ephesus/gist:9968241

## gistfile1.txt
#!/bin/bash

IPT=/sbin/iptables
ETH=enp6s0
WLAN=wlp0s26u1u6

modprobe rt2800usb
sleep 2

ifconfig $WLAN 10.0.0.1 netmask 255.255.255.0

# Flush old rules, old custom tables
echo " * flushing old rules"
$IPT --flush
$IPT --delete-chain
$IPT -t nat -F

# Set default policies for all three default chains
echo " * setting default policies"
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT

# Enable free use of loopback interfaces
echo " * allowing loopback devices"
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT

# incoming: prerouting ->  INPUT
# outgoing: output -> postrouting
# forwarded: prerouting -> forward -> postrouting
echo 0 > /proc/sys/net/ipv4/ip_forward

#$IPT -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 3128
$IPT -t nat -A POSTROUTING -o $ETH -j MASQUERADE

#block ip spoofing
#$IPT -A INPUT -i $ETH -s 192.168.0.0/24 -j DROP
#$IPT -A INPUT -i $ETH -s 10.0.0.0/24 -j DROP

$IPT -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
$IPT -A INPUT -p tcp -m tcp --dport 111 -j ACCEPT
$IPT -A INPUT -p udp -m udp --dport 111 -j ACCEPT
$IPT -A INPUT -p tcp -m tcp --dport 2049 -j ACCEPT
$IPT -A INPUT -p udp -m udp --dport 2049 -j ACCEPT
$IPT -A INPUT -p tcp -m tcp --dport 443 -s work.ip -j ACCEPT
$IPT -A INPUT -p tcp -m tcp --dport 873 -j ACCEPT
$IPT -A INPUT -p udp -m udp --dport 873 -j ACCEPT
#$IPT -A INPUT -i $WLAN -p tcp -m tcp --dport 80 -j ACCEPT
#$IPT -A INPUT -i $WLAN -p tcp -m tcp --dport 443 -j ACCEPT
$IPT -A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
$IPT -A INPUT -p tcp -m tcp --dport 9001 -j ACCEPT
$IPT -A INPUT -p tcp -m tcp --dport 9030 -j ACCEPT
$IPT -A INPUT -p tcp --dport 1156:1400 -j ACCEPT
$IPT -A INPUT -p tcp --dport 32764:32768 -j ACCEPT
$IPT -A INPUT -p udp --dport 32764:32768 -j ACCEPT
#$IPT -A INPUT -p udp -i $WLAN --dport 53 -j ACCEPT

#Allow all access from $WLAN
$IPT -A INPUT -p tcp -i $WLAN -j ACCEPT
$IPT -A INPUT -p udp -i $WLAN -j ACCEPT


# All TCP sessions should begin with SYN
$IPT -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP

# Allow established and related packets
$IPT -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

$IPT -A FORWARD -i $ETH -o $WLAN -m conntrack --ctstate NEW -j ACCEPT
$IPT -A FORWARD -i $ETH -o $WLAN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
#forward any $WLAN traffic that makes it that far
$IPT -A FORWARD -i $WLAN -o $ETH -j ACCEPT

$IPT -A INPUT -j DROP
$IPT -A FORWARD -j DROP


echo 1 > /proc/sys/net/ipv4/ip_forward
systemctl start hostapd
systemctl start squid
systemctl start dhcpd4
	#!/bin/bash

	IPT=/sbin/iptables
	ETH=enp6s0
	WLAN=wlp0s26u1u6

	modprobe rt2800usb
	sleep 2

	ifconfig $WLAN 10.0.0.1 netmask 255.255.255.0

	# Flush old rules, old custom tables
	echo " * flushing old rules"
	$IPT --flush
	$IPT --delete-chain
	$IPT -t nat -F

	# Set default policies for all three default chains
	echo " * setting default policies"
	$IPT -P INPUT DROP
	$IPT -P FORWARD DROP
	$IPT -P OUTPUT ACCEPT

	# Enable free use of loopback interfaces
	echo " * allowing loopback devices"
	$IPT -A INPUT -i lo -j ACCEPT
	$IPT -A OUTPUT -o lo -j ACCEPT

	# incoming: prerouting -> INPUT
	# outgoing: output -> postrouting
	# forwarded: prerouting -> forward -> postrouting
	echo 0 > /proc/sys/net/ipv4/ip_forward

	#$IPT -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 3128
	$IPT -t nat -A POSTROUTING -o $ETH -j MASQUERADE

	#block ip spoofing
	#$IPT -A INPUT -i $ETH -s 192.168.0.0/24 -j DROP
	#$IPT -A INPUT -i $ETH -s 10.0.0.0/24 -j DROP

	$IPT -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
	$IPT -A INPUT -p tcp -m tcp --dport 111 -j ACCEPT
	$IPT -A INPUT -p udp -m udp --dport 111 -j ACCEPT
	$IPT -A INPUT -p tcp -m tcp --dport 2049 -j ACCEPT
	$IPT -A INPUT -p udp -m udp --dport 2049 -j ACCEPT
	$IPT -A INPUT -p tcp -m tcp --dport 443 -s work.ip -j ACCEPT
	$IPT -A INPUT -p tcp -m tcp --dport 873 -j ACCEPT
	$IPT -A INPUT -p udp -m udp --dport 873 -j ACCEPT
	#$IPT -A INPUT -i $WLAN -p tcp -m tcp --dport 80 -j ACCEPT
	#$IPT -A INPUT -i $WLAN -p tcp -m tcp --dport 443 -j ACCEPT
	$IPT -A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
	$IPT -A INPUT -p tcp -m tcp --dport 9001 -j ACCEPT
	$IPT -A INPUT -p tcp -m tcp --dport 9030 -j ACCEPT
	$IPT -A INPUT -p tcp --dport 1156:1400 -j ACCEPT
	$IPT -A INPUT -p tcp --dport 32764:32768 -j ACCEPT
	$IPT -A INPUT -p udp --dport 32764:32768 -j ACCEPT
	#$IPT -A INPUT -p udp -i $WLAN --dport 53 -j ACCEPT

	#Allow all access from $WLAN
	$IPT -A INPUT -p tcp -i $WLAN -j ACCEPT
	$IPT -A INPUT -p udp -i $WLAN -j ACCEPT


	# All TCP sessions should begin with SYN
	$IPT -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP

	# Allow established and related packets
	$IPT -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

	$IPT -A FORWARD -i $ETH -o $WLAN -m conntrack --ctstate NEW -j ACCEPT
	$IPT -A FORWARD -i $ETH -o $WLAN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
	#forward any $WLAN traffic that makes it that far
	$IPT -A FORWARD -i $WLAN -o $ETH -j ACCEPT

	$IPT -A INPUT -j DROP
	$IPT -A FORWARD -j DROP


	echo 1 > /proc/sys/net/ipv4/ip_forward
	systemctl start hostapd
	systemctl start squid
	systemctl start dhcpd4