HEIG-VD / SRX / Labo firewall / script iptables
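#!/bin/bash
# HEIG-VD / SRX firewall lab: stateful iptables policy for a three-legged
# firewall with the WAN on eth0, the LAN on eth1 and the DMZ on eth2.
#
# Every run flushes the tables first and rebuilds the whole rule set. The
# SSH rules are appended *before* the default policies are switched to DROP
# so that an administrator's session coming from the LAN survives a re-run.
#
# Needs a user allowed to run /sbin/iptables through sudo.

# -u: an unset variable is an error instead of a silent "" (the DNS message
#     below used to print an undefined "$ip").
# -e: stop at the first failing iptables call so that a half-applied policy
#     is noticed instead of silently continued past.
set -eu

# iptables front-end; an array so it can be expanded quoted.
IPT=(sudo /sbin/iptables)

# Interfaces
WAN_IF="eth0"
LAN_IF="eth1"
DMZ_IF="eth2"

# IPs (FIREWALL_IP and LAN_IP are kept for reference; no rule uses them)
FIREWALL_IP="192.168.100.254"
DMZ_IP="192.168.200.100"
LAN_IP="192.168.100.100"
LAN_SUBNET="192.168.100.0/24"
DMZ_SUBNET="192.168.200.0/24"
# Your DNS servers you use: cat /etc/resolv.conf
# Space-separated list; forwarded DNS is restricted to exactly these hosts.
DNS_SERVER="8.8.4.4 8.8.8.8"

# Flush rules and user chains in the filter, nat and mangle tables.
# -F/-X leave the chain policies alone: if a previous run set them to DROP,
# traffic stays blocked until the rules below are re-added.
echo "flush iptable rules"
"${IPT[@]}" -F
"${IPT[@]}" -X
"${IPT[@]}" -t nat -F
"${IPT[@]}" -t nat -X
"${IPT[@]}" -t mangle -F
"${IPT[@]}" -t mangle -X

# Installed first so an SSH session from the LAN stays up once the default
# policies become DROP. The OUTPUT rule matches the replies by destination.
echo "Allow SSH exclusively from the LAN"
"${IPT[@]}" -A INPUT -i "$LAN_IF" -p tcp -s "$LAN_SUBNET" --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
"${IPT[@]}" -A OUTPUT -o "$LAN_IF" -p tcp -d "$LAN_SUBNET" --sport 22 -m state --state ESTABLISHED -j ACCEPT

echo "Allow LAN to open SSH on DMZ"
"${IPT[@]}" -A FORWARD -i "$LAN_IF" -o "$DMZ_IF" -p tcp -s "$LAN_SUBNET" -d "$DMZ_IP" --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
"${IPT[@]}" -A FORWARD -i "$DMZ_IF" -o "$LAN_IF" -p tcp -s "$DMZ_IP" -d "$LAN_SUBNET" --sport 22 -m state --state ESTABLISHED -j ACCEPT

# Everything not explicitly accepted below is dropped.
echo "Set default policy to 'DROP'"
"${IPT[@]}" -P INPUT DROP
"${IPT[@]}" -P OUTPUT DROP
"${IPT[@]}" -P FORWARD DROP

echo "allow all and everything on localhost"
"${IPT[@]}" -A INPUT -i lo -j ACCEPT
"${IPT[@]}" -A OUTPUT -o lo -j ACCEPT

# The firewall itself may open any connection on any of its three
# interfaces; only replies come back in. -I puts these at the head of the
# chain, ahead of the SSH rules. This leaves OUTPUT effectively open, so the
# OUTPUT log/drop rules at the end only see packets leaving through some
# other interface.
echo "Allow connection initiated by the .."
echo "firewall to the WAN"
"${IPT[@]}" -I OUTPUT -o "$WAN_IF" -d 0.0.0.0/0 -j ACCEPT
"${IPT[@]}" -I INPUT -i "$WAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
echo "firewall to the LAN"
"${IPT[@]}" -I OUTPUT -o "$LAN_IF" -d 0.0.0.0/0 -j ACCEPT
"${IPT[@]}" -I INPUT -i "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
echo "firewall to the DMZ"
"${IPT[@]}" -I OUTPUT -o "$DMZ_IF" -d 0.0.0.0/0 -j ACCEPT
"${IPT[@]}" -I INPUT -i "$DMZ_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT

# One rule pair per protocol and per configured resolver, so LAN clients can
# only query the listed servers rather than any port-53 host on the WAN.
# shellcheck disable=SC2086  # DNS_SERVER is a deliberate space-separated list
for ip in $DNS_SERVER; do
  echo "Allowing DNS lookups (tcp, udp port 53) to server '$ip'"
  for proto in udp tcp; do
    "${IPT[@]}" -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -p "$proto" -s "$LAN_SUBNET" -d "$ip" --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
    "${IPT[@]}" -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p "$proto" -s "$ip" -d "$LAN_SUBNET" --sport 53 -m state --state ESTABLISHED -j ACCEPT
  done
done

# No source-address match here: a DHCPDISCOVER is sent from 0.0.0.0, which
# never matches the LAN subnet; the interface match bounds the rule instead.
echo "Allow DHCP requests between Firewall & LAN"
"${IPT[@]}" -A INPUT -i "$LAN_IF" -p udp --dport 67:68 --sport 67:68 -j ACCEPT

# ICMP: requests leave the LAN, echo replies (ESTABLISHED) come back. The
# WAN->LAN return rule is needed because the reply's source is not the LAN.
echo "allow PING from LAN to WAN"
"${IPT[@]}" -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -p icmp -s "$LAN_SUBNET" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
"${IPT[@]}" -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p icmp -d "$LAN_SUBNET" -m state --state ESTABLISHED,RELATED -j ACCEPT
echo "allow PING from LAN to DMZ"
"${IPT[@]}" -A FORWARD -i "$LAN_IF" -o "$DMZ_IF" -p icmp -s "$LAN_SUBNET" -d "$DMZ_SUBNET" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# Also carries the replies to the LAN->DMZ pings above. NEW is accepted, so
# DMZ hosts may initiate pings into the LAN; drop NEW if that is not wanted.
echo "allow PING from DMZ to LAN"
"${IPT[@]}" -A FORWARD -i "$DMZ_IF" -o "$LAN_IF" -p icmp -s "$DMZ_SUBNET" -d "$LAN_SUBNET" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Source/destination subnet matches added for anti-spoofing, consistent
# with the DNS and SSH rules above.
echo "Allow HTTP from LAN to WAN"
"${IPT[@]}" -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -p tcp -s "$LAN_SUBNET" -m multiport --dports 80 -m state --state NEW,ESTABLISHED -j ACCEPT
"${IPT[@]}" -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$LAN_SUBNET" -m multiport --sports 80 -m state --state ESTABLISHED -j ACCEPT

echo "Allow HTTP, HTTPS and Proxy from LAN to DMZ"
"${IPT[@]}" -A FORWARD -i "$LAN_IF" -o "$DMZ_IF" -p tcp -s "$LAN_SUBNET" -d "$DMZ_SUBNET" -m multiport --dports 80,443,8080 -m state --state NEW,ESTABLISHED -j ACCEPT
"${IPT[@]}" -A FORWARD -i "$DMZ_IF" -o "$LAN_IF" -p tcp -s "$DMZ_SUBNET" -d "$LAN_SUBNET" -m multiport --sports 80,443,8080 -m state --state ESTABLISHED -j ACCEPT

# Rate-limited logging ahead of the final DROP on every chain, FORWARD
# included, so dropped transit traffic is visible as well.
echo "Log before dropping"
"${IPT[@]}" -A INPUT -j LOG -m limit --limit 12/min --log-level 4 --log-prefix 'IP INPUT drop: '
"${IPT[@]}" -A INPUT -j DROP
"${IPT[@]}" -A FORWARD -j LOG -m limit --limit 12/min --log-level 4 --log-prefix 'IP FORWARD drop: '
"${IPT[@]}" -A FORWARD -j DROP
"${IPT[@]}" -A OUTPUT -j LOG -m limit --limit 12/min --log-level 4 --log-prefix 'IP OUTPUT drop: '
"${IPT[@]}" -A OUTPUT -j DROP

exit 0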