authorMateja <mail@matejamaric.com>2021-04-03 00:37:03 +0200
committerMateja <mail@matejamaric.com>2021-04-03 00:37:03 +0200
commita945feb02f6d64df2219ea1044251a7fe2ea98fc (patch)
treefe0242495eb35317fd5358e403a047657dfa04b5 /firewall
Initial commit.
Diffstat (limited to 'firewall')
-rw-r--r--firewall/fail2ban/action.d/nftables-common.local3
-rw-r--r--firewall/fail2ban/jail.local16
-rw-r--r--firewall/iptables1
-rwxr-xr-xfirewall/nftables.conf33
-rw-r--r--firewall/nftables/fail2ban.conf7
5 files changed, 60 insertions, 0 deletions
diff --git a/firewall/fail2ban/action.d/nftables-common.local b/firewall/fail2ban/action.d/nftables-common.local
new file mode 100644
index 0000000..198e93f
--- /dev/null
+++ b/firewall/fail2ban/action.d/nftables-common.local
@@ -0,0 +1,3 @@
+[Init]
+nftables_table = fail2ban
+blocktype = drop
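Review bot: `nftables_table = fail2ban` only works because firewall/nftables/fail2ban.conf creates a table of that name and jail.local sets `chain = input` to match the chain inside it, yet nothing in this file records that coupling. A comment such as `# table/chain are created by /etc/nftables/fail2ban.conf; the chain name comes from 'chain' in jail.local` above the `[Init]` keys would let a later edit of either file keep them in sync. `blocktype = drop` means banned clients see timeouts rather than resets, which is presumably the intent and is also worth a one-line comment.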
diff --git a/firewall/fail2ban/jail.local b/firewall/fail2ban/jail.local
new file mode 100644
index 0000000..f891d06
--- /dev/null
+++ b/firewall/fail2ban/jail.local
@@ -0,0 +1,16 @@
+[DEFAULT]
+banaction = nftables-multiport
+chain = input
+
+[nginx-http-auth]
+enabled = true
+
+#[apache-auth]
+#enabled = true
+
+[dovecot]
+enabled = true
+port = pop3,pop3s,imap2,imaps,submission,465,sieve
+
+[postfix]
+enabled = true
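Review bot: The `[DEFAULT]` section sets no `ignoreip`, so a few failed logins from the administrator's own address or a monitoring host can ban the management path; `ignoreip = 127.0.0.1/8 ::1 <admin-address>` (placeholder to be filled in) is the usual guard. `bantime`, `findtime` and `maxretry` are also left at the packaged defaults, which is acceptable but worth stating in a comment so the choice is visible. No `[sshd]` jail is enabled here although nftables.conf opens the ssh port; on Debian-based systems the packaged jail.d snippet presumably enables it, but on other distributions ssh would go unprotected by this file. `chain = input` under `[DEFAULT]` appears to be needed because the jail-level `chain` value is handed to the action and would otherwise override the action's own default with the iptables-style name; a comment saying so would stop someone removing it as redundant.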
diff --git a/firewall/iptables b/firewall/iptables
new file mode 100644
index 0000000..97cf1d1
--- /dev/null
+++ b/firewall/iptables
@@ -0,0 +1 @@
+https://github.com/ChrisTitusTech/firewallsetup.git
diff --git a/firewall/nftables.conf b/firewall/nftables.conf
new file mode 100755
index 0000000..d5e7f25
--- /dev/null
+++ b/firewall/nftables.conf
@@ -0,0 +1,33 @@
+#!/usr/sbin/nft -f
+
+flush ruleset
+
+table inet filter {
+ chain input {
+ type filter hook input priority 0; policy drop;
+ iifname lo accept
+ ct state established,related accept
+ tcp dport ssh ct state new accept
+ tcp dport http ct state new accept
+ tcp dport https ct state new accept
+ tcp dport imaps ct state new accept
+ tcp dport submission ct state new accept
+ tcp dport smtp ct state new accept
+
+ # ICMP: errors, pings
+ ip protocol icmp icmp type { echo-request, echo-reply, destination-unreachable, time-exceeded, parameter-problem, router-solicitation, router-advertisement } accept
+ # ICMPv6: errors, pings, routing
+ ip6 nexthdr icmpv6 counter accept comment "accept all ICMP types"
+
+ # Reject other packets
+ ip protocol tcp reject with tcp reset
+ }
+ chain forward {
+ type filter hook forward priority 0; policy drop;
+ }
+ chain output {
+ type filter hook output priority 0; policy accept;
+ }
+}
+
+include "/etc/nftables/fail2ban.conf"
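Review bot: The ICMPv6 rule on the `ip6 nexthdr icmpv6 counter accept` line accepts every ICMPv6 type, which contradicts the `# ICMPv6: errors, pings, routing` comment above it and is far broader than the IPv4 allow-list two lines earlier; `ip6 nexthdr` also matches only when ICMPv6 is the first next header, so packets carrying an extension header are not matched at all. An equivalent of the IPv4 rule would be `icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request, echo-reply, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept`, which matches on the transport protocol directly. Likewise `ip protocol tcp reject with tcp reset` fires only for IPv4, so unsolicited IPv6 TCP falls through to the silent policy drop; `meta l4proto tcp reject with tcp reset` covers both families. Separately, `flush ruleset` at the top also empties the `inet fail2ban` table that the included file recreates, so the set and rule fail2ban inserted at start are lost on every `nft -f` reload until fail2ban is restarted — that deserves a comment next to the `include` line.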
diff --git a/firewall/nftables/fail2ban.conf b/firewall/nftables/fail2ban.conf
new file mode 100644
index 0000000..62b9897
--- /dev/null
+++ b/firewall/nftables/fail2ban.conf
@@ -0,0 +1,7 @@
+#!/usr/sbin/nft -f
+
+table inet fail2ban {
+ chain input {
+ type filter hook input priority 100;
+ }
+}
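Review bot: The `chain input` in table `inet fail2ban` relies on two things that are not written down: its `priority 100` places it after `inet filter` (priority 0), and the omitted policy defaults to accept, so the only traffic this chain denies is whatever fail2ban's action inserts. A comment such as `# evaluated after inet filter (priority 0); policy left at accept so only fail2ban's inserted rules drop traffic` would make that explicit. The table and chain names must also match `nftables_table = fail2ban` in action.d/nftables-common.local and `chain = input` in jail.local; renaming either side presumably makes the action's rule insertion fail at jail start, so a cross-reference comment here is cheap insurance.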