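#!/bin/sh
# Firewall Script 2
# Matt Beaudin (040-559-386)
# Stateful Firewall Rules
#
# This box routes between the host-only net (192.168.159.0/24, host is .1)
# and the internal net (10.20.0.0/16, this box is 10.20.0.1, VM2 is .100).
# All filtering below is done with stateful ACCEPT rules, so the chain
# policies must be DROP for any of it to have an effect.

# Variables
iptables="/sbin/iptables"

# Default-deny FIRST. --flush removes rules but never touches a chain's
# policy; on a stock system that policy is ACCEPT, so a flush-then-ACCEPT
# script filters nothing at all. Setting DROP before the flush also avoids
# the window in which the box would sit with no rules and an ACCEPT policy.
$iptables -P INPUT DROP
$iptables -P FORWARD DROP
$iptables -P OUTPUT DROP

# Flush firewall rules in every table and delete user-defined chains
# (-X without -t only cleans the filter table).
$iptables --flush
$iptables -t nat --flush
$iptables -t mangle --flush
$iptables -X
$iptables -t nat -X
$iptables -t mangle -X

# Keep the firewall box itself usable under the DROP policies: loopback, and
# reply traffic for connections the explicit rules accept. This opens no new
# inbound or outbound path to/from the box; if you administer it over ssh or
# it needs outbound DNS/updates, add explicit INPUT/OUTPUT rules for that
# before running this or you will lock yourself out.
$iptables -A INPUT -i lo -j ACCEPT
$iptables -A OUTPUT -o lo -j ACCEPT
$iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT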
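# Rules
# ssh to the host (192.168.159.1) and back.
# Inbound: anyone forwarded through this box may open a new ssh session to the host.
$iptables -A FORWARD -p tcp -s 0/0 -d 192.168.159.1 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
# Return path: only packets that belong to a session accepted above. The
# original also allowed NEW here, which let the host open a connection to ANY
# port on ANY forwarded address simply by binding its source port to 22
# (classic source-port bypass). Replies are tracked, so ESTABLISHED suffices.
$iptables -A FORWARD -p tcp -s 192.168.159.1 -d 0/0 --sport 22 -m state --state ESTABLISHED -j ACCEPT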
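# ssh from host to VM2 (server).
# The original wrote 192.168.159.1/24 and 10.20.0.100/16; iptables accepts
# that but normalises it to the whole subnets (192.168.159.0/24 -> 10.20.0.0/16),
# i.e. ssh from every host-only machine to every internal address, not
# host -> VM2 as the comment says. Single addresses match the intent.
$iptables -A FORWARD -p tcp -s 192.168.159.1 -d 10.20.0.100 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
# Replies from sshd come FROM port 22, so the return rule must match --sport 22;
# the original's --dport 22 never matched a reply packet.
$iptables -A FORWARD -p tcp -s 10.20.0.100 -d 192.168.159.1 --sport 22 -m state --state ESTABLISHED -j ACCEPT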
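# access web server (VM2, tcp/80) from any host.
# HTTP requests go TO port 80 (--dport) and replies come FROM port 80 (--sport).
# The original had the two swapped, which (a) matched no real HTTP traffic and
# (b) accepted NEW connections from anywhere to ANY port on VM2 as long as the
# sender used source port 80.
$iptables -A FORWARD -p tcp -s 0/0 -d 10.20.0.100 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
$iptables -A FORWARD -p tcp -s 10.20.0.100 -d 0/0 --sport 80 -m state --state ESTABLISHED -j ACCEPT
# The firewall box itself (10.20.0.1) may also fetch from VM2: same port fix,
# and the OUTPUT rule needs ESTABLISHED too or the connection stalls after the
# first packet under a DROP policy.
$iptables -A OUTPUT -p tcp -s 10.20.0.1 -d 10.20.0.100 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
$iptables -A INPUT -p tcp -s 10.20.0.100 -d 10.20.0.1 --sport 80 -m state --state ESTABLISHED -j ACCEPT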
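# DNS resolution (udp/53) forwarded through the box.
# Queries go TO port 53 and responses come FROM port 53; the original had the
# ports swapped, so it matched no real query and instead let anyone forward a
# NEW UDP datagram to any port anywhere by sending it from source port 53.
# conntrack tracks UDP, so the first query is NEW and the response ESTABLISHED.
$iptables -A FORWARD -p udp -s 0/0 -d 0/0 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
$iptables -A FORWARD -p udp -s 0/0 -d 0/0 --sport 53 -m state --state ESTABLISHED -j ACCEPT
# NOTE(review): responses over 512 bytes and zone transfers fall back to
# tcp/53; add matching tcp rules if resolvers behind the firewall need that.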
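# Allow ping and traceroute to any host from internal network.
# Outbound echo requests / ICMP probes from 10.20/16...
$iptables -A FORWARD -p icmp -s 10.20.0.0/16 -d 0/0 -m state --state NEW,ESTABLISHED -j ACCEPT
# ...and what comes back. Echo replies are ESTABLISHED; the ICMP errors that
# traceroute relies on (time-exceeded, port-unreachable) are RELATED. The
# original had no return rule, so under a DROP policy nothing ever came back.
$iptables -A FORWARD -p icmp -s 0/0 -d 10.20.0.0/16 -m state --state ESTABLISHED,RELATED -j ACCEPT
# NOTE(review): Linux traceroute sends UDP probes by default; only ICMP probes
# (traceroute -I) are covered by these -p icmp rules.
# Allow host to ping and traceroute to VM2 only, plus VM2's replies to it.
$iptables -A FORWARD -p icmp -s 192.168.159.1 -d 10.20.0.100 -m state --state NEW,ESTABLISHED -j ACCEPT
$iptables -A FORWARD -p icmp -s 10.20.0.100 -d 192.168.159.1 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Left disabled in the original: explicit DROPs for pings from the host to the
# firewall's own addresses. Kept unchanged for reference.
#$iptables -A INPUT -p icmp -s 192.168.159.1 -d 192.168.159.129 -m state --state NEW,ESTABLISHED -j DROP
#$iptables -A INPUT -p icmp -s 192.168.159.1 -d 10.20.0.1 -m state --state NEW,ESTABLISHED -j DROP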
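# host can ftp to VM2 using FTP.
# Control channel: the client connects TO port 21 (--dport). The original's
# --sport 21 matched no real FTP session and instead accepted NEW connections
# from the host to ANY port on VM2 whenever the host sent from source port 21.
$iptables -A FORWARD -p tcp -s 192.168.159.1 -d 10.20.0.100 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
$iptables -A FORWARD -p tcp -s 10.20.0.100 -d 192.168.159.1 --sport 21 -m state --state ESTABLISHED -j ACCEPT
# Data channel: FTP opens a second connection on a negotiated port (client->server
# in passive mode, server:20->client in active mode). With the FTP conntrack
# helper loaded (nf_conntrack_ftp, formerly ip_conntrack_ftp) those connections
# are classified RELATED, so both directions need a RELATED rule. Without the
# helper only the control channel will work.
$iptables -A FORWARD -p tcp -s 192.168.159.1 -d 10.20.0.100 -m state --state RELATED,ESTABLISHED -j ACCEPT
$iptables -A FORWARD -p tcp -s 10.20.0.100 -d 192.168.159.1 -m state --state RELATED,ESTABLISHED -j ACCEPT
# NOTE(review): FTP carries credentials and data in cleartext; ssh to VM2 is
# already allowed above, so sftp/scp over port 22 would avoid opening this.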