135 lines
5.1 KiB
Bash
Executable File
135 lines
5.1 KiB
Bash
Executable File
#!/bin/bash
|
|
|
|
IPT='/sbin/iptables'
|
|
EXTIF='eth0'
|
|
INTIF='br0'
|
|
LOIF='lo'
|
|
PRIVTUNIF='tun0'
|
|
PUBTUNIF='tun1'
|
|
|
|
ONEILL=192.168.42.3
|
|
|
|
function getIP
|
|
{
|
|
hostx $1 | grep ^$1 | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+'
|
|
}
|
|
function getIFIP
|
|
{
|
|
ip addr show dev "$1" | grep -Eo 'inet *[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' | sed -e 's/.*inet *//'
|
|
}
|
|
|
|
eth0_ip=$(getIFIP ${EXTIF})
|
|
|
|
# Flush/delete chains
|
|
$IPT -F
|
|
$IPT -X
|
|
$IPT -t nat -F
|
|
$IPT -t nat -X
|
|
|
|
# Policies
|
|
$IPT -P INPUT DROP
|
|
$IPT -P FORWARD DROP
|
|
|
|
# Set up NAT
|
|
$IPT -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
|
|
$IPT -t nat -A POSTROUTING -o $PUBTUNIF -j MASQUERADE
|
|
#$IPT -t nat -A POSTROUTING -o $PRIVTUNIF -j MASQUERADE
|
|
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
|
|
$IPT -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
|
|
$IPT -A FORWARD -i $INTIF -o $INTIF -j ACCEPT
|
|
$IPT -A FORWARD -i $INTIF -o $PUBTUNIF -j ACCEPT
|
|
$IPT -A FORWARD -i $PUBTUNIF -o $INTIF -d 192.168.42.3 -j ACCEPT
|
|
$IPT -A FORWARD -i $PUBTUNIF -o $INTIF -d 192.168.42.4 -j ACCEPT
|
|
#$IPT -A FORWARD -i $INTIF -o $PRIVTUNIF -j ACCEPT
|
|
$IPT -A FORWARD -p icmp --icmp-type fragmentation-needed -j ACCEPT
|
|
|
|
# Allows
|
|
# Established/Related
|
|
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
|
|
# all loopback
|
|
$IPT -A INPUT -i $LOIF -j ACCEPT
|
|
# all intranet input
|
|
$IPT -A INPUT -i $INTIF -j ACCEPT
|
|
# external pings - rate limited
|
|
$IPT -A INPUT -i $EXTIF -p icmp --icmp-type echo-request -m limit --limit 2/second --limit-burst 2 -j ACCEPT
|
|
# external HTTP - rate limited
|
|
#$IPT -A INPUT -i $EXTIF -p tcp --dport 80 -m state --state NEW -m limit --limit 3/second --limit-burst 6 -j ACCEPT
|
|
# external SVN - rate limited
|
|
#$IPT -A INPUT -i $EXTIF -p tcp --dport 3690 -m state --state NEW -m limit --limit 2/second --limit-burst 4 -j ACCEPT
|
|
# external OpenVPN connection requests
|
|
#$IPT -A INPUT -i $EXTIF -p udp --dport 1194 -m state --state NEW -m limit --limit 2/minute --limit-burst 2 -j ACCEPT
|
|
$IPT -A INPUT -i $EXTIF -p tcp --dport 443 -m state --state NEW -m limit --limit 2/minute --limit-burst 2 -j ACCEPT
|
|
# ICMP fragmentation needed messages
|
|
$IPT -A INPUT -i $EXTIF -p icmp --icmp-type fragmentation-needed -m limit --limit 10/second --limit-burst 20 -j ACCEPT
|
|
|
|
# VPN pings
|
|
$IPT -A INPUT -i $PUBTUNIF -p icmp --icmp-type echo-request -m limit --limit 2/second --limit-burst 2 -j ACCEPT
|
|
# VPN subversion
|
|
#$IPT -A INPUT -i $PUBTUNIF -p tcp --dport 3690 -j ACCEPT
|
|
# VPN NFS
|
|
$IPT -A INPUT -i $PUBTUNIF -p udp -m multiport --dports 111,2049,4000:4003 -j ACCEPT
|
|
$IPT -A INPUT -i $PUBTUNIF -p tcp -m multiport --dports 111,2049,4000:4003 -j ACCEPT
|
|
