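#!/bin/sh
# poor mans firewall (weechat edition) - developed by acidvegas (https://git.acid.vegas/weechat)
#
# Applies a small set of kernel hardening sysctls and an iptables INPUT policy
# that only admits loopback, established/related traffic, SSH, the WeeChat
# relay port and HTTP. Everything else inbound is dropped; OUTPUT is open.
#
# Usage:   run as root (writes under /etc and calls sysctl/iptables)
# Globals: PORT_SSH, PORT_RELAY - TCP ports opened on INPUT
#
# NOTE(review): only iptables (IPv4) is configured; IPv6 INPUT is left
# unfiltered even though the sysctls below harden IPv6. Mirror the rule set
# with ip6tables (keeping ICMPv6 neighbour discovery allowed) or disable IPv6
# via sysctl if the host does not need it.

set -xeuv

# Abort before touching anything: mkdir under /etc, sysctl and iptables all need root,
# and failing halfway through would leave a partially applied rule set.
if [ "$(id -u)" -ne 0 ]; then
  printf '%s\n' 'pmf: must be run as root' >&2
  exit 1
fi

# Configuration
PORT_SSH='22'
PORT_RELAY='2222'

# Kernel hardening settings (quoted heredoc: nothing in it is expanded)
mkdir -p /etc/sysctl.d
cat <<'EOF' > /etc/sysctl.d/99-custom-hardening.conf
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
net.ipv4.conf.all.log_martians = 1
kernel.randomize_va_space = 2
fs.suid_dumpable = 0
EOF

# Apply hardening settings
sysctl -p /etc/sysctl.d/99-custom-hardening.conf

# Flush existing rules
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

# Common firewall rules
# Loopback is accepted first so the ICMP drops below never affect local traffic.
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP # Disable response to ping requests
iptables -A INPUT -p icmp --icmp-type port-unreachable -j DROP

# Allow access
iptables -A INPUT -p tcp --dport "$PORT_SSH" -j ACCEPT
iptables -A INPUT -p tcp --dport "$PORT_RELAY" -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT

# Default chain policies
# Set last, after the ACCEPT rules exist: if set -e aborts the script above this
# point, INPUT is not left at DROP with no ACCEPT rules (remote lock-out).
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# Save rules (the directory is not created by the sysctl step above;
# a missing /etc/iptables would make the redirect fail under set -e)
mkdir -p /etc/iptables
iptables-save > /etc/iptables/iptables.rules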