      1 #!/bin/bash
      2 # Prosody XMPP Firewall - developed by acidvegas (https://git.acid.vegas/prosody)
      3 
      4 set -xev
      5 
      6 # Configuration
      7 IP_SSH="changeme"
      8 PORT_SSH=22        # Default 22
      9 PORT_XMPP_C2S=5222 # Default 5222
     10 PORT_XMPP_S2S=5269 # Default 5269
     11 
     12 CONTAINER_IP=$(incus list | grep prosody-container | awk '{print $6}')
     13 SUBNET=$(echo $CONTAINER_IP | sed -E 's/([0-9]+\.[0-9]+\.[0-9]+)\.[0-9]+/\1.0\/24/')
     14 
     15 # -------------------------------------------------- #
     16 
     17 # Kernel hardening settings
     18 mkdir -p /etc/sysctl.d
     19 {
     20   echo "net.ipv4.conf.all.accept_source_route = 0"
     21   echo "net.ipv6.conf.all.accept_source_route = 0"
     22   echo "net.ipv4.conf.all.rp_filter = 1"
     23   echo "net.ipv4.conf.default.rp_filter = 1"
     24   echo "net.ipv4.conf.all.accept_redirects = 0"
     25   echo "net.ipv6.conf.all.accept_redirects = 0"
     26   echo "net.ipv4.conf.default.accept_redirects = 0"
     27   echo "net.ipv6.conf.default.accept_redirects = 0"
     28   echo "net.ipv4.conf.all.log_martians = 1"
     29   echo "kernel.randomize_va_space = 2"
     30   echo "fs.suid_dumpable = 0"
     31   echo "net.ipv4.ip_forward=1"
     32 } > /etc/sysctl.d/99-custom-hardening.conf
     33 
     34 # Apply hardening settings
     35 sysctl -p /etc/sysctl.d/99-custom-hardening.conf
     36 
     37 # -------------------------------------------------- #
     38 
     39 # Flush existing rules
     40 iptables -F
     41 iptables -X
     42 iptables -t nat -F
     43 iptables -t nat -X
     44 iptables -t mangle -F
     45 iptables -t mangle -X
     46 
     47 # Default chain policies
     48 iptables -P INPUT ACCEPT
     49 iptables -P FORWARD DROP
     50 iptables -P OUTPUT ACCEPT
     51 
     52 # Common Firewall rules
     53 iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
     54 iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
     55 iptables -A INPUT -p icmp --icmp-type port-unreachable -j DROP
     56 iptables -A INPUT -i lo -j ACCEPT
     57 
     58 # -------------------------------------------------- #
     59 
     60 # Allow container NAT
     61 iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
     62 iptables -A FORWARD -i incusbr0 -o eth0 -j ACCEPT
     63 iptables -A FORWARD -i eth0 -o incusbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
     64 
     65 # Allow container DHCP
     66 iptables -I INPUT -i incusbr0 -p udp --dport 67:68 -j ACCEPT
     67 iptables -I FORWARD -i incusbr0 -p udp --dport 67:68 -j ACCEPT
     68 
     69 # Allow container DNS
     70 iptables -A INPUT -i incusbr0 -p udp --dport 53 -j ACCEPT
     71 iptables -A INPUT -i incusbr0 -p tcp --dport 53 -j ACCEPT
     72 iptables -A FORWARD -i incusbr0 -o eth0 -p udp --dport 53 -j ACCEPT
     73 iptables -A FORWARD -i incusbr0 -o eth0 -p tcp --dport 53 -j ACCEPT
     74 
     75 # -------------------------------------------------- #
     76 
     77 # Allow SSH
     78 iptables -A INPUT -p tcp -s $IP_SSH --dport $PORT_SSH -j ACCEPT
     79 
     80 # Allow Certbot
     81 iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination $CONTAINER_IP:80
     82 iptables -t nat -A POSTROUTING -s $SUBNET -o eth0 -j MASQUERADE
     83 iptables -A FORWARD -d ${CONTAINER_IP}/32 -o incusbr0 -p tcp --dport 80 -j ACCEPT
     84 iptables -A FORWARD -s ${CONTAINER_IP}/32 -i incusbr0 -j ACCEPT
     85 
     86 # Allow Prosody
     87 iptables -A INPUT -p tcp --dport $PORT_XMPP_C2S -j ACCEPT
     88 iptables -A INPUT -p tcp --dport $PORT_XMPP_S2S -j ACCEPT
     89 
     90 # -------------------------------------------------- #
     91 
     92 # Save rules (iptables-persistent package)
     93 iptables-save > /etc/iptables/iptables.rules
     94 
     95 # Create and configure the iptables service
     96 printf '#!/bin/sh\nexec 2>&1\niptables-restore < /etc/iptables/iptables.rules\nexec chpst -b iptables pause\n' > /etc/sv/iptables/run
     97 chmod +x /etc/sv/iptables/run
     98 ln -sf /etc/sv/iptables /var/service/ && sv restart iptables
     99 
    100 # Show rules
    101 iptables -L -v -n