Created
June 6, 2018 13:05
-
-
Save sxander/4a73673173d18a3f9ad56a3aea51686c to your computer and use it in GitHub Desktop.
Linux Home Server - Firewall Script - LEGENDARY :D
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/sh | |
| # | |
| # Example Firewall Script | |
| ############################################################### | |
| ### Define interfaces here | |
| EXT_DEV=ppp0 | |
| INT_DEV=eth1 | |
| INT_NET=192.168.1.0/24 | |
| ### Loading firewall modules | |
| modprobe ip_conntrack | |
| modprobe ip_conntrack_ftp | |
| ############################################################### | |
| ### Enable Packet Forwarding | |
| echo 1 > /proc/sys/net/ipv4/ip_forward | |
| ### Remove all previous rules, and delete any user defined chains | |
| iptables -F | |
| iptables -X | |
| iptables -t nat -F | |
| iptables -t nat -X | |
| ### Set the default policies to drop | |
| iptables -P INPUT DROP | |
| iptables -P OUTPUT DROP | |
| iptables -P FORWARD DROP | |
| ### Loopback device OK | |
| iptables -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT | |
| iptables -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT | |
| ### Allow all ICMP Traffic (optional) - IN, OUT and THROUGH. | |
| iptables -A INPUT -p icmp --icmp-type any -j ACCEPT | |
| iptables -A OUTPUT -p icmp --icmp-type any -j ACCEPT | |
| iptables -A FORWARD -p icmp --icmp-type any -j ACCEPT | |
| ### Allow all Internal traffic to Server | |
| iptables -A INPUT -i $INT_DEV -s $INT_NET -d $INT_NET -j ACCEPT | |
| iptables -A OUTPUT -o $INT_DEV -s $INT_NET -d $INT_NET -j ACCEPT | |
| ############################################################### | |
| ### OUTBOUND Rule: Allow ALL packets out the external device | |
| iptables -A OUTPUT -o $EXT_DEV -j ACCEPT | |
| iptables -A FORWARD -i $INT_DEV -o $EXT_DEV -j ACCEPT | |
| ############################################################### | |
| ### MASQUERADING: All packets from the internal network will | |
| ### appear as if they had originated from the firewall. | |
| iptables -t nat -A POSTROUTING -o $EXT_DEV -s $INT_NET -j MASQUERADE | |
| ############################################################### | |
| ### INBOUND Rule: Allow ALL EXT packets if a connection already exists (See "NEW" Inbound Rules) | |
| iptables -A INPUT -i $EXT_DEV -m state --state RELATED,ESTABLISHED -j ACCEPT | |
| iptables -A FORWARD -i $EXT_DEV -m state --state RELATED,ESTABLISHED -j ACCEPT | |
| # | |
| ### INBOUND Rules: Allow ONLY NEW packets on these ports. | |
| # | |
| # New INBOUND Connection: FTP (with TLS) | |
| iptables -A INPUT -i $EXT_DEV -m state --state NEW -m tcp -p tcp --syn --dport 20 -j ACCEPT | |
| iptables -A INPUT -i $EXT_DEV -m state --state NEW -m tcp -p tcp --syn --dport 21 -j ACCEPT | |
| # New INBOUND Connection: Secure Shell | |
| iptables -A INPUT -i $EXT_DEV -m state --state NEW -m tcp -p tcp --syn --dport 22 -j ACCEPT | |
| # New INBOUND Connection: SMTP and SMTPS (over TLS/SSL) | |
| iptables -A INPUT -i $EXT_DEV -m state --state NEW -m tcp -p tcp --syn --dport 25 -j ACCEPT | |
| iptables -A INPUT -i $EXT_DEV -m state --state NEW -m tcp -p tcp --syn --dport 465 -j ACCEPT | |
| # New INBOUND Connection: HTTP (Plain and SSL) | |
| iptables -A INPUT -i $EXT_DEV -m state --state NEW -m tcp -p tcp --syn --dport 80 -j ACCEPT | |
| iptables -A INPUT -i $EXT_DEV -m state --state NEW -m tcp -p tcp --syn --dport 443 -j ACCEPT | |
| # New INBOUND Connection: LDAPS Server (over SSL) | |
| iptables -A INPUT -i $EXT_DEV -m state --state NEW -m tcp -p tcp --syn --dport 636 -j ACCEPT | |
| # New INBOUND Connection: IMAPS Email Clients (over SSL) | |
| iptables -A INPUT -i $EXT_DEV -m state --state NEW -m tcp -p tcp --syn --dport 993 -j ACCEPT | |
| ### | |
| # Squid Transparent Proxy: Enable rule for transparent proxy redirection | |
| # Redirect all WWW (port 80) OUTBOUNT packets to the Squid Server on port 3128 | |
| #iptables -t nat -A PREROUTING -i $INT_DEV -s $INT_NET -p tcp --dport 80 -j REDIRECT --to-port 3128 | |
| # | |
| ### INBOUND DNAT (redirection) Rules: Allow ONLY NEW packets on these ports and redirect to internal services. | |
| # | |
| ### INBOUND Rule: Redirect ALL packets to the INTERNAL workstation - HTTP | |
| #iptables -t nat -A PREROUTING -i $EXT_DEV -p tcp --dport 80 -j DNAT --to-destination wkstn1.example.com:80 | |
| #iptables -A FORWARD -i $EXT_DEV -o $INT_DEV -p tcp --dport 80 -j ACCEPT | |
| ### INBOUND Rule: Redirect ALL packets to the INTERNAL workstation - HTTPS | |
| #iptables -t nat -A PREROUTING -i $EXT_DEV -p tcp --dport 443 -j DNAT --to-destination wkstn1.example.com:443 | |
| #iptables -A FORWARD -i $EXT_DEV -o $INT_DEV -p tcp --dport 443 -j ACCEPT |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment