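#!/bin/bash
#
# Stateful packet filter + NAT gateway for a host with two interfaces:
#
#   LAN ($INTNET) -- $INTIF [this host] $EXTIF -- upstream network
#
# What it configures (IPv4 / iptables only):
#   * default policy DROP on INPUT, OUTPUT and FORWARD
#   * LAN hosts may reach the gateway and anything beyond it (SNAT to $EXTIP)
#   * from outside, only SSH on tcp/2222 to the gateway itself and RDP
#     (tcp+udp/3389) port-forwarded to $WINSERV are accepted
#   * everything else is logged (rate-limited) and rejected
#
# Must be run as root. Deliberately NOT "set -e": a failure half-way through
# would abort with the chains already set to DROP; instead every iptables call
# is checked and a summary is reported at the end.
#
# NOTE: this script does not touch ip6tables. If the box has IPv6
# connectivity, the IPv6 side keeps whatever policy it already has.

set -u
# Fixed PATH so a writable directory earlier in the caller's PATH cannot
# supply a fake iptables/modprobe to a root script.
PATH=/sbin:/usr/sbin:/bin:/usr/bin
export PATH

if [[ $EUID -ne 0 ]]; then
  printf 'This script must be run as root.\n' >&2
  exit 1
fi

echo -e "\n\nSETTING UP IPTABLES FIREWALL..."

# ---------------------------------------------------------------------------
# Site configuration
# ---------------------------------------------------------------------------
# Internal (LAN) interface and the network behind it.
INTIF="eth1"
INTNET="192.168.1.0/24"
# This host's address on the LAN. Host address only: with a "/24" suffix
# iptables masks it to the network address, which would turn the OUTPUT rule
# below into "any LAN source".
INTIP="192.168.1.129"
# External interface and this host's address on it.
EXTIF="eth2"
EXTIP="192.168.0.129"
# Static addresses on the LAN.
WINSERV="192.168.1.10"
# Source addresses allowed to reach RDP on $WINSERV from outside.
# 0.0.0.0/0 exposes RDP to the whole Internet; restrict this to the
# address or range that actually needs it (e.g. "203.0.113.0/24").
RDPSRC="0.0.0.0/0"
# -------- No more variable setting beyond this point --------

errors=0

# Run iptables and count failures instead of ignoring them silently.
# Arguments are passed through unchanged.
ipt() {
  if ! iptables "$@"; then
    printf 'ERROR: iptables %s\n' "$*" >&2
    errors=$((errors + 1))
  fi
}

# Load the first of the given kernel modules that can be loaded. Old kernels
# name the conntrack/NAT modules ip_*; newer ones nf_*. A miss is only a
# warning because the functionality may be built into the kernel.
load_module() {
  local m
  for m in "$@"; do
    if modprobe "$m" 2>/dev/null; then
      return 0
    fi
  done
  printf 'WARNING: could not load any of: %s (built-in?)\n' "$*" >&2
  return 1
}

echo "Loading required stateful/NAT kernel modules..."
depmod -a
load_module ip_tables
load_module nf_conntrack ip_conntrack
load_module iptable_nat
# Protocol helpers parse payloads to track FTP/IRC data connections. Only
# needed if LAN clients use active FTP / DCC. On recent kernels (4.7+)
# helpers are no longer auto-assigned to flows and need an explicit
# "-t raw ... -j CT --helper ftp" rule to take effect.
load_module nf_conntrack_ftp ip_conntrack_ftp
load_module nf_nat_ftp ip_nat_ftp
load_module nf_conntrack_irc ip_conntrack_irc
load_module nf_nat_irc ip_nat_irc

echo " Enabling IP forwarding..."
echo "1" > /proc/sys/net/ipv4/ip_forward || printf 'WARNING: could not enable ip_forward\n' >&2
# ip_dynaddr handles a changing address on $EXTIF (dial-up/DHCP). Note that
# the SNAT rule below hard-codes $EXTIP; if the address really changes, use
# -j MASQUERADE there instead.
echo "1" > /proc/sys/net/ipv4/ip_dynaddr || printf 'WARNING: could not set ip_dynaddr\n' >&2
echo " External interface: $EXTIF"
echo " External interface IP address is: $EXTIP"
echo " Loading firewall server rules..."

# ---------------------------------------------------------------------------
# Reset. Policies go to DROP *before* flushing so nothing slips through while
# the rules are being rebuilt.
# ---------------------------------------------------------------------------
for chain in INPUT OUTPUT FORWARD; do
  ipt -P "$chain" DROP
  ipt -F "$chain"
done
ipt -t nat -F
# The built-in chains are now empty, so the logging chain is unreferenced;
# flush it (it does not exist on the first run, hence no error check) so that
# -X can delete it along with any other user chain.
iptables -F drop-and-log-it 2>/dev/null
ipt -X
ipt -t nat -X
ipt -Z

# Logging chain. Rate-limited so that a flood of unwanted packets cannot fill
# the logs. Despite its name the chain REJECTs, i.e. the sender gets a
# RST/ICMP error; change the last target to DROP for a gateway that should
# not answer scanners at all.
ipt -N drop-and-log-it
ipt -A drop-and-log-it -m limit --limit 5/min --limit-burst 10 \
  -j LOG --log-level info --log-prefix "fw-drop: "
ipt -A drop-and-log-it -j REJECT

echo -e " - Loading INPUT rulesets"
# Loopback is always fine.
ipt -A INPUT -i lo -j ACCEPT
# Anything from the LAN, arriving on the LAN interface.
ipt -A INPUT -i "$INTIF" -s "$INTNET" -j ACCEPT
# LAN addresses arriving on the external interface are spoofed.
ipt -A INPUT -i "$EXTIF" -s "$INTNET" -j drop-and-log-it
# Replies to connections this host opened, plus related traffic (ICMP
# errors, helper-tracked data connections).
ipt -A INPUT -i "$EXTIF" -d "$EXTIP" -m state --state ESTABLISHED,RELATED -j ACCEPT
# The only service reachable from outside: SSH on a non-default port.
# (A non-default port cuts log noise; it is not a security control.)
echo -e " - Allowing EXTERNAL access to the SSH server"
ipt -A INPUT -i "$EXTIF" -p tcp -d "$EXTIP" --dport 2222 -m state --state NEW -j ACCEPT
# Everything else addressed to this host is logged and rejected. There is
# deliberately no blanket "accept anything to $EXTIP" rule ahead of this
# line; such a rule would make the state and SSH rules above meaningless.
ipt -A INPUT -j drop-and-log-it

echo -e " - Loading OUTPUT rulesets"
ipt -A OUTPUT -o lo -j ACCEPT
# Locally generated traffic to the LAN, from either of this host's addresses.
ipt -A OUTPUT -o "$INTIF" -s "$EXTIP" -d "$INTNET" -j ACCEPT
ipt -A OUTPUT -o "$INTIF" -s "$INTIP" -d "$INTNET" -j ACCEPT
# LAN destinations must never leave via the external interface (bad routing).
ipt -A OUTPUT -o "$EXTIF" -d "$INTNET" -j drop-and-log-it
# Anything else this host sends out the external interface.
ipt -A OUTPUT -o "$EXTIF" -s "$EXTIP" -j ACCEPT
ipt -A OUTPUT -j drop-and-log-it

echo -e " - Loading FORWARD rulesets"
# Return traffic for connections the LAN opened.
ipt -A FORWARD -i "$EXTIF" -o "$INTIF" -m state --state ESTABLISHED,RELATED -j ACCEPT
# LAN may go anywhere (no egress filtering).
ipt -A FORWARD -i "$INTIF" -o "$EXTIF" -j ACCEPT
# Port-forwarded RDP to $WINSERV, tcp and udp (the DNAT rules below rewrite
# the destination before this chain sees the packet), limited to $RDPSRC.
# Both DNAT rules need a matching ACCEPT here or the rewritten packets fall
# through to the reject below. $WINSERV is on the LAN itself, not in a
# separate DMZ, so compromising it gives direct access to $INTNET.
ipt -A FORWARD -i "$EXTIF" -o "$INTIF" -s "$RDPSRC" -d "$WINSERV" -p tcp --dport 3389 -j ACCEPT
ipt -A FORWARD -i "$EXTIF" -o "$INTIF" -s "$RDPSRC" -d "$WINSERV" -p udp --dport 3389 -j ACCEPT
ipt -A FORWARD -j drop-and-log-it

# Source NAT for LAN traffic leaving via $EXTIF.
ipt -t nat -A POSTROUTING -o "$EXTIF" -j SNAT --to-source "$EXTIP"
# Destination NAT for RDP to $WINSERV, only for sources that FORWARD will
# accept anyway; anyone else is rejected in INPUT without being DNATed.
ipt -t nat -A PREROUTING -i "$EXTIF" -s "$RDPSRC" -d "$EXTIP" -p tcp --dport 3389 -j DNAT --to-destination "$WINSERV"
ipt -t nat -A PREROUTING -i "$EXTIF" -s "$RDPSRC" -d "$EXTIP" -p udp --dport 3389 -j DNAT --to-destination "$WINSERV"

if (( errors > 0 )); then
  printf 'WARNING: %d iptables command(s) failed; the ruleset is incomplete (default policy is DROP).\n' "$errors" >&2
  exit 1
fi
echo -e " Firewall server rule loading complete\n\n"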