andre/git-sync
0
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

rootfs/home/andre/firewall-install.sh hinzugefügt

Browse Source
This commit is contained in:
andre
2026-04-26 20:46:56 +02:00
parent 5ba459a3b5
commit 2e935f642d
1 changed files with 178 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rootfs/home/andre/firewall-install.sh
+178
View File
@@ -0,0 +1,178 @@
#!/bin/bash
set -e
echo "[+] Installiere Abhängigkeiten..."
apt update
apt install -y ipset iptables curl jq dnsutils xtables-addons-common
echo "[+] Lade Config..."
source /etc/firewall.conf
echo "[+] Erstelle ipsets..."
ipset create blacklist hash:ip timeout 10800 -exist
ipset create blocklist hash:ip timeout 86400 -exist
ipset create geo_block hash:ip timeout 86400 -exist
ipset create asn_block hash:ip timeout 86400 -exist
ipset create whitelist hash:ip timeout 10800 -exist
echo "[+] Fülle statische Whitelist..."
for IP in $WHITELIST_IPS; do
ipset add whitelist $IP timeout 0 -exist
done
echo "[+] Erstelle iptables Regeln..."
SSH_PORT=${SSH_PORT:-22}
cat > /etc/iptables/rules.v4 <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:BRUTEFORCE - [0:0]
# Whitelist
-A INPUT -m set --match-set whitelist src -j ACCEPT
# Drops
-A INPUT -m set --match-set blacklist src -j DROP
-A INPUT -m set --match-set blocklist src -j DROP
-A INPUT -m set --match-set geo_block src -j DROP
-A INPUT -m set --match-set asn_block src -j DROP
# Established
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Loopback
-A INPUT -i lo -j ACCEPT
# Bruteforce Schutz SSH
-A INPUT -p tcp --dport ${SSH_PORT} -m conntrack --ctstate NEW -j BRUTEFORCE
-A BRUTEFORCE -m recent --name SSH --update --seconds 5 --hitcount 5 \
-j SET --add-set blacklist src
-A BRUTEFORCE -m recent --name SSH --set -j RETURN
# SSH erlauben
-A INPUT -p tcp --dport ${SSH_PORT} -j ACCEPT
# ICMP
-A INPUT -p icmp -j ACCEPT
# Logging
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables: "
COMMIT
EOF
iptables-restore < /etc/iptables/rules.v4
# -----------------------------
# Blocklist
# -----------------------------
cat > /usr/local/bin/update-blocklist.sh <<'EOF'
#!/bin/bash
curl -s http://blocklist.de/downloads/export-ips_all.txt \
| grep -v ":" \
| while read IP; do
ipset add blocklist $IP timeout 86400 -exist
done
EOF
chmod +x /usr/local/bin/update-blocklist.sh
# -----------------------------
# GeoIP
# -----------------------------
cat > /usr/local/bin/update-geoip.sh <<'EOF'
#!/bin/bash
source /etc/firewall.conf
TMP=$(mktemp)
for CC in $GEOIP_BLOCK; do
curl -s https://www.ipdeny.com/ipblocks/data/countries/${CC}.zone >> $TMP
done
while read IP; do
ipset add geo_block $IP timeout 86400 -exist
done < $TMP
rm $TMP
EOF
chmod +x /usr/local/bin/update-geoip.sh
# -----------------------------
# ASN
# -----------------------------
cat > /usr/local/bin/update-asn.sh <<'EOF'
#!/bin/bash
source /etc/firewall.conf
TMP=$(mktemp)
for ASN in $ASN_BLOCK; do
curl -s https://api.bgpview.io/asn/${ASN#AS}/prefixes \
| jq -r '.data.ipv4_prefixes[].prefix' >> $TMP
done
while read IP; do
ipset add asn_block $IP timeout 86400 -exist
done < $TMP
rm $TMP
EOF
chmod +x /usr/local/bin/update-asn.sh
# -----------------------------
# DynDNS Whitelist
# -----------------------------
cat > /usr/local/bin/update-whitelist-hosts.sh <<'EOF'
#!/bin/bash
source /etc/firewall.conf
for HOST in $WHITELIST_HOSTS; do
IPS=$(dig +short $HOST | grep -E '^[0-9.]+$')
for IP in $IPS; do
ipset add whitelist $IP timeout 10800 -exist
done
done
EOF
chmod +x /usr/local/bin/update-whitelist-hosts.sh
# -----------------------------
# Cronjobs
# -----------------------------
cat > /etc/cron.d/firewall-updates <<EOF
0 */3 * * * root /usr/local/bin/update-whitelist-hosts.sh
10 * * * * root /usr/local/bin/update-blocklist.sh
30 * * * * root /usr/local/bin/update-geoip.sh
45 * * * * root /usr/local/bin/update-asn.sh
EOF
# -----------------------------
# ipset persistence
# -----------------------------
cat > /etc/systemd/system/ipset-restore.service <<EOF
[Unit]
Description=Restore ipset
Before=iptables.service
[Service]
Type=oneshot
ExecStart=/sbin/ipset restore < /etc/ipset.conf
ExecStop=/sbin/ipset save > /etc/ipset.conf
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reexec
systemctl enable ipset-restore
echo "[+] Initiale Updates..."
/usr/local/bin/update-whitelist-hosts.sh
/usr/local/bin/update-blocklist.sh
/usr/local/bin/update-geoip.sh
/usr/local/bin/update-asn.sh
echo "[+] Fertig."