  1. #!/bin/sh
  2.  
  3. IPTABLE_ADDRS='255.255.255.255 240.0.0.0/4 224.0.0.0/4 203.0.113.0/24 198.51.100.0/24 198.18.0.0/15 192.168.0.0/16 192.88.99.0/24 192.0.2.0/24 192.0.0.0/24 172.16.0.0/12 169.254.0.0/16 127.0.0.0/8 100.64.0.0/10 10.0.0.0/8 0.0.0.0/8'
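#######################################
# Open the firewall completely: flush the IPv4 filter and nat tables, reset
# every policy to ACCEPT, and undo the IPv6 lockdown that start() applies.
# Globals:   none
# Arguments: none
# Outputs:   nothing on stdout; iptables/ip6tables errors go to stderr
# Returns:   status of the last ip6tables command
#######################################
stop() {
    iptables -F
    iptables -t nat -F
    iptables -P INPUT ACCEPT; iptables -P FORWARD ACCEPT; iptables -P OUTPUT ACCEPT
    # start() sets DROP policies on ip6tables too; without resetting them here
    # the host stays without any IPv6 connectivity after "stop".
    ip6tables -F
    ip6tables -P INPUT ACCEPT; ip6tables -P FORWARD ACCEPT; ip6tables -P OUTPUT ACCEPT
}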
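#######################################
# Lock the host down: only the tor daemon (uid debian-tor) may open
# connections to the outside; every other new TCP connection and every DNS
# query is transparently redirected into tor's TransPort / DNSPort, and
# IPv6 is blocked entirely.  Also writes the matching tor listener config.
# Globals:   IPTABLE_ADDRS (read) - ranges never proxied, see top of file
# Arguments: none
# Outputs:   replaces /etc/tor/torrc as a whole (any previous content is lost)
# Returns:   status of the torrc write
# TODO: loading the ruleset with iptables-restore would apply it atomically
#       instead of one rule at a time.
#######################################
start() {
    # Policies go to DROP *before* the flush: flushing first would leave a
    # window with ACCEPT policies and no rules, in which traffic could leave
    # the host unproxied.
    iptables -P INPUT DROP; iptables -P FORWARD DROP; iptables -P OUTPUT DROP
    iptables -F
    iptables -t nat -F

    # INPUT: only replies to our own connections and loopback.
    iptables -A INPUT -m state --state INVALID -j DROP
    iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A INPUT -j DROP

    iptables -A FORWARD -j DROP

    # OUTPUT: replies, the two local tor listeners, tor itself, loopback.
    iptables -A OUTPUT -m state --state INVALID -j DROP
    iptables -A OUTPUT -m state --state ESTABLISHED -j ACCEPT

    # Packets rewritten by the nat rules below reach the filter table with
    # these destinations (nat OUTPUT runs first for locally generated packets).
    iptables -A OUTPUT -p udp -d 127.0.0.1 --dport 9053 -j ACCEPT
    iptables -A OUTPUT -p tcp --syn -d 127.0.0.1 --dport 9040 -j ACCEPT

    # Only the tor daemon may open new connections to the network.
    iptables -A OUTPUT -p tcp --syn -m owner --uid-owner debian-tor -m state --state NEW -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT

    # Reserved / non-routable ranges are dropped rather than sent anywhere.
    for iptable_addr in $IPTABLE_ADDRS; do
        iptables -A OUTPUT -d "$iptable_addr" -j DROP
    done

    iptables -A OUTPUT -j DROP

    # nat OUTPUT: DNS -> tor DNSPort; tor's automapped .onion range
    # (VirtualAddrNetwork below) -> TransPort.
    # NOTE(review): the UDP/53 redirect precedes the debian-tor RETURN, so
    # DNS sent by the tor user itself would be redirected too -- confirm intended.
    iptables -t nat -A OUTPUT -p udp --dport 53 -j DNAT --to-destination='127.0.0.1:9053'
    iptables -t nat -A OUTPUT -p tcp --syn -d 10.192.0.0/10 -j DNAT --to-destination='127.0.0.1:9040'

    # Leave tor's own connections, loopback and the reserved ranges alone ...
    iptables -t nat -A OUTPUT -p tcp --syn -m owner --uid-owner debian-tor -j RETURN
    iptables -t nat -A OUTPUT -o lo -j RETURN

    for iptable_addr in $IPTABLE_ADDRS; do
        iptables -t nat -A OUTPUT -d "$iptable_addr" -j RETURN
    done

    # ... and push every other new TCP connection into the TransPort.
    iptables -t nat -A OUTPUT -p tcp --syn -j DNAT --to-destination='127.0.0.1:9040'

    # IPv6: drop everything, same policy-before-flush order as above.
    # NOTE(review): this also drops IPv6 loopback (::1); confirm nothing local
    # depends on it.
    ip6tables -P INPUT DROP; ip6tables -P FORWARD DROP; ip6tables -P OUTPUT DROP
    ip6tables -F
    ip6tables -A INPUT -j DROP; ip6tables -A FORWARD -j DROP; ip6tables -A OUTPUT -j DROP

    # Tor listeners matching the rules above.  The ports and the virtual
    # address range must stay in sync with the DNAT rules.
    {
        echo DNSPort 127.0.0.1:9053
        echo AutomapHostsOnResolve 1
        echo AutomapHostsSuffixes .onion
        echo
        echo TransPort 127.0.0.1:9040
        echo VirtualAddrNetwork 10.192.0.0/10
    } > /etc/tor/torrc
}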
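# Entry point.  "stop" opens the firewall and stops tor, "start" locks the
# host down and (re)starts tor; both dump the resulting rules so the operator
# can check them.  Anything else prints usage on stderr and fails, so a typo
# is not mistaken for a successful run.
case "$1" in
    stop)
        stop
        systemctl stop tor
        iptables -nvL; iptables -t nat -nvL
    ;;
    start)
        start
        systemctl restart tor
        iptables -nvL; iptables -t nat -nvL
    ;;
    *)
        printf 'sudo %s stop\n' "$0" >&2
        printf 'sudo %s start\n' "$0" >&2
        exit 2
    ;;
esac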