#!/bin/bash

# Step file for the sequencer: installs and configures ufw.
toolName=ufw
# Package list handed to apt in step_1 (space separated).
toolDeps="${toolName}"

# Resolve the directory this script lives in, so the config template is
# found even when the script is invoked from another working directory.
WDIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" >/dev/null 2>&1 && pwd)"
# Config-file state flag; only the (commented-out) step_config below sets it.
CONFIG=0
CONFIG_FILE_NAME="${toolName}.cfg"
CONFIG_FILE_TEMPLATE="${WDIR}/${CONFIG_FILE_NAME}.example"
#step_config() {
#  initSeqConfig "$CONFIG_FILE_NAME" "$CONFIG_FILE_TEMPLATE"
#  if [ $? -eq 0 ] ; then
#    CONFIG=1
#  fi
#}
| step_1_info() { echo "Install $toolName and allow ssh access"; }
| step_1_alias() { ALIAS="install"; }
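#######################################
# Install the firewall package(s) and allow ssh before anything is enabled,
# so enabling ufw in step_2 cannot lock a remote session out.
# Globals:   QUIET (read; unset is treated as 0), toolDeps (read)
# Arguments: none used
# Outputs:   whatever exe/apt/ufw print
#######################################
step_1() {
  local -a aptOpt=()
  # Non-interactive apt only when the sequencer runs quietly.
  if [ "${QUIET:-0}" -ne 0 ]; then
    aptOpt=(-y)
  fi
  # toolDeps is a space separated package list: word splitting is intended.
  # shellcheck disable=SC2086
  exe apt install $toolDeps "${aptOpt[@]}"
  # Allow ssh first: ufw starts filtering the moment it is enabled.
  exe ufw allow ssh
}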
| step_2_info() { echo "Enable $toolName"; }
#######################################
# Turn the firewall on. step_1 must have allowed ssh first, because ufw
# enforces its ruleset as soon as it is enabled.
# Outputs: whatever exe/ufw print
# NOTE(review): "ufw enable" may ask for confirmation on a terminal when
#   ssh could be affected — confirm whether the sequencer expects a prompt.
#######################################
step_2() {
  local -a cmd=(ufw enable)
  exe "${cmd[@]}"
}
| step_20_info() { echo "Enable mail server essentials"; }
| step_20_alias() { ALIAS="mailserver"; }
#######################################
# Open the ufw application profiles a mail server needs (inbound, from any
# source), plus ManageSieve on 4190/tcp, which is added as a raw port rule.
# The profile names must be registered with ufw on the host, otherwise ufw
# rejects the rule.
# Outputs: whatever exe/ufw print
#######################################
step_20() {
  local profile
  for profile in "Postfix" "Postfix SMTPS" "Dovecot Secure IMAP" "WWW Secure"; do
    exe ufw allow "${profile}"
  done
  # Manage sieve
  exe ufw allow 4190/tcp comment 'Managesieve'
}
| step_22_info() { echoinfoArgs "[IP]"; echo "Deny multicast from gateway"; }
| step_22_alias() { ALIAS="multicast"; }
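#######################################
# Drop multicast traffic arriving from the given gateway/router address.
# 224.0.0.0/4 is the whole IPv4 multicast range; 239.0.0.0/8 lies inside
# it, so the second rule is a more specific duplicate of the first.
# Arguments: $1 - step name (skipped), $2 - gateway IPv4 address[/prefix]
# Outputs:   whatever exe/ufw print; errors via echoerr
# Returns:   0 on success, 1 if no or an invalid address was given
#######################################
step_22() {
  shift
  local gatewayIp=$1
  # Same shape check as step_24: dotted quad with an optional /prefix. The
  # value ends up inside a firewall rule, so refuse anything else up front.
  local ipregex='^[0-2]*[0-9]{1,2}\.[0-2]*[0-9]{1,2}\.[0-2]*[0-9]{1,2}\.[0-2]*[0-9]{1,2}\/*[0-9]*$'
  if [ -z "${gatewayIp}" ]; then
    echoerr " [E] No [IP] specified"
    return 1
  fi
  if [[ ! ${gatewayIp} =~ ${ipregex} ]]; then
    echoerr " [E] No valid IP specified"
    return 1
  fi

  exe ufw deny in from "${gatewayIp}" to 224.0.0.0/4 comment 'Broadcast Fritzbox'
  exe ufw deny in from "${gatewayIp}" to 239.0.0.0/8 comment 'Broadcast Fritzbox'
}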
# Description of step 24, its argument hint and the accepted port values,
# shown by the sequencer.
step_24_info() {
  local line
  echoinfoArgs "<FILE SERVER IP|RANGE> [PORT]"
  printf '%s\n' "Allow cifs mounts on eth0"
  for line in " [PORT] (default 445)" "  139  : Cifs version 1.0" "  445  : Cifs version 2.0+"; do
    echoinfo "${line}"
  done
}
| step_24_alias() { ALIAS="cifs"; }
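#######################################
# Allow outbound SMB/CIFS from eth0 to one file server (or range) on a
# single port. Outbound only: this host mounts shares, it does not serve them.
# Arguments: $1 - step name (skipped)
#            $2 - file server IPv4 address or address/prefix
#            $3 - port, 139 or 445 (optional, default 445)
# Outputs:   whatever exe/ufw print; errors via echoerr
# Returns:   0 on success, 1 on a missing/invalid address or port
#######################################
step_24() {
  shift
  local destIp=$1
  local destPort=445
  # Dotted quad with an optional /prefix; anything else must not reach ufw.
  local ipregex='^[0-2]*[0-9]{1,2}\.[0-2]*[0-9]{1,2}\.[0-2]*[0-9]{1,2}\.[0-2]*[0-9]{1,2}\/*[0-9]*$'
  endCheckEmpty destIp "No IP provided"
  if [[ ! ${destIp} =~ ${ipregex} ]]; then
    # Same error channel as the port check below.
    echoerr " [E] No valid IP provided"
    return 1
  fi
  case "$2" in
    139|445)
      destPort=$2 ;;
    "")
      ;; # keep the default
    *)
      echoerr " [E] Invalid port."
      return 1 ;;
  esac

  # Interface is fixed to eth0 (matches step_24_info's description).
  exe ufw allow out on eth0 to "${destIp}" port "${destPort}" proto tcp comment "samba/cifs"
}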
| step_26_info() { echo "Basic secure VPN setup"; }
| step_26_alias() { ALIAS="vpn"; }
#######################################
# Rebuild the ruleset as a VPN "kill switch": everything is dropped except
# ssh in on eth0, the initial OpenVPN handshake out on eth0, and whatever
# leaves through the tunnel (tun0). Order matters — ufw evaluates rules in
# the order they are added.
# Outputs: whatever exe/ufw print
# NOTE(review): with "default deny outgoing" only udp/1194 leaves eth0, so
#   the OpenVPN endpoint presumably has to be configured as an IP address
#   (or name resolution allowed separately) — confirm against the VPN config.
#######################################
step_26() {
  # --force skips the confirmation prompt; this wipes every existing rule.
  exe ufw --force reset
  exe ufw allow in on eth0 to any port 22 comment "ssh"
  exe ufw default deny incoming
  exe ufw default deny outgoing
  exe ufw allow out on tun0

  # Initial openvpn connection
  exe ufw allow out on eth0 to any port 1194 proto udp comment "openvpn default"
  # Allow access to socks proxy dante
  # No "from" restriction: every host that can reach eth0 may talk to the
  # proxy, so dante's own authentication/ACLs are the only access control.
  exe ufw allow in on eth0 to any port 1080 comment "socks5 proxy danted"
  # Allow access to http proxy privoxy
  #exe ufw allow in on eth0 to any port 8118 comment "http proxy privoxy"

  exe ufw enable
  exe ufw status verbose
}
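# Sequencer protocol revision this step file was written against.
VERSION_SEQREV=14
# The sequencer (presumably) discovers the step_* functions above and runs
# the selected ones. Fail loudly if it is missing instead of letting the dot
# builtin print an error and the script end with success.
if [ ! -r /usr/local/bin/sequencer.sh ]; then
  printf '%s\n' " [E] /usr/local/bin/sequencer.sh not found or not readable" >&2
  exit 1
fi
. /usr/local/bin/sequencer.sh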