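#!/bin/bash
#
# Stateful IPv4 gateway firewall for a small home LAN.
#
# Topology (as drawn by the original author; interface names are the only
# thing the rules below depend on):
#
# +----------+
# | PC 1 +<---+
# +----------+ |
# | +------------------+
# +----------+ | +-----------+ 192.168.0.1:eth0 | |
# | PC 2 +<---+------>+ Switch +<----------------->+ Linux Firewall | +--+pr0n
# +----------+ | +-----------+ (LAN) | | Ethernet +-------+ |
# | | DHCP:eth2+<---------->+ Modem +<---+ISP+---+Internet+-+--+torrents
# +----------+ | | (WAN) | +-------+ |
# | PC 3 +<---+ +------------------+ +--+lolcatz
# +----------+
#
# What the script does:
#   * flushes the filter, nat and mangle tables and rebuilds INPUT/FORWARD
#     with a DROP default policy (OUTPUT is not touched and keeps its
#     existing policy);
#   * accepts conntrack ESTABLISHED/RELATED traffic, loopback, and a short
#     list of LAN-only services on the firewall host (DHCP, DNS, SSH, NTP);
#   * forwards and masquerades LAN-originated traffic to the WAN and
#     port-forwards a BitTorrent port range to a LAN host;
#   * logs (rate-limited) new connections that reach the firewall host.
#
# Caveats:
#   * IPv4 only. ip6tables is not configured here; if the host or the LAN
#     has IPv6 connectivity none of this filtering applies to it.
#   * Rules are keyed on the interface names set below. Re-check them with
#     `ip link` after any hardware/udev change, or LAN and WAN swap roles.
#   * Default policies are set to DROP *before* the rules are loaded, so a
#     failure part-way through leaves the box closed rather than open.
#     Run it from a LAN console or a LAN-side SSH session only.
#   * Source-address-only matches (e.g. `-s 192.168.0.0/24`) are spoofable
#     from the WAN, so every LAN-only rule is also bound to `-i $LAN_IF`.
#     Enabling rp_filter (net.ipv4.conf.all.rp_filter=1) is a sensible
#     complement but is not done by this script.
#
set -euo pipefail

# --- Site parameters ---------------------------------------------------------
LAN_IF=eth0                     # 192.168.0.1, faces the switch
WAN_IF=eth2                     # DHCP-addressed, faces the modem/ISP
LAN_NET=192.168.0.0/24          # matches the 192.168.0.x addresses used below
TORRENT_HOST_A=192.168.0.133    # would receive TCP 43067-43083 (forward disabled)
TORRENT_HOST_B=192.168.0.122    # receives TCP 43084-43092
readonly LAN_IF WAN_IF LAN_NET TORRENT_HOST_A TORRENT_HOST_B
# Rate limit applied to every LOG rule so a scan cannot fill the disk.
log_limit=(-m limit --limit 5/min --limit-burst 10)

if [[ $EUID -ne 0 ]]; then
  printf '%s: must be run as root\n' "${0##*/}" >&2
  exit 1
fi

# --- Flush -------------------------------------------------------------------
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

# --- Default policies (fail closed) -----------------------------------------
iptables -P INPUT DROP
iptables -P FORWARD DROP

# --- Baseline accepts --------------------------------------------------------
# Loopback (127.0.0.1)
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Replies to connections the firewall or the LAN opened. conntrack tracks UDP
# and ICMP as well, so DNS/NTP replies and ICMP errors come in through here.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# WAN emergency stop (uncomment to cut the WAN off entirely)
#iptables -A INPUT -i "$WAN_IF" -j DROP
# DHCP requests from LAN clients (the firewall is the DHCP server)
iptables -A INPUT -i "$LAN_IF" -p udp --sport 68 --dport 67 -j ACCEPT

# --- Drops -------------------------------------------------------------------
# Kazaa probes. Redundant under a DROP policy, but placed before the LOG rules
# so they do not flood the log.
iptables -A INPUT -p tcp -m tcp --dport 1214 -j DROP
iptables -A INPUT -p udp -m udp --dport 1214 -j DROP

# --- Logs --------------------------------------------------------------------
# These sit before the service accepts below, so new SSH connections from the
# LAN are logged too (DNS is UDP and its low-port log rule is disabled).
iptables -A INPUT -p tcp --dport 0:1023 -m state --state NEW "${log_limit[@]}" -j LOG --log-prefix "LOW PORT TCP CONNECTION: "
#iptables -A INPUT -p udp -m state --state NEW --dport 0:1023 "${log_limit[@]}" -j LOG --log-prefix "LOW PORT UDP CONNECTION: "
#iptables -A INPUT -p tcp -m state --state NEW --dport 1024:65535 "${log_limit[@]}" -j LOG --log-prefix "HIGH PORT TCP CONNECTION: "
iptables -A INPUT -p udp -m state --state NEW --dport 1024:65535 "${log_limit[@]}" -j LOG --log-prefix "HIGH PORT UDP CONNECTION:"
# NEW packets that are not a bare SYN (stealth scans). Note `! --syn`: the
# original form matched SYN packets, i.e. the opposite of its prefix.
#iptables -A INPUT -p tcp ! --syn -m state --state NEW "${log_limit[@]}" -j LOG --log-prefix "NEW NOT SYN: "
# Pings (they are still dropped by policy; this only records them)
iptables -A INPUT -p icmp "${log_limit[@]}" -j LOG --log-prefix "ECHO: "

# --- Services offered to the LAN ---------------------------------------------
# Every rule is bound to the LAN interface; a source-address match alone can
# be spoofed from the WAN.
# DNS queries (UDP only; add TCP 53 if large responses/zone transfers matter)
iptables -A INPUT -i "$LAN_IF" -p udp --dport 53 -j ACCEPT
# SSH
iptables -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 22 -j ACCEPT
# NTP served to LAN clients. Replies to the firewall's own NTP queries are
# already accepted as ESTABLISHED; never accept on `--sport 123` alone, as
# anyone can choose that source port and reach every UDP service on the host.
# Remove this rule if the firewall does not run an NTP server.
iptables -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p udp --dport 123 -j ACCEPT
# BitTorrent: the port ranges are DNAT'd to LAN hosts (see NAT below), so they
# never reach INPUT on this host. The old `--sport 43067 -j ACCEPT` rule was a
# source-port hole, not a torrent rule, and is intentionally gone.

# --- Forwarding --------------------------------------------------------------
# LAN -> Internet: whatever the LAN originates is forwarded (and masqueraded).
iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
# Inbound port forwards. DNAT has already rewritten the destination by the
# time FORWARD sees the packet, so the match is on `-d <LAN host>`, not `-s`.
#iptables -A FORWARD -i "$WAN_IF" -d "$TORRENT_HOST_A" -p tcp --dport 43067:43083 -j ACCEPT
iptables -A FORWARD -i "$WAN_IF" -d "$TORRENT_HOST_B" -p tcp --dport 43084:43092 -j ACCEPT

# --- NAT ---------------------------------------------------------------------
iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
# Only rewrite traffic arriving on the WAN; LAN clients talking to the
# firewall's own ports in these ranges must not be redirected.
# The 43067-43083 DNAT is inert until its FORWARD rule above is re-enabled.
iptables -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 43067:43083 -j DNAT --to-destination "$TORRENT_HOST_A"
iptables -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 43084:43092 -j DNAT --to-destination "$TORRENT_HOST_B"

# --- Enable routing last, once the ruleset is in place ----------------------
printf '1\n' > /proc/sys/net/ipv4/ip_forward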