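#!/bin/bash
# iptables firewall for a small office gateway: default-deny INPUT, a handful
# of published services, SNAT for the LAN and port forwards to internal hosts.
# Usage: firewall {start|stop|restart|reload|status}
#
# Every value below is pasted verbatim into iptables arguments, so keep them
# free of shell metacharacters. The xx.xxx.xxx.xxx placeholders must be
# replaced with the real public address before use; iptables refuses the
# placeholder as an unresolvable host and the affected rules are not loaded.
OUT="ppp0"                # outgoing interface facing the internet
OUTADDR="xx.xxx.xxx.xxx"  # address of the outgoing (public) interface
IN="eth0"                 # incoming interface facing the local network
INADDR="192.168.0.7"      # address of the incoming interface
NETWORK="192.168.0.0/16"  # address range of the local network
ANYWHERE="0.0.0.0/0"      # destination: any
PORTS="1024:65535"        # port range treated as local/ephemeral
MULTICAST="224.0.0.0/4"   # multicast; leave as is unless IPTV is used,
                          # in which case remove the MULTICAST rules
# Administrator addresses: full access to the server, every protocol and
# port, no restrictions. Whitespace-separated; the list is word-split by the
# start branch. Duplicate entries (192.168.0.26, 192.168.0.17) were removed —
# each one produced a second identical INPUT rule.
ADMINS="10.100.100.2 192.168.0.151 192.168.0.187 192.168.0.62 192.168.0.78
192.168.0.162 192.168.0.26 192.168.0.155 192.168.0.116 192.168.0.19
192.168.0.5 192.168.0.144 192.168.0.25 192.168.0.14 192.168.0.17
192.168.0.24 192.168.0.153 192.168.0.22 192.168.0.15 192.168.0.11
192.168.0.9 192.168.0.10 192.168.0.8"
##############################################################################################
# Start/stop/status handling follows; better not to touch it =)
# Stopping the script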
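#######################################
# Load the first kernel module in the argument list that modprobe accepts.
# Newer kernels name the conntrack/NAT helpers nf_*, older ones ip_*; the
# caller passes both spellings so the script works on either.
# Arguments: candidate module names, preferred first
# Returns:   0 if one loaded, 1 (with a warning on stderr) if none did
#######################################
load_module() {
  local name
  for name in "$@"; do
    if modprobe "$name" 2>/dev/null; then
      return 0
    fi
  done
  printf 'warning: could not load any of: %s\n' "$*" >&2
  return 1
}

case "$1" in
  stop)
    # Flush every rule and user chain, then open the default policies so the
    # host stays reachable. Until "start" runs again everything is accepted.
    echo "Shutting down firewall..."
    iptables --flush
    iptables --delete-chain
    iptables --table nat --flush
    iptables --table filter --flush
    iptables --table nat --delete-chain
    iptables --table filter --delete-chain
    iptables -t filter -P INPUT ACCEPT
    iptables -t filter -P OUTPUT ACCEPT
    iptables -t filter -P FORWARD ACCEPT
    echo "...done"
    ;;
  status)
    echo $"Table: filter"
    iptables --list
    echo $"Table: nat"
    iptables -t nat --list
    ;;
  restart|reload)
    # Re-invokes this script twice; there is a short accept-all window between.
    "$0" stop
    "$0" start
    ;;
  ##############################################################################################
  # Starting the script
  start)
    echo "Starting Firewall..."
    echo ""
    # Clear all tables and chains
    iptables --flush
    iptables --delete-chain
    iptables --table nat --flush
    iptables --table filter --flush
    iptables --table nat --delete-chain
    iptables --table filter --delete-chain
    # Global policies: nothing reaches the host unless a rule below allows it;
    # traffic originating here and forwarded traffic is allowed by default.
    # INPUT is closed before any ACCEPT rule exists, so a remote session is
    # cut off if the script aborts between here and the admin rules.
    iptables -P INPUT DROP
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD ACCEPT
    iptables -F INPUT
    iptables -F OUTPUT
    iptables -F FORWARD
    # Connection-tracking helpers so VPN (PPTP/GRE), active FTP and IRC DCC
    # work through NAT.
    load_module nf_conntrack ip_conntrack
    modprobe ip_gre
    load_module nf_nat_ftp ip_nat_ftp
    load_module nf_nat_pptp ip_nat_pptp
    load_module nf_conntrack_ftp ip_conntrack_ftp
    load_module nf_conntrack_irc ip_conntrack_irc
    # Enable IPv4 forwarding
    echo 1 > /proc/sys/net/ipv4/ip_forward
    # Rewrite local sockets when a dynamic (dial-up/PPP) address changes
    echo 1 > /proc/sys/net/ipv4/ip_dynaddr
    #iptables -I FORWARD 1 -s 192.168.0.0/16 -d 10.100.100.0/24
    #iptables -I FORWARD 1 -d 192.168.0.0/16 -s 10.100.100.0/24
    #iptables -t nat -I POSTROUTING -s 192.168.0.0/16 -d 10.100.100.0/24 -j ACCEPT
    #iptables -t nat -I POSTROUTING -d 192.168.0.0/16 -s 10.100.100.0/24 -j ACCEPT
    # Anti-spoofing: LAN addresses and loopback never legitimately arrive on
    # the internet-facing interface. This must precede the admin rules, which
    # accept everything from a LAN source address regardless of interface.
    iptables -A INPUT -i "$OUT" -s "$NETWORK" -j DROP
    iptables -A INPUT ! -i lo -s 127.0.0.0/8 -j DROP
    # Admins - full control (even dangerous): all protocols, all ports
    for admin_ip in $ADMINS; do
      iptables -A INPUT -s "$admin_ip" -m state --state NEW -j ACCEPT
    done
    ##############################################################################################
    # Silently Drop Stealth Scans
    # All of the bits are cleared
    iptables -A INPUT -p icmp --icmp-type timestamp-request -j DROP
    iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
    # SYN and FIN are both set
    iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
    # SYN and RST are both set
    iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
    # FIN and RST are both set
    iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
    # FIN is the only bit set, without the expected accompanying ACK
    iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
    # PSH is the only bit set, without the expected accompanying ACK
    iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
    # URG is the only bit set, without the expected accompanying ACK
    iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP
    ##############################################################################################
    # Multicast - ignore
    iptables -A INPUT -s "$MULTICAST" -j DROP
    iptables -A INPUT -d "$MULTICAST" -j DROP
    # any established or related conns are welcome
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Loopback
    iptables -A INPUT -i lo -j ACCEPT
    # Ping tests from the LAN, eth2 and both PPP links. (The original wrapped
    # these in a loop over $NETWORK whose variable was never used; $NETWORK is
    # a single value, so the rules ran exactly once.)
    iptables -A INPUT -p icmp -i "$IN" --icmp-type echo-request -j ACCEPT
    iptables -A INPUT -p icmp -i eth2 --icmp-type echo-request -j ACCEPT
    iptables -A INPUT -p icmp -i "$OUT" --icmp-type echo-request -j ACCEPT
    iptables -A INPUT -p icmp -i ppp1 --icmp-type echo-request -j ACCEPT
    # The two rules below used "-p 139", which matches IP protocol number 139,
    # not TCP port 139 (SMB), so they accepted nothing useful. Disabled rather
    # than rewritten: opening SMB on the PPP links needs a deliberate decision.
    #iptables -A INPUT -p 139 -i ppp1 -j ACCEPT
    #iptables -A INPUT -p 139 -i ppp0 -j ACCEPT
    ############ Open the ports we need.
    #OpenVPN
    #iptables -A INPUT -p udp --dport 1194 -j ACCEPT
    #iptables -A INPUT -i tap0 -j ACCEPT
    #iptables -A INPUT -i eth2 -j ACCEPT
    #Samba (LAN only)
    iptables -A INPUT -p tcp -i "$IN" -m multiport --dport 139,445 -j ACCEPT
    iptables -A INPUT -p udp -i "$IN" -m multiport --dport 137,138 -j ACCEPT
    # APT-Proxy
    #iptables -A INPUT -p tcp -i $IN --dport 9999 -j ACCEPT
    #SNMP port (LAN only)
    iptables -A INPUT -p udp -i "$IN" --dport 161 -j ACCEPT
    #SNTP time port
    iptables -A INPUT -p udp -i "$IN" --dport 123 -j ACCEPT
    # HTTP, HTTPS and Webmin (10000): LAN, plus one external address
    iptables -A INPUT -p tcp -i "$IN" -m multiport --dport 80,443,10000 -j ACCEPT
    iptables -A INPUT -p tcp --source 62.122.207.154 -i "$OUT" -m multiport --dport 80,443,10000 -j ACCEPT
    #Mail (published on the internet-facing interface)
    iptables -A INPUT -p tcp -i "$OUT" -m multiport --dport 465,995,587,143,993,110 -j ACCEPT
    #RDP 1C server
    #iptables -A INPUT -p tcp --source 62.122.207.96 -i $OUT --dport 3389 -j ACCEPT
    #iptables -A INPUT -p tcp --source 62.122.207.96 -i $OUT --dport 3389 -j ACCEPT
    #DVR Hirop
    #iptables -A INPUT -p tcp -i $OUT --dport 6036 -j ACCEPT
    # FTP — no -i, so control and passive-data ports are open on every
    # interface including $OUT; add -i "$IN" if FTP is only for the LAN.
    iptables -A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT
    # PASSIVE FTP. FTP data is TCP only; the UDP range below serves no FTP
    # purpose and should be removed unless another service listens there.
    iptables -t filter -A INPUT -p tcp -m tcp --dport 50000:50500 -m state --state NEW -j ACCEPT
    iptables -t filter -A INPUT -p udp -m udp --dport 50000:50500 -m state --state NEW -j ACCEPT
    #SQUID: 3128 is explicitly refused, 8080 is the published proxy port
    iptables -A INPUT -p tcp -i "$IN" --dport 3128 -j DROP
    iptables -A INPUT -p tcp -i "$IN" --dport 8080 -j ACCEPT
    #SSH on a non-standard port, reachable from every interface
    iptables -A INPUT -p tcp --dport 40781 -j ACCEPT
    #iptables -A INPUT -p tcp --dport 1022 -j ACCEPT
    #pptp: GRE plus TCP/1723. A single interface-less rule covers what the
    # original expressed as three (per-$IN, per-$OUT and unrestricted).
    iptables -A INPUT -p gre -j ACCEPT
    iptables -A INPUT -m tcp -p tcp --dport 1723 -j ACCEPT
    #NeoRouter 29.11:16.05
    #iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 32976 -j ACCEPT
    #iptables -A INPUT -m state --state NEW -m udp -p udp --dport 32976 -j ACCEPT
    #MAIL
    #iptables -A INPUT -p tcp -i $IN -m multiport --dport 25,110,143,465,995,993 -j ACCEPT
    #dns (LAN only)
    iptables -A INPUT -p udp -i "$IN" --dport 53 -j ACCEPT
    #Neorouter 29.11:16.05
    #iptables -A INPUT -p tcp -i $IN --dport 32976 -j ACCEPT
    #iptables -A INPUT -p udp -i $IN --dport 32976 -j ACCEPT
    #Miska merezha 29.11:16.05 — every TCP port is open to eth2
    iptables -A INPUT -p tcp -i eth2 -j ACCEPT
    ########### OUTPUT
    iptables -A OUTPUT -p icmp --icmp-type timestamp-reply -j DROP
    #############
    ########### NAT: list the addresses of your LAN computers here.
    # The next line was missing its "iptables -t nat -A" prefix and only ever
    # produced a "command not found" error; kept commented for reference.
    #POSTROUTING -s 192.168.0.0/23 -o $OUT -j SNAT --to-source 62.122.207.107 #
    iptables -t nat -A POSTROUTING -s 192.168.0.3 -o "$OUT" -j SNAT --to-source xx.xxx.xxx.xxx ###fond
    iptables -t nat -A POSTROUTING -s 192.168.0.5 -o "$OUT" -j SNAT --to-source xx.xxx.xxx.xxx ###fuji
    iptables -t nat -A POSTROUTING -s 192.168.0.6 -o "$OUT" -j SNAT --to-source xx.xxx.xxx.xxx ###megatron
    iptables -t nat -A POSTROUTING -s 192.168.0.8 -o "$OUT" -j SNAT --to-source xx.xxx.xxx.xxx ###backup
    iptables -t nat -A POSTROUTING -s 192.168.0.29 -o "$OUT" -j SNAT --to-source xx.xxx.xxx.xxx ###SEP_server
    iptables -t nat -A POSTROUTING -s 192.168.0.201 -o "$OUT" -j SNAT --to-source xx.xxx.xxx.xxx #DVR_pidval_to_send_e-mail
    iptables -t nat -A POSTROUTING -s 192.168.0.202 -o "$OUT" -j SNAT --to-source xx.xxx.xxx.xxx #DVR_HIKVISION_to_send_e-mail
    iptables -t nat -A POSTROUTING -s 192.168.1.5 -o "$OUT" -j SNAT --to-source xx.xxx.xxx.xxx ###VirtualM_SCCM
    iptables -t nat -A POSTROUTING -s 192.168.1.7 -o "$OUT" -j SNAT --to-source xx.xxx.xxx.xxx ###ubuntu_pppoe__server
    iptables -t nat -A POSTROUTING -s 192.168.1.8 -o "$OUT" -j SNAT --to-source xx.xxx.xxx.xxx ###Gallileo
    iptables -t nat -A POSTROUTING -s 192.168.1.54 -o "$OUT" -j SNAT --to-source xx.xxx.xxx.xxx ###mail
    iptables -t nat -A POSTROUTING -s 192.168.0.86 -o "$OUT" -j SNAT --to-source xx.xxx.xxx.xxx # temp
    ######## VPN #########
    iptables -t nat -A POSTROUTING -s 192.168.244.2 -o "$OUT" -j SNAT --to-source xx.xxx.xxx.xxx #admin
    iptables -t nat -A POSTROUTING -s 192.168.244.3 -o "$OUT" -j SNAT --to-source xx.xxx.xxx.xxx #GL
    iptables -t nat -A POSTROUTING -s 192.168.244.4 -o "$OUT" -j SNAT --to-source xx.xxx.xxx.xxx #golovbuh
    #iptables -t nat -A POSTROUTING -s 192.168.244.5 -o $OUT -j SNAT --to-source xx.xxx.xxx.xxx #DC
    #iptables -t nat -A POSTROUTING -s 192.168.244.6 -o $OUT -j SNAT --to-source xx.xxx.xxx.xxx #DC
    #iptables -t nat -A POSTROUTING -s 192.168.244.7 -o $OUT -j SNAT --to-source xx.xxx.xxx.xxx #DC
    iptables -t nat -A POSTROUTING -s 192.168.244.8 -o "$OUT" -j SNAT --to-source xx.xxx.xxx.xxx #baklab
    #iptables -t nat -A POSTROUTING -s 192.168.244.9 -o $OUT -j SNAT --to-source xx.xxx.xxx.xxx #DC
    ######
    ########## NTP
    iptables -t nat -A POSTROUTING -p udp --dport 123 -s 192.168.0.0/16 -o "$OUT" -j SNAT --to-source xx.xxx.xxx.xxx #NTP time
    ####### NAT for MAIL
    iptables -t nat -A POSTROUTING -p tcp --dport 143 -s 192.168.0.0/16 -o "$OUT" -j SNAT --to-source xx.xxx.xxx.xxx #fetch mail via IMAP
    iptables -t nat -A POSTROUTING -p tcp --dport 993 -s 192.168.0.0/16 -o "$OUT" -j SNAT --to-source xx.xxx.xxx.xxx #fetch mail via sIMAP
    iptables -t nat -A POSTROUTING -p tcp --dport 25 -s 192.168.1.54 -o "$OUT" -j SNAT --to-source xx.xxx.xxx.xxx
    iptables -t nat -A POSTROUTING -p tcp --dport 110 -s 192.168.0.0/16 -o "$OUT" -j SNAT --to-source xx.xxx.xxx.xxx
    iptables -t nat -A POSTROUTING -p tcp --dport 465 -s 192.168.1.54 -o "$OUT" -j SNAT --to-source xx.xxx.xxx.xxx
    iptables -t nat -A POSTROUTING -p tcp --dport 587 -s 192.168.0.0/16 -o "$OUT" -j SNAT --to-source xx.xxx.xxx.xxx
    iptables -t nat -A POSTROUTING -p tcp --dport 995 -s 192.168.0.0/16 -o "$OUT" -j SNAT --to-source xx.xxx.xxx.xxx
    #####NAT Reestraciya polskih anket
    #iptables -t nat -A POSTROUTING -p tcp --dport 2555 -s 192.168.0.0/16 -o $OUT -j SNAT --to-source xx.xxx.xxx.xxx
    #iptables -t nat -A POSTROUTING -p tcp --dport 443 -s 192.168.0.0/16 -o $OUT -j SNAT --to-source xx.xxx.xxx.xxx
    #########NAT RDP
    iptables -t nat -A POSTROUTING -p tcp --dport 3389 -s 192.168.0.0/16 -o "$OUT" -j SNAT --to-source xx.xxx.xxx.xxx
    ##########UTM IPtv & Radio
    iptables -t nat -A POSTROUTING -p tcp -m multiport --dport 9001:9024 -s 192.168.0.0/16 -o "$OUT" -j SNAT --to-source xx.xxx.xxx.xxx
    iptables -t nat -A POSTROUTING -p tcp -m multiport --dport 8001:8102 -s 192.168.0.0/16 -o "$OUT" -j SNAT --to-source xx.xxx.xxx.xxx
    ######## PPTP ##########
    iptables -t nat -A POSTROUTING -p tcp --dport 1723 -s 192.168.0.0/16 -o "$OUT" -j SNAT --to-source xx.xxx.xxx.xxx
    ############ PORT FORWARD: port forwards into the local network go here.
    # Each DNAT relies on the FORWARD policy being ACCEPT (set above); there is
    # no per-forward FORWARD rule except the one for 7681 below.
    #NOD Update Mirror na sergiy
    iptables -t nat -A PREROUTING -p tcp -d "$OUTADDR" --dport 2221 -j DNAT --to-destination 192.168.0.8:2221
    #NeoRouter 29.11:16.05
    #iptables -t nat -A PREROUTING -p tcp -d $OUTADDR --dport 32976 -j DNAT --to-destination 192.168.0.8:32976
    #iptables -t nat -A PREROUTING -p udp -d $OUTADDR --dport 32976 -j DNAT --to-destination 192.168.0.8:32976
    #BTSync on backup
    iptables -t nat -A PREROUTING -p tcp -d "$OUTADDR" --dport 17068 -j DNAT --to-destination 192.168.0.8:17068
    #temporary NAT for the VPN to tomography
    #iptables -t nat -A PREROUTING -p tcp -d $OUTADDR --dport 1723 -j DNAT --to-destination 192.168.0.14:1723
    #NAT for the mail server
    iptables -t nat -A PREROUTING -p tcp -d "$OUTADDR" --dport 465 -j DNAT --to-destination 192.168.1.54:465
    iptables -t nat -A PREROUTING -p tcp -d "$OUTADDR" --dport 995 -j DNAT --to-destination 192.168.1.54:995
    iptables -t nat -A PREROUTING -p tcp -d "$OUTADDR" --dport 587 -j DNAT --to-destination 192.168.1.54:587
    iptables -t nat -A PREROUTING -p tcp -d "$OUTADDR" --dport 143 -j DNAT --to-destination 192.168.1.54:143
    iptables -t nat -A PREROUTING -p tcp -d "$OUTADDR" --dport 993 -j DNAT --to-destination 192.168.1.54:993
    iptables -t nat -A PREROUTING -p tcp -d "$OUTADDR" --dport 25 -j DNAT --to-destination 192.168.1.54:25
    iptables -t nat -A PREROUTING -p tcp -d "$OUTADDR" --dport 110 -j DNAT --to-destination 192.168.1.54:110
    #torrent na Sergiy 29.11:16.05 (the FORWARD rule is redundant while the
    # FORWARD policy is ACCEPT, but harmless)
    iptables -t filter -A FORWARD -i "$OUT" -d 192.168.0.8 -p tcp --dport 7681 -j ACCEPT
    iptables -t nat -A PREROUTING -p tcp -d "$OUTADDR" --dport 7681 -j DNAT --to-destination 192.168.0.8:7681
    # Cam Administracia Lift
    iptables -t nat -A PREROUTING -p tcp -d "$OUTADDR" --dport 11401 -j DNAT --to-destination 192.168.0.224:11401
    # Cam Administracia
    iptables -t nat -A PREROUTING -p tcp -d "$OUTADDR" --dport 11410 -j DNAT --to-destination 192.168.0.231:11410
    # Cam Pryjmalne
    iptables -t nat -A PREROUTING -p tcp -d "$OUTADDR" --dport 11402 -j DNAT --to-destination 192.168.0.222:11402
    # Cam Sekretar
    iptables -t nat -A PREROUTING -p tcp -d "$OUTADDR" --dport 11403 -j DNAT --to-destination 192.168.0.223:11403
    #DVR Hirop
    #iptables -t nat -A PREROUTING -p tcp -d $OUTADDR --dport 80 -j DNAT --to-destination 192.168.1.37
    #iptables -t nat -A PREROUTING -p tcp -d $OUTADDR --dport 6036 -j DNAT --to-destination 192.168.1.37:6036
    #iptables -t nat -A PREROUTING -p tcp -d $OUTADDR --dport 50 -j DNAT --to-destination 192.168.0.14:50
    #iptables -t nat -A PREROUTING -p udp -d $OUTADDR --dport 500 -j DNAT --to-destination 192.168.0.14:500
    #iptables -t nat -A PREROUTING -p udp -d $OUTADDR --dport 4500 -j DNAT --to-destination 192.168.0.14:4500
    #iptables -t nat -A PREROUTING -p udp -d $OUTADDR --dport 1194 -j DNAT --to-destination 192.168.0.14:1194
    #iptables -t nat -A PREROUTING -p tcp -d $OUTADDR --dport 1194 -j DNAT --to-destination 192.168.0.14:1194
    #Mantikor
    #iptables -t nat -A POSTROUTING -p tcp --dport 3391 -s 192.168.0.0/16 -o $OUT -j SNAT --to-source xx.xxx.xxx.xxx
    # OpenMeetings
    #iptables -t nat -A PREROUTING -p tcp -d $OUTADDR --dport 1935 -j DNAT --to-destination 192.168.0.144:1935
    #iptables -t nat -A PREROUTING -p tcp -d $OUTADDR --dport 5080 -j DNAT --to-destination 192.168.0.144:5080
    #iptables -t nat -A PREROUTING -p tcp -d $OUTADDR --dport 8088 -j DNAT --to-destination 192.168.0.144:8088
    echo "...done"
    echo "--> IPTABLES firewall loaded/activated <--"
    ##--------------------------------End Firewall---------------------------------##
    ;;
  *)
    # The original usage text advertised EXTIF/INTIF arguments that the script
    # never reads; interfaces are configured at the top of the file.
    echo "Usage: firewall (start|stop|restart|reload|status)" >&2
    exit 1
    ;;
esac
exit 0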