@ephesus
Created April 4, 2014 04:36
Set up a wireless AP using a USB wireless card on Gentoo, with systemd and iptables. Allow the squid proxy on port 443 from work.ip (resolved via /etc/hosts) to get around another firewall that doesn't allow outbound ssh connections (use corkscrew to ssh through my http proxy).
#!/bin/bash
# Bring up a USB wireless card as an access point, NAT its clients out through
# the wired interface, and open the services listed below on the host. Run as root.
IPT=/sbin/iptables
ETH=enp6s0          # wired uplink (systemd predictable interface name)
WLAN=wlp0s26u1u6    # USB wireless card that hostapd drives
modprobe rt2800usb
sleep 2             # give the USB device a moment to register its interface
# Address the AP side; 10.0.0.1/24 is the network dhcpd4 hands out on.
ifconfig $WLAN 10.0.0.1 netmask 255.255.255.0
# Flush old rules, old custom tables
echo " * flushing old rules"
$IPT --flush
$IPT --delete-chain
$IPT -t nat -F
# Set default policies for all three default chains
echo " * setting default policies"
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT
# Enable free use of loopback interfaces
echo " * allowing loopback devices"
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
# All TCP sessions should begin with SYN. This check has to come before the
# per-port ACCEPTs below; placed after them it never sees packets for those ports.
$IPT -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
# Allow established and related packets (replies to connections we opened)
$IPT -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# incoming: prerouting -> INPUT
# outgoing: output -> postrouting
# forwarded: prerouting -> forward -> postrouting
# Keep forwarding off until the FORWARD rules are in place.
echo 0 > /proc/sys/net/ipv4/ip_forward
# Transparent squid for port 80 (disabled):
#$IPT -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 3128
# NAT the 10.0.0.0/24 clients behind the wired interface's address
$IPT -t nat -A POSTROUTING -o $ETH -j MASQUERADE
#block ip spoofing: drop packets arriving on the wired side that claim a source
#address from our own networks (disabled)
#$IPT -A INPUT -i $ETH -s 192.168.0.0/24 -j DROP
#$IPT -A INPUT -i $ETH -s 10.0.0.0/24 -j DROP
# Services reachable from any interface, the wired side included
$IPT -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT        # ssh
$IPT -A INPUT -p tcp -m tcp --dport 111 -j ACCEPT       # rpcbind/portmapper (NFS)
$IPT -A INPUT -p udp -m udp --dport 111 -j ACCEPT
$IPT -A INPUT -p tcp -m tcp --dport 2049 -j ACCEPT      # nfsd
$IPT -A INPUT -p udp -m udp --dport 2049 -j ACCEPT
# squid on 443, only from the work address. iptables resolves the name via
# /etc/hosts once, when the rule is loaded; re-run the script if the entry changes.
$IPT -A INPUT -p tcp -m tcp --dport 443 -s work.ip -j ACCEPT
$IPT -A INPUT -p tcp -m tcp --dport 873 -j ACCEPT       # rsync daemon
$IPT -A INPUT -p udp -m udp --dport 873 -j ACCEPT
#$IPT -A INPUT -i $WLAN -p tcp -m tcp --dport 80 -j ACCEPT
#$IPT -A INPUT -i $WLAN -p tcp -m tcp --dport 443 -j ACCEPT
$IPT -A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
$IPT -A INPUT -p tcp -m tcp --dport 9001 -j ACCEPT      # 9001/9030 are Tor's default ORPort/DirPort
$IPT -A INPUT -p tcp -m tcp --dport 9030 -j ACCEPT
$IPT -A INPUT -p tcp --dport 1156:1400 -j ACCEPT
# 32764:32768 is the range Gentoo's NFS helper daemons (statd/mountd/lockd) are
# commonly pinned to in /etc/conf.d/nfs; assumed, the gist does not say.
$IPT -A INPUT -p tcp --dport 32764:32768 -j ACCEPT
$IPT -A INPUT -p udp --dport 32764:32768 -j ACCEPT
#$IPT -A INPUT -p udp -i $WLAN --dport 53 -j ACCEPT
#Allow all access from $WLAN: wireless clients reach every service on the host,
#DNS and DHCP included, so the AP side is fully trusted.
$IPT -A INPUT -p tcp -i $WLAN -j ACCEPT
$IPT -A INPUT -p udp -i $WLAN -j ACCEPT
# Wired -> wireless. NEW is accepted here too, so machines on the wired side can
# open connections to wireless clients; drop the first rule if that is not wanted.
$IPT -A FORWARD -i $ETH -o $WLAN -m conntrack --ctstate NEW -j ACCEPT
$IPT -A FORWARD -i $ETH -o $WLAN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
#forward any $WLAN traffic that makes it that far
$IPT -A FORWARD -i $WLAN -o $ETH -j ACCEPT
# Explicit final drops (the chain policies already drop; these show up in counters)
$IPT -A INPUT -j DROP
$IPT -A FORWARD -j DROP
echo 1 > /proc/sys/net/ipv4/ip_forward
systemctl start hostapd
systemctl start squid
systemctl start dhcpd4
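The audit below is an added example, not code from the gist. It parses an `iptables -S INPUT` listing and reports every ACCEPT rule that is reachable from any interface and any source, which against the rule set above is exactly what the wired side (and whatever sits upstream of it) can reach: ssh, rpcbind and nfsd, rsync, 8080, 9001/9030 and two port ranges. Squid on 443 is correctly absent because of its `-s work.ip`. The listing is constructed to mirror the script, with `work.ip` assumed to resolve to 203.0.113.7 (a documentation address); the real host name, interface names and ports are the gist's.

```shell
#!/bin/bash
# Added example (not from the gist): list the ports an INPUT chain leaves
# reachable from any interface and any source. Works on the `iptables -S INPUT`
# format so it can be run against a saved dump as well as the live box.

# Constructed sample of `iptables -S INPUT` after running the script above,
# with the assumed /etc/hosts entry work.ip resolved to 203.0.113.7.
# The SYN check is written the way iptables prints `! --syn`.
SAMPLE_RULES='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 111 -j ACCEPT
-A INPUT -p udp -m udp --dport 111 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2049 -j ACCEPT
-A INPUT -p udp -m udp --dport 2049 -j ACCEPT
-A INPUT -s 203.0.113.7/32 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 873 -j ACCEPT
-A INPUT -p udp -m udp --dport 873 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9001 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9030 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1156:1400 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 32764:32768 -j ACCEPT
-A INPUT -p udp -m udp --dport 32764:32768 -j ACCEPT
-A INPUT -i wlp0s26u1u6 -p tcp -j ACCEPT
-A INPUT -i wlp0s26u1u6 -p udp -j ACCEPT
-A INPUT -j DROP'

# Print "proto dport" for every ACCEPT rule that names a destination port but
# restricts neither the input interface (-i) nor the source address (-s).
world_reachable() {
    printf '%s\n' "$1" | awk '
        / -j ACCEPT/ && / --dport / && !/ -i / && !/ -s / {
            proto = ""; port = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-p") proto = $(i + 1)
                if ($i == "--dport") port = $(i + 1)
            }
            print proto, port
        }'
}

# Number of such rules, as a clean integer (no leading blanks as with wc -l).
count_world_reachable() {
    world_reachable "$1" | grep -c '^'
}

# Exit 0 if <proto> <port> is world-reachable; lo:hi port ranges are honoured.
is_reachable() {
    local rules=$1 proto=$2 port=$3
    world_reachable "$rules" | awk -v p="$proto" -v n="$port" '
        $1 == p {
            split($2, r, ":")
            lo = r[1] + 0; hi = (r[2] == "" ? r[1] : r[2]) + 0
            if (n + 0 >= lo && n + 0 <= hi) found = 1
        }
        END { if (found) exit 0; exit 1 }'
}

# Usage: on the live box substitute "$(iptables -S INPUT)" for "$SAMPLE_RULES".
echo "world-reachable ports ($(count_world_reachable "$SAMPLE_RULES") rules):"
world_reachable "$SAMPLE_RULES"
if is_reachable "$SAMPLE_RULES" tcp 2049; then
    echo "warning: nfsd (tcp/2049) is reachable from the wired side"
fi
```

Run against the live host, the rules that print are the attack surface the wired uplink sees; everything the wireless clients get comes from the separate `-i wlp0s26u1u6` rules and is deliberately left out. One caveat for the corkscrew path the description relies on: a stock squid.conf denies CONNECT to anything but its SSL_ports (443), so a CONNECT to port 22 needs an explicit http_access allow, and it should be limited to the work source address so the proxy does not become an open SSH relay.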