rootfs/home/andre/firewall-install.sh aktualisiert

2026-04-26 21:05:17 +02:00
parent 921b93e6f1
commit 3c060facbd
1 changed files with 101 additions and 44 deletions
@@ -1,28 +1,32 @@
 #!/bin/bash
 set -e
-echo "[+] Installiere Abhängigkeiten..."
+echo "[+] Installing dependencies..."
 apt update
-apt install -y ipset iptables curl jq dnsutils xtables-addons-common
+apt install -y iptables ipset curl jq dnsutils xtables-addons-common logger
-echo "[+] Lade Config..."
+echo "[+] Loading config..."
 source /etc/firewall.conf
-echo "[+] Erstelle ipsets..."
+############################################
 # IPSets
 ############################################
 echo "[+] Creating ipsets..."
 ipset create blacklist hash:ip timeout 10800 -exist
 ipset create blocklist hash:ip timeout 86400 -exist
 ipset create geo_block hash:ip timeout 86400 -exist
 ipset create asn_block hash:ip timeout 86400 -exist
 ipset create whitelist hash:ip timeout 10800 -exist
 echo "[+] Fülle statische Whitelist..."
 for IP in $WHITELIST_IPS; do
-  ipset add whitelist $IP timeout 0 -exist
+  ipset add whitelist $IP -exist
 done
-echo "[+] Erstelle iptables Regeln..."
+############################################
-
+# IPTABLES BASE
-SSH_PORT=${SSH_PORT:-22}
+############################################
 echo "[+] Writing iptables rules..."
 cat > /etc/iptables/rules.v4 <<EOF
 *filter
@@ -32,13 +36,24 @@ cat > /etc/iptables/rules.v4 <<EOF
 :BRUTEFORCE - [0:0]
-# Whitelist
+# -------------------------
 # HOST INPUT
 # -------------------------
 # Whitelist first
 -A INPUT -m set --match-set whitelist src -j ACCEPT
-# Drops
+# Blocked sources (HOST)
 -A INPUT -m set --match-set blacklist src -j LOG --log-prefix "FW-HOST-BLACKLIST " --log-level 4
 -A INPUT -m set --match-set blacklist src -j DROP
 -A INPUT -m set --match-set blocklist src -j LOG --log-prefix "FW-HOST-BLOCKLIST " --log-level 4
 -A INPUT -m set --match-set blocklist src -j DROP
 -A INPUT -m set --match-set geo_block src -j LOG --log-prefix "FW-HOST-GEO " --log-level 4
 -A INPUT -m set --match-set geo_block src -j DROP
 -A INPUT -m set --match-set asn_block src -j LOG --log-prefix "FW-HOST-ASN " --log-level 4
 -A INPUT -m set --match-set asn_block src -j DROP
 # Established
@@ -47,7 +62,10 @@ cat > /etc/iptables/rules.v4 <<EOF
 # Loopback
 -A INPUT -i lo -j ACCEPT
-# Bruteforce Schutz SSH
+# ICMP
 -A INPUT -p icmp -j ACCEPT
 # SSH Bruteforce
 -A INPUT -p tcp --dport ${SSH_PORT} -m conntrack --ctstate NEW -j BRUTEFORCE
 -A BRUTEFORCE -m recent --name SSH --update --seconds 5 --hitcount 5 \
@@ -55,22 +73,58 @@ cat > /etc/iptables/rules.v4 <<EOF
 -A BRUTEFORCE -m recent --name SSH --set -j RETURN
 # SSH erlauben
 -A INPUT -p tcp --dport ${SSH_PORT} -j ACCEPT
-# ICMP
+# -------------------------
-A INPUT -p icmp -j ACCEPT
+# DOCKER ENTRY
 # -------------------------
 -A FORWARD -j DOCKER-USER
-# Logging
+# Default logging
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables: "
+-A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-HOST-OTHER " --log-level 4
 COMMIT
 EOF
 iptables-restore < /etc/iptables/rules.v4
-# -----------------------------
+############################################
-# Blocklist
+# DOCKER USER CHAIN
-# -----------------------------
+############################################
 echo "[+] Configuring DOCKER-USER..."
