API tools faq
paste
Advertisement
Guest User

Untitled

a guest
Jul 21st, 2019
151
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 2.29 KB | None | 0 0
raw download clone embed print report
  1. # Clean IP Tables
  2. sudo iptables --policy INPUT ACCEPT
  3. sudo iptables --policy OUTPUT ACCEPT
  4. sudo iptables --policy FORWARD ACCEPT
  5. sudo iptables -F
  6. sudo iptables -F -t nat
  7. sudo iptables -F -t mangle
  8.  
  9. # Allow loopback device (internal communication)
  10. sudo iptables -A INPUT -i lo -j ACCEPT
  11. sudo iptables -A OUTPUT -o lo -j ACCEPT
  12.  
  13. # Allow all local traffic.
  14. sudo iptables -I INPUT -s 192.168.0.0/24 -j ACCEPT
  15. sudo iptables -I OUTPUT -d 192.168.0.0/24 -j ACCEPT
  16.  
  17. # Allow VPN establishment
  18. # Port 1198 may be different depending on the VPN
  19. sudo iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
  20. sudo iptables -A INPUT -p udp --sport 53 -j ACCEPT
  21. sudo iptables -A OUTPUT -p udp --dport 1198 -j ACCEPT
  22. sudo iptables -A INPUT -p udp --sport 1198 -j ACCEPT
  23. sudo iptables -A OUTPUT -p udp --dport 123 -j ACCEPT
  24. sudo iptables -A INPUT -p udp --sport 123 -j ACCEPT
  25. sudo iptables -A FORWARD -i tun+ -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
  26. sudo iptables -A FORWARD -i eth0 -o tun+ -m comment --comment "LAN out to VPN" -j ACCEPT
  27. sudo iptables -t nat -A POSTROUTING -o tun+ -j MASQUERADE
  28.  
  29. # Allow RDP
  30. sudo iptables -A OUTPUT -p tcp --dport 3389 -j ACCEPT
  31. sudo iptables -A INPUT -p tcp --sport 3389 -j ACCEPT
  32. sudo iptables -A FORWARD -p tcp --dport 3389 -j ACCEPT
  33.  
  34. #Accept all TUN connections (tun = VPN tunnel)
  35. sudo iptables -I OUTPUT -o tun+ -j ACCEPT
  36. sudo iptables -I INPUT -i tun+ -j ACCEPT
  37.  
  38. #Set default policies to drop all communication unless specifically allowed
  39. sudo iptables -P INPUT DROP
  40. sudo iptables -P OUTPUT DROP
  41. sudo iptables -P FORWARD DROP
  42.  
  43. #Policy routing to return RDP packets to the default gateway instead of vpn tunnel
  44. #Make a new table
  45. sudo "echo 200 POLICY-ROUTE" >> /etc/iproute2/rt_tables
  46.  
  47. #Mark our incoming traffic in the mangle table at the prerouting stage
  48. sudo iptables -t mangle -I PREROUTING 1 -i eth0 -p tcp -m multiport --ports 3389 -j MARK --set-mark 1
  49.  
  50. #Send marked traffic to newly created route table
  51. sudo ip rule add fwmark 1 table POLICY-ROUTE
  52.  
  53. #Override default route in new table to go via lan gateway
  54. sudo ip route add default via 192.168.0.254 dev eth0 table POLICY-ROUTE
  55.  
  56. #Enable reverse path filter so the kernel does not drop the packets
  57. sudo sysctl -w net.ipv4.conf.all.rp_filter=2
  58. sudo sysctl -w net.ipv4.conf.eth0.rp_filter=2
  59. sudo sysctl -w net.ipv4.conf.default.rp_filter=2
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!