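#!/usr/bin/env bash
# VPN gateway firewall: LAN and local traffic leave through the tunnel (tun+),
# except RDP, which is policy-routed back out through the LAN gateway.
#
# Parameters (override via the environment before running):
#   WAN_IF    physical interface toward the LAN / internet   (default eth0)
#   LAN_NET   local network whose traffic is trusted         (default 192.168.0.0/24)
#   LAN_GW    LAN default gateway used for the RDP bypass    (default 192.168.0.254)
#   VPN_PORT  UDP port the VPN client connects to            (default 1198)
#   RT_TABLE  name of the policy-routing table               (default POLICY-ROUTE)
#   RT_ID     numeric id of that table in rt_tables          (default 200)
set -euo pipefail

WAN_IF=${WAN_IF:-eth0}
LAN_NET=${LAN_NET:-192.168.0.0/24}
LAN_GW=${LAN_GW:-192.168.0.254}
VPN_PORT=${VPN_PORT:-1198}
RT_TABLE=${RT_TABLE:-POLICY-ROUTE}
RT_ID=${RT_ID:-200}
readonly WAN_IF LAN_NET LAN_GW VPN_PORT RT_TABLE RT_ID
readonly RT_TABLES=/etc/iproute2/rt_tables
readonly RDP_PORT=3389

# --- Clean IP Tables -------------------------------------------------------
# Open the policies before flushing so a re-run cannot lock the session out
# between the flush and the final DROP policies further down.
sudo iptables --policy INPUT ACCEPT
sudo iptables --policy OUTPUT ACCEPT
sudo iptables --policy FORWARD ACCEPT
sudo iptables -F
sudo iptables -F -t nat
sudo iptables -F -t mangle

# --- Allow loopback device (internal communication) ------------------------
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A OUTPUT -o lo -j ACCEPT

# --- Allow replies to flows this host initiated ----------------------------
# Replaces the original INPUT rules keyed only on "--sport 53/123/1198/3389":
# a rule that matches the remote *source* port accepts unsolicited packets
# from any host that chooses that port, which punches through the DROP policy
# below. Connection tracking only admits packets belonging to an allowed flow.
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# --- Allow all local traffic -----------------------------------------------
sudo iptables -I INPUT -s "$LAN_NET" -j ACCEPT
sudo iptables -I OUTPUT -d "$LAN_NET" -j ACCEPT

# --- Allow VPN establishment -----------------------------------------------
# DNS is allowed to any resolver; add "-d <resolver>" here if DNS must not be
# able to leave outside the tunnel once it is up.
sudo iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
# VPN_PORT may differ depending on the VPN provider.
sudo iptables -A OUTPUT -p udp --dport "$VPN_PORT" -j ACCEPT
# NTP
sudo iptables -A OUTPUT -p udp --dport 123 -j ACCEPT
sudo iptables -A FORWARD -i tun+ -o "$WAN_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A FORWARD -i "$WAN_IF" -o tun+ -m comment --comment "LAN out to VPN" -j ACCEPT
sudo iptables -t nat -A POSTROUTING -o tun+ -j MASQUERADE

# --- Allow RDP ---------------------------------------------------------------
sudo iptables -A OUTPUT -p tcp --dport "$RDP_PORT" -j ACCEPT
# NOTE(review): this FORWARD rule is not bound to an interface, so RDP may be
# forwarded from tun+ as well as from the LAN; add "-i $WAN_IF" if the tunnel
# side must not reach RDP hosts on the LAN.
sudo iptables -A FORWARD -p tcp --dport "$RDP_PORT" -j ACCEPT

# --- Accept all TUN connections (tun = VPN tunnel) ---------------------------
# NOTE(review): the INPUT rule admits unsolicited inbound traffic from the
# tunnel to every local port. Replies are already covered by the
# ESTABLISHED,RELATED rule above, so this can be removed if nothing on this
# host needs to be reachable from the VPN side.
sudo iptables -I OUTPUT -o tun+ -j ACCEPT
sudo iptables -I INPUT -i tun+ -j ACCEPT

# --- Default policies: drop unless specifically allowed ----------------------
sudo iptables -P INPUT DROP
sudo iptables -P OUTPUT DROP
sudo iptables -P FORWARD DROP

# --- Policy routing: return RDP packets via the LAN gateway, not the tunnel --
# Register the table once. The original `sudo "echo 200 POLICY-ROUTE" >> file`
# tried to run a command literally named "echo 200 POLICY-ROUTE", and the
# redirection was performed by the unprivileged shell; tee -a under sudo does
# the privileged append, and the grep keeps re-runs from adding duplicates.
if ! grep -qE "^[[:space:]]*${RT_ID}[[:space:]]+${RT_TABLE}\$" "$RT_TABLES"; then
  printf '%s %s\n' "$RT_ID" "$RT_TABLE" | sudo tee -a "$RT_TABLES" >/dev/null
fi
# Mark incoming RDP traffic in the mangle table at the prerouting stage.
# "--ports" matches either the source or the destination port.
sudo iptables -t mangle -I PREROUTING 1 -i "$WAN_IF" -p tcp -m multiport --ports "$RDP_PORT" -j MARK --set-mark 1
# Send marked traffic to the new route table. Delete any existing copy first
# so re-runs do not stack duplicate rules (the del fails harmlessly on first run).
sudo ip rule del fwmark 1 table "$RT_TABLE" 2>/dev/null || true
sudo ip rule add fwmark 1 table "$RT_TABLE"
# Override the default route in the new table to go via the LAN gateway.
# "replace" is idempotent where "add" fails with EEXIST on a re-run.
sudo ip route replace default via "$LAN_GW" dev "$WAN_IF" table "$RT_TABLE"
# Loose reverse-path filtering (2). Strict mode (1) drops packets whose reply
# would leave through a different interface than they arrived on, which is
# exactly what the RDP bypass does; 2 relaxes that check rather than
# "enabling" it, so the marked packets are not dropped.
sudo sysctl -w net.ipv4.conf.all.rp_filter=2
sudo sysctl -w "net.ipv4.conf.${WAN_IF}.rp_filter=2"
sudo sysctl -w net.ipv4.conf.default.rp_filter=2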