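#!/bin/bash
#
# Watch me mess this up.
#
# Stateful NAT firewall for a small LAN behind a two-NIC Linux box.
# Must run as root. It replaces the whole filter/nat/mangle rule set and
# turns on IPv4 forwarding, so check the site constants below before running.
# No arguments, no environment variables.
#
#################### Topology ftw
#
# +----------+
# | PC 1 +<---+
# +----------+ |
# | +------------------+
# +----------+ | +-----------+ 192.168.0.1:eth0 | |
# | PC 2 +<---+------>+ Switch +<----------------->+ Linux Firewall | +--+pr0n
# +----------+ | +-----------+ (LAN) | | Ethernet +-------+ |
# | | DHCP:eth2+<---------->+ Modem +<---+ISP+---+Internet+-+--+torrents
# +----------+ | | (WAN) | +-------+ |
# | PC 3 +<---+ +------------------+ +--+lolcatz
# +----------+
#
################### /Topology ftl
#
################### Scripting ftw

set -euo pipefail

# ---- Site constants --------------------------------------------------------
# Every interface and address the rules refer to lives here; the original
# spelled them out inline and ended up mixing 192.168.0.x and 192.168.1.x.
readonly LAN_IF=eth0            # 192.168.0.1, switch side
readonly WAN_IF=eth2            # DHCP-addressed, modem side
# NOTE(review): the ssh rule and the DNAT targets use 192.168.0.x, but the
# MASQUERADE rule used 192.168.1.0/25 (which does not even contain .133).
# 192.168.0.0/24 matches the topology above — confirm against the LAN config.
readonly LAN_NET=192.168.0.0/24
readonly ADMIN_NET="$LAN_NET"   # where ssh to the firewall is accepted from
# LAN host and the TCP port range it receives from the WAN (host:first:last).
# Each entry yields the nat DNAT rule *and* the matching FORWARD accept. The
# original had a DNAT for .133 with its FORWARD rule commented out, so that
# traffic was rewritten and then dropped by the FORWARD policy.
readonly -a PORT_FORWARDS=(
  "192.168.0.133:43067:43083"
  "192.168.0.122:43084:43092"
)
# Rate limit applied to every LOG rule so a port scan cannot fill the log.
readonly -a LOG_LIMIT=(-m limit --limit 5/min --limit-burst 10)

#######################################
# Print a message to stderr and exit non-zero.
# Arguments: message words
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Fail closed: set the DROP policies first, then wipe every table. If any
# later command fails under 'set -e', the box is left closed instead of
# open (the original set the policies last, so a mid-way error left INPUT
# and FORWARD on whatever policy was there before, usually ACCEPT).
# OUTPUT keeps its default policy, as before. An active ssh session sees a
# few dropped packets between the flush and the ESTABLISHED rule below;
# TCP retransmission covers that.
#######################################
reset_tables() {
  iptables -P INPUT DROP
  iptables -P FORWARD DROP
  iptables -F
  iptables -t nat -F
  iptables -t mangle -F
  iptables -X
}

#######################################
# Baseline accepts: loopback, replies for flows that already exist, and
# DHCP requests from LAN clients (this box is their DHCP server on eth0).
#######################################
allow_baseline() {
  # Replies to flows this host or the LAN opened. This is also what lets
  # NTP replies back in, so no source-port based accept is needed for them.
  iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

  # Loopback (127.0.0.1) traffic
  iptables -A INPUT -i lo -j ACCEPT
  iptables -A OUTPUT -o lo -j ACCEPT

  ## WAN emergency stop
  #iptables -A INPUT -i "$WAN_IF" -j DROP

  # DHCP requests from LAN clients
  iptables -A INPUT -i "$LAN_IF" -p udp --sport 68 --dport 67 -j ACCEPT
}

#######################################
# Known noise, dropped ahead of the log rules so it is not logged.
#######################################
drop_noise() {
  # Kazaa probes
  iptables -A INPUT -p tcp -m tcp --dport 1214 -j DROP
  iptables -A INPUT -p udp -m udp --dport 1214 -j DROP
}

#######################################
# Log new inbound connections and pings. LOG is non-terminating: the packet
# continues down INPUT and is accepted or dropped by the rules/policy there.
#######################################
log_inbound() {
  # LOW/HIGH TCP/UDP CONNECTION (log'd)
  iptables -A INPUT -p tcp --dport 0:1023 -m state --state NEW \
    "${LOG_LIMIT[@]}" -j LOG --log-prefix "LOW PORT TCP CONNECTION: "
  #iptables -A INPUT -p udp -m state --state NEW --dport 0:1023 -j LOG --log-prefix "LOW PORT UDP CONNECTION: "
  #iptables -A INPUT -p tcp -m state --state NEW --dport 1024:65535 -j LOG --log-prefix "HIGH PORT TCP CONNECTION: "
  iptables -A INPUT -p udp -m state --state NEW --dport 1024:65535 \
    "${LOG_LIMIT[@]}" -j LOG --log-prefix "HIGH PORT UDP CONNECTION:"
  # IMPROPER TAG FRAME (log'd). The original pattern '--tcp-flags SYN,RST,ACK SYN'
  # matches a *proper* SYN, i.e. the opposite of the prefix; '! --syn' is the
  # NEW-without-SYN case.
  #iptables -A INPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "NEW NOT SYN: "

  # Log pings (there is no ICMP accept, so they are then dropped by policy)
  iptables -A INPUT -p icmp "${LOG_LIMIT[@]}" -j LOG --log-prefix "ECHO: "
}

#######################################
# Services this host itself offers, and which side may reach them.
#######################################
allow_services() {
  # DNS queries from the LAN (hopefully)
  iptables -A INPUT -i "$LAN_IF" -p udp --dport 53 -j ACCEPT

  # ssh from the admin net, LAN side only. Without -i, a WAN packet carrying a
  # spoofed 192.168.0.x source address matched the original rule.
  iptables -A INPUT -i "$LAN_IF" -s "$ADMIN_NET" -p tcp --dport 22 -j ACCEPT

  # NTP: the original accepted any UDP with *source* port 123, which admits
  # anything that picks that source port. Replies to this host's own NTP
  # queries are covered by the ESTABLISHED rule, so there is no rule here.
  # If this box should serve NTP to the LAN, add an accept on $LAN_IF with
  # '--dport 123' instead.
  # The original 'INPUT -p tcp --sport 43067 -j ACCEPT' had the same source-
  # port problem; torrent traffic is DNAT'd to a LAN host before it could
  # reach INPUT, so it is handled entirely in setup_forwarding_and_nat.
}

#######################################
# Traffic between the two sides: the LAN may open anything outbound, the WAN
# may only reach the forwarded ports. Both halves of each port forward
# (nat DNAT + filter FORWARD) come from PORT_FORWARDS so they cannot drift
# apart. The original FORWARD rule matched '-s <lan host> --dport <range>',
# i.e. that host's *outbound* traffic, not the DNAT'd inbound packets, and
# had no rule at all for LAN-initiated connections.
# Globals: LAN_IF, WAN_IF, LAN_NET, PORT_FORWARDS (read)
#######################################
setup_forwarding_and_nat() {
  local entry host first last

  # LAN -> WAN, new connections
  iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -j ACCEPT

  for entry in "${PORT_FORWARDS[@]}"; do
    IFS=: read -r host first last <<<"$entry"
    [[ -n "$host" && -n "$first" && -n "$last" ]] \
      || die "bad PORT_FORWARDS entry: $entry"
    # DNAT on the WAN side only, so LAN clients talking to the firewall's
    # own ports are never silently redirected.
    iptables -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$first:$last" \
      -j DNAT --to-destination "$host"
    # By the time FORWARD sees the packet its destination is the LAN host.
    iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$host" -p tcp \
      --dport "$first:$last" -j ACCEPT
  done

  # Hide the LAN behind the WAN address. '-o WAN_IF' keeps LAN-to-LAN and
  # LAN-to-firewall traffic from being masqueraded.
  iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
}

#######################################
# Ok forwarding with the system — only after all rules are in place.
#######################################
enable_ip_forward() {
  printf '1\n' > /proc/sys/net/ipv4/ip_forward
}

main() {
  (( EUID == 0 )) || die "${0##*/}: must run as root"
  command -v iptables >/dev/null || die "${0##*/}: iptables not found"
  reset_tables
  allow_baseline
  drop_noise
  log_inbound
  allow_services
  setup_forwarding_and_nat
  enable_ip_forward
}

main "$@"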