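#!/bin/sh
#
# Stateful iptables firewall for a small gateway host.
#
#   * default policy DROP on INPUT, OUTPUT and FORWARD
#   * connection tracking (plus the FTP helpers) so replies are accepted
#   * anti-spoofing on the LAN-facing interface
#   * two local TCP services (6789, 8899) reachable from the LAN
#   * a 10.8.0.0/24 client network forwarded and SNATed to a public address
#
# Must run as root.  Re-running is safe: existing rules are flushed first.
#
# Defects fixed relative to the original paste (each marked NOTE below):
#   - the three "DROP INVALID" LOG rules were split across two lines with an
#     unterminated quote, so the original script did not parse at all
#   - loopback traffic was never ACCEPTed; under a DROP policy that silently
#     breaks every local service (the original only excluded lo from logging)
#   - a stateless "accept any UDP with source port 53" rule let anyone reach
#     any UDP port by sending from port 53; ESTABLISHED already covers DNS
#     replies, so the rule is removed
#   - the FORWARD LOG rule sat *after* the REJECT and was unreachable
#   - policies are now set to DROP before flushing, closing the brief window
#     in which the tables were empty under the previous (ACCEPT) policy
#   - inverted matches use '! -s' / '! -i'; the '-s !' form is rejected by
#     current iptables releases
#   - hard-coded networks/addresses moved into variables; '$IPTABLES' is used
#     consistently instead of a mix with bare 'iptables'

set -u

IPTABLES=/sbin/iptables
MODPROBE=/sbin/modprobe
INT_NET=192.168.10.0/24      # LAN behind this host
VPN_NET=10.8.0.0/24          # client network that is forwarded and SNATed
EXT_IP=208.111.35.80         # public source address used for SNAT

### lock down first, then flush: with DROP already in place there is no
### moment where empty chains run under the old (typically ACCEPT) policy

echo "[+] Setting default policies to DROP and flushing existing rules..."
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -F
$IPTABLES -F -t nat
$IPTABLES -X

### load connection-tracking modules
### NOTE(review): these are the legacy (pre-nf_*) module names from the
### original; on recent kernels they may only exist as aliases or not at
### all.  '-m state' autoloads conntrack anyway, so a failure is reported
### but not treated as fatal.

for mod in ip_conntrack iptable_nat ip_conntrack_ftp ip_nat_ftp; do
  $MODPROBE "$mod" || echo "[!] could not load module $mod (renamed or built in?)" >&2
done

###### INPUT chain ######

echo "[+] Setting up INPUT chain..."

### loopback: required for local services; the DROP policy would otherwise
### silently break them (only ESTABLISHED replies got through before)
$IPTABLES -A INPUT -i lo -j ACCEPT

### state tracking rules: log+drop what conntrack cannot classify, accept
### the remainder of flows that are already tracked

$IPTABLES -A INPUT -m state --state INVALID -j LOG --log-prefix "DROP INVALID " \
  --log-ip-options --log-tcp-options
$IPTABLES -A INPUT -m state --state INVALID -j DROP
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

### anti-spoofing rules: only LAN source addresses may arrive on eth0
### NOTE(review): INPUT checks eth0 while FORWARD below checks eth1 — confirm
### which interface actually faces $INT_NET; they are probably meant to match.

$IPTABLES -A INPUT -i eth0 ! -s "$INT_NET" -j LOG --log-prefix "SPOOFED PKT "
$IPTABLES -A INPUT -i eth0 ! -s "$INT_NET" -j DROP

### ACCEPT rules

# echo-request from anywhere; the reply leaves via OUTPUT as ESTABLISHED
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

# NOTE(review): the original had '-p udp --sport 53 -j ACCEPT' here without a
# state match.  DNS replies are already accepted by the ESTABLISHED rule, and
# the stateless rule let any remote host reach any local UDP port just by
# sending from source port 53, so it has been removed.

# local TCP services reachable from the LAN interface only
$IPTABLES -A INPUT -i eth0 -p tcp --dport 6789 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -i eth0 -p tcp --dport 8899 -m state --state NEW,ESTABLISHED -j ACCEPT

### default INPUT LOG rule (the chain policy does the actual dropping)

$IPTABLES -A INPUT ! -i lo -j LOG --log-prefix "DROP " --log-ip-options --log-tcp-options

###### OUTPUT chain ######

echo "[+] Setting up OUTPUT chain..."

### loopback, see INPUT
$IPTABLES -A OUTPUT -o lo -j ACCEPT

### state tracking rules

$IPTABLES -A OUTPUT -m state --state INVALID -j LOG --log-prefix "DROP INVALID " \
  --log-ip-options --log-tcp-options
$IPTABLES -A OUTPUT -m state --state INVALID -j DROP
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

### connections the host itself may open: only DNS queries over UDP.
### The two --sport rules only match ESTABLISHED traffic, which the rule
### above already accepts; they are kept to document the intent explicitly.

$IPTABLES -A OUTPUT -o eth0 -p udp --dport 53 -j ACCEPT
$IPTABLES -A OUTPUT -o eth0 -p tcp --sport 6789 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -o eth0 -p tcp --sport 8899 -m state --state ESTABLISHED -j ACCEPT

### default OUTPUT LOG rule

$IPTABLES -A OUTPUT ! -o lo -j LOG --log-prefix "DROP " --log-ip-options --log-tcp-options

###### FORWARD chain ######

echo "[+] Setting up FORWARD chain..."

### state tracking rules

$IPTABLES -A FORWARD -m state --state INVALID -j LOG --log-prefix "DROP INVALID " \
  --log-ip-options --log-tcp-options
$IPTABLES -A FORWARD -m state --state INVALID -j DROP
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

### anti-spoofing rules: only LAN source addresses may be forwarded in on eth1

$IPTABLES -A FORWARD -i eth1 ! -s "$INT_NET" -j LOG --log-prefix "SPOOFED PKT "
$IPTABLES -A FORWARD -i eth1 ! -s "$INT_NET" -j DROP

### ACCEPT rules: only the VPN client network may originate forwarded flows.
### (The original repeated the ESTABLISHED,RELATED accept here; it is already
### matched above and has been dropped as redundant.)
### NOTE(review): $VPN_NET is not within $INT_NET, so with the anti-spoofing
### rule above this traffic can only be forwarded if it arrives on an
### interface other than eth1 (e.g. a tunnel device) — confirm the topology.

$IPTABLES -A FORWARD -s "$VPN_NET" -j ACCEPT

### default log rule, then an explicit REJECT.  In the original the REJECT
### preceded the LOG rule, so nothing forwarded was ever logged.

$IPTABLES -A FORWARD ! -i lo -j LOG --log-prefix "DROP " --log-ip-options --log-tcp-options
$IPTABLES -A FORWARD -j REJECT

###### NAT rules ######

echo "[+] Setting up NAT rules..."

### NOTE(review): no '-o <external interface>' restriction, so VPN clients
### are SNATed on every egress interface, including towards the LAN.  Add
### '-o' once the external interface is confirmed.
$IPTABLES -t nat -A POSTROUTING -s "$VPN_NET" -j SNAT --to-source "$EXT_IP"

###### forwarding ######

echo "[+] Enabling IP forwarding..."

echo 1 > /proc/sys/net/ipv4/ip_forward

#
# List rules.  -n avoids reverse DNS lookups, which would otherwise stall
# the listing now that outbound traffic is restricted.
#
$IPTABLES -L -v -n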