Initial commit

README

@@ -0,0 +1 @@
+Some scripts related to my blog post : [Proxmox 6.0 : Installation et configuration](https://www.lecoindesdocs.fr/2019/08/19/proxmox-6-0-sur-un-serveur-dedie-1-3-installation-et-configuration-de-debian-10/)

proxmox/add_iptables_rules.sh

@@ -0,0 +1,154 @@
+#!/bin/sh
+
+	##### Variables definitions #####
+
+## Proxmox bridge holding Public IP
+ProxPhyInt="vmbr0"
+## Proxmox bridge on ProxVMBR1Net
+ProxVMBR1="vmbr1"
+## Network/Mask of ProxVMBR1Net
+ProxVMBR1NET="10.0.0.0/30"
+
+## Public IP => Set your own
+PublicIP="XXX.XXX.XXX.XXX"
+## Proxmox WAN Bridge IP
+ProxVMBR1IP="10.0.0.1"
+## Router WAN IP
+RtrWANIP="10.0.0.2"
+
+ProxWebIntPort="8006"
+DNSPort="53"
+HTTPPort="80"
+NTPPort="123"
+HTTPSPort="443"
+SSHDPort="1234"
+DNS1="XXX.XXX.XXX.XXX"
+DNS2="XXX.XXX.XXX.XXX"
+
+
+	##### CLEAN ALL RULES & DROP IPV4 AND IPV6 PACKETS #####
+
+## Delete all existing rules.
+/sbin/iptables -F
+/sbin/iptables -X
+/sbin/iptables -t nat -F
+/sbin/iptables -t nat -X
+/sbin/iptables -t mangle -F
+/sbin/iptables -t mangle -X
+
+/sbin/ip6tables -F
+/sbin/ip6tables -X
+/sbin/ip6tables -t nat -F
+/sbin/ip6tables -t nat -X
+/sbin/ip6tables -t mangle -F
+/sbin/ip6tables -t mangle -X
+
+## Block ALL IPV4 and IPV6 INPUT and OUTPUT
+/sbin/iptables -P INPUT DROP
+/sbin/iptables -P OUTPUT DROP
+/sbin/iptables -P FORWARD DROP
+
+/sbin/ip6tables -P INPUT DROP
+/sbin/ip6tables -P OUTPUT DROP
+/sbin/ip6tables -P FORWARD DROP
+	
+	##### CHAINS #####
+
+## Creating chains
+/sbin/iptables -N TCP
+/sbin/iptables -N UDP
+/sbin/iptables -N udp-flood
+
+## UDP = ACCEPT / SEND TO THIS CHAIN
+/sbin/iptables -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
+## TCP = ACCEPT / SEND TO THIS CHAIN
+/sbin/iptables -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
+
+	##### GLOBAL RULES #####
+
+## Allow localhost
+/sbin/iptables -A INPUT -i lo -j ACCEPT
+/sbin/iptables -A OUTPUT -o lo -j ACCEPT
+## Don't break the current/active connections
+/sbin/iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+/sbin/iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+## Allow response to ping request
+/sbin/iptables -A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
+
+	##### INPUT IPV4 RULES FOR ProxPhyInt #####
+
+## Allow Proxmox SSH server
+/sbin/iptables -A TCP -i $ProxPhyInt -d $PublicIP -p tcp --dport $SSHDPort -j ACCEPT
+## Allow Proxmox WebUI
+/sbin/iptables -A TCP -i $ProxPhyInt -d $PublicIP -p tcp --dport $ProxWebIntPort -j ACCEPT
+## NTP Client
+/sbin/iptables -A UDP -i $ProxPhyInt -d $PublicIP -p udp --sport $NTPPort -j ACCEPT
+
+	##### OUTPUT IPV4 RULES FOR ProxPhyInt #####
+
+## Allow ping out
+/sbin/iptables -A OUTPUT -p icmp -j ACCEPT
+## Allow LAN to access internet
