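#!/bin/sh
#
# Packet-filter rule set for a host with one Internet-facing interface
# and two LAN interfaces.
#
# Layout: default policy DROP on INPUT/OUTPUT/FORWARD, user chains for
# TCP sanity checks (bad_tcp_packets) and per-protocol acceptance
# (tcp_packets/udp_packets/icmp_packets), rate-limited LOG rules for
# whatever falls through, and a nat PREROUTING block that redirects
# web-bound TCP from both LANs to a local proxy on port 3128.
#
# Must be run as root. To start from a clean state first:
# service iptables stop

# Abort on an unset variable: with a silently empty expansion an
# iptables rule would be mis-parsed or load with a different meaning
# than intended (this script previously referenced an undefined
# $LAN_IP in the OUTPUT chain).
set -u

# ---------------------------------------------------------------------
# variables
# ---------------------------------------------------------------------
# Address values ("193.X/maska", "10.X/...") are deployment placeholders
# and must be filled in before use.
IPTABLES="/sbin/iptables"

LO_IFACE="lo"
LO_IP="127.0.0.1"

# INET_IFACE is kept for documentation; only INET_IP is used in rules.
INET_IFACE="eth2"
INET_IP="193.X/maska"

LAN_IFACE1="eth0"
LAN_IP1="10.X/255.255.255.0"

LAN_IFACE2="eth1"
LAN_IP2="10.X/255.255.255.0"

# ---------------------------------------------------------------------
# default policies and clean slate
# ---------------------------------------------------------------------
# Policies are set before flushing so that the box is closed during the
# window in which the rules below are being (re)loaded.
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

# Flush rules and delete user chains in the filter table AND in the nat
# table: the nat rules further down are appended (-A), so without the
# nat flush each run of this script would duplicate them.
$IPTABLES -F
$IPTABLES -X
$IPTABLES -t nat -F
$IPTABLES -t nat -X

# ---------------------------------------------------------------------
# user-defined chains
# ---------------------------------------------------------------------
# Chain for TCP packets that are malformed from a state-tracking point
# of view (NEW but not a plain SYN).
$IPTABLES -N bad_tcp_packets

# Separate chains for ICMP, TCP and UDP to traverse.
$IPTABLES -N allowed
$IPTABLES -N tcp_packets
$IPTABLES -N udp_packets
$IPTABLES -N icmp_packets

# bad_tcp_packets chain
# A SYN/ACK that conntrack sees as NEW has no matching SYN from us:
# answer it with a RST so the remote side tears down its half-open
# state. Any other NEW packet without SYN is logged and dropped.
$IPTABLES -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:"
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

# allowed chain
# Reached only from tcp_packets for the whitelisted destination ports:
# accept the opening SYN and the established/related traffic, drop the
# rest.
$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP

# TCP rules
# ftp(20,21), ssh(22), smtp(25), pop3(110), imap(143)
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 20 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 25 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 110 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 143 -j allowed

# UDP ports
# NOTE(review): these match on --source-port, which the remote sender
# chooses, and the listed ports are TCP services (ftp/ssh/smtp/pop3/
# imap). As written, any UDP datagram sent from one of these source
# ports is accepted to any local UDP port. If destination-port
# filtering was intended (as in the TCP list above), this needs
# --destination-port instead; left unchanged here pending confirmation.
$IPTABLES -A udp_packets -p UDP -s 0/0 --source-port 20 -j ACCEPT
$IPTABLES -A udp_packets -p UDP -s 0/0 --source-port 21 -j ACCEPT
$IPTABLES -A udp_packets -p UDP -s 0/0 --source-port 22 -j ACCEPT
$IPTABLES -A udp_packets -p UDP -s 0/0 --source-port 25 -j ACCEPT
$IPTABLES -A udp_packets -p UDP -s 0/0 --source-port 110 -j ACCEPT
$IPTABLES -A udp_packets -p UDP -s 0/0 --source-port 143 -j ACCEPT

# ICMP rules
# type 8 = echo request, type 11 = time exceeded (traceroute replies).
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

# ---------------------------------------------------------------------
# INPUT chain
# ---------------------------------------------------------------------
# Bad TCP packets we don't want.
$IPTABLES -A INPUT -p tcp -j bad_tcp_packets

# Rules for special networks not part of the Internet: anything on the
# loopback interface from one of our own addresses.
$IPTABLES -A INPUT -p ALL -i "$LO_IFACE" -s "$LO_IP" -j ACCEPT
$IPTABLES -A INPUT -p ALL -i "$LO_IFACE" -s "$LAN_IP1" -j ACCEPT
$IPTABLES -A INPUT -p ALL -i "$LO_IFACE" -s "$LAN_IP2" -j ACCEPT
$IPTABLES -A INPUT -p ALL -i "$LO_IFACE" -s "$INET_IP" -j ACCEPT

# Rules for incoming packets from anywhere: replies to our own
# connections first, then dispatch by protocol.
$IPTABLES -A INPUT -p ALL -d "$INET_IP" -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -p TCP -j tcp_packets
$IPTABLES -A INPUT -p UDP -j udp_packets
$IPTABLES -A INPUT -p ICMP -j icmp_packets

# Log weird packets that don't match the above (rate-limited so a
# flood cannot fill the log); the DROP policy then discards them.
$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
  --log-level DEBUG --log-prefix "IPT INPUT packet died: "

# ---------------------------------------------------------------------
# FORWARD chain
# ---------------------------------------------------------------------
# Bad TCP packets we don't want
$IPTABLES -A FORWARD -p tcp -j bad_tcp_packets

# Accept the packets we actually want to forward.
# NOTE(review): ftp(21) is forwarded from both LANs, but http(80) and
# pop3(110) only from LAN_IFACE1 — confirm this asymmetry is intended.
$IPTABLES -A FORWARD -p tcp --dport 21 -i "$LAN_IFACE1" -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 21 -i "$LAN_IFACE2" -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 80 -i "$LAN_IFACE1" -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 110 -i "$LAN_IFACE1" -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Log weird packets that don't match the above.
$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \
  --log-level DEBUG --log-prefix "IPT FORWARD packet died: "

# ---------------------------------------------------------------------
# OUTPUT chain
# ---------------------------------------------------------------------
# Bad TCP packets we don't want.
$IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets

# Special OUTPUT rules to decide which source IPs may send.
# Fix: the original referenced an undefined $LAN_IP here, which
# expanded to nothing and so the rule for the LAN addresses never
# loaded; both LAN networks are now listed explicitly.
$IPTABLES -A OUTPUT -p ALL -s "$LO_IP" -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s "$LAN_IP1" -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s "$LAN_IP2" -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s "$INET_IP" -j ACCEPT

# Log weird packets that don't match the above.
$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
  --log-level DEBUG --log-prefix "IPT OUTPUT packet died: "

# ---------------------------------------------------------------------
# nat table
# ---------------------------------------------------------------------
# Transparent proxying: TCP from either LAN to the common web/proxy
# ports (80, 8080, 8081, 1080, 3128) is redirected to the local proxy
# listening on 3128.
$IPTABLES -t nat -A PREROUTING -s "$LAN_IP1" -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
$IPTABLES -t nat -A PREROUTING -s "$LAN_IP2" -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
$IPTABLES -t nat -A PREROUTING -s "$LAN_IP1" -p tcp -m tcp --dport 8080 -j REDIRECT --to-ports 3128
$IPTABLES -t nat -A PREROUTING -s "$LAN_IP2" -p tcp -m tcp --dport 8080 -j REDIRECT --to-ports 3128
$IPTABLES -t nat -A PREROUTING -s "$LAN_IP1" -p tcp -m tcp --dport 8081 -j REDIRECT --to-ports 3128
$IPTABLES -t nat -A PREROUTING -s "$LAN_IP2" -p tcp -m tcp --dport 8081 -j REDIRECT --to-ports 3128
$IPTABLES -t nat -A PREROUTING -s "$LAN_IP1" -p tcp -m tcp --dport 1080 -j REDIRECT --to-ports 3128
$IPTABLES -t nat -A PREROUTING -s "$LAN_IP2" -p tcp -m tcp --dport 1080 -j REDIRECT --to-ports 3128
$IPTABLES -t nat -A PREROUTING -s "$LAN_IP1" -p tcp -m tcp --dport 3128 -j REDIRECT --to-ports 3128
$IPTABLES -t nat -A PREROUTING -s "$LAN_IP2" -p tcp -m tcp --dport 3128 -j REDIRECT --to-ports 3128

# Persist the loaded rule set so it survives a restart of the service.
service iptables save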