Update 7.7.2 7.7.3 7.7.4.1~7.7.4.4 for nftables.

This commit is contained in:
Samson-W 2023-06-16 02:43:44 +08:00
parent f0d0f65467
commit 1b4337464a
6 changed files with 253 additions and 136 deletions


@ -1,7 +1,7 @@
#!/bin/bash #!/bin/bash
# #
# harbian-audit for Debian GNU/Linux 9 Hardening # harbian-audit for Debian GNU/Linux 9/10/11/12 Hardening
# #
# #
@ -17,27 +17,43 @@ HARDENING_LEVEL=2
IPS4=$(which iptables) IPS4=$(which iptables)
IPS6=$(which ip6tables) IPS6=$(which ip6tables)
PACKAGE_NFT='nftables'
# Quick note here : CIS recommends your iptables rules to be persistent. # Quick note here : CIS recommends your iptables rules to be persistent.
# Do as you want, but this script does not handle this # Do as you want, but this script does not handle this
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
if [ $(${IPS4} -S | grep -Ec "^-A|^-I") -eq 0 -o $(${IPS6} -S | grep -Ec "^-A|^-I") -eq 0 ]; then is_pkg_installed $PACKAGE_NFT
crit "Iptables/Ip6tables is not set rule!" if [ $FNRET != 0 ]; then
FNRET=1 if [ $(${IPS4} -S | grep -Ec "^-A|^-I") -eq 0 -o $(${IPS6} -S | grep -Ec "^-A|^-I") -eq 0 ]; then
else crit "Iptables/Ip6tables is not set rule!"
ok "Iptables/Ip6tables rules are set!" FNRET=1
FNRET=0 else
fi ok "Iptables/Ip6tables rules are set!"
FNRET=0
fi
else
if [ $(nft list ruleset 2>/dev/null | grep -v '^table' | grep -v 'chain.*{' | grep -v '}' | grep -v 'policy' | grep -v '^$' | wc -l) -gt 0 ]; then
ok "nftables rules are set!"
FNRET=10
else
crit "Nftables is not set rule!"
FNRET=2
fi
fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply () {
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "Iptables/Ip6tables rules are set!" ok "Iptables/Ip6tables rules are set!"
else elif [ $FNRET = 10 ]; then
ok "Nftables rules are set!"
elif [ $FNRET = 1 ]; then
warn "Iptables/Ip6tables rules are not set, need the administrator to manually add it." warn "Iptables/Ip6tables rules are not set, need the administrator to manually add it."
elif [ $FNRET = 2 ]; then
warn "Nftables rules are not set, need the administrator to manually add it."
fi fi
} }
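Review bot: The new `else` branch of `audit` runs the `nft list ruleset … | wc -l` test whenever the nftables package is installed and never looks at iptables, so a host that has the package present but still loads its rules through iptables-legacy (which do not show up in `nft list ruleset`) is reported `crit` even though the old check would have passed; consider falling back to the iptables count when the filtered nft count is zero, or reporting ok when either ruleset has rules. The five chained `grep -v` calls can be one `grep -Ev '^table|chain.*\{|\}|policy|^$'`. The "nftables has no rules" code is `FNRET=2` here, while the 7.7.3, 7.7.4.1 and 7.7.4.2 sections below use `FNRET=11` for the same condition; one shared convention would keep the `apply` branches consistent across checks.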


@ -1,7 +1,7 @@
#!/bin/bash #!/bin/bash
# #
# harbian-audit for Debian GNU/Linux 9 Hardening # harbian-audit for Debian GNU/Linux 9/10/11/12 Hardening
# #
# #
@ -17,6 +17,7 @@ HARDENING_LEVEL=2
IPS4=$(which iptables) IPS4=$(which iptables)
IPS6=$(which ip6tables) IPS6=$(which ip6tables)
PACKAGE_NFT='nftables'
IPV4_RET=1 IPV4_RET=1
IPV6_RET=1 IPV6_RET=1
@ -27,48 +28,63 @@ IPV6_ISENABLE=1
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
# ipv4 is_pkg_installed $PACKAGE_NFT
if [ $(${IPS4} -S | grep -E "\-m.*limit" | grep -Ec "\-\-limit-burst") -eq 0 ]; then if [ $FNRET != 0 ]; then
info "Iptables is not set rules of protect DOS attacks!" # ipv4
IPV4_RET=1 if [ $(${IPS4} -S | grep -E "\-m.*limit" | grep -Ec "\-\-limit-burst") -eq 0 ]; then
else info "Iptables is not set rules of protect DOS attacks!"
info "Iptables has set rules for protect DOS attacks!" IPV4_RET=1
IPV4_RET=0
fi
# ipv6
check_ipv6_is_enable
IPV6_ISENABLE=$FNRET
if [ $IPV6_ISENABLE = 0 ]; then
if [ $(${IPS6} -S | grep -E "\-m.*limit" | grep -Ec "\-\-limit-burst") -eq 0 ]; then
info "Ip6tables is not set rules of protect DOS attacks!"
IPV6_RET=1
else else
info "Ip6tables has set rules for protect DOS attacks!" info "Iptables has set rules for protect DOS attacks!"
IPV6_RET=0 IPV4_RET=0
fi fi
fi # ipv6
if [ $IPV6_ISENABLE -eq 0 ]; then check_ipv6_is_enable
if [ $IPV4_RET -eq 1 -o $IPV6_RET -eq 1 ]; then IPV6_ISENABLE=$FNRET
crit "Iptables/ip6tables is not set rules of protect DOS attacks!" if [ $IPV6_ISENABLE = 0 ]; then
FNRET=1 if [ $(${IPS6} -S | grep -E "\-m.*limit" | grep -Ec "\-\-limit-burst") -eq 0 ]; then
info "Ip6tables is not set rules of protect DOS attacks!"
IPV6_RET=1
else
info "Ip6tables has set rules for protect DOS attacks!"
IPV6_RET=0
fi
fi
if [ $IPV6_ISENABLE -eq 0 ]; then
if [ $IPV4_RET -eq 1 -o $IPV6_RET -eq 1 ]; then
crit "Iptables/ip6tables is not set rules of protect DOS attacks!"
FNRET=1
else
ok "Iptables/ip6tables has set rules for protect DOS attacks!"
FNRET=0
fi
else else
ok "Iptables/ip6tables has set rules for protect DOS attacks!" if [ $IPV4_RET -eq 1 ]; then
FNRET=0 crit "Iptables is not set rules of protect DOS attacks!"
FNRET=1
else
ok "Iptables has set rules for protect DOS attacks!"
FNRET=0
fi
fi fi
else else
if [ $IPV4_RET -eq 1 ]; then if [ $(nft list ruleset 2>/dev/null | grep -v '^$' | grep -c 'limit.*burst') -gt 0 ]; then
crit "Iptables is not set rules of protect DOS attacks!" FNRET=10
FNRET=1 ok "nftables has set rules for protect DOS attacks!"
else else
ok "Iptables has set rules for protect DOS attacks!" FNRET=11
FNRET=0 crit "nftables is not set rules for protect DOS attacks!"
fi fi
fi fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply () {
if [ $FNRET = 0 ]; then if [ $FNRET = 10 ]; then
ok "nftables has set rules for protect DOS attacks!"
elif [ $FNRET = 11 ]; then
crit "nftables is not set rules for protect DOS attacks!"
elif [ $FNRET = 0 ]; then
if [ $IPV6_ISENABLE -eq 0 ]; then if [ $IPV6_ISENABLE -eq 0 ]; then
ok "Iptables/Ip6tables has set rules for protect DOS attacks!" ok "Iptables/Ip6tables has set rules for protect DOS attacks!"
else else
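Review bot: The nft branch of `audit` passes whenever any line of `nft list ruleset` contains `limit` followed by `burst`, which does not say which family or hook the rule sits in; the iptables branch checks IPv4 and IPv6 separately, whereas here an `ip`-only table would satisfy the test while IPv6 stays unprotected (an `inet` table covers both, which may be what the author assumes). Tightening the pattern to the limit statement itself, `grep -c 'limit rate.*burst'`, avoids matching unrelated text such as a rule `comment`, and the `grep -v '^$'` in front of it is redundant because `grep -c` with a pattern never counts empty lines. `apply` continues past the end of this section.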


@ -1,7 +1,7 @@
#!/bin/bash #!/bin/bash
# #
# harbian-audit for Debian GNU/Linux 9 Hardening # harbian-audit for Debian GNU/Linux 9/10/11/12 Hardening
# #
# #
@ -16,21 +16,37 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=2 HARDENING_LEVEL=2
IPS4=$(which iptables) IPS4=$(which iptables)
PACKAGE_NFT='nftables'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
if [ $(${IPS4} -S | grep -c "\-P INPUT DROP") -eq 0 -o $(${IPS4} -S | grep -c "\-P OUTPUT DROP") -eq 0 -o $(${IPS4} -S | grep -c "\-P FORWARD DROP") -eq 0 ]; then is_pkg_installed $PACKAGE_NFT
crit "Iptables: Firewall policy is not default deny!" if [ $FNRET != 0 ]; then
FNRET=1 if [ $(${IPS4} -S | grep -c "\-P INPUT DROP") -eq 0 -o $(${IPS4} -S | grep -c "\-P OUTPUT DROP") -eq 0 -o $(${IPS4} -S | grep -c "\-P FORWARD DROP") -eq 0 ]; then
crit "Iptables: Firewall policy is not default deny!"
FNRET=1
else
ok "Iptables has set default deny for firewall policy!"
FNRET=0
fi
else else
ok "Iptables has set default deny for firewall policy!" if [ $(nft list ruleset | grep -c 'input.*policy drop') -eq 0 -o $(nft list ruleset | grep -c 'output.*policy drop') -eq 0 -o $(nft list ruleset | grep -c 'forward.*policy drop') -eq 0 ]; then
FNRET=0 crit "nftables: Firewall policy is not default deny!"
fi FNRET=11
else
ok "nftables has set default deny for firewall policy!"
FNRET=10
fi
fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply () {
if [ $FNRET = 0 ]; then if [ $FNRET = 10 ]; then
ok "nftables has set default deny for firewall policy!"
elif [ $FNRET = 11 ]; then
warn "nftables is not set default deny for firewall policy! need the administrator to manually add it."
elif [ $FNRET = 0 ]; then
ok "Iptables has set default deny for firewall policy!" ok "Iptables has set default deny for firewall policy!"
else else
warn "Iptables is not set default deny for firewall policy! need the administrator to manually add it. Howto set: iptables -P INPUT DROP; iptables -P OUTPUT DROP; iptables -P FORWARD DROP." warn "Iptables is not set default deny for firewall policy! need the administrator to manually add it. Howto set: iptables -P INPUT DROP; iptables -P OUTPUT DROP; iptables -P FORWARD DROP."
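Review bot: The nft branch of `audit` invokes `nft list ruleset` three times in one condition and, unlike the 7.7.2 section, without `2>/dev/null`, so a permission or missing-binary error prints to the console and the three counts all read as zero. Capture the ruleset once, `NFT_RULESET=$(nft list ruleset 2>/dev/null)`, and test it with `printf '%s\n' "$NFT_RULESET" | grep -c 'input.*policy drop'` and the two sibling patterns. As in the 7.7.3 section, a `policy drop` on an `ip` table does not establish a default-deny for IPv6; if that is intended, a comment saying the check is IPv4-only would help.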


@ -1,7 +1,7 @@
#!/bin/bash #!/bin/bash
# #
# harbian-audit for Debian GNU/Linux 9 Hardening # harbian-audit for Debian GNU/Linux 9/10/11/12 Hardening
# #
# #
@ -19,61 +19,79 @@ INPUT_ACCEPT=1
OUTPUT_ACCEPT=1 OUTPUT_ACCEPT=1
INPUT_DENY=1 INPUT_DENY=1
IP4VERSION="IPS4" IP4VERSION="IPS4"
PACKAGE_NFT='nftables'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
# Check the loopback interface to accept INPUT traffic. is_pkg_installed $PACKAGE_NFT
ensure_lo_traffic_input_is_accept "$IP4VERSION" if [ $FNRET != 0 ]; then
if [ $FNRET = 0 ]; then # Check the loopback interface to accept INPUT traffic.
INPUT_ACCEPT=0 ensure_lo_traffic_input_is_accept "$IP4VERSION"
info "Iptables loopback traffic INPUT has configured!" if [ $FNRET = 0 ]; then
INPUT_ACCEPT=0
info "Iptables loopback traffic INPUT has configured!"
else
INPUT_ACCEPT=1
info "Iptables: loopback traffic INPUT is not configured!"
fi
# Check the loopback interface to accept OUTPUT traffic.
ensure_lo_traffic_output_is_accept "$IP4VERSION"
if [ $FNRET = 0 ]; then
OUTPUT_ACCEPT=0
info "Iptables loopback traffic OUTPUT has configured!"
else
OUTPUT_ACCEPT=1
info "Iptables: loopback traffic OUTPUT is not configured!"
fi
# all other interfaces to deny traffic to the loopback network.
ensure_lo_traffic_other_if_input_is_deny "$IP4VERSION"
if [ $FNRET = 0 ]; then
INPUT_DENY=0
info "Iptables loopback traffic INPUT deny from other interfaces has configured!"
else
INPUT_DENY=1
info "Iptables: loopback traffic INPUT deny from other interfaces is not configured!"
fi
if [ $INPUT_ACCEPT -eq 0 -a $OUTPUT_ACCEPT -eq 0 -a $INPUT_DENY -eq 0 ]; then
ok "Loopback traffic rules are configured!"
else
crit "Loopback traffic rules are not configured!"
fi
else else
INPUT_ACCEPT=1 if [ $(nft list chain ip filter INPUT | grep -c 'lo.*accept') -gt 0 -a $(nft list chain ip filter OUTPUT | grep -c 'lo.*accept') -gt 0 -a $(nft list chain ip filter INPUT | grep -c 'saddr.*127.0.0.0/8.*drop') -gt 0 ]; then
info "Iptables: loopback traffic INPUT is not configured!" ok "nftables loopback traffic INPUT/OUTPUT/deny-other-loopback-interfaces has configured!"
fi FNRET=10
# Check the loopback interface to accept OUTPUT traffic. else
ensure_lo_traffic_output_is_accept "$IP4VERSION" crit "nftables loopback traffic INPUT/OUTPUT/deny-other-loopback-interfaces is not configured!"
if [ $FNRET = 0 ]; then FNRET=11
OUTPUT_ACCEPT=0 fi
info "Iptables loopback traffic OUTPUT has configured!"
else
OUTPUT_ACCEPT=1
info "Iptables: loopback traffic OUTPUT is not configured!"
fi
# all other interfaces to deny traffic to the loopback network.
ensure_lo_traffic_other_if_input_is_deny "$IP4VERSION"
if [ $FNRET = 0 ]; then
INPUT_DENY=0
info "Iptables loopback traffic INPUT deny from other interfaces has configured!"
else
INPUT_DENY=1
info "Iptables: loopback traffic INPUT deny from other interfaces is not configured!"
fi
if [ $INPUT_ACCEPT -eq 0 -a $OUTPUT_ACCEPT -eq 0 -a $INPUT_DENY -eq 0 ]; then
ok "Loopback traffic rules are configured!"
else
crit "Loopback traffic rules are not configured!"
fi fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply () {
if [ $INPUT_ACCEPT = 0 ]; then if [ $FNRET = 10 ]; then
ok "Iptables loopback traffic INPUT has configured!" ok "nftables loopback traffic INPUT/OUTPUT/deny-other-loopback-interfaces has configured!"
elif [ $FNRET = 11 ]; then
warn "nftables loopback traffic INPUT/OUTPUT/deny-other-loopback-interfaces is not configured! Need the administrator to manually add it. "
else else
warn "Iptables loopback traffic INPUT is not configured! need the administrator to manually add it. Howto set: iptables -A INPUT -i lo -j ACCEPT" if [ $INPUT_ACCEPT = 0 ]; then
fi ok "Iptables loopback traffic INPUT has configured!"
else
warn "Iptables loopback traffic INPUT is not configured! Need the administrator to manually add it. Howto set: iptables -A INPUT -i lo -j ACCEPT"
fi
if [ $OUTPUT_ACCEPT = 0 ]; then if [ $OUTPUT_ACCEPT = 0 ]; then
ok "Iptables loopback traffic OUTPUT has configured!" ok "Iptables loopback traffic OUTPUT has configured!"
else else
warn "Iptables loopback traffic OUTPUT is not configured! need the administrator to manually add it. Howto set: iptables -A OUTPUT -o lo -j ACCEPT" warn "Iptables loopback traffic OUTPUT is not configured! Need the administrator to manually add it. Howto set: iptables -A OUTPUT -o lo -j ACCEPT"
fi fi
if [ $INPUT_DENY = 0 ]; then if [ $INPUT_DENY = 0 ]; then
ok "Iptables loopback traffic INPUT deny from other interfaces has configured!" ok "Iptables loopback traffic INPUT deny from other interfaces has configured!"
else else
warn "Iptables loopback traffic INPUT deny from 127.0.0.0/8 is not configured! need the administrator to manually add it. Howto set: iptables -A INPUT -s 127.0.0.0/8 -j DROP" warn "Iptables loopback traffic INPUT deny from 127.0.0.0/8 is not configured! Need the administrator to manually add it. Howto set: iptables -A INPUT -s 127.0.0.0/8 -j DROP"
fi
fi fi
} }
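Review bot: The nft branch of `audit` hard-codes `nft list chain ip filter INPUT` and `OUTPUT`, which are the table and chain names iptables-nft creates; a ruleset written natively for nftables (the Debian-shipped template, as far as I recall, uses `table inet filter` with lowercase `input`/`output` chains) makes each `nft list chain` fail with an error on stderr and the check reports `crit`. Grepping `nft list ruleset 2>/dev/null` for the loopback rules would cover both layouts; the same hard-coded chain names appear in the 7.7.4.3 and 7.7.4.4 sections below. The pattern `lo.*accept` is also satisfied by any rule containing `log … accept`, since `log` starts with `lo`; nft prints interface names quoted, so `'"lo".*accept'` matches only the loopback rules.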


@ -1,12 +1,11 @@
#!/bin/bash #!/bin/bash
# #
# harbian-audit for Debian GNU/Linux 9 Hardening # harbian-audit for Debian GNU/Linux 9/10/11/12 Hardening
# #
# #
# 7.7.4.3 Ensure default deny firewall policy (Scored) # 7.7.4.3 Ensure firewall rules exist for all open ports (Scored)
# For ipv4
# Add this feature:Author : Samson wen, Samson <sccxboy@gmail.com> # Add this feature:Author : Samson wen, Samson <sccxboy@gmail.com>
# #
@ -16,12 +15,19 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=2 HARDENING_LEVEL=2
IPS4=$(which iptables) IPS4=$(which iptables)
PACKAGE_NFT='nftables'
NETLISTENLIST="/dev/shm/7.7.4.3" NETLISTENLIST="/dev/shm/7.7.4.3"
PROTO_PORT="/dev/shm/proto_port_pair" PROTO_PORT="/dev/shm/proto_port_pair"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
is_pkg_installed $PACKAGE_NFT
if [ $FNRET != 0 ]; then
ISNFTABLES=1
else
ISNFTABLES=0
fi
# For ipv4 # For ipv4
rm -f $NETLISTENLIST rm -f $NETLISTENLIST
rm -f $PROTO_PORT rm -f $PROTO_PORT
@ -30,18 +36,36 @@ audit () {
do do
PROTO_TYPE=$(echo ${LISTENING} | awk '{print $1}') PROTO_TYPE=$(echo ${LISTENING} | awk '{print $1}')
LISTEN_PORT=$(echo ${LISTENING} | awk '{print $4}' | awk -F: '{print $2}') LISTEN_PORT=$(echo ${LISTENING} | awk '{print $4}' | awk -F: '{print $2}')
if [ $($IPS4 -S | grep "^\-A INPUT \-p $PROTO_TYPE" | grep -c "\-\-dport $LISTEN_PORT \-m state \-\-state NEW \-j ACCEPT") -ge 1 ]; then if [ $ISNFTABLES = 1 ]; then
info "Service: protocol $PROTO_TYPE listening port $LISTEN_PORT was set firewall rules." if [ $($IPS4 -S | grep "^\-A INPUT \-p $PROTO_TYPE" | grep -c "\-\-dport $LISTEN_PORT \-m state \-\-state NEW \-j ACCEPT") -ge 1 ]; then
else info "Service: protocol $PROTO_TYPE listening port $LISTEN_PORT was set firewall rules."
echo "${PROTO_TYPE} ${LISTEN_PORT}" >> $PROTO_PORT else
info "Service: protocol $PROTO_TYPE listening port $LISTEN_PORT is not set firewall rules." echo "${PROTO_TYPE} ${LISTEN_PORT}" >> $PROTO_PORT
info "Service: protocol $PROTO_TYPE listening port $LISTEN_PORT is not set firewall rules."
fi
else
if [ $(nft list chain ip filter INPUT | grep -c "dport.*$LISTEN_PORT.*new.*accept") -ge 1 ]; then
info "Service: protocol $PROTO_TYPE listening port $LISTEN_PORT was set firewall(nft) rules."
else
echo "${PROTO_TYPE} ${LISTEN_PORT}" >> $PROTO_PORT
info "Service: protocol $PROTO_TYPE listening port $LISTEN_PORT is not set firewall(nft) rules."
fi
fi fi
done done
rm -f $NETLISTENLIST rm -f $NETLISTENLIST
if [ -f $PROTO_PORT ]; then
crit "Iptables is not set firewall rules exist for all open ports!" if [ $ISNFTABLES = 1 ]; then
if [ -f $PROTO_PORT ]; then
crit "Iptables is not set firewall rules exist for all open ports!"
else
ok "Iptables has set firewall rules exist for all open ports!"
fi
else else
ok "Iptables has set firewall rules exist for all open ports!" if [ -f $PROTO_PORT ]; then
crit "Nftables is not set firewall rules exist for all open ports!"
else
ok "Nftables has set firewall rules exist for all open ports!"
fi
fi fi
} }
@ -52,11 +76,19 @@ apply () {
do do
PROTO_TYPE=$(echo ${NOSETPAIR} | awk '{print $1}') PROTO_TYPE=$(echo ${NOSETPAIR} | awk '{print $1}')
LISTEN_PORT=$(echo ${NOSETPAIR} | awk '{print $2}') LISTEN_PORT=$(echo ${NOSETPAIR} | awk '{print $2}')
warn "Service: protocol $PROTO_TYPE listening port $LISTEN_PORT is not set firewall rules, need the administrator to manually add it. Howto set: iptables -A INPUT -p <protocol> --dport <port> -m state --state NEW -j ACCEPT" if [ $ISNFTABLES = 1 ]; then
warn "Service: protocol $PROTO_TYPE listening port $LISTEN_PORT is not set firewall rules, need the administrator to manually add it. Howto set: iptables -A INPUT -p <protocol> --dport <port> -m state --state NEW -j ACCEPT"
else
warn "Service: protocol $PROTO_TYPE listening port $LISTEN_PORT is not set firewall rules, need the administrator to manually add it. "
fi
done done
rm -f $PROTO_PORT rm -f $PROTO_PORT
else else
ok "Iptables has set firewall rules exist for all open ports!" if [ $ISNFTABLES = 1 ]; then
ok "Iptables has set firewall rules exist for all open ports!"
else
ok "Nftables has set firewall rules exist for all open ports!"
fi
fi fi
} }
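Review bot: The nft pattern `dport.*$LISTEN_PORT.*new.*accept` in `audit` is an unanchored substring, so a listener on port 80 is satisfied by a rule for 8080, and it ignores `$PROTO_TYPE`, so a udp rule satisfies a tcp listener; the iptables pattern beside it anchors on `\-p $PROTO_TYPE` and the space after the port. nft prints rules as `tcp dport 22 ct state new accept`, so `grep -c "$PROTO_TYPE dport $LISTEN_PORT .*new.*accept"` restores both constraints. `ISNFTABLES=1` is set when `is_pkg_installed` reports the package absent, so the name reads inverted at every `if [ $ISNFTABLES = 1 ]`; a comment such as `# 1 = nftables not installed, fall back to iptables` or a name like `USE_IPTABLES` would prevent misreading. Both `audit` and `apply` are cut by the hunk boundaries here.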


@ -1,12 +1,11 @@
#!/bin/bash #!/bin/bash
# #
# harbian-audit for Debian GNU/Linux 9 Hardening # harbian-audit for Debian GNU/Linux 9/10/11/12 Hardening
# #
# #
# 7.7.4.4 Ensure outbound and established connections are configured (Not Scored) # 7.7.4.4 Ensure outbound and established connections are configured (Not Scored)
# For ipv4
# Add this feature:Author : Samson wen, Samson <sccxboy@gmail.com> # Add this feature:Author : Samson wen, Samson <sccxboy@gmail.com>
# #
@ -20,52 +19,72 @@ RET_VALUE2=1
PROTOCOL_LIST="tcp udp icmp" PROTOCOL_LIST="tcp udp icmp"
IP4VERSION="IPS4" IP4VERSION="IPS4"
PACKAGE_NFT='nftables'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
is_pkg_installed $PACKAGE_NFT
if [ $FNRET != 0 ]; then
IS_NFT=1
else
IS_NFT=0
fi
for protocol in $PROTOCOL_LIST for protocol in $PROTOCOL_LIST
do do
# Check INPUT with ESTABLISHED is config if [ $IS_NFT = 1 ]; then
check_input_with_established_is_accept "${protocol}" "$IP4VERSION" # Check INPUT with ESTABLISHED is config
if [ $FNRET = 0 ]; then check_input_with_established_is_accept "${protocol}" "$IP4VERSION"
RET_VALUE1=0 if [ $FNRET = 0 ]; then
info "Portocol $protocol INPUT is conf" RET_VALUE1=0
info "Portocol $protocol INPUT is conf"
else
RET_VALUE1=1
info "Portocol $protocol INPUT is not conf"
break
fi
# Check outbound is config
check_outbound_connect_is_accept "${protocol}" "$IP4VERSION"
if [ $FNRET = 0 ]; then
RET_VALUE2=0
info "Portocol $protocol outbound is conf"
else
RET_VALUE2=1
info "Portocol $protocol outbound is not conf"
break
fi
else else
RET_VALUE1=1 if [ $(nft list chain ip filter INPUT 2>/dev/null | grep -c "${protocol}.*established.*accept") -ge 1 -a $(nft list chain ip filter OUTPUT 2>/dev/null | grep -c "${protocol}.*established.*accept") -ge 1 ]; then
info "Portocol $protocol INPUT is not conf" ok "Portocol $protocol INPUT was conf(nft). Outbound and established connections are configured!"
fi FNRET=10
# Check outbound is config else
check_outbound_connect_is_accept "${protocol}" "$IP4VERSION" crit "Portocol $protocol INPUT is not conf(nft). Outbound and established connections are not configured!"
if [ $FNRET = 0 ]; then FNRET=11
RET_VALUE2=0 fi
info "Portocol $protocol outbound is conf" return
else
RET_VALUE2=1
info "Portocol $protocol outbound is not conf"
fi fi
done done
if [ $RET_VALUE1 -eq 0 -a $RET_VALUE2 -eq 0 ]; then if [ $RET_VALUE1 -eq 0 -a $RET_VALUE2 -eq 0 ]; then
ok "Outbound and established connections are configured!" ok "Outbound and established connections are configured!"
FNRET=0
else else
crit "Outbound and established connections are not configured!" crit "Outbound and established connections are not configured!"
FNRET=1
fi fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply () {
for protocol in $PROTOCOL_LIST if [ $FNRET = 0 ]; then
do ok "Portocol $protocol INPUT was conf. Outbound and established connections are configured!"
# Apply INPUT with ESTABLISHED elif [ $FNRET = 11 ]; then
check_input_with_established_is_accept "${protocol}" $IP4VERSION warn "Portocol $protocol INPUT is not conf(nft). Outbound and established connections are not configured!"
if [ $FNRET = 1 ]; then elif [ $FNRET = 10 ]; then
warn "Portocol $protocol INPUT is not set, need the administrator to manually add it. Howto apply: iptables -A INPUT -p $protocol -m state --state ESTABLISHED -j ACCEPT" ok "Portocol $protocol INPUT was conf(nft). Outbound and established connections are configured!"
fi elif [ $FNRET = 1 ]; then
# Apply outbound warn "Portocol $protocol INPUT is not conf(nft). Outbound and established connections are not configured!"
check_outbound_connect_is_accept "${protocol}" $IP4VERSION else
if [ $FNRET = 1 ]; then :
warn "Portocol $protocol outbound is not set, need the administrator to manually add it. Howto apply: iptables -A OUTPUT -p $protocol -m state --state NEW,ESTABLISHED -j ACCEPT" fi
fi
done
} }
# This function will check config parameters required # This function will check config parameters required
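Review bot: The rewritten `apply` references `$protocol` in every message, but the `for protocol in $PROTOCOL_LIST` loop that defined it was removed from `apply`; the value is whatever `audit` last left behind, and under the `set -u` the sibling checks enable an unset value aborts the function. The `elif [ $FNRET = 1 ]` branch also prints "(nft)" although 1 is the iptables code, and the nft branch of `audit` returns after the first protocol, so only `tcp` of `tcp udp icmp` is ever checked there. I would drop the per-protocol wording from `apply` and key the messages on `FNRET` alone, keeping the iptables howto text from the old side:
```shell
apply () {
    if [ $FNRET = 0 ]; then
        ok "Outbound and established connections are configured!"
    elif [ $FNRET = 1 ]; then
        warn "Outbound and established connections are not configured, need the administrator to manually add it. Howto apply: iptables -A INPUT -p <protocol> -m state --state ESTABLISHED -j ACCEPT; iptables -A OUTPUT -p <protocol> -m state --state NEW,ESTABLISHED -j ACCEPT"
    elif [ $FNRET = 10 ]; then
        ok "Outbound and established connections are configured (nft)!"
    elif [ $FNRET = 11 ]; then
        warn "Outbound and established connections are not configured (nft), need the administrator to manually add it."
    fi
}
```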