My home iptables rules
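#!/bin/sh
# Home router firewall. Interfaces: eth0 faces the LAN (10.0.0.0/24),
# eth1 faces upstream; 10.1.10.10 is the eth1 address that inbound
# port-forwards are matched on. Must run as root.
#
# The script is safe to re-run: every table is flushed before any rule
# is added, so it never accumulates duplicates.
#
# NOTE(review): only IPv4 is configured here (no ip6tables calls), so the
# INPUT DROP policy below does not apply to IPv6 traffic if the host has
# any.
set -eu

LOCALNET="10.0.0.0/255.255.255.0"
LAN=eth0
WAN=eth1
# Address on $WAN that the DNAT port-forwards match against.
WAN_ADDR=10.1.10.10
# Local squid listener used for transparent HTTP proxying.
SQUID_PORT=3128

# Remove every rule and user chain in every table.  Done once, up front,
# so the rest of the script starts from a clean slate.
flush_all() {
  for table in filter nat mangle; do
    iptables -t "$table" -F
    iptables -t "$table" -X
  done
  # The raw table is optional (older kernels lack it); do not let its
  # absence abort the run.
  iptables -t raw -F 2>/dev/null || true
}

# Default policies: drop unsolicited inbound, allow everything else.
set_policies() {
  iptables -P INPUT DROP
  iptables -P OUTPUT ACCEPT
  # NOTE(review): FORWARD is ACCEPT, so routed traffic through this box is
  # not filtered beyond the ESTABLISHED,RELATED rule and the DNAT entries
  # below. A DROP policy plus an explicit LAN->WAN allow rule would make
  # the intended "only the LAN goes out, only forwarded ports come in"
  # behaviour enforceable rather than implicit.
  iptables -P FORWARD ACCEPT
  iptables -t nat -P POSTROUTING ACCEPT
  iptables -t nat -P PREROUTING ACCEPT
}

# Source-NAT the LAN behind the upstream interface.
masquerade_lan() {
  # The original rule matched "-s 10.0.0.0/0"; a /0 mask covers every
  # source address, so it ignored the LOCALNET range declared above.
  # Match the LAN range explicitly, as the FORWARD rule already does.
  iptables -t nat -A POSTROUTING -s "$LOCALNET" -o "$WAN" -j MASQUERADE
}

# allow_wan_tcp PORT - accept new TCP connections from upstream to PORT
# on this box.
allow_wan_tcp() {
  iptables -A INPUT -i "$WAN" -p tcp --destination-port "$1" -j ACCEPT
}

# allow_wan_udp PORT - accept UDP from upstream to PORT on this box.
allow_wan_udp() {
  iptables -A INPUT -i "$WAN" -p udp --destination-port "$1" -j ACCEPT
}

# Filter table: what this box itself accepts.
allow_input() {
  iptables -A INPUT -i "$WAN" -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A FORWARD -d "$LOCALNET" -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A INPUT -i lo -j ACCEPT
  # The LAN side is fully trusted.
  iptables -A INPUT -i "$LAN" -j ACCEPT

  # Services reachable from upstream on this box.
  allow_wan_tcp 8080  # java
  # NOTE(review): this exposes the router's own MySQL listener to the
  # upstream side; confirm it is still required.
  allow_wan_tcp 3306  # mysql
  allow_wan_tcp 2401  # cvs
  allow_wan_tcp 443   # https
  #allow_wan_tcp 143  # imap
  #allow_wan_tcp 110  # pop3
  allow_wan_tcp 80    # http
  allow_wan_udp 67    # dhcp (server)
  allow_wan_udp 68    # dhcp (client)
  # dns resolve
  #iptables -A INPUT -i "$WAN" -p tcp --source-port 53 -j ACCEPT
  #allow_wan_tcp 53
  #iptables -A INPUT -i "$LAN" -p tcp --destination-port 53 -j ACCEPT
  #allow_wan_tcp 25   # smtp
  allow_wan_tcp 22    # sshd

  iptables -A INPUT -i "$WAN" -p icmp -j ACCEPT
  iptables -A INPUT -i "$LAN" -p icmp -j ACCEPT
}

# forward_port PROTO WAN_PORT TARGET - DNAT PROTO traffic arriving on
# $WAN for $WAN_ADDR:WAN_PORT to TARGET (LAN host:port).
forward_port() {
  iptables -t nat -A PREROUTING -p "$1" -i "$WAN" -d "$WAN_ADDR" \
    --dport "$2" -j DNAT --to "$3"
}

# Inbound port-forwards to LAN hosts.  Disabled entries are kept verbatim
# as a record of what was forwarded before.
port_forwards() {
  # tunnels
  #iptables -t nat -A PREROUTING -p tcp -i eth1 -d 67.165.219.126 --dport 8081 -j DNAT --to 10.0.0.223:8081
  #iptables -t nat -A PREROUTING -p tcp -i eth1 -d 67.165.219.126 --dport 8082 -j DNAT --to 10.0.0.59:80
  forward_port tcp 8083 10.0.0.208:80
  #iptables -t nat -A PREROUTING -p tcp -i eth1 -d 67.165.219.126 --dport 8084 -j DNAT --to 10.0.0.110:8080
  # tivo tunnel
  #iptables -t nat -A PREROUTING -p tcp -i eth1 -d 67.165.219.126 --dport 9032 -j DNAT --to 10.0.0.208:9032
  #iptables -t nat -A PREROUTING -p udp -i eth1 -d 67.165.219.126 --dport 32936 -j DNAT --to 10.0.0.208:32936
  # mysql
  forward_port tcp 8085 10.0.0.208:3306
  # go through the load-balancer
  #forward_port tcp 8005 10.0.0.15:81
  # outside turk access
  forward_port tcp 8007 10.0.0.208:22
  # outside ssh to images server
  forward_port tcp 8008 10.0.0.14:22
  # outside backups via crashplan can sync to images server
  forward_port tcp 4242 10.0.0.14:4242
  # heritrix
  forward_port tcp 9003 10.0.0.14:8080
  #forward_port tcp 9004 10.0.0.211:8080
  # heritrix on heritrix VM
  forward_port tcp 9004 10.0.0.70:8080
  # apache on images
  forward_port tcp 9005 10.0.0.14:80
  # rsyncd on images
  #forward_port tcp 9999 10.0.0.14:9999
  # dad's machine - flashrip2 images
  #forward_port tcp 8086 10.0.0.210:80
}

# proxy_host LAN_IP - send LAN_IP's outbound HTTP through the local squid.
proxy_host() {
  iptables -t nat -A PREROUTING -i "$LAN" -p tcp -s "$1" --dport 80 \
    -j REDIRECT --to-port "$SQUID_PORT"
}

# Transparent squid proxy for selected 'desktop' machines only.
transparent_proxy() {
  # transparent squid proxy for every LAN host (disabled)
  #iptables -t nat -A PREROUTING -i "$LAN" -p tcp --dport 80 -j REDIRECT --to-port "$SQUID_PORT"
  proxy_host 10.0.0.33
  proxy_host 10.0.0.39
  proxy_host 10.0.0.46
  proxy_host 10.0.0.68
  # upstairs computer
  #proxy_host 10.0.0.81
  proxy_host 10.0.0.86
  proxy_host 10.0.0.88
  proxy_host 10.0.0.90
  proxy_host 10.0.0.65
  #proxy_host 10.0.0.208
  proxy_host 10.0.0.210
}

main() {
  flush_all
  set_policies
  masquerade_lan
  allow_input
  # Enable routing between the interfaces.
  echo 1 > /proc/sys/net/ipv4/ip_forward
  port_forwards
  transparent_proxy
}

main "$@"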