
IPTABLES settings on slackware linux server #2

Oct 25th, 2019
  1. # Delete all rules
  2. echo "Delete firewall rules..."
  3. iptables -F
  4. iptables -F  -t nat
  5. iptables -F  -t mangle
  6. iptables -X
  7. iptables -t nat -X
  8. iptables -t mangle -X
  9.  
  10. # Drop all traffic
  11. echo "Set main policy..."
  12. iptables -P INPUT DROP
  13. iptables -P OUTPUT DROP
  14. iptables -P FORWARD DROP
  15.  
  16. #prinimat' vse ustanovlennye vhodashie soedineniya
  17. echo "Accepts all established inbound connections..."
  18. iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  19.  
  20. #open VPN ports and GRE
  21. echo "Open VPN ports and GRE..."
  22. #to computer
  23. iptables -A INPUT  -p tcp --dport 1723 -j ACCEPT
  24. iptables -A OUTPUT -p tcp --sport 1723 -j ACCEPT
  25.  
  26. iptables -A INPUT -p gre -j ACCEPT
  27. iptables -A OUTPUT -p gre -j ACCEPT
  28.  
  29. #accept all traffic an lo interface
  30. echo "Accept all lo interface traffic..."
  31. iptables -A INPUT -i lo -j ACCEPT
  32. iptables -A OUTPUT -o lo -j ACCEPT
  33.  
  34. #open ports for VPN clients (to computer)
  35. # ssh (22 port)
  36. echo "Open 22 port (ssh) for VPN clients..."
  37. iptables -A INPUT  -s 172.16.1.0/24  -p tcp --dport 22 -j ACCEPT
  38. iptables -A OUTPUT -s 172.16.1.0/24  -p tcp --sport 22 -j ACCEPT
  39. # XDMCP
  40. echo "Open 177 port UDP (XDMCP) for VPN clients..."
  41. iptables -A INPUT  -s 172.16.1.0/24  -p udp --dport 177 -j ACCEPT
  42. iptables -A OUTPUT -s 172.16.1.0/24  -p udp --sport 177 -j ACCEPT
  43.  
  44. echo "Open 6000:6005 ports (Windows XDMCP) in both directions for VPN clients..."
  45. iptables -A INPUT  -s 172.16.1.0/24  -p tcp -m multiport --dports 6000:6005 -j ACCEPT
  46. iptables -A OUTPUT -s 172.16.1.0/24  -p tcp -m multiport --sports 6000:6005 -j ACCEPT
  47.  
  48. iptables -A INPUT  -s 172.16.1.0/24  -p tcp -m multiport --sports 6000:6005 -j ACCEPT
  49. iptables -A OUTPUT -s 172.16.1.0/24  -p tcp -m multiport --dports 6000:6005 -j ACCEPT
  50.  
  51. echo "Open DNS for VPN clients..."
  52. iptables -A INPUT  -s 172.16.1.0/24  -p udp --dport 53 -j ACCEPT
  53. iptables -A OUTPUT -s 172.16.1.0/24  -p udp --sport 53 -j ACCEPT
  54.  
  55. iptables -A INPUT  -s 172.16.1.0/24  -p tcp --dport 53 -j ACCEPT
  56. iptables -A OUTPUT -s 172.16.1.0/24  -p tcp --sport 53 -j ACCEPT
  57.  
  58.  
  59. #  Allow ICMP
  60. echo "Allow ICMP and ports for TRACEROUTE..."
  61. iptables -A INPUT  -p icmp -j ACCEPT
  62. iptables -A OUTPUT -p icmp -j ACCEPT
  63. #open ports from traceroute
  64. iptables -A OUTPUT -p udp -m multiport --dports 33434:33534 -j ACCEPT
  65.  
  66. #Open standart ports (from computer)
  67. echo "Open standart ports (DNS,WWW, email) from server"
  68. # 53-DNS,80 8080/tcp - WWW, 443/tcp - https, 110,443,25,587 - e-mail 873/tcp - rsync (for sbopkg)
  69. iptables -A OUTPUT -p udp -m multiport --dports 53,443 -j ACCEPT
  70. iptables -A OUTPUT -p tcp -m multiport --dports 53,80,8080,443,110,443,25,587,873 -j ACCEPT
  71.  
  72. #start VPN server
  73. echo "Starting PPTD VPN server..."
  74. pptpd &
  75.  
  76. echo "Final firewall settings for VPN clients..."
  77. #NAT for VPN clients
  78. iptables -t nat -A POSTROUTING -s 172.16.1.0/24 -j MASQUERADE
  79. #popravlaem pakety (bez etogo visnut nekotorye soedinenia)
  80. iptables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu