#!/bin/bash
## Sequence-wide settings for this ufw sequencer script.
toolName='ufw'
## Package list installed by step_1; only the tool itself for now.
toolDeps="${toolName}"
## Extra apt option; seq_config sets it to -y when not running interactively.
sq_aptOpt=''
#sq_config=0
seq_config() {
  ## Configuration hook for the sequencer (presumably run before the steps).
  ## Only apt's interaction mode is set here; a non-zero return would abort
  ## the whole sequence.
  #
  ## Template for a configuration file check, currently disabled:
  #if initSeqConfig "${seq_configName:?}" "${seq_configTemplate:?}" ; then
  # sq_config=1
  #else
  # # End if no configuration file exists
  # dry || return 1
  #fi

  ## Suppress apt's prompts when nobody is at the terminal
  if ! interactive ; then
    sq_aptOpt="-y"
  fi

  ## Error checks (e.g. unbound variables) could be disabled here when
  ## external scripts are used:
  #disableErrorCheck

  return 0
}
## One-line description of step 1, shown by the sequencer.
step_1_info() { printf 'Install %s and allow ssh access\n' "$toolName"; }
## Short name under which step 1 can be selected.
step_1_alias() { printf 'install\n'; }
## Install the firewall package and open ssh before anything is enabled,
## so a later "ufw enable" cannot lock the operator out.
step_1() {
  local -a aptArgs=(install)
  # shellcheck disable=SC2206 # word splitting is intended: $toolDeps may list
  # several packages and $sq_aptOpt is empty in interactive runs
  aptArgs+=($toolDeps ${sq_aptOpt})
  exe apt "${aptArgs[@]}"
  exe ufw allow ssh
}
## One-line description of step 2, shown by the sequencer.
step_2_info() { printf 'Enable %s\n' "$toolName"; }
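## Activate the firewall with the rules added so far.
step_2() {
  # ufw asks for confirmation before enabling when it may disrupt existing
  # ssh sessions; in a non-interactive run nobody can answer that prompt, so
  # skip it there (mirrors the apt -y handling in seq_config).
  if interactive ; then
    exe ufw enable
  else
    exe ufw --force enable
  fi
}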
## One-line description of step 20, shown by the sequencer.
step_20_info() { printf 'Enable mail server essentials\n'; }
## Short name under which step 20 can be selected.
step_20_alias() { printf 'mailserver\n'; }
## Open the inbound ports of a mail server via ufw application profiles,
## plus the ManageSieve port, which has no profile of its own.
step_20() {
  local profile
  for profile in "Postfix" "Postfix SMTPS" "Dovecot Secure IMAP" "WWW Secure" ; do
    exe ufw allow "$profile"
  done
  # Manage sieve
  exe ufw allow 4190/tcp comment 'Managesieve'
}
## One-line description of step 22, shown by the sequencer.
step_22_info() { printf 'Deny multicast from gateway\n'; }
## Usage hint for step 22's positional argument.
step_22_options() { printf '[IP]\n'; }
## Short name under which step 22 can be selected.
step_22_alias() { printf 'multicast\n'; }
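## Drop multicast traffic coming in from the given gateway address.
## Arguments (after the step name passed by the sequencer): $1 - gateway IP
## Returns 1 when the IP is missing or not a valid IPv4 address/range.
step_22() {
  # $1 is the step name handed in by the sequencer; the caller's IP follows.
  shift
  local gatewayIp=${1:-}
  # Dotted-quad IPv4 with octets 0-255, optionally followed by /0-/32.
  local ipregex='^((25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(/(3[0-2]|[12]?[0-9]))?$'
  if [[ -z "$gatewayIp" ]] ; then
    error -e "No [IP] specified"
    return 1
  fi
  # Validate before the value reaches the ufw command line, like step_24 does.
  if [[ ! "$gatewayIp" =~ $ipregex ]] ; then
    error -e "No valid [IP] specified"
    return 1
  fi

  # 224.0.0.0/4 spans 224.0.0.0-239.255.255.255, so the 239.0.0.0/8 rule is a
  # subset of the first one; both are kept to match the existing rule set.
  exe ufw deny in from "${gatewayIp}" to 224.0.0.0/4 comment 'Broadcast Fritzbox'
  exe ufw deny in from "${gatewayIp}" to 239.0.0.0/8 comment 'Broadcast Fritzbox'
}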
## Description of step 24 plus a short explanation of the optional port.
step_24_info() {
  echo 'Allow cifs mounts on eth0'
  local hint
  for hint in ' [PORT] (default 445)' ' 139 : Cifs version 1.0' ' 445 : Cifs version 2.0+' ; do
    echoinfo "$hint"
  done
}
## Usage hint for step 24's positional arguments.
step_24_options() { printf '<FILE SERVER IP|RANGE> [PORT]\n'; }
## Short name under which step 24 can be selected.
step_24_alias() { printf 'cifs\n'; }
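## Allow outbound SMB/CIFS to one file server (or range) on eth0.
## Arguments (after the step name passed by the sequencer):
##   $1 - file server IPv4 address or CIDR range
##   $2 - port, 139 or 445 (default 445)
## Returns 1 when the IP is missing/invalid or the port is not 139/445.
step_24() {
  # $1 is the step name handed in by the sequencer; the caller's args follow.
  shift
  local destIp=${1:-}
  # Dotted-quad IPv4 with octets 0-255, optionally followed by /0-/32.
  local ipregex='^((25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(/(3[0-2]|[12]?[0-9]))?$'
  endIfEmpty destIp "No IP provided"
  # Check the value actually used below, not the raw positional parameter.
  if [[ ! "$destIp" =~ $ipregex ]]; then
    error "No valid IP provided"
    return 1
  fi

  # Only the two SMB/CIFS ports are accepted; anything else is an error
  # rather than a silently opened port.
  local destPort=445
  case "${2:-}" in
    139|445) destPort="${2}" ;;
    "") ;; # keep the default
    *)
      error -e "Invalid port."
      return 1 ;;
  esac

  # NOTE(review): the outbound interface is hard-wired to eth0 — confirm it
  # matches the host's uplink name before reusing this step elsewhere.
  exe ufw allow out on eth0 to "${destIp}" port "${destPort}" proto tcp comment "samba/cifs"
}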
## One-line description of step 26, shown by the sequencer.
step_26_info() { printf 'Basic secure VPN setup\n'; }
## Short name under which step 26 can be selected.
step_26_alias() { printf 'vpn\n'; }
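## Replace the whole rule set with a VPN-only egress policy: everything out
## goes through tun0, only the openvpn handshake and the proxies are allowed
## on eth0. Takes no arguments.
## NOTE: "--force reset" drops every rule the earlier steps added (ssh, mail,
## cifs ...), so this step is the complete policy on its own.
step_26() {
  local wanIf=eth0 vpnIf=tun0
  exe ufw --force reset
  # Keep the management path open before the default policy flips to deny.
  exe ufw allow in on "${wanIf}" to any port 22 comment "ssh"
  exe ufw default deny incoming
  exe ufw default deny outgoing
  # Anything may leave through the tunnel ...
  exe ufw allow out on "${vpnIf}"

  # ... plus the initial openvpn connection on the uplink.
  # NOTE(review): DNS lookup of the VPN endpoint over eth0 is not allowed by
  # this policy — confirm the openvpn config addresses its remote by IP.
  exe ufw allow out on "${wanIf}" to any port 1194 proto udp comment "openvpn default"
  # Allow access to socks proxy dante
  exe ufw allow in on "${wanIf}" to any port 1080 comment "socks5 proxy danted"
  # Allow access to http proxy privoxy
  #exe ufw allow in on eth0 to any port 8118 comment "http proxy privoxy"

  # ufw asks for confirmation before enabling when it may disrupt existing
  # ssh sessions; without a terminal nobody can answer, so skip the prompt
  # in non-interactive runs (same handling as step_2).
  if interactive ; then
    exe ufw enable
  else
    exe ufw --force enable
  fi
  exe ufw status verbose
}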
## Minimum sequencer version this script was written for; presumably checked
## by sequencer.sh once it is sourced below.
# shellcheck disable=SC2034 # Appears unused
readonly sqr_minVersion=16

## Hand over to the sequencer framework. The helpers used above (exe, error,
## interactive, endIfEmpty, echoinfo) are not defined in this file and are
## expected to come from it.
# shellcheck disable=SC1091 # Don't follow this source
source /usr/local/bin/sequencer.sh