Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- sudo iptables -F
- sudo iptables -t nat -F
- sudo iptables -X
- sudo iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
- sudo iptables -A FORWARD -i tun0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
- sudo iptables -A FORWARD -i eth0 -o tun0 -j ACCEPT
- sudo iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
- sudo iptables -t nat -A POSTROUTING -o tun1 -j MASQUERADE
- sudo iptables -t nat -A POSTROUTING -o tun2 -j MASQUERADE
- sudo iptables -t nat -A PREROUTING -i tun0 -p tcp --dport 443 -m state --state NEW -m statistic --mode random --probability .25
- sudo iptables -t nat -A PREROUTING -i tun1 -p tcp --dport 443 -m state --state NEW -m statistic --mode random --probability .33
- sudo iptables -t nat -A PREROUTING -i tun2 -p tcp --dport 443 -m state --state NEW -m statistic --mode random --probability .50
- sudo sh -c "iptables-save > /etc/iptables.ipv4.nat"
- =====================
- *nat
- :PREROUTING ACCEPT [0:0]
- :INPUT ACCEPT [0:0]
- :OUTPUT ACCEPT [0:0]
- :POSTROUTING ACCEPT [0:0]
- # p4p1 is WAN interface, #p1p1 is LAN interface
- sudo iptables -A POSTROUTING -o eth1 -j MASQUERADE
- # NAT pinhole: HTTP from WAN to LAN
- sudo iptables -A PREROUTING -p tcp -m tcp -i eth0 --dport 80 -j DNAT --to-destination 192.168.0.15:80
- COMMIT
- *filter
- :INPUT ACCEPT [0:0]
- :FORWARD ACCEPT [0:0]
- :OUTPUT ACCEPT [0:0]
- # Service rules
- # basic global accept rules - ICMP, loopback, traceroute, established all accepted
- sudo iptables -A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -j ACCEPT
- sudo iptables -A INPUT -p icmp -j ACCEPT
- sudo iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
- # enable traceroute rejections to get sent out
- sudo iptables -A INPUT -p udp -m udp --dport 33434:33523 -j REJECT --reject-with icmp-port-unreachable
- # DNS - accept from LAN
- sudo iptables -A INPUT -i eth0 -p tcp --dport 53 -j ACCEPT
- sudo iptables -A INPUT -i eth0 -p udp --dport 53 -j ACCEPT
- # SSH - accept from LAN
- sudo iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
- # DHCP client requests - accept from LAN
- sudo iptables -A INPUT -i eth0 -p udp --dport 67:68 -j ACCEPT
- # drop all other inbound traffic
- sudo iptables -A INPUT -j DROP
- # Forwarding rules
- # forward packets along established/related connections
- sudo iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
- # forward from LAN (p1p1) to WAN (p4p1)
- sudo iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
- # allow traffic from our NAT pinhole
- -A FORWARD -p tcp -d 192.168.0.15 --dport 80 -j ACCEPT
- # drop all other forwarded traffic
- -A FORWARD -j DROP
- COMMIT
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement