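#!/usr/bin/env bash
# Stateful iptables policy for a three-legged firewall.
#
# Interface roles are inferred from the rules below (confirm against the host):
#   eth0 - upstream / Internet side (MASQUERADE applied on egress)
#   eth1 - internal LAN, 172.16.0.0/16 (admins in $NET_ADMINS)
#   eth2 - DMZ, single host 20.0.0.100; firewall's DMZ address 20.0.0.12
#
# Must run as root. Default policy is DROP on all chains, so a rule that fails
# to load leaves the box fail-closed; run from the console, not over SSH,
# unless the adminssh rules are known to load.
#
# Fixes vs. the original paste:
#   - "VAR= value" assigned an empty string and then tried to execute the
#     address as a command, so every "$NET_ADMINS"/"$IP_LOG" rule was
#     installed with a missing argument (or not at all). Assignments now
#     have no space and expansions are quoted.
#   - "iptables -X" ran before "-F"; a non-empty chain cannot be deleted, so
#     stale user chains survived the "flush". Flush first, then delete, for
#     the nat and mangle tables as well.
#   - Loopback was dropped by the INPUT/OUTPUT DROP policies; local
#     services (resolver, syslog, etc.) need lo accepted.
#   - The catch-all SSH LOG rule is rate-limited so a port scan cannot
#     flood the kernel log.
set -eu

# --- site parameters --------------------------------------------------------
IP_LOG=172.16.10.50          # syslog collector reachable from the DMZ host
PORT_LOG=514                 # syslog/udp
NET_CLIENTS=172.16.20.0/24   # not referenced below; kept for operators
NET_ADMINS=172.16.10.0/24    # only source allowed to open SSH sessions
NET_LAN=172.16.0.0/16        # whole internal range (clients + admins)
DMZ_HOST=20.0.0.100          # the one published DMZ server
FW_LAN_IP=172.16.0.11        # firewall address on eth1 (SSH target)
FW_DMZ_IP=20.0.0.12          # firewall address on eth2 (SNAT source)
IF_WAN=eth0
IF_LAN=eth1
IF_DMZ=eth2

# --- reset ------------------------------------------------------------------
# Flush rules before deleting chains: -X refuses non-empty/referenced chains.
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

# --- default policies: deny everything not explicitly allowed ---------------
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# Loopback must be open under a DROP policy or local daemons break.
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Replies to already accepted connections, in every direction.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# --- adminssh: who may open SSH, and log every attempt ----------------------
# Called from INPUT and FORWARD for tcp/22. Only $NET_ADMINS arriving on the
# LAN interface may reach the DMZ host or the firewall itself; anything else
# that lands here is logged (rate-limited) and dropped.
iptables -N adminssh
iptables -A adminssh -i "$IF_LAN" -s "$NET_ADMINS" -d "$DMZ_HOST" \
  -m state --state NEW -j LOG --log-prefix "SSH connexion to DMZ "
iptables -A adminssh -i "$IF_LAN" -s "$NET_ADMINS" -d "$DMZ_HOST" \
  -m state --state NEW -j ACCEPT
iptables -A adminssh -i "$IF_LAN" -s "$NET_ADMINS" -d "$FW_LAN_IP" \
  -m state --state NEW -j LOG --log-prefix "SSH connexion to Firewall "
iptables -A adminssh -i "$IF_LAN" -s "$NET_ADMINS" -d "$FW_LAN_IP" \
  -m state --state NEW -j ACCEPT
# Rate limit: an unauthenticated scanner must not be able to fill the log.
iptables -A adminssh -m limit --limit 5/min --limit-burst 10 -j LOG \
  --log-prefix "ATTENTION - SSH connexion attempt "
iptables -A adminssh -j DROP

# --- FORWARD: DMZ host outbound (HTTP and DNS only) -------------------------
iptables -A FORWARD -i "$IF_DMZ" -o "$IF_WAN" -s "$DMZ_HOST" \
  -m state --state NEW -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -i "$IF_DMZ" -o "$IF_WAN" -s "$DMZ_HOST" \
  -m state --state NEW -p udp --dport 53 -j ACCEPT

# --- FORWARD: LAN -> DMZ host (8080 is the DNAT'd web port, 53 DNS, 110 POP3)
iptables -A FORWARD -i "$IF_LAN" -s "$NET_LAN" -d "$DMZ_HOST" \
  -m state --state NEW -p tcp --dport 8080 -j ACCEPT
iptables -A FORWARD -i "$IF_LAN" -s "$NET_LAN" -d "$DMZ_HOST" \
  -m state --state NEW -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -i "$IF_LAN" -s "$NET_LAN" -d "$DMZ_HOST" \
  -m state --state NEW -p tcp --dport 110 -j ACCEPT

# --- FORWARD: Internet -> DMZ host, SMTP after the DNAT (25 -> 2025) --------
iptables -A FORWARD -i "$IF_WAN" -o "$IF_DMZ" -d "$DMZ_HOST" \
  -m state --state NEW -p tcp --dport 2025 -j ACCEPT

# --- SSH: every tcp/22 packet, forwarded or local, goes through adminssh ----
iptables -A FORWARD -p tcp --dport 22 -j adminssh
iptables -A INPUT -p tcp --dport 22 -j adminssh

# --- ICMP -------------------------------------------------------------------
# LAN may ping the Internet; admins may ping the firewall and the DMZ.
iptables -A FORWARD -i "$IF_LAN" -o "$IF_WAN" -s "$NET_LAN" -p icmp \
  --icmp-type echo-request -j ACCEPT
iptables -A INPUT -i "$IF_LAN" -s "$NET_ADMINS" -p icmp -j ACCEPT
iptables -A FORWARD -i "$IF_LAN" -o "$IF_DMZ" -s "$NET_ADMINS" -p icmp -j ACCEPT

# --- DMZ host -> LAN syslog collector ---------------------------------------
iptables -A FORWARD -i "$IF_DMZ" -o "$IF_LAN" -s "$DMZ_HOST" -d "$IP_LOG" -p udp \
  --dport "$PORT_LOG" -j ACCEPT

# --- NAT --------------------------------------------------------------------
# Hide everything leaving towards the Internet; use the fixed DMZ-side
# address for traffic entering the DMZ.
iptables -t nat -A POSTROUTING -o "$IF_WAN" -j MASQUERADE
iptables -t nat -A POSTROUTING -o "$IF_DMZ" -j SNAT --to-source "$FW_DMZ_IP"
# Published services: SMTP from the Internet, HTTP from the LAN.
iptables -t nat -A PREROUTING -i "$IF_WAN" -p tcp --dport 25 -j DNAT \
  --to-destination "$DMZ_HOST:2025"
iptables -t nat -A PREROUTING -i "$IF_LAN" -p tcp --dport 80 -j DNAT \
  --to-destination "$DMZ_HOST:8080"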