+ ‘iptables.sh’
This commit is contained in:
parent
b8526c0338
commit
4a998f81eb
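--- a/iptables.sh
+++ b/iptables.sh
@@ -0,0 +1,85 @@
+#!/bin/bash
+
+#enable IPv4 Forwarding
+echo 1 > /proc/sys/net/ipv4/ip_forward
+
+#Drop IMCP from broadcast multicast
+echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
+
+#Enable TCP SYN Cookie Protection from SYN Floods
+echo 1 > /proc/sys/net/ipv4/tcp_syncookies
+
+#Don't accept ICMP redirect messages
+echo 1 > /proc/sys/net/ipv4/conf/all/accept_redirects
+
+#Don't send ICMP redirect messages
+echo 1 > /proc/sys/net/ipv4/conf/all/send_redirects
+
+#Enable source address ARP spoofing
+echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
+
+#Flush chains
+iptables --flush
+
+#Set default policies
+iptables --policy INPUT DROP
+iptables --policy OUTPUT DROP
+iptables --policy FORWARD DROP
+
+#Allow unlimited Loopback Traffic
+iptables -A INPUT -i lo -m state --state NEW -j ACCEPT
+iptables -A OUTPUT -o lo -m state --state NEW -j ACCEPT
+
+#Allow ICMP
+iptables -A INPUT -p ICMP -m state --state NEW -j ACCEPT
+iptables -A OUTPUT -p ICMP -m state --state NEW -j ACCEPT
+iptables -A FORWARD -p ICMP -m state --state NEW -j ACCEPT
+
+#enable Masquerading (NAT)
+iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
+
+#allow Internet Access for internal
+iptables -A FORWARD -s 10.30.1.0/25 -m state --state NEW -j ACCEPT
+
+#allow ACCESS to VPN from internal
+iptables -A FORWARD -s 10.30.1.0/25 -m state --state NEW -j ACCEPT
+
+#allow everything from VPN
+iptables -A INPUT -i tun0 -m state --state NEW -j ACCEPT
+iptables -A OUTPUT -o tun0 -m state --state NEW -j ACCEPT
+iptables -A FORWARD -i tun0 -m state --state NEW -j ACCEPT
+iptables -A FORWARD -o tun0 -m state --state NEW -j ACCEPT
+
+#allow VPN
+iptables -A INPUT -p udp --dport 1194 -m state --state NEW -j ACCEPT
+#iptables -A OUTPUT -p udp --dport 1194 -m state --state NEW -j ACCEPT
+
+#allow Updates,DNS, NTP, DHCP and SSH outgoing
+iptables -A OUTPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
+iptables -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
+iptables -A OUTPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
+iptables -A OUTPUT -p tcp --dport 123 -m state --state NEW -j ACCEPT
+iptables -A OUTPUT -p udp --dport 123 -m state --state NEW -j ACCEPT
+iptables -A OUTPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
+iptables -A OUTPUT -p udp --dport 68 -m state --state NEW -j ACCEPT
+
+#allow DNS, SSH and DHCP incoming
+#iptables -A INPUT -p udp --dport 67 -m state --state NEW -j ACCEPT
+#iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
+#iptables -A INPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
+#iptables -A INPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
+
+#allow incoming everything from internal
+iptables -A OUTPUT -d 10.30.1.0/25 -m state --state NEW -j ACCEPT
+iptables -A INPUT -s 10.30.1.0/25 -m state --state NEW -j ACCEPT
+
+#allow vpn server
+iptables -A INPUT -s 10.30.0.1 -m state --state NEW -j ACCEPT
+iptables -A OUTPUT -d 10.30.0.1 -m state --state NEW -j ACCEPT
+iptables -A FORWARD -s 10.30.0.1 -m state --state NEW -j ACCEPT
+iptables -A FORWARD -d 10.30.0.1 -m state --state NEW -j ACCEPT
+
+#allow established connections
+iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT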
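Review bot: The sysctl lines under `#Don't accept ICMP redirect messages` and `#Don't send ICMP redirect messages` write `1` to `accept_redirects` and `send_redirects`, which turns both behaviours on, the opposite of what the comments (and the hardening intent of the surrounding settings) call for; the intended lines are `echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects` and `echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects`. The comment `#Enable source address ARP spoofing` above the `rp_filter` write describes the setting backwards — `rp_filter=1` enables reverse-path filtering, which drops packets whose source address is not routable via the receiving interface; suggest `#Enable reverse-path filtering (drop packets with spoofed source addresses)`. The FORWARD rule for `-s 10.30.1.0/25` appears twice, under `#allow Internet Access for internal` and again under `#allow ACCESS to VPN from internal`; the second is a no-op duplicate and, going by its comment, was presumably meant to carry an `-o tun0` or `-d` restriction instead. The DHCP client rule `iptables -A OUTPUT -p udp --dport 68` looks inverted as well: DHCP requests are sent to server port 67 from client port 68, so `--dport 67` (or `--sport 68`) is more likely what was intended, though the INPUT side is commented out so the effect cannot be confirmed from the hunk alone.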