# TRUSTED_TCP_PORT is defined before this point, and it includes port 2000.
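# ------------- sanity -------------
# The interface names come from earlier in the script. Fail loudly if one is
# unset rather than silently appending interface-less (far too broad) rules.
: "${LO_IF:?LO_IF must be set}"
: "${INT_IF:?INT_IF must be set}"
: "${EXT_IF:?EXT_IF must be set}"

# Values used more than once below.
int_net=192.168.212.0/24
dnat_host=192.168.212.51   # internal host reached through external port 2000
dnat_port=8088

# ------------- services ------------
printf '%s\n' "Creating services chain...."
iptables -N services
iptables -A services -i "$LO_IF" -j ACCEPT
iptables -A services -i "$INT_IF" -s "$int_net" -j ACCEPT
iptables -A services -i "$EXT_IF" -s "$int_net" -j ACCEPT
# TRUSTED_*_PORT are space-separated lists: word-splitting is intentional.
# "${VAR:-}" keeps an empty or unset list from being an error under 'set -u'.
for PORT in ${TRUSTED_TCP_PORT:-}; do
  iptables -A services -i "$EXT_IF" -p tcp --dport "$PORT" -j ACCEPT
done
for PORT in ${TRUSTED_UDP_PORT:-}; do
  iptables -A services -i "$EXT_IF" -p udp --dport "$PORT" -j ACCEPT
done

# ------------- block -------------
# Final stop for anything not accepted earlier: allow replies, allow NEW
# traffic that did not arrive on the external interface, allow PPTP
# (1723/GRE), then log and drop everything else.
printf '%s\n' "Creating block chain..."
iptables -N block
iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A block -m state --state NEW ! -i "$EXT_IF" -j ACCEPT
iptables -A block -p tcp --dport 1723 -m state --state NEW -j ACCEPT
iptables -A block -p gre -j ACCEPT
iptables -A block -j LOG --log-prefix "block:DROP: " --log-level 6
iptables -A block -j DROP

# ------------- filter -------------
printf '%s\n' "Filtering packets..."
iptables -A INPUT -i "$INT_IF" -j ACCEPT
iptables -A INPUT -j icmpfilter
# SSH rate limit for the external interface (internal traffic is already
# accepted above). These rules must precede the jumps to 'services' and
# 'block': 'block' drops every NEW external packet it sees, and 'services'
# may accept port 22 outright, so placed after them they are never reached.
# Order inside the group matters as well: the hitcount check has to come
# before the '--set ... -j ACCEPT' rule, otherwise each new connection is
# accepted before the counter is consulted. A source with 4 or more NEW
# connections within 60 s is logged (--rcheck leaves the counter alone) and
# dropped (--update refreshes it); anything below that is recorded and accepted.
iptables -A INPUT -i "$EXT_IF" -p tcp --dport 22 -m state --state NEW -m recent --rcheck --seconds 60 --hitcount 4 --rttl --name SSH -j LOG --log-prefix "SSH_brute_force" --log-level 6
iptables -A INPUT -i "$EXT_IF" -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
iptables -A INPUT -i "$EXT_IF" -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH -j ACCEPT
iptables -A INPUT -j services
iptables -A INPUT -j block

iptables -A FORWARD -j icmpfilter
# Packets rewritten by the PREROUTING DNAT below traverse FORWARD, not INPUT,
# and 'block' would drop them as NEW-from-external; accept them here first.
iptables -A FORWARD -i "$EXT_IF" -p tcp -d "$dnat_host" --dport "$dnat_port" -m state --state NEW -j ACCEPT
iptables -A FORWARD -j block

# ------------- Port forwarding ------------
iptables -t nat -A PREROUTING -p tcp -i "$EXT_IF" --dport 2000 -j DNAT --to-destination "$dnat_host:$dnat_port"
# Only relevant if a service on this host itself ever answers on port 2000;
# the DNAT'ed traffic never reaches INPUT/OUTPUT here.
iptables -A OUTPUT -o "$EXT_IF" -p tcp --sport 2000 -m state --state ESTABLISHED -j ACCEPT
#iptables -t nat -A POSTROUTING -p tcp -d 192.168.212.51 --dport 8088 -j MASQUERADE

# ------------- masq -------------
printf '%s\n' "Masquerading internel network..."
iptables -t nat -A POSTROUTING -o "$EXT_IF" -s "$int_net" -j MASQUERADE
iptables -t nat -A POSTROUTING -o "$EXT_IF" -s 172.17.0.0/16 -j MASQUERADE
#iptables -t nat -A POSTROUTING -o $EXT_IF -s 192.168.96.0/24 -j MASQUERADE
exit 0
## EOS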