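#!/bin/bash
## Two-interface NAT firewall for a small LAN: ${LAN} is the inside,
## ${WAN} the upstream link. A handful of LAN hosts are published to the
## WAN via DNAT (see the nat PREROUTING and FORWARD sections); everything
## else is default-deny with per-service whitelist chains.
##
## NOTE(review): the script has no `set -e`. A rule that fails to load is
## reported on stderr and skipped while the DROP policies already set stay
## in place, so watch the output when applying this. iptables/ip6tables
## need root; as a normal user every rule line simply fails.
## Export Interfaces Variables ##
# Only these three names are read by the rules below; switch WAN to ppp0
# for a PPPoE uplink.
export LO=lo
export LAN=eth1
export WAN=eth0
#export WAN=ppp0
## Export IPv4 Address Variables ##
# Address book for reference only -- nothing below uses these variables
# (the DNAT/FORWARD rules hard-code 192.168.0.252-254). The LAN is
# 192.168.0.0/24, the WAN side 192.168.1.0/24.
#export IP_LO_GROUP=127.0.0.0/8
#export IP_LO=127.0.0.1/32
#export IP_LAN_GROUP=192.168.0.0/24
#export IP_LAN1=192.168.0.1/32
#export IP_LAN2=192.168.0.2/32
#export IP_LAN3=192.168.0.3/32
#export IP_LAN4=192.168.0.4/32
#export IP_LAN5=192.168.0.5/32
#export IP_LAN6=192.168.0.6/32
#export IP_LAN7=192.168.0.7/32
#export IP_LAN8=192.168.0.8/32
# .9-.12 were mislabelled IP_LAN5-IP_LAN8 (duplicating the names above);
# numbered to match their addresses.
#export IP_LAN9=192.168.0.9/32
#export IP_LAN10=192.168.0.10/32
#export IP_LAN11=192.168.0.11/32
#export IP_LAN12=192.168.0.12/32
#export IP_WAN_GROUP=192.168.1.0/24
#export IP_WAN1=192.168.1.1/32
#export IP_WAN2=192.168.1.2/32
## Export IPv6 Variables ##
# Link-local addresses, likewise unused by the rules.
#export IP6_LO=::1/128
#export IP6_GROUP=fe80::/64
#export IP6_LAN1=fe80::208:54ff:fe2c:cf01/64
#export IP6_LAN2=fe80::219:66ff:feed:fa5f/64
#export IP6_LAN3=fe80::225:22ff:fe3d:96e0/64
#export IP6_WAN2=fe80::219:21ff:fe54:ea2f/64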
## Clear All NAT Tables ##
# Flush every rule, delete every user-defined chain, then zero the
# counters of the nat table before it is rebuilt below.
for action in -F -X -Z; do
  iptables -t nat "${action}"
done
## Setup NAT Build-in Policy Tables ##
# Only POSTROUTING gets an explicit policy; the other nat built-ins are
# not touched here.
#iptables -t nat -P PREROUTING ACCEPT
#iptables -t nat -P INPUT ACCEPT
#iptables -t nat -P OUTPUT ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
## PREROUTING TO THE ASTERISK, APACHE, POSTFIX AND RFACTOR SERVER
# Port-forwards from the WAN into three LAN hosts: .253 (mail + web),
# .254 (Asterisk, currently disabled) and .252 (rFactor). DNAT only
# rewrites the destination address; the packets must still be accepted
# by the matching FORWARD rules in the filter section, which is where the
# real policy lives. 25/80/110/143 are plaintext protocols (TLS at most
# opportunistic via STARTTLS/STLS) exposed to the internet; the TLS-only
# variants 465/993/995 are listed but disabled.
# SMTP (25; STARTTLS, if offered, is negotiated on this same port)
iptables -t nat -A PREROUTING -i ${WAN} -m tcp -p tcp --dport 25 -j DNAT --to-destination 192.168.0.253
# Web server
iptables -t nat -A PREROUTING -i ${WAN} -m tcp -p tcp --dport 80 -j DNAT --to-destination 192.168.0.253
# POP3
iptables -t nat -A PREROUTING -i ${WAN} -m tcp -p tcp --dport 110 -j DNAT --to-destination 192.168.0.253
# IMAP
iptables -t nat -A PREROUTING -i ${WAN} -m tcp -p tcp --dport 143 -j DNAT --to-destination 192.168.0.253
# SMTP/SSL (disabled)
#iptables -t nat -A PREROUTING -i ${WAN} -m tcp -p tcp --dport 465 -j DNAT --to-destination 192.168.0.253
# IMAPS (disabled)
#iptables -t nat -A PREROUTING -i ${WAN} -m tcp -p tcp --dport 993 -j DNAT --to-destination 192.168.0.253
# POP3S (disabled)
#iptables -t nat -A PREROUTING -i ${WAN} -m tcp -p tcp --dport 995 -j DNAT --to-destination 192.168.0.253
# IAX Asterisk (disabled)
#iptables -t nat -A PREROUTING -i ${WAN} -m udp -p udp --dport 4569 -j DNAT --to-destination 192.168.0.254
# SIP Asterisk (disabled)
#iptables -t nat -A PREROUTING -i ${WAN} -m udp -p udp --dport 5060 -j DNAT --to-destination 192.168.0.254
# RTP Asterisk (disabled)
#iptables -t nat -A PREROUTING -i ${WAN} -m udp -p udp --dport 10000:20000 -j DNAT --to-destination 192.168.0.254
# RFACTOR SERVER (WEBSITE RESULTS)
iptables -t nat -A PREROUTING -i ${WAN} -m tcp -p tcp --dport 27012 -j DNAT --to-destination 192.168.0.252
iptables -t nat -A PREROUTING -i ${WAN} -m udp -p udp --dport 27012 -j DNAT --to-destination 192.168.0.252
# RFACTOR SERVER (GAME PORT TCP AND UDP) -- a 1001-port range
iptables -t nat -A PREROUTING -i ${WAN} -m tcp -p tcp --dport 34000:35000 -j DNAT --to-destination 192.168.0.252
iptables -t nat -A PREROUTING -i ${WAN} -m udp -p udp --dport 34000:35000 -j DNAT --to-destination 192.168.0.252
# RFACTOR SERVER (MATCHMAKER PORT)
iptables -t nat -A PREROUTING -i ${WAN} -m tcp -p tcp --dport 39001 -j DNAT --to-destination 192.168.0.252
iptables -t nat -A PREROUTING -i ${WAN} -m udp -p udp --dport 39002 -j DNAT --to-destination 192.168.0.252
## Configuring NAT POSTROUTING Build-in Chain Table ##
# Source-NAT everything leaving via ${WAN} to that interface's address.
# Keyed on the output interface only -- there is no -s restriction to the
# LAN subnet, so whatever the FORWARD chain lets out of ${WAN} gets
# masqueraded, whichever interface it came in on.
iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE
## Clear All IPv4 Filter Tables ##
# Flush rules, delete user-defined chains, zero counters -- filter table.
for action in -F -X -Z; do
  iptables "${action}"
done
## Setup IPv4 Filter Build-in Policy Tables ##
# Default-deny on all three built-in chains; everything that should pass
# is whitelisted further down. Until those rules are in place the box
# drops all traffic (existing TCP sessions normally ride it out through
# retransmission, but apply this from the console if you can).
for chain in INPUT FORWARD OUTPUT; do
  iptables -P "${chain}" DROP
done
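## FORWARDS to Asterisk, Apache, Postfix and rFactor Server
# Accept the connections DNAT'ed above into the LAN servers. These rules
# are appended BEFORE the FORWARD chain's INVALID drop and check-flags
# jump (added further down), so they are the first thing a WAN packet to
# these ports meets. They therefore accept only the packet that OPENS a
# connection (--syn plus conntrack NEW for TCP, conntrack NEW for UDP);
# every later packet of the flow falls through to the rest of FORWARD --
# INVALID drop, check-flags, then the RELATED,ESTABLISHED accept in
# allowed-connection. Previously any TCP/UDP segment to these ports was
# accepted outright, so Xmas/null/ACK probes and mid-stream pick-ups
# aimed at the published services bypassed every sanity check.
# SMTP (25; STARTTLS, if offered, is negotiated on this same port)
iptables -A FORWARD -i "${WAN}" -o "${LAN}" -p tcp -m tcp --syn --dport 25 -d 192.168.0.253 -m state --state NEW -j ACCEPT
# Web server
iptables -A FORWARD -i "${WAN}" -o "${LAN}" -p tcp -m tcp --syn --dport 80 -d 192.168.0.253 -m state --state NEW -j ACCEPT
# POP3 (plaintext unless the server enforces STLS)
iptables -A FORWARD -i "${WAN}" -o "${LAN}" -p tcp -m tcp --syn --dport 110 -d 192.168.0.253 -m state --state NEW -j ACCEPT
# IMAP (plaintext unless the server enforces STARTTLS)
iptables -A FORWARD -i "${WAN}" -o "${LAN}" -p tcp -m tcp --syn --dport 143 -d 192.168.0.253 -m state --state NEW -j ACCEPT
# SMTP/SSL, IMAPS, POP3S (disabled; same pattern)
#iptables -A FORWARD -i "${WAN}" -o "${LAN}" -p tcp -m tcp --syn --dport 465 -d 192.168.0.253 -m state --state NEW -j ACCEPT
#iptables -A FORWARD -i "${WAN}" -o "${LAN}" -p tcp -m tcp --syn --dport 993 -d 192.168.0.253 -m state --state NEW -j ACCEPT
#iptables -A FORWARD -i "${WAN}" -o "${LAN}" -p tcp -m tcp --syn --dport 995 -d 192.168.0.253 -m state --state NEW -j ACCEPT
# IAX, SIP, RTP to the Asterisk box (disabled)
#iptables -A FORWARD -i "${WAN}" -o "${LAN}" -p udp -m udp --dport 4569 -d 192.168.0.254 -m state --state NEW -j ACCEPT
#iptables -A FORWARD -i "${WAN}" -o "${LAN}" -p udp -m udp --dport 5060 -d 192.168.0.254 -m state --state NEW -j ACCEPT
#iptables -A FORWARD -i "${WAN}" -o "${LAN}" -p udp -m udp --dport 10000:20000 -d 192.168.0.254 -m state --state NEW -j ACCEPT
# rFactor server (website results)
iptables -A FORWARD -i "${WAN}" -o "${LAN}" -p tcp -m tcp --syn --dport 27012 -d 192.168.0.252 -m state --state NEW -j ACCEPT
iptables -A FORWARD -i "${WAN}" -o "${LAN}" -p udp -m udp --dport 27012 -d 192.168.0.252 -m state --state NEW -j ACCEPT
# rFactor server (game port, TCP and UDP)
iptables -A FORWARD -i "${WAN}" -o "${LAN}" -p tcp -m tcp --syn --dport 34000:35000 -d 192.168.0.252 -m state --state NEW -j ACCEPT
iptables -A FORWARD -i "${WAN}" -o "${LAN}" -p udp -m udp --dport 34000:35000 -d 192.168.0.252 -m state --state NEW -j ACCEPT
# rFactor server (matchmaker port)
iptables -A FORWARD -i "${WAN}" -o "${LAN}" -p tcp -m tcp --syn --dport 39001 -d 192.168.0.252 -m state --state NEW -j ACCEPT
iptables -A FORWARD -i "${WAN}" -o "${LAN}" -p udp -m udp --dport 39002 -d 192.168.0.252 -m state --state NEW -j ACCEPT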
## Create New IPv4 Filter Chains Tables ##
# User-defined chains the built-in chains jump to below. Creation order
# does not affect matching; the original order is kept so `iptables -L`
# output stays familiar.
filter_chains=(
  icmp_allowed
  check-flags
  allow-local-traffic-in
  allow-ftp-traffic-in
  allow-ftp-traffic-out
  allow-ssh-traffic-in
  allow-ssh-traffic-out
  allow-smtp-traffic-in
  allow-smtp-traffic-out
  allow-dns-traffic-in
  allow-dns-traffic-out
  allow-http-traffic-in
  allow-http-traffic-out
  allow-pop3-traffic-in
  allow-pop3-traffic-out
  allow-ntp-traffic-in
  allow-ntp-traffic-out
  allow-imap-traffic-in
  allow-imap-traffic-out
  allow-https-traffic-in
  allow-https-traffic-out
  allow-smtps-traffic-in
  allow-smtps-traffic-out
  allow-rsync-traffic-in
  allow-rsync-traffic-out
  allow-imaps-traffic-in
  allow-imaps-traffic-out
  allow-pop3s-traffic-in
  allow-pop3s-traffic-out
  allow-fb-traffic-in
  allow-fb-traffic-out
  allow-amsn-traffic-out
  allow-streaming-traffic-in
  allow-streaming-traffic-out
  allow-svn-traffic-in
  allow-svn-traffic-out
  allow-irc-traffic-in
  allow-irc-traffic-out
  allow-noip-traffic-out
  allow-git-traffic-in
  allow-git-traffic-out
  allow-teamspeak-traffic-in
  allow-teamspeak-traffic-out
  allow-quake-traffic-out
  allow-quake3-traffic-out
  allow-rfactor-traffic-in
  allow-rfactor-traffic-out
  allow-hw-traffic-in
  allow-hw-traffic-out
  allowed-connection
)
for chain in "${filter_chains[@]}"; do
  iptables -N "${chain}"
done
## Configuring IPv4 Filter INPUT Build-in Chain Table ##
# Traffic addressed to the box itself. Order is the policy: conntrack
# INVALID is dropped first, then ICMP and TCP-flag sanity checks, then the
# per-interface allowances, and finally the catch-all.
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A INPUT -p icmp -j icmp_allowed
iptables -A INPUT -j check-flags
# Services reachable from the WAN. Only DNS is enabled; the rest are kept
# as toggles. NOTE(review): a resolver listening on ${WAN} is only safe if
# it is authoritative-only or recursion is limited to the LAN -- an open
# recursive resolver is a DNS amplification source.
#iptables -A INPUT -i ${WAN} -j ACCEPT
#iptables -A INPUT -i ${WAN} -j allow-ftp-traffic-in
#iptables -A INPUT -i ${WAN} -j allow-ssh-traffic-in
#iptables -A INPUT -i ${WAN} -j allow-smtp-traffic-in
iptables -A INPUT -i ${WAN} -j allow-dns-traffic-in
#iptables -A INPUT -i ${WAN} -j allow-http-traffic-in
#iptables -A INPUT -i ${WAN} -j allow-pop3-traffic-in
#iptables -A INPUT -i ${WAN} -j allow-ntp-traffic-in
#iptables -A INPUT -i ${WAN} -j allow-imap-traffic-in
#iptables -A INPUT -i ${WAN} -j allow-https-traffic-in
#iptables -A INPUT -i ${WAN} -j allow-smtps-traffic-in
#iptables -A INPUT -i ${WAN} -j allow-rsync-traffic-in
#iptables -A INPUT -i ${WAN} -j allow-imaps-traffic-in
#iptables -A INPUT -i ${WAN} -j allow-pop3s-traffic-in
#iptables -A INPUT -i ${WAN} -j allow-streaming-traffic-in
#iptables -A INPUT -i ${WAN} -j allow-irc-traffic-in
# Second http-in toggle: the (commented) 8080 rules were appended to the
# same allow-http-traffic-in chain, so one jump would cover both.
#iptables -A INPUT -i ${WAN} -j allow-http-traffic-in
# With this explicit WAN drop disabled, unmatched WAN packets fall through
# to allowed-connection, which only accepts RELATED,ESTABLISHED and drops
# (with a rate-limited log line) the rest -- same net effect, plus logging.
#iptables -A INPUT -i ${WAN} -j DROP
# Loopback and the LAN are trusted unconditionally: every service on the
# box is reachable from any LAN host.
iptables -A INPUT -i ${LO} -j ACCEPT
iptables -A INPUT -i ${LAN} -j ACCEPT
iptables -A INPUT -j allowed-connection
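## Configuring IPv4 Filter FORWARD Build-in Chain Table ##
# Traffic routed through the box. The per-service DNAT accepts were
# appended to FORWARD earlier in this script and so sit in front of these
# rules; this section governs LAN -> WAN egress and the catch-all.
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A FORWARD -p icmp -j icmp_allowed
iptables -A FORWARD -j check-flags
# Egress allowances, one chain per service (each chain matches on the
# destination port only). These used to match on -o ${WAN} alone, which
# also forwarded -- and, via POSTROUTING MASQUERADE, source-NATed --
# packets that had ARRIVED on ${WAN}: any host on the WAN-side segment
# could use this box as a relay to every allowed port (SMTP, SSH, HTTP,
# IRC, ...). Requiring -i ${LAN} limits them to traffic originating on
# the LAN; WAN -> WAN packets now fall through to allowed-connection and
# are dropped unless they belong to an established flow.
# The matching allow-*-traffic-in jumps for -i ${WAN} are deliberately
# not enabled: inbound services reach the LAN only via the DNAT accepts.
for chain in \
  allow-ftp-traffic-out \
  allow-ssh-traffic-out \
  allow-smtp-traffic-out \
  allow-dns-traffic-out \
  allow-http-traffic-out \
  allow-pop3-traffic-out \
  allow-ntp-traffic-out \
  allow-imap-traffic-out \
  allow-https-traffic-out \
  allow-smtps-traffic-out \
  allow-rsync-traffic-out \
  allow-imaps-traffic-out \
  allow-pop3s-traffic-out \
  allow-fb-traffic-out \
  allow-amsn-traffic-out \
  allow-streaming-traffic-out \
  allow-svn-traffic-out \
  allow-irc-traffic-out \
  allow-git-traffic-out \
  allow-teamspeak-traffic-out \
  allow-quake-traffic-out \
  allow-quake3-traffic-out \
  allow-rfactor-traffic-out \
  allow-hw-traffic-out
do
  iptables -A FORWARD -i "${LAN}" -o "${WAN}" -j "${chain}"
done
# Catch-all: established/related flows pass, everything else is dropped.
iptables -A FORWARD -j allowed-connection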
## Configuring IPv4 Filter OUTPUT Build-in Chain Table ##
# Traffic generated by the box itself. Same shape as INPUT: sanity checks,
# then what the box may reach on the WAN (a deliberately short list --
# no SSH, SMTP, IRC or git out of the firewall host), then lo/LAN are
# unrestricted, then the catch-all.
iptables -A OUTPUT -m state --state INVALID -j DROP
iptables -A OUTPUT -p icmp -j icmp_allowed
iptables -A OUTPUT -j check-flags
#iptables -A OUTPUT -o ${WAN} -j ACCEPT
iptables -A OUTPUT -o ${WAN} -j allow-ftp-traffic-out
#iptables -A OUTPUT -o ${WAN} -j allow-ssh-traffic-out
#iptables -A OUTPUT -o ${WAN} -j allow-smtp-traffic-out
iptables -A OUTPUT -o ${WAN} -j allow-dns-traffic-out
iptables -A OUTPUT -o ${WAN} -j allow-http-traffic-out
#iptables -A OUTPUT -o ${WAN} -j allow-pop3-traffic-out
iptables -A OUTPUT -o ${WAN} -j allow-ntp-traffic-out
#iptables -A OUTPUT -o ${WAN} -j allow-imap-traffic-out
iptables -A OUTPUT -o ${WAN} -j allow-https-traffic-out
#iptables -A OUTPUT -o ${WAN} -j allow-smtps-traffic-out
iptables -A OUTPUT -o ${WAN} -j allow-rsync-traffic-out
#iptables -A OUTPUT -o ${WAN} -j allow-imaps-traffic-out
#iptables -A OUTPUT -o ${WAN} -j allow-pop3s-traffic-out
#iptables -A OUTPUT -o ${WAN} -j allow-svn-traffic-out
#iptables -A OUTPUT -o ${WAN} -j allow-irc-traffic-out
# Dynamic-DNS client updates (TCP 8245).
iptables -A OUTPUT -o ${WAN} -j allow-noip-traffic-out
#iptables -A OUTPUT -o ${WAN} -j allow-git-traffic-out
#iptables -A OUTPUT -o ${WAN} -j DROP
iptables -A OUTPUT -o ${LO} -j ACCEPT
iptables -A OUTPUT -o ${LAN} -j ACCEPT
# Replies belonging to already-accepted inbound flows pass here; anything
# else the box tries to send on ${WAN} is dropped.
iptables -A OUTPUT -j allowed-connection
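## Configuring IPv4 Filter "icmp_allowed" Chain Table ##
# Shared by INPUT, FORWARD and OUTPUT. Only the ICMP error types TCP/UDP
# need are accepted: time-exceeded (11) and destination-unreachable (3,
# which includes "fragmentation needed" for path-MTU discovery).
# Conntrack classifies an ICMP error that belongs to a known flow as
# RELATED (one that belongs to no flow is INVALID and already dropped by
# the built-in chains), so the original NEW-only match never fired and
# every useful ICMP error was logged and dropped -- breaking PMTUD for
# the box and the LAN. NEW is kept for compatibility; RELATED is the
# state that actually matches.
iptables -A icmp_allowed -p icmp -m state --state NEW,RELATED -m icmp --icmp-type 11 -j ACCEPT
iptables -A icmp_allowed -p icmp -m state --state NEW,RELATED -m icmp --icmp-type 3 -j ACCEPT
# Everything else -- including echo request/reply, so neither the box nor
# the LAN can ping out -- is logged and dropped. The LOG rule was
# unbounded, letting a ping flood from the WAN fill the log at line rate;
# rate-limit it. The DROP that follows is unaffected by the limit.
iptables -A icmp_allowed -p icmp -m limit --limit 5/min -j LOG --log-prefix "Bad ICMP traffic:"
iptables -A icmp_allowed -p icmp -j DROP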
## Configuring IPv4 Filter "check-flags" Chain Table ##
# Log (rate-limited) and drop TCP segments whose flag combinations no
# real stack emits -- the signatures of nmap-style Xmas, null and
# SYN/FIN, SYN/RST probes. Each record below is
# "mask|flags|log prefix|syslog level"; rules are appended in this order,
# a LOG rule followed by its DROP, exactly as before.
while IFS='|' read -r mask flags prefix level; do
  iptables -A check-flags -p tcp -m tcp --tcp-flags "${mask}" "${flags}" -m limit --limit 5/min -j LOG --log-prefix "${prefix}" --log-level "${level}"
  iptables -A check-flags -p tcp -m tcp --tcp-flags "${mask}" "${flags}" -j DROP
done <<'EOF'
FIN,SYN,RST,PSH,ACK,URG|FIN,PSH,URG|NMAP-XMAS:|1
FIN,SYN,RST,PSH,ACK,URG|FIN,SYN,RST,PSH,ACK,URG|XMAS:|1
FIN,SYN,RST,PSH,ACK,URG|FIN,SYN,RST,ACK,URG|XMAS-PSH:|1
FIN,SYN,RST,PSH,ACK,URG|NONE|NULL_SCAN:|1
SYN,RST|SYN,RST|SYN/RST:|5
FIN,SYN|FIN,SYN|SYN/FIN:|5
EOF
## Configuring IPv4 Filter "allow-local-traffic-in" Chain Table ##
# NOTE(review): this chain is created above but no built-in chain jumps
# to it, so these four rules are dead. Left untouched; either wire it in
# deliberately or drop the chain. (The 1/sec limit, burst 5 by default,
# would throttle new connections if it were ever used.)
iptables -A allow-local-traffic-in -p tcp -m limit --limit 1/sec -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG RST -j ACCEPT
iptables -A allow-local-traffic-in -p tcp -m limit --limit 1/sec -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -j ACCEPT
iptables -A allow-local-traffic-in -p tcp -m limit --limit 1/sec -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG SYN -j ACCEPT
iptables -A allow-local-traffic-in -m state --state RELATED,ESTABLISHED -j ACCEPT
## Configuring IPv4 Filter "allow-ftp-traffic-in" Chain Table ##
# Disabled. The *-in chains all follow one pattern: accept lone RST, lone
# FIN and lone SYN to the port at 1/sec (burst 5), plus anything
# RELATED,ESTABLISHED to it. Only the SYN rule matters for opening a
# connection; the bare RST/FIN accepts are harmless but serve no purpose,
# since stray segments are already dropped as INVALID.
#iptables -A allow-ftp-traffic-in -p tcp -m limit --limit 1/sec -m tcp --dport 21 --tcp-flags FIN,SYN,RST,PSH,ACK,URG RST -j ACCEPT
#iptables -A allow-ftp-traffic-in -p tcp -m limit --limit 1/sec -m tcp --dport 21 --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -j ACCEPT
#iptables -A allow-ftp-traffic-in -p tcp -m limit --limit 1/sec -m tcp --dport 21 --tcp-flags FIN,SYN,RST,PSH,ACK,URG SYN -j ACCEPT
#iptables -A allow-ftp-traffic-in -p tcp -m state --state RELATED,ESTABLISHED -m tcp --dport 21 -j ACCEPT
## Configuring IPv4 Filter "allow-ftp-traffic-out" Chain Table ##
# Control channel only. The data channel is RELATED and only passes if
# the conntrack FTP helper is loaded -- not arranged by this script.
iptables -A allow-ftp-traffic-out -p tcp -m tcp --dport 21 -j ACCEPT
## Configuring IPv4 Filter "allow-ssh-traffic-in" Chain Table ##
# Populated but only reachable from the LAN-side jumps, which are all
# commented out; SSH is not exposed on ${WAN}.
iptables -A allow-ssh-traffic-in -p tcp -m limit --limit 1/sec -m tcp --dport 22 --tcp-flags FIN,SYN,RST,PSH,ACK,URG RST -j ACCEPT
iptables -A allow-ssh-traffic-in -p tcp -m limit --limit 1/sec -m tcp --dport 22 --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -j ACCEPT
iptables -A allow-ssh-traffic-in -p tcp -m limit --limit 1/sec -m tcp --dport 22 --tcp-flags FIN,SYN,RST,PSH,ACK,URG SYN -j ACCEPT
iptables -A allow-ssh-traffic-in -p tcp -m state --state RELATED,ESTABLISHED -m tcp --dport 22 -j ACCEPT
## Configuring IPv4 Filter "allow-ssh-traffic-out" Chain Table ##
iptables -A allow-ssh-traffic-out -p tcp -m tcp --dport 22 -j ACCEPT
## Configuring IPv4 Filter "allow-smtp-traffic-out" Chain Table ##
# Outbound port 25 from any LAN host (the FORWARD jump is enabled) --
# i.e. LAN machines may deliver mail directly rather than via .253.
iptables -A allow-smtp-traffic-out -p tcp -m tcp --dport 25 -j ACCEPT
## Configuring IPv4 Filter "allow-dns-traffic-in" Chain Table ##
# This is the one *-in chain enabled on ${WAN} (INPUT section). The
# first UDP rule has no state match, so the 1/sec limit counts every
# UDP/53 packet; once the burst is used up, packets from clients conntrack
# already knows still pass via the RELATED,ESTABLISHED rule, while first
# packets from new clients fall through to the catch-all and are dropped.
# A single remote host sending one query per second is enough to keep
# new clients out -- cheap to do, worth knowing about.
iptables -A allow-dns-traffic-in -p udp -m limit --limit 1/sec -m udp --dport 53 -j ACCEPT
iptables -A allow-dns-traffic-in -p udp -m state --state RELATED,ESTABLISHED -m udp --dport 53 -j ACCEPT
iptables -A allow-dns-traffic-in -p tcp -m limit --limit 1/sec -m tcp --dport 53 --tcp-flags FIN,SYN,RST,PSH,ACK,URG RST -j ACCEPT
iptables -A allow-dns-traffic-in -p tcp -m limit --limit 1/sec -m tcp --dport 53 --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -j ACCEPT
iptables -A allow-dns-traffic-in -p tcp -m limit --limit 1/sec -m tcp --dport 53 --tcp-flags FIN,SYN,RST,PSH,ACK,URG SYN -j ACCEPT
iptables -A allow-dns-traffic-in -p tcp -m state --state RELATED,ESTABLISHED -m tcp --dport 53 -j ACCEPT
## Configuring IPv4 Filter "allow-dns-traffic-out" Chain Table ##
# Queries to any resolver on the internet; not pinned to specific servers.
iptables -A allow-dns-traffic-out -p udp -m udp --dport 53 -j ACCEPT
iptables -A allow-dns-traffic-out -p tcp -m tcp --dport 53 -j ACCEPT
## Configuring IPv4 Filter "allow-http-traffic-in" Chain Table ##
# Disabled (the chain also collects the commented 8080 rules further down).
#iptables -A allow-http-traffic-in -p tcp -m limit --limit 1/sec -m tcp --dport 80 --tcp-flags FIN,SYN,RST,PSH,ACK,URG RST -j ACCEPT
#iptables -A allow-http-traffic-in -p tcp -m limit --limit 1/sec -m tcp --dport 80 --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -j ACCEPT
#iptables -A allow-http-traffic-in -p tcp -m limit --limit 1/sec -m tcp --dport 80 --tcp-flags FIN,SYN,RST,PSH,ACK,URG SYN -j ACCEPT
#iptables -A allow-http-traffic-in -p tcp -m state --state RELATED,ESTABLISHED -m tcp --dport 80 -j ACCEPT
## Configuring IPv4 Filter "allow-http-traffic-out" Chain Table ##
iptables -A allow-http-traffic-out -p tcp -m tcp --dport 80 -j ACCEPT
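## Configuring IPv4 Filter "allow-pop3-traffic-out" Chain Table ##
# POP3 is TCP/110. The original rule matched UDP/110, which no POP3
# client ever sends, so LAN clients' POP3 connections never matched this
# chain and were dropped by the FORWARD catch-all.
iptables -A allow-pop3-traffic-out -p tcp -m tcp --dport 110 -j ACCEPT
## Configuring IPv4 Filter "allow-ntp-traffic-in" Chain Table ##
# Disabled: the box does not serve time to the WAN.
#iptables -A allow-ntp-traffic-in -p udp -m limit --limit 1/sec -m udp --dport 123 -j ACCEPT
#iptables -A allow-ntp-traffic-in -p udp -m state --state RELATED,ESTABLISHED -m udp --dport 123 -j ACCEPT
## Configuring IPv4 Filter "allow-ntp-traffic-out" Chain Table ##
# NTP client traffic from the box and the LAN.
iptables -A allow-ntp-traffic-out -p udp -m udp --dport 123 -j ACCEPT
## Configuring IPv4 Filter "allow-imap-traffic-out" Chain Table ##
# IMAP is TCP/143 -- same UDP/TCP mix-up as POP3 above, same effect.
iptables -A allow-imap-traffic-out -p tcp -m tcp --dport 143 -j ACCEPT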
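## Configuring IPv4 Filter "allow-https-traffic-in" Chain Table ##
# Disabled: HTTPS is not served from the firewall host.
#iptables -A allow-https-traffic-in -p tcp -m limit --limit 1/sec -m tcp --dport 443 --tcp-flags FIN,SYN,RST,PSH,ACK,URG RST -j ACCEPT
#iptables -A allow-https-traffic-in -p tcp -m limit --limit 1/sec -m tcp --dport 443 --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -j ACCEPT
#iptables -A allow-https-traffic-in -p tcp -m limit --limit 1/sec -m tcp --dport 443 --tcp-flags FIN,SYN,RST,PSH,ACK,URG SYN -j ACCEPT
#iptables -A allow-https-traffic-in -p tcp -m state --state RELATED,ESTABLISHED -m tcp --dport 443 -j ACCEPT
## Configuring IPv4 Filter "allow-https-traffic-out" Chain Table ##
iptables -A allow-https-traffic-out -p tcp -m tcp --dport 443 -j ACCEPT
## Configuring IPv4 Filter "allow-smtps-traffic-out" Chain Table ##
# SMTPS (465) and submission (587). These were being appended to
# allow-smtp-traffic-out, leaving allow-smtps-traffic-out empty. Harmless
# in FORWARD, which jumps to both chains, but it tied the TLS ports to the
# plain-SMTP toggle: enabling allow-smtp-traffic-out in OUTPUT would have
# silently opened 465/587 as well. Put them in the chain the header names.
iptables -A allow-smtps-traffic-out -p tcp -m tcp --dport 465 -j ACCEPT
iptables -A allow-smtps-traffic-out -p tcp -m tcp --dport 587 -j ACCEPT
## Configuring IPv4 Filter "allow-rsync-traffic-in" Chain Table ##
# Disabled.
#iptables -A allow-rsync-traffic-in -p tcp -m limit --limit 1/sec -m tcp --dport 873 --tcp-flags FIN,SYN,RST,PSH,ACK,URG RST -j ACCEPT
#iptables -A allow-rsync-traffic-in -p tcp -m limit --limit 1/sec -m tcp --dport 873 --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -j ACCEPT
#iptables -A allow-rsync-traffic-in -p tcp -m limit --limit 1/sec -m tcp --dport 873 --tcp-flags FIN,SYN,RST,PSH,ACK,URG SYN -j ACCEPT
#iptables -A allow-rsync-traffic-in -p tcp -m state --state RELATED,ESTABLISHED -m tcp --dport 873 -j ACCEPT
## Configuring IPv4 Filter "allow-rsync-traffic-out" Chain Table ##
# rsync daemon protocol (873); rsync-over-ssh is covered by the ssh chain.
iptables -A allow-rsync-traffic-out -p tcp -m tcp --dport 873 -j ACCEPT
## Configuring IPv4 Filter "allow-imaps-traffic-out" Chain Table ##
# Was appended to allow-imap-traffic-out; moved to its own chain for the
# same reason as SMTPS above.
iptables -A allow-imaps-traffic-out -p tcp -m tcp --dport 993 -j ACCEPT
## Configuring IPv4 Filter "allow-pop3s-traffic-out" Chain Table ##
# Was appended to allow-pop3-traffic-out; moved likewise.
iptables -A allow-pop3s-traffic-out -p tcp -m tcp --dport 995 -j ACCEPT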
## Configuring IPv4 Filter "allow-fb-traffic-out" Chain Table ##
# "fb" is not expanded anywhere in this file; TCP 1511-1515 -- confirm
# what this is before keeping it open.
iptables -A allow-fb-traffic-out -p tcp -m tcp --dport 1511 -j ACCEPT
iptables -A allow-fb-traffic-out -p tcp -m tcp --dport 1512 -j ACCEPT
iptables -A allow-fb-traffic-out -p tcp -m tcp --dport 1514 -j ACCEPT
iptables -A allow-fb-traffic-out -p tcp -m tcp --dport 1515 -j ACCEPT
## Configuring IPv4 Filter "allow-amsn-traffic-out" Chain Table ##
# TCP 1863, presumably the (long defunct) MSN Messenger protocol.
iptables -A allow-amsn-traffic-out -p tcp -m tcp --dport 1863 -j ACCEPT
## Configuring IPv4 Filter "allow-streaming-traffic-out" Chain Table ##
# TCP 1935 (RTMP).
iptables -A allow-streaming-traffic-out -p tcp -m tcp --dport 1935 -j ACCEPT
## Configuring IPv4 Filter "allow-svn-traffic-out" Chain Table ##
# svnserve protocol (3690).
iptables -A allow-svn-traffic-out -p tcp -m tcp --dport 3690 -j ACCEPT
## Configuring IPv4 Filter "allow-irc-traffic-out" Chain Table ##
# Plaintext IRC only (6667); the TLS ports are not opened.
#iptables -A allow-irc-traffic-out -p tcp -m tcp --dport 194 -j ACCEPT
#iptables -A allow-irc-traffic-out -p tcp -m tcp --dport 529 -j ACCEPT
#iptables -A allow-irc-traffic-out -p tcp -m tcp --dport 994 -j ACCEPT
iptables -A allow-irc-traffic-out -p tcp -m tcp --dport 6667 -j ACCEPT
## Configuring IPv4 Filter "allow-http-traffic-in" Chain Table (port 8080 variant) ##
# Disabled; appends to the same chain as the port-80 rules above.
#iptables -A allow-http-traffic-in -p tcp -m limit --limit 1/sec -m tcp --dport 8080 --tcp-flags FIN,SYN,RST,PSH,ACK,URG RST -j ACCEPT
#iptables -A allow-http-traffic-in -p tcp -m limit --limit 1/sec -m tcp --dport 8080 --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -j ACCEPT
#iptables -A allow-http-traffic-in -p tcp -m limit --limit 1/sec -m tcp --dport 8080 --tcp-flags FIN,SYN,RST,PSH,ACK,URG SYN -j ACCEPT
#iptables -A allow-http-traffic-in -p tcp -m state --state RELATED,ESTABLISHED -m tcp --dport 8080 -j ACCEPT
## Configuring IPv4 Filter "allow-noip-traffic-out" Chain Table ##
# Dynamic-DNS update channel (TCP 8245); used by the box's OUTPUT chain.
iptables -A allow-noip-traffic-out -p tcp -m tcp --dport 8245 -j ACCEPT
## Configuring IPv4 Filter "allow-git-traffic-out" Chain Table ##
# git:// protocol (9418), unauthenticated and unencrypted.
iptables -A allow-git-traffic-out -p tcp -m tcp --dport 9418 -j ACCEPT
## Opening IPv4 Filter "allow-teamspeak-traffic-out" Chain Table ##
# UDP 9987 (TeamSpeak 3 voice port).
iptables -A allow-teamspeak-traffic-out -p udp -m udp --dport 9987 -j ACCEPT
## Configuring IPv4 Filter "allow-rfactor-traffic-in" Chain Table ##
# Entirely disabled, and the FORWARD jump to this chain is commented out
# too: inbound rFactor traffic reaches .252 only via the DNAT accepts.
#iptables -A allow-rfactor-traffic-in -p tcp -m limit --limit 1/sec -m tcp --dport 34000:35000 --tcp-flags FIN,SYN,RST,PSH,ACK,URG RST -j ACCEPT
#iptables -A allow-rfactor-traffic-in -p tcp -m limit --limit 1/sec -m tcp --dport 34000:35000 --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -j ACCEPT
#iptables -A allow-rfactor-traffic-in -p tcp -m limit --limit 1/sec -m tcp --dport 34000:35000 --tcp-flags FIN,SYN,RST,PSH,ACK,URG SYN -j ACCEPT
#iptables -A allow-rfactor-traffic-in -p tcp -m state --state RELATED,ESTABLISHED -m tcp --dport 34000:35000 -j ACCEPT
#iptables -A allow-rfactor-traffic-in -p tcp -m tcp --dport 34000:35000 -j ACCEPT
#iptables -A allow-rfactor-traffic-in -p udp -m udp --dport 34000:35000 -j ACCEPT
#iptables -A allow-rfactor-traffic-in -p tcp -m limit --limit 1/sec -m tcp --dport 39001 --tcp-flags FIN,SYN,RST,PSH,ACK,URG RST -j ACCEPT
#iptables -A allow-rfactor-traffic-in -p tcp -m limit --limit 1/sec -m tcp --dport 39001 --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -j ACCEPT
#iptables -A allow-rfactor-traffic-in -p tcp -m limit --limit 1/sec -m tcp --dport 39001 --tcp-flags FIN,SYN,RST,PSH,ACK,URG SYN -j ACCEPT
#iptables -A allow-rfactor-traffic-in -p tcp -m state --state RELATED,ESTABLISHED -m tcp --dport 39001 -j ACCEPT
#iptables -A allow-rfactor-traffic-in -p tcp -m tcp --dport 39001 -j ACCEPT
#iptables -A allow-rfactor-traffic-in -p udp -m udp --dport 39002 -j ACCEPT
## Configuring IPv4 Filter "allow-rfactor-traffic-out" Chain Table (UNDER OBSERVATION) ##
# Candidate ports seen while watching the game; none enabled.
## iptables -A allow-rfactor-traffic-out -p udp -m udp --dport 1900 -j ACCEPT
## iptables -A allow-rfactor-traffic-out -p tcp -m tcp --dport 3484 -j ACCEPT
## iptables -A allow-rfactor-traffic-out -p udp -m udp --dport 3544 -j ACCEPT
## iptables -A allow-rfactor-traffic-out -p tcp -m tcp --dport 31000:31002 -j ACCEPT
## iptables -A allow-rfactor-traffic-out -p tcp -m tcp --dport 32000:32002 -j ACCEPT
## iptables -A allow-rfactor-traffic-out -p tcp -m tcp --dport 34384 -j ACCEPT
## Configuring IPv4 Filter "allow-rfactor-traffic-out" Chain Table (IF RFACTOR HAVE PROBLEMS TO CONNECT) ##
# Fallback: the whole game-port range outbound. Disabled.
## iptables -A allow-rfactor-traffic-out -p tcp -m tcp --dport 34000:35000 -j ACCEPT
## Configuring IPv4 Filter "allow-quake-traffic-out" rFactor Hotlaps Chain Table ##
# UDP 26000 (Quake-style master/server query).
iptables -A allow-quake-traffic-out -p udp -m udp --dport 26000 -j ACCEPT
## Configuring IPv4 Filter "allow-rfactor-traffic-out" rFactor Hotlaps Chain Table ##
iptables -A allow-rfactor-traffic-out -p tcp -m tcp --dport 27011:27015 -j ACCEPT
## Configuring IPv4 Filter "allow-quake3-traffic-out" rFactor Hotlaps Chain Table ##
# (Header previously said allow-quake-traffic-out; the rule is quake3.)
iptables -A allow-quake3-traffic-out -p udp -m udp --dport 27950 -j ACCEPT
## Configuring IPv4 Filter "allow-rfactor-traffic-out" Chain Table (CHECK OK) ##
## Opening F1SR 1993 mod ports ##
iptables -A allow-rfactor-traffic-out -p udp -m udp --dport 34297 -j ACCEPT
iptables -A allow-rfactor-traffic-out -p udp -m udp --dport 34397 -j ACCEPT
iptables -A allow-rfactor-traffic-out -p tcp -m tcp --dport 34447:34450 -j ACCEPT
## Opening FSONE 2009 mod ports ##
iptables -A allow-rfactor-traffic-out -p udp -m udp --dport 34298 -j ACCEPT
iptables -A allow-rfactor-traffic-out -p udp -m udp --dport 34398 -j ACCEPT
iptables -A allow-rfactor-traffic-out -p udp -m udp --dport 34299 -j ACCEPT
iptables -A allow-rfactor-traffic-out -p udp -m udp --dport 34399:34400 -j ACCEPT
## Opening Matchmaker ports ##
# Mirror of the inbound matchmaker DNAT (TCP 39001 / UDP 39002).
iptables -A allow-rfactor-traffic-out -p tcp -m tcp --dport 39001 -j ACCEPT
iptables -A allow-rfactor-traffic-out -p udp -m udp --dport 39002 -j ACCEPT
## Opening IPv4 Filter "allow-hw-traffic-out" Chain Table ##
# "hw" is not explained in this file; TCP 46631 -- confirm before keeping.
iptables -A allow-hw-traffic-out -p tcp -m tcp --dport 46631 -j ACCEPT
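## Configuring IPv4 Filter "allowed-connection" Chain Table ##
# Final catch-all for INPUT, FORWARD and OUTPUT: packets belonging to a
# flow that was already allowed pass; everything else is dropped, with a
# trickle of log lines (3/hour, default burst 5) for what came in on the
# WAN. (The header used to name a chain "allowed-wan-connection" that
# does not exist.)
iptables -A allowed-connection -m state --state RELATED,ESTABLISHED -j ACCEPT
# The log prefix hard-coded "eth1", which is ${LAN}, not the interface
# this rule matches; derive it from ${WAN} so the log is not misleading
# and stays correct if WAN is switched to ppp0.
iptables -A allowed-connection -i ${WAN} -m limit --limit 3/hour -j LOG --log-prefix "Bad packet from ${WAN}:"
iptables -A allowed-connection -j DROP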
## Clear All IPv6 Filter Tables ##
# Flush rules, delete user-defined chains, zero counters -- IPv6 filter.
for action in -F -X -Z; do
  ip6tables "${action}"
done
## Setup IPv6 Filter Build-in Policy Tables ##
# Default-deny on every built-in chain, as for IPv4.
for chain in INPUT FORWARD OUTPUT; do
  ip6tables -P "${chain}" DROP
done
## Create New IPv6 Filter Chains Tables ##
# The IPv6 side has a much smaller set of service chains; only
# check-flags, icmpv6_allowed and allowed-connection are actually
# reached, since all ${WAN} jumps are disabled below.
for chain in \
  allow-dns-traffic-out \
  allow-ftp-traffic-out \
  allow-ntp-traffic-out \
  allow-ssh-traffic-in \
  allow-ssh-traffic-out \
  allow-www-traffic-out \
  allowed-connection \
  check-flags \
  icmpv6_allowed
do
  ip6tables -N "${chain}"
done
## Configuring IPv6 Filter INPUT Build-in Chain Table ##
# IPv6 is effectively switched off across ${WAN}: INPUT drops everything
# arriving there (before the RELATED,ESTABLISHED catch-all, so even
# replies are dropped), OUTPUT and FORWARD drop everything leaving that
# way. Only lo and the LAN carry IPv6.
ip6tables -A INPUT -m state --state INVALID -j DROP
# All ICMPv6 is funnelled through icmpv6_allowed BEFORE the LAN accept
# below, so whatever that chain drops is dropped for LAN hosts as well.
ip6tables -A INPUT -p icmpv6 -j icmpv6_allowed
ip6tables -A INPUT -j check-flags
#ip6tables -A INPUT -i ${WAN} -j allow-ssh-traffic-in
ip6tables -A INPUT -i ${WAN} -j DROP
ip6tables -A INPUT -i ${LO} -j ACCEPT
ip6tables -A INPUT -i ${LAN} -j ACCEPT
ip6tables -A INPUT -j allowed-connection
## Configuring IPv6 Filter FORWARD Build-in Chain Table ##
# No IPv6 is routed in or out of ${WAN}; the per-service jumps are kept
# as toggles for when that changes.
ip6tables -A FORWARD -m state --state INVALID -j DROP
ip6tables -A FORWARD -p icmpv6 -j icmpv6_allowed
ip6tables -A FORWARD -j check-flags
#ip6tables -A FORWARD -i ${WAN} -j ACCEPT
#ip6tables -A FORWARD -o ${WAN} -j ACCEPT
#ip6tables -A FORWARD -i ${WAN} -j allow-ssh-traffic-in
#ip6tables -A FORWARD -o ${WAN} -j allow-ssh-traffic-out
#ip6tables -A FORWARD -o ${WAN} -j allow-dns-traffic-out
#ip6tables -A FORWARD -o ${WAN} -j allow-ftp-traffic-out
#ip6tables -A FORWARD -o ${WAN} -j allow-ntp-traffic-out
#ip6tables -A FORWARD -o ${WAN} -j allow-www-traffic-out
ip6tables -A FORWARD -i ${WAN} -j DROP
ip6tables -A FORWARD -o ${WAN} -j DROP
#ip6tables -A FORWARD -i ${LO} -j ACCEPT
#ip6tables -A FORWARD -o ${LO} -j ACCEPT
# With both WAN directions dropped, only LAN<->LAN forwarding (if any)
# reaches this catch-all.
ip6tables -A FORWARD -j allowed-connection
## Configuring IPv6 Filter OUTPUT Build-in Chain Table ##
# The box itself originates no IPv6 on ${WAN}.
ip6tables -A OUTPUT -m state --state INVALID -j DROP
ip6tables -A OUTPUT -p icmpv6 -j icmpv6_allowed
ip6tables -A OUTPUT -j check-flags
#ip6tables -A OUTPUT -o ${WAN} -j ACCEPT
#ip6tables -A OUTPUT -o ${WAN} -j allow-ssh-traffic-out
#ip6tables -A OUTPUT -o ${WAN} -j allow-dns-traffic-out
#ip6tables -A OUTPUT -o ${WAN} -j allow-ftp-traffic-out
#ip6tables -A OUTPUT -o ${WAN} -j allow-ntp-traffic-out
#ip6tables -A OUTPUT -o ${WAN} -j allow-www-traffic-out
ip6tables -A OUTPUT -o ${WAN} -j DROP
ip6tables -A OUTPUT -o ${LO} -j ACCEPT
ip6tables -A OUTPUT -o ${LAN} -j ACCEPT
ip6tables -A OUTPUT -j allowed-connection
## Configuring IPv6 Filter "allow-dns-traffic-out" Chain Table ##
# Disabled, and it references DNS1_V6..DNS4_V6, which this script never
# defines; they would have to be exported alongside the interface names
# before these lines can be enabled.
#ip6tables -A allow-dns-traffic-out -d ${DNS1_V6} -p udp -m udp --dport 53 -j ACCEPT
#ip6tables -A allow-dns-traffic-out -d ${DNS2_V6} -p udp -m udp --dport 53 -j ACCEPT
#ip6tables -A allow-dns-traffic-out -d ${DNS3_V6} -p udp -m udp --dport 53 -j ACCEPT
#ip6tables -A allow-dns-traffic-out -d ${DNS4_V6} -p udp -m udp --dport 53 -j ACCEPT
# None of the chains below is currently reached: every ${WAN} jump in the
# IPv6 INPUT/FORWARD/OUTPUT sections is commented out and ${WAN} traffic
# is dropped outright. They are populated so the toggles work when
# flipped.
## Configuring IPv6 Filter "allow-ftp-traffic-out" Chain Table ##
ip6tables -A allow-ftp-traffic-out -p tcp -m tcp --dport 21 -j ACCEPT
## Configuring IPv6 Filter "allow-ntp-traffic-out" Chain Table ##
ip6tables -A allow-ntp-traffic-out -p udp -m udp --dport 123 -j ACCEPT
## Configuring IPv6 Filter "allow-ssh-traffic-in" Chain Table ##
# Same shape as the IPv4 ssh-in chain: lone RST/FIN/SYN at 1/sec, plus
# RELATED,ESTABLISHED.
ip6tables -A allow-ssh-traffic-in -p tcp -m limit --limit 1/sec -m tcp --dport 22 --tcp-flags FIN,SYN,RST,PSH,ACK,URG RST -j ACCEPT
ip6tables -A allow-ssh-traffic-in -p tcp -m limit --limit 1/sec -m tcp --dport 22 --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -j ACCEPT
ip6tables -A allow-ssh-traffic-in -p tcp -m limit --limit 1/sec -m tcp --dport 22 --tcp-flags FIN,SYN,RST,PSH,ACK,URG SYN -j ACCEPT
ip6tables -A allow-ssh-traffic-in -p tcp -m state --state RELATED,ESTABLISHED -m tcp --dport 22 -j ACCEPT
## Configuring IPv6 Filter "allow-ssh-traffic-out" Chain Table ##
ip6tables -A allow-ssh-traffic-out -p tcp -m tcp --dport 22 -j ACCEPT
## Configuring IPv6 Filter "allow-www-traffic-out" Chain Table ##
# HTTP and HTTPS in one chain (the IPv4 side keeps them separate).
ip6tables -A allow-www-traffic-out -p tcp -m tcp --dport 80 -j ACCEPT
ip6tables -A allow-www-traffic-out -p tcp -m tcp --dport 443 -j ACCEPT
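## Configuring IPv6 Filter "allowed-connection" Chain Table ##
# IPv6 catch-all, mirror of the IPv4 one: established/related flows pass,
# the rest is dropped with a rate-limited log line for WAN arrivals.
ip6tables -A allowed-connection -m state --state RELATED,ESTABLISHED -j ACCEPT
# Prefix derived from ${WAN} instead of the hard-coded "eth1" (which is
# ${LAN}); the rule matches ${WAN}, so the old label was wrong.
ip6tables -A allowed-connection -i ${WAN} -m limit --limit 3/hour -j LOG --log-prefix "Bad packet from ${WAN}:"
ip6tables -A allowed-connection -j DROP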
## Configuring IPv6 Filter "check-flags" Chain Table ##
# Identical signatures to the IPv4 check-flags chain: bogus TCP flag
# combinations are logged at 5/min and dropped. Records are
# "mask|flags|log prefix|syslog level", applied in order, LOG then DROP.
while IFS='|' read -r mask flags prefix level; do
  ip6tables -A check-flags -p tcp -m tcp --tcp-flags "${mask}" "${flags}" -m limit --limit 5/min -j LOG --log-prefix "${prefix}" --log-level "${level}"
  ip6tables -A check-flags -p tcp -m tcp --tcp-flags "${mask}" "${flags}" -j DROP
done <<'EOF'
FIN,SYN,RST,PSH,ACK,URG|FIN,PSH,URG|NMAP-XMAS:|1
FIN,SYN,RST,PSH,ACK,URG|FIN,SYN,RST,PSH,ACK,URG|XMAS:|1
FIN,SYN,RST,PSH,ACK,URG|FIN,SYN,RST,ACK,URG|XMAS-PSH:|1
FIN,SYN,RST,PSH,ACK,URG|NONE|NULL_SCAN:|1
SYN,RST|SYN,RST|SYN/RST:|5
FIN,SYN|FIN,SYN|SYN/FIN:|5
EOF
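## Configuring IPv6 Filter "icmpv6_allowed" Chain Table ##
# Shared by INPUT, FORWARD and OUTPUT, and consulted BEFORE the lo/LAN
# accepts, so whatever is dropped here is dropped for the LAN too.
# ICMPv6 errors: destination unreachable (1), packet too big (2 -- without
# it IPv6 path-MTU discovery fails), time exceeded (3), parameter problem
# (4). Conntrack marks an error that belongs to a known flow RELATED (one
# that belongs to none is INVALID and dropped earlier), so the original
# NEW-only match on types 1 and 3 never fired and every useful error was
# logged and dropped. NEW is kept for compatibility; RELATED is what
# actually matches.
for t in 1 2 3 4; do
  ip6tables -A icmpv6_allowed -p icmpv6 -m state --state NEW,RELATED -m icmpv6 --icmpv6-type "${t}" -j ACCEPT
done
# Neighbor Discovery: router solicitation/advertisement (133/134) and
# neighbor solicitation/advertisement (135/136). These were dropped, so
# LAN hosts could not even resolve each other's link-layer addresses.
# No state match: conntrack does not track ND (UNTRACKED on current
# kernels; some older ones flagged it INVALID, in which case the INVALID
# drop in the built-in chains still wins -- verify on the target kernel).
# ND must carry hop limit 255 (RFC 4861), which keeps off-link forgeries
# out.
for t in 133 134 135 136; do
  ip6tables -A icmpv6_allowed -p icmpv6 -m icmpv6 --icmpv6-type "${t}" -m hl --hl-eq 255 -j ACCEPT
done
# Everything else (echo request/reply included) is logged -- rate-limited
# so a flood cannot fill the log, as the unbounded rule allowed -- and
# dropped.
ip6tables -A icmpv6_allowed -p icmpv6 -m limit --limit 5/min -j LOG --log-prefix "Bad ICMPv6 traffic:"
ip6tables -A icmpv6_allowed -p icmpv6 -j DROP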
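## Setting IPv4 Forward and RP Filter Linux Kernel ##
# NOTE(review): ip_forward is left commented out here, so the nat and
# FORWARD rules above only do anything if forwarding is enabled elsewhere
# (e.g. sysctl.conf). If it is not, this is an INPUT/OUTPUT-only host
# firewall and the DNAT'ed services are unreachable.
#echo 1 > /proc/sys/net/ipv4/ip_forward
# Strict reverse-path filtering (rp_filter=1) on every interface: a
# packet whose source address would not be routed back out the interface
# it arrived on is discarded, which blunts source-address spoofing across
# ${WAN}/${LAN}. Path quoted; the glob is expanded by the shell, not by
# the quoted expansion.
for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > "$f" ; done
## Save And Restart IPv4 Tables ##
# Init-script style persistence (as on e.g. Gentoo and older RHEL):
# dump the in-kernel ruleset to the distro's save file and reload it.
# Hosts without these scripts need `iptables-save > file` instead.
/etc/init.d/iptables save
/etc/init.d/iptables restart
## Save And Restart IPv6 Tables ##
/etc/init.d/ip6tables save
/etc/init.d/ip6tables restart
## List IPv4 Tables ##
#iptables -t nat -L -v
#iptables -L -v
## List IPv6 Tables ##
# (was `iptables -L -v`, which lists the IPv4 table again)
#ip6tables -L -v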