
IPTABLES settings on slackware linux server #2

tolikpunkoff Oct 25th, 2019 71 Never
  1. # Delete all rules
  2. echo "Delete firewall rules..."
  3. iptables -F
  4. iptables -F  -t nat
  5. iptables -F  -t mangle
  6. iptables -X
  7. iptables -t nat -X
  8. iptables -t mangle -X
  9.  
  10. # Drop all traffic
  11. echo "Set main policy..."
  12. iptables -P INPUT DROP
  13. iptables -P OUTPUT DROP
  14. iptables -P FORWARD DROP
  15.  
  16. #prinimat' vse ustanovlennye vhodashie soedineniya
  17. echo "Accepts all established inbound connections..."
  18. iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  19.  
  20. #open VPN ports and GRE
  21. echo "Open VPN ports and GRE..."
  22. #to computer
  23. iptables -A INPUT  -p tcp --dport 1723 -j ACCEPT
  24. iptables -A OUTPUT -p tcp --sport 1723 -j ACCEPT
  25.  
  26. iptables -A INPUT -p gre -j ACCEPT
  27. iptables -A OUTPUT -p gre -j ACCEPT
  28.  
  29. #accept all traffic an lo interface
  30. echo "Accept all lo interface traffic..."
  31. iptables -A INPUT -i lo -j ACCEPT
  32. iptables -A OUTPUT -o lo -j ACCEPT
  33.  
  34. #open ports for VPN clients (to computer)
  35. # ssh (22 port)
  36. echo "Open 22 port (ssh) for VPN clients..."
  37. iptables -A INPUT  -s 172.16.1.0/24  -p tcp --dport 22 -j ACCEPT
  38. iptables -A OUTPUT -s 172.16.1.0/24  -p tcp --sport 22 -j ACCEPT
  39. # XDMCP
  40. echo "Open 177 port UDP (XDMCP) for VPN clients..."
  41. iptables -A INPUT  -s 172.16.1.0/24  -p udp --dport 177 -j ACCEPT
  42. iptables -A OUTPUT -s 172.16.1.0/24  -p udp --sport 177 -j ACCEPT
  43.  
  44. echo "Open 6000:6005 ports (Windows XDMCP) in both directions for VPN clients..."
  45. iptables -A INPUT  -s 172.16.1.0/24  -p tcp -m multiport --dports 6000:6005 -j ACCEPT
  46. iptables -A OUTPUT -s 172.16.1.0/24  -p tcp -m multiport --sports 6000:6005 -j ACCEPT
  47.  
  48. iptables -A INPUT  -s 172.16.1.0/24  -p tcp -m multiport --sports 6000:6005 -j ACCEPT
  49. iptables -A OUTPUT -s 172.16.1.0/24  -p tcp -m multiport --dports 6000:6005 -j ACCEPT
  50.  
  51. echo "Open DNS for VPN clients..."
  52. iptables -A INPUT  -s 172.16.1.0/24  -p udp --dport 53 -j ACCEPT
  53. iptables -A OUTPUT -s 172.16.1.0/24  -p udp --sport 53 -j ACCEPT
  54.  
  55. iptables -A INPUT  -s 172.16.1.0/24  -p tcp --dport 53 -j ACCEPT
  56. iptables -A OUTPUT -s 172.16.1.0/24  -p tcp --sport 53 -j ACCEPT
  57.  
  58.  
  59. #  Allow ICMP
  60. echo "Allow ICMP and ports for TRACEROUTE..."
  61. iptables -A INPUT  -p icmp -j ACCEPT
  62. iptables -A OUTPUT -p icmp -j ACCEPT
  63. #open ports from traceroute
  64. iptables -A OUTPUT -p udp -m multiport --dports 33434:33534 -j ACCEPT
  65.  
  66. #Open standart ports (from computer)
  67. echo "Open standart ports (DNS,WWW, email) from server"
  68. # 53-DNS,80 8080/tcp - WWW, 443/tcp - https, 110,443,25,587 - e-mail 873/tcp - rsync (for sbopkg)
  69. iptables -A OUTPUT -p udp -m multiport --dports 53,443 -j ACCEPT
  70. iptables -A OUTPUT -p tcp -m multiport --dports 53,80,8080,443,110,443,25,587,873 -j ACCEPT
  71.  
  72. #start VPN server
  73. echo "Starting PPTD VPN server..."
  74. pptpd &
  75.  
  76. echo "Final firewall settings for VPN clients..."
  77. #NAT for VPN clients
  78. iptables -t nat -A POSTROUTING -s 172.16.1.0/24 -j MASQUERADE
  79. #popravlaem pakety (bez etogo visnut nekotorye soedinenia)
  80. iptables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu