Untitled

a guest
Nov 29th, 2015
  1. #!/bin/bash
  2. clear
  3. iptables -F
  4. #-X : Delete chain.
  5. iptables -X
  6. iptables -t filter -F
  7. iptables -t filter -X
  8. iptables -t nat -F
  9. iptables -t nat -X
  10. iptables -t mangle -F
  11. iptables -t mangle -X
  12.  
  13. #flush ipset
  14. ipset flush
  15. ipset destroy
  16.  
  17. #variables:
  18. DMZ_S=172.16.0.3
  19. FW1_1=172.16.0.1
  20. FW1_2=10.99.0.1
  21. FW2_1=172.16.0.2
  22. FW2_2=192.168.100.1
  23. CORP_ADMIN=192.168.100.100
  24. CORP_SN=192.168.0.0/16
  25. PROD_SN=10.99.0.0/16
  26. DMZ_SN=172.16.0.0/16
  27.  
  28. #ipsets:
  29. #local subnets:
  30. ipset -N LOCALNET nethash
  31. ipset -A LOCALNET 192.168.0.0/16
  32. ipset -A LOCALNET 172.16.0.0/16
  33. ipset -A LOCALNET 10.99.0.0/16
  34. #firewalls:
  35. ipset -N FWS iphash
  36. ipset -A FWS $FW1_1
  37. ipset -A FWS $FW1_2
  38. ipset -A FWS $FW2_1
  39. ipset -A FWS $FW2_2
  40.  
  41. #-P : Set the default policy (such as DROP, REJECT, or ACCEPT).
  42. iptables -P INPUT DROP
  43. iptables -P OUTPUT DROP
  44. iptables -P FORWARD DROP
  45.  
  46. ####### Custom Chains #########
  47. iptables -N INTERNAL
  48. iptables -N EXTERNAL
  49. iptables -N LOGGING
  50.  
  51. iptables -N IN_IN
  52. iptables -N CORP_PROD
  53. iptables -N CORP_DMZ
  54. iptables -N PROD_CORP
  55. iptables -N PROD_DMZ
  56. iptables -N DMZ_PROD
  57. iptables -N DMZ_CORP
  58.  
  59. iptables -N I_IN
  60. iptables -N I_CORP
  61. iptables -N I_PROD
  62. iptables -N I_DMZ
  63.  
  64. iptables -N IN_I
  65. iptables -N CORP_I
  66. iptables -N PROD_I
  67. iptables -N DMZ_I
  68.  
  69. iptables -N SANATIZE
  70.  
  71. ######## NAT + Accept ESTABLISHED/RELATED #####
  72. iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
  73. iptables -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  74. iptables -A FORWARD -j SANATIZE #TODO: SANATIZE
  75. iptables -A FORWARD -m set --match-set LOCALNET dst -j INTERNAL
  76. iptables -A FORWARD -m set ! --match-set LOCALNET dst -j EXTERNAL
  77. iptables -A FORWARD -j LOGGING #TODO: LOGGING
  78. iptables -A FORWARD -m pkttype --pkt-type multicast -o eth0 -j DROP #E7
  79. iptables -A FORWARD -m pkttype --pkt-type multicast -j ACCEPT #E7
  80. iptables -A INPUT -p tcp --dport 22 -s $CORP_ADMIN -j ACCEPT
  81.  
  82.  
  83. ######### INTERNAL #############
  84. iptables -A INTERNAL -m set --match-set LOCALNET src -j IN_IN
  85. iptables -A INTERNAL -m set ! --match-set LOCALNET src -j I_IN
  86. iptables -A INTERNAL -j LOGGING #TODO
  87.  
  88. ############ IN_IN ################
  89. iptables -A IN_IN -s $PROD_SN -d $CORP_SN -j PROD_CORP
  90. iptables -A IN_IN -s $PROD_SN -d $DMZ_SN -j PROD_DMZ
  91. iptables -A IN_IN -s $CORP_SN -d $PROD_SN -j CORP_PROD
  92. iptables -A IN_IN -s $CORP_SN -d $DMZ_SN -j CORP_DMZ
  93. iptables -A IN_IN -s $DMZ_SN -d $CORP_SN -j DMZ_CORP
  94. iptables -A IN_IN -s $DMZ_SN -d $PROD_SN -j DMZ_PROD
  95.  
  96. ########### PROD_CORP #################
  97. iptables -A PROD_CORP -p tcp -s 10.99.0.0/16 -d 192.168.0.0/16 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
  98. iptables -A PROD_CORP -p ICMP --icmp-type 0 -j ACCEPT
  99. iptables -A PROD_CORP -j ACCEPT
  100.  
  101. ########### PROD_DMZ #################
  102. iptables -A PROD_DMZ -p tcp --match multiport --dport 1,7,9,13,17,19,21,25,37,53,79,80,110,113,443,465,990,995,6667 -j ACCEPT
  103. iptables -A PROD_DMZ -p udp --match multiport --dport 7,13,17,19,37,53,123,5353 -j ACCEPT
  104. iptables -A PROD_DMZ -p ICMP --icmp-type 0 -j ACCEPT
  105. itpables -A PROD_DMZ -p tcp --dport 25,80,443 -j ACCEPT
  106. iptables -A PROD_DMZ -p tcp --dport 80 -m quota --quota 12582912 -j DROP
  107. iptables -A PROD_DMZ -p tcp --syn -m connlimit --connlimit-above 4 -j DROP
  108. iptables -A PROD_DMZ -p icmp --icmp-type 0,3,11,12 -j ACCEPT
  109. iptables -A PROD_DMZ -p tcp --dport 22 -s 192.168.100.100 -j ACCEPT
  110. iptables -A PROD_DMZ -limit 4/minute --limit-burst 6/minute -j LOGGING
  111. iptables -A PROD_DMZ -p tcp --dport 22 -s $CORP_ADMIN -j ACCEPT
  112. iptables -A PROD_DMZ -j ACCEPT
  113.  
  114. ########### CORP_PROD #################
  115. iptables -A CORP_PROD -s 192.168.100/24 -d 10.99.0.0/16 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
  116. iptables -A CORP_PROD -s 192.168.0.0/16 -d 10.99.0.0/16 -p tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
  117. iptables -A CORP_PROD -m pkttype --pkt-type multicast -m set --match-set LOCALNET src -j ACCEPT
  118. iptables -A CORP_PROD -p icmp -m set --match-set LOCALNET src -j ACCEPT
  119. iptables -A CORP_PROD -p tcp -j ACCEPT
  120. iptables -A CORP_PROD -p icmp -j ACCEPT
  121. iptables -A CORP_PROD -p udp --dport 53 -m pkttype -pkt-type unicast -j ACCEPT
  122. iptables -A CORP_PROD -j ACCEPT
  123.  
  124. ########### CORP_DMZ #################
  125. itpables -A CORP_DMZ -p tcp --dport 25,80,443 -j ACCEPT
  126. iptables -A CORP_DMZ -p tcp --dport 80 -m quota --quota 12582912 -j DROP
  127. iptables -A CORP_DMZ -p tcp --syn -m connlimit --connlimit-above 4 -j DROP
  128. iptables -A CORP_DMZ -p icmp --icmp-type 0,3,11,12 -j ACCEPT
  129. iptables -A CORP_DMZ -limit 4/minute --limit-burst 6/minute -j LOGGING
  130. iptables -A CORP_DMZ -p tcp --dport 1:1024 -j ACCEPT
  131. iptables -A CORP_DMZ -p udp --dport 1:1024 -j ACCEPT
  132. iptables -A CORP_DMZ -p udp --dport 53 -m pkttype -pkt-type unicast -j ACCEPT
  133. iptables -A CORP_DMZ -j ACCEPT
  134.  
