From aaabd915f58601cc6152132b036f6be83f510364 Mon Sep 17 00:00:00 2001
From: Julien Oculi <xdrz.jot.sr@gmail.com>
Date: Wed, 29 May 2024 12:40:06 +0200
Subject: [PATCH] feat: add `iptables` config files

---
 iptables/_deploy.sh        |  2 ++
 iptables/_install.sh       |  1 +
 iptables/iptables/rules.sh | 29 +++++++++++++++++++++++++++++
 3 files changed, 32 insertions(+)
 create mode 100644 iptables/_deploy.sh
 create mode 100644 iptables/_install.sh
 create mode 100644 iptables/iptables/rules.sh

diff --git a/iptables/_deploy.sh b/iptables/_deploy.sh
new file mode 100644
index 0000000..9ae9b56
--- /dev/null
+++ b/iptables/_deploy.sh
@@ -0,0 +1,2 @@
+iptables -F
+source ./iptables/rules.sh
diff --git a/iptables/_install.sh b/iptables/_install.sh
new file mode 100644
index 0000000..07ffbeb
--- /dev/null
+++ b/iptables/_install.sh
@@ -0,0 +1 @@
+nala install iptables
diff --git a/iptables/iptables/rules.sh b/iptables/iptables/rules.sh
new file mode 100644
index 0000000..64650f2
--- /dev/null
+++ b/iptables/iptables/rules.sh
@@ -0,0 +1,29 @@
+# General rules
+iptables -P INPUT DROP
+iptables -P FORWARD DROP
+iptables -P OUTPUT DROP
+
+# Fail2Ban
+iptables -N f2b-sshd
+iptables -A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
+iptables -A INPUT -p tcp -m multiport --dports 55555 -j f2b-sshd
+
+# LoopBack
+iptables -A INPUT -i lo -j ACCEPT
+
+# Keep Opened connection
+iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+
+# Anti DDOS
+iptables -A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -m limit --limit 1/sec --limit-burst 1 -j ACCEPT
+
+# SSH
+iptables -A INPUT -p tcp -m tcp --dport 55555 -j ACCEPT
+
+# Main proxy
+iptables -A INPUT -p tcp --dport 80 -j ACCEPT # HTTP
+iptables -A INPUT -p tcp --dport 443 -j ACCEPT # HTTPS
+iptables -A INPUT -p udp --dport 443 -j ACCEPT # QUIC
+
+# Fail2Ban -Return-
+iptables -A f2b-sshd -j RETURN