+/sbin/iptables -A OUTPUT -o $ProxPhyInt -s $RtrWANIP -d $PublicIP -j ACCEPT
+
+## Proxmox Host as CLIENT
+## Allow SSH
+/sbin/iptables -A OUTPUT -o $ProxPhyInt -s $PublicIP -p tcp --dport $SSHDPort -j ACCEPT
+## Allow DNS
+/sbin/iptables -A OUTPUT -o $ProxPhyInt -s $PublicIP -p udp --dport $DNSPort -d $DNS1,$DNS2 -j ACCEPT
+## Allow HTTP/HTTPS
+/sbin/iptables -A OUTPUT -o $ProxPhyInt -s $PublicIP -p tcp --dport $HTTPPort -j ACCEPT
+/sbin/iptables -A OUTPUT -o $ProxPhyInt -s $PublicIP -p tcp --dport $HTTPSPort -j ACCEPT
+## Allow NTP
+/sbin/iptables -A OUTPUT -o $ProxPhyInt -s $PublicIP -p udp --dport $NTPPort -j ACCEPT
+
+## Proxmox Host as SERVER
+## Allow SSH
+/sbin/iptables -A OUTPUT -o $ProxPhyInt -s $PublicIP -p tcp --sport $SSHDPort -j ACCEPT
+## Allow PROXMOX WebUI
+/sbin/iptables -A OUTPUT -o $ProxPhyInt -s $PublicIP -p tcp --sport $ProxWebIntPort -j ACCEPT
+## Allow NTP
+/sbin/iptables -A OUTPUT -o $ProxPhyInt -s $PublicIP -p udp --sport $NTPPort -j ACCEPT
+
+	##### FORWARD IPV4 RULES #####
+
+## Allow request forwarding from WAN to Router WAN interface
+/sbin/iptables -A FORWARD -i $ProxPhyInt -d $RtrWANIP -o $ProxVMBR1 -p tcp -j ACCEPT
+/sbin/iptables -A FORWARD -i $ProxPhyInt -d $RtrWANIP -o $ProxVMBR1 -p udp -j ACCEPT
+
+## Allow request forwarding from LAN
+/sbin/iptables -A FORWARD -i $ProxVMBR1 -s $ProxVMBR1NET -j ACCEPT
+
+	##### MASQUERADE MANDATORY #####
+
+## Allow WAN network to use vmbr0 public adress to go out
+/sbin/iptables -t nat -A POSTROUTING -s $ProxVMBR1NET -o $ProxPhyInt -j MASQUERADE
+
+	##### Redirect IPV4 (NAT) traffic from internet #####
+
+## All tcp to Router WAN except 22 and 8006
+/sbin/iptables -t nat -A PREROUTING -i $ProxPhyInt -p tcp --match multiport ! --dports $SSHDPort,$ProxWebIntPort -j DNAT --to $RtrWANIP
+## All udp to Router WAN
+/sbin/iptables -t nat -A PREROUTING -i $ProxPhyInt -p udp -j DNAT --to $RtrWANIP
+
+	##### INPUT IPV4 RULES FOR ProxVMBR1 #####
+
+## SSH (Server)
+/sbin/iptables -A TCP -i $ProxVMBR1 -d $ProxVMBR1IP -p tcp --dport $SSHDPort -j ACCEPT
+## Proxmox WebUI (Server)
+/sbin/iptables -A TCP -i $ProxVMBR1 -d $ProxVMBR1IP -p tcp --dport $ProxWebIntPort -j ACCEPT
+
+	##### OUTPUT IPV4 RULES FOR ProxVMBR1 #####
+
+## Allow SSH server
+/sbin/iptables -A OUTPUT -o $ProxVMBR1 -s $ProxVMBR1IP -p tcp --sport $SSHDPort -j ACCEPT
+## Allow Proxmox WebUI
+/sbin/iptables -A OUTPUT -o $ProxVMBR1 -s $ProxVMBR1IP -p tcp --sport $ProxWebIntPort -j ACCEPT
+
+	##### OUTPUT FLOOD PROTECTION #####
+
+/sbin/iptables -A OUTPUT -p udp -j udp-flood
+/sbin/iptables -A udp-flood -p udp -m limit --limit 10/s -j RETURN
+/sbin/iptables -A udp-flood -j LOG --log-level 4 --log-prefix 'UDP-flood attempt: '
+/sbin/iptables -A udp-flood -j DROP
+/sbin/iptables -A OUTPUT -p udp -j DROP

