  1. #!/bin/bash
  2. #
  3. # Watch me mess this up.
  4. #
  5. # Topology ftw
  6. #
  7. #       +----------+
  8. #       | PC 1     +<---+                                      
  9. #       +----------+    |                                      
  10. #                       |                                       +------------------+
  11. #       +----------+    |       +-----------+  192.168.0.1:eth0 |                  |
  12. #       | PC 2     +<---+------>+ Switch    +<----------------->+ Linux Firewall   |                                            +--+pr0n
  13. #       +----------+    |       +-----------+           (LAN)   |                  | Ethernet   +-------+                       |
  14. #                       |                                       |         DHCP:eth2+<---------->+ Modem +<---+ISP+---+Internet+-+--+torrents
  15. #       +----------+    |                                       |           (WAN)  |            +-------+                       |
  16. #       | PC 3     +<---+                                       +------------------+                                            +--+lolcatz
  17. #       +----------+
  18. #
  19. # /Topolgy ftl
  20. #      
  21. # Scripting ftw
  22. #
  23. # Flush tables
  24. #
  25. iptables -F
  26. iptables -t nat -F
  27. iptables -t mangle -F
  28. iptables -X
  29.  
  30. # Allow esdtablished connections
  31. iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  32. iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  33.  
  34.  
  35. # Allow loopback (127.0.01) traffic
  36. iptables -A INPUT -i lo -j ACCEPT
  37. iptables -A OUTPUT -o lo -j ACCEPT
  38.  
  39. # Allow established connections, and those not coming from the outside
  40.  
  41. #
  42. # WAN emergency stop
  43.  
  44. #iptables -A INPUT -i eth2 -j DROP
  45.  
  46. # Accept DHCP requests
  47. iptables -A INPUT -i eth0 -p udp --sport 68 --dport 67 -j ACCEPT
  48.  
  49.  
  50. #
  51. #
  52. # Drops
  53. #
  54. #
  55.  
  56.  
  57. # Kazaa probes
  58. iptables -A INPUT -p tcp -m tcp --dport 1214 -j DROP
  59. iptables -A INPUT -p udp -m udp --dport 1214 -j DROP
  60.  
  61.  
  62. #
  63. #
  64. # Logs
  65. #
  66. #
  67.  
  68. # LOW/HIGH TCP/UDP CONNECTION (log'd)
  69. iptables -A INPUT -p tcp --dport 0:1023 -m state --state NEW -j LOG --log-prefix "LOW PORT TCP CONNECTION: "
  70. #iptables -A INPUT -p udp -m state --state NEW --dport 0:1023 -j LOG --log-prefix "LOW PORT UDP CONNECTION: "
  71. #iptables -A INPUT -p tcp -m state --state NEW --dport 1024:65535 -j LOG --log-prefix "HIGH PORT UDP CONNECTION: "
  72. iptables -A INPUT -p udp -m state --state NEW --dport 1024:65535 -j LOG --log-prefix "HIGH PORT UDP CONNECTION:"
  73. # IMPROPER TAG FRAME (log'd)
  74. #iptables -A INPUT -p tcp --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j LOG --log-prefix "NEW NOT SYN: "
  75.  
  76. # Log pings
  77. iptables -A INPUT -p icmp -j LOG --log-prefix "ECHO: "
  78.  
  79. #
  80. #
  81. # Accepts
  82. #
  83. #
  84.  
  85. # Accept DNS queries (hopefully)
  86. iptables -A INPUT -i eth0 -p udp --dport 53 -j ACCEPT
  87.  
  88. # Accept ssh
  89. iptables -A INPUT -s 192.168.0.0/24 -p tcp --dport 22 -j ACCEPT
  90.  
  91. # Accept ntp
  92. iptables -A INPUT -p udp --sport 123 -j ACCEPT
  93.  
  94. # Accept BitTorrent
  95. iptables -A INPUT -p tcp --sport 43067 -j ACCEPT
  96. #iptables -A FORWARD -s 192.168.1.133 -p tcp --dport 43067:43083 -j ACCEPT
  97. iptables -A FORWARD -s 192.168.1.122 -p tcp --dport 43084:43092 -j ACCEPT
  98.  
  99.  
  100. # Set policy
  101. iptables -P INPUT DROP
  102. iptables -P FORWARD DROP
  103.  
  104. # NAT
  105. iptables -t nat -A POSTROUTING -s 192.168.1.0/25 -j MASQUERADE
  106. iptables -t nat -A PREROUTING -p tcp --dport 43067:43083 -j DNAT --to-destination 192.168.0.133
  107. iptables -t nat -A PREROUTING -p tcp --dport 43084:43092 -j DNAT --to-destination 192.168.0.122
  108.  
  109. # Ok forwarding with the system
  110. echo 1 > /proc/sys/net/ipv4/ip_forward