| |
1 #! /bin/sh
2
3 trusthost='192.168.0.2'
4 internal_ip='192.168.0.0/24'
5
6 my_internet_ip='1.2.3.4'
7 my_internal_ip='192.168.0.1'
8
9 echo 1 > /proc/sys/net/ipv4/ip_forward
10
11 ##############
12 #Flush & Reset
13 ##############
14 iptables -F
15 iptables -t nat -F
16 iptables -X
17
18 ##############
19 #Deafult Rule
20 ##############
21 iptables -P INPUT DROP
22 iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
23
24 iptables -P OUTPUT ACCEPT
25
26 iptables -P FORWARD DROP
27 iptables -A FORWARD -i eth1 -o eth0 -s $internal_ip -j ACCEPT
28 iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
29
30 #########
31 #loopback
32 #########
33 iptables -A INPUT -i lo -j ACCEPT
34 iptables -A OUTPUT -o lo -j ACCEPT
35 #######################
36 #ICMP trusthost->myhost
37 #######################
38 iptables -A INPUT -p icmp --icmp-type echo-request -s $trusthost -d $my_internal_ip -j ACCEPT
39 iptables -A OUTPUT -p icmp --icmp-type echo-reply -s $my_internal_ip -d $trusthost -j ACCEPT
40 #######################
41 #ICMP myhost->trusthost
42 #######################
43 iptables -A OUTPUT -p icmp --icmp-type echo-request -s $my_internal_ip -d $trusthost -j ACCEPT
44 iptables -A INPUT -p icmp --icmp-type echo-reply -s $trusthost -d $my_internal_ip -j ACCEPT
45 #######################
46 #ssh trusthost-> myhost
47 #######################
48 iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
49 iptables -A INPUT -p tcp -m state --state NEW,ESTABLISHED,RELATED -s $trusthost -d $my_internal_ip --dport 22 -j ACCEPT
50 iptables -A OUTPUT -p tcp -s $my_internal_ip --sport 22 -d $trusthost -j ACCEPT
51
52 #######################################
53 #DNAT(HTTP) load balancer in round-robin
54 #######################################
55 iptables -t nat -A PREROUTING -p tcp -i eth0 -d $my_internet_ip --dport 80 -j DNAT --to-destination 192.168.0.3-192.168.0.4
56 iptables -A FORWARD -i eth0 -o eth1 -p tcp -d 192.168.0.3 --dport 80 -j ACCEPT
57 iptables -A FORWARD -i eth0 -o eth1 -p tcp -d 192.168.0.4 --dport 80 -j ACCEPT
58
59 ################################################
60 #Outgoing packet should be real internet Address
61 ################################################
62 iptables -A OUTPUT -o eth0 -d 10.0.0.0/8 -j DROP
63 iptables -A OUTPUT -o eth0 -d 176.16.0.0/12 -j DROP
64 iptables -A OUTPUT -o eth0 -d 192.168.0.0/16 -j DROP
65 iptables -A OUTPUT -o eth0 -d 127.0.0.0/8 -j DROP
66
67 #########
68 #logging
69 #########
70 iptables -N LOGGING
71 iptables -A LOGGING -j LOG --log-level warning --log-prefix "DROP:" -m limit
72 iptables -A LOGGING -j DROP
73 iptables -A INPUT -j LOGGING
74 iptables -A FORWARD -j LOGGING |
|