CentOS Router Setup
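#!/bin/bash
#
# CentOS router setup: set the hostname, enable IPv4/IPv6 forwarding (live
# now and persistently via /etc/sysctl.d), and load a default-deny iptables
# ruleset that forwards traffic from the private interface to the public one.
#
# Must be run as root: hostnamectl, sysctl -w, writing under /etc/sysctl.d and
# iptables all require it. Run it from a console or over a connection that
# matches one of the ACCEPT rules below -- the final INPUT DROP policy cuts
# off anything not explicitly allowed.
#
# Globals:   public, private - interface names used in the iptables rules
# Outputs:   interface listing and sysctl verification to stdout
# Returns:   0 on success; exits 1 on any failed command
set -euo pipefail

die() { printf '%s\n' "$*" >&2; exit 1; }

# The original used `sudo -s` mid-script: that opens an interactive root
# shell and blocks there, and the remaining commands run unprivileged only
# after it exits. Require root up front instead.
(( EUID == 0 )) || die "this script must be run as root"

# public and private interface variables
## used for iptables / firewall rules
readonly public="enp1s0"
readonly private="enp0s20u2u2"

# Refuse to install rules referencing interfaces that do not exist; a typo
# here would otherwise load a ruleset that forwards nothing.
for ifname in "$public" "$private"; do
  ip link show dev "$ifname" >/dev/null 2>&1 || die "interface not found: $ifname"
done

# Set hostname
hostnamectl set-hostname router

# view interfaces
ip addr show

# enable ip forwarding w/ out reboot, but not persistent after reboot
sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv6.conf.all.forwarding=1

# enable ip forwarding after reboot
readonly sysctl_conf="/etc/sysctl.d/100-sysctl.conf"
# `ll` is an interactive alias and is not defined in a script
ls -l /etc/sysctl.d/
printf '%s\n' \
  'net.ipv4.ip_forward = 1' \
  'net.ipv6.conf.all.forwarding = 1' > "$sysctl_conf"

# verify ip forwarding changes -- query the keys directly rather than
# grepping `sysctl -a`, which also matches unrelated per-interface keys
sysctl net.ipv4.ip_forward net.ipv6.conf.all.forwarding

# clear out all rules (filter table only, as before; nat/mangle are untouched).
# Reset the policies to ACCEPT first so that a re-run on a host whose INPUT
# policy is already DROP does not drop all inbound traffic between the flush
# and the rules being re-added.
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -F

# To accept all traffic on your loopback interface
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# accept packets that are part of communications already
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# allow established outgoing connections
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT

# drop invalid packets
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP

# private to public
iptables -A FORWARD -i "$private" -o "$public" -j ACCEPT
# replies to those connections back to the private side
iptables -A FORWARD -i "$public" -o "$private" \
  -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# block an ip address and don't let them know you blocked them
#iptables -A INPUT -s 15.15.15.51 -j DROP
# block an ip address and send a packet saying blocked to them
#iptables -A INPUT -s 15.15.15.51 -j REJECT
# block connections to an interface from a public IP
#iptables -A INPUT -i "$public" -s 15.15.15.51 -j DROP

# allow incoming ssh from any RFC1918 private ipv4 subnets
for rfc1918_net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
  iptables -A INPUT -p tcp -s "$rfc1918_net" --dport 22 \
    -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
done

# allow outgoing ssh
iptables -A OUTPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT

# allow incoming rsync from an ip address
# iptables -A INPUT -p tcp -s 15.15.15.0/24 --dport 873 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -p tcp --sport 873 -m conntrack --ctstate ESTABLISHED -j ACCEPT

# allow all incoming http
iptables -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 80 -m conntrack --ctstate ESTABLISHED -j ACCEPT

# allow all incoming https
iptables -A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 443 -m conntrack --ctstate ESTABLISHED -j ACCEPT

# drop all packets not explicitly allowed
iptables -P INPUT DROP
# The original left FORWARD at its ACCEPT default, which forwards any new
# connection arriving on the public interface into the private network.
# The two FORWARD rules above cover what the router needs, so apply the
# same default-deny here.
iptables -P FORWARD DROP

# List all firewall rules
iptables -L -n -v

# NOTE: the iptables rules above are live only and do not survive a reboot;
# persist them with `iptables-save` (or the distribution's iptables service)
# if that is required.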