@kaiiiz
Last active July 3, 2020 08:23
2018 NA HW3 - firewall
#!/bin/bash
# 2018 NA HW3 firewall: NAT between the external interface and the LXC bridge,
# with per-source-host access control for SSH and FTP into a container.
EXTIF="eth0"
INTIF="lxcbr0"
INTNET="10.0.3.0/24"   # network behind $INTIF (the 10.0.3.x addresses used below)
WEB1="140.113.235.151 140.113.235.152 140.113.235.153 140.113.235.154" #linux
WEB2="140.113.235.131 140.113.235.132 140.113.235.133 140.113.235.134" #bsd
# Clean tables: flush filter and nat rules, delete user chains, zero counters,
# and reset the default policies to ACCEPT
iptables -F
iptables -t nat -F
iptables -X
iptables -Z
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
# Allow localhost and return traffic for connections already tracked on $EXTIF
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i $EXTIF -m state --state RELATED,ESTABLISHED -j ACCEPT
# Reject bsd: answer with a TCP RST so the client fails immediately
for ip in $WEB2; do
    iptables -A INPUT -s $ip -p tcp -m tcp --dport 222 -j REJECT --reject-with tcp-reset
    iptables -A INPUT -s $ip -p tcp -m tcp --dport 20 -j REJECT --reject-with tcp-reset
    iptables -A INPUT -s $ip -p tcp -m tcp --dport 21 -j REJECT --reject-with tcp-reset
done
# Allow linux: DNAT happens in PREROUTING, before the filter rules below, so these
# packets reach FORWARD (destination 10.0.3.150) or INPUT with dport 2121
# (destination 10.0.3.1) and never match the port 222/21 DROP rules
for ip in $WEB1; do
    iptables -t nat -A PREROUTING -s $ip -i $EXTIF -p tcp -m tcp --dport 222 -j DNAT --to-destination 10.0.3.150:22 #SSH
    iptables -t nat -A PREROUTING -s $ip -i $EXTIF -p tcp -m tcp --dport 20 -j DNAT --to-destination 10.0.3.150:20 #FTP
    iptables -t nat -A PREROUTING -s $ip -i $EXTIF -p tcp -m tcp --dport 21 -j DNAT --to-destination 10.0.3.1:2121 #FTP
done
# Drop other connections to these ports (every other port is still accepted by
# the INPUT policy set above)
iptables -A INPUT -p tcp -m tcp --dport 222 -j DROP
iptables -A INPUT -p tcp -m tcp --dport 21 -j DROP
# Drop ICMP ECHO-REPLY so the host does not answer pings
iptables -A OUTPUT -p icmp -m icmp --icmp-type 0 -j DROP
# NAT: DNS and DHCP from the containers (redundant while the INPUT policy is
# ACCEPT), forwarding in both directions, and masquerading of the internal network.
# MASQUERADE matches on the source network: -s takes an address or CIDR, not an
# interface name, so "-s $INTIF" is rejected by iptables.
iptables -A INPUT -i $INTIF -p tcp -m tcp --dport 53 -j ACCEPT
iptables -A INPUT -i $INTIF -p udp -m udp --dport 53 -j ACCEPT
iptables -A INPUT -i $INTIF -p tcp -m tcp --dport 67 -j ACCEPT
iptables -A INPUT -i $INTIF -p udp -m udp --dport 67 -j ACCEPT
iptables -A FORWARD -o $INTIF -j ACCEPT
iptables -A FORWARD -i $INTIF -j ACCEPT
iptables -t nat -A POSTROUTING -s $INTNET -o $EXTIF -j MASQUERADE
# Print the resulting ruleset for inspection (the script already runs as root)
iptables-save
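The script above leaves every default policy at ACCEPT, so its DROP rules only cover ports 222 and 21 and the DNS/DHCP ACCEPT rules never matter; it also masquerades by interface name, which iptables does not accept. The following is an added example, not the gist author's code, showing the same policy rebuilt on default-DROP chains with the extra INPUT/FORWARD allows that DNATed flows then need, a dry-run mode for reviewing the generated rules, and masquerading keyed on the source network. It assumes things the page does not state: the bridge network is 10.0.3.0/24 (the default LXC range, consistent with the 10.0.3.x targets), the host's own sshd listens on 22 and must stay reachable, and 10.0.3.1:2121 is an FTP proxy on the host. The `ipt`, `build_ruleset`, `DRY_RUN`, `FW_APPLY`, `INTNET` and `CONTAINER` names are this example's own.

```bash
#!/bin/bash
# Hardened rework of the HW3 ruleset (added example, not the gist author's code).
# Assumptions not stated on the page: the bridge network is 10.0.3.0/24 (default LXC
# range, consistent with the 10.0.3.x targets); the host's own sshd listens on 22;
# 10.0.3.1:2121 is an FTP proxy on the host. DRY_RUN=1 prints each iptables command
# instead of running it; FW_APPLY=1 applies the ruleset (root required).

EXTIF="eth0"
INTIF="lxcbr0"
INTNET="10.0.3.0/24"
CONTAINER="10.0.3.150"
WEB1="140.113.235.151 140.113.235.152 140.113.235.153 140.113.235.154" # linux: allowed
WEB2="140.113.235.131 140.113.235.132 140.113.235.133 140.113.235.134" # bsd: rejected

# ipt: wrapper so the whole ruleset can be reviewed before it is loaded.
ipt() {
  if [ "${DRY_RUN:-0}" = 1 ]; then
    echo "iptables $*"
  else
    iptables "$@"
  fi
}

build_ruleset() {
  # Flush filter and nat, delete user chains, then default to DROP: anything not
  # matched explicitly below is denied instead of being silently accepted.
  ipt -F; ipt -t nat -F; ipt -X; ipt -t nat -X; ipt -Z
  ipt -P INPUT DROP
  ipt -P FORWARD DROP
  ipt -P OUTPUT ACCEPT

  # Loopback, return traffic for tracked connections, and nothing conntrack cannot place.
  ipt -A INPUT -i lo -j ACCEPT
  ipt -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  ipt -A INPUT -m conntrack --ctstate INVALID -j DROP
  ipt -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

  # Admin access to the host itself (assumed sshd on 22); without this a DROP policy
  # locks the administrator out the moment the script runs.
  ipt -A INPUT -i "$EXTIF" -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT

  # BSD hosts: answer with RST so their client fails fast instead of timing out.
  for ip in $WEB2; do
    ipt -A INPUT -i "$EXTIF" -s "$ip" -p tcp -m multiport --dports 20,21,222 -j REJECT --reject-with tcp-reset
  done

  # Linux hosts: DNAT as in the original, plus the filter rules a DROP default needs.
  # DNAT runs in PREROUTING, so the SSH/FTP-data flows reach FORWARD with the container
  # address and the FTP-control flow reaches INPUT with dport 2121.
  for ip in $WEB1; do
    ipt -t nat -A PREROUTING -i "$EXTIF" -s "$ip" -p tcp --dport 222 -j DNAT --to-destination "$CONTAINER:22"
    ipt -t nat -A PREROUTING -i "$EXTIF" -s "$ip" -p tcp --dport 20 -j DNAT --to-destination "$CONTAINER:20"
    ipt -t nat -A PREROUTING -i "$EXTIF" -s "$ip" -p tcp --dport 21 -j DNAT --to-destination 10.0.3.1:2121
    ipt -A FORWARD -i "$EXTIF" -o "$INTIF" -s "$ip" -d "$CONTAINER" -p tcp -m multiport --dports 20,22 -m conntrack --ctstate NEW -j ACCEPT
    ipt -A INPUT -i "$EXTIF" -s "$ip" -p tcp --dport 2121 -m conntrack --ctstate NEW -j ACCEPT
  done

  # Host services for the containers only: DNS and DHCP on the bridge.
  ipt -A INPUT -i "$INTIF" -p udp -m multiport --dports 53,67 -j ACCEPT
  ipt -A INPUT -i "$INTIF" -p tcp --dport 53 -j ACCEPT

  # Containers may initiate outbound connections; masquerade by source network
  # (-s takes an address or CIDR, never an interface name).
  ipt -A FORWARD -i "$INTIF" -o "$EXTIF" -s "$INTNET" -m conntrack --ctstate NEW -j ACCEPT
  ipt -t nat -A POSTROUTING -s "$INTNET" -o "$EXTIF" -j MASQUERADE

  # Keep the original behaviour of not answering pings.
  ipt -A OUTPUT -p icmp --icmp-type echo-reply -j DROP
}

# Review helpers: render the ruleset without touching the kernel.
ruleset_lines() { ( DRY_RUN=1; build_ruleset ); }
count_dnat_rules() { ruleset_lines | grep -c -- '-j DNAT'; }
masquerade_source() { ruleset_lines | grep -- '-j MASQUERADE' | sed 's/.*-s \([^ ]*\).*/\1/'; }
input_policy() { ruleset_lines | grep -- '-P INPUT' | awk '{print $NF}'; }

if [ "${FW_APPLY:-0}" = 1 ]; then
  build_ruleset
fi
```

Run it as `DRY_RUN=1 ./fw.sh` and pipe through `ruleset_lines` to read the exact commands before loading them with `FW_APPLY=1`; the review helpers are the kind of checks worth keeping in a firewall script, since a default-DROP ruleset that is missing one allow rule fails closed on the administrator too.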