proxmox/del_iptables_rules.sh

@@ -0,0 +1,27 @@
+#!/bin/sh
+
+	##### CLEAN ALL RULES & DROP IPV4 AND IPV6 PACKETS #####
+
+## Delete all existing rules.
+/usr/sbin/iptables -F
+/usr/sbin/iptables -X
+/usr/sbin/iptables -t nat -F
+/usr/sbin/iptables -t nat -X
+/usr/sbin/iptables -t mangle -F
+/usr/sbin/iptables -t mangle -X
+
+/usr/sbin/ip6tables -F
+/usr/sbin/ip6tables -X
+/usr/sbin/ip6tables -t nat -F
+/usr/sbin/ip6tables -t nat -X
+/usr/sbin/ip6tables -t mangle -F
+/usr/sbin/ip6tables -t mangle -X
+
+## Accept ALL IPV4 and IPV6 INPUT and OUTPUT
+/usr/sbin/iptables -P INPUT ACCEPT
+/usr/sbin/iptables -P OUTPUT ACCEPT
+/usr/sbin/iptables -P FORWARD ACCEPT
+
+/usr/sbin/ip6tables -P INPUT ACCEPT
+/usr/sbin/ip6tables -P OUTPUT ACCEPT
+/usr/sbin/ip6tables -P FORWARD ACCEPT