  135. ########### DMZ_PROD #################
  136. #iptables -t mangle -i DMZ_PROD -p tcp --dport 22 -s 172.16.0.0/16 -d 10.99.0.0/16 -j CLASSIFY --set-class 1:12
  137. iptables -A DMZ_PROD -m pkttype --pkt-type multicast -j ACCEPT
  138. iptables -A DMZ_PROD -p icmp -m set --match-set LOCALNET src -j ACCEPT
  139. iptables -A DMZ_PROD -j LOG_DMZ
  140. iptables -A DMZ_PROD -j ACCEPT
  141.  
  142. ########### DMZ_CORP #################
  143. iptables -A DMZ_CORP -p TCP --dport 22 -d 192.168.100.100 -j ACCEPT
  144. iptables -A DMZ_CORP -j LOG_DMZ
  145. iptables -A DMZ_CORP -d $CORP_ADMIN --sport 22 -s 172.16.0.3 -j ACCEPT
  146. iptables -A DMZ_CORP -j ACCEPT
  147.  
  148. ############ I_IN ################
  149. iptables -A I_IN -d $CORP_SN -j I_CORP
  150. iptables -A I_IN -d $PROD_SN -j I_PROD
  151. iptables -A I_IN -d $DMZ_SN -j I_DMZ
  152.  
  153. ############ I_CORP ############
  154. iptables -A I_CORP -d 192.168.100/28 -p tcp --dport 22 -j ACCEPT
  155. iptables -A I_CORP -j ACCEPT
  156.  
  157. ############ I_PROD ############
  158. iptables -A I_PROD -p icmp --icmp-type 0 -m set ! --match-set LOCALNET src -j ACCEPT
  159. iptables -A I_PROD -j ACCEPT
  160.  
  161. ############ I_DMZ ############
  162. iptables -A I_DMZ -p udp --dport 53 -j DROP
  163. itpables -A I_DMZ -p tcp --dport 25,80,443 -j ACCEPT
  164. iptables -A I_DMZ -p tcp --dport 80 -m quota --quota 12582912 -j DROP
  165. iptables -A I_DMZ -p tcp --syn -m connlimit --connlimit-above 4 -j DROP
  166. iptables -A I_DMZ -p icmp --icmp-type 3,11,12 -j ACCEPT
  167. iptables -A I_DMZ -limit 4/minute --limit-burst 6/minute -j LOGGING
  168. iptables -A I_DMZ -j ACCEPT
  169.  
  170. ######### EXTERNAL #############
  171. iptables -A EXTERNAL -s $PROD_SN -j PROD_I
  172. iptables -A EXTERNAL -s $CORP_SN -j CORP_I
  173. iptables -A EXTERNAL -s $DMZ_SN -j DMZ_I
  174.  
  175. ########### PROD_I ############
  176. iptables -A PROD_I -p udp --dport 53 -j ACCEPT
  177. iptables -A PROD_I -p tcp --dport 1:1024 -j ACCEPT
  178. iptables -A PROD_I -p ICMP --icmp-type 0 -j ACCEPT
  179. iptables -A PROD_I -j LOGGING
  180. iptables -A PROD_I -j ACCEPT
  181.  
  182. ########### CORP_I ############
  183. iptables -A CORP_I -p tcp --dport 1025:65535 --sport 1025:65535 -j DENY
  184. iptables -A CORP_I -p udp --dport 53 -m pkttype -pkt-type unicast -j ACCEPT
  185. iptables -A CORP_I -j ACCEPT
  186.  
  187. ########### DMZ_I ############
  188. iptables -A DMZ_I -p udp --dport 53 -d 8.8.8.8 -j ACCEPT
  189. iptables -A DMZ_I -j LOG_DMZ
  190. iptables -A DMZ_I -j ACCEPT
  191.  
  192. watch -n 2 -d iptables -nvL