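#!/bin/bash
#
# Watch me mess this up.
#
# Topology ftw
#
# +----------+
# | PC 1 +<---+
# +----------+ |
# | +------------------+
# +----------+ | +-----------+ 192.168.0.1:eth0 | |
# | PC 2 +<---+------>+ Switch +<----------------->+ Linux Firewall | +--+pr0n
# +----------+ | +-----------+ (LAN) | | Ethernet +-------+|
# | | DHCP:eth2+<---------->+ Modem +<---+ISP+---+Internet+-+--+torrents
# +----------+ | | (WAN) | +-------+|
# | PC 3 +<---+ +------------------+ +--+lolcatz
# +----------+
#
# /Topology ftl
#
# Scripting ftw
#
# Stateful NAT firewall for a two-interface Linux router:
#   eth0 = LAN side (192.168.0.1, LAN subnet 192.168.0.0/24)
#   eth2 = WAN side (address from the modem via DHCP)
# Must run as root. Every iptables call has to succeed: with set -e a
# failing rule aborts the script (the ERR trap says where), rather than
# silently continuing with a half-built ruleset.

set -eu

# Tell the operator which line failed; the chains are only partly populated
# at that point and the DROP policies (set early, below) are in effect.
trap 'printf "firewall: command failed at line %s; ruleset is incomplete\n" "$LINENO" >&2' ERR

# Interfaces and networks from the topology above.
readonly LAN_IF=eth0
readonly WAN_IF=eth2
readonly LAN_NET=192.168.0.0/24

#
# Flush tables (rules only: -F/-X do not touch chain policies)
#
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
iptables -t nat -X
iptables -t mangle -X

# Set the default policies BEFORE adding rules. If an iptables call fails
# part-way through, the box is then fail-closed (nothing in, nothing
# forwarded) instead of fail-open with empty chains and ACCEPT policies.
# Consequence: apply this from the console, or at least not from a WAN-side
# ssh session, the first time.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# Allow established connections (replies to anything we or the LAN started,
# including UDP such as DNS/NTP, which conntrack tracks as well)
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# LAN may initiate anything toward the WAN
iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -j ACCEPT

# Allow loopback (127.0.0.1) traffic
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

#
# WAN emergency stop (uncomment to cut all inbound WAN traffic)
#
#iptables -A INPUT -i "$WAN_IF" -j DROP

# Accept DHCP requests from LAN clients (this box is the DHCP server on eth0)
iptables -A INPUT -i "$LAN_IF" -p udp --sport 68 --dport 67 -j ACCEPT

#
#
# Drops
#
#

# Kazaa probes: drop without logging, they are just noise
iptables -A INPUT -p tcp --dport 1214 -j DROP
iptables -A INPUT -p udp --dport 1214 -j DROP

#
#
# Logs
#
#

# LOW/HIGH TCP/UDP CONNECTION (log'd)
# Only NEW connections are logged; replies were already accepted above.
iptables -A INPUT -p tcp --dport 0:1023 -m state --state NEW -j LOG --log-prefix "LOW PORT TCP CONNECTION: "
#iptables -A INPUT -p udp -m state --state NEW --dport 0:1023 -j LOG --log-prefix "LOW PORT UDP CONNECTION: "
#iptables -A INPUT -p tcp -m state --state NEW --dport 1024:65535 -j LOG --log-prefix "HIGH PORT UDP CONNECTION: "
iptables -A INPUT -p udp -m state --state NEW --dport 1024:65535 -j LOG --log-prefix "HIGH PORT UDP CONNECTION:"
# IMPROPER TAG FRAME (log'd)
#iptables -A INPUT -p tcp --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j LOG --log-prefix "NEW NOT SYN: "

# Log pings (they still fall through to the INPUT DROP policy)
iptables -A INPUT -p icmp -j LOG --log-prefix "ECHO: (PING,PONG) "

#
#
# Accepts
#
#

# Accept DNS queries from the LAN (resolver runs on this box)
iptables -A INPUT -i "$LAN_IF" -p udp --dport 53 -j ACCEPT

# HTTP Access MUST HAVE IT
# (already covered by the LAN -> WAN FORWARD accept above)
# iptables -A FORWARD -s 192.168.1.0/24 -p tcp --dport 80 -j ACCEPT

# Accept ssh from the LAN only
iptables -A INPUT -s "$LAN_NET" -p tcp --dport 22 -j ACCEPT

# NTP: no separate rule. Replies to our own NTP queries are matched by the
# ESTABLISHED,RELATED rule above. The previous "-p udp --sport 123 -j ACCEPT"
# accepted ANY inbound UDP whose source port happened to be 123, on every
# interface, which is a trivial way around the INPUT DROP policy.

# Accept BitTorrent port-forwards.
# The DNAT rules below rewrite the packet's DESTINATION to the LAN host, so the
# FORWARD match must be on the destination LAN address. The old rule matched
# "-s 192.168.1.122" (a source address, in a different subnet) and never saw
# the DNATed packets, which then hit the FORWARD DROP policy.
#iptables -A FORWARD -i "$WAN_IF" -d 192.168.0.133 -p tcp --dport 43067:43083 -j ACCEPT
iptables -A FORWARD -i "$WAN_IF" -d 192.168.0.122 -p tcp --dport 43084:43092 -j ACCEPT

# NAT
# Masquerade the whole LAN, and only when it leaves via the WAN interface.
# NOTE(review): the original masqueraded "-s 192.168.1.1", a single address
# that is neither the LAN subnet nor the firewall's LAN address in the
# topology above; confirm 192.168.0.0/24 is the intended LAN.
iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
# Inbound port-forwards (only from the WAN side). The .133 forward is DNATed
# here but its FORWARD accept above is commented out, so it is still dropped
# until that line is enabled.
iptables -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 43067:43083 -j DNAT --to-destination 192.168.0.133
iptables -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 43084:43092 -j DNAT --to-destination 192.168.0.122

# Enable forwarding in the kernel last, once the FORWARD chain is populated
echo 1 > /proc/sys/net/ipv4/ip_forward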