iptables rules

Jan 1st, 2022
159
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 2.27 KB | None | 0 0
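# Fragment of a larger firewall script. Defined earlier in that script:
#   TRUSTED_TCP_PORT / TRUSTED_UDP_PORT - whitespace-separated port lists
#                                        (TRUSTED_TCP_PORT includes 2000)
#   LO_IF / INT_IF / EXT_IF            - loopback, internal, external iface
#
# Abort if an interface variable is empty: an unquoted empty "$EXT_IF" makes
# "-i" swallow the next token and silently installs a different rule.
: "${LO_IF:?LO_IF must be set}"
: "${INT_IF:?INT_IF must be set}"
: "${EXT_IF:?EXT_IF must be set}"

# ------------- services ------------
# "services" ACCEPTs what this host may receive; everything else falls
# through (implicit RETURN) to the caller, where "block" decides.
echo "Creating services chain...."
iptables -N services
iptables -A services -i "$LO_IF" -j ACCEPT
iptables -A services -i "$INT_IF" -s 192.168.212.0/24 -j ACCEPT
# NOTE(review): this accepts packets that arrive on the *external* interface
# with an internal source address, i.e. no anti-spoofing for
# 192.168.212.0/24 on $EXT_IF. Kept because some topologies need it
# (second uplink on the LAN); if that is not the case here, remove it.
iptables -A services -i "$EXT_IF" -s 192.168.212.0/24 -j ACCEPT
# The port lists are deliberately word-split.
# shellcheck disable=SC2086
for PORT in $TRUSTED_TCP_PORT; do
  iptables -A services -i "$EXT_IF" -p tcp --dport "$PORT" -j ACCEPT
done
# shellcheck disable=SC2086
for PORT in $TRUSTED_UDP_PORT; do
  iptables -A services -i "$EXT_IF" -p udp --dport "$PORT" -j ACCEPT
done

# ------------- block -------------
# "block" is terminal: every packet ends in ACCEPT or DROP, it never RETURNs.
# Anything appended to INPUT/FORWARD *after* "-j block" is unreachable, which
# is why the SSH throttle and the forwarding accept below precede the jumps.
echo "Creating block chain..."
iptables -N block
iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A block -m state --state NEW ! -i "$EXT_IF" -j ACCEPT
# PPTP control channel (tcp/1723) and GRE, from any interface incl. $EXT_IF.
# NOTE(review): PPTP is a weak VPN; if the endpoint is no longer needed,
# remove these two rules to shrink the externally reachable surface.
iptables -A block -p tcp --dport 1723 -m state --state NEW -j ACCEPT
iptables -A block -p gre -j ACCEPT
# NOTE(review): unconditional LOG; consider "-m limit" to keep a port scan
# from flooding the log.
iptables -A block -j LOG --log-prefix "block:DROP: " --log-level 6
iptables -A block -j DROP

# ------------- filter -------------
echo "Filtering packets..."
iptables -A INPUT -i "$INT_IF" -j ACCEPT

# SSH brute-force throttle. Originally these rules sat after "-j services" /
# "-j block" and could never match (and port 22 in TRUSTED_TCP_PORT was
# already accepted by "services"). They now run first: the --set rule only
# records the source (no target, so nothing is accepted here); a source with
# 4+ new SSH connections within 60 s is logged and dropped. Whether SSH is
# accepted at all is still decided by "services"/"block", as before.
# --state NEW on the update rules keeps an established session's own packets
# from being counted and killing it.
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j LOG --log-prefix "SSH_brute_force"
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP

iptables -A INPUT -j icmpfilter   # icmpfilter chain is created elsewhere
iptables -A INPUT -j services
iptables -A INPUT -j block

iptables -A FORWARD -j icmpfilter
# Forwarded half of the tcp/2000 -> 192.168.212.51:8088 DNAT (see below).
# After DNAT the filter table already sees dst 192.168.212.51:8088, and if
# .51 is another host the flow traverses FORWARD, where "block" drops every
# NEW connection from $EXT_IF - so it must be accepted here, before the jump.
# NOTE(review): if 192.168.212.51 is an address of this box, the flow goes
# through INPUT instead and needs a matching --dport 8088 accept there.
iptables -A FORWARD -i "$EXT_IF" -p tcp -d 192.168.212.51 --dport 8088 -m state --state NEW -j ACCEPT
iptables -A FORWARD -j block

# ------------- Port forwarding ------------
# External tcp/2000 -> 192.168.212.51:8088.
# The former INPUT "--dport 2000" and OUTPUT "--sport 2000" accepts were
# dropped: DNAT in PREROUTING rewrites the port to 8088 before the filter
# table runs, so neither could ever match the translated flow (and the INPUT
# one was also unreachable behind "-j block").
iptables -t nat -A PREROUTING -p tcp -i "$EXT_IF" --dport 2000 -j DNAT --to-destination 192.168.212.51:8088
#iptables -t nat -A POSTROUTING -p tcp -d 192.168.212.51 --dport 8088 -j MASQUERADE


# ------------- masq -------------
# Source-NAT the LAN and the 172.17.0.0/16 range (presumably a container
# bridge network - confirm) behind the external interface.
echo "Masquerading internel network..."
iptables -t nat -A POSTROUTING -o "$EXT_IF" -s 192.168.212.0/24 -j MASQUERADE
iptables -t nat -A POSTROUTING -o "$EXT_IF" -s 172.17.0.0/16 -j MASQUERADE
#iptables -t nat -A POSTROUTING -o $EXT_IF -s 192.168.96.0/24 -j MASQUERADE

exit 0
## EOS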