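#!/bin/sh
#
# rc.firewall - NAT gateway with IPsec and PPTP VPN termination.
#
# Usage:   run as root at boot, no arguments.
# Layout:  EXTIF faces the Internet, INTIF faces the LAN (INTLAN); VPN peers
#          arrive on ppp+ (PPTP) or as IPsec clients in IPSEC_LAN.
# Policy:  INPUT, OUTPUT and FORWARD default to DROP. Everything allowed below
#          is an explicit exception; whatever falls through is rate-limited
#          into the kernel log and then dropped by the chain policy.
#
# Every iptables call goes through ipt(), which aborts the script on the first
# failed rule: with DROP policies already set, stopping half-way fails closed
# instead of silently leaving a hole.
###########################################################################

set -u
set -x

# Syslog level for the LOG rules (iptables accepts the name case-insensitively).
readonly DEBUG_LEVEL=INFO

readonly EXTIF="eth0"
readonly INTIF="eth1"
readonly INTLAN="192.168.50.0/255.255.255.0"
# Address pool handed to IPsec road-warrior clients.
# NOTE(review): taken from the original NAT exemption rule; confirm it matches
# the IPsec daemon's configuration.
readonly IPSEC_LAN="10.10.10.0/24"

readonly LOIF="lo"
readonly LOIP="127.0.0.1"
readonly BROADCAST="255.255.255.255"

# Published TCP services, reachable from anywhere. Trim this list to what the
# host actually serves; every entry here is exposed to the whole Internet.
#   http        - web server           110 / 995  - POP3 / POP3S
#   25          - SMTP                 143 / 993  - IMAP / IMAPS
#   22          - SSH                  21         - FTP control
#   631         - CUPS / IPP           65500:65534 - presumably FTP passive data
#   1723        - PPTP control channel (GRE, protocol 47, is allowed separately)
readonly TCP_SERVICES="http 110 631 25 22 21 65500:65534 143 993 995 1723"

# Print an error to stderr and exit non-zero.
die() {
  printf 'rc.firewall: %s\n' "$*" >&2
  exit 1
}

# Print the first IPv4 address of interface $1, or nothing. Understands both
# the old net-tools layout ("inet addr:1.2.3.4") and the new ("inet 1.2.3.4").
iface_addr() {
  ifconfig "$1" | awk '/inet / { sub(/^addr:/, "", $2); print $2; exit }'
}

# Print the IPv4 broadcast address of interface $1 ("Bcast:x" or "broadcast x").
iface_bcast() {
  ifconfig "$1" | awk '/inet / {
    for (i = 1; i <= NF; i++) {
      if (sub(/^Bcast:/, "", $i)) { print $i; exit }
      if ($i == "broadcast")       { print $(i + 1); exit }
    }
  }'
}

# Print the gateway of the default route (destination 0.0.0.0). The original
# used "grep -A 4 UG", which also printed the four lines after the match.
default_gateway() {
  /sbin/route -n | awk '$1 == "0.0.0.0" { print $2; exit }'
}

# Run iptables with the given arguments; abort on failure (see header).
ipt() {
  "$IPTABLES" "$@" || die "rule failed: iptables $*"
}

# Best-effort module load: a missing helper is reported, not fatal.
load_helper() {
  /sbin/modprobe "$1" || printf 'rc.firewall: warning: modprobe %s failed\n' "$1" >&2
}

# Write value $2 into the sysctl file $1.
set_sysctl() {
  echo "$2" > "$1" || die "cannot write $1"
}

[ "$(id -u)" -eq 0 ] || die "must be run as root"
IPTABLES=$(command -v iptables) || die "iptables not found in PATH"
readonly IPTABLES

EXTIP=$(iface_addr "$EXTIF")
EXTBROAD=$(iface_bcast "$EXTIF")
EXTGW=$(default_gateway)
INTIP=$(iface_addr "$INTIF")
# An empty address would otherwise be spliced into rules as a missing argument.
[ -n "$EXTIP" ]    || die "no IPv4 address on $EXTIF"
[ -n "$EXTBROAD" ] || die "no broadcast address on $EXTIF"
[ -n "$INTIP" ]    || die "no IPv4 address on $INTIF"
readonly EXTIP EXTBROAD EXTGW INTIP

printf 'External IP: %s\n' "$EXTIP"
printf 'External broadcast: %s\n' "$EXTBROAD"
printf 'Default GW: %s\n' "$EXTGW"
printf ' --- \n'
printf 'Internal Interface: %s\n' "$INTIF"
printf 'Internal IP: %s\n' "$INTIP"
printf 'Internal LAN: %s\n' "$INTLAN"
printf ' --- \n'

###########################################################################
# Conntrack/NAT helpers for IRC and PPTP. The core tables and matches autoload
# on first use. ip_conntrack_irc / ip_nat_irc are the pre-2.6.20 names; newer
# kernels call them nf_conntrack_irc / nf_nat_irc.
for mod in ip_conntrack_irc ip_nat_irc nf_conntrack_pptp nf_nat_pptp; do
  load_helper "$mod"
done

set_sysctl /proc/sys/net/ipv4/conf/all/rp_filter 1
set_sysctl /proc/sys/net/ipv4/ip_dynaddr 1

###########################################################################
# Policies: default deny on filter, pass-through on nat and mangle.
ipt -t filter -P INPUT DROP
ipt -t filter -P OUTPUT DROP
ipt -t filter -P FORWARD DROP
ipt -t nat -P PREROUTING ACCEPT
ipt -t nat -P POSTROUTING ACCEPT
ipt -t nat -P OUTPUT ACCEPT
ipt -t mangle -P PREROUTING ACCEPT
ipt -t mangle -P OUTPUT ACCEPT

for table in filter nat mangle; do
  ipt -t "$table" -F
  ipt -t "$table" -X
done

# --- INPUT: trusted sources ----------------------------------------------
ipt -A INPUT -p ALL -i "$INTIF" -s "$INTLAN" -j ACCEPT
ipt -A INPUT -p ALL -i "$LOIF" -s "$LOIP" -j ACCEPT
ipt -A INPUT -p ALL -i "$LOIF" -s "$INTIP" -j ACCEPT
ipt -A INPUT -p ALL -i "$LOIF" -s "$EXTIP" -j ACCEPT
# DHCP discover from a not-yet-configured LAN client.
ipt -A INPUT -p ALL -i "$INTIF" -s 0.0.0.0 -d 255.255.255.255 -j ACCEPT
# A ppp interface only exists for an authenticated PPTP peer.
ipt -A INPUT -i ppp+ -j ACCEPT
# Replies to connections this host opened towards the outside.
ipt -A INPUT -p ALL -d "$EXTIP" -m state --state ESTABLISHED,RELATED -j ACCEPT

# --- INPUT: published services (new connections only) ---------------------
# shellcheck disable=SC2086  # word-splitting the list is intended
for port in $TCP_SERVICES; do
  ipt -A INPUT -p TCP --syn --dport "$port" -j ACCEPT
done
for icmp in echo-reply echo-request time-exceeded; do
  ipt -A INPUT -p ICMP --icmp-type "$icmp" -j ACCEPT
done

# --- INPUT: VPN control and tunnel protocols -----------------------------
ipt -A INPUT -p UDP --dport 500 -j ACCEPT    # IKE
ipt -A INPUT -p UDP --dport 4500 -j ACCEPT   # IKE NAT-T
ipt -A INPUT -p 50 -j ACCEPT                 # ESP (the original also had "-p ESP", same protocol)
ipt -A INPUT -p 51 -j ACCEPT                 # AH
ipt -A INPUT -p 47 -j ACCEPT                 # GRE, carries the PPTP tunnel

# --- INPUT: drop outside broadcast/multicast noise without logging --------
ipt -A INPUT -i "$EXTIF" -d 224.0.0.0/8 -j DROP
ipt -A INPUT -d "$EXTBROAD" -j DROP
ipt -A INPUT -d "$BROADCAST" -j DROP
# Anything left is logged (rate-limited) and then dropped by the policy. The
# original limit rule had no target at all, so it only counted packets.
ipt -A INPUT -m limit --limit 3/minute --limit-burst 3 \
  -j LOG --log-level "$DEBUG_LEVEL" --log-prefix "IPT INPUT dropped: "

# --- FORWARD: LAN and VPN clients may route out, nothing else -------------
# The original flushed FORWARD at the end and appended "-j ACCEPT", which
# turned the gateway into an open router for every interface. Keep the
# explicit allow list and add the VPN sources instead.
ipt -A FORWARD -i "$INTIF" -j ACCEPT
ipt -A FORWARD -i ppp+ -j ACCEPT
# Decapsulated IPsec traffic from clients in IPSEC_LAN; the policy match
# rejects plain packets that merely spoof a pool address.
ipt -A FORWARD -s "$IPSEC_LAN" -m policy --dir in --pol ipsec -j ACCEPT
ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
ipt -A FORWARD -m limit --limit 3/minute --limit-burst 3 \
  -j LOG --log-level "$DEBUG_LEVEL" --log-prefix "IPT FORWARD dropped: "

# --- OUTPUT: only this host's own addresses and the VPN tunnels -----------
ipt -A OUTPUT -p ALL -s "$LOIP" -j ACCEPT
ipt -A OUTPUT -p ALL -s "$INTIP" -j ACCEPT
ipt -A OUTPUT -p ALL -s "$EXTIP" -j ACCEPT
ipt -A OUTPUT -o ppp+ -j ACCEPT
ipt -A OUTPUT -p 47 -j ACCEPT                # GRE
ipt -A OUTPUT -m limit --limit 3/minute --limit-burst 3 \
  -j LOG --log-level "$DEBUG_LEVEL" --log-prefix "IPT OUTPUT dropped: "

# --- NAT -------------------------------------------------------------------
# Traffic that will be IPsec-protected on the way out must keep its inner
# source address, so the exemption has to come before the SNAT rule; the
# original placed it after, where it could never match. The SNAT rule also
# covers the original's separate MASQUERADE rules for eth0 and IPSEC_LAN.
ipt -t nat -A POSTROUTING -s "$IPSEC_LAN" -o "$EXTIF" \
  -m policy --dir out --pol ipsec -j ACCEPT
ipt -t nat -A POSTROUTING -o "$EXTIF" -j SNAT --to-source "$EXTIP"
ipt -t nat -A POSTROUTING -o ppp+ -j MASQUERADE

# --- Port forwarding template (disabled in the original) ------------------
#ipt -t nat -A PREROUTING -p TCP -i "$EXTIF" -d "$EXTIP" --dport 60000 -j DNAT --to 192.168.50.147:60000
#ipt -t nat -A PREROUTING -p UDP -i "$EXTIF" -d "$EXTIP" --dport 60000 -j DNAT --to 192.168.50.147:60000
#ipt -A FORWARD -p TCP -i "$EXTIF" -d 192.168.50.147 --dport 60000 -j ACCEPT
#ipt -A FORWARD -p UDP -i "$EXTIF" -d 192.168.50.147 --dport 60000 -j ACCEPT

# Enable routing only now that the FORWARD chain is in place, so there is no
# window in which packets are forwarded under the previous ruleset.
set_sysctl /proc/sys/net/ipv4/ip_forward 1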