- Create the firewall script:
- nano /root/fwrules.sh
- Add the following:
- ------------------------------------------------------------------------------------------------
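#!/bin/sh
# fwrules.sh - NAT gateway firewall for a host with one Internet-facing and
# one LAN-facing interface.
#
# Run as root at boot (e.g. from /etc/rc.local).  It flushes the filter and
# nat tables and rebuilds them in the order below, so rule order matters:
# the drop rules come first, then the ESTABLISHED/RELATED shortcut, then the
# per-service ACCEPTs.  Everything not matched in INPUT is dropped by policy.
#
# "set -e" is intentionally not used: a module that is missing on this kernel
# must not abort loading of the remaining rules.  Unset variables are an
# error, so a typo in a variable name cannot silently widen a rule.
set -u

# This host's addresses.  SERVERPRIV_IP is currently unused by any rule and
# is kept only for reference.
SERVERPRIV_IP="192.168.0.1"
SERVERPUB_IP="10.10.10.1"
# Interface connected to Internet
INTERNET="eth0"
# Interface connected to LAN
LAN_IN="eth1"
# LAN network (source of the Samba clients)
NETWORKIP="192.168.0.0/24"
# LAN host that receives forwarded remote desktop sessions
RDPCLIENTIP="192.168.0.200"

# Flush existing rules and delete user-defined chains in both tables, so the
# script is idempotent when re-run on a live system.
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X

# Load connection-tracking modules for NAT and the FTP helper.
# ip_conntrack* are the legacy module names; newer kernels provide the same
# functionality as nf_conntrack*, so fall back to those when the legacy
# name is not available.
modprobe ip_conntrack 2>/dev/null || modprobe nf_conntrack
modprobe ip_conntrack_ftp 2>/dev/null || modprobe nf_conntrack_ftp
# For win xp ftp client
#modprobe ip_nat_ftp

# Enable routing between the two interfaces (required for MASQUERADE/DNAT).
echo 1 > /proc/sys/net/ipv4/ip_forward

# Default policies.
# NOTE(review): FORWARD defaults to ACCEPT, so the explicit FORWARD ACCEPT
# rules below are currently no-ops and any routable traffic arriving on
# $INTERNET for the LAN is forwarded.  If the policy is tightened to DROP,
# add an ESTABLISHED,RELATED rule to FORWARD and a rule for any VPN (ppp)
# interfaces before relying on the explicit rules -- confirm with the
# pptpd setup before changing.
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD ACCEPT
iptables -t nat -P OUTPUT ACCEPT
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT

# Masquerade LAN traffic leaving towards the Internet.
iptables -t nat -A POSTROUTING -o "$INTERNET" -j MASQUERADE
iptables -A FORWARD -i "$LAN_IN" -o "$INTERNET" -j ACCEPT

# Drop spoofed packets: loopback addresses may only arrive on lo.
iptables -A INPUT --source 127.0.0.0/8 ! --in-interface lo -j DROP

# Limit ping requests; ICMP above the limit falls through to the INPUT DROP
# policy.
iptables -A INPUT -p icmp -m limit --limit 1/second -j ACCEPT

# Drop bogus packets: conntrack INVALID and impossible TCP flag combinations.
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP
iptables -A INPUT -p tcp --tcp-flags FIN,ACK FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP

# Allow responses to connections this host initiated.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow loopback.
iptables -A INPUT --in-interface lo -j ACCEPT

# Allow SSH.
# NOTE(review): accepted from any source on every interface; consider
# restricting with -s "$NETWORKIP" / -i "$LAN_IN" or adding a -m limit
# rule if the host is reachable from the Internet.
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

# Allow http and https.
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT

# Allow Samba shares, from the LAN network only.
iptables -A INPUT -p udp -m udp -s "$NETWORKIP" --dport 137 -j ACCEPT
iptables -A INPUT -p udp -m udp -s "$NETWORKIP" --dport 138 -j ACCEPT
iptables -A INPUT -m state --state NEW -m tcp -p tcp -s "$NETWORKIP" --dport 139 -j ACCEPT
iptables -A INPUT -m state --state NEW -m tcp -p tcp -s "$NETWORKIP" --dport 445 -j ACCEPT

# Allow pptpd (GRE for the tunnel, TCP 1723 for control).
iptables -A INPUT -p gre -j ACCEPT
iptables -A INPUT -p tcp --dport 1723 -j ACCEPT

# Port forward remote desktop: public IP port 3390 -> LAN client port 3389.
# The interface is "$INTERNET" rather than a literal name so that changing
# INTERNET above is enough.
iptables -t nat -A PREROUTING -i "$INTERNET" -d "$SERVERPUB_IP" -p tcp --dport 3390 \
  -j DNAT --to-destination "$RDPCLIENTIP:3389"
# Because the DNAT rule above matches first, this REDIRECT only sees port
# 3390 traffic on $INTERNET whose destination is NOT $SERVERPUB_IP, and sends
# it to this host's own port 3389 (opened in INPUT below).
# NOTE(review): intent unclear -- confirm whether this rule and the
# INPUT 3389 accept are still needed.
iptables -t nat -A PREROUTING -i "$INTERNET" -p tcp --dport 3390 -j REDIRECT --to-port 3389
iptables -A INPUT -p tcp --dport 3389 -j ACCEPT
iptables -A FORWARD -d "$RDPCLIENTIP" -p tcp --dport 3389 -j ACCEPT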
- ------------------------------------------------------------------------------------------------
- Run the script on boot:
- nano /etc/rc.local
- Add the following:
- ------------------------------------------------------------------------------------------------
- sh /root/fwrules.sh
- ------------------------------------------------------------------------------------------------