Tested on Debian 12, CentOS 9, Rocky 8/9
-All testing has been done with distributions using nftables, so there could be issues with the iptables backend
+All testing has been done with distributions using nftables, so there potentially could be issues with the iptables backend
```
-Usage: ./firewall.sh [-p] [-d policy] [-f firewall] [-r port,action,direction[,ip[,protocol]]] [-s] [-S ip] [-n] [-N ip] [-i] [-y]
+Usage: ./firewall.sh [-p] [-d policy] [-f firewall] [-r port,action,direction[,ip[,protocol]]] [-s] [-S ip] [-n] [-N ip] [-i] [-y] [-b]
-r Rule to set, with the actions: "accept" or "drop", the directions: "in" or "out", and the protocols: "tcp", "udp".
If the port is "_", then the rule applies to all ports
-p Save rules persistently (restore after reboot)
-n Allow dns to any ip
-i Allow icmp pings
-y Don't confirm connectivity
+ -b Don't back up previous rules
Examples:
./firewall.sh -f iptables -r 80,accept,in -r 443,accept,in -r 22,drop,out
SKIP_CONNECTIVITY_CHECK=0
+SKIP_BACKUP=0
+
BACKUP_FILE=firewall-backup
COLOR_NONE="\033[0m"
help() {
- printf "Usage: %s [-p] [-d policy] [-f firewall] [-r port,action,direction[,ip[,protocol]]] [-s] [-S ip] [-n] [-N ip] [-i] [-y]\n" "$0"
+ printf "Usage: %s [-p] [-d policy] [-f firewall] [-r port,action,direction[,ip[,protocol]]] [-s] [-S ip] [-n] [-N ip] [-i] [-y] [-b]\n" "$0"
printf " -r\tRule to set, with the actions: \"accept\" or \"drop\", the directions: \"in\" or \"out\", and the protocols: \"tcp\", \"udp\".\n \tIf the port is \"_\", then the rule applies to all ports\n"
printf " -p\tSave rules persistently (restore after reboot)\n"
printf " -d\tSet default firewall policy to actions: \"accept\" or \"drop\"\n"
printf " -n\tAllow dns to any ip\n"
printf " -i\tAllow icmp pings\n"
printf " -y\tDon't confirm connectivity\n"
+ printf " -b\tDon't back up previous rules\n"
printf "\n"
printf "Examples:\n"
printf " %s -f iptables -r 80,accept,in -r 443,accept,in -r 22,drop,out\n" "$0"
exit 1
fi
-while getopts f:d:N:r:S:hinpsy ARG
+while getopts f:d:N:r:S:bhinpsy ARG
do
case "$ARG" in
f)
y)
SKIP_CONNECTIVITY_CHECK=1
;;
+ b)
+ SKIP_BACKUP=1
+ ;;
*)
help
exit 1
# Restore original rules if user got kicked out
if [ $SKIP_CONNECTIVITY_CHECK -eq 0 ]; then
- printf "\n%bTo confirm you can still access this machine, log in using another terminal and run \"touch /tmp/fw-confirm\"%b\nRestoring old rules in 20 seconds\n" "$COLOR_RED" "$COLOR_NONE"
+ printf "\n%bTo confirm you can still access this machine, log in using a new terminal and run \"touch /tmp/fw-confirm\"%b\nRestoring old rules in 30 seconds\n" "$COLOR_RED" "$COLOR_NONE"
- original_date=$(ls -cl /tmp/fw-confirm 2>/dev/null | cut -d' ' -f 6-)
- sleep 20
- current_date=$(ls -cl /tmp/fw-confirm 2>/dev/null | cut -d' ' -f 6-)
+ original_date=$(stat /tmp/fw-confirm 2>/dev/null)
+ sleep 30
+ current_date=$(stat /tmp/fw-confirm 2>/dev/null)
if [ "$original_date" = "$current_date" ]; then
printf "%bOriginal rules restored%b\n" "$COLOR_GREEN" "$COLOR_NONE"
fi
fi
+if [ $SKIP_BACKUP -eq 1 ]; then
+ if [ -e "${BACKUP_FILE}-nft.txt" ]; then
+ rm -f "${BACKUP_FILE}-nft.txt"
+ elif [ -e "${BACKUP_FILE}-ip.txt" ]; then
+ rm -f "${BACKUP_FILE}-ip.txt"
+ rm -f "${BACKUP_FILE}-ip6.txt"
+ fi
+fi
+
printf "%bKeeping new rules%b\n" "$COLOR_GREEN" "$COLOR_NONE"
if [ $PERSIST -eq 1 ]; then
persist_rules
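Review bot: The confirmation token the new connectivity check relies on is still a fixed name in world-writable /tmp, and the rewritten check now compares the full `stat` output, so anything that changes any field of /tmp/fw-confirm between the two calls (an atime update from another process reading it, or any local user creating/touching that path) counts as confirmation and suppresses the rollback, while a pre-existing file or symlink at that path can be planted before the script runs. Since the README targets Debian/CentOS/Rocky (GNU coreutils), narrowing to the change time, `original_date=$(stat -c %Z /tmp/fw-confirm 2>/dev/null)` and likewise for `current_date`, removes the atime false positive; placing the token under a directory writable only by the invoking user, with a comment such as `# confirmation token must live in a root-only directory, not /tmp, so other local users cannot forge it`, addresses the forgery. Separately, the backup cleanup for `-b` uses `elif`, so when a `-nft.txt` backup exists the `-ip.txt`/`-ip6.txt` files are never removed and a lone `-ip6.txt` is never removed either; three unconditional `rm -f -- "${BACKUP_FILE}-nft.txt" "${BACKUP_FILE}-ip.txt" "${BACKUP_FILE}-ip6.txt"` lines would replace the whole `if`/`elif` (the `-e` tests are redundant with `-f`). The `if [ $PERSIST -eq 1 ]` block at the end continues outside the hunk.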