Last active
December 16, 2015 13:38
-
-
Save timkofu/5442789 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # Tell the kernel you want to use this machine as an IP V4 gateway | |
| echo 1 > /proc/sys/net/ipv4/ip_forward | |
| # Set up variables for the network interfaces | |
| lan_interface=eth0 | |
| internet_interface=eth1 | |
| # Ports you want your users to connect directly to on the internet | |
| safe_ports=443,6667 | |
| # Your public IP address | |
| public_ip=x.x.x.x | |
| # Clear all the tables, including custom chains | |
| iptables -F | |
| iptables -X | |
| iptables -t nat -F | |
| iptables -t nat -X | |
| iptables -t mangle -F | |
| iptables -t mangle -X | |
| # INPUT chain, filter table | |
| # Accept everything from localhost | |
| iptables -A INPUT -s 127.0.0.1 -p all -j ACCEPT | |
| # Allow SSH from anywhere, and stop brut-force attacks [only 3 SYN packets allowed from an IP address every 1200 seconds] | |
| iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH -j ACCEPT | |
| iptables -A INPUT -p tcp --dport 22 -m recent --update --seconds 1200 --hitcount 4 --rttl --name SSH -j DROP | |
| # Allow already established connections from anywhere, also turning on CONNTRACK, which turns on packet defragementation to the gateway | |
| iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT | |
| # Allow TCP and UDP connections from the LAN to the proxy and DNS ports 2600 and 53 | |
| iptables -A INPUT -i $lan_interface -p tcp -m multiport --dport 2600,53 -j ACCEPT | |
| iptables -A INPUT -i $lan_interface -p udp -m multiport --dport 2600,53 -j ACCEPT | |
| # Allow pings from anywhere | |
| iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT | |
| # Drop everything else | |
| iptables -A INPUT -j DROP | |
| # FORWARD chain, filter table | |
| # Forward everything from localhost | |
| iptables -A FORWARD -s 127.0.0.1 -p all -j ACCEPT | |
| # Forward SSL connections, as a transparent proxy wont work with SSL, and the others (IRC?) | |
| iptables -A FORWARD -p tcp -m multiport --dport $safe_ports -j ACCEPT | |
| # Forward already established connections, turn on CONNTRACK for the same reason as above | |
| iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT | |
| # Forward pings | |
| iptables -A FORWARD -p icmp --icmp-type 8 -j ACCEPT | |
| # Drop every other forward attemp | |
| iptables -A FORWARD -j DROP | |
| # PREROUTING chain, nat table | |
| # Make the proxy transparent; redirect all connections to port 80 to the proxy port | |
| iptables -t nat -A PREROUTING -i $lan_interface -p tcp --dport 80 -j REDIRECT --to-port 2600 | |
| # POSTROUTING chain, nat table | |
| # And pass on the rest of the allowed traffic to the Internet. | |
| # I'm using SNAT instead of MASQUERADE because for our machine, our ISP gave us a static IP. Find out the differences here http://www.frozentux.net/iptables-tutorial/chunkyhtml/x4422.html | |
| iptables -t nat -A POSTROUTING -o $internet_interface -j SNAT --to-source $public_ip | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment