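#!/bin/sh
#
# Gateway firewall for a small LAN.
#
#   * NATs the internal /24 (int_if) out through the internet side (ext_if)
#   * stops SMB/NetBIOS and RPC portmapper traffic from leaking out
#   * lets only one trusted LAN host ping and ssh the gateway itself
#   * drops outbound packets to private/loopback ranges on the internet side
#   * logs (rate-limited) and drops everything else hitting INPUT/FORWARD
#
# Must run as root. Flushes and replaces the whole filter/nat ruleset.

# Stop at the first failing iptables command: under a DROP policy a rule that
# silently failed to load is a hole, and `set -e` makes the failure visible.
set -eu

#############
# Parameters
#############
readonly trusthost='192.168.0.20'       # only host allowed to ping/ssh the gateway
readonly internal_ip='192.168.0.0/24'   # LAN allowed to be forwarded/NATed
readonly my_internet_ip='1.2.3.4'       # gateway public address (not referenced by any rule)
readonly my_internal_ip='192.168.0.1'   # gateway LAN address
readonly ext_if='eth0'                  # internet-facing interface
readonly int_if='eth1'                  # LAN-facing interface

echo 1 > /proc/sys/net/ipv4/ip_forward

###############
# Flush & Reset
###############
iptables -F
iptables -t nat -F
iptables -X   # user chains (LOGGING) are unreferenced after -F, so this succeeds

###############
# Default Rules
###############
# INPUT: deny by default; return traffic for connections the gateway opened is
# accepted first so an admin ssh session survives the reload.
iptables -P INPUT DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -P OUTPUT ACCEPT

iptables -P FORWARD DROP

##########################################
# Block SMB / NetBIOS leaving the LAN
##########################################
iptables -A FORWARD -p tcp -i "$int_if" -o "$ext_if" --dport 137:139 -j DROP
iptables -A FORWARD -p udp -i "$int_if" -o "$ext_if" --dport 137:139 -j DROP
iptables -A FORWARD -p tcp -i "$int_if" -o "$ext_if" --dport 445 -j DROP
iptables -A FORWARD -p udp -i "$int_if" -o "$ext_if" --dport 445 -j DROP

##########################################
# Block RPC portmapper (111) leaving the LAN
##########################################
iptables -A FORWARD -p tcp -i "$int_if" -o "$ext_if" --dport 111 -j DROP
iptables -A FORWARD -p udp -i "$int_if" -o "$ext_if" --dport 111 -j DROP

# Everything else from the LAN may go out; replies come back as ESTABLISHED.
iptables -A FORWARD -i "$int_if" -o "$ext_if" -s "$internal_ip" -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

##########
# Loopback
##########
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

########################
# ICMP trusthost->myhost
########################
iptables -A INPUT -p icmp --icmp-type echo-request -s "$trusthost" -d "$my_internal_ip" -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-reply -s "$my_internal_ip" -d "$trusthost" -j ACCEPT

########################
# ICMP myhost->trusthost
########################
iptables -A OUTPUT -p icmp --icmp-type echo-request -s "$my_internal_ip" -d "$trusthost" -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -s "$trusthost" -d "$my_internal_ip" -j ACCEPT

########################
# ssh trusthost->myhost
########################
# A NEW TCP connection must start with SYN; anything else is a stray/scan.
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
iptables -A INPUT -p tcp -m state --state NEW,ESTABLISHED,RELATED -s "$trusthost" -d "$my_internal_ip" --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp -s "$my_internal_ip" --sport 22 -d "$trusthost" -j ACCEPT

##################
# SNAT (masquerade)
##################
iptables -t nat -A POSTROUTING -o "$ext_if" -s "$internal_ip" -j MASQUERADE

#################################################################
# Outgoing packets on the internet side must go to real addresses
#################################################################
# RFC 1918 ranges plus loopback. (The original listed 176.16.0.0/12, which is
# public space; the private block is 172.16.0.0/12.)
iptables -A OUTPUT -o "$ext_if" -d 10.0.0.0/8 -j DROP
iptables -A OUTPUT -o "$ext_if" -d 172.16.0.0/12 -j DROP
iptables -A OUTPUT -o "$ext_if" -d 192.168.0.0/16 -j DROP
iptables -A OUTPUT -o "$ext_if" -d 127.0.0.0/8 -j DROP

#########
# Logging
#########
# Catch-all for INPUT/FORWARD: log at the limit module's defaults
# (3/hour, burst 5) so a flood cannot fill the syslog, then drop.
iptables -N LOGGING
iptables -A LOGGING -m limit --limit 3/hour --limit-burst 5 -j LOG --log-level warning --log-prefix "DROP:"
iptables -A LOGGING -j DROP
iptables -A INPUT -j LOGGING
iptables -A FORWARD -j LOGGING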