  1. #!/bin/bash
  2. ###****BEGIN IPTABLES HOSTAPD FIREWALL****###
  3. # Ensure subnets do not match
  4. ifconfig dns0 up 172.16.0.1 netmask 255.255.255.254
  5. ifconfig dns1 up 172.16.2.1 netmask 255.255.255.252
  6. ifconfig wlan0 up 10.0.0.2 netmask 255.255.255.0
  7. # Clearing old iptables settings
  8. iptables -F
  9. iptables -t nat -F
  10. iptables -t mangle -F
  11. iptables -X
  12. iptables -t nat -X
  13. iptables -t mangle -X
  14. # Reqired iptables rule for eth0 masquerading (enable only if not using a vpn)
  15. iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
  16. # Allowing iodine (ip-over-dns) traffic (enable only if not using a vpn)
  17. iptables -t filter -A FORWARD -i eth0 -o dns+ -m state --state RELATED,ESTABLISHED -j ACCEPT
  18. iptables -t filter -A FORWARD -i dns+ -o eth0 -j ACCEPT
  19. # Make sure "accepted" packets are allowed
  20. iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
  21.  
  22. ###****BEGIN IPTABLES WIFI FIREWALL ****###
  23. iptables -P FORWARD DROP
  24. # http, https
  25. iptables --append FORWARD --in-interface wlan0 --out-interface -p tcp --dport 80 eth0 -j ACCEPT
  26. iptables --append FORWARD --in-interface wlan0 --out-interface -p tcp --dport 443 eth0 -j ACCEPT
  27.  
  28. ###****BEGIN IPTABLES SERVER FIREWALL****###
  29. iptables -P INPUT DROP
  30. iptables -P OUTPUT ACCEPT
  31. ## Fine tune what traffic we want
  32. # Keep state.
  33. iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  34. # Loop device.
  35. iptables -A INPUT -i lo -j ACCEPT
  36. # http, https
  37. iptables -A INPUT -p tcp --dport 80 -j ACCEPT
  38. iptables -A INPUT -p tcp --dport 443 -j ACCEPT
  39. # smtp, submission
  40. iptables -A INPUT -p tcp --dport 25 -j ACCEPT
  41. iptables -A INPUT -p tcp --dport 587 -j ACCEPT
  42. # pop3, pop3s
  43. iptables -A INPUT -p tcp --dport 110 -j ACCEPT
  44. iptables -A INPUT -p tcp --dport 995 -j ACCEPT
  45. # imap, imaps
  46. iptables -A INPUT -p tcp --dport 143 -j ACCEPT
  47. iptables -A INPUT -p tcp --dport 993 -j ACCEPT
  48. # ssh
  49. iptables -A INPUT -p tcp --dport 22 -j ACCEPT
  50. # Allow PING from remote hosts.
  51. iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
  52. # ejabberd
  53. #iptables -A INPUT -p tcp --dport 5222 -j ACCEPT
  54. #iptables -A INPUT -p tcp --dport 5223 -j ACCEPT
  55. #iptables -A INPUT -p tcp --dport 5280 -j ACCEPT
  56. # ldap/ldaps
  57. #iptables -A INPUT -p tcp --dport 389 -j ACCEPT
  58. #iptables -A INPUT -p tcp --dport 636 -j ACCEPT
  59. # ftp.
  60. #iptables -A INPUT -p tcp --dport 20 -j ACCEPT
  61. #iptables -A INPUT -p tcp --dport 21 -j ACCEPT
  62.  
  63. ###EXTRA IPTABLES STUFF###
  64.  
  65. ##REQUIRED IPTABLES RULES FOR VPN AND VPN IP MASQUERADING
  66. #iptables --table nat --append POSTROUTING --out-interface tun0 -j MASQUERADE
  67. #iptables -t filter -A FORWARD -i eth0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
  68. #iptables -t filter -A FORWARD -i tun0 -o eth0 -j ACCEPT
  69.  
  70. ##REQIRED IPTABLES RULES FOR IODINE OVER VPN
  71. #iptables -t filter -A FORWARD -i tun0 -o dns+ -m state --state RELATED,ESTABLISHED -j ACCEPT
  72. #iptables -t filter -A FORWARD -i dns+ -o tun0 -j ACCEPT