  1. #!/bin/sh
  2.  
  3. ###################
  4. # Define variables
  5. ###################
  6.  
  7. ## Public bridge holds physical interface (public IP, output gateway)
  8. Public_Bridge="vmbr0"
  9.  
  10. ## WAN bridge ( holds WAN_Network )
  11. WAN_Bridge="vmbr1"
  12.  
  13. ## LAN bridge ( holds Lan Network )
  14. LAN_Bridge="vmbr2"
  15.  
  16. ## Network between hypervisor and firewall
  17. WAN_Network="192.168.100.0/24"
  18.  
  19. ## Network between firewall and VMs
  20. LAN_Network="10.0.1.0/24"
  21.  
  22. ## VPN network
  23. VPN_Network="10.8.0.0/24"
  24.  
  25. ## IPV4 public IP of the physical interface
  26. Public_IP="x.x.x.x"
  27.  
  28. ## Hypervisor IP inside the WAN network
  29. Hypervisor_Wan_IP="192.168.100.1"
  30.  
  31. ## Hypervisor IP inside the LAN network
  32. Hypervisor_LAN_IP="10.0.1.1"
  33.  
  34. ## Firewall IP inside the WAN network
  35. Firewall_WAN_IP="192.168.100.2"
  36.  
  37. ## SSH Port
  38. SSH_Port="22"
  39.  
  40. ###################
  41. # Cleanup
  42. ###################
  43.  
  44. # Delete all the rules of every chains ( table filter )
  45. # iptables -F
  46. iptables --flush
  47.  
  48. # Delete all the rules of every chains ( table nat )
  49. # iptables -t nat -F
  50. iptables --table nat --flush
  51.  
  52. # Delete all the rules of every chains ( table mangle )
  53. #iptables -t mangle -F
  54. iptables --table mangle --flush
  55.  
  56. # Delete all user-defined chains
  57. #iptables -X
  58. iptables --delete-chain
  59.  
  60. # Cleanup IPv6 policies
  61. ip6tables --policy INPUT DROP
  62. ip6tables -P OUTPUT DROP
  63. ip6tables -P FORWARD DROP
  64.  
  65. # Cleanup IPv4 policies
  66. iptables -P INPUT DROP
  67. iptables -P OUTPUT DROP
  68. iptables -P FORWARD DROP
  69.  
  70. ###################
  71. # Chains
  72. ###################
  73.  
  74. # Create chains
  75. iptables --new-chain TCP
  76. iptables -N UDP
  77.  
  78. # Define rules on capturing UDP and TCP connexions
  79. iptables --append INPUT --protocol udp --match conntrack --ctstate NEW --jump UDP
  80. iptables -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
  81.  
  82. ###################
  83. # Global rules
  84. ###################
  85.  
  86. # Allow localhost
  87. #iptables -A INPUT -i lo -j ACCEPT
  88. #iptables -A OUTPUT -o lo -j ACCEPT
  89. iptables --append INPUT --in-interface lo --jump ACCEPT
  90. iptables --append OUTPUT --out-interface lo --jump ACCEPT
  91.  
  92. # Don't break current or active connections
  93. iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  94. iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  95.  
  96. # Allow ICMP
  97. iptables -A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
  98.  
  99. ########################
  100. # Incoming traffic rules
  101. ########################
  102.  
  103. # Allow SSH connections
  104. iptables -A TCP -i $Public_Bridge -d $Public_IP -p tcp --dport $SSH_Port -j ACCEPT
  105.  
  106. # Allow Proxmox WebUI
  107. iptables -A TCP -i $Public_Bridge -d $Public_IP -p tcp --dport 8006 -j ACCEPT
  108.  
  109. ########################
  110. # Outcoming traffic rules
  111. ########################
  112.  
  113. # Allow ping out
  114. iptables -A OUTPUT -p icmp -j ACCEPT
  115.  
  116. # Allow HTTPS/HTTP
  117. iptables -A OUTPUT -o $Public_Bridge -s $Public_IP -p tcp --dport 80 -j ACCEPT
  118. # ip6tables -A OUTPUT -o $Public_Bridge -s $Public_IP -p tcp --dport 80 -j ACCEPT
  119. iptables -A OUTPUT -o $Public_Bridge -s $Public_IP -p tcp --dport 443 -j ACCEPT
  120. # ip6tables -A OUTPUT -o $Public_Bridge -s $Public_IP -p tcp --dport 443 -j ACCEPT
  121.  
  122. # Allow DNS
  123. iptables -A OUTPUT -o $Public_Bridge -s $Public_IP -p udp --dport 53 -j ACCEPT
  124.  
  125. # Allow SSH
  126. iptables -A OUTPUT -o $Public_Bridge -s $Public_IP -p tcp --sport $SSH_Port -j ACCEPT
  127.  
  128. # Allow Proxmox WebUI
  129. iptables -A OUTPUT -o $Public_Bridge -s $Public_IP -p tcp --sport 8006 -j ACCEPT
  130.  
  131. # Allow to access VMs from Hypervisor
  132. iptables -A OUTPUT -o $WAN_Bridge -s $Hypervisor_Wan_IP -p tcp -j ACCEPT
  133.  
  134. ###########################
  135. # Forwarding traffic rules
  136. ###########################
  137.  
  138. # Send all TCP traffic from Public IP to WAN network, except for the SSH port and Proxmox WebUI
  139. iptables -A PREROUTING -t nat -i $Public_Bridge -p tcp --match multiport ! --dports $SSH_Port,8006 -j DNAT --to $Firewall_WAN_IP
  140.  
  141. # Send all UDP traffic from Public IP to WAN network
  142. iptables -A PREROUTING -t nat -i $Public_Bridge -p udp -j DNAT --to $Firewall_WAN_IP
  143.  
  144. # Allow request forwarding to firewall through WAN network
  145. iptables -A FORWARD -i $Public_Bridge -d $Firewall_WAN_IP -o $WAN_Bridge -p tcp -j ACCEPT
  146. iptables -A FORWARD -i $Public_Bridge -d $Firewall_WAN_IP -o $WAN_Bridge -p udp -j ACCEPT
  147.  
  148. # Allow request from LAN
  149. iptables -A FORWARD -i $WAN_Bridge -s $WAN_Network -j ACCEPT
  150.  
  151. # Allow WAN network to use public IP gateway to go out
  152. iptables -t nat -A POSTROUTING -s $WAN_Network -o $Public_Bridge -j MASQUERADE