From a945feb02f6d64df2219ea1044251a7fe2ea98fc Mon Sep 17 00:00:00 2001
From: Mateja
Date: Sat, 3 Apr 2021 00:37:03 +0200
Subject: Initial commit.
---
 firewall/fail2ban/action.d/nftables-common.local | 3 +++
 firewall/fail2ban/jail.local | 16 ++++++++++++
 firewall/iptables | 1 +
 firewall/nftables.conf | 33 ++++++++++++++++++++++++
 firewall/nftables/fail2ban.conf | 7 +++++
 5 files changed, 60 insertions(+)
 create mode 100644 firewall/fail2ban/action.d/nftables-common.local
 create mode 100644 firewall/fail2ban/jail.local
 create mode 100644 firewall/iptables
 create mode 100755 firewall/nftables.conf
 create mode 100644 firewall/nftables/fail2ban.conf
(limited to 'firewall')
diff --git a/firewall/fail2ban/action.d/nftables-common.local b/firewall/fail2ban/action.d/nftables-common.local
new file mode 100644
index 0000000..198e93f
--- /dev/null
+++ b/firewall/fail2ban/action.d/nftables-common.local
@@ -0,0 +1,3 @@
+[Init]
+nftables_table = fail2ban
+blocktype = drop
diff --git a/firewall/fail2ban/jail.local b/firewall/fail2ban/jail.local
new file mode 100644
index 0000000..f891d06
--- /dev/null
+++ b/firewall/fail2ban/jail.local
@@ -0,0 +1,16 @@
+[DEFAULT]
+banaction = nftables-multiport
+chain = input
+
+[nginx-http-auth]
+enabled = true
+
+#[apache-auth]
+#enabled = true
+
+[dovecot]
+enabled = true
+port = pop3,pop3s,imap2,imaps,submission,465,sieve
+
+[postfix]
+enabled = true
diff --git a/firewall/iptables b/firewall/iptables
new file mode 100644
index 0000000..97cf1d1
--- /dev/null
+++ b/firewall/iptables
@@ -0,0 +1 @@
+https://github.com/ChrisTitusTech/firewallsetup.git
diff --git a/firewall/nftables.conf b/firewall/nftables.conf
new file mode 100755
index 0000000..d5e7f25
--- /dev/null
+++ b/firewall/nftables.conf
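Review bot: `nftables_table = fail2ban` points the action at the table that firewall/nftables/fail2ban.conf pre-creates with an `input` chain hooked at priority 100, but fail2ban's stock nftables-common action also issues its own `add chain` for that chain on actionstart with its own default hook priority (-1 in the versions I am aware of); if the existing chain's hook spec differs, that command may fail or leave the chain as is, and the jail's rules may never be installed. To keep the two definitions in agreement, pin the priority here as well, e.g. `chain_priority = 100` under `[Init]` (confirm the key name against the installed nftables-common.conf). A comment such as `# table/chain/priority must match /etc/nftables/fail2ban.conf` would make the coupling visible to the next editor.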
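Review bot: No `[sshd]` jail is enabled in this file even though firewall/nftables.conf in the same commit accepts new connections to port 22 from anywhere; unless a distribution default file (e.g. Debian's jail.d/defaults-debian.conf) turns it on, SSH brute-force attempts are the one thing this setup does not ban. Add `[sshd]` with `enabled = true` next to the other jails. The dovecot `port` list also names pop3, pop3s, imap2, 465 and sieve, none of which the nftables policy opens; that is harmless, but narrowing it to `port = imaps,submission` would document what is actually exposed.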
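Review bot: This file is a bare URL to a third-party firewall-setup repository with no pinned commit, tag or checksum, so anything later fetched from it and run as root to build the firewall can change under someone else's control. If it is only a reference, say so in a one-line comment above the URL; if it is meant to be cloned and executed, record the exact commit hash next to the URL and keep the reviewed script in this repository instead.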
@@ -0,0 +1,33 @@
+#!/usr/sbin/nft -f
+
+flush ruleset
+
+table inet filter {
+chain input {
+type filter hook input priority 0; policy drop;
+iifname lo accept
+ct state established,related accept
+tcp dport ssh ct state new accept
+tcp dport http ct state new accept
+tcp dport https ct state new accept
+tcp dport imaps ct state new accept
+tcp dport submission ct state new accept
+tcp dport smtp ct state new accept
+
+# ICMP: errors, pings
+ip protocol icmp icmp type { echo-request, echo-reply, destination-unreachable, time-exceeded, parameter-problem, router-solicitation, router-advertisement } accept
+# ICMPv6: errors, pings, routing
+ip6 nexthdr icmpv6 counter accept comment "accept all ICMP types"
+
+# Reject other packets
+ip protocol tcp reject with tcp reset
+}
+chain forward {
+type filter hook forward priority 0; policy drop;
+}
+chain output {
+type filter hook output priority 0; policy accept;
+}
+}
+
+include "/etc/nftables/fail2ban.conf"
diff --git a/firewall/nftables/fail2ban.conf b/firewall/nftables/fail2ban.conf
new file mode 100644
index 0000000..62b9897
--- /dev/null
+++ b/firewall/nftables/fail2ban.conf
@@ -0,0 +1,7 @@
+#!/usr/sbin/nft -f
+
+table inet fail2ban {
+chain input {
+type filter hook input priority 100;
+}
+}
-- cgit v1.2.3
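Review bot: `ip6 nexthdr icmpv6 counter accept` matches only when ICMPv6 is the first header after the IPv6 header, so ICMPv6 carried behind an extension header (MLD reports are sent with a hop-by-hop header) is not matched and falls through to `policy drop`, while at the same time every ICMPv6 type, including nd-redirect, is accepted, which is broader than the "errors, pings, routing" comment claims. Replace it with `meta l4proto ipv6-icmp icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request, echo-reply, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept` and add the mld-listener-* types only if the host needs multicast. The later `ip protocol tcp reject with tcp reset` likewise applies to IPv4 only, so IPv6 TCP is silently dropped instead of reset; `meta l4proto tcp reject with tcp reset` treats both families the same. Since `flush ruleset` at the top wipes fail2ban's sets and rules on every reload, a comment beside the include such as `# fail2ban must be restarted after reloading this file` would spare the next operator a silent loss of bans.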
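Review bot: The table and chain created here are empty and carry no explanation, so a reader cannot tell whether the missing rules are an oversight or intentional. Add a header comment, e.g. `# Skeleton only: fail2ban (action.d/nftables-common.local) adds its sets and rules here at runtime; priority 100 runs after inet filter input so accepted traffic can still be dropped for banned hosts`, and state the default explicitly with `type filter hook input priority 100; policy accept;`. The comment should also note that a `flush ruleset` in nftables.conf recreates this chain empty, so bans are lost until fail2ban is restarted.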