Last active
September 17, 2016 10:32
-
-
Save kevinzhow/984f55af8b6c901814b1 to your computer and use it in GitHub Desktop.
iptables_ipsec_pptp.rules
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/bin/sh | |
# Flush old rules, old custom tables | |
/sbin/iptables --flush | |
/sbin/iptables --flush -t nat | |
/sbin/iptables --delete-chain | |
# Set default policies for all three default chains | |
/sbin/iptables -P INPUT DROP | |
/sbin/iptables -P FORWARD DROP | |
/sbin/iptables -P OUTPUT ACCEPT | |
# Enable free use of loopback interfaces | |
/sbin/iptables -A INPUT -i lo -j ACCEPT | |
/sbin/iptables -A OUTPUT -o lo -j ACCEPT | |
# Allow VPN forwarding | |
/sbin/iptables -A FORWARD -i tun+ -j ACCEPT | |
/sbin/iptables -A FORWARD -o tun+ -j ACCEPT | |
/sbin/iptables -A FORWARD -i dns+ -j ACCEPT | |
/sbin/iptables -A FORWARD -o dns+ -j ACCEPT | |
/sbin/iptables -F FORWARD | |
/sbin/iptables -A FORWARD -j ACCEPT | |
/sbin/iptables -I FORWARD -s 172.7.0.0/24 -p tcp --syn -i ppp+ -j TCPMSS --set-mss 1300 | |
# Accept limited inbound ICMP messages | |
/sbin/iptables -I INPUT -p icmp --icmp-type echo-request -m recent --set | |
/sbin/iptables -I INPUT -p icmp --icmp-type echo-request -m recent --update --seconds 5 --hitcount 10 -j DROP | |
/sbin/iptables -A INPUT -p icmp -j ACCEPT | |
# All TCP sessions should begin with SYN | |
/sbin/iptables -A INPUT -p tcp ! --syn -m state --state NEW -s 0/0 -j DROP | |
# Accept inbound TCP packets | |
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT | |
/sbin/iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT | |
/sbin/iptables -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT | |
/sbin/iptables -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT | |
/sbin/iptables -A INPUT -p tcp --dport 8088 -m state --state NEW -j ACCEPT | |
/sbin/iptables -A INPUT -p gre -j ACCEPT | |
# Accept inbound UDP packets | |
/sbin/iptables -A INPUT -p udp -m udp --dport 53 -j ACCEPT | |
/sbin/iptables -A INPUT -p udp -m udp --dport 1194 -j ACCEPT | |
/sbin/iptables -A INPUT -p 47 -j ACCEPT | |
/sbin/iptables -A OUTPUT -p 47 -j ACCEPT | |
/sbin/iptables -A INPUT -i ppp+ -j ACCEPT | |
/sbin/iptables -A OUTPUT -o ppp+ -j ACCEPT | |
/sbin/iptables -A INPUT -p tcp -m tcp --dport 1723 -j ACCEPT | |
# Accept IPSEC packets | |
/sbin/iptables -A INPUT -p esp -j ACCEPT | |
/sbin/iptables -A INPUT -p 50 -j ACCEPT | |
/sbin/iptables -A INPUT -p 51 -j ACCEPT | |
/sbin/iptables -A INPUT -p udp --dport 500 -j ACCEPT | |
/sbin/iptables -A INPUT -p udp --dport 4500 -j ACCEPT | |
/sbin/iptables -A INPUT -p udp --dport 8088 -j ACCEPT | |
/sbin/iptables -A INPUT -p udp --dport 53 -j ACCEPT | |
# VPN NAT | |
/sbin/iptables -t nat -A POSTROUTING -s 172.7.0.0/24 -o eth0 -j MASQUERADE | |
/sbin/iptables -t nat -A POSTROUTING -s 10.7.0.0/24 -o eth0 -j MASQUERADE | |
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE | |
/sbin/iptables -t nat -A POSTROUTING -o venet0 -j MASQUERADE | |
/sbin/iptables -t nat -A POSTROUTING -o venet0:0 -j MASQUERADE |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment