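#!/sbin/runscript
# OpenRC service script: NAT router plus host firewall built from iptables rules.
# Standard commands: start, stop, restart. Extra commands defined further down:
# flush, reset, save, load.
# NOTE(review): no extra_commands (or legacy opts) declaration is visible in this
#   file; confirm OpenRC actually exposes flush/reset/save/load as commands.

# Main interfaces
IF_WAN='eth0'
IF_LAN='br0'
# Address currently bound to the WAN interface, parsed from ifconfig output.
# It is not referenced anywhere else in this file; if ifconfig is missing or the
# interface is down the variable is simply empty.
IP_WAN=$(ifconfig "${IF_WAN}" | awk '/inet addr/ {split ($2,A,":"); print A[2]}')
IP_LAN='192.168.1.1'
LAN='192.168.1.0/24'
# Hosts for port forwarding
caspair="192.168.1.2" # Desktop
sachiel="192.168.1.4"
iruel="192.168.1.10" # Windows Server 2003
# Getting DNS server addresses.
# Only lines whose first field is "nameserver" count (a comment mentioning the word
# is ignored), and tab-separated entries are handled, which cut -d' ' was not.
# start() later splices these addresses unquoted into iptables rules, so this file
# must stay writable by root only.
DNS=$(awk 'tolower($1) == "nameserver" {print $2}' /etc/resolv.conf)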
- ################################################################
depend() {
  # OpenRC dependency hook: order this service after net.eth0 and net.br0 when
  # those are scheduled, without hard-requiring them ("use", not "need").
  use net.eth0 net.br0
}
start() {
  # Build the whole ruleset from scratch: default-deny INPUT/FORWARD, NAT for the
  # LAN behind IF_WAN, a set of hardening sysctls, then per-service openings.
  # Rules are only appended (-A); there is no flush here, so running start twice
  # appends duplicates. reset() flushes first, restart() goes through stop().
  # port_open and port_forward are defined at the bottom of this file; that is
  # fine because the file is sourced completely before start is invoked.
  ebegin "Running Routing and Firewall configuration"
  /sbin/modprobe iptable_filter
  /sbin/modprobe xt_state
  # Firewall: drop inbound and forwarded traffic by default, allow all outbound.
  # The DROP policy takes effect before any accept rule below exists, so a session
  # coming in over IF_WAN stalls until the RELATED,ESTABLISHED rule is added.
  iptables -P INPUT DROP
  iptables -P FORWARD DROP
  iptables -P OUTPUT ACCEPT
  # Routing and masquerade: LAN hosts leave via IF_WAN with its address.
  echo "1" > /proc/sys/net/ipv4/ip_forward
  iptables -t nat -A POSTROUTING -o $IF_WAN -j MASQUERADE
  iptables -A FORWARD -i $IF_LAN -j ACCEPT
  # NOTE(review): -f matches every non-first fragment regardless of source or
  # interface, so fragments bypass the FORWARD policy. Once conntrack is loaded
  # (below) the kernel reassembles before filtering, which makes this rule
  # unnecessary; consider removing it.
  iptables -A FORWARD -f -j ACCEPT
  # ICMP Ping blocking (disabled; echo requests are handled by the INPUT policy)
  #echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
  # iptables -A INPUT -p icmp -j ACCEPT
  # SYN flooding protection
  echo "1" > /proc/sys/net/ipv4/tcp_syncookies
  # Smurf attack protection
  echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
  # Ignore ICMP errors
  echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
  # Log weird packets (disabled)
  #echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
  # IP Conntrack
  /sbin/modprobe xt_conntrack
  /sbin/modprobe nf_conntrack_ftp
  # IRC
  #/sbin/modprobe nf_nat_irc
  #/sbin/modprobe nf_conntrack_irc
  #/sbin/modprobe ip_nat_irc
  #/sbin/modprobe ip_conntrack_irc
  # Local interface
  # NOTE(review): these match on source address only, not on -i lo, so a packet
  # arriving on $IF_WAN with a forged 127.0.0.1 source would also match. The
  # kernel normally drops such martians, but "-i lo -j ACCEPT" is the usual form.
  iptables -A INPUT -s 127.0.0.1 -j ACCEPT
  iptables -A FORWARD -s 127.0.0.1 -j ACCEPT
  # Local network
  # NOTE(review): same pattern: address-only matching, no "-i $IF_LAN". The
  # "-d $LAN" rule accepts anything addressed to the LAN range on any interface.
  iptables -A INPUT -s $LAN -j ACCEPT
  iptables -A INPUT -d $LAN -j ACCEPT
  iptables -A FORWARD -s $LAN -j ACCEPT
  # Blocked sites (disabled)
  #iptables -A INPUT -s 4chan.org -j DROP
  #iptables -A OUTPUT -d 4chan.org -j DROP
  # Samba (TCP 137-139 only; already covered by the -s $LAN rule above)
  iptables -A INPUT -p tcp -s $LAN --dport 137:139 -j ACCEPT
  # Sane
  iptables -A INPUT -p tcp -s $LAN --dport 6566 -j ACCEPT
  # Passive ON: stateful accept of replies and helper-related connections.
  iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
  # DNS
  # NOTE(review): this accepts *all* traffic from each resolver address, every
  # protocol and port, on INPUT and in both FORWARD directions. Replies to our
  # own queries are already matched by the RELATED,ESTABLISHED rules above, so
  # these could be narrowed to "-p udp --sport 53" / "-p tcp --sport 53" or
  # dropped. ${DNS} is expanded unquoted on purpose: one address per word.
  for SERVER in ${DNS}
  do
    iptables -A INPUT -s $SERVER -j ACCEPT
    iptables -A FORWARD -s $SERVER -j ACCEPT
    iptables -A FORWARD -d $SERVER -j ACCEPT
  done
  # rtorrent: inbound from the WAN to this host.
  iptables -A INPUT -p TCP --dport 6881:6999 -i $IF_WAN -j ACCEPT
  iptables -A INPUT -p UDP --dport 6881 -i $IF_WAN -j ACCEPT
  iptables -A INPUT -p TCP --dport 7000:7100 -i $IF_WAN -j ACCEPT
  iptables -A INPUT -p UDP --dport 7101 -i $IF_WAN -j ACCEPT
  # HTTP (port_open: accept on $IF_WAN from anywhere, for this host)
  port_open tcp 80
  port_open udp 80
  # PostgreSQL
  #port_open tcp 5432
  #port_open udp 5432
  # SSH
  port_open tcp 6666
  port_open udp 6666
  # Icecast
  port_open tcp 8000
  port_open udp 8000
  # MPD
  port_open tcp 6600 8000
  port_open udp 6600 8000
  # Team Speak
  #port_open tcp 51234 8767
  #port_open udp 51234 8767
  ########### Port Forwarding ###########
  # port_forward PROTO [DEST] PORT...: a FORWARD accept per port from $IF_WAN to
  # $IF_LAN, plus a DNAT to DEST when a non-numeric DEST argument is given.
  # DNS
  #port_forward tcp $iruel 53
  #port_forward udp $iruel 53
  # HTTP: no destination, so only the FORWARD accept is added, no DNAT.
  port_forward tcp 80
  port_forward udp 80
  # FTP (control and data are TCP; the udp pair is most likely dead rules)
  port_forward tcp $caspair 20 21
  port_forward udp $caspair 20 21
  # NOTE(review): ip_nat_ftp is the pre-2.6.2x module name; flush() removes
  # nf_nat_ftp. Only one of the two can be right for this kernel — confirm.
  /sbin/modprobe ip_nat_ftp
  # Poczta (mail)
  # SMTP POP3: no destination, FORWARD accept only.
  port_forward tcp 25 110
  port_forward udp 25 110
  # Kadu (https)
  port_forward tcp $caspair 442 8074
  port_forward udp $caspair 442 8074
  # Kadu - DCC
  port_forward tcp $caspair 1550
  # VNC Server
  #port_forward tcp $caspair 5666 5900
  #port_forward udp $caspair 5666 5900
  # Jabber
  #port_forward tcp $caspair 5222 5223
  #port_forward udp $caspair 5222 5223
  # Gnutella
  port_forward tcp $caspair 6346
  port_forward udp $caspair 6346
  # aMule
  port_forward tcp $caspair 4661 4663 4711
  port_forward udp $caspair 4661 4663 4672 4665
  # Skype
  port_forward tcp $caspair 6533
  port_forward udp $caspair 6533
  # Portal 2
  port_forward tcp $caspair 27015
  port_forward udp $caspair 27015
  # Supreme Commander
  port_forward tcp $caspair 2007
  port_forward udp $caspair 2007
  # Shogun
  port_forward tcp $caspair 8797 8793 18321
  port_forward udp $caspair 8797 8793 18321
  # Tzar
  port_forward tcp $caspair 23077 23078 23079
  port_forward udp $caspair 23077 23078 23079
  # Defcon Service
  port_forward tcp $caspair 5010 5011
  port_forward udp $caspair 5010 5011
  # Torrent
  port_forward tcp $caspair 6881
  port_forward udp $caspair 6881
  # sachiel
  port_forward tcp $sachiel 6882
  port_forward udp $sachiel 6882
  # Hamachi
  port_forward tcp $caspair 67 68 1358 2587
  port_forward udp $caspair 67 68 1358 2587
  # $? here is only the status of the last port_forward call; failures of any
  # earlier iptables/modprobe/echo above are not reported through eend.
  eend $?
}
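flush() {
  # Remove every rule in the filter and nat tables and reset the default policies
  # to ACCEPT, then unload the netfilter modules start() loaded.
  # After this returns the host accepts everything on every interface until
  # start() runs again (fail-open); stop() and reset() both go through here.
  # Only the status of the last rmmod reaches eend.
  ebegin "Erasing Routing and Firewall configuration"
  iptables -P INPUT ACCEPT
  iptables -P FORWARD ACCEPT
  iptables -P OUTPUT ACCEPT
  iptables -t nat -F
  # -F/-X/-Z without -t act on the filter table only; the nat table is flushed
  # above but its user chains and counters are left alone (none are created here).
  iptables -F
  iptables -X
  iptables -Z
  rmmod iptable_filter
  # NOTE(review): start() loads ip_nat_ftp but this removes nf_nat_ftp; the
  # names belong to different kernel generations, so one of the two is a no-op
  # on any given kernel — confirm which one applies here.
  rmmod nf_nat_ftp
  rmmod xt_conntrack
  rmmod nf_conntrack_ftp
  rmmod xt_state
  eend $?
}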
reset() {
  # reset all settings: flush the tables, then rebuild them with start().
  # Unlike stop(), flush() leaves the sysctls (ip_forward, syncookies, ...)
  # untouched, so they keep their start() values throughout.
  # $? passed to eend is the status of start()'s last command.
  ebegin "Resetting Routing and Firewall configuration"
  flush
  start
  eend $?
}
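save() {
  # Persist the live ruleset with iptables-save.
  # Arguments: $2 - optional destination path; /etc/iptables/iptables_conf when empty
  # Returns:   status of iptables-save, via eend
  # NOTE(review): this reads the function's *second* positional parameter. OpenRC
  #   appears to invoke extra commands without arguments, so $2 is probably always
  #   empty here — confirm how this is meant to be called.
  # The destination is written as root; only accept paths you trust.
  local target
  # "$2" must be quoted: an unquoted empty expansion turns the test into
  # "[ -n ]", which is always true and would redirect into an empty name.
  if [ -n "$2" ]; then
    target=$2
    ebegin "Saving Routing and Firewall configuration to $target"
  else
    target=/etc/iptables/iptables_conf
    ebegin "Saving Routing and Firewall configuration"
  fi
  iptables-save > "$target"
  eend $?
}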
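load() {
  # Replace the live ruleset with a previously saved one via iptables-restore.
  # Arguments: $2 - optional source path; /etc/iptables/iptables_conf when empty
  # Returns:   status of iptables-restore, via eend
  # NOTE(review): reads the function's *second* positional parameter, like save();
  #   OpenRC appears to invoke extra commands without arguments — confirm.
  # The file is applied as root without validation; load only trusted rulesets.
  local source_file
  # Quoted "$2": an unquoted empty expansion would make "[ -n ]" always true.
  if [ -n "$2" ]; then
    source_file=$2
    ebegin "Loading Routing and Firewall configuration from $source_file"
  else
    source_file=/etc/iptables/iptables_conf
    ebegin "Loading Routing and Firewall configuration"
  fi
  iptables-restore < "$source_file"
  eend $?
}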
restart() {
  # Full restart: stop() (flush + sysctls back to 0) followed by start().
  # This overrides OpenRC's built-in restart, which would also call stop/start.
  # $? passed to eend is the status of start()'s last command.
  ebegin "Restarting Routing and Firewall configuration"
  stop
  start
  eend $?
}
stop() {
  # Stop: flush the tables (policies become ACCEPT), stop forwarding, and turn
  # the hardening sysctls off again.
  # Note that after this the host is fully open and SYN cookies / broadcast-echo
  # protection are disabled, not merely "not enforced" (fail-open).
  # icmp_echo_ignore_all and log_martians are zeroed although start() never sets
  # them (those lines are commented out there), so any value configured elsewhere
  # for them is overridden here.
  ebegin "Stopping Routing and Firewall configuration"
  flush
  echo "0" > /proc/sys/net/ipv4/ip_forward
  echo "0" > /proc/sys/net/ipv4/icmp_echo_ignore_all
  echo "0" > /proc/sys/net/ipv4/tcp_syncookies
  echo "0" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
  echo "0" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
  echo "0" > /proc/sys/net/ipv4/conf/all/log_martians
  eend $?
}
- ########### Functions ###########
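#######################################
# True when the arguments, joined by a space, form a non-empty run of digits.
# Arguments: the value to test (callers pass a single word)
# Returns:   0 when numeric, 1 otherwise (empty, signs, dots, spaces, letters)
# Uses a shell pattern instead of spawning echo|grep; also no longer word-splits
# or globs its input the way the unquoted "echo $*" did.
#######################################
is_numeric() {
  case "$*" in
    '' | *[!0-9]*) return 1 ;;
  esac
  return 0
}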
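#######################################
# Allow (and optionally DNAT) inbound WAN traffic on the given ports.
# Globals:   IF_WAN, IF_LAN (read)
# Arguments: $1 - protocol (tcp/udp)
#            $2 - optional destination host; detected as "not numeric"
#            remaining - one or more destination ports
# Outputs:   iptables rules; returns 1 on too few arguments
# With a destination, a PREROUTING DNAT to DEST:PORT is added per port. Without
# one (e.g. "port_forward tcp 80") only the FORWARD accept is added.
# NOTE(review): the FORWARD accept is not restricted to "-d $dest", so it admits
#   that port towards any LAN host, not only the DNAT target.
#######################################
port_forward() {
  local prot dest port
  # Guard against a bare "port_forward tcp": shift past the end is an error.
  if [ $# -lt 2 ]; then
    printf 'port_forward: usage: port_forward PROTO [DEST] PORT...\n' >&2
    return 1
  fi
  prot=$1
  shift
  dest=""
  if ! is_numeric "$1"; then
    dest=$1
    shift
  fi
  for port in "$@"; do
    iptables -A FORWARD -p "$prot" -i "$IF_WAN" -o "$IF_LAN" --dport "$port" -j ACCEPT
    # "$dest" must be quoted: the unquoted "[ -n $dest ]" is always true, which
    # made every no-destination call emit a DNAT with an empty address.
    if [ -n "$dest" ]; then
      iptables -t nat -A PREROUTING -p "$prot" -i "$IF_WAN" --dport "$port" -j DNAT --to-destination "$dest:$port"
    fi
  done
}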
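#######################################
# Accept inbound traffic to this host on the given ports from the WAN side.
# Globals:   IF_WAN (read)
# Arguments: $1 - protocol (tcp/udp)
#            remaining - one or more destination ports
# Outputs:   one INPUT accept rule per port; returns 1 when no protocol is given
# "-s 0.0.0.0/0" matches every source and is kept only so the emitted rules stay
# identical to the previous ones.
#######################################
port_open() {
  local prot port
  # Guard against a bare "port_open": shift past the end is an error.
  if [ $# -lt 1 ]; then
    printf 'port_open: usage: port_open PROTO PORT...\n' >&2
    return 1
  fi
  prot=$1
  shift
  for port in "$@"; do
    iptables -A INPUT -i "$IF_WAN" -p "$prot" -s 0.0.0.0/0 --dport "$port" -j ACCEPT
  done
}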