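#!/usr/bin/env bash
#
# Stateful iptables firewall for a small router: one PPP uplink (WAN), a LAN
# and three 802.1Q VLANs carried on the same physical NIC.
#
# Policy: INPUT/FORWARD/OUTPUT default to DROP and only the traffic listed
# below is accepted. Rules are evaluated in the order they are added (first
# match wins), so the section order is significant. Must run as root.
#
# Fail-closed: if any iptables call fails the script aborts and the DROP
# policies stay in place rather than continuing with a partial rule set.
# When editing a remote box, run from a console or arrange a rollback first.
set -euo pipefail

# Resolve iptables from the system sbin dirs only; no other binary is exec'd.
PATH='/sbin:/usr/sbin'

# Interfaces. The VLANs are sub-interfaces of the LAN NIC; -i/-o matching on
# "$LAN" does not match tagged traffic and vice versa.
readonly WAN=ppp0
readonly LAN=enp3s0
readonly VLAN10=enp3s0.10
readonly VLAN20=enp3s0.20
readonly VLAN30=enp3s0.30

# Address range behind each internal interface (pinned with -s/-d so a host
# cannot use another segment's addresses from the wrong interface).
readonly LAN_NET=192.168.1.0/24
readonly VLAN10_NET=192.168.10.0/24
readonly VLAN20_NET=192.168.20.0/24
readonly VLAN30_NET=192.168.30.0/24

# Internal interfaces and their subnets, index-aligned, in the order the
# per-interface rules are installed.
readonly -a INTERNAL_IFACES=("$LAN" "$VLAN10" "$VLAN20" "$VLAN30")
readonly -a INTERNAL_NETS=("$LAN_NET" "$VLAN10_NET" "$VLAN20_NET" "$VLAN30_NET")

# Hosts and ports referenced by individual rules.
readonly UNIFI_CTRL=192.168.1.2       # UniFi controller on the LAN
readonly SSH_DNAT_TARGET=192.168.1.1  # destination for WAN-side SSH access
readonly SSH_DNAT_PORT=4242           # public WAN port that maps to target:22

# NORMALIZE

echo "Flushing rules"
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
iptables -Z
# Default-deny on all three chains; everything below is an explicit allow.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

echo "Allow loopback"
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

echo "Drop invalid states"
# Packets conntrack cannot associate with a valid flow.
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A OUTPUT -m conntrack --ctstate INVALID -j DROP
iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP

echo "Allow established and related packets"
# Reply traffic for anything accepted below; the NEW-only rules that follow
# therefore only need to say who may open a connection.
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# INPUT

echo "Rate limit ICMP traffic per source"
# Up to 5 echo-requests/s per /32 source are accepted; anything above that
# falls through to the LOG rule at the end and then the DROP policy.
iptables -A INPUT -p icmp --icmp-type echo-request -m hashlimit --hashlimit-upto 5/s --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name icmp-echo-drop -j ACCEPT

echo "Allow DHCP"
# -I puts these at the head of INPUT (ordering kept from the original). They
# match only NEW, so they cannot collide with the INVALID/ESTABLISHED rules
# above and the position is not semantically different from -A here.
for iface in "${INTERNAL_IFACES[@]}"; do
  iptables -I INPUT -i "$iface" -p udp -m udp --dport 67 -m conntrack --ctstate NEW -j ACCEPT
done

echo "Allow NTP"
for iface in "${INTERNAL_IFACES[@]}"; do
  iptables -I INPUT -i "$iface" -p udp -m udp --dport 123 -m conntrack --ctstate NEW -j ACCEPT
done

echo "Allow SSH from LAN and VLAN10"
# VLAN20 and VLAN30 are deliberately not listed; nothing later in INPUT may
# reopen port 22 for them (see the PORT FORWARDING section).
iptables -A INPUT -i "$LAN" -s "$LAN_NET" -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -i "$VLAN10" -s "$VLAN10_NET" -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT

echo "Allow DNS (UDP and TCP for large replies)"
# Each segment may query the router's resolver from its own interface/subnet.
for i in "${!INTERNAL_IFACES[@]}"; do
  iptables -A INPUT -i "${INTERNAL_IFACES[i]}" -s "${INTERNAL_NETS[i]}" -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
  iptables -A INPUT -i "${INTERNAL_IFACES[i]}" -s "${INTERNAL_NETS[i]}" -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
done

# FORWARD

echo "Allow traffic to UniFi Controller from VLAN10"
for port in 80 443 8443; do
  iptables -A FORWARD -o "$LAN" -i "$VLAN10" -s "$VLAN10_NET" -d "$UNIFI_CTRL" -p tcp --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
done

echo "Drop outgoing unencrypted DNS"
# Placed before the NAT allow rules so they win; the router's own resolver
# (accepted on INPUT above) remains the DNS path for internal clients.
iptables -A FORWARD -p udp --dport 53 -m conntrack --ctstate NEW -j DROP
iptables -A FORWARD -p tcp --dport 53 -m conntrack --ctstate NEW -j DROP

echo "Drop outgoing DoT"
iptables -A FORWARD -p tcp --dport 853 -m conntrack --ctstate NEW -j DROP

echo "Drop SMB/CIFS traffic that requests to be forwarded"
iptables -A FORWARD -p tcp --dport 445 -j DROP

echo "Drop NETBIOS trafic that requests to be forwarded"
iptables -A FORWARD -p udp -m multiport --ports 137,138 -j DROP
iptables -A FORWARD -p tcp -m multiport --ports 137,139 -j DROP

echo "Enable NAT"
iptables -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
# Each internal segment may open connections to the Internet, but only from
# its own interface with a matching source address.
for i in "${!INTERNAL_IFACES[@]}"; do
  iptables -A FORWARD -o "$WAN" -i "${INTERNAL_IFACES[i]}" -s "${INTERNAL_NETS[i]}" -m conntrack --ctstate NEW -j ACCEPT
done

echo "Enable TCP MSS clamping"
# Clamp the MSS of outgoing SYNs to the path MTU so TCP does not depend on
# ICMP-based PMTU discovery across the PPP link.
iptables -t mangle -A FORWARD -o "$WAN" -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

# OUTPUT

echo "Allow outgoing to Internet"
iptables -A OUTPUT -o "$WAN" -d 0.0.0.0/0 -j ACCEPT

echo "Allow traffic from the firewall to LAN"
for i in "${!INTERNAL_IFACES[@]}"; do
  iptables -A OUTPUT -o "${INTERNAL_IFACES[i]}" -d "${INTERNAL_NETS[i]}" -j ACCEPT
done

echo "Do not reply with Destination Unreachable messages"
# NOTE(review): this also suppresses ICMP "fragmentation needed" (type 3,
# code 4) sent by this host. TCP is covered by the MSS clamp above; non-TCP
# PMTU discovery across the PPP MTU step is not -- confirm this is intended.
iptables -A OUTPUT -p icmp --icmp-type destination-unreachable -j DROP

# PORT FORWARDING

echo "Port forward for external SSH access"
iptables -t nat -A PREROUTING -i "$WAN" -p tcp --dport "$SSH_DNAT_PORT" -j DNAT --to "${SSH_DNAT_TARGET}:22"
# Forward path: only relevant if the target is a separate host behind the
# router.
iptables -A FORWARD -i "$WAN" -p tcp --dport 22 -d "$SSH_DNAT_TARGET" -j ACCEPT
# Local path: relevant if the target is this host's own LAN address, in which
# case the DNAT'd packet arrives on INPUT with -i WAN and the target as
# destination. Matching on both keeps this rule from reopening port 22 to
# every interface (the original accepted port 22 NEW from anywhere, which
# silently undid the LAN/VLAN10-only SSH rule above).
iptables -A INPUT -i "$WAN" -d "$SSH_DNAT_TARGET" -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT

# LOGGING

echo "Log all dropped packets"
# Last rule in each chain: anything reaching here is about to hit the DROP
# policy. There is no -m limit on these, so a flood can fill the log.
iptables -A INPUT -j LOG --log-level debug --log-prefix 'DROP_IN>'
iptables -A FORWARD -j LOG --log-level debug --log-prefix 'DROP_FWD>'
iptables -A OUTPUT -j LOG --log-level debug --log-prefix 'DROP_OUT>'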