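#! /bin/sh
#
# Gateway firewall for a host with one Internet-facing interface (eth0,
# public address 1.2.3.4) and one LAN-facing interface (eth1, 192.168.0.0/24).
# What it sets up:
#   - INPUT: drop by default; accept loopback, replies to our own traffic,
#     and ICMP echo / SSH from a single trusted LAN host.
#   - FORWARD: drop by default; let the LAN out to the Internet (source-NATed
#     to the public IP) and port-forward HTTP/HTTPS/SMTP/POP3 from the public
#     address to LAN servers.
#   - OUTPUT: accept by default, but never send to private/loopback ranges
#     over the external interface.
#   - Everything else is logged (rate-limited) and dropped.
#
# Must run as root. Re-runnable: it flushes and rebuilds the whole ruleset.
# Fails closed: the DROP policies are set *before* the old rules are flushed,
# so an error part-way through (set -e) leaves the host locked down instead
# of wide open. Run it from the console or from $trusthost; an SSH session
# from anywhere else is cut off by design once the rules are in place.

set -eu

trusthost='192.168.0.20'      # only host allowed to ping / ssh this box
internal_ip='192.168.0.0/24'  # the LAN behind the internal interface

my_internet_ip='1.2.3.4'      # public address on the external interface
my_internal_ip='192.168.0.1'  # this host's address on the LAN

ext_if='eth0'                 # Internet-facing interface
int_if='eth1'                 # LAN-facing interface

##############
# Default policy
##############
# Set first, so that the flush below never leaves a fail-open window with
# an ACCEPT policy and no rules.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# Route between the two interfaces (only after FORWARD is DROP by default).
echo 1 > /proc/sys/net/ipv4/ip_forward

##############
# Flush & Reset
##############
iptables -F
iptables -t nat -F
iptables -X
iptables -t nat -X

#########
# Logging chain: rate-limited LOG, then DROP.
# Created up front so the rules below can jump to it.
#########
iptables -N LOGGING
iptables -A LOGGING -m limit --limit 3/min --limit-burst 10 \
    -j LOG --log-level warning --log-prefix "DROP:"
iptables -A LOGGING -j DROP

#########
# Loopback
#########
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

##############
# Anti-spoofing
##############
# LAN or loopback source addresses must never arrive on the external
# interface. Checked before the ESTABLISHED shortcut so a forged packet
# cannot ride an existing conntrack entry.
iptables -A INPUT -i "$ext_if" -s "$internal_ip" -j LOGGING
iptables -A INPUT -i "$ext_if" -s 127.0.0.0/8 -j LOGGING
iptables -A FORWARD -i "$ext_if" -s "$internal_ip" -j LOGGING

##############
# Stateful shortcut: replies to connections we already allowed
##############
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

##############
# LAN -> Internet
##############
# Source NAT is required here: without it, forwarded packets leave the
# external interface with a 192.168.0.x source and replies never come back.
iptables -A FORWARD -i "$int_if" -o "$ext_if" -s "$internal_ip" -j ACCEPT
iptables -t nat -A POSTROUTING -o "$ext_if" -s "$internal_ip" \
    -j SNAT --to-source "$my_internet_ip"

#######################
# ICMP trusthost -> myhost
#######################
iptables -A INPUT -p icmp --icmp-type echo-request \
    -s "$trusthost" -d "$my_internal_ip" -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-reply \
    -s "$my_internal_ip" -d "$trusthost" -j ACCEPT

#######################
# ICMP myhost -> trusthost
#######################
iptables -A OUTPUT -p icmp --icmp-type echo-request \
    -s "$my_internal_ip" -d "$trusthost" -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply \
    -s "$trusthost" -d "$my_internal_ip" -j ACCEPT

#######################
# ssh trusthost -> myhost
#######################
# A NEW connection must start with a SYN; anything else is a stray or
# crafted segment.
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
iptables -A INPUT -p tcp -m state --state NEW,ESTABLISHED,RELATED \
    -s "$trusthost" -d "$my_internal_ip" --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp -s "$my_internal_ip" --sport 22 -d "$trusthost" -j ACCEPT

#################
# Port forwarding from the public address to LAN servers
#################
# dnat_service PROTO PUBLIC_PORT LAN_HOST LAN_PORT
#   Rewrites PROTO traffic arriving on the external interface for
#   $my_internet_ip:PUBLIC_PORT to LAN_HOST:LAN_PORT and allows it to be
#   forwarded onto the LAN. Replies are covered by the ESTABLISHED rule.
dnat_service() {
    iptables -t nat -A PREROUTING -p "$1" -i "$ext_if" \
        -d "$my_internet_ip" --dport "$2" \
        -j DNAT --to-destination "$3:$4"
    iptables -A FORWARD -i "$ext_if" -o "$int_if" -p "$1" \
        -d "$3" --dport "$4" -j ACCEPT
}

http_ip='192.168.0.2'
http_port='80'
dnat_service tcp 80 "$http_ip" "$http_port"

https_ip='192.168.0.2'
https_port='443'
dnat_service tcp 443 "$https_ip" "$https_port"

smtp_ip='192.168.0.3'
smtp_port='25'
dnat_service tcp "$smtp_port" "$smtp_ip" "$smtp_port"

pop3_ip='192.168.0.3'
pop3_port='110'
dnat_service tcp "$pop3_port" "$pop3_ip" "$pop3_port"

################################################
# Outgoing packets on the external interface must have a real Internet
# destination: never leak traffic for RFC 1918 or loopback ranges upstream.
################################################
iptables -A OUTPUT -o "$ext_if" -d 10.0.0.0/8 -j DROP
iptables -A OUTPUT -o "$ext_if" -d 172.16.0.0/12 -j DROP   # was 176.16.0.0/12, a public range
iptables -A OUTPUT -o "$ext_if" -d 192.168.0.0/16 -j DROP
iptables -A OUTPUT -o "$ext_if" -d 127.0.0.0/8 -j DROP

#########
# Log-and-drop everything that reached the end of INPUT / FORWARD
#########
iptables -A INPUT -j LOGGING
iptables -A FORWARD -j LOGGING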