29 lines
922 B
Bash
29 lines
922 B
Bash
#!/bin/sh
|
|
|
|
# This script provides the minimal firewall rules necessary to run
|
|
# knocknock. Essentially, no connections are allowed, unless they
|
|
# are authenticated with knocknock.
|
|
#
|
|
# Courtesy: Jake Appelbaum
|
|
|
|
IPTABLES="/sbin/iptables"
|
|
|
|
# We want to allow open connections
|
|
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
|
|
|
|
# Allow everything out
|
|
$IPTABLES -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
|
|
$IPTABLES -A OUTPUT -j ACCEPT
|
|
|
|
# We want to reject any attempts to forward
|
|
$IPTABLES -A FORWARD -j REJECT
|
|
|
|
# Add the knock knock rules
|
|
$IPTABLES -N REJECTLOG
|
|
$IPTABLES -A REJECTLOG -j LOG --log-level debug --log-tcp-sequence --log-tcp-options --log-ip-options -m limit --limit 3/s --limit-burst 8 --log-prefix "REJECT "
|
|
$IPTABLES -A REJECTLOG -p tcp -j REJECT --reject-with tcp-reset
|
|
$IPTABLES -A REJECTLOG -j REJECT
|
|
|
|
# Reject all other incoming traffic:
|
|
$IPTABLES -A INPUT -j REJECTLOG
|