Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- #!/usr/bin/env bash
- working_path="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
- script_name=`basename "$0"`
- if ! [ $(id -u) = 0 ]; then
- printf "This script must be run as root, e.g.:\n'sudo %s/%s'\n" $working_path $script_name
- exit 1
- fi
- printf "Configuring firewall rules...\n"
- # OpenVPN ports used by major providers:
- OPENVPN_UDP_PORTS="53,1194,1195,1196,1197,1198,1301,1302"
- # delete all existing rules
- iptables -Z
- iptables --flush
- iptables --delete-chain
- iptables -t nat -F
- # default drop policy:
- iptables --policy INPUT DROP;
- iptables --policy OUTPUT DROP;
- iptables --policy FORWARD DROP;
- # establish logging chain:
- iptables -N LOGGING
- iptables -N BADPKT_LOGGING
- # allow loopback:
- iptables -A INPUT -i lo -m comment --comment "loopback" -j ACCEPT
- iptables -A OUTPUT -o lo -m comment --comment "loopback" -j ACCEPT
- # local network access rules:
- # allow incoming from lan, outgoing thru vpn:
- iptables -I OUTPUT -o tun+ -m comment --comment "Out to VPN" -j ACCEPT
- iptables -I INPUT -i eth0 -m comment --comment "In from eth0" -j ACCEPT
- # allow outbound services:
- iptables -A OUTPUT -o eth0 -p icmp -m comment --comment "icmp" -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp -m multiport --dports $OPENVPN_UDP_PORTS -m comment --comment "openvpn" -j ACCEPT
- iptables -A OUTPUT -o eth0 -p tcp -m tcp --sport 22 -m comment --comment "ssh" -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp -m udp --dport 123 -m comment --comment "ntp" -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp -m udp --dport 53 -m comment --comment "dns" -j ACCEPT
- iptables -A OUTPUT -o eth0 -p tcp -m tcp --dport 53 -m comment --comment "dns" -j ACCEPT
- iptables -A OUTPUT -p UDP --dport 67:68 -m comment --comment "dhcp" -j ACCEPT
- # rule chain for forwarding via VPN:
- iptables -N forward_rules_vpn
- iptables -t filter -A forward_rules_vpn -i tun+ -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
- iptables -t filter -A forward_rules_vpn -i eth0 -o tun+ -m comment --comment "eth0 out to VPN" -j ACCEPT
- ############### port forwarding rules
- # prerouting rule:
- iptables -A PREROUTING -t nat -i tun+ -p tcp --dport 43691 -j DNAT --to 10.1.2.10:8080
- # create port forwarding rule chain:
- iptables -N port_forwarding_vpn
- iptables -t filter -A port_forwarding_vpn -i tun+ -p tcp -d 10.1.2.10 --dport 8080 -j ACCEPT
- # add port forwarding rule chain to the vpn forwarding rule chain
- iptables -A forward_rules_vpn -j port_forwarding_vpn
- ###############
- # rule chain for forwarding via LAN
- iptables -N forward_rules_lan
- iptables -t filter -A forward_rules_lan -i eth0 -o eth0 -m comment --comment "eth0 forwarding" -j ACCEPT
- # turn on forwarding via VPN
- iptables -A FORWARD -j forward_rules_vpn
- # nat the gateway
- iptables -t nat -A POSTROUTING -o tun+ -j MASQUERADE
- iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
- iptables -A INPUT -i tun+ -m state --state ESTABLISHED,RELATED -j ACCEPT
- # TCP sessions must start with SYN, drop bad packets:
- iptables -A INPUT -p tcp ! --syn -m state --state NEW -j BADPKT_LOGGING
- iptables -A INPUT -m state --state INVALID -j BADPKT_LOGGING
- iptables -A INPUT -p tcp --tcp-flags ALL NONE -j BADPKT_LOGGING
- iptables -A INPUT -p tcp --tcp-flags ALL ALL -j BADPKT_LOGGING
- iptables -A INPUT -f -m comment --comment "Drop FRAGS" -j BADPKT_LOGGING
- iptables -A INPUT -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j BADPKT_LOGGING
- iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j BADPKT_LOGGING
- iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j BADPKT_LOGGING
- # accept inbound vpn initiated traffic
- # accept outbound lan initiated traffic
- iptables -A OUTPUT -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
- # killswitch rule chains
- iptables -N killswitch_on
- iptables -t filter -A killswitch_on -j RETURN
- iptables -N killswitch_off
- iptables -t filter -A killswitch_off -o eth0 -j ACCEPT
- # create killswitch rule chain, turn the killswitch on
- iptables -N killswitch
- iptables -t filter -A killswitch -j killswitch_on
- # add killswitch chain to OUTPUT chain:
- iptables -t filter -A OUTPUT -j killswitch
- # logging for dropped traffic
- iptables -A INPUT -m comment --comment "LOG and DROP" -j LOGGING
- iptables -A OUTPUT -m comment --comment "LOG and DROP" -j LOGGING
- # logging chain
- iptables -A LOGGING -m limit --limit 2/sec -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
- iptables -A LOGGING -j DROP
- # logging badpackets chain
- iptables -A BADPKT_LOGGING -m limit --limit 2/sec -j LOG --log-prefix "IPTables- BADPACKETS: " --log-level 4
- iptables -A BADPKT_LOGGING -j DROP
- # save the firewall rules
- iptables-save > /etc/iptables/rules.v4
- printf "Firewall rules have been configured.\n"
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement