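#!/bin/sh -x
# Firewall setup for the office gateway: eth0 = public side, eth1 = local LAN,
# tun0 = office<->office tunnel, tun1 = client tunnel (see sections 4.5.6 and VPN).
# Sections: 1 variables, 2 modules, 3 clean-up, 4 rules (NAT + filter), 5 restore.
# NOTE: the '-x' in the shebang only takes effect when the file is executed
# directly; 'sh firewall.sh' ignores it. There is no 'set -e': a failing
# iptables call does not stop the run.
###
echo "FIREWALL SETUP BEGIN:"
###
# 1. VARIABLES SETUP
##
echo " preparing variables"
# 1.1. Internet - public address space
# Older public addresses, kept for reference only.
#INET_IP="212.71.168.43"
#INET_IP="194.228.14.26"
INET_IP="195.39.10.74"          # this box's public address (on $INET_IFACE)
INET_IP_JG="195.168.22.82"      # peer office; source of the admin SSH/SNMP/VPN rules
MAIL_IP_JG="195.168.22.83"      # peer office mail server (exempt in block_ports)
#INET_IP_MAIL="194.228.14.27"
INET_IFACE="eth0"
#INET_BROADCAST="194.228.14.31"
INET_BROADCAST="195.39.10.255"
INET_HTTP_PORT="80"
INET_IMAP_PORT="143"
INET_IMAPS_PORT="993"
INET_POP3_PORT="110"
INET_SMTP_PORT="25"
#T-mobile mm
ET="195.91.0.0/16"              # not referenced by any active rule
##
# 1.2 Local LAN
LAN_IP="10.30.0.1"
# Was "10.30.0.0/8": that prefix has host bits set and iptables reads it as
# 10.0.0.0/8, i.e. the whole 10/8 space including the VPN subnets. LAN_IP,
# LAN_BROADCAST and every active rule use a /24, so the range is a /24 too.
# Only commented-out rules reference this variable at present.
LAN_IP_RANGE="10.30.0.0/24"
LAN_BROADCAST="10.30.0.255"
LAN_IFACE="eth1"
##
# 1.2.1 Local LAN servers
HTTP_IP="10.30.0.2"             # fileserver (also SSH/MySQL target in 4.5.6)
HTTP_PORT="80"
MAIL_IP="10.30.0.4"             # mail/webmail/DNS server
MAIL_IMAP_PORT="143"
MAIL_IMAPS_PORT="993"
MAIL_POP3_PORT="110"
MAIL_SMTP_PORT="25"
MAIL_SMTPS_PORT="465"
MAIL_SMTP_PORT2="2255"          # second public SMTP entry port, DNATed to 25
##
# 1.3 Local loopback
LO_IFACE="lo"
LO_IP="127.0.0.1"
##
# 1.4 Binaries variables
IPTABLES="/sbin/iptables"
DEPMOD="/sbin/depmod"
MODPROBE="/sbin/modprobe"
##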
- # 2. MODULES LOADING
- ##
- echo " loading modules"
- # 2.1 Refresh modules depencies
- $DEPMOD -a
- ##
- # 2.2 Load filtering modules, if they are not linked in kernel
- ##
- ###
- # 3. CLEAN UP
- ##
- echo -n " cleaning previous setting("
- # 3.1 Stop any routing on this box
- echo -n "traffic stopped"
- echo "0" > /proc/sys/net/ipv4/ip_forward
- ##
- # 3.2 Flush all filtering chains
- echo -n ",flushing chains"
- /usr/local/bin/iptables_flush
- ##
- # 3.3 Drop any routes
- /usr/local/bin/routes_drop
- echo -n ",dropping routes"
- echo ")"
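###
# 4. SETUP RULES
##
printf '%s' " setting up new rules("
# 4.1 Setup routes
/usr/local/bin/routes_setup
printf '%s' "routes"
##
# 4.2 Setup default policies
# Fail closed: if a policy cannot be installed there is no point in adding
# rules, and exiting here leaves ip_forward at 0 (set in 3.1), so the box does
# not start routing behind an incomplete rule set.
printf '%s' ",default is DROP"
$IPTABLES -P INPUT DROP || { echo "cannot set INPUT policy" >&2; exit 1; }
$IPTABLES -P OUTPUT ACCEPT || { echo "cannot set OUTPUT policy" >&2; exit 1; }
$IPTABLES -P FORWARD DROP || { echo "cannot set FORWARD policy" >&2; exit 1; }
##
# 4.3 Setup NAT for outgoing traffic
# No -s match: every packet leaving $INET_IFACE is rewritten to $INET_IP,
# whichever interface (LAN or tunnel) it arrived on.
printf '%s' ",SNAT"
$IPTABLES -t nat -A POSTROUTING -o "$INET_IFACE" -j SNAT --to-source "$INET_IP"
##
# 4.4 Setup NAT for incoming traffic
printf '%s' ",DNAT"
# SMTP from the Internet (PREROUTING) and from this box (OUTPUT) to the
# internal mail server.
$IPTABLES -t nat -A PREROUTING -p tcp -d "$INET_IP" --dport "$INET_SMTP_PORT" -j DNAT --to-destination "$MAIL_IP:$MAIL_SMTP_PORT"
$IPTABLES -t nat -A OUTPUT -p tcp -d "$INET_IP" --dport "$INET_SMTP_PORT" -j DNAT --to-destination "$MAIL_IP:$MAIL_SMTP_PORT"
# Removed: a DNAT rule in the nat INPUT chain. DNAT is only valid in
# PREROUTING and OUTPUT, so iptables rejected that line on every run.
# Duplicate of the INET_SMTP_PORT rule above (both ports are 25), kept for reference:
#$IPTABLES -t nat -A PREROUTING -p tcp -d $INET_IP --dport $MAIL_SMTP_PORT -j DNAT --to-destination $MAIL_IP
#$IPTABLES -t nat -A PREROUTING -p tcp -d $INET_IP --dport $MAIL_SMTPS_PORT -j DNAT --to-destination $MAIL_IP
# second public SMTP entry port (2255) -> 25 on the mail server
$IPTABLES -t nat -A PREROUTING -p tcp -d "$INET_IP" --dport "$MAIL_SMTP_PORT2" -j DNAT --to-destination "$MAIL_IP:25"
#IMAPS from inet to internal mail server
$IPTABLES -t nat -A PREROUTING -p tcp -d "$INET_IP" --dport "$MAIL_IMAPS_PORT" -j DNAT --to-destination "$MAIL_IP"
#SSH2: public port 5163 -> port 22 on the fileserver (file synchronisation and
#remote console), accepted from the peer office address only
$IPTABLES -t nat -A PREROUTING -p tcp -d "$INET_IP" --dport 5163 -s "$INET_IP_JG" -j DNAT --to-destination 10.30.0.2:22
#access to JM webmail from the Internet (https only)
$IPTABLES -t nat -A PREROUTING -p tcp -d "$INET_IP" --dport 443 -j DNAT --to-destination 10.30.0.4:443
#VNC access to the VB notebook: the DNAT for it sits in 4.5.6 ("VB - VNC")
echo ")"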
##
# 4.5 Filtering rules
# All of the chains below live in the filter table, which is iptables'
# default, so '-t filter' is not repeated on every line.
echo -n " filtering rules("
# 4.5.1 Creating new chains
echo -n "adding chains"
for chain in allowed icmp_packets bad_packets log_drop; do
  $IPTABLES -N "$chain"
done
# 4.5.2 ALLOWED chain: TCP entry point used by the FORWARD service rules.
# New connections (SYN) and replies pass; any other TCP packet is dropped.
echo -n ",allowed chain"
$IPTABLES -A allowed -p tcp --syn -j ACCEPT
$IPTABLES -A allowed -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p tcp -j DROP
# 4.5.3 ICMP_PACKETS chain: only echo-request (8) and time-exceeded (11) are
# accepted; other types return to the calling chain.
echo -n ",icmp_packets chain"
for icmp_type in 8 11; do
  $IPTABLES -A icmp_packets -p icmp -s 0/0 --icmp-type "$icmp_type" -j ACCEPT
done
# 4.5.4 BAD_PACKETS chain: a NEW TCP packet without SYN (e.g. an ACK scan)
# is dropped; everything else returns to the caller.
echo -n ",bad_packets chain"
$IPTABLES -A bad_packets -p tcp ! --syn -m state --state NEW -j DROP
# LOG_DROP chain: rate-limited kernel log entry, then DROP. The '-m recent
# --set' rule records the source address but no rule in this script consults
# that list; the trailing plain DROP is the fallback in case the recent match
# cannot be loaded.
$IPTABLES -A log_drop -m limit --limit 5/s --limit-burst 8 -j LOG --log-ip-options --log-tcp-options --log-prefix fw-drop__ --log-level debug
$IPTABLES -A log_drop -m recent --set -j DROP
$IPTABLES -A log_drop -j DROP
# 4.5.5 INPUT chain (filter table is the default, '-t filter' omitted)
echo -n ",INPUT chain"
# every TCP packet first goes through the bad_packets check
$IPTABLES -A INPUT -p tcp -j bad_packets
# ICMP from the public interface: only the types listed in icmp_packets
$IPTABLES -A INPUT -p icmp -i "$INET_IFACE" -j icmp_packets
# ntop from jaga.sk / mondy netlab - disabled
#$IPTABLES -t filter -A INPUT -p tcp -d $INET_IP --dport 3000 -s $INET_IP_JG -j ACCEPT
#$IPTABLES -t filter -A INPUT -p tcp -d $INET_IP --dport 3000 -s 84.245.71.69 -j ACCEPT
# SSH2 from the local net to an old address - disabled
#$IPTABLES -t filter -A INPUT -p tcp -d 10.100.1.2 --dport 22 -s 10.0.0.0/8 -j ACCEPT
# SSH2 (port 2222) to this box from jaga.sk and one more fixed address
$IPTABLES -A INPUT -p tcp -d "$INET_IP" --dport 2222 -s "$INET_IP_JG" -j ACCEPT
$IPTABLES -A INPUT -p tcp -d "$INET_IP" --dport 2222 -s 87.197.118.84 -j ACCEPT
# NOTE(review): the next rule has no -s match, so port 2222 is reachable from
# any source and the two source-restricted rules above it are redundant.
# Confirm that unrestricted SSH exposure is intended.
$IPTABLES -A INPUT -p tcp -d "$INET_IP" --dport 2222 -j ACCEPT
# VNC to this box, peer office only
$IPTABLES -A INPUT -p tcp -d "$INET_IP" --dport 5900 -s "$INET_IP_JG" -j ACCEPT
# everything arriving on the LAN interface
$IPTABLES -A INPUT -p all -i "$LAN_IFACE" -j ACCEPT
# loopback, from each of this box's own addresses
for own_ip in "$LO_IP" "$LAN_IP" "$INET_IP"; do
  $IPTABLES -A INPUT -p all -i "$LO_IFACE" -s "$own_ip" -j ACCEPT
done
# replies to connections this box opened towards the Internet
$IPTABLES -A INPUT -p all -d "$INET_IP" -m state --state ESTABLISHED,RELATED -j ACCEPT
################
# BLOCK chains #
################
# block_www is called from FORWARD for LAN->Internet traffic: RETURN lets the
# packet continue to the ACCEPT that follows in FORWARD, DROP blocks it.
#WWW: ALLOWED USERS (exempt from the site blocks below)
$IPTABLES -N block_www
$IPTABLES -A block_www -s 10.30.0.20 -j RETURN #brutovsky
$IPTABLES -A block_www -s 10.30.0.36 -j RETURN #mm
# these three are exempt for the 69.63.0.0/16 (facebook) range only
$IPTABLES -A block_www -s 10.30.0.11 -d 69.63.0.0/16 -j RETURN #sisolak FB
$IPTABLES -A block_www -s 10.30.0.16 -d 69.63.0.0/16 -j RETURN #hoskova FB
$IPTABLES -A block_www -s 10.30.0.23 -d 69.63.0.0/16 -j RETURN #kotalova FB
# earlier per-destination FORWARD drops - disabled
#$IPTABLES -t filter -I FORWARD -p tcp -i $LAN_IFACE -o $INET_IFACE -d 208.65.153.238 -s $LAN_IP_RANGE --dport 80 -j DROP
#$IPTABLES -t filter -I FORWARD -p tcp -i $LAN_IFACE -o $INET_IFACE -d 208.65.153.251 -s $LAN_IP_RANGE --dport 80 -j DROP
#$IPTABLES -t filter -I FORWARD -p tcp -i $LAN_IFACE -o $INET_IFACE -d 208.65.153.253 -s $LAN_IP_RANGE --dport 80 -j DROP
#block www.hry.cz for all
#$IPTABLES -t filter -I FORWARD -p tcp -i $LAN_IFACE -o $INET_IFACE -d 88.86.109.80 -s $LAN_IP_RANGE --dport 80 -j DROP
#----------------------------------------------------------------------------
#WWW: BLOCKED SITES (matched by destination address)
#youtube.com
$IPTABLES -A block_www -d 208.65.153.0/24 -j DROP
$IPTABLES -A block_www -d 208.117.236.0/24 -j DROP
#facebook.com
$IPTABLES -A block_www -d 69.63.184.0/24 -j DROP
$IPTABLES -A block_www -d 69.63.186.0/24 -j DROP
#hry.cz
$IPTABLES -A block_www -d 88.86.109.80 -j DROP
#----------------------------------------------------------------------------
$IPTABLES -A block_www -j RETURN
# block_ports: same calling convention. With the SMTP drops commented out
# every packet currently RETURNs.
#PORTS: ALLOWED
$IPTABLES -N block_ports
$IPTABLES -A block_ports -s "$MAIL_IP" -j RETURN #allow from mailserver
$IPTABLES -A block_ports -d "$MAIL_IP_JG" -j RETURN #mail.jaga.sk
#----------------------------------------------------------------------------
#$IPTABLES -t filter -A block_ports -p tcp --dport 25 -j DROP #SMTP
#$IPTABLES -t filter -A block_ports -p tcp --dport 587 -j DROP #SMTP
#----------------------------------------------------------------------------
$IPTABLES -A block_ports -j RETURN
# SMTP delivered to this box itself - disabled (SMTP is DNATed to the mail
# server in 4.4)
#$IPTABLES -t filter -A INPUT -p tcp -d $INET_IP --dport $INET_SMTP_PORT -j ACCEPT
# SNMP from Jaga
$IPTABLES -A INPUT -p udp -s "$INET_IP_JG" --dport snmp -j ACCEPT
# 4.5.6 FORWARD chain (filter table is the default, '-t filter' omitted)
echo -n ",FORWARD chain"
# TCP sanity check first
$IPTABLES -A FORWARD -p tcp -j bad_packets
# LAN -> Internet: the two block chains run first (they RETURN or DROP),
# then everything left is accepted
$IPTABLES -A FORWARD -i "$LAN_IFACE" -o "$INET_IFACE" -j block_www
$IPTABLES -A FORWARD -i "$LAN_IFACE" -o "$INET_IFACE" -j block_ports
$IPTABLES -A FORWARD -i "$LAN_IFACE" -o "$INET_IFACE" -j ACCEPT
# Internet -> LAN: replies only
$IPTABLES -A FORWARD -i "$INET_IFACE" -o "$LAN_IFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT
# Internet -> LAN services. Each goes through the 'allowed' chain (SYN or
# established only); most of them pair with a DNAT rule in 4.4.
# HTTP to fscz01 - disabled, there is no internal web server at present
#$IPTABLES -t filter -A FORWARD -p tcp -i $INET_IFACE -o $LAN_IFACE -d $HTTP_IP --dport $HTTP_PORT -j allowed
# webmail (https) and http on mscz01
$IPTABLES -A FORWARD -p tcp -i "$INET_IFACE" -o "$LAN_IFACE" -d 10.30.0.4 --dport 443 -j allowed
$IPTABLES -A FORWARD -p tcp -i "$INET_IFACE" -o "$LAN_IFACE" -d 10.30.0.4 --dport "$HTTP_PORT" -j allowed
# SMTP to the mail server (the commented copy is the same rule)
#$IPTABLES -t filter -A FORWARD -p tcp -i $INET_IFACE -o $LAN_IFACE -d $MAIL_IP --dport $MAIL_SMTP_PORT -j allowed
$IPTABLES -A FORWARD -p tcp -i "$INET_IFACE" -o "$LAN_IFACE" -d "$MAIL_IP" --dport "$MAIL_SMTP_PORT" -j allowed
#$IPTABLES -t filter -A FORWARD -p tcp -i $INET_IFACE -o $LAN_IFACE -d $MAIL_IP --dport $MAIL_SMTPS_PORT -j allowed
# IMAPS to the mail server
$IPTABLES -A FORWARD -p tcp -i "$INET_IFACE" -o "$LAN_IFACE" -d "$MAIL_IP" --dport "$MAIL_IMAPS_PORT" -j allowed
#$IPTABLES -t filter -A FORWARD -p tcp -i $INET_IFACE -o $LAN_IFACE -d $MAIL_IP --dport $MAIL_SMTP_PORT -j allowed
#$IPTABLES -t filter -A FORWARD -p icmp -i $INET_IFACE -o $LAN_IFACE -d $HTTP_IP -j ACCEPT
# any established/related flow, whatever the interfaces
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# SSH2 to the fileserver (file sync), my server and the mail server
for ssh_host in 10.30.0.2 10.30.0.3 10.30.0.4; do
  $IPTABLES -A FORWARD -p tcp -i "$INET_IFACE" -o "$LAN_IFACE" -d "$ssh_host" --dport 22 -j allowed
done
#VB - VNC: public port 5220 -> 10.30.0.29:5900
# NOTE(review): no FORWARD rule for 10.30.0.29 appears anywhere in this
# script, so the DNATed packets should end in the FORWARD DROP policy.
# Verify whether this entry is stale or an accept rule went missing.
$IPTABLES -t nat -A PREROUTING -d "$INET_IP" -p tcp --dport 5220 -j DNAT --to-destination 10.30.0.29:5900
# MySQL to the fileserver (replication from Prague) and to the mail server
for mysql_host in 10.30.0.2 10.30.0.4; do
  $IPTABLES -A FORWARD -p tcp -i "$INET_IFACE" -o "$LAN_IFACE" -d "$mysql_host" --dport 3306 -j allowed
done
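# 4.5.7 OUTPUT chain
printf '%s' ",OUTPUT chain"
# Locally generated traffic is not filtered. The OUTPUT policy is already
# ACCEPT (4.2); the per-interface accepts below are belt and braces.
###$IPTABLES -t filter -A OUTPUT -p tcp -j bad_packets
#$IPTABLES -t filter -A OUTPUT -p all -s $LO_IP -j ACCEPT
#$IPTABLES -t filter -A OUTPUT -p all -s $INET_IP -j ACCEPT
#$IPTABLES -t filter -A OUTPUT -p all -s $LAN_IP -j ACCEPT
# Interface names come from section 1 instead of literal eth0/eth1, so a NIC
# rename is made in one place only (tun0/tun1 have no variable of their own).
for out_iface in "$INET_IFACE" "$LAN_IFACE" tun0 tun1; do
  $IPTABLES -t filter -A OUTPUT -p all -o "$out_iface" -j ACCEPT
done
echo ")"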
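### VPN ###
#####AA<->BA offices tunnel (tun0)
# Tunnel endpoint on 1196 udp+tcp, accepted from the peer office only.
# 195.168.22.82 is $INET_IP_JG; the variable is used instead of the literal.
$IPTABLES -t filter -A INPUT -p udp -s "$INET_IP_JG" -d "$INET_IP" --dport 1196 -j ACCEPT
$IPTABLES -t filter -A INPUT -p tcp -s "$INET_IP_JG" -d "$INET_IP" --dport 1196 -j ACCEPT
#$IPTABLES -t filter -A INPUT -p udp -s 195.168.22.82 -d $INET_IP --dport 1194 -j ACCEPT
#$IPTABLES -t filter -A INPUT -p tcp -s 195.168.22.82 -d $INET_IP --dport 1194 -j ACCEPT
# anything arriving through the office tunnel may reach this box ...
$IPTABLES -t filter -A INPUT -i tun0 -j ACCEPT
#$IPTABLES -t filter -A INPUT -i br0 -j ACCEPT
#$IPTABLES -t filter -A INPUT -i tap0 -j ACCEPT
# ... and is forwarded in both directions between the tunnel and the LAN
$IPTABLES -t filter -A FORWARD -i tun0 -o "$LAN_IFACE" -j ACCEPT
$IPTABLES -t filter -A FORWARD -i "$LAN_IFACE" -o tun0 -j ACCEPT
#$IPTABLES -t filter -A FORWARD -i br0 -j ACCEPT
#$IPTABLES -t filter -A FORWARD -i br0 -o eth1 -j ACCEPT
#$IPTABLES -t filter -A FORWARD -i eth1 -o br0 -j ACCEPT
###INPUT block unacceptable traffic through bridge (bridge setup disabled)
##block DHCP
#$IPTABLES -A INPUT -p tcp -i tap0 --dport 67:68 -j DROP
#$IPTABLES -A INPUT -p udp -i tap0 --dport 67:68 -j DROP
###FORWARD block unacceptable traffic through bridge
##block DHCP
#$IPTABLES -A FORWARD -p tcp -i tap0 -o eth1 --dport 67:68 -j DROP
#$IPTABLES -A FORWARD -p tcp -i eth1 -o tap0 --dport 67:68 -j DROP
#$IPTABLES -A FORWARD -p udp -i tap0 -o eth1 --dport 67:68 -j DROP
#$IPTABLES -A FORWARD -p udp -i eth1 -o tap0 --dport 67:68 -j DROP
# LAN hosts leaving through the office tunnel are masqueraded, except when
# the destination is 10.1.1.0/24 on the far side, which keeps the real
# 10.30.0.x source. '! -d' is the documented negation form; the former
# intrapositioned '-d !' is the deprecated spelling newer iptables warns about.
$IPTABLES -t nat -A POSTROUTING -o tun0 -s 10.30.0.0/24 ! -d 10.1.1.0/24 -j MASQUERADE
#$IPTABLES -t nat -A POSTROUTING -o tun0 -s 10.30.0.0/24 -d ! 100.1.1.0/24 -j MASQUERADE
#$IPTABLES -t nat -A POSTROUTING -o tun0 -s 10.30.0.0/24 -j MASQUERADE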
#####CLIENT<->SERVER TUNNEL (tun1)
####INPUT chain
##GLOBAL
# tunnel endpoint on 1195/udp, open to any source
$IPTABLES -A INPUT -p udp -d "$INET_IP" --dport 1195 -j ACCEPT
# only the administrator subnet may talk to the firewall itself over the
# tunnel. Note that every '-I' below goes to the head of its chain, i.e.
# ahead of the bad_packets check and of the block chains.
$IPTABLES -I INPUT -i tun1 -s 10.40.1.0/24 -j ACCEPT
$IPTABLES -I FORWARD -i eth1 -o tun1 -j ACCEPT
$IPTABLES -t nat -A POSTROUTING -o tun1 -s 10.30.0.0/24 -j MASQUERADE
####FORWARD chain
##allow ping for all clients (echo-request only, rate limited)
#JAGAMEDIA network
$IPTABLES -I FORWARD -p icmp -m icmp --icmp-type 8 -m limit --limit 25/sec --limit-burst 8 -i tun1 -o eth1 -j ACCEPT
#JAGA network, both directions between the two tunnels
$IPTABLES -I FORWARD -p icmp -m icmp --icmp-type 8 -m limit --limit 25/sec --limit-burst 8 -i tun1 -o tun0 -j ACCEPT
$IPTABLES -I FORWARD -p icmp -m icmp --icmp-type 8 -m limit --limit 25/sec --limit-burst 8 -i tun0 -o tun1 -j ACCEPT
#-----------------------------------------------------------------------------
###administrators (10.40.1.0/24 CZ, 10.3.1.0/24 SK): access to all servers and services
##GLOBAL
$IPTABLES -I FORWARD -i tun1 -o eth1 -s 10.40.1.0/24 -j ACCEPT
$IPTABLES -I FORWARD -i tun0 -o tun1 -s 10.3.1.0/24 -j ACCEPT
# all traffic between the two tunnel interfaces for the CZ admin subnet
# (JAGAMEDIA VPN tunnel <-> JAGA network)
$IPTABLES -I FORWARD -i tun0 -o tun1 -d 10.40.1.0/24 -j ACCEPT
$IPTABLES -I FORWARD -i tun1 -o tun0 -s 10.40.1.0/24 -j ACCEPT
#-----------------------------------------------------------------------------
###employees (10.40.2.0/24): only the servers and services listed here
##GLOBAL
#primary dns server
$IPTABLES -I FORWARD -p udp -i tun1 -o eth1 -s 10.40.2.0/24 -d 10.30.0.4 --dport 53 -j ACCEPT
#file server (service: netbios-ss, smb, #netbios-ns)
for smb_port in 139 445; do
  $IPTABLES -I FORWARD -p tcp -i tun1 -o eth1 -s 10.40.2.0/24 -d 10.30.0.2 --dport "$smb_port" -j ACCEPT
done
#$IT -I FORWARD -p udp -i tun1 -o eth1 -s 10.40.2.0/24 -d 10.30.0.2 --dport 137 -j ACCEPT
# SK servers reached through the office tunnel. Each service is a
# client->server rule plus a mirrored server->client rule.
# NOTE(review): the mirrored rules keep '--dport', so they match connections
# the server opens towards that port on the clients, not the replies (replies
# carry the port as source and are covered by the ESTABLISHED,RELATED rule
# in FORWARD). Confirm whether '--sport' was intended.
#SK intranet server (service: http)
#SK naxos server (service: http, https)
#SK contract server (service: http, olap, kalkulacie)
for sk_service in 10.1.1.9:80 10.1.1.15:80 10.1.1.15:443 10.1.1.11:80; do
  sk_host=${sk_service%:*}
  sk_port=${sk_service#*:}
  $IPTABLES -I FORWARD -p tcp -i tun1 -o tun0 -s 10.40.2.0/24 -d "$sk_host" --dport "$sk_port" -j ACCEPT
  $IPTABLES -I FORWARD -p tcp -i tun0 -o tun1 -d 10.40.2.0/24 -s "$sk_host" --dport "$sk_port" -j ACCEPT
done
#SK contract server, ports 2382,2383 and 1433
$IPTABLES -I FORWARD -p tcp -i tun1 -o tun0 -s 10.40.2.0/24 -d 10.1.1.11 -m multiport --dports 2382,2383 -j ACCEPT
$IPTABLES -I FORWARD -p tcp -i tun0 -o tun1 -d 10.40.2.0/24 -s 10.1.1.11 -m multiport --dports 2382,2383 -j ACCEPT
$IPTABLES -I FORWARD -p tcp -i tun1 -o tun0 -s 10.40.2.0/24 -d 10.1.1.11 --dport 1433 -j ACCEPT
$IPTABLES -I FORWARD -p tcp -i tun0 -o tun1 -d 10.40.2.0/24 -s 10.1.1.11 --dport 1433 -j ACCEPT
#vb wifi - disabled
# $IPTABLES -I FORWARD -p tcp -i eth1 -o tun0 -s 192.168.1.0/24 -d 10.1.1.11 --dport 80 -j ACCEPT
# $IPTABLES -I FORWARD -p tcp -i tun0 -o eth1 -d 192.168.1.0/24 -s 10.1.1.11 --dport 80 -j ACCEPT
# LAN <-> contract server on 2393,2394
$IPTABLES -I FORWARD -p tcp -i eth1 -o tun0 -s 10.30.0.0/24 -d 10.1.1.11 -m multiport --dports 2393,2394 -j ACCEPT
$IPTABLES -I FORWARD -p tcp -i tun0 -o eth1 -d 10.30.0.0/24 -s 10.1.1.11 -m multiport --dports 2393,2394 -j ACCEPT
# $IPTABLES -I FORWARD -p tcp -i eth1 -o tun0 -s 192.168.1.0/24 -d 10.1.1.11 --dport 1433 -j ACCEPT
# $IPTABLES -I FORWARD -p tcp -i tun0 -o eth1 -d 192.168.1.0/24 -s 10.1.1.11 --dport 1433 -j ACCEPT
#mail server (service: imap, imaps, smtp, webmail)
for mail_port in 143 993 25 80 443; do
  $IPTABLES -I FORWARD -p tcp -i tun1 -o eth1 -s 10.40.2.0/24 -d 10.30.0.4 --dport "$mail_port" -j ACCEPT
done
#-----------------------------------------------------------------------------
###specific access (10.40.3.0/24): only the services below (currently just DNS)
##GLOBAL
#primary dns server
$IPTABLES -I FORWARD -p udp -i tun1 -o eth1 -s 10.40.3.0/24 -d 10.30.0.4 --dport 53 -j ACCEPT
#-----------------------------------------------------------------------------
#$IT -t nat -A PREROUTING -d $INET_IP -s $VERSITY -p tcp --dport 24500 -j DNAT --to-destination $JG_KENNY2:3389
###
#DEFAULT, log all dropped traffic
# Appended last, so anything no earlier rule accepted is logged and dropped.
# The chain policies are DROP as well; this only adds the log entry.
$IPTABLES -A INPUT -j log_drop
$IPTABLES -A FORWARD -j log_drop
###
# 5. RESTORE TRAFFIC
##
# 5.1 Allow routing on this box
# Forwarding was switched off in 3.1 and is re-enabled only now that the rule
# set is in place. This step is unconditional: a failed iptables call above
# does not prevent it.
echo " restoring traffic"
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "FIREWALL SETUP COMPLETED"