File location
You should create symlink between for script tools
chown root /usr/local/src/forward.sh
chgrp root /usr/local/src/forward.sh
chown root /usr/local/src/firewall.sh
chgrp root /usr/local/src/firewall.sh
ln -sf /usr/local/src/forward.sh /usr/local/sbin/forward
ln -sf /usr/local/src/firewall.sh /usr/local/sbin/firewall
| # The primary network interface | |
| auto eth0 | |
| iface eth0 inet static | |
| address 192.168.2.2/24 | |
| gateway 192.168.2.1 |
| # The secondary network interface | |
| auto eth1 | |
| iface eth1 inet static | |
| address 172.16.1.1/24 |
| #!/bin/sh | |
| interface_0=eth0 | |
| interface_1=eth1 | |
| public_ip="192.168.2.2" | |
| stop() { | |
| #reset policy | |
| iptables -t raw -P PREROUTING ACCEPT | |
| iptables -t raw -P OUTPUT ACCEPT | |
| iptables -t mangle -P PREROUTING ACCEPT | |
| iptables -t mangle -P INPUT ACCEPT | |
| iptables -t mangle -P FORWARD ACCEPT | |
| iptables -t mangle -P OUTPUT ACCEPT | |
| iptables -t mangle -P POSTROUTING ACCEPT | |
| iptables -t nat -P PREROUTING ACCEPT | |
| iptables -t nat -P INPUT ACCEPT | |
| iptables -t nat -P OUTPUT ACCEPT | |
| iptables -t nat -P POSTROUTING ACCEPT | |
| iptables -t filter -P INPUT ACCEPT | |
| iptables -t filter -P FORWARD ACCEPT | |
| iptables -t filter -P OUTPUT ACCEPT | |
| #Empty table | |
| iptables -t raw -F | |
| iptables -t mangle -F | |
| iptables -t nat -F | |
| iptables -t filter -F | |
| # Remove chain | |
| iptables -t raw -X | |
| iptables -t mangle -X | |
| iptables -t nat -X | |
| iptables -t filter -X | |
| } | |
| start() { | |
| #### Routing rules | |
| # | |
| # Set the default FORWARD policie to DROP for security | |
| iptables -t filter -P FORWARD DROP | |
| # | |
| # Nat rule to redirect 80 and 443 to the good ip address | |
| iptables -t nat -A PREROUTING -d $public_ip -p tcp -m multiport --dports 80,443 -j DNAT --to-destination 172.16.1.2 | |
| # | |
| # Forward rule to enable trafic between eth0 and interface who serve 172.16.1.2 | |
| # Trafic in: Incomming interface ($interface_0) ==> Outgoing interface ($interface_1) ==> dest 172.16.1.2:80 and 172.16.1.2:443 | |
| iptables -A FORWARD -i $interface_0 -o $interface_1 -d 172.16.1.2 -p tcp -m multiport --dports 80,443 -j ACCEPT | |
| # Trafic out: Outgoing interface ($interface_0) <== Incomming interface ($interface_1) <== source 172.16.1.2:80 and 172.16.1.2:443 | |
| iptables -A FORWARD -o $interface_0 -i $interface_1 -s 172.16.1.2 -p tcp -m multiport --sports 80,443 -j ACCEPT | |
| # | |
| # forwarding rule for the outgoing interface. (Important) | |
| iptables -t nat -A POSTROUTING -o $interface_0 -j MASQUERADE | |
| #### VM specifique rules | |
| # | |
| # Set the default incoming trafic to drop | |
| iptables -t filter -P INPUT DROP | |
| iptables -t filter -P OUTPUT DROP | |
| # Accept incoming trafic from the loopback interface | |
| iptables -t filter -A INPUT -i lo -j ACCEPT | |
| iptables -t filter -A OUTPUT -o lo -j ACCEPT | |
| # Enable ssh connexion from outside | |
| iptables -A INPUT -p tcp -i $interface_0 --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT | |
| iptables -A OUTPUT -p tcp -o $interface_0 --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT | |
| # | |
| iptables -A INPUT -p tcp -i $interface_1 --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT | |
| iptables -A OUTPUT -p tcp -o $interface_1 --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT | |
| # Enable hostname resolution | |
| iptables -t filter -A INPUT -p tcp --sport 53 -j ACCEPT | |
| iptables -t filter -A INPUT -p udp --sport 53 -j ACCEPT | |
| iptables -t filter -A OUTPUT -p tcp --dport 53 -j ACCEPT | |
| iptables -t filter -A OUTPUT -p udp --dport 53 -j ACCEPT | |
| iptables -t filter -A INPUT -p tcp -m multiport --sports 80,443 -j ACCEPT | |
| iptables -t filter -A OUTPUT -p tcp -m multiport --dports 80,443 -j ACCEPT | |
| } | |
| show() { | |
| echo "RAW tables" | |
| iptables -S -t raw | |
| echo "" | |
| echo "Mangle table:" | |
| iptables -S -t mangle | |
| echo "" | |
| echo "Nat table: " | |
| iptables -S -t nat | |
| echo "" | |
| echo "Filter table: " | |
| iptables -S | |
| echo "" | |
| } | |
| case "$1" in | |
| start) | |
| start | |
| ;; | |
| stop) | |
| stop | |
| ;; | |
| restart) | |
| stop | |
| start | |
| ;; | |
| show) | |
| show | |
| ;; | |
| *) | |
| echo "Usage: $0 {start|stop|restart|show}" | |
| exit 1 | |
| ;; | |
| esac | |
| exit 0 |
| #!/bin/sh | |
| # Enable ip forwarding | |
| enable() { | |
| echo "1" > /proc/sys/net/ipv4/ip_forward | |
| cat /proc/sys/net/ipv4/ip_forward | |
| echo "Set persistent by editing /etc/sysctl.conf" | |
| } | |
| # Disable ip forwording | |
| disable () { | |
| echo "0" > /proc/sys/net/ipv4/ip_forward | |
| cat /proc/sys/net/ipv4/ip_forward | |
| echo "Set persistent by editing /etc/sysctl.conf" | |
| } | |
| case "$1" in | |
| enable) | |
| enable | |
| ;; | |
| disable) | |
| disable | |
| ;; | |
| *) | |
| echo "Usage: $0 {enable|disable}" | |
| echo "Set persistent by editing /etc/sysctl.conf" | |
| exit 1 | |
| ;; | |
| esac | |
| exit 0 |
| # This file describes the network interfaces available on your system | |
| # and how to activate them. For more information, see interfaces(5). | |
| source /etc/network/interfaces.d/* | |
| # The loopback network interface | |
| auto lo | |
| iface lo inet loopback |
| # Setup you DNS serveur address | |
| # nameserver 172.16.1.1 | |
| nameserver 8.8.8.8 |