86 lines
3.1 KiB
Bash
86 lines
3.1 KiB
Bash
#!/bin/bash
|
|
|
|
#enable IPv4 Forwarding
|
|
echo 1 > /proc/sys/net/ipv4/ip_forward
|
|
|
|
#Drop IMCP from broadcast multicast
|
|
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
|
|
|
|
#Enable TCP SYN Cookie Protection from SYN Floods
|
|
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
|
|
|
|
#Don't accept ICMP redirect messages
|
|
echo 1 > /proc/sys/net/ipv4/conf/all/accept_redirects
|
|
|
|
#Don't send ICMP redirect messages
|
|
echo 1 > /proc/sys/net/ipv4/conf/all/send_redirects
|
|
|
|
#Enable source address ARP spoofing
|
|
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
|
|
|
|
#Flush chains
|
|
iptables --flush
|
|
|
|
#Set default policies
|
|
iptables --policy INPUT DROP
|
|
iptables --policy OUTPUT DROP
|
|
iptables --policy FORWARD DROP
|
|
|
|
#Allow unlimited Loopback Traffic
|
|
iptables -A INPUT -i lo -m state --state NEW -j ACCEPT
|
|
iptables -A OUTPUT -o lo -m state --state NEW -j ACCEPT
|
|
|
|
#Allow ICMP
|
|
iptables -A INPUT -p ICMP -m state --state NEW -j ACCEPT
|
|
iptables -A OUTPUT -p ICMP -m state --state NEW -j ACCEPT
|
|
iptables -A FORWARD -p ICMP -m state --state NEW -j ACCEPT
|
|
|
|
#enable Masquerading (NAT)
|
|
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
|
|
|
|
#allow Internet Access for internal
|
|
iptables -A FORWARD -s 10.30.1.0/25 -m state --state NEW -j ACCEPT
|
|
|
|
#allow ACCESS to VPN from internal
|
|
iptables -A FORWARD -s 10.30.1.0/25 -m state --state NEW -j ACCEPT
|
|
|
|
#allow everything from VPN
|
|
iptables -A INPUT -i tun0 -m state --state NEW -j ACCEPT
|
|
iptables -A OUTPUT -o tun0 -m state --state NEW -j ACCEPT
|
|
iptables -A FORWARD -i tun0 -m state --state NEW -j ACCEPT
|
|
iptables -A FORWARD -o tun0 -m state --state NEW -j ACCEPT
|
|
|
|
#allow VPN
|
|
iptables -A INPUT -p udp --dport 1194 -m state --state NEW -j ACCEPT
|
|
#iptables -A OUTPUT -p udp --dport 1194 -m state --state NEW -j ACCEPT
|
|
|
|
#allow Updates,DNS, NTP, DHCP and SSH outgoing
|
|
iptables -A OUTPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
|
|
iptables -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
|
|
iptables -A OUTPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
|
|
iptables -A OUTPUT -p tcp --dport 123 -m state --state NEW -j ACCEPT
|
|
iptables -A OUTPUT -p udp --dport 123 -m state --state NEW -j ACCEPT
|
|
iptables -A OUTPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
|
|
iptables -A OUTPUT -p udp --dport 68 -m state --state NEW -j ACCEPT
|
|
|
|
#allow DNS, SSH and DHCP incoming
|
|
#iptables -A INPUT -p udp --dport 67 -m state --state NEW -j ACCEPT
|
|
#iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
|
|
#iptables -A INPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
|
|
#iptables -A INPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
|
|
|
|
#allow incoming everything from internal
|
|
iptables -A OUTPUT -d 10.30.1.0/25 -m state --state NEW -j ACCEPT
|
|
iptables -A INPUT -s 10.30.1.0/25 -m state --state NEW -j ACCEPT
|
|
|
|
#allow vpn server
|
|
iptables -A INPUT -s 10.30.0.1 -m state --state NEW -j ACCEPT
|
|
iptables -A OUTPUT -d 10.30.0.1 -m state --state NEW -j ACCEPT
|
|
iptables -A FORWARD -s 10.30.0.1 -m state --state NEW -j ACCEPT
|
|
iptables -A FORWARD -d 10.30.0.1 -m state --state NEW -j ACCEPT
|
|
|
|
#allow established connections
|
|
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
|
|
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
|
|
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
|