- root@172275:~# cat iptables_load_v2
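#!/bin/bash
#
# iptables_load_v2 - load the host firewall ruleset.
#
# Flushes every chain in the filter, nat and mangle tables, sets a default
# DROP policy on INPUT/OUTPUT/FORWARD, then appends the allow rules below.
# Rule order matters: iptables evaluates a chain top-down and the first
# match wins, so the sequence here is preserved deliberately.
#
# Environment (all optional; exported so any helper spawned below sees them):
#   IPT     - iptables binary to use            (default: iptables)
#   WAN     - interface facing the Internet     (default: eth0)
#   WAN_IP  - public address bound to $WAN      (default: 89.223.30.17)
#
# Must run as root.  The script stops at the first rule that fails to load
# so a half-applied ruleset is noticed instead of silently left behind.
# Because the DROP policies are set before the allow rules, such a failure
# leaves the host closed rather than open.

set -eu

# ---- variables --------------------------------------------------------------
# Defaults can be overridden from the environment, e.g. IPT=/sbin/iptables
# when the script runs from a boot hook with a minimal PATH.
export IPT="${IPT:-iptables}"
# active WAN interface
export WAN="${WAN:-eth0}"
export WAN_IP="${WAN_IP:-89.223.30.17}"

# Fail early, before anything is flushed, if the binary is not available.
command -v "$IPT" >/dev/null 2>&1 || {
  printf '%s: %s not found in PATH\n' "${0##*/}" "$IPT" >&2
  exit 1
}
# Report which rule failed (set -e then aborts the script).
trap 'printf "%s: line %s failed: %s\n" "${0##*/}" "$LINENO" "$BASH_COMMAND" >&2' ERR

# ---- clean all chains -------------------------------------------------------
"$IPT" -F
"$IPT" -F -t nat
"$IPT" -F -t mangle
"$IPT" -X
"$IPT" -t nat -X
"$IPT" -t mangle -X

# ---- default policy for packets matching no rule ----------------------------
"$IPT" -P INPUT DROP
"$IPT" -P OUTPUT DROP
"$IPT" -P FORWARD DROP

# ---- loopback ----------------------------------------------------------------
"$IPT" -A INPUT -i lo -j ACCEPT
"$IPT" -A OUTPUT -o lo -j ACCEPT

# ---- ICMP ---------------------------------------------------------------------
# NOTE(review): echo-request is accepted without a rate limit; add
# `-m limit` here if ping floods become a concern.
"$IPT" -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
"$IPT" -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
"$IPT" -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
"$IPT" -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

# ---- outbound connections initiated by the server itself ----------------------
"$IPT" -A OUTPUT -o "$WAN" -j ACCEPT

# ---- connection tracking ------------------------------------------------------
# ESTABLISHED = not the first packet of a connection; RELATED = belongs to an
# existing connection (e.g. ICMP errors).  Accept both on all three chains.
"$IPT" -A INPUT -p all -m state --state ESTABLISHED,RELATED -j ACCEPT
"$IPT" -A OUTPUT -p all -m state --state ESTABLISHED,RELATED -j ACCEPT
"$IPT" -A FORWARD -p all -m state --state ESTABLISHED,RELATED -j ACCEPT

# ---- MSS clamping for forwarded TCP (differing MTUs on each side) --------------
# Inserted (-I) so it sits at the top of FORWARD, ahead of the state rule.
"$IPT" -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

# ---- drop packets conntrack cannot classify ------------------------------------
"$IPT" -A INPUT -m state --state INVALID -j DROP
"$IPT" -A FORWARD -m state --state INVALID -j DROP

# ---- drop NEW TCP connections that do not start with SYN -----------------------
# The OUTPUT rule only matters for interfaces other than $WAN, because the
# unconditional ACCEPT on "-o $WAN" above is matched first.
"$IPT" -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
"$IPT" -A OUTPUT -p tcp ! --syn -m state --state NEW -j DROP

# ---- published services on the WAN interface ------------------------------------
# ssh (non-default port)
"$IPT" -A INPUT -i "$WAN" -p tcp --dport 8022 -j ACCEPT
# https
"$IPT" -A INPUT -i "$WAN" -p tcp --dport 443 -j ACCEPT
# SRCDS
# NOTE(review): the UDP/27015 INPUT rule is shadowed for traffic arriving
# from outside by the PREROUTING DNAT further down, which redirects that
# port to 80.87.202.139 before the routing decision; keep it only if a
# local listener on 27015/udp is still expected.
"$IPT" -A INPUT -i "$WAN" -p tcp --dport 27015 -j ACCEPT
"$IPT" -A INPUT -i "$WAN" -p udp --dport 27015 -j ACCEPT
"$IPT" -A INPUT -i "$WAN" -p udp --dport 27005 -j ACCEPT
"$IPT" -A INPUT -i "$WAN" -p udp --dport 27006 -j ACCEPT
"$IPT" -A INPUT -i "$WAN" -p udp --dport 27020 -j ACCEPT
"$IPT" -A INPUT -i "$WAN" -p udp --dport 27021 -j ACCEPT
# SRCDS revemu
"$IPT" -A INPUT -i "$WAN" -p udp --dport 22015 -j ACCEPT

# ---- SRCDS proxy: forward game traffic to the internal host ----------------------
# NOTE(review): neither DNAT rule below is bound to "-i $WAN" or
# "-d $WAN_IP", so matching packets arriving on any interface and addressed
# to any local IP are redirected.  The commented-out variants below show the
# narrower "-d $WAN_IP" form; prefer it once verified in production.
"$IPT" -A FORWARD -p udp -d 80.87.202.139 --dport 27015 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
"$IPT" -t nat -A PREROUTING -p udp --dport 27015 -j DNAT --to-destination 80.87.202.139:27015
#$IPT -t nat -A PREROUTING -p udp -d $WAN_IP --dport 27015 -j DNAT --to-destination 80.87.202.139:27015
#$IPT -A FORWARD -i $WAN -d 80.87.202.139 -p udp --dport 27015 -j ACCEPT
#$IPT -t nat -A PREROUTING -p udp -d $WAN_IP --dport 27005 -j DNAT --to-destination 80.87.202.139:27005
#$IPT -A FORWARD -i $WAN -d 80.87.202.139 -p udp --dport 27005 -j ACCEPT
#$IPT -t nat -A PREROUTING -p udp -d $WAN_IP --dport 27006 -j DNAT --to-destination 80.87.202.139:27006
#$IPT -A FORWARD -i $WAN -d 80.87.202.139 -p udp --dport 27006 -j ACCEPT
#$IPT -t nat -A PREROUTING -p udp -d $WAN_IP --dport 27020 -j DNAT --to-destination 80.87.202.139:27020
#$IPT -A FORWARD -i $WAN -d 80.87.202.139 -p udp --dport 27020 -j ACCEPT
#$IPT -t nat -A PREROUTING -p udp -d $WAN_IP --dport 27021 -j DNAT --to-destination 80.87.202.139:27021
#$IPT -A FORWARD -i $WAN -d 80.87.202.139 -p udp --dport 27021 -j ACCEPT

# ---- router test: public 9001/tcp -> internal 9022/tcp ----------------------------
"$IPT" -A FORWARD -p tcp -d 80.87.202.139 --dport 9022 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
"$IPT" -t nat -A PREROUTING -p tcp --dport 9001 -j DNAT --to-destination 80.87.202.139:9022
# Source-NAT everything leaving the box.
# NOTE(review): no "-o $WAN" restriction, so forwarded traffic is masqueraded
# on every egress interface; narrow it if a second interface is ever added.
"$IPT" -t nat -A POSTROUTING -j MASQUERADE
#$IPT -A INPUT -i $WAN -p tcp --dport 9090 -j ACCEPT

# ---- web --------------------------------------------------------------------------
"$IPT" -A INPUT -i "$WAN" -p tcp --dport 80 -j ACCEPT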