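#!/bin/bash
# Firewall rule set for a three-legged gateway:
#   eth0 = Internet, eth1 = DMZ (192.168.0.0/24), eth2 = LAN (192.168.1.x).
# Public DMZ services are published on 31.33.73.x and DNATed to DMZ hosts;
# LAN traffic leaving towards the Internet is SNATed to 31.33.73.6.
#
# Assumptions this script does not enforce itself (confirm against the rest
# of the firewall setup):
#   - the FORWARD chain's default policy is DROP; otherwise the ACCEPT rules
#     below restrict nothing;
#   - existing rules are flushed beforehand; everything here uses -A, so
#     running the script twice leaves duplicate rules in place.
set -eu

readonly WAN=eth0
readonly DMZ=eth1
readonly LAN=eth2
readonly DMZ_NET=192.168.0.0/24
# Public address -> DMZ host pairs shared by the FORWARD and DNAT rules, so
# the two sides of each published service cannot drift apart.
readonly WEB_PUB=31.33.73.3   WEB_DMZ=192.168.0.3
readonly MAIL_PUB=31.33.73.4  MAIL_DMZ=192.168.0.4
readonly DNS_PUB=31.33.73.2   DNS_DMZ=192.168.0.2
# Source address applied to LAN traffic SNATed towards the Internet.
readonly SNAT_SRC=31.33.73.6
# Unprivileged client source-port range required by every NEW-connection rule.
readonly CLIENT_PORTS=1024:65535

#######################################
# Accept a NEW forwarded connection matching the given iptables options.
# Arguments: iptables match options (-p, -i, -o, -s, -d, --sport, --dport)
# Returns:   iptables' exit status (the script aborts on failure via set -e)
#######################################
allow_new() {
  iptables -t filter -A FORWARD -m state --state NEW "$@" -j ACCEPT
}

# Stateful firewall: accept packets belonging to established connections.
# Only the filter table needs this; the nat table is consulted for the first
# packet of a connection only, so ESTABLISHED/RELATED rules there never match.
iptables -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Internet -> DMZ
# PREROUTING (DNAT) runs before FORWARD, so the FORWARD rule must match the
# translated DMZ destination, not the public address.
#1 HTTP to the web server
allow_new -p tcp -i "$WAN" --sport "$CLIENT_PORTS" -o "$DMZ" -d "$WEB_DMZ" --dport 80
iptables -t nat -A PREROUTING -p tcp -i "$WAN" --sport "$CLIENT_PORTS" -d "$WEB_PUB" --dport 80 -j DNAT --to-destination "$WEB_DMZ"
#2 HTTPS to the web server
allow_new -p tcp -i "$WAN" --sport "$CLIENT_PORTS" -o "$DMZ" -d "$WEB_DMZ" --dport 443
iptables -t nat -A PREROUTING -p tcp -i "$WAN" --sport "$CLIENT_PORTS" -d "$WEB_PUB" --dport 443 -j DNAT --to-destination "$WEB_DMZ"
#3 SMTP to the mail host
allow_new -p tcp -i "$WAN" --sport "$CLIENT_PORTS" -o "$DMZ" -d "$MAIL_DMZ" --dport 25
iptables -t nat -A PREROUTING -p tcp -i "$WAN" --sport "$CLIENT_PORTS" -d "$MAIL_PUB" --dport 25 -j DNAT --to-destination "$MAIL_DMZ"
#4 DNS over TCP to the DNS host
allow_new -p tcp -i "$WAN" --sport "$CLIENT_PORTS" -o "$DMZ" -d "$DNS_DMZ" --dport 53
iptables -t nat -A PREROUTING -p tcp -i "$WAN" --sport "$CLIENT_PORTS" -d "$DNS_PUB" --dport 53 -j DNAT --to-destination "$DNS_DMZ"
#5 DNS over UDP to the DNS host
allow_new -p udp -i "$WAN" --sport "$CLIENT_PORTS" -o "$DMZ" -d "$DNS_DMZ" --dport 53
iptables -t nat -A PREROUTING -p udp -i "$WAN" --sport "$CLIENT_PORTS" -d "$DNS_PUB" --dport 53 -j DNAT --to-destination "$DNS_DMZ"

# DMZ -> Internet
#6 HTTP from any DMZ host to 200.200.200.200
# NOTE(review): no SNAT is applied to this flow here; unless one exists
# elsewhere, replies to the private DMZ source address cannot be routed back.
allow_new -p tcp -i "$DMZ" -s "$DMZ_NET" --sport "$CLIENT_PORTS" -o "$WAN" -d 200.200.200.200 --dport 80

# DMZ -> LAN
#7 web server -> database (MySQL)
allow_new -p tcp -i "$DMZ" -s "$WEB_DMZ" --sport "$CLIENT_PORTS" -o "$LAN" -d 192.168.1.10 --dport 3306
#8 DMZ mail host -> internal mail server (SMTP)
allow_new -p tcp -i "$DMZ" -s "$MAIL_DMZ" --sport "$CLIENT_PORTS" -o "$LAN" -d 192.168.1.12 --dport 25

# LAN -> DMZ (administration host only)
#9 SSH to any DMZ host
allow_new -p tcp -i "$LAN" -s 192.168.1.101 --sport "$CLIENT_PORTS" -o "$DMZ" -d "$DMZ_NET" --dport 22
#10 SNMP to any DMZ host
allow_new -p udp -i "$LAN" -s 192.168.1.101 --sport "$CLIENT_PORTS" -o "$DMZ" -d "$DMZ_NET" --dport 161

# LAN -> Internet
# POSTROUTING (SNAT) runs after FORWARD, so the FORWARD rules keep matching
# the original private source address.
#11 DNS over UDP from 192.168.1.14 to 150.150.150.150
allow_new -p udp -i "$LAN" -s 192.168.1.14 --sport "$CLIENT_PORTS" -o "$WAN" -d 150.150.150.150 --dport 53
iptables -t nat -A POSTROUTING -p udp -s 192.168.1.14 --sport "$CLIENT_PORTS" -o "$WAN" -d 150.150.150.150 --dport 53 -j SNAT --to-source "$SNAT_SRC"
#12 DNS over TCP from 192.168.1.14 to 150.150.150.150
allow_new -p tcp -i "$LAN" -s 192.168.1.14 --sport "$CLIENT_PORTS" -o "$WAN" -d 150.150.150.150 --dport 53
iptables -t nat -A POSTROUTING -p tcp -s 192.168.1.14 --sport "$CLIENT_PORTS" -o "$WAN" -d 150.150.150.150 --dport 53 -j SNAT --to-source "$SNAT_SRC"
#13 HTTP from 192.168.1.13 to anywhere
allow_new -p tcp -i "$LAN" -s 192.168.1.13 --sport "$CLIENT_PORTS" -o "$WAN" --dport 80
iptables -t nat -A POSTROUTING -p tcp -s 192.168.1.13 --sport "$CLIENT_PORTS" -o "$WAN" --dport 80 -j SNAT --to-source "$SNAT_SRC"
#14 HTTPS from 192.168.1.13 to anywhere
allow_new -p tcp -i "$LAN" -s 192.168.1.13 --sport "$CLIENT_PORTS" -o "$WAN" --dport 443
iptables -t nat -A POSTROUTING -p tcp -s 192.168.1.13 --sport "$CLIENT_PORTS" -o "$WAN" --dport 443 -j SNAT --to-source "$SNAT_SRC"
#15 SMTP from the internal mail server to anywhere
allow_new -p tcp -i "$LAN" -s 192.168.1.12 --sport "$CLIENT_PORTS" -o "$WAN" --dport 25
iptables -t nat -A POSTROUTING -p tcp -s 192.168.1.12 --sport "$CLIENT_PORTS" -o "$WAN" --dport 25 -j SNAT --to-source "$SNAT_SRC"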