 iptables -N DOCKER-USER 2>/dev/null || true
 iptables -F DOCKER-USER
 # Established first
 iptables -A DOCKER-USER -m conntrack --ctstate RELATED,ESTABLISHED -j RETURN
 # Whitelist
 iptables -A DOCKER-USER -m set --match-set whitelist src -j RETURN
 # Logging + drops (Docker context)
 iptables -A DOCKER-USER -m set --match-set blacklist src \
  -j LOG --log-prefix "FW-DOCKER-BLACKLIST " --log-level 4
 iptables -A DOCKER-USER -m set --match-set blacklist src -j DROP
 iptables -A DOCKER-USER -m set --match-set blocklist src \
  -j LOG --log-prefix "FW-DOCKER-BLOCKLIST " --log-level 4
 iptables -A DOCKER-USER -m set --match-set blocklist src -j DROP
 iptables -A DOCKER-USER -m set --match-set geo_block src \
  -j LOG --log-prefix "FW-DOCKER-GEO " --log-level 4
 iptables -A DOCKER-USER -m set --match-set geo_block src -j DROP
 iptables -A DOCKER-USER -m set --match-set asn_block src \
  -j LOG --log-prefix "FW-DOCKER-ASN " --log-level 4
 iptables -A DOCKER-USER -m set --match-set asn_block src -j DROP
 # Return to Docker
 iptables -A DOCKER-USER -j RETURN
 ############################################
 # BLOCKLIST.DE
 ############################################
 cat > /usr/local/bin/update-blocklist.sh <<'EOF'
 #!/bin/bash
 curl -s http://blocklist.de/downloads/export-ips_all.txt \
@@ -81,9 +135,9 @@ curl -s http://blocklist.de/downloads/export-ips_all.txt \
 EOF
 chmod +x /usr/local/bin/update-blocklist.sh
-# -----------------------------
+############################################
-# GeoIP
+# GEOIP
-# -----------------------------
+############################################
 cat > /usr/local/bin/update-geoip.sh <<'EOF'
 #!/bin/bash
 source /etc/firewall.conf
@@ -101,9 +155,9 @@ rm $TMP
 EOF
 chmod +x /usr/local/bin/update-geoip.sh
-# -----------------------------
+############################################
 # ASN
-# -----------------------------
+############################################
 cat > /usr/local/bin/update-asn.sh <<'EOF'
 #!/bin/bash
 source /etc/firewall.conf
@@ -122,10 +176,10 @@ rm $TMP
 EOF
 chmod +x /usr/local/bin/update-asn.sh
-# -----------------------------
+############################################
-# DynDNS Whitelist
+# DNS WHITELIST (3h)
-# -----------------------------
+############################################
-cat > /usr/local/bin/update-whitelist-hosts.sh <<'EOF'
+cat > /usr/local/bin/update-whitelist.sh <<'EOF'
 #!/bin/bash
 source /etc/firewall.conf
@@ -136,21 +190,21 @@ for HOST in $WHITELIST_HOSTS; do
  done
 done
 EOF
-chmod +x /usr/local/bin/update-whitelist-hosts.sh
+chmod +x /usr/local/bin/update-whitelist.sh
-# -----------------------------
+############################################
-# Cronjobs
+# CRON
-# -----------------------------
+############################################
-cat > /etc/cron.d/firewall-updates <<EOF
+cat > /etc/cron.d/firewall <<EOF
-0 */3 * * * root /usr/local/bin/update-whitelist-hosts.sh
+0 */3 * * * root /usr/local/bin/update-whitelist.sh
 10 * * * * root /usr/local/bin/update-blocklist.sh
 30 * * * * root /usr/local/bin/update-geoip.sh
 45 * * * * root /usr/local/bin/update-asn.sh
 EOF
-# -----------------------------
+############################################
-# ipset persistence
+# IPSET PERSISTENCE
-# -----------------------------
+############################################
 cat > /etc/systemd/system/ipset-restore.service <<EOF
 [Unit]
 Description=Restore ipset
@@ -169,10 +223,13 @@ EOF
 systemctl daemon-reexec
 systemctl enable ipset-restore
-echo "[+] Initiale Updates..."
+############################################
-/usr/local/bin/update-whitelist-hosts.sh
+# INITIAL RUN
 ############################################
 echo "[+] Initial updates..."
 /usr/local/bin/update-blocklist.sh
 /usr/local/bin/update-geoip.sh
 /usr/local/bin/update-asn.sh
 /usr/local/bin/update-whitelist.sh
-echo "[+] Fertig."
+echo "[+] DONE"