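#!/usr/bin/env bash
# iptables firewall for a small router: one PPPoE uplink ($WAN), one LAN and
# three 802.1Q VLANs on the same NIC. Every chain defaults to DROP and only
# the traffic listed below is accepted.
#
# based on https://github.com/drduh/config/blob/master/scripts/iptables.sh
#
# Operator notes:
#  * IPv4 only. ip6tables is not touched here, so if IPv6 is enabled on any
#    interface it is governed by whatever ip6tables policy already exists.
#  * LAN and VLANs are isolated from each other: FORWARD only permits new
#    connections towards $WAN (plus the single SSH port forward below).
#  * Must run as root; every iptables call fails otherwise.

# Abort on the first failing command so a typo cannot leave a half-applied
# ruleset behind (the DROP policies are set first, so aborting fails closed).
set -euo pipefail

# Restrict PATH to the system binary directories. iptables lives in /sbin,
# or in /usr/sbin on merged-/usr distributions.
PATH='/sbin:/usr/sbin'

if (( EUID != 0 )); then
  printf '%s: must be run as root\n' "${0##*/}" >&2
  exit 1
fi

WAN=ppp0

LAN=enp3s0
VLAN10=enp3s0.10
VLAN20=enp3s0.20
VLAN30=enp3s0.30

LAN_NET=192.168.1.0/24
VLAN10_NET=192.168.10.0/24
VLAN20_NET=192.168.20.0/24
VLAN30_NET=192.168.30.0/24

# Parallel lists: IFACES[i] is the interface that owns NETS[i]. Every rule
# that accepts traffic from an internal segment ties -i to -s so a host on
# one segment cannot spoof an address from another.
IFACES=("$LAN" "$VLAN10" "$VLAN20" "$VLAN30")
NETS=("$LAN_NET" "$VLAN10_NET" "$VLAN20_NET" "$VLAN30_NET")

# Public TCP port on $WAN that is forwarded to the internal SSH server.
SSH_FWD_PORT=2435
SSH_FWD_HOST=192.168.1.1

echo "Setting default policies to DROP"
# Policies go in *before* the flush. If the chains were ACCEPT-by-default
# (e.g. first run after boot), flushing first would leave the box wide open
# for as long as it takes to rebuild the rules below.
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

echo "Flushing rules"
iptables -F
iptables -X
iptables -Z
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

echo "Allow loopback"
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

echo "Drop invalid states"
# Packets conntrack cannot classify (bad TCP flags, out-of-window, ...) are
# dropped before any ACCEPT rule can see them.
for chain in INPUT OUTPUT FORWARD; do
  iptables -A "$chain" -m conntrack --ctstate INVALID -j DROP
done

echo "Allow established and related packets"
# Replies to anything accepted below, in every direction, are handled here;
# the remaining rules therefore only need to match the first packet (NEW).
for chain in INPUT OUTPUT FORWARD; do
  iptables -A "$chain" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
done

echo "Allow incoming echo requests (ping)"
# Accepts ICMP type 8 on every interface, $WAN included, without a rate
# limit; the echo replies leave via the ESTABLISHED,RELATED rule above.
iptables -A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT

echo "Allow DHCP"
# DHCP DISCOVER/REQUEST arrive from 0.0.0.0 to 255.255.255.255, so there is
# no source network to match on; restrict by ingress interface only.
for iface in "${IFACES[@]}"; do
  iptables -A INPUT -i "$iface" -p udp -m udp --dport 67 -m conntrack --ctstate NEW -j ACCEPT
done

echo "Port forward $SSH_FWD_PORT to internal SSH port"
iptables -t nat -A PREROUTING -i "$WAN" -p tcp --dport "$SSH_FWD_PORT" -j DNAT --to-destination "$SSH_FWD_HOST:22"
# Only connections that arrived on $WAN and were rewritten by the DNAT rule
# above are allowed through FORWARD. Without -i "$WAN" and the DNAT state
# this rule matched any ingress interface, so every LAN/VLAN host could
# reach $SSH_FWD_HOST:22 across the segment boundary that FORWARD is
# otherwise meant to enforce.
# NOTE(review): if $SSH_FWD_HOST is this router's own LAN address, DNAT'ed
# packets are delivered to INPUT, not FORWARD, and there is no INPUT rule
# accepting tcp/22 from $WAN — confirm the forward target is a separate host.
iptables -A FORWARD -i "$WAN" -d "$SSH_FWD_HOST" -p tcp --dport 22 -m conntrack --ctstate DNAT -j ACCEPT

echo "Allow SSH from LAN"
iptables -A INPUT -i "$LAN" -s "$LAN_NET" -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT

echo "Allow SSH from VLAN10"
# VLAN20 and VLAN30 deliberately get no SSH rule; they only get DHCP and DNS.
iptables -A INPUT -i "$VLAN10" -s "$VLAN10_NET" -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT

echo "Allow DNS (UDP and TCP for large replies)"
for i in "${!IFACES[@]}"; do
  for proto in udp tcp; do
    iptables -A INPUT -i "${IFACES[$i]}" -s "${NETS[$i]}" -p "$proto" --dport 53 -m conntrack --ctstate NEW -j ACCEPT
  done
done

echo "Allow outgoing to Internet"
# Everything the firewall itself originates may leave via the uplink.
iptables -A OUTPUT -o "$WAN" -d 0.0.0.0/0 -j ACCEPT

echo "Allow traffic from the firewall to LAN"
# The firewall may talk to each internal segment only via that segment's
# own interface and only to its own network.
for i in "${!IFACES[@]}"; do
  iptables -A OUTPUT -o "${IFACES[$i]}" -d "${NETS[$i]}" -j ACCEPT
done

echo "Enable NAT"
iptables -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
# New connections may leave towards $WAN only from the interface that owns
# the source network. There is intentionally no FORWARD rule between the
# internal segments, which is what keeps the VLANs isolated.
for i in "${!IFACES[@]}"; do
  iptables -A FORWARD -i "${IFACES[$i]}" -s "${NETS[$i]}" -o "$WAN" -m conntrack --ctstate NEW -j ACCEPT
done

echo "Do not reply with Destination Unreachable messages"
# Rules are evaluated in order: the OUTPUT ACCEPTs for $WAN and the internal
# networks above already match ICMP towards those destinations, so this only
# suppresses unreachables to addresses that fall outside them. Keep it after
# those ACCEPTs — moving it earlier would also drop fragmentation-needed
# (type 3/code 4) and break path-MTU discovery across the ppp link.
iptables -A OUTPUT -p icmp --icmp-type destination-unreachable -j DROP

echo "Log all dropped packets"
# Anything reaching the end of a chain is about to hit the DROP policy; log
# it at a bounded rate so a flood cannot fill the kernel ring buffer.
iptables -A INPUT -m limit --limit 1/sec -j LOG --log-level debug --log-prefix 'DROPIN>'
iptables -A OUTPUT -m limit --limit 1/sec -j LOG --log-level debug --log-prefix 'DROPOUT>'
iptables -A FORWARD -m limit --limit 1/sec -j LOG --log-level debug --log-prefix 'DROPFWD>'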