rootfs/home/andre/firewall-install.sh aktualisiert

rootfs/home/andre/firewall-install.sh

@@ -1,28 +1,32 @@
 #!/bin/bash
 set -e
 
-echo "[+] Installiere Abhängigkeiten..."
+echo "[+] Installing dependencies..."
 apt update
-apt install -y ipset iptables curl jq dnsutils xtables-addons-common
+apt install -y iptables ipset curl jq dnsutils xtables-addons-common logger
 
-echo "[+] Lade Config..."
+echo "[+] Loading config..."
 source /etc/firewall.conf
 
-echo "[+] Erstelle ipsets..."
+############################################
+# IPSets
+############################################
+echo "[+] Creating ipsets..."
+
 ipset create blacklist hash:ip timeout 10800 -exist
 ipset create blocklist hash:ip timeout 86400 -exist
 ipset create geo_block hash:ip timeout 86400 -exist
 ipset create asn_block hash:ip timeout 86400 -exist
 ipset create whitelist hash:ip timeout 10800 -exist
 
-echo "[+] Fülle statische Whitelist..."
 for IP in $WHITELIST_IPS; do
-  ipset add whitelist $IP timeout 0 -exist
+  ipset add whitelist $IP -exist
 done
 
-echo "[+] Erstelle iptables Regeln..."
+############################################
-
+# IPTABLES BASE
-SSH_PORT=${SSH_PORT:-22}
+############################################
+echo "[+] Writing iptables rules..."
 
 cat > /etc/iptables/rules.v4 <<EOF
 *filter
@@ -32,13 +36,24 @@ cat > /etc/iptables/rules.v4 <<EOF
 
 :BRUTEFORCE - [0:0]
 
-# Whitelist
+# -------------------------
+# HOST INPUT
+# -------------------------
+
+# Whitelist first
 -A INPUT -m set --match-set whitelist src -j ACCEPT
 
-# Drops
+# Blocked sources (HOST)
+-A INPUT -m set --match-set blacklist src -j LOG --log-prefix "FW-HOST-BLACKLIST " --log-level 4
 -A INPUT -m set --match-set blacklist src -j DROP
+
+-A INPUT -m set --match-set blocklist src -j LOG --log-prefix "FW-HOST-BLOCKLIST " --log-level 4
 -A INPUT -m set --match-set blocklist src -j DROP
+
+-A INPUT -m set --match-set geo_block src -j LOG --log-prefix "FW-HOST-GEO " --log-level 4
 -A INPUT -m set --match-set geo_block src -j DROP
+
+-A INPUT -m set --match-set asn_block src -j LOG --log-prefix "FW-HOST-ASN " --log-level 4
 -A INPUT -m set --match-set asn_block src -j DROP
 
 # Established
@@ -47,7 +62,10 @@ cat > /etc/iptables/rules.v4 <<EOF
 # Loopback
 -A INPUT -i lo -j ACCEPT
 
-# Bruteforce Schutz SSH
+# ICMP
+-A INPUT -p icmp -j ACCEPT
+
+# SSH Bruteforce
 -A INPUT -p tcp --dport ${SSH_PORT} -m conntrack --ctstate NEW -j BRUTEFORCE
 
 -A BRUTEFORCE -m recent --name SSH --update --seconds 5 --hitcount 5 \
@@ -55,35 +73,71 @@ cat > /etc/iptables/rules.v4 <<EOF
 
 -A BRUTEFORCE -m recent --name SSH --set -j RETURN
 
-# SSH erlauben
 -A INPUT -p tcp --dport ${SSH_PORT} -j ACCEPT
 
-# ICMP
+# -------------------------
--A INPUT -p icmp -j ACCEPT
+# DOCKER ENTRY
+# -------------------------
+-A FORWARD -j DOCKER-USER
 
-# Logging
+# Default logging
--A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables: "
+-A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-HOST-OTHER " --log-level 4
 
