guest-fw-setup

guest-fw-setup is a Bash script designed to implement a strict and secure firewall policy for guest virtual machines (VMs) or containers running on Proxmox or similar platforms. Leveraging iptables and ipset, it enforces fine-grained network access control and logs dropped packets through ulogd2.

This script is not intended to replace a dedicated perimeter firewall. Instead, it serves as an additional layer of defense in scenarios where a guest system may be compromised. By allowing only the minimal traffic necessary for the application to function, it helps contain potential breaches, prevent lateral movement within the LAN, and mitigate further exposure. The script is intended as a customizable template for applying minimal and application-specific firewall rules with ease.


Features

  • Sets default DROP policies on all incoming and outgoing traffic.
  • Allows SSH access only from a trusted local subnet and the default gateway.
  • Restricts access to specified TCP ports from user-defined allowed IPs.
  • Supports a trusted reverse proxy IP for hybrid setups.
  • Permits DNS queries (UDP port 53) only to the default gateway.
  • Allows ICMP (ping) only to the default gateway and public IPs outside bogon/private ranges.
  • Enables outbound HTTP/HTTPS traffic.
  • Logs all dropped packets using NFLOG and ulogd2 for auditing and troubleshooting.
  • Uses ipset to efficiently manage allowed IP lists.
  • Includes options to apply, reset, preview, and display current firewall rules.

Requirements

  • iptables
  • iptables-persistent
  • ulogd2
  • ipset

The script checks for these packages and can prompt for installation if any are missing.


Usage

Run the script with one of the following options:

./guest-fw-setup.sh --apply         # Auto-detect network and apply firewall rules
./guest-fw-setup.sh --reset         # Reset firewall rules to default ACCEPT policy
./guest-fw-setup.sh --list-rules    # Show the iptables rules that would be applied
./guest-fw-setup.sh --show-rules    # Display currently active iptables rules
./guest-fw-setup.sh --help          # Show usage information

Configuration

Modify the script’s user-configurable section to suit your environment:

  • LAN_SUBNET: Local subnet trusted for SSH.
  • TRUSTED_REVERSE_PROXY: IP of a trusted reverse proxy (leave empty if unused).
  • PORT_WITH_ALLOWED_IPS: Bash associative array mapping service ports to allowed source IP addresses.

Example:

LAN_SUBNET="192.168.10.0/24"
TRUSTED_REVERSE_PROXY="192.168.20.1"
declare -A PORT_WITH_ALLOWED_IPS=(
  [8096]="192.168.30.9 192.168.30.13 192.168.30.14"
)
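To make the --list-rules preview concrete, the following is an added example (not the project's own script) that renders the per-port ipset and iptables rules plus the NFLOG-then-DROP tail from a simple port-to-sources list; it uses a plain whitespace-separated list instead of the script's Bash associative array so it runs under POSIX sh, and the set names, the NFLOG group number and the log prefix are assumptions, not values from the project.

```shell
#!/bin/sh
# Added example, not the project's own code. Constructed sample config:
# one line per TCP port, followed by the source IPs allowed to reach it.
PORT_ALLOW_SPEC='8096 192.168.30.9 192.168.30.13 192.168.30.14
9443 192.168.30.9'

# render_port_rules SPEC: print (never apply) the ipset and iptables commands
# that admit the listed sources to each port. Entries that are not a dotted
# quad are skipped with a warning rather than silently widening the rule.
render_port_rules() {
    printf '%s\n' "$1" | while read -r port ips; do
        [ -n "$port" ] || continue
        setname="allow_tcp_${port}"          # assumed naming scheme
        printf 'ipset create %s hash:ip -exist\n' "$setname"
        for ip in $ips; do
            case "$ip" in
                *[!0-9.]*|"") echo "skipping invalid source '$ip' for port $port" >&2; continue ;;
            esac
            printf 'ipset add %s %s -exist\n' "$setname" "$ip"
        done
        # Only NEW connections from the set; replies are handled by conntrack.
        printf 'iptables -A INPUT -p tcp --dport %s -m set --match-set %s src -m conntrack --ctstate NEW -j ACCEPT\n' "$port" "$setname"
    done
    # Everything not accepted above is logged to ulogd2 via NFLOG, then dropped.
    # Group 0 and the prefix are assumptions to be matched with ulogd.conf.
    printf 'iptables -A INPUT -j NFLOG --nflog-group 0 --nflog-prefix "FW-DROP-IN "\n'
    printf 'iptables -A INPUT -j DROP\n'
}

# count_allowed SPEC PORT: number of sources that would be added to PORT's set.
count_allowed() {
    render_port_rules "$1" 2>/dev/null | grep -c "^ipset add allow_tcp_$2 "
}

render_port_rules "$PORT_ALLOW_SPEC"
```

Piping the output into sh is deliberately left to the operator, mirroring the script's preview-before-apply workflow.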

Logging

Dropped packets are logged via NFLOG and ulogd2 to /var/log/ulogd.log (or /var/log/ulogd.syslogemu.log if available). This facilitates monitoring of denied network traffic.


Notes

  • The script must be run with root privileges.
  • Designed for Debian-based systems (tested on Proxmox VE 8.4.1).
  • IP and gateway detection are automatic at runtime.
  • The script includes prompts before applying changes to prevent accidental misconfiguration.

License

This script is provided as-is under the GPL-3.0 License. See the LICENSE file for details.


Feel free to customize the script and report issues or feature requests.
