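#!/bin/sh
# Firewall setup for a two-interface NAT gateway (eth0 = Internet, eth1 = LAN)
# with two VPN tunnels (tun0 = office<->office, tun1 = client<->server).
#
# Usage:        run as root, no arguments; everything is driven by the
#               variables in section 1.
# Depends on:   /sbin/iptables, /sbin/depmod and the local helper scripts
#               /usr/local/bin/iptables_flush, /usr/local/bin/routes_drop and
#               /usr/local/bin/routes_setup (not part of this file).
# Side effects: disables IPv4 forwarding, flushes and rebuilds every iptables
#               rule and route, then re-enables forwarding.  Progress goes to
#               stdout; every command is traced to stderr (set -x).
#
# Rule order matters: iptables evaluates a chain top to bottom and the first
# matching terminating rule wins, so the -A/-I calls below are kept in exactly
# this order.  Failures are deliberately NOT fatal (no `set -e`): the default
# policies are switched to DROP early, and aborting half-way could leave the
# box without the rules that allow remote administration.  Watch the -x trace
# for "iptables:" errors instead.
#
# Tracing is enabled here rather than in the shebang so it survives being run
# as `sh firewall.sh`.
set -x

###
echo "FIREWALL SETUP BEGIN:"
###
# 1. VARIABLES SETUP
##
echo " preparing variables"
# 1.1. Internet - public address space
#INET_IP="212.71.168.43"
#INET_IP="194.228.14.26"
INET_IP="195.39.10.74"
INET_IP_JG="195.168.22.82"
MAIL_IP_JG="195.168.22.83"
#INET_IP_MAIL="194.228.14.27"
INET_IFACE="eth0"
#INET_BROADCAST="194.228.14.31"
INET_BROADCAST="195.39.10.255"
INET_HTTP_PORT="80"
INET_IMAP_PORT="143"
INET_IMAPS_PORT="993"
INET_POP3_PORT="110"
INET_SMTP_PORT="25"
#T-mobile mm
ET="195.91.0.0/16"
##
# 1.2 Local LAN
LAN_IP="10.30.0.1"
# NOTE(review): /8 covers all of 10.0.0.0/8, not just the 10.30.0.x LAN that
# LAN_BROADCAST and the FORWARD/NAT rules below assume; it is currently only
# referenced from commented-out rules, so nothing active depends on it.
LAN_IP_RANGE="10.30.0.0/8"
LAN_BROADCAST="10.30.0.255"
LAN_IFACE="eth1"
##
# 1.2.1 Local LAN servers
HTTP_IP="10.30.0.2"
HTTP_PORT="80"
MAIL_IP="10.30.0.4"
MAIL_IMAP_PORT="143"
MAIL_IMAPS_PORT="993"
MAIL_POP3_PORT="110"
MAIL_SMTP_PORT="25"
MAIL_SMTPS_PORT="465"
MAIL_SMTP_PORT2="2255"
##
# 1.3 Local loopback
LO_IFACE="lo"
LO_IP="127.0.0.1"
##
# 1.4 Binaries variables
IPTABLES="/sbin/iptables"
DEPMOD="/sbin/depmod"
MODPROBE="/sbin/modprobe"
##
# 2. MODULES LOADING
##
echo " loading modules"
# 2.1 Refresh module dependencies
"$DEPMOD" -a
##
# 2.2 Load filtering modules, if they are not linked in kernel
##

###
# 3. CLEAN UP
##
# printf is used instead of `echo -n`: under #!/bin/sh the -n flag is not
# portable and some shells print it literally.
printf '%s' " cleaning previous setting("
# 3.1 Stop any routing on this box
printf '%s' "traffic stopped"
echo "0" > /proc/sys/net/ipv4/ip_forward

##
# 3.2 Flush all filtering chains
printf '%s' ",flushing chains"
/usr/local/bin/iptables_flush
##
# 3.3 Drop any routes
/usr/local/bin/routes_drop
printf '%s' ",dropping routes"
echo ")"
###
# 4. SETUP RULES
##
printf '%s' " setting up new rules("
# 4.1 Setup routes
/usr/local/bin/routes_setup
printf '%s' "routes"
##
# 4.2 Setup default policies (fail closed for inbound and forwarded traffic;
# anything not explicitly accepted below is dropped and, at the very end,
# logged via the log_drop chain)
printf '%s' ",default is DROP"
"$IPTABLES" -P INPUT DROP
"$IPTABLES" -P OUTPUT ACCEPT
"$IPTABLES" -P FORWARD DROP
##
# 4.3 Setup NAT for outgoing traffic
printf '%s' ",SNAT"
"$IPTABLES" -t nat -A POSTROUTING -o "$INET_IFACE" -j SNAT --to-source "$INET_IP"

##
# 4.4 Setup NAT for incoming traffic
printf '%s' ",DNAT"
# SMTP from the Internet to the internal mail server
"$IPTABLES" -t nat -A PREROUTING -p tcp -d "$INET_IP" --dport "$INET_SMTP_PORT" -j DNAT --to-destination "$MAIL_IP:$MAIL_SMTP_PORT"
# FIX: the DNAT target is only valid in the PREROUTING and OUTPUT chains of the
# nat table, so this rule in the nat INPUT chain was rejected by the kernel on
# every run; it also duplicated the PREROUTING rule above.  Kept for reference.
#"$IPTABLES" -t nat -A INPUT -p tcp -d "$INET_IP" --dport 25 -j DNAT --to-destination 10.30.0.4:25
# locally generated mail to our own public address goes to the internal server too
"$IPTABLES" -t nat -A OUTPUT -p tcp -d "$INET_IP" --dport "$INET_SMTP_PORT" -j DNAT --to-destination "$MAIL_IP:$MAIL_SMTP_PORT"
# routing to SMTP internal mail server
# NOTE(review): MAIL_SMTP_PORT and INET_SMTP_PORT are both 25, so the first
# PREROUTING rule above already matches (and terminates on) these packets;
# this rule is never reached.
"$IPTABLES" -t nat -A PREROUTING -p tcp -d "$INET_IP" --dport "$MAIL_SMTP_PORT" -j DNAT --to-destination "$MAIL_IP"
#"$IPTABLES" -t nat -A PREROUTING -p tcp -d "$INET_IP" --dport "$MAIL_SMTPS_PORT" -j DNAT --to-destination "$MAIL_IP"
# alternative submission port, mapped to 25 on the mail server
"$IPTABLES" -t nat -A PREROUTING -p tcp -d "$INET_IP" --dport "$MAIL_SMTP_PORT2" -j DNAT --to-destination "$MAIL_IP:25"
# IMAPS from inet to internal mail server
"$IPTABLES" -t nat -A PREROUTING -p tcp -d "$INET_IP" --dport "$MAIL_IMAPS_PORT" -j DNAT --to-destination "$MAIL_IP"
# SSH2 transfers incoming to port 5163 go to port 22 on the fileserver - used for
# file synchronisation and remote console access; source-restricted to INET_IP_JG
"$IPTABLES" -t nat -A PREROUTING -p tcp -d "$INET_IP" --dport 5163 -s "$INET_IP_JG" -j DNAT --to-destination 10.30.0.2:22
# access to JM webmail from the Internet (https only)
"$IPTABLES" -t nat -A PREROUTING -p tcp -d "$INET_IP" --dport 443 -j DNAT --to-destination 10.30.0.4:443
# VNC access to VB's notebook: see the "VB - VNC" rule further down

echo ")"
##
# 4.5 Filtering rules
printf '%s' " filtering rules("
# 4.5.1 Creating new chains
printf '%s' "adding chains"
"$IPTABLES" -N allowed
"$IPTABLES" -N icmp_packets
"$IPTABLES" -N bad_packets
"$IPTABLES" -N log_drop

# 4.5.2 ALLOWED chain: TCP services published to the Internet jump here
printf '%s' ",allowed chain"
# accept SYN packets (new connections)
"$IPTABLES" -t filter -A allowed -p tcp --syn -j ACCEPT
# accept established,related packets
"$IPTABLES" -t filter -A allowed -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
# drop the rest
"$IPTABLES" -t filter -A allowed -p tcp -j DROP

# 4.5.3 ICMP_PACKETS chain: only echo-request (8) and time-exceeded (11)
printf '%s' ",icmp_packets chain"
"$IPTABLES" -t filter -A icmp_packets -p icmp -s 0/0 --icmp-type 8 -j ACCEPT
"$IPTABLES" -t filter -A icmp_packets -p icmp -s 0/0 --icmp-type 11 -j ACCEPT

# 4.5.4 BAD_PACKETS chain
printf '%s' ",bad_packets chain"
# drop NEW packets that are not SYN - typical of ACK port scans
"$IPTABLES" -t filter -A bad_packets -p tcp ! --syn -m state --state NEW -j DROP

# LOG_DROP chain: rate-limited log entry, then drop
"$IPTABLES" -A log_drop -m limit --limit 5/s --limit-burst 8 -j LOG --log-ip-options --log-tcp-options --log-prefix fw-drop__ --log-level debug
# NOTE(review): `-m recent --set` always matches and only records the source in
# the default "recent" list, which nothing in this script reads; the rule is
# therefore a plain DROP and the final DROP below is never reached.
"$IPTABLES" -A log_drop -m recent --set -j DROP
"$IPTABLES" -A log_drop -j DROP

# 4.5.5 INPUT chain (traffic addressed to the firewall itself)
printf '%s' ",INPUT chain"
# drop bad tcp packets
"$IPTABLES" -t filter -A INPUT -p tcp -j bad_packets
# allow only several icmp types from INET to this box
"$IPTABLES" -t filter -A INPUT -p icmp -i "$INET_IFACE" -j icmp_packets
# accept incoming ntop from jaga.sk
#"$IPTABLES" -t filter -A INPUT -p tcp -d "$INET_IP" --dport 3000 -s "$INET_IP_JG" -j ACCEPT
# accept incoming ntop from mondy netlab
#"$IPTABLES" -t filter -A INPUT -p tcp -d "$INET_IP" --dport 3000 -s 84.245.71.69 -j ACCEPT
# accept incoming SSH2 connection from local net
#"$IPTABLES" -t filter -A INPUT -p tcp -d 10.100.1.2 --dport 22 -s 10.0.0.0/8 -j ACCEPT
# accept incoming SSH2 connection from jaga.sk
"$IPTABLES" -t filter -A INPUT -p tcp -d "$INET_IP" --dport 2222 -s "$INET_IP_JG" -j ACCEPT
"$IPTABLES" -t filter -A INPUT -p tcp -d "$INET_IP" --dport 2222 -s 87.197.118.84 -j ACCEPT
# NOTE(review): this rule has no -s restriction, so it accepts port 2222 from
# any source, makes the two source-restricted rules above redundant and exposes
# the service (SSH, per the comment above) to the whole Internet.  Confirm this
# is intended; otherwise remove it or add a -s restriction.
"$IPTABLES" -t filter -A INPUT -p tcp -d "$INET_IP" --dport 2222 -j ACCEPT
"$IPTABLES" -t filter -A INPUT -p tcp -d "$INET_IP" --dport 5900 -s "$INET_IP_JG" -j ACCEPT
# accept everything from the local network interface (the LAN is fully trusted
# towards the firewall host itself)
"$IPTABLES" -t filter -A INPUT -p all -i "$LAN_IFACE" -j ACCEPT
# accept local interface
"$IPTABLES" -t filter -A INPUT -p all -i "$LO_IFACE" -s "$LO_IP" -j ACCEPT
"$IPTABLES" -t filter -A INPUT -p all -i "$LO_IFACE" -s "$LAN_IP" -j ACCEPT
"$IPTABLES" -t filter -A INPUT -p all -i "$LO_IFACE" -s "$INET_IP" -j ACCEPT
# accept established and related packets from internet
"$IPTABLES" -t filter -A INPUT -p all -d "$INET_IP" -m state --state ESTABLISHED,RELATED -j ACCEPT



################
# BLOCK chains #
################
# block_www: LAN->INET traffic passes through here first.  RETURN continues
# evaluation in FORWARD (i.e. the host is allowed), DROP blocks the site.
#WWW: ALLOWED USERS
"$IPTABLES" -t filter -N block_www
"$IPTABLES" -t filter -A block_www -s 10.30.0.20 -j RETURN #brutovsky
"$IPTABLES" -t filter -A block_www -s 10.30.0.36 -j RETURN #mm
"$IPTABLES" -t filter -A block_www -s 10.30.0.11 -d 69.63.0.0/16 -j RETURN #sisolak FB
"$IPTABLES" -t filter -A block_www -s 10.30.0.16 -d 69.63.0.0/16 -j RETURN #hoskova FB
"$IPTABLES" -t filter -A block_www -s 10.30.0.23 -d 69.63.0.0/16 -j RETURN #kotalova FB
#"$IPTABLES" -t filter -I FORWARD -p tcp -i "$LAN_IFACE" -o "$INET_IFACE" -d 208.65.153.238 -s "$LAN_IP_RANGE" --dport 80 -j DROP
#"$IPTABLES" -t filter -I FORWARD -p tcp -i "$LAN_IFACE" -o "$INET_IFACE" -d 208.65.153.251 -s "$LAN_IP_RANGE" --dport 80 -j DROP
#"$IPTABLES" -t filter -I FORWARD -p tcp -i "$LAN_IFACE" -o "$INET_IFACE" -d 208.65.153.253 -s "$LAN_IP_RANGE" --dport 80 -j DROP
#block www.hry.cz for all
#"$IPTABLES" -t filter -I FORWARD -p tcp -i "$LAN_IFACE" -o "$INET_IFACE" -d 88.86.109.80 -s "$LAN_IP_RANGE" --dport 80 -j DROP
#----------------------------------------------------------------------------------------------------------------------------
#WWW: BLOCKED SITES (by IP range; these need updating whenever the sites move)
#youtube.com
"$IPTABLES" -t filter -A block_www -d 208.65.153.0/24 -j DROP
"$IPTABLES" -t filter -A block_www -d 208.117.236.0/24 -j DROP
#facebook.com
"$IPTABLES" -t filter -A block_www -d 69.63.184.0/24 -j DROP
"$IPTABLES" -t filter -A block_www -d 69.63.186.0/24 -j DROP
#hry.cz
"$IPTABLES" -t filter -A block_www -d 88.86.109.80 -j DROP
#----------------------------------------------------------------------------------------------------------------------------
# explicit RETURN (falling off the end of a user chain returns anyway)
"$IPTABLES" -A block_www -j RETURN

#PORTS: ALLOWED
"$IPTABLES" -t filter -N block_ports
"$IPTABLES" -t filter -A block_ports -s "$MAIL_IP" -j RETURN    #allow from mailserver
"$IPTABLES" -t filter -A block_ports -d "$MAIL_IP_JG" -j RETURN #mail.jaga.sk
#-------------------------------------------------------------------------------------------------
#"$IPTABLES" -t filter -A block_ports -p tcp --dport 25 -j DROP   #SMTP
#"$IPTABLES" -t filter -A block_ports -p tcp --dport 587 -j DROP  #SMTP
#----------------------------------------------------------------------------------------------------------------------------
"$IPTABLES" -A block_ports -j RETURN


# accept incoming SMTP connection
#added due to file server failure
#"$IPTABLES" -t filter -A INPUT -p tcp -d "$INET_IP" --dport "$INET_SMTP_PORT" -j ACCEPT
# SNMP from Jaga
"$IPTABLES" -t filter -A INPUT -p udp -s "$INET_IP_JG" --dport snmp -j ACCEPT

# 4.5.6 FORWARD chain (routed traffic)
printf '%s' ",FORWARD chain"
# drop bad tcp packets
"$IPTABLES" -t filter -A FORWARD -p tcp -j bad_packets

# forwarding from INTERNAL NETWORK to INET: run the block_www/block_ports
# filters first (they RETURN for allowed traffic)
"$IPTABLES" -t filter -A FORWARD -i "$LAN_IFACE" -o "$INET_IFACE" -j block_www
"$IPTABLES" -t filter -A FORWARD -i "$LAN_IFACE" -o "$INET_IFACE" -j block_ports

# accept forwarding from INTERNAL NETWORK to INET
"$IPTABLES" -t filter -A FORWARD -i "$LAN_IFACE" -o "$INET_IFACE" -j ACCEPT
# accept forwarding from INET to INTERNAL NETWORK when established or related
"$IPTABLES" -t filter -A FORWARD -i "$INET_IFACE" -o "$LAN_IFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT
# accept forwarding of HTTP from INET to INTERNAL NETWORK
# currently we do not have internal web server
# to fscz01
#"$IPTABLES" -t filter -A FORWARD -p tcp -i "$INET_IFACE" -o "$LAN_IFACE" -d "$HTTP_IP" --dport "$HTTP_PORT" -j allowed
# to webmail
"$IPTABLES" -t filter -A FORWARD -p tcp -i "$INET_IFACE" -o "$LAN_IFACE" -d 10.30.0.4 --dport 443 -j allowed
# to mscz01
"$IPTABLES" -t filter -A FORWARD -p tcp -i "$INET_IFACE" -o "$LAN_IFACE" -d 10.30.0.4 --dport "$HTTP_PORT" -j allowed
# accept forwarding of SMTP from INET to INTERNAL NETWORK
# disabled due to file server failure
#"$IPTABLES" -t filter -A FORWARD -p tcp -i "$INET_IFACE" -o "$LAN_IFACE" -d "$MAIL_IP" --dport "$MAIL_SMTP_PORT" -j allowed
# accept SMTP from INET to INTERNAL NETWORK
"$IPTABLES" -t filter -A FORWARD -p tcp -i "$INET_IFACE" -o "$LAN_IFACE" -d "$MAIL_IP" --dport "$MAIL_SMTP_PORT" -j allowed
#"$IPTABLES" -t filter -A FORWARD -p tcp -i "$INET_IFACE" -o "$LAN_IFACE" -d "$MAIL_IP" --dport "$MAIL_SMTPS_PORT" -j allowed
# accept forwarding of IMAPS from INET to INTERNAL NETWORK
"$IPTABLES" -t filter -A FORWARD -p tcp -i "$INET_IFACE" -o "$LAN_IFACE" -d "$MAIL_IP" --dport "$MAIL_IMAPS_PORT" -j allowed
#"$IPTABLES" -t filter -A FORWARD -p tcp -i "$INET_IFACE" -o "$LAN_IFACE" -d "$MAIL_IP" --dport "$MAIL_SMTP_PORT" -j allowed
#"$IPTABLES" -t filter -A FORWARD -p icmp -i "$INET_IFACE" -o "$LAN_IFACE" -d "$HTTP_IP" -j ACCEPT
# accept forwarding of all established,related (any interface pair)
"$IPTABLES" -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# accept forwarding to fileserver SSH2 for filesync (DNAT'd from 5163 above)
"$IPTABLES" -t filter -A FORWARD -p tcp -i "$INET_IFACE" -o "$LAN_IFACE" -d 10.30.0.2 --dport 22 -j allowed
# accept forwarding to my server SSH2
"$IPTABLES" -t filter -A FORWARD -p tcp -i "$INET_IFACE" -o "$LAN_IFACE" -d 10.30.0.3 --dport 22 -j allowed
# accept forwarding to mailserver SSH2
"$IPTABLES" -t filter -A FORWARD -p tcp -i "$INET_IFACE" -o "$LAN_IFACE" -d 10.30.0.4 --dport 22 -j allowed


#VB - VNC (public 5220 -> notebook 5900); NOTE(review): unlike the SSH DNAT
# above this one has no -s restriction
"$IPTABLES" -t nat -A PREROUTING -d "$INET_IP" -p tcp --dport 5220 -j DNAT --to-destination 10.30.0.29:5900

# accept forwarding from Prague to fileserver MySQL for replication
"$IPTABLES" -t filter -A FORWARD -p tcp -i "$INET_IFACE" -o "$LAN_IFACE" -d 10.30.0.2 --dport 3306 -j allowed

# accept forwarding to mailserver MySQL
"$IPTABLES" -t filter -A FORWARD -p tcp -i "$INET_IFACE" -o "$LAN_IFACE" -d 10.30.0.4 --dport 3306 -j allowed

# 4.5.7 OUTPUT chain
printf '%s' ",OUTPUT chain"
# drop bad tcp packets
###"$IPTABLES" -t filter -A OUTPUT -p tcp -j bad_packets
# output is not filtered (policy is already ACCEPT, so the per-interface
# rules below only add explicit accounting entries)
#"$IPTABLES" -t filter -A OUTPUT -p all -s "$LO_IP" -j ACCEPT
#"$IPTABLES" -t filter -A OUTPUT -p all -s "$INET_IP" -j ACCEPT
#"$IPTABLES" -t filter -A OUTPUT -p all -s "$LAN_IP" -j ACCEPT
"$IPTABLES" -t filter -A OUTPUT -p all -o eth0 -j ACCEPT
"$IPTABLES" -t filter -A OUTPUT -p all -o eth1 -j ACCEPT
"$IPTABLES" -t filter -A OUTPUT -p all -o tun0 -j ACCEPT
"$IPTABLES" -t filter -A OUTPUT -p all -o tun1 -j ACCEPT


echo ")"



### VPN ###
##### AA<->BA offices tunnel (tun0)
"$IPTABLES" -t filter -A INPUT -p udp -s 195.168.22.82 -d "$INET_IP" --dport 1196 -j ACCEPT
"$IPTABLES" -t filter -A INPUT -p tcp -s 195.168.22.82 -d "$INET_IP" --dport 1196 -j ACCEPT
#"$IPTABLES" -t filter -A INPUT -p udp -s 195.168.22.82 -d "$INET_IP" --dport 1194 -j ACCEPT
#"$IPTABLES" -t filter -A INPUT -p tcp -s 195.168.22.82 -d "$INET_IP" --dport 1194 -j ACCEPT
"$IPTABLES" -t filter -A INPUT -i tun0 -j ACCEPT
#"$IPTABLES" -t filter -A INPUT -i br0 -j ACCEPT
#"$IPTABLES" -t filter -A INPUT -i tap0 -j ACCEPT

"$IPTABLES" -t filter -A FORWARD -i tun0 -o eth1 -j ACCEPT
"$IPTABLES" -t filter -A FORWARD -i eth1 -o tun0 -j ACCEPT
#"$IPTABLES" -t filter -A FORWARD -i br0 -j ACCEPT
#"$IPTABLES" -t filter -A FORWARD -i br0 -o eth1 -j ACCEPT
#"$IPTABLES" -t filter -A FORWARD -i eth1 -o br0 -j ACCEPT

### INPUT: block unacceptable traffic through the bridge
## block DHCP
#"$IPTABLES" -A INPUT -p tcp -i tap0 --dport 67:68 -j DROP
#"$IPTABLES" -A INPUT -p udp -i tap0 --dport 67:68 -j DROP
### FORWARD: block unacceptable traffic through the bridge
## block DHCP
#"$IPTABLES" -A FORWARD -p tcp -i tap0 -o eth1 --dport 67:68 -j DROP
#"$IPTABLES" -A FORWARD -p tcp -i eth1 -o tap0 --dport 67:68 -j DROP
#"$IPTABLES" -A FORWARD -p udp -i tap0 -o eth1 --dport 67:68 -j DROP
#"$IPTABLES" -A FORWARD -p udp -i eth1 -o tap0 --dport 67:68 -j DROP

# masquerade LAN traffic into the office tunnel, except for the remote office
# subnet itself.  FIX: negation written as `! -d` - the intrapositioned
# `-d ! ...` form is deprecated and only accepted with a warning.
"$IPTABLES" -t nat -A POSTROUTING -o tun0 -s 10.30.0.0/24 ! -d 10.1.1.0/24 -j MASQUERADE
#"$IPTABLES" -t nat -A POSTROUTING -o tun0 -s 10.30.0.0/24 ! -d 100.1.1.0/24 -j MASQUERADE
#"$IPTABLES" -t nat -A POSTROUTING -o tun0 -s 10.30.0.0/24 -j MASQUERADE


##### CLIENT<->SERVER TUNNEL (tun1)
#### INPUT chain
## GLOBAL
"$IPTABLES" -A INPUT -p udp -d "$INET_IP" --dport 1195 -j ACCEPT
# allow input to fw only for administrators.  -I puts this at the top of INPUT,
# ahead of the bad_packets jump appended earlier.
"$IPTABLES" -I INPUT -i tun1 -s 10.40.1.0/24 -j ACCEPT

"$IPTABLES" -I FORWARD -i eth1 -o tun1 -j ACCEPT
"$IPTABLES" -t nat -A POSTROUTING -o tun1 -s 10.30.0.0/24 -j MASQUERADE

#### FORWARD chain
# Everything from here on uses -I (insert at position 1), so each rule lands
# ABOVE the one before it; the final order in the chain is the reverse of the
# order written here.
## allow ping for all clients
# JAGAMEDIA network
"$IPTABLES" -I FORWARD -p icmp -m icmp --icmp-type 8 -m limit --limit 25/sec --limit-burst 8 -i tun1 -o eth1 -j ACCEPT
# JAGA network
"$IPTABLES" -I FORWARD -p icmp -m icmp --icmp-type 8 -m limit --limit 25/sec --limit-burst 8 -i tun1 -o tun0 -j ACCEPT
"$IPTABLES" -I FORWARD -p icmp -m icmp --icmp-type 8 -m limit --limit 25/sec --limit-burst 8 -i tun0 -o tun1 -j ACCEPT
#-----------------------------------------------------------------------------------------------------------------
### allowing access for administrators (subnet 10.40.1.0-CZ and 10.3.1.0-SK) to servers and services
## GLOBAL
"$IPTABLES" -I FORWARD -i tun1 -o eth1 -s 10.40.1.0/24 -j ACCEPT
"$IPTABLES" -I FORWARD -i tun0 -o tun1 -s 10.3.1.0/24 -j ACCEPT
# allow all traffic between the two tunnel ifaces (providing connection from JAGAMEDIA VPN tunnel to JAGA network)
"$IPTABLES" -I FORWARD -i tun0 -o tun1 -d 10.40.1.0/24 -j ACCEPT
"$IPTABLES" -I FORWARD -i tun1 -o tun0 -s 10.40.1.0/24 -j ACCEPT
#-----------------------------------------------------------------------------------------------------------------
### allowing access for employees (subnet 10.40.2.0) only to these servers and services
## GLOBAL
# primary dns server
"$IPTABLES" -I FORWARD -p udp -i tun1 -o eth1 -s 10.40.2.0/24 -d 10.30.0.4 --dport 53 -j ACCEPT
# file server (service: netbios-ss, smb, #netbios-ns)
"$IPTABLES" -I FORWARD -p tcp -i tun1 -o eth1 -s 10.40.2.0/24 -d 10.30.0.2 --dport 139 -j ACCEPT
"$IPTABLES" -I FORWARD -p tcp -i tun1 -o eth1 -s 10.40.2.0/24 -d 10.30.0.2 --dport 445 -j ACCEPT
# ($IT below is not defined anywhere in this script)
#$IT -I FORWARD -p udp -i tun1 -o eth1 -s 10.40.2.0/24 -d 10.30.0.2 --dport 137 -j ACCEPT
# SK intranet server (service: http)
"$IPTABLES" -I FORWARD -p tcp -i tun1 -o tun0 -s 10.40.2.0/24 -d 10.1.1.9 --dport 80 -j ACCEPT
"$IPTABLES" -I FORWARD -p tcp -i tun0 -o tun1 -d 10.40.2.0/24 -s 10.1.1.9 --dport 80 -j ACCEPT
# SK naxos server (service: http, https)
"$IPTABLES" -I FORWARD -p tcp -i tun1 -o tun0 -s 10.40.2.0/24 -d 10.1.1.15 --dport 80 -j ACCEPT
"$IPTABLES" -I FORWARD -p tcp -i tun0 -o tun1 -d 10.40.2.0/24 -s 10.1.1.15 --dport 80 -j ACCEPT
"$IPTABLES" -I FORWARD -p tcp -i tun1 -o tun0 -s 10.40.2.0/24 -d 10.1.1.15 --dport 443 -j ACCEPT
"$IPTABLES" -I FORWARD -p tcp -i tun0 -o tun1 -d 10.40.2.0/24 -s 10.1.1.15 --dport 443 -j ACCEPT
# SK contract server (service: http, olap, calculations)
"$IPTABLES" -I FORWARD -p tcp -i tun1 -o tun0 -s 10.40.2.0/24 -d 10.1.1.11 --dport 80 -j ACCEPT
"$IPTABLES" -I FORWARD -p tcp -i tun0 -o tun1 -d 10.40.2.0/24 -s 10.1.1.11 --dport 80 -j ACCEPT
"$IPTABLES" -I FORWARD -p tcp -i tun1 -o tun0 -s 10.40.2.0/24 -d 10.1.1.11 -m multiport --dports 2382,2383 -j ACCEPT
"$IPTABLES" -I FORWARD -p tcp -i tun0 -o tun1 -d 10.40.2.0/24 -s 10.1.1.11 -m multiport --dports 2382,2383 -j ACCEPT
"$IPTABLES" -I FORWARD -p tcp -i tun1 -o tun0 -s 10.40.2.0/24 -d 10.1.1.11 --dport 1433 -j ACCEPT
"$IPTABLES" -I FORWARD -p tcp -i tun0 -o tun1 -d 10.40.2.0/24 -s 10.1.1.11 --dport 1433 -j ACCEPT
# vb wifi
#"$IPTABLES" -I FORWARD -p tcp -i eth1 -o tun0 -s 192.168.1.0/24 -d 10.1.1.11 --dport 80 -j ACCEPT
#"$IPTABLES" -I FORWARD -p tcp -i tun0 -o eth1 -d 192.168.1.0/24 -s 10.1.1.11 --dport 80 -j ACCEPT
"$IPTABLES" -I FORWARD -p tcp -i eth1 -o tun0 -s 10.30.0.0/24 -d 10.1.1.11 -m multiport --dports 2393,2394 -j ACCEPT
"$IPTABLES" -I FORWARD -p tcp -i tun0 -o eth1 -d 10.30.0.0/24 -s 10.1.1.11 -m multiport --dports 2393,2394 -j ACCEPT
#"$IPTABLES" -I FORWARD -p tcp -i eth1 -o tun0 -s 192.168.1.0/24 -d 10.1.1.11 --dport 1433 -j ACCEPT
#"$IPTABLES" -I FORWARD -p tcp -i tun0 -o eth1 -d 192.168.1.0/24 -s 10.1.1.11 --dport 1433 -j ACCEPT


# mail server (service: imap, imaps, smtp, webmail)
"$IPTABLES" -I FORWARD -p tcp -i tun1 -o eth1 -s 10.40.2.0/24 -d 10.30.0.4 --dport 143 -j ACCEPT
"$IPTABLES" -I FORWARD -p tcp -i tun1 -o eth1 -s 10.40.2.0/24 -d 10.30.0.4 --dport 993 -j ACCEPT
"$IPTABLES" -I FORWARD -p tcp -i tun1 -o eth1 -s 10.40.2.0/24 -d 10.30.0.4 --dport 25 -j ACCEPT
"$IPTABLES" -I FORWARD -p tcp -i tun1 -o eth1 -s 10.40.2.0/24 -d 10.30.0.4 --dport 80 -j ACCEPT
"$IPTABLES" -I FORWARD -p tcp -i tun1 -o eth1 -s 10.40.2.0/24 -d 10.30.0.4 --dport 443 -j ACCEPT
#-----------------------------------------------------------------------------------------------------------------
### allowing specific access (subnet 10.40.3.0) only to these servers and services
## GLOBAL
# primary dns server
"$IPTABLES" -I FORWARD -p udp -i tun1 -o eth1 -s 10.40.3.0/24 -d 10.30.0.4 --dport 53 -j ACCEPT
#-----------------------------------------------------------------------------------------------------------------


# ($IT, $VERSITY and $JG_KENNY2 are not defined anywhere in this script)
#$IT -t nat -A PREROUTING -d $INET_IP -s $VERSITY -p tcp --dport 24500 -j DNAT --to-destination $JG_KENNY2:3389


###
# DEFAULT: log everything the INPUT and FORWARD chains did not accept, then
# drop it (the chain policies are already DROP; this adds the logging)
for CHAIN in INPUT FORWARD; do
  "$IPTABLES" -A "$CHAIN" -j log_drop
done


###
# 5. RESTORE TRAFFIC
##
# 5.1 Allow routing on this box
echo " restoring traffic"
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "FIREWALL SETUP COMPLETED"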