-
-
Save Callisto88/05851c3d799c79a6b463f0b23087bc0c to your computer and use it in GitHub Desktop.
HEIG-VD / SRX / Labo firewall / script iptables
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/bin/bash | |
IPT="sudo /sbin/iptables" | |
# IPs | |
FIREWALL_IP="192.168.100.254" | |
DMZ_IP="192.168.200.100" | |
LAN_IP="192.168.100.100" | |
LAN_SUBNET="192.168.100.0/24" | |
# Your DNS servers you use: cat /etc/resolv.conf | |
DNS_SERVER="8.8.4.4 8.8.8.8" | |
# Flush existing rules | |
echo "flush iptable rules" | |
$IPT -F | |
$IPT -X | |
$IPT -t nat -F | |
$IPT -t nat -X | |
$IPT -t mangle -F | |
$IPT -t mangle -X | |
echo "Allow SSH exclusively from the LAN" | |
$IPT -A INPUT -i eth1 -p tcp -s $LAN_SUBNET --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT | |
$IPT -A OUTPUT -o eth1 -p tcp -s $LAN_SUBNET --sport 22 -m state --state ESTABLISHED -j ACCEPT | |
echo "Allow LAN to open SSH on DMZ" | |
$IPT -A FORWARD -i eth1 -o eth2 -p tcp -s $LAN_SUBNET -d $DMZ_IP --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT | |
$IPT -A FORWARD -i eth2 -o eth1 -p tcp -s $DMZ_IP -d $LAN_SUBNET --sport 22 -m state --state ESTABLISHED -j ACCEPT | |
echo "Set default policy to 'DROP'" | |
$IPT -P INPUT DROP | |
$IPT -P OUTPUT DROP | |
$IPT -P FORWARD DROP | |
echo "allow all and everything on localhost" | |
$IPT -A INPUT -i lo -j ACCEPT | |
$IPT -A OUTPUT -o lo -j ACCEPT | |
echo "Allow connection initiated by the .." | |
echo "firewall to the WAN" | |
$IPT -I OUTPUT -o eth0 -d 0.0.0.0/0 -j ACCEPT | |
$IPT -I INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT | |
echo "firewall to the LAN" | |
$IPT -I OUTPUT -o eth1 -d 0.0.0.0/0 -j ACCEPT | |
$IPT -I INPUT -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT | |
echo "firewall to the DMZ" | |
$IPT -I OUTPUT -o eth2 -d 0.0.0.0/0 -j ACCEPT | |
$IPT -I INPUT -i eth2 -m state --state ESTABLISHED,RELATED -j ACCEPT | |
echo "Allowing DNS lookups (tcp, udp port 53) to server '$ip'" | |
$IPT -A FORWARD -i eth1 -o eth0 -p udp -s $LAN_SUBNET --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT | |
$IPT -A FORWARD -i eth1 -o eth0 -p tcp -s $LAN_SUBNET --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT | |
$IPT -A FORWARD -i eth0 -o eth1 -p udp -d $LAN_SUBNET --sport 53 -m state --state ESTABLISHED -j ACCEPT | |
$IPT -A FORWARD -i eth0 -o eth1 -p tcp -d $LAN_SUBNET --sport 53 -m state --state ESTABLISHED -j ACCEPT | |
echo "Allow DHCP requests between Firewall & LAN" | |
$IPT -A INPUT -s $LAN_SUBNET -p udp --dport 67:68 --sport 67:68 -j ACCEPT | |
echo "allow PING from LAN to WAN" | |
$IPT -A FORWARD -p icmp -s $LAN_SUBNET -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT | |
echo "allow PING from LAN to DMZ" | |
$IPT -A FORWARD -p icmp -s $LAN_SUBNET -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT | |
echo "allow PING from DMZ to LAN" | |
$IPT -A FORWARD -i eth2 -o eth1 -p icmp -s 192.168.200.0/24 -d $LAN_SUBNET -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT | |
echo "Allow HTTP from LAN to WAN" | |
$IPT -A FORWARD -i eth1 -o eth0 -p tcp -m multiport --dports 80 -m state --state NEW,ESTABLISHED -j ACCEPT | |
$IPT -A FORWARD -i eth0 -o eth1 -p tcp -m multiport --sports 80 -m state --state ESTABLISHED -j ACCEPT | |
echo "Allow HTTP, HTTPS and Proxy from LAN to DMZ" | |
$IPT -A FORWARD -i eth1 -o eth2 -p tcp -m multiport --dports 80,443,8080 -m state --state NEW,ESTABLISHED -j ACCEPT | |
$IPT -A FORWARD -i eth2 -o eth1 -p tcp -m multiport --sports 80,443,8080 -m state --state ESTABLISHED -j ACCEPT | |
echo "Log before dropping" | |
$IPT -A INPUT -j LOG -m limit --limit 12/min --log-level 4 --log-prefix 'IP INPUT drop: ' | |
$IPT -A INPUT -j DROP | |
$IPT -A OUTPUT -j LOG -m limit --limit 12/min --log-level 4 --log-prefix 'IP OUTPUT drop: ' | |
$IPT -A OUTPUT -j DROP | |
exit 0 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment