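#!/bin/sh
# Firewall rules for router(hermes)
#
# Topology as wired below: LAN hosts (10.10.10.0/24 behind ${LAN}) are
# SNATed out through ${WAN}; HTTP/HTTPS arriving on ${WAN} is DNATed to the
# spacewalk server on the LAN. Must run as root. Safe to re-run: every table
# this script (including its debugging section) touches is flushed first.
#
# Fail closed: -e aborts on the first iptables error instead of carrying on
# with a partial ruleset. Because the DROP policies are applied before any
# ACCEPT rule, an abort leaves the box closed rather than open.
set -eu

# Location of iptables
IPT="/sbin/iptables"
# Network Interfaces
LAN="eth0" # Ethernet
WAN="eth1" # Wireless
# Address of the router on the ${WAN} network (SNAT source)
WAN_IP="192.168.0.51"
# Spacewalk server on the LAN that receives the port-forwarded HTTP/HTTPS
SPACEWALK="10.10.10.11"

if [ "$(id -u)" -ne 0 ]; then
  printf '%s: must be run as root\n' "$0" >&2
  exit 1
fi
if [ ! -x "$IPT" ]; then
  printf '%s: %s not found or not executable\n' "$0" "$IPT" >&2
  exit 1
fi

# Set the default policies *before* flushing: a flush does not touch the
# policy, so flushing first would briefly leave empty chains wide open if a
# previous run (e.g. the anti-lockout block below) had set them to ACCEPT.
"$IPT" -P INPUT DROP     # Drop anything coming in
"$IPT" -P OUTPUT ACCEPT  # Allow anything going out
"$IPT" -P FORWARD DROP   # Drop any forwarding

# Flush old rules and old custom tables
"$IPT" --flush
"$IPT" --delete-chain
"$IPT" -t nat --flush
"$IPT" -t nat --delete-chain
# The TRACE rules in the debugging section live in the raw table; without
# this they would survive a re-run. Best-effort, because the raw table only
# exists when the kernel provides it.
"$IPT" -t raw --flush 2>/dev/null || true

# Allow all traffic on the loopback interface
"$IPT" -A INPUT -i lo -j ACCEPT
"$IPT" -A OUTPUT -o lo -j ACCEPT

# Drop packets conntrack cannot classify (malformed / out-of-window) before
# any ACCEPT rule gets to see them.
"$IPT" -A INPUT -m state --state INVALID -j DROP
"$IPT" -A FORWARD -m state --state INVALID -j DROP

## NATing
# Only replies to connections that the LAN (or a port forward) opened are
# forwarded in from the WAN. Previously *all* WAN->LAN traffic was accepted,
# which let any WAN host with a route to the LAN prefix reach every LAN host
# directly, bypassing the SNAT and the explicit port forwards below.
"$IPT" -A FORWARD -i "${WAN}" -o "${LAN}" -m state --state RELATED,ESTABLISHED -j ACCEPT
# Forward all traffic from the lan to the wan
"$IPT" -A FORWARD -i "${LAN}" -o "${WAN}" -j ACCEPT
# Translate internal IPs to the IP of the router on the external network
"$IPT" -t nat -A POSTROUTING -o "${WAN}" -j SNAT --to-source "${WAN_IP}"

# Allow all traffic from the LAN
"$IPT" -A INPUT -i "${LAN}" -j ACCEPT
# Allow traffic from the WAN that is an established connection
"$IPT" -A INPUT -i "${WAN}" -m state --state RELATED,ESTABLISHED -j ACCEPT

## Filters
#
# Rules without -i also open the port on ${WAN} (the LAN is already fully
# accepted above), so be deliberate about what gets no interface match.
# Allow SSH (management; this is reachable from the WAN)
"$IPT" -A INPUT -p tcp --dport ssh -j ACCEPT
# Allow DNS and DHCP -- these serve LAN clients and are not offered on the
# WAN (an open resolver / DHCP server facing the outside is not intended).
"$IPT" -A INPUT ! -i "${WAN}" -p udp --dport domain -j ACCEPT
"$IPT" -A INPUT ! -i "${WAN}" -p udp --dport bootps -j ACCEPT
# Allow HTTP and HTTPS to the router itself. Note that WAN-side HTTP/HTTPS
# never reaches INPUT: the PREROUTING DNAT below redirects it to spacewalk.
"$IPT" -A INPUT -p tcp --dport http -j ACCEPT
"$IPT" -A INPUT -p tcp --dport https -j ACCEPT

## Port Forwarding
#
# Send HTTP and HTTPS arriving on the WAN to the spacewalk server. DNAT
# happens in PREROUTING, so the rewritten packets still have to pass FORWARD;
# the matching FORWARD accept is the only new WAN->LAN traffic let through.
for port in http https; do
  "$IPT" -t nat -A PREROUTING -i "${WAN}" -p tcp --dport "$port" -j DNAT --to "${SPACEWALK}"
  "$IPT" -A FORWARD -i "${WAN}" -o "${LAN}" -p tcp -d "${SPACEWALK}" --dport "$port" -j ACCEPT
done

# Debugging
## Logging Blocked Packets (appended last, so only packets no ACCEPT matched)
## Enable/Disable as needed
#"$IPT" -A INPUT -m limit --limit 50/minute -j LOG --log-level 7 --log-prefix "Dropped in: "
#"$IPT" -A OUTPUT -m limit --limit 50/minute -j LOG --log-level 7 --log-prefix "Dropped out: "
#"$IPT" -A FORWARD -m limit --limit 50/minute -j LOG --log-level 7 --log-prefix "Dropped fw: "
## Packet Tracing
## Enable/Disable as needed
#"$IPT" -t raw -A PREROUTING -p tcp --dport 443 -j TRACE
#"$IPT" -t raw -A PREROUTING --destination 10.0.0.1 -p tcp --dport 25 -j TRACE

## Anti-lockout: open everything again after 300 seconds unless this script
## is interrupted first (Ctrl-C once the new rules are confirmed to work).
## Uncomment/comment this as needed.
## The policies MUST be reset to ACCEPT before the flush. A bare flush with
## the policies still at DROP removes every ACCEPT rule -- including SSH --
## and produces a complete lockout instead of the intended escape hatch.
#sleep 300
#"$IPT" -P INPUT ACCEPT
#"$IPT" -P FORWARD ACCEPT
#"$IPT" -t nat --flush
#"$IPT" --flush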