Created
April 4, 2014 04:36
Set up a wireless AP using a USB wireless card, on Gentoo, with systemd and iptables. Allow the squid proxy on port 443 from work.ip (/etc/hosts) to get around another firewall that doesn't allow ssh connections out (use corkscrew to ssh through my http proxy).
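#!/bin/bash
# Bring up a wireless access point on a USB wifi card, NAT its clients out
# through the wired uplink, then start hostapd, squid and dhcpd4.
#
# Must run as root: it loads a kernel module, configures an interface,
# rewrites the iptables filter/nat tables and toggles
# /proc/sys/net/ipv4/ip_forward. hostapd, squid and dhcpd4 are assumed to be
# configured already; they are only started here, after the firewall is up.
set -u

IPT=/sbin/iptables
ETH=enp6s0        # wired uplink; NAT egress for the wireless clients
WLAN=wlp0s26u1u6  # USB wireless card acting as the AP

# Load the driver and give the AP interface its static address.
setup_wlan() {
  modprobe rt2800usb
  sleep 2   # let the USB device register before configuring it
  ifconfig "$WLAN" 10.0.0.1 netmask 255.255.255.0
}

# Flush old rules and custom chains in the filter and nat tables.
flush_rules() {
  echo " * flushing old rules"
  "$IPT" --flush
  "$IPT" --delete-chain
  "$IPT" -t nat -F
}

# Default to dropping unsolicited inbound and forwarded traffic.
set_policies() {
  echo " * setting default policies"
  "$IPT" -P INPUT DROP
  "$IPT" -P FORWARD DROP
  "$IPT" -P OUTPUT ACCEPT
}

# Loopback is unrestricted.
allow_loopback() {
  echo " * allowing loopback devices"
  "$IPT" -A INPUT -i lo -j ACCEPT
  "$IPT" -A OUTPUT -o lo -j ACCEPT
}

# Masquerade everything leaving on the wired uplink.
# incoming:  prerouting -> INPUT
# outgoing:  output -> postrouting
# forwarded: prerouting -> forward -> postrouting
setup_nat() {
  # Transparent squid redirect, currently disabled:
  #"$IPT" -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 3128
  "$IPT" -t nat -A POSTROUTING -o "$ETH" -j MASQUERADE
}

# INPUT chain: state checks first, then the per-service openings.
setup_input() {
  local p proto

  # All TCP sessions should begin with SYN, and replies to our own
  # connections are always accepted. These two rules go ahead of every
  # per-port rule so that the port rules only ever see new SYN packets
  # (previously they were appended last, so a non-SYN "NEW" packet to an
  # open port was accepted before the check was reached).
  "$IPT" -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
  "$IPT" -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

  # Block IP spoofing on the wired side, currently disabled:
  #"$IPT" -A INPUT -i "$ETH" -s 192.168.0.0/24 -j DROP
  #"$IPT" -A INPUT -i "$ETH" -s 10.0.0.0/24 -j DROP

  # TCP-only services.
  for p in 22 8080 9001 9030 1156:1400; do
    "$IPT" -A INPUT -p tcp -m tcp --dport "$p" -j ACCEPT
  done
  # Services that listen on both TCP and UDP.
  for p in 111 2049 873 32764:32768; do
    for proto in tcp udp; do
      "$IPT" -A INPUT -p "$proto" -m "$proto" --dport "$p" -j ACCEPT
    done
  done

  # squid on 443, only from the work host. "work.ip" is a name from
  # /etc/hosts and is resolved once, when this rule is loaded; if it does
  # not resolve, iptables rejects the rule and squid is simply unreachable.
  "$IPT" -A INPUT -p tcp -m tcp --dport 443 -s work.ip -j ACCEPT

  # Allow all access from $WLAN (dhcpd, squid, ... for the wireless clients).
  #"$IPT" -A INPUT -p udp -i "$WLAN" --dport 53 -j ACCEPT
  "$IPT" -A INPUT -p tcp -i "$WLAN" -j ACCEPT
  "$IPT" -A INPUT -p udp -i "$WLAN" -j ACCEPT

  # Explicit catch-all; the chain policy is DROP as well.
  "$IPT" -A INPUT -j DROP
}

# FORWARD chain: wired <-> wireless.
setup_forward() {
  # NOTE(review): this accepts *new* connections from the uplink side into
  # the client network. With MASQUERADE and no DNAT rule it only matters for
  # hosts that have a route to 10.0.0.0/24 -- confirm it is intended, or
  # drop this line and keep only the RELATED,ESTABLISHED rule.
  "$IPT" -A FORWARD -i "$ETH" -o "$WLAN" -m conntrack --ctstate NEW -j ACCEPT
  "$IPT" -A FORWARD -i "$ETH" -o "$WLAN" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  # forward any $WLAN traffic that makes it that far
  "$IPT" -A FORWARD -i "$WLAN" -o "$ETH" -j ACCEPT
  # Explicit catch-all; the chain policy is DROP as well.
  "$IPT" -A FORWARD -j DROP
}

main() {
  setup_wlan
  flush_rules
  set_policies
  allow_loopback
  # Forwarding is kept off while the rule set is rebuilt and only turned on
  # once every FORWARD/nat rule is in place.
  echo 0 > /proc/sys/net/ipv4/ip_forward
  setup_nat
  setup_input
  setup_forward
  echo 1 > /proc/sys/net/ipv4/ip_forward
  systemctl start hostapd
  systemctl start squid
  systemctl start dhcpd4
}

main "$@"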