1#!/bin/bash
2#
3# Watch me mess this up.
4#
5# Topology ftw
6#
7# +----------+
8# | PC 1 +<---+
9# +----------+ |
10# | +------------------+
11# +----------+ | +-----------+ 192.168.1.1:eth0 | |
12# | PC 2 +<---+------>+ Switch +<----------------->+ Linux Firewall | +--+pr0n
13# +----------+ | +-----------+ (LAN) | | Ethernet +-------+ |
14# | | DHCP:eth2+<---------->+ Modem +<---+ISP+---+Internet+-+--+torrents
15# +----------+ | | (WAN) | +-------+ |
16# | PC 3 +<---+ +------------------+ +--+lolcatz
17# +----------+
18#
19# /Topology ftl
20#
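# Scripting ftw
#
# Everything below configures the IPv4 packet filter for the Linux box in the
# topology above: eth0 faces the LAN (192.168.1.1/24), eth2 faces the modem.
# The script is re-runnable: it sets DROP policies first (fail closed), then
# flushes and rebuilds every rule. It must run as root.
#
# NOTE(review): only iptables (IPv4) is configured here. If the ISP hands out
# IPv6, ip6tables keeps its default ACCEPT policies and the LAN is unfiltered
# on that path -- add matching ip6tables rules (or disable IPv6 on eth2)
# before trusting this box as a firewall.

set -euo pipefail

readonly LAN_IF=eth0
readonly WAN_IF=eth2
readonly LAN_NET=192.168.1.0/24
# Host that receives the BitTorrent port forward. The .133 forward the
# original carried (DNAT to 192.168.0.133, FORWARD rule commented out) is
# left disabled below: it never worked, because 192.168.0.x is not the LAN.
readonly TORRENT_HOST=192.168.1.122
readonly TORRENT_PORTS=43084:43092

# Every LOG rule is rate limited so a port scan cannot fill syslog / the disk.
declare -ra LOG_LIMIT=(-m limit --limit 5/minute --limit-burst 10)

die() {
  printf '%s: %s\n' "${0##*/}" "$*" >&2
  exit 1
}

#######################################
# Default to DROP before anything else. Policies survive -F/-X, so doing this
# first means a rule that fails to install (set -e aborts the script) leaves
# the box closed instead of wide open, and there is no window with an ACCEPT
# policy while the old rules are gone and the new ones are not yet in.
#######################################
set_policy() {
  iptables -P INPUT DROP
  iptables -P FORWARD DROP
  iptables -P OUTPUT ACCEPT
}

# Flush tables
flush_tables() {
  iptables -F
  iptables -t nat -F
  iptables -t mangle -F
  iptables -X
}

#######################################
# INPUT (and the loopback OUTPUT rule): traffic addressed to the firewall.
#######################################
input_rules() {
  # Deny all invalid packets. (The original sent these to a chain "all-in"
  # that was never created, and also used "-m unclean", which no longer
  # exists; both commands simply failed.) DROP rather than REJECT keeps the
  # box silent towards the WAN.
  iptables -A INPUT -m conntrack --ctstate INVALID -j DROP

  # Packets arriving from the modem can never legitimately carry a LAN source.
  iptables -A INPUT -i "$WAN_IF" -s "$LAN_NET" -j DROP

  # Allow loopback (127.0.0.1) traffic
  iptables -A INPUT -i lo -j ACCEPT
  iptables -A OUTPUT -o lo -j ACCEPT

  # Allow established connections. This already covers replies from the NTP
  # and ssh servers this box talks to. The original additionally accepted
  # *any* UDP packet with source port 123 and any non-SYN TCP packet with
  # source port 22, regardless of state, which let anyone reach arbitrary
  # ports on the firewall just by picking that source port. Both are gone.
  iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

  # Accept DHCP requests from the LAN (this box is the DHCP server)
  iptables -A INPUT -i "$LAN_IF" -p udp --sport 68 --dport 67 -j ACCEPT

  # NTP queries from the LAN, rate limited. The original jumped to a chain
  # "limit10" that was never defined (so the rule was never installed);
  # 10/s is assumed from the name -- adjust if that is not what was meant.
  # Serving NTP to the WAN is deliberately not allowed (amplification).
  iptables -A INPUT -i "$LAN_IF" -p udp --dport 123 \
    -m limit --limit 10/second --limit-burst 10 -j ACCEPT

  # Kazaa probes: drop them before the LOG rules so they stay out of syslog
  iptables -A INPUT -p tcp --dport 1214 -j DROP
  iptables -A INPUT -p udp --dport 1214 -j DROP

  # Logs. Everything that reaches here is about to hit the DROP policy.
  iptables -A INPUT -p tcp --dport 0:1023 -m conntrack --ctstate NEW \
    "${LOG_LIMIT[@]}" -j LOG --log-prefix "LOW PORT TCP CONNECTION: "
  iptables -A INPUT -p udp --dport 1024:43066 -m conntrack --ctstate NEW \
    "${LOG_LIMIT[@]}" -j LOG --log-prefix "HIGH PORT UDP CONNECTION:"
  # OMIT TORRENT UDP PORTS 43067:43092
  iptables -A INPUT -p udp --dport 43093:65535 -m conntrack --ctstate NEW \
    "${LOG_LIMIT[@]}" -j LOG --log-prefix "HIGH PORT UDP CONNECTION:"
  # Log pings (all ICMP types, in fact). They are then dropped by the policy,
  # as before; ICMP errors for our own connections already passed as RELATED.
  iptables -A INPUT -p icmp "${LOG_LIMIT[@]}" -j LOG --log-prefix "ECHO: (PING,PONG) "
}

#######################################
# FORWARD: traffic routed between LAN and WAN.
#######################################
forward_rules() {
  iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP
  iptables -A FORWARD -i "$WAN_IF" -s "$LAN_NET" -j DROP
  iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

  # LAN -> WAN: anything. This rule came first in the original too, so the
  # per-port FORWARD rules that followed it (NetBEUI 135-139/445, ssh, dns,
  # http, irc, identd) could only ever match traffic coming *in* from the
  # modem. Most jumped to undefined "limitNNN" chains and were never
  # installed; the plain ACCEPTs for udp 135-139, udp 53 and tcp 113 were,
  # and would have forwarded those services from the WAN into the LAN for
  # anyone able to route to 192.168.1.0/24 through eth2. None are kept: a
  # service that must be reachable from the WAN needs a DNAT plus an
  # explicit rule like the BitTorrent one below.
  iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -j ACCEPT

  # WAN -> LAN: only the DNAT'd BitTorrent port forward. The original's rule
  # matched "-i eth0 -s 192.168.1.122", i.e. the outbound direction (already
  # covered above), so the inbound, DNAT'd packets were dropped.
  iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$TORRENT_HOST" \
    -p tcp --dport "$TORRENT_PORTS" -m conntrack --ctstate NEW -j ACCEPT
  #iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d 192.168.1.133 \
  #  -p tcp --dport 43067:43083 -m conntrack --ctstate NEW -j ACCEPT
}

#######################################
# NAT: masquerade the LAN behind the WAN address, port-forward BitTorrent.
#######################################
nat_rules() {
  iptables -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
  # The original DNAT'd to 192.168.0.133 / 192.168.0.122, which are not on
  # the LAN (192.168.1.0/24), so nothing ever arrived at the peers.
  iptables -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$TORRENT_PORTS" \
    -j DNAT --to-destination "$TORRENT_HOST"
  #iptables -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 43067:43083 \
  #  -j DNAT --to-destination 192.168.1.133
}

#######################################
# Kernel knobs. Values kept from the original unless noted.
#######################################
sysctl_tuning() {
  local -r v4=/proc/sys/net/ipv4
  # Ok forwarding with the system
  echo 1 > "$v4/ip_forward"
  # Ignore all broadcast pings (smurf)
  echo 1 > "$v4/icmp_echo_ignore_broadcasts"
  # Decrease tcp timeouts to prevent DoS
  echo 30 > "$v4/tcp_fin_timeout"
  echo 1800 > "$v4/tcp_keepalive_time"
  echo 1 > "$v4/tcp_window_scaling"
  echo 0 > "$v4/tcp_sack"   # kept from the original; costs throughput, buys no security
  # SYN cookies: the actual defence against SYN floods the timeouts above aim at
  echo 1 > "$v4/tcp_syncookies"
  # Ignore dead errors
  echo 1 > "$v4/icmp_ignore_bogus_error_responses"
  # Log impossible packets. The original wrote 0 here, i.e. turned martian
  # logging *off* under a comment saying the opposite.
  echo 1 > "$v4/conf/all/log_martians"
  # Reverse-path filtering: drop packets whose source is not reachable via
  # the interface they came in on (spoofing). Zero-source DHCP DISCOVER
  # broadcasts are exempt from the check, so LAN DHCP keeps working.
  echo 1 > "$v4/conf/all/rp_filter"
  # A router should not honour source routing or ICMP redirects from peers.
  echo 0 > "$v4/conf/all/accept_source_route"
  echo 0 > "$v4/conf/all/accept_redirects"
}

main() {
  (( EUID == 0 )) || die "must run as root"
  command -v iptables >/dev/null || die "iptables not found"
  set_policy
  flush_tables
  input_rules
  forward_rules
  nat_rules
  sysctl_tuning
}

main "$@"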