From 2e935f642de9a16a9b2bf7c8533aa7d8e3a13627 Mon Sep 17 00:00:00 2001
From: andre <1+andre@noreply.192.168.100.5>
Date: Sun, 26 Apr 2026 20:46:56 +0200
Subject: [PATCH] =?UTF-8?q?rootfs/home/andre/firewall-install.sh=20hinzuge?= =?UTF-8?q?f=C3=BCgt?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 rootfs/home/andre/firewall-install.sh | 178 ++++++++++++++++++++++++++
 1 file changed, 178 insertions(+)
 create mode 100644 rootfs/home/andre/firewall-install.sh
diff --git a/rootfs/home/andre/firewall-install.sh b/rootfs/home/andre/firewall-install.sh
new file mode 100644
index 0000000..03b3ac7
--- /dev/null
+++ b/rootfs/home/andre/firewall-install.sh
@@ -0,0 +1,178 @@
+#!/bin/bash
+set -e
+
+echo "[+] Installiere Abhängigkeiten..."
+apt update
+apt install -y ipset iptables curl jq dnsutils xtables-addons-common
+
+echo "[+] Lade Config..."
+source /etc/firewall.conf
+
+echo "[+] Erstelle ipsets..."
+ipset create blacklist hash:ip timeout 10800 -exist
+ipset create blocklist hash:ip timeout 86400 -exist
+ipset create geo_block hash:ip timeout 86400 -exist
+ipset create asn_block hash:ip timeout 86400 -exist
+ipset create whitelist hash:ip timeout 10800 -exist
+
+echo "[+] Fülle statische Whitelist..."
+for IP in $WHITELIST_IPS; do
+ ipset add whitelist $IP timeout 0 -exist
+done
+
+echo "[+] Erstelle iptables Regeln..."
+
+SSH_PORT=${SSH_PORT:-22}
+
+cat > /etc/iptables/rules.v4 < /usr/local/bin/update-blocklist.sh <<'EOF'
+#!/bin/bash
+curl -s http://blocklist.de/downloads/export-ips_all.txt \
+ | grep -v ":" \
+ | while read IP; do
+ ipset add blocklist $IP timeout 86400 -exist
+ done
+EOF
+chmod +x /usr/local/bin/update-blocklist.sh
+
+# -----------------------------
+# GeoIP
+# -----------------------------
+cat > /usr/local/bin/update-geoip.sh <<'EOF'
+#!/bin/bash
+source /etc/firewall.conf
+TMP=$(mktemp)
+
+for CC in $GEOIP_BLOCK; do
+ curl -s https://www.ipdeny.com/ipblocks/data/countries/${CC}.zone >> $TMP
+done
+
+while read IP; do
+ ipset add geo_block $IP timeout 86400 -exist
+done < $TMP
+
+rm $TMP
+EOF
+chmod +x /usr/local/bin/update-geoip.sh
+
+# -----------------------------
+# ASN
+# -----------------------------
+cat > /usr/local/bin/update-asn.sh <<'EOF'
+#!/bin/bash
+source /etc/firewall.conf
+TMP=$(mktemp)
+
+for ASN in $ASN_BLOCK; do
+ curl -s https://api.bgpview.io/asn/${ASN#AS}/prefixes \
+ | jq -r '.data.ipv4_prefixes[].prefix' >> $TMP
+done
+
+while read IP; do
+ ipset add asn_block $IP timeout 86400 -exist
+done < $TMP
+
+rm $TMP
+EOF
+chmod +x /usr/local/bin/update-asn.sh
+
+# -----------------------------
+# DynDNS Whitelist
+# -----------------------------
+cat > /usr/local/bin/update-whitelist-hosts.sh <<'EOF'
+#!/bin/bash
+source /etc/firewall.conf
+
+for HOST in $WHITELIST_HOSTS; do
+ IPS=$(dig +short $HOST | grep -E '^[0-9.]+$')
+ for IP in $IPS; do
+ ipset add whitelist $IP timeout 10800 -exist
+ done
+done
+EOF
+chmod +x /usr/local/bin/update-whitelist-hosts.sh
+
+# -----------------------------
+# Cronjobs
+# -----------------------------
+cat > /etc/cron.d/firewall-updates < /etc/systemd/system/ipset-restore.service < /etc/ipset.conf
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+systemctl daemon-reexec
+systemctl enable ipset-restore
+
+echo "[+] Initiale Updates..."
+/usr/local/bin/update-whitelist-hosts.sh
+/usr/local/bin/update-blocklist.sh
+/usr/local/bin/update-geoip.sh
+/usr/local/bin/update-asn.sh
+
+echo "[+] Fertig."
\ No newline at end of file
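Review bot: geo_block and asn_block are created as `hash:ip` but update-geoip.sh and update-asn.sh feed them CIDR prefixes (the ipdeny .zone files and the bgpview `.prefix` values); a hash:ip set stores a network as its individual addresses, so one large prefix can exhaust the default maxelem and the remainder of the list is dropped without anyone noticing, since neither updater sets `set -e`; create those two sets as `ipset create geo_block hash:net timeout 86400 -exist` and `ipset create asn_block hash:net timeout 86400 -exist`. Separately, all four updaters run `curl -s` without `--fail` or a timeout and pass the response body straight to `ipset add` with no syntax check, so an HTTP error page (or, for the plain-http blocklist.de fetch, a response altered in transit) becomes ipset arguments; the rewrite below for update-blocklist.sh shows the shape (fail-on-error fetch, `read -r`, a dotted-quad check before `ipset add`, quoted expansions) and update-geoip.sh and update-asn.sh should follow it, those two also replacing the bare `rm $TMP` with `trap 'rm -f -- "$TMP"' EXIT` right after `mktemp`. update-whitelist-hosts.sh turns unauthenticated DNS answers into whitelist entries, which is a trust decision worth a comment next to WHITELIST_HOSTS in /etc/firewall.conf. The rules.v4, cron.d and systemd heredocs are not readable in this rendering, so the ordering of whitelist and block matches in the iptables rules is not reviewed here.
```shell
cat > /usr/local/bin/update-blocklist.sh <<'EOF'
#!/bin/bash
set -euo pipefail
# -f: an HTTP error page must not be parsed as an address list; confirm the host serves this path over TLS
curl -fsS --max-time 60 https://blocklist.de/downloads/export-ips_all.txt \
  | while IFS= read -r IP; do
      # only a dotted-quad (optional prefix length) may become an ipset argument
      [[ "$IP" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$ ]] || continue
      ipset add blocklist "$IP" timeout 86400 -exist
    done
EOF
```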