From 94dfff89fdecd5abef225dc6ee69e03e78e36d93 Mon Sep 17 00:00:00 2001
From: Romain de Laage
Date: Mon, 27 Jul 2020 18:50:14 +0200
Subject: [PATCH] Add a script to manage firewall
---
 firewall.service | 13 +++++++++
 firewall.sh | 68 ++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 81 insertions(+)
 create mode 100644 firewall.service
 create mode 100755 firewall.sh
diff --git a/firewall.service b/firewall.service
new file mode 100644
index 0000000..09d386d
--- /dev/null
+++ b/firewall.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=Firewall
+Requires=network-online.target
+After=network-online.target
+
+[Service]
+User=root
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/DATA/sysadmin/firewall.sh
+
+[Install]
+WantedBy=multi-user.target
diff --git a/firewall.sh b/firewall.sh
new file mode 100755
index 0000000..20f5557
--- /dev/null
+++ b/firewall.sh
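Review bot: `Requires=network-online.target` / `After=network-online.target` order the DROP policies after the network is already up, so between interface configuration and this oneshot's ExecStart the kernel's default ACCEPT policy is what is in effect, and the iptables calls in firewall.sh do not need the network online to insert rules. The systemd-documented ordering for a firewall unit is `DefaultDependencies=no`, `Before=network-pre.target` and `Wants=network-pre.target` in [Unit], replacing those two lines. With `RemainAfterExit=yes` and no `ExecStop=`, `systemctl stop firewall` reports the unit inactive while the rules stay loaded; a comment in [Service] such as `# Rules are left in place on stop; flush by hand if that is wanted` would tell the next reader this is intended. `User=root` is the default for a system service and can be dropped.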
@@ -0,0 +1,68 @@
+#!/bin/sh
+
+########
+# IPv4 #
+########
+
+# Flush
+iptables -F
+iptables -X
+
+# Politics
+iptables -P OUTPUT DROP
+iptables -P INPUT DROP
+iptables -P FORWARD DROP
+
+# Established connexions
+iptables -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
+iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
+
+# Authorize loopback
+iptables -A INPUT -i lo -j ACCEPT
+iptables -A OUTPUT -o lo -j ACCEPT
+
+# SSH
+iptables -A INPUT -p tcp --dport 2210 -j ACCEPT
+
+# HTTP(S)
+iptables -A INPUT -p tcp --dport 80 -j ACCEPT
+iptables -A INPUT -p tcp --dport 443 -j ACCEPT
+
+iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
+iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT
+
+# DNS
+
+iptables -A INPUT -p udp --dport 53 -j ACCEPT
+iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
+
+########
+# IPv6 #
+########
+
+# Flush
+#ip6tables -F
+#ip6tables -X
+
+# Politics
+#ip6tables -P OUTPUT DROP
+#ip6tables -P INPUT DROP
+#ip6tables -P FORWARD DROP
+
+# Established connexions
+#ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
+#ip6tables -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
+
+# Authorize loopback
+#ip6tables -A INPUT -i lo -j ACCEPT
+#ip6tables -A OUTPUT -o lo -j ACCEPT
+
+# SSH
+#ip6tables -A INPUT -p tcp --dport 2210 -j ACCEPT
+
+# HTTP(S)
+#ip6tables -A INPUT -p tcp --dport 80 -j ACCEPT
+#ip6tables -A INPUT -p tcp --dport 443 -j ACCEPT
+
+#ip6tables -A OUTPUT -p tcp --dport 80 -j ACCEPT
+#ip6tables -A OUTPUT -p tcp --dport 443 -j ACCEPT
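Review bot: With the entire ip6tables block commented out, the script leaves the IPv6 filter table at its default ACCEPT policy, so on a host that has an IPv6 address every port this script closes on IPv4 (everything except 2210, 80, 443 and 53) remains reachable over IPv6; unless IPv6 is disabled on the host, at least the policy lines `ip6tables -P INPUT DROP`, `ip6tables -P OUTPUT DROP`, `ip6tables -P FORWARD DROP` should be active, together with the lo and ESTABLISHED rules. `iptables -A INPUT -p udp --dport 53 -j ACCEPT` accepts DNS queries from any source, while replies to the host's own outbound lookups already match the INPUT ESTABLISHED rule, so that line is only needed if the host runs a resolver and otherwise just widens the exposed surface. Both conntrack rules match `ESTABLISHED` only; the usual form is `--ctstate ESTABLISHED,RELATED`, since without RELATED the ICMP errors tied to an existing connection (including fragmentation-needed, which path-MTU discovery relies on) fall through to the DROP policy. No ICMP is accepted at all and there is no TCP port 53 rule, so large DNS answers that fall back to TCP will fail. `#!/bin/sh` with no `set -e` means a failing policy line is skipped silently while the later ACCEPT lines still run; `set -e` after the shebang would make the oneshot unit report the failure instead.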