iptables script
@echo off
REM Host-side setup for a Windows box on the 11.0.0.0 "private" network --
REM presumably the 11.0.0.2 telnet host that the router rules on this page
REM publish on public port 2222.  Uses the legacy "netsh firewall" context
REM (Windows XP / Server 2003 era); Vista and later use "netsh advfirewall".
REM Run from an administrative prompt.  (echo prints the quotes literally.)
echo "Enable firewall autostart"
REM SharedAccess is the Windows Firewall / Internet Connection Sharing
REM service.  The space after '=' is required by sc's option parser.
sc config SharedAccess start= auto
echo "Start firewall service"
sc start SharedAccess
echo "Enable Windows Firewall"
netsh firewall set opmode mode= ENABLE
echo "Enable logging"
REM Log both dropped packets and successful connections to pfirewall.log in
REM the Windows directory, capped at 4096 KB.
netsh firewall set logging filelocation= %windir%\pfirewall.log maxfilesize= 4096 droppedpackets= ENABLE connections= ENABLE
echo "Enable manual start of telnet"
REM Manual start: the service does not come back after a reboot unless it is
REM started again (this script starts it explicitly at the end).
sc config TlntSvr start= manual
echo "Enable telnet access from private network"
REM SECURITY: telnet carries credentials and the whole session in cleartext.
REM The scope below is the entire 11.0.0.0/8 -- which is not RFC 1918 space,
REM only this lab's convention.  Also note that the router's SNAT rule on this
REM page rewrites every forwarded external client to 11.0.0.1, so this scope
REM does NOT keep public-side clients out, and this host's own logs will show
REM 11.0.0.1 for all of them.  Prefer SSH, or at least narrow the scope to
REM the real subnet.
netsh firewall add portopening protocol= TCP port= 23 name= Telnet mode= ENABLE scope= CUSTOM addresses= 11.0.0.0/255.0.0.0
echo "Enable ICMP requests"
REM Type 8 = allow inbound echo request (ping).
netsh firewall set icmpsetting type= 8 mode= ENABLE
echo "Start telnet"
sc start TlntSvr
REM Waits for a keypress; remove when the script runs unattended.
pause
# Generated by iptables-save v1.4.7 on Sun Dec 2 11:48:09 2018
# Saved state of the ruleset built by the script on this page (iptables-save
# format; iptables-restore ignores lines beginning with '#').  The hostnames
# the script uses appear here as the addresses they resolved to at load time.
# Reviewer notes are marked "REVIEW:".
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Public port 2222 on eth2 is published as 11.0.0.2:23 (cleartext telnet,
# reachable from the public side).
-A PREROUTING -i eth2 -p tcp -m tcp --dport 2222 -j DNAT --to-destination 11.0.0.2:23
-A POSTROUTING -o eth2 -j MASQUERADE
# Forwarded telnet sessions reach 11.0.0.2 with source 11.0.0.1, so the
# telnet host cannot tell external clients apart; only this router's
# conntrack table / logs can attribute a session to its real source.
-A POSTROUTING -d 11.0.0.2/32 -o eth3 -p tcp -m tcp --dport 23 -j SNAT --to-source 11.0.0.1
COMMIT
# Completed on Sun Dec 2 11:48:09 2018
# Generated by iptables-save v1.4.7 on Sun Dec 2 11:48:09 2018
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
# REVIEW: shadowed -- the unconditional '--dport 22' rule further down accepts
# SSH from any source, so this restriction to 83.0.0.0/16 has no effect.
-A INPUT -s 83.0.0.0/16 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -s 10.10.11.173/32 -j DROP
-A INPUT -i eth3 -p icmp -j DROP
# REVIEW: stateless accept keyed on the *source* port.  Any host can reach any
# local port simply by sending from port 23 (e.g. nmap -g 23 ...), bypassing
# the INPUT DROP policy.  The RELATED,ESTABLISHED rule above already admits
# the telnet replies this was written for; remove this rule.
-A INPUT -p tcp -m tcp --sport 23 -j ACCEPT
# All ICMP types from every interface except eth3 (dropped above).
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -s 10.10.11.173/32 -j DROP
-A FORWARD -d 77.234.213.242/32 -j DROP
-A FORWARD -i eth3 -o eth2 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# Forwarded path for the DNAT above; not limited to -i eth2, so telnet to
# 11.0.0.2 is also forwarded from any other interface this router has.
-A FORWARD -d 11.0.0.2/32 -p tcp -m tcp --dport 23 -j ACCEPT
# REVIEW: stateless and redundant -- replies are ESTABLISHED, and eth3->eth2
# is already accepted wholesale two rules up.
-A FORWARD -s 11.0.0.2/32 -p tcp -m tcp --sport 23 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# REVIEW: OUTPUT has no RELATED,ESTABLISHED rule.  With the DROP policy,
# replies to accepted inbound traffic that match none of the rules below are
# discarded: ICMP echo-reply (inbound ping is therefore never answered),
# ICMP error messages, and FTP data channels (RELATED).  Add
#   -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# here; the '--sport 22' rule at the end of this chain then becomes unnecessary.
-A OUTPUT -d 8.8.8.8/32 -p udp -m udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -d 8.8.8.8/32 -p tcp -m tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
# proxy.ifmo.ru as resolved when this dump was taken.
-A OUTPUT -d 77.234.212.55/32 -p tcp -m tcp --dport 3128 -m state --state NEW,ESTABLISHED -j ACCEPT
# ftp.ifmo.ru as resolved when this dump was taken (control channel only).
-A OUTPUT -d 77.234.212.60/32 -p tcp -m tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 110 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT
# mail.ifmo.ru as resolved when this dump was taken.
-A OUTPUT -d 77.234.212.50/32 -p tcp -m tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -d 77.234.212.50/32 -p tcp -m tcp --dport 587 -m state --state NEW,ESTABLISHED -j ACCEPT
# Telnet client on the router itself, to any destination.
-A OUTPUT -p tcp -m tcp --dport 23 -j ACCEPT
# REVIEW: stateless egress keyed on source port 22; it stands in for the
# missing ESTABLISHED rule and lets anything sent from local port 22 leave
# regardless of connection state.
-A OUTPUT -p tcp -m tcp --sport 22 -j ACCEPT
COMMIT
# Completed on Sun Dec 2 11:48:09 2018
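#!/bin/sh
# Firewall and NAT policy for a small router.
#
# What the rules say about the topology (nothing else is assumed):
#   eth2     - public side; traffic leaving it is masqueraded
#   eth3     - private side; this router is 11.0.0.1 there
#   11.0.0.2 - internal telnet host, published on the public side as
#              <router>:2222 -> 11.0.0.2:23
#
# Run as root.  The script rebuilds both tables from scratch on every run.
#
# Changes from the earlier version of this script (see comments in place):
#   - DROP policies are applied *before* the allow rules, so a partial run
#     (set -e aborts on the first failing iptables call) leaves the host
#     closed instead of open.
#   - The stateless "reply" rules matched on --sport 22/23 are removed.  A
#     rule that accepts on source port alone lets any peer reach any local
#     port simply by sending from port 22 or 23 (e.g. `nmap -g 23 ...`).
#     Genuine replies are admitted by the RELATED,ESTABLISHED rules.
#   - OUTPUT gets a RELATED,ESTABLISHED rule.  Without it the OUTPUT DROP
#     policy discarded replies to accepted inbound traffic that had no
#     explicit OUTPUT rule: ICMP echo-reply (so inbound ping was never
#     answered), FTP data channels and ICMP error messages.
set -eu

WAN_IF=eth2                 # public interface
LAN_IF=eth3                 # private interface
LAN_ROUTER_IP=11.0.0.1      # this router's address on $LAN_IF
TELNET_HOST=11.0.0.2        # internal telnet server reached through the DNAT
TELNET_WAN_PORT=2222        # public port forwarded to $TELNET_HOST:23
SSH_ADMIN_NET=83.0.0.0/16
BLOCKED_HOST=10.10.11.173   # blocked both as a peer of the router and in transit
NO_NAT_DEST=77.234.213.242  # de.ifmo.ru: internal hosts must not reach it via NAT
DNS_SERVER=8.8.8.8

# ---------------------------------------------------------------- reset --
iptables -t filter --flush
iptables -t nat --flush
iptables -t filter --delete-chain
iptables -t nat --delete-chain

# ------------------------------------------------ fail-closed defaults --
# Set first so that from this point on only explicitly allowed traffic
# passes, even if a later command fails.  If you run this over SSH the
# session stalls until the RELATED,ESTABLISHED rule below is in place
# (a fraction of a second; TCP retransmits cover it).
iptables -t filter -P INPUT DROP
iptables -t filter -P FORWARD DROP
iptables -t filter -P OUTPUT DROP

# ------------------------------------------------------------- INPUT ----
# Replies to connections the router itself initiated or accepted.
iptables -t filter -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t filter -A INPUT -i lo -j ACCEPT
# SSH from the admin range.  NOTE: the catch-all SSH rule at the end of
# this chain accepts SSH from anywhere, which makes this rule redundant;
# delete that one if SSH is meant to be limited to $SSH_ADMIN_NET.
iptables -t filter -A INPUT -p tcp -s "$SSH_ADMIN_NET" --dport 22 -m state --state NEW -j ACCEPT
iptables -t filter -A INPUT -s "$BLOCKED_HOST" -j DROP
# The private side may not ping the router.
iptables -t filter -A INPUT -i "$LAN_IF" -p icmp -j DROP
# All ICMP types from every other interface.  Consider narrowing this to
# --icmp-type echo-request; error messages for tracked flows are already
# admitted as RELATED above.
iptables -t filter -A INPUT -p icmp -j ACCEPT
# SSH from anywhere ("public network").
iptables -t filter -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT

# ----------------------------------------------------------- FORWARD ----
# Blocklist first, so it also covers established flows (as before).
iptables -t filter -A FORWARD -s "$BLOCKED_HOST" -j DROP
iptables -t filter -A FORWARD -d "$NO_NAT_DEST" -j DROP
# Private -> public: everything (masqueraded in nat/POSTROUTING).
iptables -t filter -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -j ACCEPT
iptables -t filter -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# The published telnet service, limited to the DNAT'ed path (public ->
# private) rather than telnet toward $TELNET_HOST from every interface.
# Telnet is cleartext: anyone on the public side who can reach port
# $TELNET_WAN_PORT sees credentials and session content in transit.
iptables -t filter -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$TELNET_HOST" --dport 23 -m state --state NEW -j ACCEPT

# ------------------------------------------------------------ OUTPUT ----
iptables -t filter -A OUTPUT -o lo -j ACCEPT
# Replies to accepted inbound traffic and continuation of allowed outbound
# flows (ICMP echo-reply, SSH responses, FTP data channels, ICMP errors).
iptables -t filter -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# DNS, to one resolver only.  Because of the OUTPUT DROP policy this is
# also the only resolver iptables can use when it resolves the hostnames
# in the rules below at load time: point /etc/resolv.conf at it, or those
# rules fail (and, with set -e, the script stops -- still fail-closed).
iptables -t filter -A OUTPUT -p udp -d "$DNS_SERVER" --dport 53 -m state --state NEW -j ACCEPT
iptables -t filter -A OUTPUT -p tcp -d "$DNS_SERVER" --dport 53 -m state --state NEW -j ACCEPT
# Hostnames are resolved ONCE, when the rule is inserted: a name with
# several A records yields one rule per address, and a later DNS change is
# not picked up until the script is re-run.  The saved ruleset on this page
# shows them as 77.234.212.55 (proxy), .60 (ftp) and .50 (mail).
iptables -t filter -A OUTPUT -p tcp -d "proxy.ifmo.ru" --dport 3128 -m state --state NEW -j ACCEPT
# FTP control channel; the data channel is RELATED and is only accepted
# above if the FTP conntrack helper (nf_conntrack_ftp / ip_conntrack_ftp)
# is loaded.
iptables -t filter -A OUTPUT -p tcp -d "ftp.ifmo.ru" --dport 21 -m state --state NEW -j ACCEPT
# POP3 / POP3S to any server.
iptables -t filter -A OUTPUT -p tcp --dport 110 -m state --state NEW -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 995 -m state --state NEW -j ACCEPT
# SMTP / submission to the mail host only.
iptables -t filter -A OUTPUT -p tcp -d "mail.ifmo.ru" --dport 25 -m state --state NEW -j ACCEPT
iptables -t filter -A OUTPUT -p tcp -d "mail.ifmo.ru" --dport 587 -m state --state NEW -j ACCEPT
# Telnet client on the router itself, to any destination (replies come
# back as ESTABLISHED).
iptables -t filter -A OUTPUT -p tcp --dport 23 -m state --state NEW -j ACCEPT

# --------------------------------------------------------------- NAT ----
# Private side leaves through the public interface with the router's address.
iptables -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
# Publish $TELNET_HOST:23 as port $TELNET_WAN_PORT on the public interface.
iptables -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$TELNET_WAN_PORT" -j DNAT --to-destination "$TELNET_HOST:23"
# Rewrite the client address on forwarded telnet sessions to the router's
# LAN address (presumably so the target always replies via this router).
# Side effect worth knowing: the telnet server sees every external client
# as $LAN_ROUTER_IP, so its own logs cannot attribute a session to the real
# source -- only this router's conntrack table / logs can.
iptables -t nat -A POSTROUTING -o "$LAN_IF" -p tcp -d "$TELNET_HOST" --dport 23 -j SNAT --to-source "$LAN_ROUTER_IP"

# To see what the DROP policies discard, append a rate-limited LOG rule to
# each chain, e.g.:
#   iptables -t filter -A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw INPUT drop: "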