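#!/usr/bin/env bash
# Gateway firewall: default-deny INPUT/OUTPUT/FORWARD with explicit allows,
# MASQUERADE for the 192.168.252.0/24 LAN out of eth0, and a few DNAT
# port forwards.
#
# Required env vars:
#   HOST_PRIVATE_IP  address on this host whose :80/:443 are redirected to the proxy
#   PROXY_IP         destination of that redirect
#
# Must run as root (iptables needs CAP_NET_ADMIN). The original mixed bare
# `iptables`, `/sbin/iptables` and `sudo iptables`; every call here uses the
# same absolute binary so PATH lookups play no part.
# NOTE(review): forwarding also requires net.ipv4.ip_forward=1, which this
# script does not set — confirm it is enabled elsewhere.
set -euo pipefail

# Fail fast on unset variables: an empty $HOST_PRIVATE_IP would otherwise
# yield the malformed match `-d /32`, and an empty $PROXY_IP a DNAT with no
# target (the original expanded both unquoted and unchecked).
: "${HOST_PRIVATE_IP:?HOST_PRIVATE_IP must be set}"
: "${PROXY_IP:?PROXY_IP must be set}"

readonly IPT=/sbin/iptables
readonly LAN_NET=192.168.252.0/24
readonly WAN_IF=eth0

# Flushing all rules. The nat table is flushed as well: the original
# flushed only the filter table, so every re-run appended duplicate
# MASQUERADE/DNAT rules to nat.
"$IPT" -F
"$IPT" -X
"$IPT" -t nat -F
"$IPT" -t nat -X
# allow all loopback connections
"$IPT" -A INPUT -i lo -j ACCEPT
"$IPT" -A OUTPUT -o lo -j ACCEPT
# allow all outgoing connections to wan
"$IPT" -A OUTPUT -o "$WAN_IF" -j ACCEPT
# allow incoming and outgoing icmp connections
"$IPT" -A INPUT -p icmp -j ACCEPT
"$IPT" -A OUTPUT -p icmp -j ACCEPT
# allow all incoming related and established connections
"$IPT" -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# allow all outgoing related and established connections
"$IPT" -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# allow ssh connections from all interfaces (including $WAN_IF, as in the
# original); add -i/-s matches here if SSH must not be reachable from the WAN
"$IPT" -A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 22 -j ACCEPT
# drop all other. Policies are set after the rules, as in the original; on a
# first run the filter table briefly has ACCEPT policies with no rules, on
# later runs the DROP policies survive the flush and the established-state
# rule above restores in-flight sessions.
"$IPT" -P OUTPUT DROP
"$IPT" -P INPUT DROP
"$IPT" -P FORWARD DROP
# NAT
"$IPT" -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
# allow forwarding all icmp
"$IPT" -A FORWARD -p icmp -j ACCEPT
# allow forwarding all related and established connections
"$IPT" -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# allow forwarding new connections from local network
"$IPT" -A FORWARD -s "$LAN_NET" -p tcp -m conntrack --ctstate NEW -m multiport --dports 80,443 -j ACCEPT
# allow forwarding all dns connections (no -s restriction, unlike the
# LAN rule above — any forwarded source may reach port 53)
"$IPT" -A FORWARD -p tcp -m conntrack --ctstate NEW -m tcp --dport 53 -j ACCEPT
"$IPT" -A FORWARD -p udp -m conntrack --ctstate NEW -m udp --dport 53 -j ACCEPT
# PORT FORWARDING
# Reroute packets destined for $HOST_PRIVATE_IP on ports 80 and 443 to go to $PROXY_IP instead.
"$IPT" -t nat -A PREROUTING -d "${HOST_PRIVATE_IP}/32" -p tcp --dport 80 -j DNAT --to-destination "$PROXY_IP"
"$IPT" -t nat -A PREROUTING -d "${HOST_PRIVATE_IP}/32" -p tcp --dport 443 -j DNAT --to-destination "$PROXY_IP"
# Accept forwarding on port 80 and 443 (-m conntrack --ctstate replaces the
# deprecated `-m state --state` alias the original used; same match)
"$IPT" -A FORWARD -p tcp -d "$PROXY_IP" --dport 80 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
"$IPT" -A FORWARD -p tcp -d "$PROXY_IP" --dport 443 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
# Expose 192.168.1.2:8080 as port 80 on $WAN_IF. PREROUTING is evaluated in
# order, so port-80 traffic to $HOST_PRIVATE_IP is already claimed by the
# DNAT above; this rule catches port-80 traffic on $WAN_IF for any other
# destination address.
# NOTE(review): 192.168.1.2 is outside $LAN_NET — confirm this gateway has a
# route to it, otherwise the DNAT target is unreachable.
"$IPT" -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 80 -j DNAT --to-destination 192.168.1.2:8080
"$IPT" -A FORWARD -p tcp -d 192.168.1.2 --dport 8080 -j ACCEPT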