Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- #!/bin/sh
- INTIF="eth2"
- EXTIF="eth1"
- INTNET="192.168.0.0/24"
- INTIP="192.168.0.254/24"
- EXTIP="10.255.26.10"
- PROXYSERVER="10.255.26.220"
- PROXYPORT="3128"
- #EXTIP="`/sbin/ifconfig eth1 | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'`"
- /sbin/depmod -a
- # Force loading and activation of all the NAT and IPTables needed modules
- /sbin/modprobe ip_tables
- /sbin/modprobe ip_conntrack
- /sbin/modprobe ip_conntrack_ftp
- /sbin/modprobe ip_conntrack_irc
- /sbin/modprobe iptable_nat
- /sbin/modprobe ip_nat_ftp
- /sbin/modprobe ip_nat_irc
- echo "1" > /proc/sys/net/ipv4/ip_forward
- echo "1" > /proc/sys/net/ipv4/ip_dynaddr
- UNIVERSE="0.0.0.0/0"
- # Clearing any existing rules and setting default policy
- iptables -P INPUT ACCEPT
- iptables -F INPUT
- iptables -P OUTPUT ACCEPT
- iptables -F OUTPUT
- iptables -P FORWARD DROP
- iptables -F FORWARD
- iptables -t nat -F
- # Flush the user chain.. if it exists
- if [ "`iptables -L | grep drop-and-log-it`" ]; then
- iptables -F drop-and-log-it
- fi
- # Delete all User-specified chains
- iptables -X
- # Reset all IPTABLES counters
- iptables -Z
- # Creating a DROP chain
- iptables -N drop-and-log-it
- iptables -A drop-and-log-it -j LOG --log-level info
- iptables -A drop-and-log-it -j REJECT
- # ================ INPUT Chain ================
- # loopback interfaces are valid.
- iptables -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
- # local interface, local machines, going anywhere is valid
- iptables -A INPUT -i $INTIF -s $INTNET -d $UNIVERSE -j ACCEPT
- # remote interface, claiming to be local machines, IP spoofing, get lost
- iptables -A INPUT -i $EXTIF -s $INTNET -d $UNIVERSE -j drop-and-log-it
- # remote interface, any source, going to permanent PPP address is valid
- iptables -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -j ACCEPT
- # Allow any related traffic coming back to the MASQ server in
- iptables -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state ESTABLISHED,RELATED -j ACCEPT
- # Catch all rule, all other incoming is denied and logged.
- iptables -A INPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it
- # ================ OUTPUT Chain ================
- # loopback interface is valid.
- iptables -A OUTPUT -o lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
- # local interfaces, any source going to local net is valid
- iptables -A OUTPUT -o $INTIF -s $EXTIP -d $INTNET -j ACCEPT
- # local interface, any source going to local net is valid
- iptables -A OUTPUT -o $INTIF -s $INTIP -d $INTNET -j ACCEPT
- # outgoing to local net on remote interface, stuffed routing, deny
- iptables -A OUTPUT -o $EXTIF -s $UNIVERSE -d $INTNET -j drop-and-log-it
- # anything else outgoing on remote interface is valid
- iptables -A OUTPUT -o $EXTIF -s $EXTIP -d $UNIVERSE -j ACCEPT
- # Catch all rule, all other outgoing is denied and logged.
- iptables -A OUTPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it
- # ================ FORWARD Chain ================
- iptables -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
- iptables -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
- # Enabling SNAT (MASQUERADE) functionality on $EXTIF
- iptables -t nat -A PREROUTING -s $INTNET -p tcp --dport 80 -j REDIRECT --to-ports $PROXYPORT
- iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
Add Comment
Please, Sign In to add comment
