4
mirror of git://git.acid.vegas/tools.git synced 2024-12-22 22:36:36 +00:00
tools/help/ircwall
2024-01-25 23:06:20 -05:00

71 lines
2.0 KiB
Bash

#!/bin/sh
# IRCd Firewall - Developed by acidvegas (https://git.acid.vegas/supertools)
# nano /etc/default/grub
# Add ipv6.disable=1 to GRUB_CMDLINE_LINUX_DEFAULT then run update-grub
# Configuration
IP_MAIN="10.0.0.1" # Change this to your IP
IP_HUB="10.0.0.2" # Change this to your hub IP
PORT_SSH=22 # Default 22
PORT_HUB=5900 # Default 5900
# Kernel hardening settings
mkdir -p /etc/sysctl.d
{
printf "net.ipv4.conf.all.accept_source_route = 0\n"
printf "net.ipv6.conf.all.accept_source_route = 0\n"
printf "net.ipv4.conf.all.rp_filter = 1\n"
printf "net.ipv4.conf.default.rp_filter = 1\n"
printf "net.ipv4.conf.all.accept_redirects = 0\n"
printf "net.ipv6.conf.all.accept_redirects = 0\n"
printf "net.ipv4.conf.default.accept_redirects = 0\n"
printf "net.ipv6.conf.default.accept_redirects = 0\n"
printf "net.ipv4.conf.all.log_martians = 1\n"
printf "kernel.randomize_va_space = 2\n"
printf "fs.suid_dumpable = 0\n"
} > /etc/sysctl.d/99-custom-hardening.conf
# Apply hardening settings
sysctl -p /etc/sysctl.d/99-custom-hardening.conf
# Flush existing rules
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# Default chain policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Common Firewall rules
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
iptables -A INPUT -i lo -j ACCEPT
# Allow SSH
iptables -A INPUT -p tcp -s $IP_MAIN --dport $PORT_SSH -j ACCEPT
# Allow IRCd Hub
iptables -A INPUT -p tcp -s $IP_HUB --dport $PORT_HUB -j ACCEPT
# Allow IRCd Ports
iptables -A INPUT -p tcp --dport 6660:6669 -j ACCEPT
iptables -A INPUT -p tcp --dport 7000 -j ACCEPT
# Allow IRCd TLS Ports
iptables -A INPUT -p tcp --dport 6697 -j ACCEPT
iptables -A INPUT -p tcp --dport 9999 -j ACCEPT
# Save rules
apt-get install -y iptables-persistent
netfilter-persistent save
systemctl enable netfilter-persistent && systemctl start netfilter-persistent
# Show rules
iptables -L -v -n