- root@gate:/home/scripts# cat iptables.sh
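#!/bin/bash
# iptables.sh - host firewall plus NAT/forwarding policy for the call-centre LAN.
#
# Usage: iptables.sh (start|stop|restart|reload|status)
#
# Policy summary (see fw_start):
#   INPUT   DROP by default; admin hosts, a few service ports and echo-request
#           are accepted; scanner-style TCP flag combinations are dropped.
#   FORWARD DROP by default; LAN -> whitelist on a few ports, ipset members
#           to anything, ACCFWDTCP/ACCFWDUDP ports from anywhere; the rest of
#           the LAN is dropped explicitly.
#   OUTPUT  ACCEPT (ICMP timestamp replies excepted).
#   nat     the LAN is SNATed to SNAT_IP.
#
# Deliberately no 'set -e': a rule that fails to load is reported on stderr by
# fw() and the run continues, because aborting halfway would leave the box
# under a DROP policy with only part of the ACCEPT rules in place.
set -u

IPT="/sbin/iptables"
EC="/bin/echo"
IPS="/usr/sbin/ipset"

### Administrative hosts: any NEW connection from these is accepted on INPUT
ADMINS="10.21.44.44 10.21.45.45"
### TCP services ports opened on INPUT
ACCPOTCP="1122 22"
### UDP services ports opened on INPUT
ACCPOUDP="53"
### Call centre ports access TCP (FORWARD, not restricted by source/destination)
ACCFWDTCP="1540 631 80 443"
### Call centre ports access UDP (FORWARD, not restricted by source/destination)
ACCFWDUDP="53"
### Allowed hosts for callcentre: destinations the LAN may reach directly
WHITELIST="8.8.8.8 80.79.252.162 80.93.50.41 213.180.204.0/24 93.158.134.0/24 213.180.193.0/24"
### Call-centre LAN and the public address it is SNATed to
LAN_NET="192.168.21.0/24"
SNAT_IP="109.71.181.138"
### ipset of LAN hosts that get unrestricted internet access (name is also
### referenced by the --match-set rule, so keep the two in sync)
INET_SET="sluts"
### Members of that ipset
INET_MEMBERS=(
  192.168.21.2   # Boss
  192.168.21.3   # Boss Sakura
  192.168.21.4   # Boss SWmsk
  192.168.21.5   # Supervisor
  192.168.21.6   # Supervisor
  192.168.21.7   # Supervisor
  192.168.21.8   # Supervisor
  192.168.21.9   # Client manager
  192.168.21.10  # Client manager
  192.168.21.11  # Client manager
  192.168.21.12  # Analytics
  192.168.21.13  # Analytics
  192.168.21.14  # OD help
)

#######################################
# Run one firewall command and report (but do not abort on) failure.
# Arguments: the command and its arguments
# Outputs:   a WARNING line on stderr when the command fails
# Returns:   the command's exit status
#######################################
fw() {
  local rc=0
  "$@" || rc=$?
  if (( rc != 0 )); then
    printf 'WARNING: %s failed (status %d)\n' "$*" "$rc" >&2
  fi
  return "$rc"
}

#######################################
# Flush all rules and delete all user chains in the filter and nat tables.
# Chain policies are left untouched; callers set them afterwards.
#######################################
flush_all() {
  fw "$IPT" --flush
  fw "$IPT" --delete-chain
  fw "$IPT" --table nat --flush
  fw "$IPT" --table nat --delete-chain
  fw "$IPT" --table filter --flush
  fw "$IPT" --table filter --delete-chain
}

#######################################
# (Re)populate the ipset of LAN hosts allowed unrestricted internet access.
# The set survives a 'stop', and ipset refuses to create a set that already
# exists, so an existing set is flushed and refilled instead of re-created.
# Globals: IPS, INET_SET, INET_MEMBERS (read)
#######################################
build_inet_set() {
  local member
  if "$IPS" -L "$INET_SET" >/dev/null 2>&1; then
    fw "$IPS" -F "$INET_SET"
  else
    fw "$IPS" -N "$INET_SET" iphash
  fi
  for member in "${INET_MEMBERS[@]}"; do
    fw "$IPS" -A "$INET_SET" "$member"
  done
}

#######################################
# Remove every rule and open all chains (ACCEPT policies).
#######################################
fw_stop() {
  flush_all
  fw "$IPT" -t filter -P INPUT ACCEPT
  fw "$IPT" -t filter -P OUTPUT ACCEPT
  fw "$IPT" -t filter -P FORWARD ACCEPT
  $EC "Firewall stopped"
}

#######################################
# Load the full rule set described in the file header.
#######################################
fw_start() {
  local host port dst
  flush_all

  # Default deny inbound and transit; outbound from the box itself is open.
  fw "$IPT" -P INPUT DROP
  fw "$IPT" -P FORWARD DROP
  fw "$IPT" -P OUTPUT ACCEPT

  fw "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  fw "$IPT" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  fw "$IPT" -A INPUT -i lo -j ACCEPT

  ### Admins: unrestricted new connections, evaluated before the port list below.
  for host in $ADMINS; do
    fw "$IPT" -A INPUT -s "$host" -m state --state NEW -j ACCEPT
  done

  ### Drop ICMP timestamp probes and TCP flag combinations only scanners send.
  fw "$IPT" -A INPUT -p icmp --icmp-type timestamp-request -j DROP
  fw "$IPT" -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
  fw "$IPT" -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
  fw "$IPT" -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
  fw "$IPT" -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
  fw "$IPT" -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
  fw "$IPT" -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
  fw "$IPT" -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP
  fw "$IPT" -A OUTPUT -p icmp --icmp-type timestamp-reply -j DROP
  fw "$IPT" -A INPUT -p icmp --icmp-type 8 -j ACCEPT

  ### MTU: clamp MSS on forwarded SYNs so PMTU black holes behind the NAT do not stall.
  fw "$IPT" -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

  ### Nat
  fw "$IPT" -t nat -A POSTROUTING -s "$LAN_NET" -j SNAT --to-source "$SNAT_IP"

  ### ipset for access inet
  build_inet_set

  #### Open ports on INPUT (an empty list simply adds no rule)
  ### TCP
  for port in $ACCPOTCP; do
    fw "$IPT" -A INPUT -p tcp -m tcp --dport "$port" -j ACCEPT
  done
  ### UDP
  for port in $ACCPOUDP; do
    fw "$IPT" -A INPUT -p udp -m udp --dport "$port" -j ACCEPT
  done

  ### Access forward callcentre UDP
  for port in $ACCFWDUDP; do
    fw "$IPT" -t filter -A FORWARD -p udp -m udp --dport "$port" -j ACCEPT
  done

  ### Whitelist for callcentre: one rule per destination and UDP port (the
  ### original built --dport from a backtick loop, which only works for a
  ### single-port ACCFWDUDP), plus web/SMTP over TCP.
  for dst in $WHITELIST; do
    for port in $ACCFWDUDP; do
      fw "$IPT" -t filter -A FORWARD -s "$LAN_NET" -d "$dst" -p udp -m udp --dport "$port" -j ACCEPT
    done
    fw "$IPT" -t filter -A FORWARD -s "$LAN_NET" -d "$dst" -p tcp -m multiport --dports 80,443,25 -j ACCEPT
  done

  ### Allow all inet traf to members of the ipset
  fw "$IPT" -t filter -A FORWARD -m set --match-set "$INET_SET" src -j ACCEPT

  ### Access forward callcentre TCP
  # NOTE(review): these rules carry no -s/-d, so 80 and 443 in ACCFWDTCP let
  # the whole LAN reach any web destination and make the per-destination
  # whitelist above moot for those ports. Kept as in the original because the
  # intent is not visible here; confirm whether 80/443 belong in this list.
  for port in $ACCFWDTCP; do
    fw "$IPT" -t filter -A FORWARD -p tcp -m tcp --dport "$port" -j ACCEPT
  done

  ### Everything else from the LAN is dropped explicitly (policy is DROP anyway).
  fw "$IPT" -t filter -A FORWARD -s "$LAN_NET" -j DROP
  $EC "Firewall started"
}

#######################################
# Print the filter table. -n avoids reverse DNS lookups from the firewall,
# which can hang the listing and leak queries.
#######################################
fw_status() {
  "$IPT" --list -n
}

#######################################
# Entry point. restart/reload run stop and start in-process instead of
# re-executing $0.
# Arguments: $1 - start|stop|restart|reload|status
# Returns:   0 on success, 1 on unknown argument
#######################################
main() {
  case "${1:-}" in
    stop)
      fw_stop
      ;;
    status)
      fw_status
      ;;
    restart|reload)
      fw_stop
      fw_start
      ;;
    start)
      fw_start
      ;;
    *)
      $EC "* Usage: $0 (start|stop|restart|reload|status)" >&2
      exit 1
      ;;
  esac
  exit 0
}

main "$@"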