2018 NA HW3 - firewall
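#!/bin/bash
# 2018 NA HW3 - firewall
#
# Rebuilds the filter and nat tables from scratch for a host with one external
# interface (EXTIF) and one LXC bridge (INTIF):
#   * hosts in WEB2 ("bsd") get their attempts on tcp/222, tcp/20 and tcp/21
#     refused with a TCP reset
#   * hosts in WEB1 ("linux") have tcp/222, tcp/20 and tcp/21 forwarded (DNAT)
#     to containers behind INTIF
#   * every other source is dropped on tcp/222 and tcp/21 (INPUT chain)
#   * outgoing ICMP echo-reply is dropped, so the host does not answer ping
#   * containers may reach the host for DNS (53) and DHCP (67) and are
#     masqueraded when they go out through EXTIF
#
# The default policies stay ACCEPT, so anything not matched below is allowed;
# the per-port DROP rules are a deny-list, not a default-deny firewall.
#
# Must run as root. Prints the resulting rule set with iptables-save.
set -euo pipefail

readonly EXTIF="eth0"
readonly INTIF="lxcbr0"
# Source network for the MASQUERADE rule. The original passed the interface
# name here, but `-s` expects an address/network, not an interface, so that
# rule never loaded. 10.0.3.0/24 is inferred from the 10.0.3.x DNAT targets
# below -- TODO confirm against the address actually configured on ${INTIF}.
readonly INTNET="10.0.3.0/24"
readonly -a WEB1=(140.113.235.151 140.113.235.152 140.113.235.153 140.113.235.154) # linux
readonly -a WEB2=(140.113.235.131 140.113.235.132 140.113.235.133 140.113.235.134) # bsd

# Print a message to stderr and abort.
die() { printf '%s\n' "$*" >&2; exit 1; }

# iptables needs CAP_NET_ADMIN; fail early with a clear message instead of
# failing on the first rule.
(( EUID == 0 )) || die "this script must run as root"

# Clean tables (filter and nat: rules, user chains and counters)
iptables -F
iptables -t nat -F
iptables -X
iptables -t nat -X
iptables -Z
iptables -t nat -Z
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

# Allow localhost, and replies to connections the host initiated on EXTIF
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i "$EXTIF" -m state --state RELATED,ESTABLISHED -j ACCEPT

# Reject bsd: these sources are not DNAT'd, so their packets reach INPUT and
# are answered with a reset rather than silently dropped.
for ip in "${WEB2[@]}"; do
  for port in 222 20 21; do
    iptables -A INPUT -s "$ip" -p tcp -m tcp --dport "$port" -j REJECT --reject-with tcp-reset
  done
done

# Allow linux: rewrite the destination in PREROUTING so the traffic takes the
# FORWARD path to the containers instead of INPUT.
for ip in "${WEB1[@]}"; do
  iptables -t nat -A PREROUTING -s "$ip" -i "$EXTIF" -p tcp -m tcp --dport 222 -j DNAT --to-destination 10.0.3.150:22  # SSH
  iptables -t nat -A PREROUTING -s "$ip" -i "$EXTIF" -p tcp -m tcp --dport 20  -j DNAT --to-destination 10.0.3.150:20  # FTP
  iptables -t nat -A PREROUTING -s "$ip" -i "$EXTIF" -p tcp -m tcp --dport 21  -j DNAT --to-destination 10.0.3.1:2121  # FTP
done

# Drop others connection
# NOTE(review): tcp/20 is not in this list, so sources outside WEB1/WEB2 reach
# the ACCEPT policy on that port; confirm whether that is intended.
iptables -A INPUT -p tcp -m tcp --dport 222 -j DROP
iptables -A INPUT -p tcp -m tcp --dport 21 -j DROP

# Drop ICMP ECHO-REPLY (icmp-type 0) leaving the host
iptables -A OUTPUT -p icmp -m icmp --icmp-type 0 -j DROP

# NAT: let containers use the host for DNS/DHCP, forward both ways on the
# bridge, and masquerade container traffic leaving on EXTIF.
iptables -A INPUT -i "$INTIF" -p tcp -m tcp --dport 53 -j ACCEPT
iptables -A INPUT -i "$INTIF" -p udp -m udp --dport 53 -j ACCEPT
iptables -A INPUT -i "$INTIF" -p tcp -m tcp --dport 67 -j ACCEPT
iptables -A INPUT -i "$INTIF" -p udp -m udp --dport 67 -j ACCEPT
iptables -A FORWARD -o "$INTIF" -j ACCEPT
iptables -A FORWARD -i "$INTIF" -j ACCEPT
iptables -t nat -A POSTROUTING -s "$INTNET" -o "$EXTIF" -j MASQUERADE

# Show the loaded rule set (already root, so no sudo needed)
iptables-save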