  1. root@AP66:~# cat /etc/firewall_MK
  2. #!/bin/sh
  3.  
  4. LAN="br-lan"
  5. WAN="eth0"
  6.  
  7. echo 1 > /proc/sys/net/ipv4/ip_forward
  8.  
  9. iptables -F
  10. iptables -t nat -F
  11. iptables -t mangle -F
  12.  
  13. iptables -P INPUT DROP
  14. iptables -P OUTPUT ACCEPT
  15. iptables -P FORWARD DROP
  16.  
  17. iptables -t nat -A POSTROUTING -o $WAN -j SNAT --to 77.78.90.200
  18.  
  19. iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  20. iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  21.  
  22. iptables -I INPUT -i $LAN -p tcp --dport 22 -j ACCEPT
  23.  
  24. iptables -I INPUT -p tcp --dport 80 -j ACCEPT
  25.  
  26. iptables -t nat -A PREROUTING -p tcp -i $WAN --dport 80 -j DNAT --to-destination 10.123.1.1
  27. iptables -A FORWARD -p tcp --dport 80 -d 10.123.1.1 -j ACCEPT
  28.  
  29. iptables -A INPUT -i $LAN -j ACCEPT
  30. iptables -A FORWARD -i $LAN -j ACCEPT
  31.  
  32. iptables -A INPUT -i lo -j ACCEPT
  33. iptables -A OUTPUT -o lo -j ACCEPT
  34.  
  35. iptables -A INPUT -p icmp -j ACCEPT
  36. iptables -A OUTPUT -p icmp -j ACCEPT
  37. iptables -A FORWARD -p icmp -j ACCEPT
  38.  
  39. iptables -A INPUT -i $WAN -j REJECT
  40.  
  41. iptables -A INPUT -m state --state INVALID -j DROP
  42.  
  43. iptables -A INPUT -j REJECT --reject-with icmp-admin-prohibited
  44.  
  45. root@AP66:~#
  46.  
  47.  
  48. root@AP66:~# ip a s
  49. 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
  50. link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
  51. inet 127.0.0.1/8 scope host lo
  52. valid_lft forever preferred_lft forever
  53. inet 77.78.90.200/32 brd 255.255.255.255 scope global lo
  54. valid_lft forever preferred_lft forever
  55. 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
  56. link/ether 00:15:6d:c3:7f:c1 brd ff:ff:ff:ff:ff:ff
  57. inet 172.16.14.13/29 brd 172.16.14.15 scope global eth0
  58. valid_lft forever preferred_lft forever
  59. 3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br-lan state UP group default qlen 1000
  60. link/ether 02:15:6d:c3:7f:c1 brd ff:ff:ff:ff:ff:ff
  61. 4: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
  62. link/ether 02:15:6d:c3:7f:c1 brd ff:ff:ff:ff:ff:ff
  63. inet 10.123.1.2/24 brd 10.123.1.255 scope global br-lan
  64. valid_lft forever preferred_lft forever
  65. root@AP66:~#
  66.  
  67.  
  68.  
  69. root@AP66:~# ip r s
  70. default via 172.16.14.9 dev eth0 proto static
  71. 10.123.1.0/24 dev br-lan proto kernel scope link src 10.123.1.2
  72. 172.16.14.8/29 dev eth0 proto kernel scope link src 172.16.14.13
  73. root@AP66:~#
  74.  
  75.  
  76.  
  77. root@AP66:~# iptables -t nat -nvL
  78. Chain PREROUTING (policy ACCEPT 77 packets, 11687 bytes)
  79. pkts bytes target prot opt in out source destination
  80. 0 0 DNAT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 to:10.123.1.1
  81.  
  82. Chain INPUT (policy ACCEPT 1 packets, 78 bytes)
  83. pkts bytes target prot opt in out source destination
  84.  
  85. Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
  86. pkts bytes target prot opt in out source destination
  87.  
  88. Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
  89. pkts bytes target prot opt in out source destination
  90. 74 11294 SNAT all -- * eth0 0.0.0.0/0 0.0.0.0/0 to:77.78.90.200
  91. root@AP66:~#
  92.  
  93.  
  94. root@AP66:~# iptables -nvL
  95. Chain INPUT (policy DROP 0 packets, 0 bytes)
  96. pkts bytes target prot opt in out source destination
  97. 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
  98. 169 12376 ACCEPT tcp -- br-lan * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
  99. 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
  100. 6 1358 ACCEPT all -- br-lan * 0.0.0.0/0 0.0.0.0/0
  101. 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
  102. 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
  103. 2 315 rejectLog all -- eth0 * 0.0.0.0/0 0.0.0.0/0
  104. 0 0 dropLog all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
  105. 2 315 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-admin-prohibited
  106.  
  107. Chain FORWARD (policy DROP 0 packets, 0 bytes)
  108. pkts bytes target prot opt in out source destination
  109. 1727 377K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
  110. 0 0 ACCEPT tcp -- lo * 0.0.0.0/0 10.123.1.1 tcp dpt:80
  111. 115 18637 ACCEPT all -- br-lan * 0.0.0.0/0 0.0.0.0/0
  112. 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
  113.  
  114. Chain OUTPUT (policy ACCEPT 103 packets, 14900 bytes)
  115. pkts bytes target prot opt in out source destination
  116. 0 0 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
  117. 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
  118.  
  119. Chain dropLog (1 references)
  120. pkts bytes target prot opt in out source destination
  121.  
  122. Chain rejectLog (1 references)
  123. pkts bytes target prot opt in out source destination
  124.  
  125. Chain syn_flood (0 references)
  126. pkts bytes target prot opt in out source destination
  127. root@AP66:~#