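#!/bin/bash
#
# Router firewall: stateful INPUT filtering, NAT for the internal LAN and
# VLANs out of the WAN link, an SSH forward on the WAN side, and a policy
# that forces the router's own DNS traffic to stay local.
#
# Every run flushes and rebuilds the complete rule set, so the script can
# be re-invoked (e.g. from a network-up hook) without accumulating rules.
#
# Requires: root, iptables with the conntrack, limit, TCPMSS and LOG
# extensions.

set -u   # a typo in an interface/network variable must not become ""

readonly WAN=ppp0
readonly LAN=enp2s0
readonly VLAN10=enp2s0.10
readonly VLAN20=enp2s0.20
readonly VLAN30=enp2s0.30

readonly LAN_NET=192.168.1.0/24
readonly VLAN10_NET=192.168.10.0/24
readonly VLAN20_NET=192.168.20.0/24
readonly VLAN30_NET=192.168.30.0/24

# Address the WAN-side SSH forward is pointed at (the router's LAN address).
readonly ROUTER_LAN_IP=192.168.1.1

# Internal interfaces and their subnets, index-aligned. Every per-segment
# rule below is generated from these two arrays, so adding a VLAN is a
# single edit here instead of four copy-pasted rules.
readonly INTERNAL_IFACES=("$LAN" "$VLAN10" "$VLAN20" "$VLAN30")
readonly INTERNAL_NETS=("$LAN_NET" "$VLAN10_NET" "$VLAN20_NET" "$VLAN30_NET")

echo "Flushing rules"
# Policies are set to DROP before any ACCEPT rule is added, so a failure
# part-way through the script leaves the host closed rather than open.
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
iptables -Z
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

echo "Allow loopback"
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

echo "Drop invalid states"
for chain in INPUT FORWARD OUTPUT; do
  iptables -A "$chain" -m conntrack --ctstate INVALID -j DROP
done

echo "Allow established and related packets"
for chain in INPUT FORWARD OUTPUT; do
  iptables -A "$chain" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
done

echo "Allow incoming ICMP echo requests (ping)"
# ICMP type 8 is echo-request, i.e. this lets anyone (WAN included) ping the
# router. Replies to the router's own pings are covered by ESTABLISHED above.
iptables -A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT

echo "Port forwarding 4242 to 22 on router"
# Uses $WAN rather than a hard-coded interface name so it cannot drift from
# the NAT rules below. Because the DNAT destination is this router's own LAN
# address, the rewritten packet is delivered locally through INPUT (and is
# accepted by the SSH rule below); the FORWARD rule only matters if
# ROUTER_LAN_IP ever points at another host.
iptables -t nat -A PREROUTING -i "$WAN" -p tcp --dport 4242 -j DNAT --to-destination "${ROUTER_LAN_IP}:22"
iptables -A FORWARD -p tcp -d "$ROUTER_LAN_IP" --dport 22 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT

echo "Allow SSH from local Ethernet"
# NOTE(review): despite the message, this rule is bound to no interface or
# source network, so new SSH connections are accepted on every interface --
# including $WAN on port 22 directly, in addition to the 4242 forward above.
# The forwarded 4242 traffic also lands here (its dport is 22 after DNAT),
# which is presumably why the LAN-only variant below was disabled; restoring
# it would need a separate rule for the DNAT'd connections.
#iptables -A INPUT -i "$LAN" -s "$LAN_NET" -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT

echo "Allow DHCP"
# -I puts these ahead of the INVALID drop. No -s filter: a DHCP client has no
# address yet when it sends DISCOVER. Internal interfaces only, never $WAN.
for iface in "${INTERNAL_IFACES[@]}"; do
  iptables -I INPUT -i "$iface" -p udp -m udp --dport 67 -m conntrack --ctstate NEW -j ACCEPT
done

echo "Allow DNS (UDP and TCP for large replies)"
# Each segment may only query the router's resolver from its own subnet on
# its own interface, which rejects spoofed sources crossing segments.
for i in "${!INTERNAL_IFACES[@]}"; do
  for proto in udp tcp; do
    iptables -A INPUT -i "${INTERNAL_IFACES[i]}" -s "${INTERNAL_NETS[i]}" -p "$proto" --dport 53 -m conntrack --ctstate NEW -j ACCEPT
  done
done

echo "Block external DNS"
# Inserted at the head of OUTPUT so nothing on the router itself can send DNS
# anywhere but the local resolver. "! -o lo" is required: -I places these
# rules above the loopback ACCEPT, and without the exemption the router's own
# lookups to a resolver on 127.0.0.1 were rejected as well.
iptables -I OUTPUT ! -o lo -p udp --dport 53 -j REJECT
iptables -I OUTPUT ! -o lo -p tcp --dport 53 -j REJECT

echo "Block external DoT"
iptables -I OUTPUT ! -o lo -p tcp --dport 853 -j REJECT

echo "Enable NAT"
iptables -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
# Only traffic entering on an internal interface *with* a source in that
# interface's subnet may leave via the WAN. Apart from the SSH forward rule
# above nothing is forwarded between internal segments (FORWARD policy DROP).
for i in "${!INTERNAL_IFACES[@]}"; do
  iptables -A FORWARD -o "$WAN" -i "${INTERNAL_IFACES[i]}" -s "${INTERNAL_NETS[i]}" -m conntrack --ctstate NEW -j ACCEPT
done

echo "Enable TCP MSS clamping"
# ppp0 usually carries a sub-1500 MTU; clamping the MSS on SYNs keeps hosts
# behind the NAT from stalling on PMTU black holes.
iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

echo "Do not reply with Destination Unreachable messages"
iptables -A OUTPUT -p icmp --icmp-type destination-unreachable -j DROP

echo "Log all dropped packets"
# INPUT and FORWARD have policy DROP, so anything reaching these final rules
# is about to be dropped. OUTPUT's policy is ACCEPT: packets tagged
# 'DROPOUT>' are locally generated connections that matched no earlier rule
# and are then accepted, not dropped. The prefix is kept unchanged so
# existing log filters keep working; read it with that in mind.
iptables -A INPUT -m limit --limit 1/sec -j LOG --log-level debug --log-prefix 'DROPIN>'
iptables -A OUTPUT -m limit --limit 1/sec -j LOG --log-level debug --log-prefix 'DROPOUT>'
iptables -A FORWARD -m limit --limit 1/sec -j LOG --log-level debug --log-prefix 'DROPFWD>'

# The "Block external DNS" / "Block external DoT" blocks used to be repeated
# here verbatim, inserting a second identical copy of each REJECT rule; the
# single set above is sufficient.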