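#!/usr/bin/env bash
#
# Router firewall for a small LAN behind a PPP uplink.
#
# In order:
#   1. load the netfilter modules the rules need,
#   2. enable IPv4 forwarding (and proxy ARP on $INET_IFACE),
#   3. rebuild three ipset sets from the whitelist files below,
#   4. install a DROP-by-default ruleset: LAN hosts are only forwarded
#      (and SNATed out of $PPP0_IFACE) when their ip[,mac] is in a set.
#
# Whitelist files, '#' starts a comment, every remaining whitespace-separated
# token is one entry:
#   /home/scripts/iplist/ipmac.lst         ip,mac  -> set "whitelist"
#   /home/scripts/iplist/ipmac_dubles.lst  ip,mac  -> set "whitelistd"
#   /home/scripts/iplist/ip.lst            ip      -> set "ipwhite"
#
# Must run as root. Deliberately no `set -e`: one failing rule must not stop
# the remaining rules from being installed (the chain policies are DROP, so
# a missing rule fails closed); iptables/ipset print their own errors.

set -u

readonly LAN_IFACE=eth1
readonly LAN_IP=192.168.1.22
readonly LAN_IP_RANGE=192.168.1.0/24
# NOTE(review): with a /24 mask iptables matches the whole 192.168.1.0/24,
# not only the broadcast address, so the INPUT rules that use this value
# (on $LAN_IFACE and on $PPP0_IFACE) accept any destination in that subnet.
# Kept unchanged; confirm whether 192.168.1.255/32 was intended.
readonly LAN_BCAST_ADRESS=192.168.1.255/24
readonly LAN2_IP=192.168.2.22
readonly LAN2_IP_RANGE=192.168.2.0/24   # currently unused by the rules
readonly LAN2_BCAST_ADRESS=192.168.2.255/24   # same /24 caveat as above
readonly INET_IFACE=eth0
readonly STATIC_IP=192.168.100.1
readonly LO_IFACE=lo
readonly LOCALHOST_IP=127.0.0.1
readonly PPP0_IFACE=ppp0

readonly IPTABLES="/usr/sbin/iptables"
readonly IPSET="/usr/sbin/ipset"
readonly LIST_DIR=/home/scripts/iplist

die() { printf '%s\n' "$*" >&2; exit 1; }
warn() { printf 'warn: %s\n' "$*" >&2; }

#######################################
# Print the first IPv4 address configured on an interface, or nothing.
# Uses iproute2 instead of parsing ifconfig, whose output format differs
# between net-tools versions ("inet addr:" vs "inet ").
# Arguments: $1 - interface name
# Outputs:   dotted-quad address on stdout (empty if none)
#######################################
iface_ip4() {
  ip -4 -o addr show dev "$1" 2>/dev/null \
    | awk '{ sub(/\/.*$/, "", $4); print $4; exit }'
}

#######################################
# Best-effort load of the netfilter modules. Several of these are legacy
# names that newer kernels may not have; a failure is reported, not fatal.
#######################################
load_modules() {
  local m
  for m in ip_tables ip_nat ip_conntrack iptable_filter iptable_mangle \
           iptable_nat ipt_LOG ipt_limit ipt_state ipt_owner ipt_REJECT \
           ipt_MASQUERADE ip_conntrack_ftp ip_conntrack_irc ip_nat_ftp \
           ip_nat_irc; do
    /sbin/modprobe "$m" || warn "modprobe $m failed"
  done
}

#######################################
# Fill an ipset set from a list file: strip '#' comments, then add every
# whitespace-separated token as one entry (empty tokens are skipped).
# Globals:   IPSET
# Arguments: $1 - set name
#            $2 - list file
# Returns:   0 always; an unreadable file leaves the set empty with a warning
#######################################
load_set() {
  local set_name=$1 list_file=$2 entry
  if [[ ! -r "$list_file" ]]; then
    warn "$list_file not readable; set $set_name stays empty"
    return 0
  fi
  while IFS= read -r entry; do
    [[ -n "$entry" ]] || continue
    "$IPSET" add "$set_name" "$entry" \
      || warn "ipset add $set_name $entry failed"
  done < <(cut -d '#' -f 1 -- "$list_file" | tr -s '[:space:]' '\n')
}

#######################################
# Destroy all sets and recreate the three whitelist sets from their files.
# Called after the filter table is flushed so no rule still references a set.
# Globals:   IPSET, LAN_IP_RANGE, LIST_DIR
#######################################
setup_sets() {
  "$IPSET" -X
  "$IPSET" -N whitelist  bitmap:ip,mac range "$LAN_IP_RANGE"
  "$IPSET" -N whitelistd bitmap:ip,mac range "$LAN_IP_RANGE"
  "$IPSET" -N ipwhite iphash
  load_set whitelist  "$LIST_DIR/ipmac.lst"
  load_set whitelistd "$LIST_DIR/ipmac_dubles.lst"
  load_set ipwhite    "$LIST_DIR/ip.lst"
}

#######################################
# User-defined chains shared by INPUT/OUTPUT/FORWARD.
# Globals:   IPTABLES
#######################################
setup_chains() {
  "$IPTABLES" -N bad_tcp_packets
  "$IPTABLES" -N allowed
  "$IPTABLES" -N icmp_packets
  "$IPTABLES" -N tcp_packets
  "$IPTABLES" -N udpincoming_packets
  "$IPTABLES" -N fw_allow

  # New connections must start with a plain SYN; SYN/ACK-first gets a reset,
  # anything else non-SYN is logged and dropped.
  "$IPTABLES" -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK \
    -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset
  "$IPTABLES" -A bad_tcp_packets -p tcp ! --syn -m conntrack --ctstate NEW \
    -j LOG --log-prefix "Bad TCP packet: "
  "$IPTABLES" -A bad_tcp_packets -p tcp ! --syn -m conntrack --ctstate NEW \
    -j DROP

  # "allowed" is defined but no rule below jumps to it.
  "$IPTABLES" -A allowed -p TCP --syn -j ACCEPT
  "$IPTABLES" -A allowed -p TCP -m conntrack --ctstate ESTABLISHED,RELATED \
    -j ACCEPT
  "$IPTABLES" -A allowed -p TCP -j DROP

  # ICMP accepted from the uplink: echo reply/request, unreachable,
  # redirect, time exceeded.
  local t
  for t in 0 3 5 8 11; do
    "$IPTABLES" -A icmp_packets -p ICMP -s 0/0 --icmp-type "$t" -j ACCEPT
  done

  # tcp_packets and udpincoming_packets stay empty: uplink TCP/UDP to the
  # router itself returns from them and hits the INPUT log + DROP policy.
  "$IPTABLES" -A fw_allow -j ACCEPT
}

#######################################
# FORWARD: only whitelisted LAN hosts get through, SNATed to the PPP address.
# Globals:   IPTABLES, LAN_IFACE, LAN_IP_RANGE, PPP0_IFACE, PPP0_IP
#######################################
setup_forward() {
  "$IPTABLES" -t nat -A POSTROUTING -o "$PPP0_IFACE" -s "$LAN_IP_RANGE" \
    -j SNAT --to-source "$PPP0_IP"

  "$IPTABLES" -A FORWARD -p tcp -j bad_tcp_packets
  "$IPTABLES" -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # No DHCP relayed out of the LAN.
  "$IPTABLES" -A FORWARD -p udp -i "$LAN_IFACE" --dport 67 -j DROP
  "$IPTABLES" -A FORWARD -p udp -i "$LAN_IFACE" --dport 68 -j DROP
  # src,src: source IP and source MAC must both match the set entry.
  "$IPTABLES" -A FORWARD -p ALL -i "$LAN_IFACE" \
    -m set --match-set whitelist src,src -j fw_allow
  "$IPTABLES" -A FORWARD -p ALL -i "$LAN_IFACE" \
    -m set --match-set whitelistd src,src -j fw_allow
  "$IPTABLES" -A FORWARD -p ALL -i "$LAN_IFACE" \
    -m set --match-set ipwhite src -j fw_allow
  "$IPTABLES" -A FORWARD -m limit --limit 1/hour --limit-burst 5 \
    -j LOG --log-level notice --log-prefix "IPT FORWARD packet died: "
}

#######################################
# INPUT: traffic to the router itself.
# Globals:   IPTABLES and the interface/address constants
#######################################
setup_input() {
  "$IPTABLES" -A INPUT -p tcp -j bad_tcp_packets
  "$IPTABLES" -A INPUT -p ICMP -i "$INET_IFACE" -j icmp_packets
  "$IPTABLES" -A INPUT -p TCP -i "$INET_IFACE" -j tcp_packets
  "$IPTABLES" -A INPUT -p UDP -i "$INET_IFACE" -j udpincoming_packets
  "$IPTABLES" -A INPUT -p ALL -d "$STATIC_IP" \
    -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

  local dst
  "$IPTABLES" -A INPUT -p ALL -i "$LAN_IFACE" -d 255.255.255.255 -j ACCEPT
  for dst in "$LAN_BCAST_ADRESS" "$LAN_IP" "$LAN2_BCAST_ADRESS" "$LAN2_IP" \
             "$STATIC_IP"; do
    "$IPTABLES" -A INPUT -p ALL -i "$LAN_IFACE" -d "$dst" -j ACCEPT
  done
  for dst in "$LOCALHOST_IP" "$LAN_IP" "$LAN2_IP" "$STATIC_IP"; do
    "$IPTABLES" -A INPUT -p ALL -i "$LO_IFACE" -d "$dst" -j ACCEPT
  done
  "$IPTABLES" -A INPUT -p ALL -i "$PPP0_IFACE" -d "$PPP0_IP" -j ACCEPT
  # See the LAN_BCAST_ADRESS note: this matches the whole LAN subnet.
  "$IPTABLES" -A INPUT -p ALL -i "$PPP0_IFACE" -d "$LAN_BCAST_ADRESS" \
    -j ACCEPT
  "$IPTABLES" -A INPUT -m limit --limit 1/hour --limit-burst 5 \
    -j LOG --log-level notice --log-prefix "IPT INPUT packet died: "
}

#######################################
# OUTPUT: anything sourced from one of the router's own addresses.
# Globals:   IPTABLES and the address constants
#######################################
setup_output() {
  local src
  "$IPTABLES" -A OUTPUT -p tcp -j bad_tcp_packets
  for src in "$LOCALHOST_IP" "$LAN_IP" "$LAN2_IP" "$STATIC_IP" "$PPP0_IP"; do
    "$IPTABLES" -A OUTPUT -p ALL -s "$src" -j ACCEPT
  done
  "$IPTABLES" -A OUTPUT -m limit --limit 1/hour --limit-burst 5 \
    -j LOG --log-level notice --log-prefix "IPT OUTPUT packet died: "
}

main() {
  [[ $EUID -eq 0 ]] || die "must run as root"

  # Resolved before anything is flushed: without an uplink address the SNAT
  # rule cannot be built, so leave the current ruleset alone instead.
  PPP0_IP=$(iface_ip4 "$PPP0_IFACE")
  [[ -n "$PPP0_IP" ]] \
    || die "no IPv4 address on $PPP0_IFACE; firewall not reloaded"
  readonly PPP0_IP
  printf '%s\n' "$PPP0_IP"

  load_modules
  echo 1 > /proc/sys/net/ipv4/ip_forward
  echo 1 > "/proc/sys/net/ipv4/conf/$INET_IFACE/proxy_arp"

  # Flush filter and nat; sets are rebuilt only once no rule references them.
  "$IPTABLES" -F
  "$IPTABLES" -X
  "$IPTABLES" -t nat -F
  setup_sets

  "$IPTABLES" -P INPUT DROP
  "$IPTABLES" -P OUTPUT DROP
  "$IPTABLES" -P FORWARD DROP
  setup_chains
  setup_forward
  setup_input
  setup_output
}

main "$@"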