@timkofu
Last active December 16, 2015 13:38
#!/bin/bash
# Tell the kernel you want to use this machine as an IPv4 gateway
echo 1 > /proc/sys/net/ipv4/ip_forward
# Set up variables for the network interfaces
lan_interface=eth0
internet_interface=eth1
# Ports you want your users to connect directly to on the internet
safe_ports=443,6667
# Your public IP address
public_ip=x.x.x.x
# Clear all the tables, including custom chains
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# INPUT chain, filter table
# Accept everything from localhost
iptables -A INPUT -s 127.0.0.1 -p all -j ACCEPT
# Allow SSH from anywhere, and stop brute-force attacks [only 3 SYN packets allowed from an IP address every 1200 seconds].
# The DROP check must come before the rule that records the hit: with the --set ACCEPT rule first, every new
# SSH connection would match it and the DROP rule would never be reached.
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 1200 --hitcount 4 --rttl --name SSH -j DROP
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH -j ACCEPT
# Allow already established connections from anywhere; this also loads CONNTRACK, which turns on packet defragmentation on the gateway
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow TCP and UDP connections from the LAN to the proxy and DNS ports, 2600 and 53
iptables -A INPUT -i $lan_interface -p tcp -m multiport --dports 2600,53 -j ACCEPT
iptables -A INPUT -i $lan_interface -p udp -m multiport --dports 2600,53 -j ACCEPT
# Allow pings from anywhere
iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT
# Drop everything else
iptables -A INPUT -j DROP
# FORWARD chain, filter table
# Forward everything from localhost
iptables -A FORWARD -s 127.0.0.1 -p all -j ACCEPT
# Forward SSL connections directly, as a transparent proxy won't work with SSL, along with the other safe ports (6667 is IRC)
iptables -A FORWARD -p tcp -m multiport --dports $safe_ports -j ACCEPT
# Forward already established connections, turning on CONNTRACK for the same reason as above
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Forward pings
iptables -A FORWARD -p icmp --icmp-type 8 -j ACCEPT
# Drop every other forward attempt
iptables -A FORWARD -j DROP
# PREROUTING chain, nat table
# Make the proxy transparent; redirect all connections to port 80 to the proxy port
iptables -t nat -A PREROUTING -i $lan_interface -p tcp --dport 80 -j REDIRECT --to-ports 2600
# POSTROUTING chain, nat table
# And pass on the rest of the allowed traffic to the Internet.
# I'm using SNAT instead of MASQUERADE because for our machine, our ISP gave us a static IP. Find out the differences here: http://www.frozentux.net/iptables-tutorial/chunkyhtml/x4422.html
iptables -t nat -A POSTROUTING -o $internet_interface -j SNAT --to-source $public_ip
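As an added example (not part of the gist above), the same gateway policy rendered by a shell function as an iptables-restore file: the restore format loads the whole ruleset atomically with DROP default policies, so there is no window between `iptables -F` and the final `-j DROP` where the chains are open, and the SSH rate-limit check sits before the rule that records the hit. Interface names, proxy port 2600, the safe ports and the public IP are parameters; the dotted-quad address check and the use of `-m conntrack --ctstate` (the current form of `-m state`) are this example's assumptions.

```shell
#!/bin/sh
# Return 0 if $1 is a dotted-quad IPv4 address, 1 otherwise (POSIX sh).
valid_ipv4() {
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case $octet in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# gen_rules LAN_IF WAN_IF PUBLIC_IP [SAFE_PORTS]: print an iptables-restore
# file for the gateway policy; feed the output to `iptables-restore`.
gen_rules() {
  lan=$1; wan=$2; public_ip=$3; safe_ports=${4:-443,6667}; proxy_port=2600
  valid_ipv4 "$public_ip" || { echo "bad public IP: $public_ip" >&2; return 1; }
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# rate-limit check first, then the rule that records the hit
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 1200 --hitcount 4 --rttl --name SSH -j DROP
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name SSH -j ACCEPT
-A INPUT -i $lan -p tcp -m multiport --dports $proxy_port,53 -j ACCEPT
-A INPUT -i $lan -p udp --dport 53 -j ACCEPT
-A INPUT -p icmp --icmp-type 8 -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $lan -o $wan -p tcp -m multiport --dports $safe_ports -j ACCEPT
-A FORWARD -i $lan -o $wan -p icmp --icmp-type 8 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i $lan -p tcp --dport 80 -j REDIRECT --to-ports $proxy_port
-A POSTROUTING -o $wan -j SNAT --to-source $public_ip
COMMIT
EOF
}
```

Only the LAN-to-WAN direction is forwarded for new connections, so hosts on the internet cannot open connections toward the LAN through the gateway.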