CentOS Router Setup
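#!/bin/bash
# CentOS router setup: hostname, IP forwarding, and a baseline iptables policy.
#
# Everything below (sysctl -w, writing /etc/sysctl.d, iptables) needs root.
# The original script used `sudo -s` mid-way, which opens an interactive root
# shell and stalls the rest of the script, so the privilege check is done up
# front instead; `ll` (an interactive alias, absent in a script) is dropped.
set -euo pipefail

if (( EUID != 0 )); then
  printf '%s\n' "error: this script must be run as root" >&2
  exit 1
fi

# Set hostname
hostnamectl set-hostname router

# view interfaces
ip addr show

# enable ip forwarding w/ out reboot, but not persistent after reboot
sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv6.conf.all.forwarding=1

# enable ip forwarding after reboot
# The drop-in is rewritten from scratch (>) on every run, then appended to.
readonly sysctl_conf="/etc/sysctl.d/100-sysctl.conf"
printf '%s\n' 'net.ipv4.ip_forward = 1' > "$sysctl_conf"
printf '%s\n' 'net.ipv6.conf.all.forwarding = 1' >> "$sysctl_conf"

# verify ip forwarding changes
# Query the keys directly rather than `sysctl -a | grep`; exact key, no
# accidental substring matches, and a missing key is a non-zero status.
sysctl net.ipv4.ip_forward
sysctl net.ipv6.conf.all.forwarding

# public and private interface variables
## used for iptables / firewall rules
readonly public="enp1s0"
readonly private="enp0s20u2u2"

# clear out all rules
# NOTE: -F only flushes rules; chain policies are left as they were.
iptables -F

# List all firewall rules
iptables -L -n

# To accept all traffic on your loopback interface
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# accept packets that are part of communications already
# This rule is inserted before INPUT's policy is switched to DROP at the end,
# so an ssh session already open while this runs is not cut off.
iptables -A INPUT -s 0/0 -m state --state RELATED,ESTABLISHED -j ACCEPT

# allow established outgoing connections
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT

# private to public
# NOTE: the FORWARD policy is not changed by this script, so this rule only
# becomes restrictive once that policy is tightened; no NAT (MASQUERADE) is
# configured here either.
iptables -A FORWARD -i "$private" -o "$public" -j ACCEPT

# drop invalid packets
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP

# block an ip address and don't let them know you blocked them
#iptables -A INPUT -s 15.15.15.51 -j DROP
# block an ip address and send a packet saying blocked to them
#iptables -A INPUT -s 15.15.15.51 -j REJECT
# block connections to an interface from a public IP
#iptables -A INPUT -i "$public" -s 15.15.15.51 -j DROP

# allow incoming ssh from any RFC1918 private ipv4 subnets
iptables -A INPUT -p tcp -s 10.0.0.0/8 --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -s 172.16.0.0/12 --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -s 192.168.0.0/16 --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

# allow outgoing ssh
iptables -A OUTPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT

# allow incoming rsync from an ip address
# iptables -A INPUT -p tcp -s 15.15.15.0/24 --dport 873 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -p tcp --sport 873 -m conntrack --ctstate ESTABLISHED -j ACCEPT

# allow all incoming http
iptables -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 80 -m conntrack --ctstate ESTABLISHED -j ACCEPT

# allow all incoming https
# (root is already required above, so the per-line `sudo` is gone.)
iptables -A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 443 -m conntrack --ctstate ESTABLISHED -j ACCEPT

# drop all packets not explicitly allowed
# Set last, after every ACCEPT rule above is in place.
iptables -P INPUT DROP

# NOTE: only the IPv4 filter table is configured. IPv6 forwarding was enabled
# above but no ip6tables rules are set here, so IPv6 traffic is forwarded and
# accepted unfiltered. The rules above live in the running kernel only; nothing
# in this script persists them across a reboot.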