#!/bin/sh
 # poor mans firewall - developed by acidvegas (https://git.acid.vegas/void)
 
 set -xev
 
 # Configuration
 PORT_SSH='22'
 
 # Kernel hardening settings
 mkdir -p /etc/sysctl.d
 {
   printf "net.ipv4.conf.all.accept_source_route = 0\n"
   printf "net.ipv6.conf.all.accept_source_route = 0\n"
   printf "net.ipv4.conf.all.rp_filter = 1\n"
   printf "net.ipv4.conf.default.rp_filter = 1\n"
   printf "net.ipv4.conf.all.accept_redirects = 0\n"
   printf "net.ipv6.conf.all.accept_redirects = 0\n"
   printf "net.ipv4.conf.default.accept_redirects = 0\n"
   printf "net.ipv6.conf.default.accept_redirects = 0\n"
   printf "net.ipv4.conf.all.log_martians = 1\n"
   printf "kernel.randomize_va_space = 2\n"
   printf "fs.suid_dumpable = 0\n"
 } > /etc/sysctl.d/99-custom-hardening.conf
 
 # Apply hardening settings
 sysctl -p /etc/sysctl.d/99-custom-hardening.conf
 
 # Flush existing rules
 iptables -F
 iptables -X
 iptables -t nat -F
 iptables -t nat -X
 iptables -t mangle -F
 iptables -t mangle -X
 
 # Default chain policies
 iptables -P INPUT DROP
 iptables -P FORWARD DROP
 iptables -P OUTPUT ACCEPT
 
 # Common Firewall rules
 iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
 iptables -A INPUT -p icmp --icmp-type echo-request     -j DROP # Disable response to ping requests
 iptables -A INPUT -p icmp --icmp-type port-unreachable -j DROP
 iptables -A INPUT -i lo -j ACCEPT
 
 # Allow SSH access from the Pi server
 iptables -A INPUT -p tcp --dport $PORT_SSH -j ACCEPT
 
 # Save rules
 iptables-save > /etc/iptables/iptables.rules
 
 # Create and configure the iptables service
 printf '#!/bin/sh\nexec 2>&1\niptables-restore < /etc/iptables/iptables.rules\nexec chpst -b iptables pause\n' > /etc/sv/iptables/run
 chmod +x /etc/sv/iptables/run
 ln -sf /etc/sv/iptables /var/service/ && sv restart iptables
 
 # Show rules
 iptables -L -v -n

© 2023 acidvegas, inc • generated with stagit