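#!/bin/sh
# Start/stop/restart the iptables configuration for "gate".
#
# Usage: $0 start|stop|restart
#
# Interface summary:
#   in:  eth0
#   out: eth1, ppp+
#   dmz: eth2
#   mng: eth3
#   vpn: tun+
#
# Design: the built-in INPUT/OUTPUT/FORWARD chains only classify traffic by
# (pair of) interface and jump to one user chain per zone or zone pair; the
# actual policy for that traffic lives in the user chain.  The default policy
# is DROP on all three built-in chains, so a user chain with no rules means
# "nothing of that kind passes".  As shipped, no NEW forwarded connection is
# allowed at all -- every forward chain that has rules only carries the
# ESTABLISHED,RELATED rule -- and the commented-out rules show where a path
# would be opened.
#
# 'set -e' is deliberately not used: an early failure (for example a modprobe
# for a module name this kernel does not have) would abort the script before
# the DROP policies are installed and leave the host with whatever policy it
# had before, which after a fresh boot is ACCEPT, i.e. fail-open.
set -u

# User-defined chains created by start() and deleted by stop(); one list so
# the two cannot drift apart.  Naming: <zone>-IN / <zone>-OUT for traffic to
# and from the gate itself, <from>-<to>-FOR for traffic forwarded between
# zones.  Whitespace-separated on purpose (see the for loops below).
CHAINS='
in-IN   in-out-FOR in-dmz-FOR in-mng-FOR in-vpn-FOR  in-OUT
out-IN  out-in-FOR out-dmz-FOR out-mng-FOR out-vpn-FOR out-OUT
dmz-IN  dmz-in-FOR dmz-out-FOR dmz-mng-FOR dmz-vpn-FOR dmz-OUT
mng-IN  mng-in-FOR mng-out-FOR mng-dmz-FOR mng-vpn-FOR mng-OUT
vpn-IN  vpn-in-FOR vpn-out-FOR vpn-dmz-FOR vpn-mng-FOR vpn-OUT
'
readonly CHAINS

#######################################
# Load the kernel modules the ruleset depends on.
# The FTP helpers let FTP data connections be matched as RELATED.  The ip_*
# names are the legacy module names; newer kernels ship the same helpers as
# nf_conntrack_ftp / nf_nat_ftp, so those are tried first and the legacy name
# is the fallback (only the fallback's error is shown).  Failures here are
# not fatal: the ruleset still loads, FTP data channels just will not be
# tracked.
#######################################
load_modules() {
  /sbin/modprobe nf_conntrack_ftp 2>/dev/null || /sbin/modprobe ip_conntrack_ftp
  /sbin/modprobe nf_nat_ftp 2>/dev/null || /sbin/modprobe ip_nat_ftp
  # TUN/TAP driver for the tun+ (VPN) interfaces.
  /sbin/modprobe tun
}

#######################################
# Install the complete ruleset.  Safe to run repeatedly: everything is
# flushed and rebuilt from scratch.
#######################################
start() {
  load_modules

  ## filter table begin:

  # Policy first, flush second: in this order there is no instant in which
  # the table is empty while the policy is still ACCEPT (the state after a
  # fresh boot).
  iptables -P INPUT DROP
  iptables -P OUTPUT DROP
  iptables -P FORWARD DROP
  iptables -F
  # Delete all (now empty) user-defined chains as well, so a repeated 'start'
  # does not fail with "chain already exists" at the -N loop below.
  iptables -X

  # loopback is unrestricted
  iptables -A INPUT -i lo -j ACCEPT
  iptables -A OUTPUT -o lo -j ACCEPT

  # Drop fragments.  -f matches the second and further fragments only; the
  # first fragment carries the headers and is evaluated by the rules below.
  iptables -A INPUT -f -j DROP
  iptables -A FORWARD -f -j DROP

  # The gate itself may open connections anywhere; replies and related
  # traffic are accepted on every interface.  Because OUTPUT accepts NEW,
  # ESTABLISHED and RELATED here, only INVALID packets ever reach the
  # per-zone *-OUT chains, which carry no rules and fall through to DROP.
  iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

  # create the per-zone chains
  # shellcheck disable=SC2086 -- CHAINS is a deliberately word-split list
  for chain in $CHAINS; do
    iptables -N "$chain"
  done

  # Classify by interface and hand over to the per-zone chains.  Each FORWARD
  # rule below matches a distinct (in, out) interface pair, so their relative
  # order does not matter.

  # in (eth0)
  iptables -A INPUT -i eth0 -j in-IN
  iptables -A FORWARD -i eth0 -o eth1 -j in-out-FOR
  iptables -A FORWARD -i eth0 -o ppp+ -j in-out-FOR
  iptables -A FORWARD -i eth0 -o eth2 -j in-dmz-FOR
  iptables -A FORWARD -i eth0 -o eth3 -j in-mng-FOR
  iptables -A FORWARD -i eth0 -o tun+ -j in-vpn-FOR
  iptables -A OUTPUT -o eth0 -j in-OUT

  # out (eth1, ppp+)
  iptables -A INPUT -i eth1 -j out-IN
  iptables -A INPUT -i ppp+ -j out-IN
  iptables -A FORWARD -i eth1 -o eth0 -j out-in-FOR
  iptables -A FORWARD -i ppp+ -o eth0 -j out-in-FOR
  iptables -A FORWARD -i eth1 -o eth2 -j out-dmz-FOR
  iptables -A FORWARD -i ppp+ -o eth2 -j out-dmz-FOR
  iptables -A FORWARD -i eth1 -o eth3 -j out-mng-FOR
  iptables -A FORWARD -i ppp+ -o eth3 -j out-mng-FOR
  iptables -A FORWARD -i eth1 -o tun+ -j out-vpn-FOR
  iptables -A FORWARD -i ppp+ -o tun+ -j out-vpn-FOR
  iptables -A OUTPUT -o eth1 -j out-OUT
  iptables -A OUTPUT -o ppp+ -j out-OUT

  # dmz (eth2)
  iptables -A INPUT -i eth2 -j dmz-IN
  iptables -A FORWARD -i eth2 -o eth0 -j dmz-in-FOR
  iptables -A FORWARD -i eth2 -o eth1 -j dmz-out-FOR
  iptables -A FORWARD -i eth2 -o ppp+ -j dmz-out-FOR
  iptables -A FORWARD -i eth2 -o eth3 -j dmz-mng-FOR
  iptables -A FORWARD -i eth2 -o tun+ -j dmz-vpn-FOR
  iptables -A OUTPUT -o eth2 -j dmz-OUT

  # mng (eth3)
  iptables -A INPUT -i eth3 -j mng-IN
  iptables -A FORWARD -i eth3 -o eth0 -j mng-in-FOR
  iptables -A FORWARD -i eth3 -o eth1 -j mng-out-FOR
  iptables -A FORWARD -i eth3 -o ppp+ -j mng-out-FOR
  iptables -A FORWARD -i eth3 -o eth2 -j mng-dmz-FOR
  iptables -A FORWARD -i eth3 -o tun+ -j mng-vpn-FOR
  iptables -A OUTPUT -o eth3 -j mng-OUT

  # vpn (tun+)
  iptables -A INPUT -i tun+ -j vpn-IN
  iptables -A FORWARD -i tun+ -o eth0 -j vpn-in-FOR
  iptables -A FORWARD -i tun+ -o eth1 -j vpn-out-FOR
  iptables -A FORWARD -i tun+ -o ppp+ -j vpn-out-FOR
  iptables -A FORWARD -i tun+ -o eth2 -j vpn-dmz-FOR
  iptables -A FORWARD -i tun+ -o eth3 -j vpn-mng-FOR
  iptables -A OUTPUT -o tun+ -j vpn-OUT

  # --- traffic to the gate itself ---

  # ssh to the gate is allowed from the in and mng zones only
  iptables -A in-IN -p tcp --dport ssh -m state --state NEW -j ACCEPT
  iptables -A mng-IN -p tcp --dport ssh -m state --state NEW -j ACCEPT

  # the in, dmz and mng zones may ping the gate
  iptables -A in-IN -p icmp --icmp-type echo-request -j ACCEPT
  iptables -A dmz-IN -p icmp --icmp-type echo-request -j ACCEPT
  iptables -A mng-IN -p icmp --icmp-type echo-request -j ACCEPT

  # out-IN stays empty: nothing NEW from the Internet side reaches the gate.
  # Uncomment only when the VPN server runs on the gate itself:
  #iptables -A out-IN -i eth1 -p udp --dport 1194 -m state --state NEW -j ACCEPT

  # VPN clients may open any connection to the gate itself, i.e. every
  # service bound on the gate is reachable from tun+.  Narrow this to the
  # ports actually needed (as in-IN does) if that is not intended.
  iptables -A vpn-IN -m state --state NEW -j ACCEPT

  # --- forwarded traffic between zones ---
  # No rules are placed in the mng-*/*-mng forward chains nor in
  # out-vpn-FOR / vpn-out-FOR, so the mng zone is not routed anywhere (not
  # even replies) and VPN clients are not routed to the Internet.

  # in <--> out: replies only; uncomment to let the in zone reach out
  iptables -A out-in-FOR -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A in-out-FOR -m state --state ESTABLISHED,RELATED -j ACCEPT
  # ping
  #iptables -A in-out-FOR -p icmp --icmp-type echo-request -j ACCEPT
  # http(s)
  #iptables -A in-out-FOR -p tcp --dport http -m state --state NEW -j ACCEPT
  #iptables -A in-out-FOR -p tcp --dport https -m state --state NEW -j ACCEPT
  # ftp
  #iptables -A in-out-FOR -p tcp --dport ftp -m state --state NEW -j ACCEPT

  # in <--> vpn: replies only in both directions
  iptables -A vpn-in-FOR -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A in-vpn-FOR -m state --state ESTABLISHED,RELATED -j ACCEPT
  # in access vpn
  #iptables -A in-vpn-FOR -p icmp --icmp-type echo-request -j ACCEPT
  #iptables -A in-vpn-FOR -p tcp --dport http -m state --state NEW -j ACCEPT
  #iptables -A in-vpn-FOR -p tcp --dport https -m state --state NEW -j ACCEPT
  #iptables -A in-vpn-FOR -p tcp --dport ftp -m state --state NEW -j ACCEPT
  # vpn access in
  #iptables -A vpn-in-FOR -p icmp --icmp-type echo-request -j ACCEPT
  #iptables -A vpn-in-FOR -p tcp --dport http -m state --state NEW -j ACCEPT
  #iptables -A vpn-in-FOR -p tcp --dport https -m state --state NEW -j ACCEPT
  #iptables -A vpn-in-FOR -p tcp --dport ftp -m state --state NEW -j ACCEPT

  # in <--> dmz: replies only; the commented rule would open the dmz entirely
  iptables -A dmz-in-FOR -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A in-dmz-FOR -m state --state ESTABLISHED,RELATED -j ACCEPT
  #iptables -A in-dmz-FOR -m state --state NEW -j ACCEPT

  # out <--> dmz: replies only; uncomment to publish dmz services
  iptables -A dmz-out-FOR -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A out-dmz-FOR -m state --state ESTABLISHED,RELATED -j ACCEPT
  # http(s)
  #iptables -A out-dmz-FOR -p tcp --dport http -m state --state NEW -j ACCEPT
  #iptables -A out-dmz-FOR -p tcp --dport https -m state --state NEW -j ACCEPT
  # ftp
  #iptables -A out-dmz-FOR -p tcp --dport ftp -m state --state NEW -j ACCEPT

  # vpn <--> dmz: replies only; uncomment to let VPN clients reach the dmz
  iptables -A dmz-vpn-FOR -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A vpn-dmz-FOR -m state --state ESTABLISHED,RELATED -j ACCEPT
  # http(s)
  #iptables -A vpn-dmz-FOR -p tcp --dport http -m state --state NEW -j ACCEPT
  #iptables -A vpn-dmz-FOR -p tcp --dport https -m state --state NEW -j ACCEPT
  # ftp
  #iptables -A vpn-dmz-FOR -p tcp --dport ftp -m state --state NEW -j ACCEPT

  ## filter table end.

  ## nat table begin:
  # Not in use; kept as a template.  "dmz-machine" is a placeholder.
  #iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
  #iptables -t nat -A PREROUTING -i eth1 -j DNAT --to dmz-machine
  ## nat table end.
}

#######################################
# Open the firewall completely: ACCEPT on all three built-in chains.  Called
# by 'stop' after the rules are gone.  FORWARD ACCEPT turns the gate into an
# unfiltered router for as long as this is in effect (when IP forwarding is
# enabled in the kernel).  'restart' does not call this, so the DROP
# policies stay in place while the ruleset is rebuilt.
#######################################
resume_all() {
  iptables -P INPUT ACCEPT
  iptables -P OUTPUT ACCEPT
  iptables -P FORWARD ACCEPT
}

#######################################
# Remove all rules and the user-defined chains.  Policies are left untouched
# (still DROP after a 'start'); see resume_all().
#######################################
stop() {
  ## filter table begin:
  iptables -F
  # -X requires the chain to be empty and unreferenced; after -F every chain
  # in the list is.
  # shellcheck disable=SC2086 -- CHAINS is a deliberately word-split list
  for chain in $CHAINS; do
    iptables -X "$chain"
  done
  ## filter table end.

  ## nat table begin:
  iptables -t nat -F
  ## nat table end.
}

#######################################
# Print usage to stderr and exit non-zero, so an init system notices a bad
# invocation instead of treating it as success.
#######################################
usage() {
  printf 'usage: %s start|stop|restart\n' "$0" >&2
  exit 1
}

# iptables is invoked via PATH (modprobe is absolute); fail loudly rather
# than silently leaving the host unconfigured.
command -v iptables >/dev/null 2>&1 || {
  printf '%s: iptables not found in PATH\n' "$0" >&2
  exit 1
}

case "${1-}" in
  start)   start ;;
  stop)    stop; resume_all ;;
  restart) stop; start ;;
  *)       usage ;;
esac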