From a945feb02f6d64df2219ea1044251a7fe2ea98fc Mon Sep 17 00:00:00 2001
From: Mateja <mail@matejamaric.com>
Date: Sat, 3 Apr 2021 00:37:03 +0200
Subject: Initial commit.

---
 firewall/fail2ban/action.d/nftables-common.local |  3 +++
 firewall/fail2ban/jail.local                     | 16 ++++++++++++
 firewall/iptables                                |  1 +
 firewall/nftables.conf                           | 33 ++++++++++++++++++++++++
 firewall/nftables/fail2ban.conf                  |  7 +++++
 5 files changed, 60 insertions(+)
 create mode 100644 firewall/fail2ban/action.d/nftables-common.local
 create mode 100644 firewall/fail2ban/jail.local
 create mode 100644 firewall/iptables
 create mode 100755 firewall/nftables.conf
 create mode 100644 firewall/nftables/fail2ban.conf

(limited to 'firewall')

diff --git a/firewall/fail2ban/action.d/nftables-common.local b/firewall/fail2ban/action.d/nftables-common.local
new file mode 100644
index 0000000..198e93f
--- /dev/null
+++ b/firewall/fail2ban/action.d/nftables-common.local
@@ -0,0 +1,3 @@
+[Init]
+nftables_table = fail2ban
+blocktype = drop
diff --git a/firewall/fail2ban/jail.local b/firewall/fail2ban/jail.local
new file mode 100644
index 0000000..f891d06
--- /dev/null
+++ b/firewall/fail2ban/jail.local
@@ -0,0 +1,16 @@
+[DEFAULT]
+banaction = nftables-multiport
+chain     = input
+
+[nginx-http-auth]
+enabled = true
+
+#[apache-auth]
+#enabled = true
+
+[dovecot]
+enabled = true
+port    = pop3,pop3s,imap2,imaps,submission,465,sieve
+
+[postfix]
+enabled = true
diff --git a/firewall/iptables b/firewall/iptables
new file mode 100644
index 0000000..97cf1d1
--- /dev/null
+++ b/firewall/iptables
@@ -0,0 +1 @@
+https://github.com/ChrisTitusTech/firewallsetup.git
diff --git a/firewall/nftables.conf b/firewall/nftables.conf
new file mode 100755
index 0000000..d5e7f25
--- /dev/null
+++ b/firewall/nftables.conf
@@ -0,0 +1,33 @@
+#!/usr/sbin/nft -f
+
+flush ruleset
+
+table inet filter {
+	chain input {
+		type filter hook input priority 0; policy drop;
+		iifname lo accept
+		ct state established,related accept
+		tcp dport ssh ct state new accept
+		tcp dport http ct state new accept
+		tcp dport https ct state new accept
+		tcp dport imaps ct state new accept
+		tcp dport submission ct state new accept
+		tcp dport smtp ct state new accept
+
+		# ICMP: errors, pings
+		ip protocol icmp icmp type { echo-request, echo-reply, destination-unreachable, time-exceeded, parameter-problem, router-solicitation, router-advertisement } accept
+		# ICMPv6: errors, pings, routing
+		ip6 nexthdr icmpv6 counter accept comment "accept all ICMP types"
+
+		# Reject other packets
+		ip protocol tcp reject with tcp reset
+	}
+	chain forward {
+		type filter hook forward priority 0; policy drop;
+	}
+	chain output {
+		type filter hook output priority 0; policy accept;
+	}
+}
+
+include "/etc/nftables/fail2ban.conf"
diff --git a/firewall/nftables/fail2ban.conf b/firewall/nftables/fail2ban.conf
new file mode 100644
index 0000000..62b9897
--- /dev/null
+++ b/firewall/nftables/fail2ban.conf
@@ -0,0 +1,7 @@
+#!/usr/sbin/nft -f
+
+table inet fail2ban {
+  chain input {
+    type filter hook input priority 100;
+  }
+}
-- 
cgit v1.2.3