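#! /bin/sh
#
# Firewall / NAT gateway rules for a small LAN.
#
# Topology assumed by the rules below (verify against the host):
#   eth0  Internet-facing interface
#   eth1  LAN-facing interface, address $my_internal_ip, subnet $internal_ip
#
# What the ruleset does:
#   * default-deny INPUT and FORWARD, allow OUTPUT
#   * LAN hosts are NAT'ed (MASQUERADE) out of eth0
#   * TCP/80 from the LAN is transparently redirected to a local proxy
#   * only $trusthost may ping / ssh the gateway; any LAN host may use the proxy
#   * whatever reaches the end of INPUT or FORWARD is rate-limited-logged, then dropped
#
# Must run as root. Re-running is safe: the tables are flushed first.
# NOTE: only IPv4 (iptables) is configured here; if IPv6 is enabled on this
# host an equivalent ip6tables policy is needed, otherwise v6 is wide open.

# Stop at the first failed iptables call and on any unset variable. The DROP
# policies are installed before the accept rules, so a failure part-way
# leaves the host closed rather than open.
set -eu

trusthost='192.168.0.20'        # only host allowed to ssh / ping this gateway
internal_ip='192.168.0.0/24'    # LAN subnet behind eth1

my_internet_ip='1.2.3.4'        # public address on eth0 (not referenced by a rule below)
my_internal_ip='192.168.0.1'    # gateway address on eth1

proxy_port='3128'               # local HTTP proxy listening port

ext_if='eth0'                   # Internet-facing interface
int_if='eth1'                   # LAN-facing interface

# Rate for logging dropped packets. These are the iptables '-m limit'
# defaults, written out so they are visible and tunable.
log_limit='3/hour'
log_burst='5'

# Enable IPv4 routing between the two interfaces.
echo 1 > /proc/sys/net/ipv4/ip_forward

##############
#Flush & Reset
##############
iptables -F
iptables -t nat -F
iptables -X
iptables -t nat -X

##############
#Default Rule
##############
iptables -P INPUT DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# A new TCP connection must start with a bare SYN; anything else claiming to
# be NEW is a scan or a stray packet and is dropped before the per-service rules.
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

iptables -P OUTPUT ACCEPT

# Only traffic entering from the LAN, with a LAN source address, is routed
# out; replies come back through the ESTABLISHED,RELATED rule.
iptables -P FORWARD DROP
iptables -A FORWARD -i "$int_if" -o "$ext_if" -s "$internal_ip" -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

#########
#loopback
#########
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# All rules that trust $trusthost / $internal_ip are pinned to the LAN
# interface: a packet arriving on eth0 with a forged LAN source address must
# not match them (Linux accepts packets for any local address on any interface).

#######################
#ICMP trusthost->myhost
#######################
iptables -A INPUT -i "$int_if" -p icmp --icmp-type echo-request -s "$trusthost" -d "$my_internal_ip" -j ACCEPT
iptables -A OUTPUT -o "$int_if" -p icmp --icmp-type echo-reply -s "$my_internal_ip" -d "$trusthost" -j ACCEPT

#######################
#ICMP myhost->trusthost
#######################
iptables -A OUTPUT -o "$int_if" -p icmp --icmp-type echo-request -s "$my_internal_ip" -d "$trusthost" -j ACCEPT
iptables -A INPUT -i "$int_if" -p icmp --icmp-type echo-reply -s "$trusthost" -d "$my_internal_ip" -j ACCEPT

#######################
#ssh trusthost-> myhost
#######################
iptables -A INPUT -i "$int_if" -p tcp -m state --state NEW,ESTABLISHED,RELATED -s "$trusthost" -d "$my_internal_ip" --dport 22 -j ACCEPT
iptables -A OUTPUT -o "$int_if" -p tcp -s "$my_internal_ip" --sport 22 -d "$trusthost" -j ACCEPT

#########################
#Proxy LAN -> myhost
#########################
# Every LAN host (not just $trusthost) may talk to the proxy; this is also
# where the DNAT'ed port-80 traffic from the PREROUTING rule below lands.
iptables -A INPUT -i "$int_if" -p tcp -m state --state NEW,ESTABLISHED,RELATED -s "$internal_ip" -d "$my_internal_ip" --dport "$proxy_port" -j ACCEPT
iptables -A OUTPUT -o "$int_if" -p tcp -s "$my_internal_ip" --sport "$proxy_port" -d "$internal_ip" -j ACCEPT

#################
#SNAT(masquerade)
#################
iptables -t nat -A POSTROUTING -o "$ext_if" -s "$internal_ip" -j MASQUERADE

####################
#Transparently proxy
####################
# Only plain HTTP (TCP/80) is intercepted. TCP/443 and every other port still
# leave directly through FORWARD + MASQUERADE, so the proxy is not enforced for
# them; add FORWARD drops or more DNAT rules if that is required.
iptables -t nat -A PREROUTING -i "$int_if" ! -s "$my_internal_ip" -p tcp --dport 80 -j DNAT --to-destination "$my_internal_ip:$proxy_port"
#iptables -t nat -A PREROUTING -i "$int_if" -p tcp --dport 80 -j REDIRECT --to-port "$proxy_port"

################################################
#Outgoing packet should be real internet Address
################################################
# Never send RFC 1918 / loopback destinations out of the public interface.
# (The 172.16/12 block was previously mistyped as 176.16.0.0/12, which dropped
# a public range and left 172.16/12 reachable.)
iptables -A OUTPUT -o "$ext_if" -d 10.0.0.0/8 -j DROP
iptables -A OUTPUT -o "$ext_if" -d 172.16.0.0/12 -j DROP
iptables -A OUTPUT -o "$ext_if" -d 192.168.0.0/16 -j DROP
iptables -A OUTPUT -o "$ext_if" -d 127.0.0.0/8 -j DROP

#########
#logging
#########
# Terminal chain: log (rate-limited, so a flood cannot fill the log) then drop.
iptables -N LOGGING
iptables -A LOGGING -m limit --limit "$log_limit" --limit-burst "$log_burst" -j LOG --log-level warning --log-prefix "DROP:"
iptables -A LOGGING -j DROP
iptables -A INPUT -j LOGGING
iptables -A FORWARD -j LOGGING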