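*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
###################################################
# INPUT: traffic addressed to the router itself   #
###################################################
# Rules are evaluated top-down, first match wins.  Order here is
# deliberate: loopback, untrackable packets, anti-spoofing, local nets,
# state tracking, per-service rules, catch-all.
# Loopback interface is valid
-A INPUT -i lo -j ACCEPT
# Drop packets conntrack cannot classify (bad TCP flag combinations,
# out-of-window segments) before any ACCEPT rule can see them.
-A INPUT -m conntrack --ctstate INVALID -j DROP
# IP spoofing: RFC 1918 sources must never arrive on the external
# interface.  DROP, not REJECT -- a REJECT would send an ICMP error
# towards a forged source address, which is exactly what we should
# never answer.
-A INPUT -i eth0 -s 10.0.0.0/8 -j DROP
-A INPUT -i eth0 -s 172.16.0.0/12 -j DROP
-A INPUT -i eth0 -s 192.168.0.0/18 -j DROP
-A INPUT -i eth0 -s 192.168.64.0/19 -j DROP
-A INPUT -i eth0 -s 192.168.96.0/22 -j DROP
# NOTE(review): the prefixes above and below are split so that exactly
# 192.168.100.0/24 is NOT dropped -- presumably so a modem management
# address (commonly 192.168.100.1) stays reachable.  Confirm; if that
# exemption is not needed, replace all of these with one 192.168.0.0/16.
-A INPUT -i eth0 -s 192.168.101.0/24 -j DROP
-A INPUT -i eth0 -s 192.168.102.0/23 -j DROP
-A INPUT -i eth0 -s 192.168.104.0/21 -j DROP
-A INPUT -i eth0 -s 192.168.112.0/20 -j DROP
-A INPUT -i eth0 -s 192.168.128.0/17 -j DROP
# Local interfaces: hosts on the local subnets may talk to the router
-A INPUT -i br2 -s 10.0.2.0/24 -j ACCEPT
-A INPUT -i br1 -s 10.0.1.0/24 -j ACCEPT
# Internal interface, DHCP: DISCOVER/REQUEST arrive with source 0.0.0.0,
# which the subnet rule above does not cover.  DHCP is UDP only; the
# previous TCP 68->67 rule could never match.
-A INPUT -i br2 -p udp --sport 68 --dport 67 -j ACCEPT
# Replies to connections the router itself opened, plus ICMP errors
# related to them (PMTU discovery etc.), come in via conntrack.
-A INPUT -i eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# External interface: answer pings, but only echo-request and only at a
# bounded rate.  Unsolicited redirect/timestamp/mask-request etc. are
# not needed; ICMP errors for our own traffic are already RELATED above.
-A INPUT -i eth0 -p icmp --icmp-type echo-request -m limit --limit 5/s --limit-burst 10 -j ACCEPT
# External interface, SSH on 2222 from anywhere.  Rate-limit NEW
# connections per source (6th attempt within 60 s is dropped, and each
# further attempt extends the window) to blunt brute forcing.  Needs the
# xt_recent module.  ESTABLISHED is already accepted above, so only NEW
# is matched here.
-A INPUT -i eth0 -p tcp --dport 2222 -m conntrack --ctstate NEW -m recent --name ssh --set
-A INPUT -i eth0 -p tcp --dport 2222 -m conntrack --ctstate NEW -m recent --name ssh --update --seconds 60 --hitcount 6 -j DROP
-A INPUT -i eth0 -p tcp --dport 2222 -m conntrack --ctstate NEW -j ACCEPT
# External interface, UDP 655 (IANA assigns 655 to tinc -- confirm what
# actually listens here)
-A INPUT -i eth0 -p udp --dport 655 -m conntrack --ctstate NEW -j ACCEPT
# Catch-all rule, reject anything else addressed to the router
-A INPUT -j REJECT
####################################################
# OUTPUT: traffic originating from the router      #
####################################################
# Workaround for an old netfilter bug: ICMP the tracker cannot classify
-A OUTPUT -m conntrack -p icmp --ctstate INVALID -j DROP
# Loopback interface is valid.
-A OUTPUT -o lo -j ACCEPT
# Local interfaces: the router may talk to its own local subnets.
# BUG FIX: these two rules used to say "-o eth0".  That never matched
# traffic the router sends towards the LAN (which leaves via br1/br2),
# and it shadowed the anti-leak REJECT below for exactly these subnets.
# They also subsume the old "-s 10.0.2.0 -d 10.0.2.0/24" pair, which
# has been dropped.
-A OUTPUT -o br2 -d 10.0.2.0/24 -j ACCEPT
-A OUTPUT -o br1 -d 10.0.1.0/24 -j ACCEPT
# Internal interface, DHCP OFFER/ACK to the limited broadcast address.
# NOTE(review): the original matched "-s 10.0.2.0", a single host equal
# to the network address; unless the router's br2 address really is
# 10.0.2.0 that rule could never match, so the source match is dropped.
-A OUTPUT -o br2 -p udp --sport 67 -d 255.255.255.255 --dport 68 -j ACCEPT
# Outgoing to a local net via the external interface means broken
# routing (or a leak) -- refuse it.
-A OUTPUT -o eth0 -d 10.0.0.0/16 -j REJECT
# Anything else leaving via the external interface is valid
-A OUTPUT -o eth0 -j ACCEPT
# Catch-all: everything else the router tries to send is logged (rate
# limited) and rejected.  Unexpected outbound traffic from the router
# itself is worth seeing in the logs.
-A OUTPUT -m limit --limit 3/min --limit-burst 5 -j LOG --log-prefix "fw OUTPUT reject: "
-A OUTPUT -j REJECT
####################################################
# FORWARD: traffic routed between interfaces        #
####################################################
# Drop untrackable packets before any forwarding decision
-A FORWARD -m conntrack --ctstate INVALID -j DROP
# Replies from the Internet to connections opened from the LAN
-A FORWARD -i eth0 -o br2 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth0 -o br1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Traffic within and between the two internal bridges
-A FORWARD -i br2 -o br2 -j ACCEPT
-A FORWARD -i br1 -o br1 -j ACCEPT
-A FORWARD -i br1 -o br2 -j ACCEPT
-A FORWARD -i br2 -o br1 -j ACCEPT
# Unallocated parts of the br2 (untrust) net get no external access.
# These rules used to live in INPUT, where (a) they only governed
# traffic to the router itself, not routed traffic, and (b) they sat
# behind "-i br2 -s 10.0.2.0/24 -j ACCEPT" and were therefore dead.
# Here, ahead of the br2->eth0 ACCEPT, they actually take effect.
-A FORWARD -i br2 -o eth0 -s 10.0.2.8/29 -j REJECT
-A FORWARD -i br2 -o eth0 -s 10.0.2.16/28 -j REJECT
-A FORWARD -i br2 -o eth0 -s 10.0.2.32/27 -j REJECT
-A FORWARD -i br2 -o eth0 -s 10.0.2.64/26 -j REJECT
-A FORWARD -i br2 -o eth0 -s 10.0.2.128/25 -j REJECT
# Printer (10.0.2.5) doesn't get external network access.  Left
# disabled as in the original; the former eight-line enumeration of
# "every destination except 10.0.0.0/8" collapses to this one rule,
# since anything leaving via eth0 is external by construction.
#-A FORWARD -i br2 -o eth0 -s 10.0.2.5 -j REJECT
# Forward from the internal networks to the Internet.  The source is
# pinned to each bridge's own subnet so a LAN host cannot inject packets
# with a forged source (MASQUERADE would otherwise rewrite them anyway).
-A FORWARD -i br2 -o eth0 -s 10.0.2.0/24 -j ACCEPT
-A FORWARD -i br1 -o eth0 -s 10.0.1.0/24 -j ACCEPT
# Port-forward companion rule: must be enabled together with the
# PREROUTING DNAT in the *nat table, and the DNAT target must be a host
# in 10.0.1.0/24 or 10.0.2.0/24 (adjust -o accordingly).
#-A FORWARD -i eth0 -o br2 -p tcp --dport 1234 -m conntrack --ctstate NEW -j ACCEPT
# Catch-all REJECT rule
-A FORWARD -j REJECT
COMMIT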
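###########################
# nat: address translation only.  Filtering still happens in the
# FORWARD chain of the *filter table above -- a DNAT without a matching
# FORWARD ACCEPT is rejected there.
###########################
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# ----- Begin OPTIONAL FORWARD Section -----
# Optionally forward incoming TCP connections on port 1234 to an
# internal host.
# NOTE(review): as written this line cannot be enabled unchanged:
#  - iptables-restore does not expand shell variables, so "$EXTIP" must
#    be replaced by the real external address (or use "-i eth0" and
#    drop the -d match);
#  - 192.168.0.100 is not in either local subnet here (10.0.1.0/24,
#    10.0.2.0/24), so the target must be changed to a real local host;
#  - the companion "-A FORWARD ... --dport 1234" rule in *filter must
#    be enabled too.
#-A PREROUTING -p tcp -d $EXTIP --dport 1234 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j DNAT --to 192.168.0.100:1234
# ----- End OPTIONAL FORWARD Section -----
# IP-Masquerade, restricted to the local subnets.  The original
# "-o eth0 -j MASQUERADE" rewrote every packet leaving eth0 regardless
# of source; pinning the source keeps NAT aligned with what the FORWARD
# chain explicitly allows and never masquerades anything unexpected.
-A POSTROUTING -o eth0 -s 10.0.1.0/24 -j MASQUERADE
-A POSTROUTING -o eth0 -s 10.0.2.0/24 -j MASQUERADE
COMMIT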