API tools faq
paste
Guest User

firewall.sh

a guest
May 30th, 2021
177
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Bash 2.01 KB | None | 0 0
raw download clone embed print report
  1. #!/bin/bash
  2.  
  3. SPECIAL_ADDRS='255.255.255.255/32 240.0.0.0/4 233.252.0.0/24 224.0.0.0/4 203.0.113.0/24 198.51.100.0/24 198.18.0.0/15 192.168.0.0/16 192.88.99.0/24 192.0.2.0/24 192.0.0.0/24 172.16.0.0/12 169.254.0.0/16 127.0.0.0/8 100.64.0.0/10 10.0.0.0/8 0.0.0.0/8'
  4.  
  5. # syn check
  6.  
  7. apt install tor
  8.  
  9. # ---
  10.  
  11. iptables -P INPUT DROP; iptables -P FORWARD DROP; iptables -P OUTPUT DROP
  12.  
  13. # ---
  14.  
  15. iptables -A INPUT -m state --state INVALID -j DROP
  16. iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
  17. iptables -A INPUT -i lo -j ACCEPT
  18. iptables -A INPUT -j DROP
  19.  
  20. # ---
  21.  
  22. iptables -A FORWARD -j DROP
  23.  
  24. # ---
  25.  
  26. iptables -A OUTPUT -m state --state INVALID -j DROP
  27. iptables -A OUTPUT -m state --state ESTABLISHED -j ACCEPT
  28.  
  29. iptables -A OUTPUT -p udp -d 127.0.0.1 --dport 9053 -j ACCEPT
  30. iptables -A OUTPUT -p tcp -d 127.0.0.1 --dport 9040 --syn -j ACCEPT
  31.  
  32. iptables -A OUTPUT -p tcp -m owner --uid-owner debian-tor -m state --state NEW --syn -j ACCEPT
  33. iptables -A OUTPUT -o lo -j ACCEPT
  34.  
  35. for special_addr in $SPECIAL_ADDRS; do
  36.   iptables -A OUTPUT -d $special_addr -j DROP
  37. done
  38.  
  39. iptables -A OUTPUT -j DROP
  40.  
  41. # ---
  42.  
  43. iptables -t nat -A OUTPUT -p udp --dport 53 -j DNAT --to-destination='127.0.0.1:9053'
  44. iptables -t nat -A OUTPUT -p tcp -d 10.192.0.0/10 --syn -j DNAT --to-destination='127.0.0.1:9040'
  45.  
  46. iptables -t nat -A OUTPUT -p tcp -m owner --uid-owner debian-tor --syn -j RETURN
  47. iptables -t nat -A OUTPUT -o lo -j RETURN
  48.  
  49. for special_addr in $SPECIAL_ADDRS; do
  50.   iptables -t nat -A OUTPUT -d $special_addr -j RETURN
  51. done
  52.  
  53. iptables -t nat -A OUTPUT -p tcp --syn -j DNAT --to-destination='127.0.0.1:9040'
  54.  
  55. # ---
  56.  
  57. ip6tables -P INPUT DROP; ip6tables -P FORWARD DROP; ip6tables -P OUTPUT DROP
  58. ip6tables -A INPUT -j DROP; ip6tables -A FORWARD -j DROP; ip6tables -A OUTPUT -j DROP
  59.  
  60. # ---
  61.  
  62. {
  63.   echo DNSPort 127.0.0.1:9053
  64.   echo AutomapHostsOnResolve 1
  65.   echo AutomapHostsSuffixes .onion
  66.   echo
  67.   echo TransPort 127.0.0.1:9040
  68.   echo VirtualAddrNetwork 10.192.0.0/10
  69. } > /etc/tor/torrc
  70.  
  71. # ---
  72.  
  73. systemctl restart tor
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!