
ircwall (2089B)

      1 #!/bin/sh
      2 # IRCd Firewall - Developed by acidvegas (https://git.acid.vegas/supertools)
      3 
      4 # nano /etc/default/grub
      5 # Add ipv6.disable=1 to GRUB_CMDLINE_LINUX_DEFAULT then run update-grub
      6 
      7 # Configuration
      8 IP_MAIN="10.0.0.1" # Change this to your IP
      9 IP_HUB="10.0.0.2"  # Change this to your hub IP
     10 PORT_SSH=22        # Default 22
     11 PORT_HUB=5900      # Default 5900
     12 
     13 # Kernel hardening settings
     14 mkdir -p /etc/sysctl.d
     15 {
     16   printf "net.ipv4.conf.all.accept_source_route = 0\n"
     17   printf "net.ipv6.conf.all.accept_source_route = 0\n"
     18   printf "net.ipv4.conf.all.rp_filter = 1\n"
     19   printf "net.ipv4.conf.default.rp_filter = 1\n"
     20   printf "net.ipv4.conf.all.accept_redirects = 0\n"
     21   printf "net.ipv6.conf.all.accept_redirects = 0\n"
     22   printf "net.ipv4.conf.default.accept_redirects = 0\n"
     23   printf "net.ipv6.conf.default.accept_redirects = 0\n"
     24   printf "net.ipv4.conf.all.log_martians = 1\n"
     25   printf "kernel.randomize_va_space = 2\n"
     26   printf "fs.suid_dumpable = 0\n"
     27 } > /etc/sysctl.d/99-custom-hardening.conf
     28 
     29 # Apply hardening settings
     30 sysctl -p /etc/sysctl.d/99-custom-hardening.conf
     31 
     32 # Flush existing rules
     33 iptables -F
     34 iptables -X
     35 iptables -t nat -F
     36 iptables -t nat -X
     37 iptables -t mangle -F
     38 iptables -t mangle -X
     39 
     40 # Default chain policies
     41 iptables -P INPUT DROP
     42 iptables -P FORWARD DROP
     43 iptables -P OUTPUT ACCEPT
     44 
     45 # Common Firewall rules
     46 iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
     47 iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
     48 iptables -A INPUT -i lo -j ACCEPT
     49 
     50 # Allow SSH
     51 iptables -A INPUT -p tcp -s $IP_MAIN --dport $PORT_SSH -j ACCEPT
     52 
     53 # Allow IRCd Hub
     54 iptables -A INPUT -p tcp -s $IP_HUB  --dport $PORT_HUB -j ACCEPT
     55 
     56 # Allow IRCd Ports
     57 iptables -A INPUT -p tcp --dport 6660:6669 -j ACCEPT
     58 iptables -A INPUT -p tcp --dport 7000 -j ACCEPT
     59 
     60 # Allow IRCd TLS Ports
     61 iptables -A INPUT -p tcp --dport 6697 -j ACCEPT
     62 iptables -A INPUT -p tcp --dport 9999 -j ACCEPT
     63 
     64 # Save rules
     65 apt-get install -y iptables-persistent
     66 netfilter-persistent save
     67 systemctl enable netfilter-persistent && systemctl start netfilter-persistent
     68 
     69 # Show rules
     70 iptables -L -v -n