router/add_iptables_rules.sh

@@ -0,0 +1,120 @@
+#!/bin/bash
+
+        ##### Port forwarding activation #####
+
+echo 1 > /proc/sys/net/ipv4/ip_forward
+
+        ##### Variables definitions #####
+
+## WAN Router Interface
+WanInt="eth0"
+## LAN Router Interface
+LanInt="eth1"
+## Network LAN
+LanNet="192.168.0.0/24"
+
+## WAN Router IP
+WanIP="10.0.0.2"
+## LAN Router IP
+LanIP="192.168.0.2"
+## HAProxy IP
+HAProxyIP="192.168.0.3"
+
+DNSPort="53"
+HTTPPort="80"
+HTTPSPort="443"
+
+DNS1="XXX.XXX.XXX.XXX"
+DNS2="XXX.XXX.XXX.XXX"
+
+        ##### CLEAN ALL RULES & DROP IPV4 AND IPV6 PACKETS #####
+
+## Delete all existing rules.
+iptables -F
+iptables -X
+iptables -t nat -F
+iptables -t nat -X
+iptables -t mangle -F
+iptables -t mangle -X
+
+ip6tables -F
+ip6tables -X
+ip6tables -t nat -F
+ip6tables -t nat -X
+ip6tables -t mangle -F
+ip6tables -t mangle -X
+
+## Block ALL IPV4 and IPV6 INPUT and OUTPUT
+iptables -P INPUT DROP
+iptables -P OUTPUT DROP
+iptables -P FORWARD DROP
+
+ip6tables -P INPUT DROP
+ip6tables -P OUTPUT DROP
+ip6tables -P FORWARD DROP
+
+        ##### CHAINS #####
+
+## Creating chains
+iptables -N TCP
+iptables -N UDP
+iptables -N udp-flood
+
+## UDP = ACCEPT / SEND TO THIS CHAIN
+iptables -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
+## TCP = ACCEPT / SEND TO THIS CHAIN
+iptables -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
+
+        ##### GLOBAL RULES #####
+
+## Allow localhost
+iptables -A INPUT -i lo -j ACCEPT
+iptables -A OUTPUT -o lo -j ACCEPT
+## Don't break the current/active connections
+iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+## Allow response to ping request on interface eth1
+iptables -A INPUT -i $LanInt -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
+
+        ##### OUTPUT IPV4 RULES FOR Router #####
+
+## Allow ping out
+iptables -A OUTPUT -p icmp -j ACCEPT
+
+## Routeur as CLIENT
+## Allow DNS
+iptables -A OUTPUT -o $WanInt -s $WanIP -p udp --dport $DNSPort -d $DNS1,$DNS2 -j ACCEPT
+## Block All Other UDP
+#iptables -A OUTPUT -p udp -j DROP
+## Allow HTTP/HTTPS
+iptables -A OUTPUT -o $WanInt -s $WanIP -p tcp --match multiport --dports $HTTPPort,$HTTPSPort -j ACCEPT
+
+        ##### FORWARD IPV4 RULES #####
+
+## Allow request forwarding from WAN to Router LAN interface
+iptables -A FORWARD -i $WanInt -d $WanIP -o $LanInt -p tcp -j ACCEPT
+iptables -A FORWARD -i $WanInt -d $WanIP -o $LanInt -p udp -j ACCEPT
+## Allow request forwarding from LAN
+iptables -A FORWARD -i $LanInt -s $LanNet -j ACCEPT
+## Forward HTTP/HTTPS to HAProxy
+iptables -A FORWARD -i $WanInt -p tcp --match multiport --dports $HTTPPort,$HTTPSPort -d $HAProxyIP -j ACCEPT
+
+        ##### MASQUERADE MANDATORY #####
+
+## Allow WAN network to use WanInt public adress to go out
+iptables -t nat -A POSTROUTING -s $LanNet -o $WanInt -j MASQUERADE
+
+        ##### Redirect IPV4 (NAT) traffic from internet #####
+
+## All tcp to Router WAN
+iptables -t nat -A PREROUTING -i $WanInt -p tcp --match multiport --dports $HTTPPort,$HTTPSPort -j DNAT --to $HAProxyIP
+## All udp to Router WAN
+iptables -t nat -A PREROUTING -i $WanInt -p udp -j DNAT --to $LanIP
+
+	##### OUTPUT FLOOD PROTECTION #####
+
+iptables -A OUTPUT -p udp -j udp-flood
+iptables -A udp-flood -p udp -m limit --limit 10/s -j RETURN
+iptables -A udp-flood -j LOG --log-level 4 --log-prefix 'UDP-flood attempt: '
+iptables -A udp-flood -j DROP
+iptables -A OUTPUT -p udp -j DROP

router/del_iptables_rules.sh

@@ -0,0 +1,27 @@
+#!/bin/sh
+
+	##### CLEAN ALL RULES & DROP IPV4 AND IPV6 PACKETS #####
+
+## Delete all existing rules.
+/usr/sbin/iptables -F
+/usr/sbin/iptables -X
+/usr/sbin/iptables -t nat -F
+/usr/sbin/iptables -t nat -X
+/usr/sbin/iptables -t mangle -F
+/usr/sbin/iptables -t mangle -X
+
+/usr/sbin/ip6tables -F
+/usr/sbin/ip6tables -X
+/usr/sbin/ip6tables -t nat -F
+/usr/sbin/ip6tables -t nat -X
+/usr/sbin/ip6tables -t mangle -F
+/usr/sbin/ip6tables -t mangle -X
+
+## Accept ALL IPV4 and IPV6 INPUT and OUTPUT
+/usr/sbin/iptables -P INPUT ACCEPT
+/usr/sbin/iptables -P OUTPUT ACCEPT
+/usr/sbin/iptables -P FORWARD ACCEPT
+
+/usr/sbin/ip6tables -P INPUT ACCEPT
+/usr/sbin/ip6tables -P OUTPUT ACCEPT
+/usr/sbin/ip6tables -P FORWARD ACCEPT