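#!/bin/bash
#
# Stateful iptables firewall + NAT gateway setup.
#
# Topology assumed by the rules below (edit only the configuration section):
#   INTIF   - internal (LAN) interface, attached to network INTNET
#   EXTIF   - external (Internet-facing) interface with static address EXTIP
#   WINSERV - LAN host that receives port-forwarded RDP (3389)
#
# Must run as root. The default policies are switched to DROP *before* the
# rules are loaded, so if rule loading aborts part-way the gateway fails
# closed (no traffic passes) rather than open.

set -u

printf '\n\nSETTING UP IPTABLES FIREWALL...\n'

##### Configuration #####
# Designation of the internal interface
readonly INTIF="eth1"
# NETWORK address the internal interface is on
readonly INTNET="192.168.1.0/24"
# Address of the internal interface.
# NOTE(review): this carries a /24 mask, so as a "-s" match it covers the
# whole LAN rather than the single interface address the name suggests.
readonly INTIP="192.168.1.129/24"
# Designation of the external interface
readonly EXTIF="eth2"
# Static IP address of the external interface
readonly EXTIP="192.168.0.129"
#### Static addresses of hosts on the LAN ####
readonly WINSERV="192.168.1.10"
# Shorthand for "any address"
readonly UNIVERSE="0.0.0.0/0"
# -------- No more variable setting beyond this point --------

#######################################
# Print an error to stderr and exit non-zero.
# Arguments: message words
#######################################
die() {
  printf 'firewall: %s\n' "$*" >&2
  exit 1
}

#######################################
# Run one iptables command and abort the script if it fails, so a mistyped
# rule is noticed instead of silently leaving a hole or a gap.
# Arguments: iptables arguments
#######################################
ipt() {
  iptables "$@" || die "rule failed: iptables $*"
}

#######################################
# Load the connection-tracking / NAT kernel modules.
# A modprobe failure is only a warning: the original script ignored these
# failures too, and on kernels where the functionality is built in or the
# module carries a different name there is nothing to load.
#######################################
load_modules() {
  local mod
  echo "Loading required stateful/NAT kernel modules..."
  /sbin/depmod -a
  for mod in ip_tables ip_conntrack ip_conntrack_ftp ip_conntrack_irc \
             iptable_nat ip_nat_ftp ip_nat_irc; do
    /sbin/modprobe "$mod" \
      || printf 'warning: could not load kernel module %s\n' "$mod" >&2
  done
}

#######################################
# Turn on IPv4 forwarding (required for the FORWARD/NAT rules to do anything).
#######################################
enable_forwarding() {
  echo " Enabling IP forwarding..."
  printf '1\n' > /proc/sys/net/ipv4/ip_forward || die "cannot enable ip_forward"
  printf '1\n' > /proc/sys/net/ipv4/ip_dynaddr || die "cannot enable ip_dynaddr"
}

#######################################
# Clear all existing rules, set DROP policies and recreate the logging chain.
#######################################
reset_tables() {
  # Fail closed: policies go to DROP before anything is flushed.
  ipt -P INPUT DROP
  ipt -F INPUT
  ipt -P OUTPUT DROP
  ipt -F OUTPUT
  ipt -P FORWARD DROP
  ipt -F FORWARD
  ipt -F -t nat

  # Flush the user chain if it exists; "-X" below only deletes empty chains.
  if iptables -n -L drop-and-log-it >/dev/null 2>&1; then
    ipt -F drop-and-log-it
  fi
  # Delete all user-specified chains and reset the counters
  ipt -X
  ipt -Z

  # Logging DROP chain. The LOG target is rate-limited so that a flood of
  # rejected packets cannot fill the system log.
  ipt -N drop-and-log-it
  ipt -A drop-and-log-it -m limit --limit 5/min --limit-burst 10 \
    -j LOG --log-level info
  ipt -A drop-and-log-it -j REJECT
}

#######################################
# INPUT chain: traffic addressed to the gateway itself.
#######################################
input_rules() {
  printf ' - Loading INPUT rulesets\n'
  # loopback interface is valid
  ipt -A INPUT -i lo -s "$UNIVERSE" -d "$UNIVERSE" -j ACCEPT
  # local interface, local machines, going anywhere is valid
  ipt -A INPUT -i "$INTIF" -s "$INTNET" -d "$UNIVERSE" -j ACCEPT
  # remote interface claiming to be local machines: IP spoofing, get lost
  ipt -A INPUT -i "$EXTIF" -s "$INTNET" -d "$UNIVERSE" -j drop-and-log-it
  # The original rule set accepted *every* inbound packet from the outside
  # to EXTIP at this point ("-i EXTIF -s UNIVERSE -d EXTIP -j ACCEPT"),
  # which made the stateful rule and the SSH rule below meaningless and
  # exposed every listening service on the gateway. Now only replies to
  # connections the gateway opened are accepted; new inbound connections
  # need an explicit rule such as the SSH one.
  ipt -A INPUT -i "$EXTIF" -s "$UNIVERSE" -d "$EXTIP" \
    -m state --state ESTABLISHED,RELATED -j ACCEPT

  printf ' - Allowing EXTERNAL access to the SSH server\n'
  ipt -A INPUT -i "$EXTIF" -m state --state NEW,ESTABLISHED,RELATED \
    -p tcp -s "$UNIVERSE" -d "$EXTIP" --dport 2222 -j ACCEPT
  # Catch all: everything else incoming is denied and logged.
  ipt -A INPUT -s "$UNIVERSE" -d "$UNIVERSE" -j drop-and-log-it
}

#######################################
# OUTPUT chain: traffic originating from the gateway itself.
#######################################
output_rules() {
  printf ' - Loading OUTPUT rulesets\n'
  # loopback interface is valid
  ipt -A OUTPUT -o lo -s "$UNIVERSE" -d "$UNIVERSE" -j ACCEPT
  # local interface, external address going to the local net is valid
  ipt -A OUTPUT -o "$INTIF" -s "$EXTIP" -d "$INTNET" -j ACCEPT
  # local interface, internal address going to the local net is valid
  ipt -A OUTPUT -o "$INTIF" -s "$INTIP" -d "$INTNET" -j ACCEPT
  # outgoing to the local net on the remote interface: stuffed routing, deny
  ipt -A OUTPUT -o "$EXTIF" -s "$UNIVERSE" -d "$INTNET" -j drop-and-log-it
  # anything else outgoing on the remote interface is valid
  ipt -A OUTPUT -o "$EXTIF" -s "$EXTIP" -d "$UNIVERSE" -j ACCEPT
  # Catch all: everything else outgoing is denied and logged.
  ipt -A OUTPUT -s "$UNIVERSE" -d "$UNIVERSE" -j drop-and-log-it
}

#######################################
# FORWARD chain: traffic routed between the LAN and the outside.
#######################################
forward_rules() {
  printf ' - Loading FORWARD rulesets\n'
  # replies to connections initiated from the LAN
  ipt -A FORWARD -i "$EXTIF" -o "$INTIF" \
    -m state --state ESTABLISHED,RELATED -j ACCEPT
  # the LAN may initiate anything towards the outside
  ipt -A FORWARD -i "$INTIF" -o "$EXTIF" -j ACCEPT
  # Port-forwarded RDP to the Windows server (DNAT is set up in nat_rules).
  # NOTE(review): this accepts tcp only, so the udp/3389 DNAT in nat_rules
  # ends up in the catch-all below; add a udp rule here or drop that DNAT.
  ipt -A FORWARD -i "$EXTIF" -o "$INTIF" -d "$WINSERV" -p tcp --dport 3389 -j ACCEPT
  # Catch all: everything else forwarded is denied and logged.
  ipt -A FORWARD -j drop-and-log-it
}

#######################################
# nat table: source NAT for the LAN and the inbound RDP port forward.
#######################################
nat_rules() {
  # SNAT everything leaving EXTIF to the static external address
  ipt -t nat -A POSTROUTING -o "$EXTIF" -j SNAT --to "$EXTIP"
  # DNAT inbound 3389 to the Windows server. Exposing RDP to any source is
  # high risk; restrict "-s" to the address ranges that need it if possible.
  ipt -t nat -A PREROUTING -i "$EXTIF" -d "$EXTIP" -p tcp --dport 3389 \
    -j DNAT --to "$WINSERV"
  ipt -t nat -A PREROUTING -i "$EXTIF" -d "$EXTIP" -p udp --dport 3389 \
    -j DNAT --to "$WINSERV"
}

#######################################
# Entry point: load modules, enable forwarding, then install all rules.
#######################################
main() {
  (( EUID == 0 )) || die "must be run as root"
  load_modules
  enable_forwarding
  echo " External interface: $EXTIF"
  echo " External interface IP address is: $EXTIP"
  echo " Loading firewall server rules..."
  reset_tables
  input_rules
  output_rules
  forward_rules
  nat_rules
  printf ' Firewall server rule loading complete\n\n\n'
}

main "$@"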