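#! /bin/sh
#
# Firewall / NAT policy for a two-interface gateway.
#   - lan_if faces the internal network (internal_ip)
#   - wan_if faces the internet
# Only trusthost may ping and ssh the gateway itself; LAN hosts may reach the
# internet through MASQUERADE; everything else that arrives in INPUT or
# FORWARD is logged (rate-limited) and dropped.
# Must run as root: it writes /proc/sys and the iptables tables.
# No bashisms are used, so /bin/sh is kept as the interpreter.

# Fail fast. Without this a rule that fails to load is skipped silently and
# the running policy no longer matches this file. Note the policies are set
# to DROP before the ssh ACCEPT rule is added, so a failure in between can
# cut off a remote session: apply from console or under a scheduled reset.
set -eu

trusthost='192.168.0.20'
internal_ip='192.168.0.0/24'

my_internet_ip='1.2.3.4'   # not referenced by any rule below; kept for operators
my_internal_ip='192.168.0.1'

# Interfaces used to be hard-coded as eth0/eth1. Those remain the defaults;
# they can be overridden from the environment without editing the file.
wan_if="${WAN_IF:-eth0}"
lan_if="${LAN_IF:-eth1}"

echo 1 > /proc/sys/net/ipv4/ip_forward

##############
#Flush & Reset
##############
# Flush both tables and delete user-defined chains so re-running the script
# neither duplicates rules nor fails on "iptables -N LOGGING".
iptables -F
iptables -t nat -F
iptables -X

##############
#Default Rule
##############
# INPUT: deny by default. Replies to connections the gateway initiated are
# accepted first, so every later rule only needs to cover NEW traffic.
iptables -P INPUT DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -P OUTPUT ACCEPT

# FORWARD: deny by default. Only packets that arrive on the LAN side from
# our own subnet may go out to the WAN; replies come back via ESTABLISHED.
iptables -P FORWARD DROP
iptables -A FORWARD -i "$lan_if" -o "$wan_if" -s "$internal_ip" -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

#########
#loopback
#########
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
#######################
#ICMP trusthost->myhost
#######################
iptables -A INPUT -p icmp --icmp-type echo-request -s "$trusthost" -d "$my_internal_ip" -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-reply -s "$my_internal_ip" -d "$trusthost" -j ACCEPT
#######################
#ICMP myhost->trusthost
#######################
iptables -A OUTPUT -p icmp --icmp-type echo-request -s "$my_internal_ip" -d "$trusthost" -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -s "$trusthost" -d "$my_internal_ip" -j ACCEPT
#######################
#ssh trusthost-> myhost
#######################
# A NEW TCP flow must begin with SYN; anything else is a malformed or
# state-evading packet. This rule has to precede the ssh ACCEPT below.
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
iptables -A INPUT -p tcp -m state --state NEW,ESTABLISHED,RELATED -s "$trusthost" -d "$my_internal_ip" --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp -s "$my_internal_ip" --sport 22 -d "$trusthost" -j ACCEPT

#################
#SNAT(masquerade)
#################
iptables -t nat -A POSTROUTING -o "$wan_if" -s "$internal_ip" -j MASQUERADE

################################################
#Outgoing packet should be real internet Address
################################################
# Packets addressed to RFC 1918 private space or loopback must never leave
# the WAN interface. The second range was written as 176.16.0.0/12, which
# is public address space; the private block is 172.16.0.0/12.
iptables -A OUTPUT -o "$wan_if" -d 10.0.0.0/8 -j DROP
iptables -A OUTPUT -o "$wan_if" -d 172.16.0.0/12 -j DROP
iptables -A OUTPUT -o "$wan_if" -d 192.168.0.0/16 -j DROP
iptables -A OUTPUT -o "$wan_if" -d 127.0.0.0/8 -j DROP

#########
#logging
#########
# Whatever INPUT/FORWARD did not accept is logged, then dropped explicitly.
# "-m limit" without options uses the module's default rate so a flood of
# rejected packets cannot fill the log; the prefix makes entries greppable.
iptables -N LOGGING
iptables -A LOGGING -m limit -j LOG --log-level warning --log-prefix "DROP:"
iptables -A LOGGING -j DROP
iptables -A INPUT -j LOGGING
iptables -A FORWARD -j LOGGING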