Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
CentOS Router Setup
#!/bin/bash
# Set hostname
hostnamectl set-hostname router
# view interfaces
ip addr show
# enable ip forwarding w/ out reboot, but not persistent after reboot
sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv6.conf.all.forwarding=1
# enable ip forwarding after reboot
sudo -s
ll /etc/sysctl.d/
echo 'net.ipv4.ip_forward = 1' > /etc/sysctl.d/100-sysctl.conf
echo "net.ipv6.conf.all.forwarding = 1" >> /etc/sysctl.d/100-sysctl.conf
# verify ip forwarding changes
sysctl -a | grep net.ipv4.ip_forward
sysctl -a | grep net.ipv6.conf.all.forwarding
# public and private interface variables
## used for iptables / firewall rules
public="enp1s0"
private="enp0s20u2u2"
# clear out all rules
iptables -F
# List all firewall rules
iptables -L -n
# To accept all traffic on your loopback interface
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# accept packets that are part of communications already
iptables -A INPUT -s 0/0 -m state --state RELATED,ESTABLISHED -j ACCEPT
# allow established outgoing connections
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
# private to public
iptables -A FORWARD -i $private -o $public -j ACCEPT
# drop invalid packets
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
# block an ip address and don't let them know you blocked them
#iptables -A INPUT -s 15.15.15.51 -j DROP
# block an ip address and send a packet saying blocked to them
#iptables -A INPUT -s 15.15.15.51 -j REJECT
# block connections to an interface from a public IP
#iptables -A INPUT -i $public -s 15.15.15.51 -j DROP
# allow incoming ssh from any RFC1918 private ipv4 subnets
iptables -A INPUT -p tcp -s 10.0.0.0/8 --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -s 172.16.0.0/12 --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -s 192.168.0.0/16 --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
# allow outgoing ssh
iptables -A OUTPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
# allow incoming rsync from an ip address
# iptables -A INPUT -p tcp -s 15.15.15.0/24 --dport 873 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -p tcp --sport 873 -m conntrack --ctstate ESTABLISHED -j ACCEPT
# allow all incoming http
iptables -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 80 -m conntrack --ctstate ESTABLISHED -j ACCEPT
# allow all incoming https
sudo iptables -A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -p tcp --sport 443 -m conntrack --ctstate ESTABLISHED -j ACCEPT
# drop all packets not explicitly allowed
iptables -P INPUT DROP
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.