  1. #!/bin/sh
  2.  
  3. # ---------
  4. # VARIABLES
  5. # ---------
  6.  
  7. ## Proxmox bridge holding Public IP
  8. PrxPubVBR="vmbr0"
  9. ## Proxmox bridge on VmWanNET (PFSense WAN side)
  10. PrxVmWanVBR="vmbr1"
  11. ## Proxmox bridge on PrivNET (PFSense LAN side)
  12. PrxVmPrivVBR="vmbr2"
  13.  
  14. ## Network/Mask of VmWanNET
  15. VmWanNET="10.0.0.0/30"
  16. ## Network/Mmask of PrivNET
  17. PrivNET="192.168.10.0/24"
  18. ## Network/Mmask of VpnNET
  19. VpnNET="10.2.2.0/24"
  20.  
  21. ## Public IP => Set your own
  22. PublicIP="IPPUBLiC"
  23. ## Proxmox IP on the same network than PFSense WAN (VmWanNET)
  24. ProxVmWanIP="10.0.0.1"
  25. ## Proxmox IP on the same network than VMs
  26. ProxVmPrivIP="192.168.10.1"
  27. ## PFSense IP used by the firewall (inside VM)
  28. PfsVmWanIP="10.0.0.2"
  29.  
  30.  
  31. # ---------------------
  32. # CLEAN ALL & DROP IPV6
  33. # ---------------------
  34. ### Delete all existing rules.
  35. iptables -F
  36. iptables -t nat -F
  37. iptables -t mangle -F
  38. iptables -X
  39. ### This policy does not handle IPv6 traffic except to drop it.
  40. ip6tables -P INPUT DROP
  41. ip6tables -P OUTPUT DROP
  42. ip6tables -P FORWARD DROP
  43.  
  44. # --------------
  45. # DEFAULT POLICY
  46. # --------------
  47.  
  48. ### Block ALL !
  49. iptables -P OUTPUT DROP
  50. iptables -P INPUT DROP
  51. iptables -P FORWARD DROP
  52.  
  53. # ------
  54. # CHAINS
  55. # ------
  56.  
  57. ### Creating chains
  58. iptables -N TCP
  59. iptables -N UDP
  60.  
  61. # UDP = ACCEPT / SEND TO THIS CHAIN
  62. iptables -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
  63.  
  64. # TCP = ACCEPT / SEND TO THIS CHAIN
  65. iptables -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
  66.  
  67. # ------------
  68. # GLOBAL RULES
  69. # ------------
  70.  
  71. # Allow localhost
  72. iptables -A INPUT -i lo -j ACCEPT
  73. iptables -A OUTPUT -o lo -j ACCEPT
  74.  
  75. # Don't break the current/active connections
  76. iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  77. iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  78.  
  79. # Allow Ping - Comment this to return timeout to ping request
  80. #iptables -A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
  81.  
  82. # --------------------
  83. # RULES FOR PrxPubVBR
  84. # --------------------
  85.  
  86. ### INPUT RULES
  87. # ---------------
  88.  
  89. # Allow SSH server
  90. iptables -A TCP -i $PrxPubVBR -d $PublicIP -p tcp --dport 22 -j ACCEPT
  91. # Allow Proxmox WebUI
  92. iptables -A TCP -i $PrxVmWanVBR -d $ProxVmWanIP -p tcp --dport 8006 -j ACCEPT
  93.  
  94. ### OUTPUT RULES
  95. # ---------------
  96.  
  97. # Allow ping out
  98. iptables -A OUTPUT -p icmp -j ACCEPT
  99.  
  100. ### Allow LAN to access internet
  101. iptables -A OUTPUT -o $PrxPubVBR -s $PfsVmWanIP -d $PublicIP -j ACCEPT
  102.  
  103. ### Proxmox Host as CLIENT
  104. # Allow SSH
  105. iptables -A OUTPUT -o $PrxPubVBR -s $PublicIP -p tcp --dport 22 -j ACCEPT
  106. # Allow DNS
  107. iptables -A OUTPUT -o $PrxPubVBR -s $PublicIP -p udp --dport 53 -j ACCEPT
  108. # Allow HTTP/HTTPS
  109. iptables -A OUTPUT -o $PrxPubVBR -s $PublicIP -p tcp --dport 80 -j ACCEPT
  110. iptables -A OUTPUT -o $PrxPubVBR -s $PublicIP -p tcp --dport 443 -j ACCEPT
  111.  
  112. ### Proxmox Host as SERVER
  113. # Allow SSH
  114. iptables -A OUTPUT -o $PrxPubVBR -s $PublicIP -p tcp --sport 22 -j ACCEPT
  115.  
  116. ### FORWARD RULES
  117. # ----------------
  118.  
  119. # Allow request forwarding to PFSense WAN interface
  120. iptables -A FORWARD -i $PrxPubVBR -d $PfsVmWanIP -o $PrxVmWanVBR -p tcp -j ACCEPT
  121. iptables -A FORWARD -i $PrxPubVBR -d $PfsVmWanIP -o $PrxVmWanVBR -p udp -j ACCEPT
  122.  
  123. # Allow request forwarding from LAN
  124. iptables -A FORWARD -i $PrxVmWanVBR -s $VmWanNET -j ACCEPT
  125.  
  126. ### MASQUERADE MANDATORY
  127. # Allow WAN network (PFSense) to use vmbr0 public adress to go out
  128. iptables -t nat -A POSTROUTING -s $VmWanNET -o $PrxPubVBR -j MASQUERADE
  129.  
  130. ### Redirect (NAT) traffic from internet
  131. # All tcp to PFSense WAN except 22, 8006
  132. iptables -A PREROUTING -t nat -i $PrxPubVBR -p tcp --match multiport ! --dports 22 -j DNAT --to $PfsVmWanIP
  133. # All udp to PFSense WAN
  134. iptables -A PREROUTING -t nat -i $PrxPubVBR -p udp -j DNAT --to $PfsVmWanIP
  135.  
  136. # ----------------------
  137. # RULES FOR PrxVmWanVBR
  138. # ----------------------
  139.  
  140. ### INPUT RULES
  141. # ---------------
  142.  
  143. # SSH (Server)
  144. iptables -A TCP -i $PrxVmWanVBR -d $ProxVmWanIP -p tcp --dport 22 -j ACCEPT
  145.  
  146. ### OUTPUT RULES
  147. # ---------------
  148.  
  149.  
  150. # Allow SSH server
  151. iptables -A OUTPUT -o $PrxVmWanVBR -s $ProxVmWanIP -p tcp --sport 22 -j ACCEPT
  152. # Allow PROXMOX WebUI on Public Interface from Internet
  153. iptables -A OUTPUT -o $PrxVmWanVBR -s $ProxVmWanIP -p tcp --sport 8006 -j ACCEPT
  154.  
  155. # -----------------------
  156. # RULES FOR PrxVmPrivVBR
  157. # -----------------------
  158.  
  159. # NO RULES => All blocked !!!
  160. service fail2ban restart