#The overall philosophy of this firewall is to reject any traffic we don't explicitly allow.
#There are 2 main servers, but they can be thought of as 3, as one uses 2 ips to separate some services
# First, 207.70.62.18 should nearly always forward to 192.168.0.30 - this is Elwood
# Next, 207.70.62.19 should nearly always forward to 192.168.0.20 - this is Jake
# Third, 207.70.62.20 should nearly always forward to 192.168.0.31 - this is on Elwood, but does different things
# Finally, there are some exceptions to these rules (stuff like remote support traffic that hits my laptop
# instead of going on to elwood or jake, etc.)
#We don't know or care what openwrt has done with the firewall prior to running this script. Off we go!
#Set everything to accept
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
#Barrroooommmm -- flush all rules
iptables -t nat -F
iptables -t nat -X
#set default policy of acceptance on everything
iptables -t filter -P INPUT ACCEPT
iptables -t filter -P FORWARD ACCEPT
#don't enable this drop until after verifying the rest of the forward and nat rules work.
#iptables -t filter -P FORWARD DROP
iptables -t filter -P OUTPUT ACCEPT
iptables -t filter -F
iptables -t filter -X
#these IPs are not allowed to talk to us at all - (web crawlers that are misbehaving)
iptables -t filter -A FORWARD -s 66.17.15.166 -j DROP
iptables -t filter -A FORWARD -s 69.84.207.147 -j DROP
#first, set up exclusions to the rules of straight external IP -> internal IP translation
# Set up services that need to hit Kimball's laptop
#port 5500 is for reverse VNC - remote support to our customers.
iptables -t nat -A PREROUTING -d 207.70.62.19 -p udp -m udp --dport 5500 -j DNAT --to-destination 192.168.0.21
iptables -t nat -A PREROUTING -d 207.70.62.19 -p tcp -m tcp --dport 5500 -j DNAT --to-destination 192.168.0.21
iptables -A FORWARD -d 192.168.0.21 -p tcp --dport 5500 -j ACCEPT
iptables -A FORWARD -d 192.168.0.21 -p udp --dport 5500 -j ACCEPT
# ports 44555 and 49152 are for remote debugging. Not needed frequently, so disabled for now.
#iptables -t nat -A PREROUTING -d 207.70.62.19 -p udp -m udp --dport 44555 -j DNAT --to-destination 192.168.0.21
#iptables -t nat -A PREROUTING -d 207.70.62.19 -p tcp -m tcp --dport 44555 -j DNAT --to-destination 192.168.0.21
#iptables -t nat -A PREROUTING -d 207.70.62.19 -p udp -m udp --dport 49152 -j DNAT --to-destination 192.168.0.21
#iptables -t nat -A PREROUTING -d 207.70.62.19 -p tcp -m tcp --dport 49152 -j DNAT --to-destination 192.168.0.21
#This sets up Cameron's machine to receive incoming remote support requests
iptables -t nat -A PREROUTING -d 207.70.62.18 -p udp -m udp --dport 5500 -j DNAT --to-destination 192.168.0.4
iptables -t nat -A PREROUTING -d 207.70.62.18 -p tcp -m tcp --dport 5500 -j DNAT --to-destination 192.168.0.4
iptables -A FORWARD -d 192.168.0.4 -p tcp --dport 5500 -j ACCEPT
iptables -A FORWARD -d 192.168.0.4 -p udp --dport 5500 -j ACCEPT
#catch all to send everything to elwood that comes in on .18 - though everything that is natted in this fashion will be
#dropped by the forward chain, so we'll explicitly list some things to allow through (web, mail, ssh, etc)
iptables -t nat -A PREROUTING -d 207.70.62.18 -j DNAT --to-destination 192.168.0.30
#catch all to send everything to Jake
iptables -t nat -A PREROUTING -d 207.70.62.19 -j DNAT --to-destination 192.168.0.20
#catch all to send everything to 192.168.0.31 that comes in on 207.70.62.20
iptables -t nat -A PREROUTING -d 207.70.62.20 -j DNAT --to-destination 192.168.0.31
#take care of some lan routing - always let traffic originating from the lan through.
iptables -A FORWARD -i br-lan -j ACCEPT
#replies to connections the lan and the servers open themselves must also be let back in; without this
#line the FORWARD DROP policy above would cut off every outbound connection's return traffic.
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
#explicitly forward some ports on 207.70.62.18 to elwood
iptables -A FORWARD -d 192.168.0.30 -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -d 192.168.0.30 -p tcp --dport 22 -j ACCEPT
iptables -A FORWARD -d 192.168.0.30 -p tcp --dport 443 -j ACCEPT
iptables -A FORWARD -d 192.168.0.30 -p tcp --dport 993 -j ACCEPT
iptables -A FORWARD -d 192.168.0.30 -p tcp --dport 995 -j ACCEPT
iptables -A FORWARD -d 192.168.0.30 -p tcp --dport 2500 -j ACCEPT
iptables -A FORWARD -d 192.168.0.30 -p tcp --dport 3493 -j ACCEPT
iptables -A FORWARD -d 192.168.0.30 -p tcp --dport 3306 -j ACCEPT
iptables -A FORWARD -d 192.168.0.30 -p tcp --dport 110 -j ACCEPT
iptables -A FORWARD -d 192.168.0.30 -p tcp --dport 143 -j ACCEPT
iptables -A FORWARD -d 192.168.0.30 -p tcp --dport 10000 -j ACCEPT
iptables -A FORWARD -d 192.168.0.30 -p tcp --dport 53 -j ACCEPT
iptables -A FORWARD -d 192.168.0.30 -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -d 192.168.0.30 -p tcp --dport 25 -j ACCEPT
#explicitly forward some ports on 207.70.62.19 to jake
iptables -A FORWARD -d 192.168.0.20 -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -d 192.168.0.20 -p tcp --dport 8080 -j ACCEPT
iptables -A FORWARD -d 192.168.0.20 -p tcp --dport 22 -j ACCEPT
#explicitly forward some ports on 207.70.62.20 to 192.168.0.31 (also on elwood, but separate interface)
iptables -A FORWARD -d 192.168.0.31 -p tcp --dport 80 -j ACCEPT
#the 443 rule below used to name 192.168.0.30 (a copy-paste slip), which left https on 207.70.62.20 unreachable
iptables -A FORWARD -d 192.168.0.31 -p tcp --dport 443 -j ACCEPT
#log some forwarding - anything reaching this rule is what the DROP policy will discard once it is enabled
iptables -A FORWARD -j LOG --log-prefix would_drop
#snat everything back to servers as needed
iptables -t nat -A POSTROUTING -s 192.168.0.30 -j SNAT --to-source 207.70.62.18
iptables -t nat -A POSTROUTING -s 192.168.0.20 -j SNAT --to-source 207.70.62.19
iptables -t nat -A POSTROUTING -s 192.168.0.31 -j SNAT --to-source 207.70.62.20
#and local subnets are always masqueraded (eth0.1 is the modem-facing interface on the router)
iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -o eth0.1 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -d 207.70.62.16/29 -j MASQUERADE
exit
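Before flipping the FORWARD policy to DROP, it helps to know exactly which public ip:port pairs the catch-all DNATs plus the FORWARD ACCEPT list actually expose. The checker below is an added example, not part of the pasted script; it parses `iptables -A` lines of this shape and applies first-match semantics, and the SAMPLE excerpt is constructed from a handful of the rules above.

```python
# Added example, not part of the pasted script: audit which public ip:port pairs a
# DNAT/FORWARD script of this shape actually exposes once FORWARD policy is DROP.
import shlex

FLAGS = {"-t": "table", "-A": "chain", "-d": "dst", "-p": "proto", "--dport": "dport", "-j": "target", "--to-destination": "to"}

def parse_rule(line):
    """Return the options of an `iptables -A` rule as a dict, or None for anything else."""
    toks = shlex.split(line.split("#", 1)[0])       # strip trailing comments
    if "iptables" not in toks or "-A" not in toks:
        return None
    r = {"table": "filter", "proto": "any", "dport": None}
    for i, tok in enumerate(toks[:-1]):
        if tok in FLAGS:
            r[FLAGS[tok]] = int(toks[i + 1]) if tok == "--dport" else toks[i + 1]
    return r

def exposed_services(script):
    """Map public IP -> sorted (proto, port) pairs reachable via DNAT + FORWARD ACCEPT. iptables is
    first-match: a port-specific DNAT claims its port, a later catch-all DNAT (no --dport) only
    covers unclaimed ports, and is only as open as the FORWARD ACCEPTs for its internal host."""
    dnats, accepts = [], set()
    for r in filter(None, map(parse_rule, script.splitlines())):
        if r["table"] == "nat" and r["chain"] == "PREROUTING" and r.get("target") == "DNAT":
            dnats.append(r)
        elif r["table"] == "filter" and r["chain"] == "FORWARD" and r.get("target") == "ACCEPT" and "dst" in r:
            accepts.add((r["dst"], r["proto"], r["dport"]))
    exposed, claimed = {}, {}
    for d in dnats:                                  # walk DNATs in rule order
        for dst, proto, port in accepts:
            if dst != d["to"] or (proto, port) in claimed.get(d["dst"], set()):
                continue
            if d["dport"] is not None and (d["proto"], d["dport"]) != (proto, port):
                continue
            exposed.setdefault(d["dst"], set()).add((proto, port))
        if d["dport"] is not None:
            claimed.setdefault(d["dst"], set()).add((d["proto"], d["dport"]))
    return {ip: sorted(v) for ip, v in exposed.items()}

# Constructed excerpt modelled on the script above: same addresses, a handful of its rules.
SAMPLE = """
iptables -t nat -A PREROUTING -d 207.70.62.19 -p tcp -m tcp --dport 5500 -j DNAT --to-destination 192.168.0.21
iptables -A FORWARD -d 192.168.0.21 -p tcp --dport 5500 -j ACCEPT
iptables -t nat -A PREROUTING -d 207.70.62.18 -j DNAT --to-destination 192.168.0.30
iptables -t nat -A PREROUTING -d 207.70.62.19 -j DNAT --to-destination 192.168.0.20
iptables -t nat -A PREROUTING -d 207.70.62.20 -j DNAT --to-destination 192.168.0.31
iptables -A FORWARD -d 192.168.0.30 -p tcp --dport 443 -j ACCEPT
iptables -A FORWARD -d 192.168.0.20 -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -j LOG --log-prefix would_drop
"""
```

Run `exposed_services(SAMPLE)`: 207.70.62.19 shows tcp 80 and 5500, 207.70.62.18 shows tcp 443, and 207.70.62.20 is absent because its catch-all DNAT has no FORWARD ACCEPT behind it, which is exactly the kind of gap to find before the policy becomes DROP.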