# VPN squid proxy
|
|
$IPT -A INPUT -i $PUBTUNIF -p tcp --dport 3128 -j ACCEPT
|
|
# VPN rsync
|
|
$IPT -A INPUT -i $PUBTUNIF -p tcp --dport 873 -j ACCEPT
|
|
|
|
## VPN pings
|
|
#$IPT -A INPUT -i $PRIVTUNIF -p icmp --icmp-type echo-request -m limit --limit 2/second --limit-burst 2 -j ACCEPT
|
|
## VPN subversion
|
|
#$IPT -A INPUT -i $PRIVTUNIF -p tcp --dport 3690 -j ACCEPT
|
|
## VPN ssh
|
|
#$IPT -A INPUT -i $PRIVTUNIF -p tcp --dport 22 -j ACCEPT
|
|
## VPN NFS
|
|
#$IPT -A INPUT -i $PRIVTUNIF -p udp -m multiport --dports 111,2049,44444:44446 -j ACCEPT
|
|
#$IPT -A INPUT -i $PRIVTUNIF -p tcp -m multiport --dports 111,2049,44444:44446 -j ACCEPT
|
|
## VPN squid proxy
|
|
##$IPT -A INPUT -i $PRIVTUNIF -p tcp --dport 3128 -j ACCEPT
|
|
## VPN rsync
|
|
#$IPT -A INPUT -i $PRIVTUNIF -p tcp --dport 873 -j ACCEPT
|
|
|
|
# Samba
|
|
#$IPT -A INPUT -p udp --sport 137 -j ACCEPT
|
|
#$IPT -A INPUT -p udp --sport 139 -j ACCEPT
|
|
#$IPT -A INPUT -p udp --sport 445 -j ACCEPT
|
|
|
|
# Log dropped
|
|
#$IPT -A INPUT -j LOG --log-prefix "IPTABLES_WOULD_DROP "
|
|
|
|
# DNATs
|
|
# http
|
|
$IPT -t nat -A PREROUTING -d $eth0_ip -p tcp --dport 80 -j DNAT --to-destination $ONEILL
|
|
$IPT -A FORWARD -i $EXTIF -o $INTIF -d $ONEILL -p tcp --dport 80 -j ACCEPT
|
|
#$IPT -t nat -A POSTROUTING -s 192.168.42.0/24 -d $ONEILL -p tcp --dport 80 -j MASQUERADE
|
|
|
|
# ssh for git
|
|
$IPT -t nat -A PREROUTING -d $eth0_ip -p tcp --dport 22 -j DNAT --to-destination $ONEILL
|
|
$IPT -A FORWARD -i $EXTIF -o $INTIF -d $ONEILL -p tcp --dport 22 -j ACCEPT
|
|
|
|
# git
|
|
$IPT -t nat -A PREROUTING -d $eth0_ip -p tcp --dport 9418 -j DNAT --to-destination $ONEILL
|
|
$IPT -A FORWARD -i $EXTIF -o $INTIF -d $ONEILL -p tcp --dport 9418 -j ACCEPT
|
|
|
|
# squid
|
|
#$IPT -t nat -A PREROUTING -i $PUBTUNIF -p tcp --dport 3128 -j DNAT --to-destination $ONEILL
|
|
#$IPT -A FORWARD -i $PUBTUNIF -o $INTIF -p tcp --dport 3128 -j ACCEPT
|
|
#$IPT -t nat -A PREROUTING -i $PRIVTUNIF -p tcp --dport 3128 -j DNAT --to-destination $ONEILL
|
|
#$IPT -A FORWARD -i $PRIVTUNIF -o $INTIF -p tcp --dport 3128 -j ACCEPT
|
|
|
|
# old https vpn
|
|
#$IPT -t nat -A PREROUTING -i $EXTIF -p tcp --dport 443 -j DNAT --to-destination 192.168.42.11
|
|
#$IPT -A FORWARD -i $EXTIF -o $INTIF -d 192.168.42.11 -p tcp --dport 443 -j ACCEPT
|
|
|
|
# old udp vpn
|
|
#$IPT -t nat -A PREROUTING -i $EXTIF -p udp --dport 1194 -j DNAT --to-destination 192.168.42.11
|
|
#$IPT -A FORWARD -i $EXTIF -o $INTIF -d 192.168.42.11 -p udp --dport 1194 -j ACCEPT
|
|
|
|
# SNATs
|
|
#$IPT -t nat -A PREROUTING -i $INTIF -d $eth0_ip -p udp --dport 1194 -j DNAT --to-destination 192.168.42.1:1194
|
|
#$IPT -t nat -A POSTROUTING -o $INTIF -s 192.168.42.1 -p udp --sport 1194 -j SNAT --to-source $eth0_ip:1194
|
|
|
|
# Drop any other new connection
|
|
#$IPT -A INPUT -i $EXTIF -m state --state NEW,INVALID -j DROP
|
|
#$IPT -A FORWARD -i $EXTIF -m state --state NEW,INVALID -j DROP
|
|
|