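#!/bin/sh
#
# Stateful iptables firewall for a small gateway.
#
# What it does, in order:
#   1. flushes every rule and sets the INPUT/OUTPUT/FORWARD policy to DROP
#   2. loads the connection-tracking / NAT kernel modules
#   3. installs per-chain rules: INVALID -> log+drop, ESTABLISHED,RELATED
#      -> accept, anti-spoofing on the internal interface, a short ACCEPT
#      list, and a catch-all LOG rule
#   4. SNATs the 10.8.0.0/24 network behind a fixed public address
#   5. enables IPv4 forwarding and prints the resulting ruleset
#
# Must run as root.  Usage: sh firewall.sh
#
# Because the DROP policies are applied *before* the ACCEPT rules, a failure
# half-way through leaves the box unreachable; every iptables call therefore
# aborts the script with a message on stderr instead of being ignored.
#
# NOTE(review): interface roles (eth0 = internal, eth1 = forwarding side),
# the networks and the SNAT address are the original script's values;
# confirm them against the actual deployment before use.

set -eu

IPTABLES=/sbin/iptables
MODPROBE=/sbin/modprobe
INT_NET=192.168.10.0/24   # internal LAN; anything else on eth0/eth1 is spoofed
VPN_NET=10.8.0.0/24       # network that is forwarded and SNATed
SNAT_IP=208.111.35.80     # public address used as the SNAT source

# die MSG...: print MSG to stderr and exit non-zero.
die() {
  printf '[!] %s\n' "$*" >&2
  exit 1
}

# fw ARGS...: run iptables with ARGS, aborting on any error (see header).
fw() {
  "$IPTABLES" "$@" || die "iptables $* failed"
}

# load_modules: load conntrack/NAT helpers.  Newer kernels call them
# nf_conntrack*/nf_nat_*, older ones ip_conntrack*/ip_nat_*; try the modern
# name first.  A missing module is not fatal because the feature may be
# built into the kernel.
load_modules() {
  "$MODPROBE" nf_conntrack 2>/dev/null || "$MODPROBE" ip_conntrack 2>/dev/null || true
  "$MODPROBE" iptable_nat 2>/dev/null || true
  # FTP helpers: on recent kernels automatic helper assignment is disabled
  # and a CT/--helper rule is needed for these to take effect -- confirm.
  "$MODPROBE" nf_conntrack_ftp 2>/dev/null || "$MODPROBE" ip_conntrack_ftp 2>/dev/null || true
  "$MODPROBE" nf_nat_ftp 2>/dev/null || "$MODPROBE" ip_nat_ftp 2>/dev/null || true
}

# state_rules CHAIN: log and drop INVALID packets, accept the rest of
# already-tracked connections.  Identical for INPUT, OUTPUT and FORWARD.
state_rules() {
  fw -A "$1" -m state --state INVALID -j LOG --log-prefix "DROP INVALID " \
    --log-ip-options --log-tcp-options
  fw -A "$1" -m state --state INVALID -j DROP
  fw -A "$1" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# antispoof CHAIN IFACE: log and drop packets entering IFACE whose source is
# not in INT_NET.  Uses the current "! -s" negation syntax; the old
# "-s ! ADDR" form is rejected by modern iptables.
antispoof() {
  fw -A "$1" -i "$2" ! -s "$INT_NET" -j LOG --log-prefix "SPOOFED PKT "
  fw -A "$1" -i "$2" ! -s "$INT_NET" -j DROP
}

# log_default CHAIN IFFLAG: catch-all LOG rule for everything not on the
# loopback interface; IFFLAG is -i (INPUT/FORWARD) or -o (OUTPUT).  The
# chain policy then drops the packet.
log_default() {
  fw -A "$1" ! "$2" lo -j LOG --log-prefix "DROP " \
    --log-ip-options --log-tcp-options
}

main() {
  [ "$(id -u)" -eq 0 ] || die "this script must run as root"

  ### flush existing rules and set chain policy to DROP
  echo "[+] Flushing existing iptables rules..."
  fw -F
  fw -F -t nat
  fw -X
  fw -P INPUT DROP
  fw -P OUTPUT DROP
  fw -P FORWARD DROP

  ### load connection-tracking modules
  load_modules

  ###### INPUT chain ######
  echo "[+] Setting up INPUT chain..."
  state_rules INPUT
  antispoof INPUT eth0
  fw -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
  # DNS replies are accepted only as part of a tracked query.  An
  # unconditional "--sport 53" ACCEPT would let any host reach any UDP port
  # simply by sending from source port 53.
  fw -A INPUT -i eth0 -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
  fw -A INPUT -i eth0 -p tcp --dport 6789 -m state --state NEW,ESTABLISHED -j ACCEPT
  fw -A INPUT -i eth0 -p tcp --dport 8899 -m state --state NEW,ESTABLISHED -j ACCEPT
  log_default INPUT -i

  ###### OUTPUT chain ######
  echo "[+] Setting up OUTPUT chain..."
  state_rules OUTPUT
  # outbound DNS queries plus replies from the two local TCP services
  fw -A OUTPUT -o eth0 -p udp --dport 53 -j ACCEPT
  fw -A OUTPUT -o eth0 -p tcp --sport 6789 -m state --state ESTABLISHED -j ACCEPT
  fw -A OUTPUT -o eth0 -p tcp --sport 8899 -m state --state ESTABLISHED -j ACCEPT
  log_default OUTPUT -o

  ###### FORWARD chain ######
  echo "[+] Setting up FORWARD chain..."
  state_rules FORWARD
  antispoof FORWARD eth1
  fw -A FORWARD -s "$VPN_NET" -j ACCEPT
  # Log before rejecting: the original placed "-j REJECT" ahead of the LOG
  # rule, which made the log rule unreachable.  REJECT (rather than the
  # DROP policy) answers the sender with an ICMP error.
  log_default FORWARD -i
  fw -A FORWARD -j REJECT

  ###### NAT rules ######
  echo "[+] Setting up NAT rules..."
  fw -t nat -A POSTROUTING -s "$VPN_NET" -j SNAT --to-source "$SNAT_IP"

  ###### forwarding ######
  echo "[+] Enabling IP forwarding..."
  echo 1 > /proc/sys/net/ipv4/ip_forward || die "cannot enable ip_forward"

  # List rules; -n avoids reverse DNS lookups that can stall the listing.
  "$IPTABLES" -L -v -n
}

main "$@"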