  1. ##Flush iptables
  2. #Delete empty chain
  3. iptables -X
  4. #Delete existing rules
  5. iptables -F
  6. #Delete table nat rules
  7. iptables -t nat -F
  8. #Delete table mangle rules
  9. iptables -t mangle -F
  10.  
  11. IP_LOG= 172.16.10.50
  12. PORT_LOG=514
  13. NET_CLIENTS= 172.16.20.0/24
  14. NET_ADMINS= 172.16.10.0/24
  15.  
  16. ##Set the default chain policies
  17. #Block Input traffic
  18. iptables -P INPUT DROP
  19. #Block Forward traffic
  20. iptables -P FORWARD DROP
  21. #Block Output traffic
  22. iptables -P OUTPUT DROP
  23.  
  24. #Input rule for accepting connections
  25. iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  26. #Forword rule for accepting connection matching state
  27. iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  28. #Output rule for accepting connection matching state
  29. iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  30.  
  31. #Create a new channel named adminssh
  32. iptables -N adminssh
  33. #Add the rule to adminssh to log the source packages $NET_ADMINS on eth1 for the destination 20.0.0.100 mattcing state NEW
  34. iptables -A adminssh -i eth1 -s $NET_ADMINS -d 20.0.0.100 \
  35. -m state --state NEW -j LOG --log-prefix "SSH connexion to DMZ "
  36. #Add the rule to adminssh to accept source packets $NET_ADMINS on eth1 for destination 20.0.0.100 mattching state NEW
  37. iptables -A adminssh -i eth1 -s $NET_ADMINS -d 20.0.0.100 \
  38. -m state --state NEW -j ACCEPT
  39. #Add the rule to adminssh to log the source packages $NET_ADMINS on eth1 for the destination 172.16.0.11 mattching the state NEW
  40. iptables -A adminssh -i eth1 -s $NET_ADMINS -d 172.16.0.11 \
  41. -m state --state NEW -j LOG --log-prefix "SSH connexion to Firewall "
  42. #Add the rule to adminssh to accept $NET_ADMINS source packets on eth1 for destination 172.16.0.11 mattching state NEW
  43. iptables -A adminssh -i eth1 -s $NET_ADMINS -d 172.16.0.11 \
  44. -m state --state NEW -j ACCEPT
  45. #Add the rule to adminssh to log packets
  46. iptables -A adminssh -j LOG \
  47. --log-prefix "ATTENTION - SSH connexion attempt "
  48. #Add the rule to adminssh to drop all packets if match any rule
  49. iptables -A adminssh -j DROP
  50.  
  51. iptables -A FORWARD -i eth2 -o eth0 -s 20.0.0.100 \
  52. -m state --state NEW -p tcp --dport 80 -j ACCEPT
  53. iptables -A FORWARD -i eth2 -o eth0 -s 20.0.0.100 \
  54. -m state --state NEW -p udp --dport 53 -j ACCEPT
  55. iptables -A FORWARD -i eth1 -s 172.16.0.0/16 -d 20.0.0.100 \
  56. -m state --state NEW -p tcp --dport 8080 -j ACCEPT
  57. iptables -A FORWARD -i eth1 -s 172.16.0.0/16 -d 20.0.0.100 \
  58. -m state --state NEW -p udp --dport 53 -j ACCEPT
  59. iptables -A FORWARD -i eth1 -s 172.16.0.0/16 -d 20.0.0.100 \
  60. -m state --state NEW -p tcp --dport 110 -j ACCEPT
  61. iptables -A FORWARD -i eth0 -o eth2 -d 20.0.0.100 \
  62. -m state --state NEW -p tcp --dport 2025 -j ACCEPT
  63. iptables -A FORWARD -p tcp --dport 22 -j adminssh
  64. iptables -A INPUT -p tcp --dport 22 -j adminssh
  65. iptables -A FORWARD -i eth1 -o eth0 -s 172.16.0.0/16 -p icmp \
  66. --icmp-type echo-request -j ACCEPT
  67. iptables -A INPUT -i eth1 -s $NET_ADMINS -p icmp -j ACCEPT
  68. iptables -A FORWARD -i eth1 -o eth2 -s $NET_ADMINS -p icmp -j ACCEPT
  69. iptables -A FORWARD -i eth2 -o eth1 -s 20.0.0.100 -d $IP_LOG -p udp \
  70. --dport $PORT_LOG -j ACCEPT
  71. iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
  72. iptables -t nat -A POSTROUTING -o eth2 -j SNAT --to-source 20.0.0.12
  73. iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 25 -j DNAT \
  74. --to-destination 20.0.0.100:2025
  75. iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT \
  76. --to-destination 20.0.0.100:8080