  1. root@gate:/home/scripts# cat iptables.sh
  2. #!/bin/bash
  3. IPT="/sbin/iptables"
  4. EC="/bin/echo"
  5. IPS="/usr/sbin/ipset"
  6. ### Administrative hosts
  7. ADMINS="10.21.44.44 10.21.45.45"
  8. ### TCP services ports
  9. ACCPOTCP="1122 22"
  10. ### UDP services ports
  11. ACCPOUDP="53"
  12. ### Call centre ports access TCP
  13. ACCFWDTCP="1540 631 80 443"
  14. ### Call centre ports access UDP
  15. ACCFWDUDP="53"
  16. #Allowed hosts for callcentre
  17. WHITELIST="8.8.8.8 80.79.252.162 80.93.50.41 213.180.204.0/24 93.158.134.0/24 213.180.193.0/24"
  18.  
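#######################################
# Flush every rule and delete every user-defined chain in the filter and
# nat tables.  Chain policies are left untouched, so the caller sets them
# before (start) or after (stop) calling this.
#######################################
fw_reset() {
    local table
    for table in filter nat; do
        $IPT -t "$table" -F
        $IPT -t "$table" -X
    done
}

#######################################
# Remove all rules and fall back to ACCEPT on every chain.
# NOTE(review): while "stopped" this box accepts and forwards everything;
# use it for maintenance only.
#######################################
fw_stop() {
    fw_reset
    $IPT -P INPUT ACCEPT
    $IPT -P OUTPUT ACCEPT
    $IPT -P FORWARD ACCEPT
    $EC "Firewall stopped"
}

#######################################
# Print the filter and nat rules plus the forwarding ipset.
# -n avoids reverse DNS lookups, which can hang for a long time when the
# resolver is unreachable (e.g. while the firewall itself is broken).
#######################################
fw_status() {
    $IPT -L -n -v --line-numbers
    $IPT -t nat -L -n -v --line-numbers
    # The set does not exist until "start" has run once; not an error here.
    $IPS -L sluts 2>/dev/null
}

#######################################
# Build the complete ruleset from scratch.  Safe to call on a live system:
# DROP policies are installed before the chains are flushed, so nothing
# slips through while the rules are being rebuilt, and the ipset is
# created only when missing (ipset -N fails if the set already exists,
# which is the normal case on a restart).
#######################################
fw_start() {
    local admin z x a b c pt
    # Hard-coded in the original ruleset and deliberately different from
    # ACCFWDTCP (adds SMTP, drops 1540/631); kept as is.
    local wl_tcp_ports="80,443,25"

    ### Policies first, then reset (the kernel default policy is ACCEPT,
    ### so the original flush-then-policy order was briefly open on boot)
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    fw_reset

    ### Stateful baseline
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT

    ### Admins: any new connection from these addresses is accepted.
    ### NOTE(review): the match is on source address only (no -i), so it is
    ### satisfied by a spoofed source arriving on any interface; bind it to
    ### the management interface if the topology allows.
    for admin in $ADMINS; do
        $IPT -A INPUT -s "$admin" -m state --state NEW -j ACCEPT
    done

    ### Drop ICMP timestamp probes and bogus TCP flag combinations.
    ### NOTE(review): packets in conntrack state INVALID are not dropped
    ### explicitly; consider "-m state --state INVALID -j DROP" up front.
    $IPT -A INPUT -p icmp --icmp-type timestamp-request -j DROP
    $IPT -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
    $IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
    $IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
    $IPT -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
    $IPT -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
    $IPT -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
    $IPT -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP
    $IPT -A OUTPUT -p icmp --icmp-type timestamp-reply -j DROP
    ### Echo requests are answered for everyone
    $IPT -A INPUT -p icmp --icmp-type 8 -j ACCEPT

    ### MTU: clamp MSS on forwarded SYNs to the path MTU
    $IPT -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

    ### NAT: LAN leaves as the public address.  No -o is given, so this
    ### applies to traffic leaving on any interface, not just the uplink.
    $IPT -t nat -A POSTROUTING -s 192.168.21.0/24 -j SNAT --to-source 109.71.181.138

    ### ipset of hosts allowed unrestricted forwarding.
    ### Create only when missing, then flush so that hosts removed from the
    ### list below really lose access on the next start.
    $IPS -L sluts >/dev/null 2>&1 || $IPS -N sluts iphash
    $IPS -F sluts
    $IPS -A sluts 192.168.21.2   # Boss
    $IPS -A sluts 192.168.21.3   # Boss Sakura
    $IPS -A sluts 192.168.21.4   # Boss SWmsk
    $IPS -A sluts 192.168.21.5   # Supervisor
    $IPS -A sluts 192.168.21.6   # Supervisor
    $IPS -A sluts 192.168.21.7   # Supervisor
    $IPS -A sluts 192.168.21.8   # Supervisor
    $IPS -A sluts 192.168.21.9   # Client manager
    $IPS -A sluts 192.168.21.10  # Client manager
    $IPS -A sluts 192.168.21.11  # Client manager
    $IPS -A sluts 192.168.21.12  # Analytics
    $IPS -A sluts 192.168.21.13  # Analytics
    $IPS -A sluts 192.168.21.14  # OD help

    #### Open ports on this host (an empty list simply adds no rule).
    ### NOTE(review): accepted from ANY source; with 22 and 1122 in
    ### ACCPOTCP this exposes SSH to every peer even though ADMINS already
    ### get full access above.  Restrict with -s or drop them from the list.
    for z in $ACCPOTCP; do
        $IPT -A INPUT -p tcp -m tcp --dport "$z" -j ACCEPT
    done
    for x in $ACCPOUDP; do
        $IPT -A INPUT -p udp -m udp --dport "$x" -j ACCEPT
    done

    ### Forwarded UDP (DNS) for the call centre.
    ### NOTE(review): no -s/-d, so every forwarded packet to UDP/53 is
    ### accepted here and the per-destination DNS rules below never match.
    ### LAN hosts may therefore use any resolver, which also leaves DNS
    ### tunnelling open.  Add -s 192.168.21.0/24 and a resolver list if
    ### that is not intended.
    for b in $ACCFWDUDP; do
        $IPT -t filter -A FORWARD -p udp -m udp --dport "$b" -j ACCEPT
    done

    ### Whitelisted destinations for the call centre LAN.
    ### The original built the UDP port with a backtick loop that produced
    ### one word per port and broke as soon as ACCFWDUDP held more than one
    ### entry; iterate over the ports instead.
    for c in $WHITELIST; do
        for pt in $ACCFWDUDP; do
            $IPT -t filter -A FORWARD -s 192.168.21.0/24 -d "$c" -p udp -m udp --dport "$pt" -j ACCEPT
        done
        $IPT -t filter -A FORWARD -s 192.168.21.0/24 -d "$c" -p tcp -m multiport --dports "$wl_tcp_ports" -j ACCEPT
    done

    ### Members of the set may forward anything
    $IPT -t filter -A FORWARD -m set --match-set sluts src -j ACCEPT

    ### Forwarded TCP for the call centre.
    ### NOTE(review): like the UDP rule above this has no -s/-d, so every
    ### LAN host (not only set members) reaches any destination on
    ### 80/443/1540/631; the whitelist above effectively restricts only
    ### port 25.  Add -s 192.168.21.0/24 (and -d where possible) if the
    ### whitelist is meant to be enforced for web traffic.
    for a in $ACCFWDTCP; do
        $IPT -t filter -A FORWARD -p tcp -m tcp --dport "$a" -j ACCEPT
    done

    ### Everything else from the LAN is dropped (explicit; policy is DROP too)
    $IPT -t filter -A FORWARD -s 192.168.21.0/24 -j DROP

    $EC "Firewall started"
}

case "${1:-}" in
stop)
    fw_stop
;;

status)
    fw_status
;;

restart|reload)
    # "start" already rebuilds everything with DROP policies in place.
    # Going through "stop" first (as the original did via "$0 stop") left
    # the box with ACCEPT policies for a moment on every reload.
    fw_start
;;

start)
    fw_start
;;

*)
    $EC "* Usage: $0 (start|stop|restart|status)" >&2
    exit 1
;;
esac

exit 0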