@jesusprubio
Last active October 20, 2019 09:02
Just another (very) simple "GNU/Linux router" script.
#!/bin/sh
# Just another (very) simple "GNU/Linux router" script.
#
# NOTE: We suppose two interfaces are correctly connected and that the external
# interface is already connected to the Internet/other network at this point.
#
# Copyright (c) Jesús Pérez
# Licensed under GPLv3 - http://www.gnu.org/licenses/gpl-3.0.html

# Variables
# External interface
EXTIF="wlan0"
# Internal LAN
#LAN="192.168.0.0/24"

# Flush all existing rules (filter and nat tables)
echo "Deleting all rules ..."
iptables -F
iptables -t nat -F

# Enables IP-forwarding (if not already enabled)
#echo "Enabling IP-forwarding ..."
#echo 1 > /proc/sys/net/ipv4/ip_forward

# Default policies: allows all outbound traffic; drops all inbound and
# forwarded traffic unless explicitly allowed below (default deny)
echo "Applying rules ..."
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

# Allows all loopback (lo) traffic and rejects traffic to 127/8 that doesn't
# arrive on lo (spoofed loopback addresses)
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT

# Allows all established inbound connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allows ping (ICMP type 8 = echo request)
iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

# Allows NAT over the external interface and forwards LAN traffic through it
# (needs LAN defined above and IP-forwarding enabled)
#iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
#iptables -A FORWARD -s $LAN -o $EXTIF -j ACCEPT
#iptables -A FORWARD -d $LAN -i $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allows PPTP
#iptables -A INPUT -p tcp --dport 1723 -j ACCEPT
# which needs the GRE protocol (IP protocol 47)
#iptables -A INPUT -p 47 -j ACCEPT
# TO TEST: iptables -A INPUT -p 47 --dport 1723 -j ACCEPT
# (note: --dport only exists for the tcp/udp matches, so this variant won't load)

# Allows SSH (only from the intranet, i.e. not arriving on the external interface)
#iptables -A INPUT ! -i $EXTIF -p tcp --dport 6439 -j ACCEPT
# Rate-limits new incoming SSH connections on the external interface to 3 in a
# one minute window, logging the attempt (warning level) and then dropping it.
# The LOG rule must precede the DROP rule: a rule placed after DROP is never reached.
#iptables -A INPUT -i $EXTIF -p tcp --dport 6439 -m state --state NEW -m recent --set --name SSH
#iptables -A INPUT -i $EXTIF -p tcp --dport 6439 -m state --state NEW -m recent --update --seconds 60 --hitcount 3 --rttl --name SSH -j LOG --log-level 4 --log-prefix "SSH bruteforcing attempt!:"
#iptables -A INPUT -i $EXTIF -p tcp --dport 6439 -m state --state NEW -m recent --update --seconds 60 --hitcount 3 --rttl --name SSH -j DROP
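As an added example (not part of the gist), the POSIX sh script below audits an `iptables -S` style dump for the two properties the router script relies on: DROP default policies on INPUT and FORWARD, and a LOG rule placed ahead of its DROP rule in the `-m recent` SSH block. The dumps are constructed inline, and `policy_is_drop` / `log_before_drop` are names chosen here.

```shell
#!/bin/sh
# Added example (not part of the gist): audits an `iptables -S` style dump for two
# properties the router script above depends on:
#   1. INPUT and FORWARD default policies are DROP (the "default deny" comes from
#      the -P policy line, not from a trailing "-j DROP" rule);
#   2. in a `-m recent` rate-limit block the LOG rule comes before the DROP rule,
#      since a LOG rule placed after DROP is never reached.
# Both dumps below are constructed by hand to resemble the script's output.

# Constructed dump with the SSH block in LOG-after-DROP order (LOG unreachable).
MISORDERED_RULES='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -i wlan0 -p tcp -m tcp --dport 6439 -m state --state NEW -m recent --set --name SSH
-A INPUT -i wlan0 -p tcp -m tcp --dport 6439 -m state --state NEW -m recent --update --seconds 60 --hitcount 3 --rttl --name SSH -j DROP
-A INPUT -i wlan0 -p tcp -m tcp --dport 6439 -m state --state NEW -m recent --update --seconds 60 --hitcount 3 --rttl --name SSH -j LOG --log-prefix "SSH bruteforcing attempt!:" --log-level 4'

# Constructed dump with the same SSH block in the correct LOG-before-DROP order.
ORDERED_RULES='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i wlan0 -p tcp -m tcp --dport 6439 -m state --state NEW -m recent --set --name SSH
-A INPUT -i wlan0 -p tcp -m tcp --dport 6439 -m state --state NEW -m recent --update --seconds 60 --hitcount 3 --rttl --name SSH -j LOG --log-prefix "SSH bruteforcing attempt!:" --log-level 4
-A INPUT -i wlan0 -p tcp -m tcp --dport 6439 -m state --state NEW -m recent --update --seconds 60 --hitcount 3 --rttl --name SSH -j DROP'

# policy_is_drop CHAIN RULES: succeeds if CHAIN's default policy in RULES is DROP.
policy_is_drop() {
    printf '%s\n' "$2" | grep -q "^-P $1 DROP\$"
}

# log_before_drop NAME RULES: succeeds if, among the rules using the `recent`
# list NAME, the first LOG target appears before the first DROP target.
log_before_drop() {
    matched=$(printf '%s\n' "$2" | grep -E -- "--name $1( |\$)")
    log_line=$(printf '%s\n' "$matched" | grep -n -- '-j LOG' | head -n 1 | cut -d: -f1)
    drop_line=$(printf '%s\n' "$matched" | grep -n -- '-j DROP' | head -n 1 | cut -d: -f1)
    [ -n "$log_line" ] && [ -n "$drop_line" ] && [ "$log_line" -lt "$drop_line" ]
}

# Stand-alone run: report on both constructed dumps.
for name in MISORDERED_RULES ORDERED_RULES; do
    eval "rules=\$$name"
    if policy_is_drop INPUT "$rules" && policy_is_drop FORWARD "$rules"; then echo "$name: default deny ok"; fi
    if log_before_drop SSH "$rules"; then echo "$name: LOG precedes DROP"; else echo "$name: LOG rule unreachable"; fi
done
```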

x5qubits commented Oct 20, 2019

You have no drop here, therefore everything is open.

PS
iptables -A INPUT -j DROP
