From 3db62e534698dda94c1debb12a6f60d57b8f5864 Mon Sep 17 00:00:00 2001 From: godot Date: Fri, 26 Jul 2024 10:16:09 +0200 Subject: [PATCH] firewalling done --- README.md | 5 ++-- script.sh | 79 +++++++++++++++++++++++++------------------------------ 2 files changed, 39 insertions(+), 45 deletions(-) diff --git a/README.md b/README.md index c02ccc2..9cbd953 100644 --- a/README.md +++ b/README.md @@ -6,13 +6,14 @@ - [x] addons for Forge ## To DO! -- [ ] Firewall shinanigns - - [ ] Proxmox admin acces in firewall +- [*] Firewall shinanigns + - [*] Proxmox admin acces in firewall - [x] Auto add plugins - [ ] Config of velocity.toml - [ ] IP - [ ] Comments of what is doing what - [ ] Tailscale +- [ ] SystemD service ## To learn - [x] What content of start.sh means diff --git a/script.sh b/script.sh index 89c8c64..8008591 100755 --- a/script.sh +++ b/script.sh @@ -5,7 +5,7 @@ printf "Better to run as root, because of permisions handeling.\n" sleep 2 -### Firewall ### needs to update +### Firewall printf "Do you want to set up firewall rules by iptables? [Y/n]: \n" read ansFirewallSetup 
@@ -18,42 +18,27 @@ if [[ "$ansFirewallSetup" =~ ("N"|"n") ]]; then elif [[ "$ansFirewallSetup" =~ ("Y"|"y") || -z $ansFirewallSetup ]]; then - printf "Do you want to block non-VPN ssh connections? [Y/n/castom]: " + printf "Do you want to block non-Tailscale ssh connections? [Y/n]: " read sshBlockRange -### needs update from LAN to VPN - - if [[ $sshBlockRange =~ ("n"|"N") ]]; then + if [[ "$sshBlockRange" =~ ("n"|"N") ]]; then - printf "+ OK, working on next bit\n" - ipList="" + printf "If you want input your own IP range [N/range]\n" + read sshRange - elif [[ $sshBlockRange =~ ("y"|"Y") || -z $sshBlockRange ]]; then - - #Pipes all informations about ip interfaces - ipList=$(ip -o -4 a show tailscale0) + if [[ "$sshRange" =~ ("n"|"N") || -z $sshRange ]]; then + printf "+ Making your SSH connections wide and open. Think about it. /n" + ipList="*" + else + printf "+ Accepting SSH connections only on these ip's: $sshRange\n" + ipList="$sshRange" + fi - #Founds data in pattern - ipList=$(echo $ipList | grep -Eo "([0-9]*\.){3}[0-9]*/[0-9]*") - - #substitues space for coma - ipList=$(echo $ipList | tr " " ",") - - printf "+ Accepting SSH connections only on these ip's: $ipList\n" - - - else - printf "\nHope you know what you are doing, I am not checking these :]" - - printf "\nSubmit your IP range to acces SSH in format 192.168.1.1/24 - \nYour IP range: " - read ipList - printf "\n+ Allowing SSH on this range: $ipList \n" - fi + fi -### Update ### +### Update sleep 2 @@ -66,14 +51,14 @@ if [[ "$ansFirewallSetup" =~ ("Y"|"y") || -z $ansFirewallSetup ]]; then apt install iptables -y fi -### User managment ### needs update +### User managment -groupadd minecraft +groupadd velocity -useradd --system --shell /usr/sbin/nologin --home /opt/minecraft -g minecraft minecraft +useradd --system --shell /usr/sbin/nologin --home /opt/velocity -g velocity velocity -### File structure ### +### File structure mkdir /opt/velocity 
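Review bot: After this hunk the default answer to "block non-Tailscale ssh connections" (Y or Enter) sets no `ipList` at all — the old branch that read the address of `tailscale0` is deleted and the new code only handles the `n` answer — so the port-22 accept rule added later in this patch (hunk `@@ -116,7 +96,20 @@`) has nothing to match on for the very path the prompt advertises. Restore a branch for that case, e.g. `elif [[ "$sshBlockRange" =~ ("y"|"Y") || -z $sshBlockRange ]]; then`, `ipList=$(ip -o -4 a show tailscale0 | grep -Eo '([0-9]+\.){3}[0-9]+/[0-9]+' | tr '\n' ',')`, `ipList=${ipList%,}`, and fail loudly if it comes back empty rather than falling through. In the added lines, `printf "... ip's: $sshRange\n"` passes user input as the printf format string (a `%` in the answer corrupts or aborts the message); use `printf "+ Accepting SSH connections only on these ip's: %s\n" "$sshRange"` and `read -r sshRange`, and the "wide and open" message ends in `/n` instead of `\n`. The value typed at the range prompt is accepted without any check that it looks like a CIDR before it reaches iptables. The enclosing `elif [[ "$ansFirewallSetup" ...` block continues past the end of this hunk.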
@@ -82,19 +67,14 @@ mv data/velocity*.jar start.sh /opt/velocity/ mkdir /opt/velocity/plugins mv data/Ambassador*.jar /opt/velocity/plugins -### Nestopne se samo, mozna lepsi vytvorit strukturu za nej vlozit config a spustit az pres systemD -./start.sh -end -### Screen usige alert - -rm /opt/velocity/velocity.toml mv data/velocity.toml /opt/velocity/ +mv data/forwarding.secret /opt/velocity/ -### Permisions ### needs update +### Permisions -chown -R godot:godot /opt/velocity/ +chown -R velocity:velocity /opt/velocity/ @@ -116,7 +96,20 @@ if [[ "$ansFirewallSetup" =~ ("Y"|"y") || -z "$ansFirewallSetup" ]]; then iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT #Allow continuing connections - iptables -A INPUT -p tcp --dport 25577 -j ACCEPT #Allow MC port + iptables -A INPUT -p tcp --dport 25577 -j ACCEPT #Allow Velocity port + + if [[ "$ipList" = "*" ]]; then + + ### Wide and open + + iiptables -A INPUT -p tcp --dport 22 j ACCEPT + + elif [[! "$ipList" -z ]]; then + + ### Manual IP range + + iptables -A INPUT -p tcp --dport 22 --source $ipList -j ACCEPT + fi iptables -L ### Good place to paste a manual check to not lock yourself out @@ -154,4 +147,4 @@ systemctl enable mc-forge ### needs update printf "\nsystemctl status mc-forge" -printf "\nsu minecraft -s /bin/bash" +printf "\nsu velocity -s /bin/bash"
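Review bot: The new `mv data/forwarding.secret /opt/velocity/` keeps whatever mode the file had in `data/`, and the `chown -R velocity:velocity /opt/velocity/` a few lines below only changes ownership, so if the file is group- or world-readable it stays that way in its final location. Judging by the name this is the proxy's forwarding secret (confirm), so add `chmod 600 /opt/velocity/forwarding.secret` directly after the mv, and consider `chmod 750 /opt/velocity` if other local accounts exist on the host. None of the `mv` lines in this hunk check their exit status, so a missing `data/forwarding.secret` leaves the script running with no secret installed; `mv data/forwarding.secret /opt/velocity/ || exit 1` would stop it there.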
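Review bot: Neither of the two new port-22 rules in hunk `@@ -116,7 +96,20 @@` can ever be installed: the "wide and open" branch calls `iiptables` (typo) and `j ACCEPT` is missing its dash, and `elif [[! "$ipList" -z ]]` is not a valid test — `[[!` is parsed as a command name, not the `[[` keyword, and `-z` is a prefix operator — so the manual-range branch is never entered either. Because the earlier prompt hunk also leaves `ipList` unset on the Tailscale default path, the script ends up adding no SSH accept rule at all; if the INPUT policy is set to DROP somewhere outside this hunk (the "not lock yourself out" comment on the following line suggests that), the admin loses the session. `--source $ipList` is also unquoted and carries the unvalidated value typed at the prompt; quote it, and make the fall-through case print something instead of silently skipping port 22. The enclosing firewall `if` block starts and ends outside the hunk.
```shell
  iptables -A INPUT -p tcp --dport 25577 -j ACCEPT #Allow Velocity port

  if [[ "$ipList" == "*" ]]; then
    ### Wide and open
    iptables -A INPUT -p tcp --dport 22 -j ACCEPT
  elif [[ -n "$ipList" ]]; then
    ### Manual IP range (value typed at the prompt; not validated — see earlier hunk)
    iptables -A INPUT -p tcp --dport 22 --source "$ipList" -j ACCEPT
  else
    printf 'No SSH source range set; no port 22 rule was added.\n' >&2
  fi
  # … unchanged: iptables -L and the lock-out comment …
```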