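#!/bin/sh
#
# Host firewall for a SoftEther VPN gateway.
#
# Sets INPUT/OUTPUT/FORWARD to DROP for IPv4 and IPv6, admits SSH and the
# VPN listener on the external interface, lets VPN clients reach the local
# resolver, and SNATs the VPN client subnet out through the public address.
#
# Maintainer notes:
#   * Runs as root. There is no `set -e`: a rejected rule does not stop the
#     script, so read the output when reloading — with DROP policies in
#     place, a half-applied ruleset can lock you out of a remote host.
#   * IP_EXT is redacted in this copy; it must be the address on IF_EXT.

IF_EXT="eth0"            # public-facing interface
IF_VPN="tap_softether"   # SoftEther TAP device carrying VPN clients
VPN_NET="10.8.0.0/24"    # VPN client subnet reached over IF_VPN
VPN_PORT="443"           # SoftEther listener on IF_EXT
IPT="/sbin/iptables"
IPT6="/sbin/ip6tables"
IP_EXT="<cut_out>"       # placeholder: public address of IF_EXT (redacted)

# flush
# Clears all rules and user chains so re-running the script is idempotent.
# Between the flush and the DROP policies below, the previous policy
# briefly applies.
"$IPT" --flush
"$IPT" -t nat --flush
"$IPT" -t mangle --flush
"$IPT" -X
"$IPT6" --flush

# loopback
"$IPT" -A INPUT -i lo -j ACCEPT
"$IPT" -A OUTPUT -o lo -j ACCEPT
# IPv6 loopback too: with the DROP policies below, services bound to ::1
# would otherwise be unreachable from the host itself.
"$IPT6" -A INPUT -i lo -j ACCEPT
"$IPT6" -A OUTPUT -o lo -j ACCEPT

# default
"$IPT" -P INPUT DROP
"$IPT" -P OUTPUT DROP
"$IPT" -P FORWARD DROP
# IPv6 is not used on this host; everything except loopback is dropped.
"$IPT6" -P INPUT DROP
"$IPT6" -P OUTPUT DROP
"$IPT6" -P FORWARD DROP

# allow forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# NAT
# #########################################
# SNAT - local users to out internet
# Restricted to packets leaving via IF_EXT so VPN-to-VPN traffic keeps
# its real source address.
"$IPT" -t nat -A POSTROUTING -s "$VPN_NET" -o "$IF_EXT" -j SNAT --to-source "$IP_EXT"

# INPUT chain
# #########################################
# A new TCP connection must begin with a SYN.
"$IPT" -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
"$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# SYN rate limit. The chain is created and jumped to BEFORE the per-service
# ACCEPT rules; placed after them it would only ever see SYNs to ports that
# the DROP policy rejects anyway. Note that `limit` is one global bucket,
# not per source, so a single busy peer can push everyone into the DROP.
"$IPT" -N syn_flood
"$IPT" -A syn_flood -m limit --limit 500/s --limit-burst 2000 -j RETURN
"$IPT" -A syn_flood -j DROP
"$IPT" -A INPUT -p tcp --syn -j syn_flood

# ssh
"$IPT" -A INPUT -i "$IF_EXT" -p tcp --dport 22 -j ACCEPT
# DNS (resolver on this host, VPN clients only)
"$IPT" -A INPUT -i "$IF_VPN" -p udp --dport 53 -s "$VPN_NET" -j ACCEPT
# vpn
"$IPT" -A INPUT -i "$IF_VPN" -p icmp -s "$VPN_NET" -j ACCEPT
"$IPT" -A INPUT -i "$IF_EXT" -p tcp --dport "$VPN_PORT" -j ACCEPT
# IKE / NAT-T (IPsec), any interface
"$IPT" -A INPUT -p udp --dport 500 -j ACCEPT
"$IPT" -A INPUT -p udp --dport 4500 -j ACCEPT

# FORWARD chain
# #########################################
# VPN clients may open connections outward; replies come back in.
"$IPT" -A FORWARD -i "$IF_VPN" -o "$IF_EXT" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
"$IPT" -A FORWARD -i "$IF_EXT" -o "$IF_VPN" -m state --state ESTABLISHED,RELATED -j ACCEPT
# Client-to-client traffic within the VPN subnet.
"$IPT" -A FORWARD -s "$VPN_NET" -d "$VPN_NET" -j ACCEPT

# OUTPUT chain
# #########################################
"$IPT" -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT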