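#! /bin/sh
#
# Stateful NAT gateway firewall for a two-interface host:
#   eth0 = external (upstream) interface, eth1 = internal LAN interface.
# Policy: INPUT and FORWARD default to DROP, OUTPUT to ACCEPT. The LAN is
# masqueraded out of eth0; HTTP/HTTPS/SMTP/POP3 arriving on eth0 are
# port-forwarded to internal hosts; anything not explicitly accepted on
# INPUT/FORWARD is logged (rate-limited) and dropped.
# Must run as root. Re-runnable: the filter and nat tables are flushed first.

# Stop at the first failing iptables call or unset variable so a partially
# applied rule set is not left in place without anyone noticing.
set -eu

IPT=/sbin/iptables

trusthost='192.168.0.20'        # only host allowed to ping / ssh the gateway
internal_net='192.168.0.0/24'   # LAN behind eth1
my_internal_ip='192.168.0.1'    # the gateway's own address on eth1

echo 1 > /proc/sys/net/ipv4/ip_forward

##############
#Flush & Reset
##############
"$IPT" -F
"$IPT" -t nat -F
"$IPT" -X

##############
#Default Rule
##############
# Inbound to the gateway itself: drop unless it belongs to a flow the gateway
# initiated (or one explicitly accepted below).
"$IPT" -P INPUT DROP
"$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

"$IPT" -P OUTPUT ACCEPT

# Routed traffic: only LAN -> upstream may open new flows; return traffic is
# matched by state, and the DNAT targets get explicit rules further down.
"$IPT" -P FORWARD DROP
"$IPT" -A FORWARD -i eth1 -o eth0 -s "$internal_net" -j ACCEPT
"$IPT" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

#########
#loopback
#########
"$IPT" -A INPUT -i lo -j ACCEPT

###############################
#ICMP trusthost->my_internal_ip
###############################
# Let the trusted host ping the gateway's LAN address.
"$IPT" -A INPUT -p icmp --icmp-type echo-request -s "$trusthost" -d "$my_internal_ip" -j ACCEPT
###############################
#ICMP echo-reply from trusthost
###############################
# Replies to the gateway's own pings of trusthost. Conntrack normally classes
# these as ESTABLISHED already; the rule is kept so they are accepted even if
# that state entry is missing.
"$IPT" -A INPUT -p icmp --icmp-type echo-reply -s "$trusthost" -d "$my_internal_ip" -j ACCEPT
###############################
#ssh trusthost-> my_internal_ip
###############################
# Only new TCP connections (SYN) from the trusted host may reach sshd.
"$IPT" -A INPUT -p tcp --syn -m state --state NEW -s "$trusthost" -d "$my_internal_ip" --dport 22 -j ACCEPT
#################
#SNAT(masquerade)
#################
"$IPT" -t nat -A POSTROUTING -o eth0 -s "$internal_net" -j MASQUERADE

#################
#DNAT(HTTP)
#################
http_ip='192.168.0.2'
http_port='80'
"$IPT" -t nat -A PREROUTING -i eth0 -p tcp --dport "$http_port" -j DNAT --to-destination "$http_ip:$http_port"
"$IPT" -A FORWARD -i eth0 -o eth1 -p tcp -d "$http_ip" --dport "$http_port" -j ACCEPT
#################
#DNAT(HTTPS)
#################
https_ip='192.168.0.2'
https_port='443'
"$IPT" -t nat -A PREROUTING -i eth0 -p tcp --dport "$https_port" -j DNAT --to-destination "$https_ip:$https_port"
"$IPT" -A FORWARD -i eth0 -o eth1 -p tcp -d "$https_ip" --dport "$https_port" -j ACCEPT
#################
#DNAT(SMTP)
#################
smtp_ip='192.168.0.3'
smtp_port='25'
"$IPT" -t nat -A PREROUTING -i eth0 -p tcp --dport "$smtp_port" -j DNAT --to-destination "$smtp_ip:$smtp_port"
"$IPT" -A FORWARD -i eth0 -o eth1 -p tcp -d "$smtp_ip" --dport "$smtp_port" -j ACCEPT
#################
#DNAT(POP3)
#################
pop3_ip='192.168.0.3'
pop3_port='110'
"$IPT" -t nat -A PREROUTING -i eth0 -p tcp --dport "$pop3_port" -j DNAT --to-destination "$pop3_ip:$pop3_port"
"$IPT" -A FORWARD -i eth0 -o eth1 -p tcp -d "$pop3_ip" --dport "$pop3_port" -j ACCEPT

################################################
#Blocking Private Address
################################################
# Egress filter: never send packets from the gateway itself to RFC 1918 or
# loopback space via the upstream interface. The original script listed
# 176.16.0.0/12, a typo for the RFC 1918 block 172.16.0.0/12 (176.16.0.0/12
# is public address space), so that range was never actually blocked.
# NOTE(review): these rules are on OUTPUT only; LAN traffic routed through
# FORWARD to the same ranges is not covered by them.
"$IPT" -A OUTPUT -o eth0 -d 10.0.0.0/8 -j DROP
"$IPT" -A OUTPUT -o eth0 -d 172.16.0.0/12 -j DROP
"$IPT" -A OUTPUT -o eth0 -d 192.168.0.0/16 -j DROP
"$IPT" -A OUTPUT -o eth0 -d 127.0.0.0/8 -j DROP

#########
#logging
#########
# Catch-all chain hung off the end of INPUT and FORWARD: log, then drop.
# The limit values are the iptables defaults for -m limit, written out so the
# rate is visible; without it a flood could fill the log.
"$IPT" -N LOGGING
"$IPT" -A LOGGING -m limit --limit 3/hour --limit-burst 5 -j LOG --log-level warning --log-prefix "DROP:"
"$IPT" -A LOGGING -j DROP
"$IPT" -A INPUT -j LOGGING
"$IPT" -A FORWARD -j LOGGING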