Hi guys, developed this simple bash script that will enable and disable IPTABLES based firewall targeted to mainly Asterisk with FreePBX users.
NOTE:
- This is a basic IPv4-only firewall: it drives iptables and never touches ip6tables, so if the host has IPv6 connectivity every service stays reachable over IPv6 unfiltered. Feel free to fine-tune it as much as you want.
- It flushes your existing INPUT/OUTPUT/FORWARD rules in the filter table (nat/mangle are left alone), but it first backs the current rule set up to /root/fwrulesbackup.<datetime>, which you can restore with iptables-restore.
- It does not delete fail2ban's own chains (it never runs iptables -X), but flushing INPUT also removes the jump rules fail2ban typically inserts there, so restart fail2ban after running start to have them re-inserted.
- You add this into a startup if you like but it is not formatted to the init format, you need to set that up yourself or include this script into any existing init.d script you may have
- By default only SSH is allowed from anywhere; everything else is allowed only from the internal network ranges you define.
- You can edit the file to set to allow anywhere access to other common protocols if you want
- Make sure you define your internal network range: by default it treats every RFC1918 range (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) as internal, which is almost always far wider than your actual LAN.
What are the default rules
- SSH allow from any
- HTTPS, SIP over UDP (5060-5062) with RTP (10000-20000/udp), IAX2, NTP, SSH, TFTP and DHCP from the internal network only (tftp and dhcp accept both server mode and client mode). SIP over TCP/TLS (5061/tcp) is not opened; add it in the custom-rules section if you use it.
- Plain HTTP (port 80) is commented out inside the script; uncomment it only if you really need it, and keep the FreePBX web UI internal-only (the default) either way.
- Outbound traffic is unrestricted.
- Uses default ports as defined by standards
- # nano astfw.sh
- Copy the script as below and paste into the file you just opened/created, save and exit
- # chmod 700 astfw.sh (it runs as root at boot, so it must be root-owned and not writable by unprivileged users)
- # mv astfw.sh /bin/ (any root-owned directory on root's PATH will do)
- Try starting and stopping. MAKE SURE YOU HAVE CONSOLE (or other out-of-band) ACCESS BEFORE TESTING: start flips the INPUT policy to DROP, and a mistake in the rules will cut off your SSH session.
# /bin/astfw.sh start
# /bin/astfw.sh stop
- Add the start command to an init.d script or to rc.local so the rules are applied at boot; until you do, the box comes up unfirewalled after a reboot.
Copy these below…
#!/bin/bash
# [email protected]
# V.1.1 – Modded for our Asterisk installs, reldate 08-01-2013
# V.1.2 – Added enable disable functinality just incase
# iptables Asterisk related to stop start
# usage ./astfw.sh start[stop]
#
# IMPORTANT READ THIS NOW
# =======================
# —BE SURE TO DEFINE WHAT IS YOUR INTERNAL NETWORK, BY DEFAULT ALL RFC1918 IPs ARE ALLOWED
# —DO NOT USE OTHER 3RD PARTY IPTABLES MANAGEMENT SYSTEM WHEN USING THIS, E.G. WEBMIN
# —There is a section below to define custom ports/rules for incoming, use that
# —THE WHOLE SCRIPT CAN BE ENABLED/DISABLED WITH THE ENABLE FLAG BELOW
#
# —DEFAULT SERVICES INBOUND ALLOWED FROM ANYWHERE
# ++++SSH
#
# —DEFAULT SERVICES INBOUND ALLOWED INTERNAL ONLY
# ++++HTTPS, IAX2, NTP, SSH, SIP OVER UDP (WITH RTP 10000-20000), TFTP (SERVER AND CLIENT MODE), DHCP (SERVER AND CLIENT MODE)
#
# —DEFAULT SERVICES ALLOWED OUTBOUND
# ++++ANY
#
# —DEFAULT SERVICES ALLOWED LOCALHOST
# ++++ANY
#
# — EXISTING RULES WILL ALWAYS BE BACKED UP IN /root/fwrulesbackup.<datetime>
#
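# USER DEFINITION
# ENABLE OR DISABLE. Anything other than YES makes the script exit without
# touching iptables, so only whatever fail2ban installed is in effect.
ENABLE=YES
#
# INTERNAL NETWORK(S): comma-separated CIDR list, no spaces, e.g.
# "192.168.100.0/24,10.1.0.0/16". iptables expands the list into one rule
# per range. The default admits EVERY RFC1918 range, which is almost always
# far wider than your LAN (on hosted/cloud networks that share a private
# range with other tenants, those tenants count as "internal") -- narrow it
# to the subnets your phones and admins actually use.
INTERNALNETWORK="10.0.0.0/8,172.16.0.0/12,192.168.0.0/16"
#
# Per-service switch: 1 = accept from anywhere, 0 = accept from
# $INTERNALNETWORK only. By default only SSH is open to the world; pair that
# with fail2ban and key-only authentication, or set allowextssh=0 if you
# have console or VPN access.
allowextsip=0     # SIP 5060-5062/udp + RTP 10000-20000/udp
allowextntp=0     # NTP 123/udp
allowextssh=1     # SSH 22/tcp
allowextdhcp=0    # DHCP 67-68/udp (server and client side)
allowexttftp=0    # TFTP 69/udp
allowextiax=0     # IAX2 4569/udp
allowextweb=0     # HTTPS 443/tcp (80/tcp only if uncommented in the rules)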
#
# Starting script here
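# ---------------------------------------------------------------------------
# Implementation -- nothing below here is meant to be edited except the
# "ADD YOUR CUSTOM INBOUND PORTS" section inside fw_start.
#
# Scope/caveats:
#  * IPv4 only. ip6tables is never touched, so on a host with IPv6
#    connectivity every service stays reachable over IPv6 unfiltered.
#  * Only the filter table's built-in chains are flushed; nat/mangle and
#    user-defined chains (e.g. fail2ban's) are left alone. Flushing INPUT
#    does remove any jump rules fail2ban placed there, so restart fail2ban
#    after 'start'.
#  * The policies are switched to DROP only once every ACCEPT rule has been
#    installed; if a rule fails the box is left open (policy ACCEPT) and the
#    script exits 1 rather than risk locking you out.
# ---------------------------------------------------------------------------

# Set to 1 by fw_rule whenever an iptables call fails; checked before the
# DROP policies are applied.
rule_failed=0

# require_root: iptables and the backup in /root both need root, so fail
# early with a clear message instead of half-way through.
require_root() {
  if [[ "${EUID:-$(id -u)}" -ne 0 ]]; then
    echo "This script must be run as root" >&2
    exit 1
  fi
}

# fw_rule ARGS...: run one iptables command, logging and remembering a
# failure instead of silently continuing.
fw_rule() {
  if ! "$fw" "$@"; then
    echo "WARNING: iptables $* failed" >&2
    rule_failed=1
  fi
}

# allow PROTO PORTS EXT: accept inbound PROTO (tcp|udp) to PORTS (a single
# port or low:high) from anywhere when EXT is 1, otherwise only from the
# comma-separated $INTERNALNETWORK list (iptables expands that into one rule
# per range).
allow() {
  local proto=$1 ports=$2 ext=$3
  if [[ "$ext" == "1" ]]; then
    fw_rule -A INPUT -p "$proto" -m "$proto" --dport "$ports" -j ACCEPT
  else
    fw_rule -A INPUT -s "$INTERNALNETWORK" -p "$proto" -m "$proto" --dport "$ports" -j ACCEPT
  fi
}

# backup_rules: save the currently loaded rule set to
# /root/fwrulesbackup.<datetime> (restore with: iptables-restore < file).
# A failed backup is reported but does not abort, so an unattended boot is
# never left unfirewalled just because /root was unwritable.
backup_rules() {
  local backup="/root/fwrulesbackup.$mydate"
  echo "Backing up current rules to $backup"
  if ! "$fwsave" > "$backup"; then
    echo "WARNING: could not write backup to $backup" >&2
  fi
}

# reset_filter_chains: open the built-in chains' policies and flush them.
# Policies go to ACCEPT *before* the flush so an interruption can never
# leave an empty chain behind a DROP policy.
reset_filter_chains() {
  echo "Setting up defaults, clearing other rules"
  local chain
  for chain in INPUT FORWARD OUTPUT; do
    fw_rule -P "$chain" ACCEPT
    fw_rule -F "$chain"
  done
  echo "Done sweeping"
}

# fw_start: install the rule set described in the header, then switch the
# policies to DROP.
fw_start() {
  echo "Starting firewall rules"
  backup_rules
  reset_filter_chains
  echo "Setting specific rules"

  ##### INBOUND RULES #####
  # Loopback and already-tracked traffic first. The ESTABLISHED rule is what
  # keeps the SSH session you run this from alive when the policy flips to
  # DROP below.
  fw_rule -A INPUT -i lo -j ACCEPT
  fw_rule -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  # Echo requests only; ICMP errors for our own traffic arrive as RELATED.
  fw_rule -A INPUT -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

  # SIP signalling (UDP only -- SIP over TCP and TLS on 5061/tcp are NOT
  # opened) plus Asterisk's default RTP range.
  allow udp 5060:5062 "$allowextsip"
  allow udp 10000:20000 "$allowextsip"
  # IAX2
  allow udp 4569 "$allowextiax"
  # FreePBX web UI: HTTPS only; uncomment the next line for plain HTTP.
  allow tcp 443 "$allowextweb"
  #allow tcp 80 "$allowextweb"
  # SSH (open to the world by default -- see allowextssh)
  allow tcp 22 "$allowextssh"
  # NTP
  allow udp 123 "$allowextntp"
  # DHCP, server and client side. NOTE(review): DISCOVER/REQUEST from
  # not-yet-configured clients carry source 0.0.0.0, which the internal-only
  # rule does not match; whether that breaks server mode depends on whether
  # your DHCP daemon reads via raw sockets (which bypass INPUT) -- confirm.
  allow udp 67:68 "$allowextdhcp"
  # TFTP control port only. Transfers use ephemeral ports and are only let
  # through as RELATED when the nf_conntrack_tftp helper module is loaded.
  allow udp 69 "$allowexttftp"

  ### ADD YOUR CUSTOM INBOUND PORTS HERE
  # E.G. MYSQL, INTERNAL ONLY
  # allow tcp 3306 0
  # E.G. MYSQL EXTERNAL AND INTERNAL
  # allow tcp 3306 1

  ##### OUTBOUND RULES #####
  # Outbound is unrestricted (this also covers loopback replies).
  fw_rule -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  fw_rule -A OUTPUT -j ACCEPT

  # Lockout guard: only flip to DROP when every rule above went in. A
  # missing SSH ACCEPT behind a DROP policy would cut off remote access.
  if (( rule_failed )); then
    echo "ERROR: some rules failed to install; policies left at ACCEPT. Fix the rules and re-run." >&2
    exit 1
  fi
  fw_rule -P INPUT DROP
  fw_rule -P OUTPUT DROP
  fw_rule -P FORWARD DROP
  # No 'clear' here: it would wipe the backup path and any warnings.
  tput bel 2>/dev/null
  echo "Done - FIREWALL RUNNING - SECURED"
}

# fw_stop: back up the current rule set, then flush and open everything.
fw_stop() {
  echo "Stopping firewall rules"
  backup_rules
  reset_filter_chains
  tput bel 2>/dev/null
  echo "Done - FIREWALL NOT RUNNING - INSECURE"
}

# main start|stop: honour the ENABLE flag, validate the argument, locate the
# tools, then dispatch. Exits 0 when bypassed or finished, 1 on bad usage,
# missing tools, or a failed rule install.
main() {
  local opt=${1:-}
  if [[ "${ENABLE:-}" != "YES" ]]; then
    echo "Bypassing since flag set to ENABLE=${ENABLE:-}"
    exit 0
  fi
  case "$opt" in
    start|stop) ;;
    "")
      echo "Command not specified, quitting" >&2
      exit 1
      ;;
    *)
      echo "Option not found, quitting" >&2
      exit 1
      ;;
  esac
  require_root
  # Globals used by the helpers above.
  fw=$(command -v iptables) || { echo "iptables not found in PATH" >&2; exit 1; }
  fwsave=$(command -v iptables-save) || { echo "iptables-save not found in PATH" >&2; exit 1; }
  mydate=$(date +%d%m%y-%H%M%S)
  if [[ "$opt" == "start" ]]; then
    fw_start
  else
    fw_stop
  fi
  exit 0
}

main "$@"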