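#!/usr/bin/env bash
#
# Stateful IPv4 firewall for a small router/NAT box: default-deny on INPUT,
# FORWARD and OUTPUT, masquerading for hosts on the internal network, and a
# few services (DHCP, SSH, DNS) reachable only from the internal LAN.
#
# Required environment:
#   INT      - name of the internal (LAN) interface. The original script
#              referenced $INT without ever assigning it, so under `nounset`
#              it aborted at the first DHCP rule, after the old rules had
#              already been flushed; it is now a mandatory variable checked
#              before any rule is touched.
# Optional environment (defaults match the original hard-coded values):
#   EXT      - external (WAN) interface, default enp3s0
#   INT_NET  - internal network in CIDR form, default 192.168.0.0/24
#
# Scope notes:
#   - Only iptables (IPv4) is configured; ip6tables is not touched, so this
#     script says nothing about IPv6 reachability of the host.
#   - MASQUERADE/FORWARD rules only take effect with net.ipv4.ip_forward=1,
#     which is not set here.
#   - OUTPUT is default-deny: besides replies (ESTABLISHED,RELATED) only
#     TCP/UDP out "$EXT" and anything to "$INT_NET" out "$INT" is allowed.
#     Add a rule if the firewall itself needs other outbound protocols.
set -o errexit
set -o nounset
set -o pipefail

# Fixed search path so iptables is taken from a system directory rather than
# whatever the caller's PATH contains (Debian-style systems keep it in
# /usr/sbin, hence both entries).
PATH="/usr/sbin:/sbin"

EXT=${EXT:-enp3s0}
INT_NET=${INT_NET:-192.168.0.0/24}
# Fail before any rule is flushed if the internal interface is not given.
: "${INT:?internal (LAN) interface name must be set, e.g. INT=<lan-iface>}"

# iptables needs root; a plain user would otherwise get a partial failure
# after the first command.
if [[ $EUID -ne 0 ]]; then
  printf 'error: this script must be run as root\n' >&2
  exit 1
fi

echo "Setting default policies"
# Policies are set before flushing so that the flush never leaves a window
# with an ACCEPT default on INPUT/FORWARD. The original left OUTPUT at the
# kernel default (ACCEPT), which made the "Allow all outgoing" rules and the
# DROPOUT> log rule at the end of the OUTPUT chain meaningless; OUTPUT is now
# default-deny like the other two chains.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

echo "Flushing rules"
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
iptables -Z

echo "Allow loopback"
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

echo "Drop invalid states"
for chain in INPUT OUTPUT FORWARD; do
  iptables -A "$chain" -m conntrack --ctstate INVALID -j DROP
done

echo "Allow established and related connections"
for chain in INPUT OUTPUT FORWARD; do
  iptables -A "$chain" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
done

echo "Allow ping replies"
# ICMP echo-request (type 8) is accepted on every interface, including
# "$EXT"; add -i "$INT" here if the WAN side should not answer pings.
iptables -A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT

echo "Allow DHCP"
# Inserted at the head of INPUT (the original placement), so DHCP requests
# from LAN clients are accepted before the conntrack rules are consulted.
iptables -I INPUT -i "$INT" -p udp -m udp --dport 67 -m conntrack --ctstate NEW -j ACCEPT

echo "Allow SSH from local Ethernet"
# SSH is reachable only from the internal network on the internal interface;
# nothing on "$EXT" is opened.
iptables -A INPUT -i "$INT" -s "$INT_NET" -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT

echo "Allow DNS (UDP and TCP for large replies)"
for proto in udp tcp; do
  iptables -A INPUT -i "$INT" -s "$INT_NET" -p "$proto" --dport 53 -m conntrack --ctstate NEW -j ACCEPT
done

echo "Allow all outgoing"
for proto in tcp udp; do
  iptables -A OUTPUT -o "$EXT" -p "$proto" -d 0.0.0.0/0 -j ACCEPT
done

echo "Allow traffic from the firewall to local networks"
iptables -A OUTPUT -o "$INT" -d "$INT_NET" -j ACCEPT

echo "Enable network address translation"
iptables -t nat -A POSTROUTING -o "$EXT" -j MASQUERADE
# Only NEW connections that originate on the LAN may be forwarded out;
# replies come back through the ESTABLISHED,RELATED rule above.
iptables -A FORWARD -o "$EXT" -i "$INT" -s "$INT_NET" -m conntrack --ctstate NEW -j ACCEPT

echo "Do not reply with Destination Unreachable messages"
# NOTE(review): this sits after the ESTABLISHED,RELATED accept, so ICMP
# errors that refer to a tracked connection (classified RELATED) are accepted
# before this rule is reached; it only affects untracked errors. Moving it
# earlier would also block "fragmentation needed" messages used for path-MTU
# discovery of forwarded traffic, so the original order is kept.
iptables -A OUTPUT -p icmp --icmp-type destination-unreachable -j DROP

echo "Log all dropped packets"
# Last rule in each chain: whatever reaches it falls through to the DROP
# policy, so these log exactly the dropped traffic, rate-limited to 3/sec
# (default burst of 5) so a flood cannot fill the kernel log.
iptables -A INPUT -m limit --limit 3/sec -j LOG --log-level debug --log-prefix "DROPIN>"
iptables -A OUTPUT -m limit --limit 3/sec -j LOG --log-level debug --log-prefix "DROPOUT>"
iptables -A FORWARD -m limit --limit 3/sec -j LOG --log-level debug --log-prefix "DROPFWD>"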