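#!/bin/bash
# Prosody XMPP Firewall - developed by acidvegas (https://git.acid.vegas/prosody)
#
# Builds the host firewall for a Prosody instance running in an incus container:
#   1. writes and applies kernel hardening sysctls (ip_forward stays on for NAT)
#   2. flushes iptables and rebuilds the INPUT/FORWARD/nat rules
#   3. NATs the container subnet out through the WAN interface
#   4. DNATs inbound HTTP (certbot) to the container
#   5. exposes SSH (from one admin address only) and XMPP c2s/s2s on the host
#   6. saves the rules and (re)starts a runit service that restores them at boot
#
# Must run as root. All configuration is validated before the existing rules are
# flushed, so a mistake cannot leave the host half-configured with no firewall.

set -xevuo pipefail

# -------------------------------------------------- #

# Configuration
IP_SSH="changeme"        # Admin source address allowed to reach SSH (required)
PORT_SSH=22              # Default 22
PORT_XMPP_C2S=5222       # Default 5222
PORT_XMPP_S2S=5269       # Default 5269

WAN_IF="eth0"                      # Interface facing the internet
BRIDGE_IF="incusbr0"               # incus bridge the container is attached to
CONTAINER_NAME="prosody-container" # Name as shown by `incus list`

RULES_FILE="/etc/iptables/iptables.rules"
SERVICE_DIR="/etc/sv/iptables"

# -------------------------------------------------- #

# Print an error to stderr and exit.
die() {
  printf 'fiya: %s\n' "$*" >&2
  exit 1
}

# Pre-flight checks: everything that can fail is checked here, before the flush.
[[ "$(id -u)" -eq 0 ]] || die "must be run as root"
for tool in iptables iptables-save incus sysctl sv; do
  command -v "$tool" >/dev/null 2>&1 || die "required tool not found: $tool"
done
[[ -d "/sys/class/net/$WAN_IF" ]] || die "WAN interface $WAN_IF not found"
[[ -d "/sys/class/net/$BRIDGE_IF" ]] || die "bridge interface $BRIDGE_IF not found"
[[ -n "$IP_SSH" && "$IP_SSH" != "changeme" ]] \
  || die "IP_SSH is still the placeholder; set it to the admin address allowed to SSH in"

# IPv4 address of the container, taken from column 6 of the default
# `incus list` table (| NAME | STATE | IPV4 | ...). awk itself never fails, so an
# empty or unexpected value is caught by the format check that follows.
CONTAINER_IP=$(incus list | awk -v name="$CONTAINER_NAME" '$0 ~ name { print $6; exit }')
[[ "$CONTAINER_IP" =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]] \
  || die "could not determine the IPv4 address of $CONTAINER_NAME (got '${CONTAINER_IP}')"
SUBNET="${CONTAINER_IP%.*}.0/24"   # the container's /24 (e.g. 10.0.0.0/24 for 10.0.0.5)

# -------------------------------------------------- #

# Kernel hardening settings. ip_forward must stay enabled: the container's
# traffic is routed and NATed through this host.
mkdir -p /etc/sysctl.d
cat > /etc/sysctl.d/99-custom-hardening.conf <<'EOF'
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
net.ipv4.conf.all.log_martians = 1
kernel.randomize_va_space = 2
fs.suid_dumpable = 0
net.ipv4.ip_forward=1
EOF

# Apply hardening settings
sysctl -p /etc/sysctl.d/99-custom-hardening.conf

# -------------------------------------------------- #

# Flush existing rules
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

# Default chain policies while the rule set is rebuilt. INPUT is switched to
# DROP at the very end, once every ACCEPT rule below is in place; leaving it at
# ACCEPT (as earlier revisions did) makes the per-service ACCEPT rules a no-op.
iptables -P INPUT ACCEPT
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# Common Firewall rules
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
iptables -A INPUT -p icmp --icmp-type port-unreachable -j DROP
iptables -A INPUT -i lo -j ACCEPT

# -------------------------------------------------- #

# Allow container NAT
iptables -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
iptables -A FORWARD -i "$BRIDGE_IF" -o "$WAN_IF" -j ACCEPT
iptables -A FORWARD -i "$WAN_IF" -o "$BRIDGE_IF" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# Allow container DHCP (-I inserts at the top of the chain)
iptables -I INPUT -i "$BRIDGE_IF" -p udp --dport 67:68 -j ACCEPT
iptables -I FORWARD -i "$BRIDGE_IF" -p udp --dport 67:68 -j ACCEPT

# Allow container DNS
iptables -A INPUT -i "$BRIDGE_IF" -p udp --dport 53 -j ACCEPT
iptables -A INPUT -i "$BRIDGE_IF" -p tcp --dport 53 -j ACCEPT
iptables -A FORWARD -i "$BRIDGE_IF" -o "$WAN_IF" -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -i "$BRIDGE_IF" -o "$WAN_IF" -p tcp --dport 53 -j ACCEPT

# -------------------------------------------------- #

# Allow SSH (only from the admin address)
iptables -A INPUT -p tcp -s "$IP_SSH" --dport "$PORT_SSH" -j ACCEPT

# Allow Certbot: forward inbound HTTP to the container for ACME challenges.
# The subnet MASQUERADE is a subset of the interface-wide one above; kept as-is.
iptables -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 80 -j DNAT --to-destination "${CONTAINER_IP}:80"
iptables -t nat -A POSTROUTING -s "$SUBNET" -o "$WAN_IF" -j MASQUERADE
iptables -A FORWARD -d "${CONTAINER_IP}/32" -o "$BRIDGE_IF" -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -s "${CONTAINER_IP}/32" -i "$BRIDGE_IF" -j ACCEPT

# Allow Prosody
iptables -A INPUT -p tcp --dport "$PORT_XMPP_C2S" -j ACCEPT
iptables -A INPUT -p tcp --dport "$PORT_XMPP_S2S" -j ACCEPT

# Everything not explicitly accepted above is now dropped. Done last so the
# SSH and ESTABLISHED rules already protect the current session.
iptables -P INPUT DROP

# NOTE: only IPv4 is configured here; ip6tables is left untouched, so these
# restrictions do not apply to any global IPv6 address the host may have.

# -------------------------------------------------- #

# Save rules (iptables-persistent package)
mkdir -p "$(dirname "$RULES_FILE")" "$SERVICE_DIR"
iptables-save > "$RULES_FILE"

# Create and configure the iptables runit service that restores the saved
# rules at boot (service body unchanged from the original definition).
cat > "$SERVICE_DIR/run" <<EOF
#!/bin/sh
exec 2>&1
iptables-restore < ${RULES_FILE}
exec chpst -b iptables pause
EOF
chmod +x "$SERVICE_DIR/run"
# -n: replace an existing link instead of creating a link inside its target
ln -sfn "$SERVICE_DIR" /var/service/iptables
sv restart iptables

# Show rules
iptables -L -v -n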