 COMMIT
 EOF
+
 iptables-restore < /etc/iptables/rules.v4
 
-# -----------------------------
+############################################
-# Blocklist
+# DOCKER USER CHAIN
-# -----------------------------
+############################################
+echo "[+] Configuring DOCKER-USER..."
+
+iptables -N DOCKER-USER 2>/dev/null || true
+iptables -F DOCKER-USER
+
+# Established first
+iptables -A DOCKER-USER -m conntrack --ctstate RELATED,ESTABLISHED -j RETURN
+
+# Whitelist
+iptables -A DOCKER-USER -m set --match-set whitelist src -j RETURN
+
+# Logging + drops (Docker context)
+iptables -A DOCKER-USER -m set --match-set blacklist src \
+  -j LOG --log-prefix "FW-DOCKER-BLACKLIST " --log-level 4
+iptables -A DOCKER-USER -m set --match-set blacklist src -j DROP
+
+iptables -A DOCKER-USER -m set --match-set blocklist src \
+  -j LOG --log-prefix "FW-DOCKER-BLOCKLIST " --log-level 4
+iptables -A DOCKER-USER -m set --match-set blocklist src -j DROP
+
+iptables -A DOCKER-USER -m set --match-set geo_block src \
+  -j LOG --log-prefix "FW-DOCKER-GEO " --log-level 4
+iptables -A DOCKER-USER -m set --match-set geo_block src -j DROP
+
+iptables -A DOCKER-USER -m set --match-set asn_block src \
+  -j LOG --log-prefix "FW-DOCKER-ASN " --log-level 4
+iptables -A DOCKER-USER -m set --match-set asn_block src -j DROP
+
+# Return to Docker
+iptables -A DOCKER-USER -j RETURN
+
+############################################
+# BLOCKLIST.DE
+############################################
 cat > /usr/local/bin/update-blocklist.sh <<'EOF'
 #!/bin/bash
 curl -s http://blocklist.de/downloads/export-ips_all.txt \
- | grep -v ":" \
+| grep -v ":" \
- | while read IP; do
+| while read IP; do
     ipset add blocklist $IP timeout 86400 -exist
   done
 EOF
 chmod +x /usr/local/bin/update-blocklist.sh
 
-# -----------------------------
+############################################
-# GeoIP
+# GEOIP
-# -----------------------------
+############################################
 cat > /usr/local/bin/update-geoip.sh <<'EOF'
 #!/bin/bash
 source /etc/firewall.conf
@@ -101,9 +155,9 @@ rm $TMP
 EOF
 chmod +x /usr/local/bin/update-geoip.sh
 
-# -----------------------------
+############################################
 # ASN
-# -----------------------------
+############################################
 cat > /usr/local/bin/update-asn.sh <<'EOF'
 #!/bin/bash
 source /etc/firewall.conf
@@ -122,10 +176,10 @@ rm $TMP
 EOF
 chmod +x /usr/local/bin/update-asn.sh
 
-# -----------------------------
+############################################
-# DynDNS Whitelist
+# DNS WHITELIST (3h)
-# -----------------------------
+############################################
-cat > /usr/local/bin/update-whitelist-hosts.sh <<'EOF'
+cat > /usr/local/bin/update-whitelist.sh <<'EOF'
 #!/bin/bash
 source /etc/firewall.conf
 
@@ -136,21 +190,21 @@ for HOST in $WHITELIST_HOSTS; do
   done
 done
 EOF
-chmod +x /usr/local/bin/update-whitelist-hosts.sh
+chmod +x /usr/local/bin/update-whitelist.sh
 
-# -----------------------------
+############################################
-# Cronjobs
+# CRON
-# -----------------------------
+############################################
-cat > /etc/cron.d/firewall-updates <<EOF
+cat > /etc/cron.d/firewall <<EOF
-0 */3 * * * root /usr/local/bin/update-whitelist-hosts.sh
+0 */3 * * * root /usr/local/bin/update-whitelist.sh
 10 * * * * root /usr/local/bin/update-blocklist.sh
 30 * * * * root /usr/local/bin/update-geoip.sh
 45 * * * * root /usr/local/bin/update-asn.sh
 EOF
 
-# -----------------------------
+############################################
-# ipset persistence
+# IPSET PERSISTENCE
-# -----------------------------
+############################################
 cat > /etc/systemd/system/ipset-restore.service <<EOF
 [Unit]
 Description=Restore ipset
@@ -169,10 +223,13 @@ EOF
 systemctl daemon-reexec
 systemctl enable ipset-restore
 
-echo "[+] Initiale Updates..."
+############################################
-/usr/local/bin/update-whitelist-hosts.sh
+# INITIAL RUN
+############################################
+echo "[+] Initial updates..."
 /usr/local/bin/update-blocklist.sh
 /usr/local/bin/update-geoip.sh
 /usr/local/bin/update-asn.sh
+/usr/local/bin/update-whitelist.sh
 
-echo "[+] Fertig."
+echo "[+] DONE"