6tables -P OUTPUT ACCEPT +sudo ip6tables -t nat -F +sudo ip6tables -t mangle -F +sudo ip6tables -F +sudo ip6tables -X + +# Allow all incoming SSH traffic (tcp:22) +sudo iptables -A INPUT -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT +sudo ip6tables -A INPUT -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT + +# Allow all I2NP traffic (tcp:$EXT_PORT, udp:$EXT_PORT) +# Not using `--state NEW,ESTABLISHED` guarantees that **all** incoming and outgoing traffic is let through +sudo iptables -A INPUT -p tcp --dport $EXT_PORT -j ACCEPT +sudo ip6tables -A INPUT -p tcp --dport $EXT_PORT -j ACCEPT +sudo iptables -A INPUT -p udp --dport $EXT_PORT -j ACCEPT +sudo ip6tables -A INPUT -p udp --dport $EXT_PORT -j ACCEPT + +# Allow all incoming ICMP echo requests (pings) +sudo iptables -A INPUT -p icmp --icmp-type echo-request -m state --state NEW,ESTABLISHED -j ACCEPT + +# Allow all ICMP traffic via IPv6 (ICMPv6 is essential for IPv6 to function) +sudo ip6tables -A INPUT -p ipv6-icmp -j ACCEPT + +# Allow all related and established incoming traffic (i.e. allow responses to outgoing requests initiated by the local system) +sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT +sudo ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT + +# Reject all other incoming traffic with DROP (DROP doesn't provide information about +# the host configuration to potential attackers like REJECT would, which is why it's used) +sudo iptables -A INPUT -j DROP +sudo ip6tables -A INPUT -j DROP + +# Persist changes +sudo iptables-save | sudo tee /etc/iptables/rules.v4 +sudo ip6tables-save | sudo tee /etc/iptables/rules.v6