msw/CISS.debian.installer
SHA256
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
f8b13063a8922388463d5af1f0ad20359f30309ce788dd3ac210416e944d270c
CISS.debian.installer/includes/target/etc/initramfs-tools/files/dropbear_fw.sh
Marc S. Weidner 45ff672479
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m0s
Details
V8.00.000.2025.06.17 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-07-31 23:04:30 +02:00

67 lines
2.1 KiB
Bash
Raw Blame History

#!/bin/sh
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; ZIMNOL, Andre H.; <git.cs@physnet.eu>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
# shellcheck shell=sh
# Firewall script for Dropbear SSH inside initramfs.
# This script runs at the "init-bottom" stage of the early boot process.
#
# It configures basic iptables rules to restrict SSH access to Dropbear
# while the system is in the pre-boot phase (before root is decrypted).
#
# IPv6 is not supported in initramfs at this stage due to complexity.
# Only trusted IPv4 addresses are allowed.
PREREQ="dropbear"
prereqs() { echo "${PREREQ}"; }
case "$1" in
prereqs) prereqs; exit 0 ;;
esac
### Check if the firewall is enabled via the config file.
DROPBEAR_FW_CONF="/etc/initramfs-tools/conf.d/dropbear_fw.cnf"
if [ -f "${DROPBEAR_FW_CONF}" ]; then
# shellcheck disable=SC1090
. "${DROPBEAR_FW_CONF}"
else
DROPBEAR_FIREWALL_ENABLED=0
fi
### Abort if the firewall flag is not set or disabled.
if [ "${DROPBEAR_FIREWALL_ENABLED}" != "1" ]; then
echo "Dropbear firewall disabled by 'dropbear_fw.cnf'."
exit 0
fi
### Ensure iptables is available.
if command -v iptables >/dev/null 2>&1; then
### Reset any existing rules.
iptables -F
iptables -X
### Default policy: block everything unless explicitly allowed.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
### Allow local loopback.
iptables -A INPUT -i lo -j ACCEPT
### Infrastructure host / Jump-Server / VPN-Exit-Node: only allow SSH from the specified IPv4.
iptables -A INPUT -p tcp --dport "${DROPBEAR_PORT}" -s "${DROPBEAR_JUMP_SERVER_IP}" -j ACCEPT
fi
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
Reference in New Issue View Git Blame Copy Permalink