- /bin/cp -f /etc/iptables.rules /etc/iptables.rules.old
- cat > /etc/iptables.rules <<EOF
- *filter
- :INPUT ACCEPT [0:0]
- :FORWARD ACCEPT [0:0]
- :OUTPUT ACCEPT [0:0]
- :ICMPALL - [0:0]
- :ZREJ - [0:0]
- -A INPUT -m conntrack --ctstate INVALID -j DROP
- -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
- -A INPUT -i lo -j ACCEPT
- -A INPUT -p icmp --icmp-type 255 -j ICMPALL
- -A INPUT -p udp --dport 67:68 --sport 67:68 -j ACCEPT
- -A INPUT -p tcp --dport 22 -j ACCEPT
- -A INPUT -p udp -m multiport --dports 500,4500 -j ACCEPT
- -A INPUT -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
- -A INPUT -p udp --dport 1701 -j DROP
- -A INPUT -j ZREJ
- -A FORWARD -i eth+ -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
- -A FORWARD -i ppp+ -o eth+ -j ACCEPT
- -A FORWARD -j ZREJ
- -A ICMPALL -p icmp --fragment -j DROP
- -A ICMPALL -p icmp --icmp-type 0 -j ACCEPT
- -A ICMPALL -p icmp --icmp-type 3 -j ACCEPT
- -A ICMPALL -p icmp --icmp-type 4 -j ACCEPT
- -A ICMPALL -p icmp --icmp-type 8 -j ACCEPT
- -A ICMPALL -p icmp --icmp-type 11 -j ACCEPT
- -A ICMPALL -p icmp -j DROP
- -A ZREJ -p tcp -j REJECT --reject-with tcp-reset
- -A ZREJ -p udp -j REJECT --reject-with icmp-port-unreachable
- -A ZREJ -j REJECT --reject-with icmp-proto-unreachable
- COMMIT
- *nat
- :PREROUTING ACCEPT [0:0]
- :INPUT ACCEPT [0:0]
- :OUTPUT ACCEPT [0:0]
- :POSTROUTING ACCEPT [0:0]
- -A POSTROUTING -s 192.168.42.0/24 -o eth+ -j SNAT --to-source ${PRIVATE_IP}
- COMMIT
- EOF
- cat > /etc/network/if-pre-up.d/iptablesload <<EOF
- #!/bin/sh
- /sbin/iptables-restore < /etc/iptables.rules
- exit 0
- EOF