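#!/bin/bash
#
# Watch me mess this up.
#
# Topology ftw
#
# +----------+
# | PC 1 +<---+
# +----------+ |
# | +------------------+
# +----------+ | +-----------+ 192.168.0.1:eth0 | |
# | PC 2 +<---+------>+ Switch +<----------------->+ Linux Firewall | +--+pr0n
# +----------+ | +-----------+ (LAN) | | Ethernet +-------+ |
# | | DHCP:eth2+<---------->+ Modem +<---+ISP+---+Internet+-+--+torrents
# +----------+ | | (WAN) | +-------+ |
# | PC 3 +<---+ +------------------+ +--+lolcatz
# +----------+
#
# /Topology ftl
#
# Scripting ftw
#
# Abort on the first failing iptables call: the policies are flipped to DROP
# at the very end, so a half-applied ruleset must not continue silently.
set -euo pipefail

# Interface roles per the topology above. Change them here, not in the rules.
readonly LAN_IF=eth0
readonly WAN_IF=eth2

# BitTorrent port-forward targets. The PREROUTING DNAT rules and the matching
# FORWARD accepts are both derived from these, so they cannot drift apart.
readonly TORRENT_HOST_A=192.168.0.133
readonly TORRENT_PORTS_A=43067:43083
readonly TORRENT_HOST_B=192.168.0.122
readonly TORRENT_PORTS_B=43084:43092

# Applied to every LOG rule on INPUT: an unlimited LOG target lets any remote
# host fill the kernel log just by port-scanning or pinging the WAN side.
readonly -a LOG_LIMIT=(-m limit --limit 5/min --limit-burst 10)

# iptables needs CAP_NET_ADMIN; bail out cleanly instead of failing rule by rule.
if (( EUID != 0 )); then
  printf '%s: must be run as root\n' "${0##*/}" >&2
  exit 1
fi

# NOTE(review): only IPv4 is configured here; ip6tables is left untouched.
# If the WAN link carries IPv6, that stack needs its own rules — confirm.

#
# Flush tables
#
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X

# Allow established connections
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# LAN -> WAN: anything originating inside may go out.
iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -j ACCEPT

# WAN -> LAN: only the DNAT'd BitTorrent ports. FORWARD policy is DROP below,
# so without these accepts the PREROUTING DNAT rules would redirect inbound
# connections straight into the drop policy (the old "-s host" FORWARD rule
# only matched the outbound direction, which the LAN->WAN rule already covers).
iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$TORRENT_HOST_A" -p tcp --dport "$TORRENT_PORTS_A" -m state --state NEW -j ACCEPT
iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$TORRENT_HOST_B" -p tcp --dport "$TORRENT_PORTS_B" -m state --state NEW -j ACCEPT


# Allow loopback (127.0.0.1) traffic
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

#
# WAN emergency stop
#
#iptables -A INPUT -i "$WAN_IF" -j DROP

# Accept DHCP requests from the LAN (client port 68 -> server port 67)
iptables -A INPUT -i "$LAN_IF" -p udp --sport 68 --dport 67 -j ACCEPT

# Accept BitTorrent Traffic (outbound; redundant with the LAN->WAN accept above,
# kept for the explicit per-host match)
#iptables -A FORWARD -s 192.168.1.133 -p tcp --dport 43067:43083 -j ACCEPT
iptables -A FORWARD -s 192.168.1.122 -p tcp --dport 43084:43092 -j ACCEPT
# NOTE(review): the ssh and BitTorrent source rules use 192.168.1.x while the
# topology (192.168.0.1 on eth0) and the DNAT targets use 192.168.0.x. One of
# the two subnets is probably a typo — confirm against the LAN configuration.


#
#
# Drops
#
#


# Kazaa probes
iptables -A INPUT -p tcp --dport 1214 -j DROP
iptables -A INPUT -p udp --dport 1214 -j DROP


#
#
# Logs
#
#

# LOW/HIGH TCP/UDP CONNECTION (log'd, rate-limited)
iptables -A INPUT -p tcp --dport 0:1023 -m state --state NEW "${LOG_LIMIT[@]}" -j LOG --log-prefix "LOW PORT TCP CONNECTION: "
#iptables -A INPUT -p udp -m state --state NEW --dport 0:1023 -j LOG --log-prefix "LOW PORT UDP CONNECTION: "
#iptables -A INPUT -p tcp -m state --state NEW --dport 1024:65535 -j LOG --log-prefix "HIGH PORT UDP CONNECTION: "
iptables -A INPUT -p udp -m state --state NEW --dport 1024:43066 "${LOG_LIMIT[@]}" -j LOG --log-prefix "HIGH PORT UDP CONNECTION:"
iptables -A INPUT -p udp -m state --state NEW --dport 43093:65535 "${LOG_LIMIT[@]}" -j LOG --log-prefix "HIGH PORT UDP CONNECTION:"
# IMPROPER TAG FRAME (log'd)
#iptables -A INPUT -p tcp --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j LOG --log-prefix "NEW NOT SYN: "

# Log pings (rate-limited)
iptables -A INPUT -p icmp "${LOG_LIMIT[@]}" -j LOG --log-prefix "ECHO: (PING,PONG) "

#
#
# Accepts
#
#

# Accept DNS queries from the LAN
iptables -A INPUT -i "$LAN_IF" -p udp --dport 53 -j ACCEPT

# HTTP Access MUST HAVE IT
# iptables -A FORWARD -s 192.168.1.0/24 -p tcp --dport 80 -j ACCEPT

# Accept ssh from the LAN subnet, but only when it arrives on the LAN interface:
# a source-address match alone also accepts a packet from the WAN side that
# merely claims a LAN source.
iptables -A INPUT -i "$LAN_IF" -s 192.168.1.0/24 -p tcp --dport 22 -j ACCEPT

# ntp: replies to the firewall's own NTP queries already match the
# ESTABLISHED,RELATED rule above (conntrack tracks UDP as well). The former
# "-p udp --sport 123 -j ACCEPT" admitted any UDP datagram from any interface
# that merely claimed source port 123, so it has been removed.

# Accept BitTorrent
#iptables -A INPUT -p tcp --sport 43067 -j ACCEPT
#iptables -A FORWARD -s 192.168.1.133 -p tcp --dport 43067:43083 -j ACCEPT


# Set policy (last, so every accept above is in place before INPUT/FORWARD close)
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# NAT
iptables -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
iptables -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$TORRENT_PORTS_A" -j DNAT --to-destination "$TORRENT_HOST_A"
iptables -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$TORRENT_PORTS_B" -j DNAT --to-destination "$TORRENT_HOST_B"

# Ok forwarding with the system
echo 1 > /proc/sys/net/ipv4/ip_forward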