155 lines
5.0 KiB
Bash
155 lines
5.0 KiB
Bash
#!/bin/sh
|
|
|
|
##### Variables definitions #####
|
|
|
|
## Proxmox bridge holding Public IP
|
|
ProxPhyInt="vmbr0"
|
|
## Proxmox bridge on ProxVMBR1Net
|
|
ProxVMBR1="vmbr1"
|
|
## Network/Mask of ProxVMBR1Net
|
|
ProxVMBR1NET="10.0.0.0/30"
|
|
|
|
## Public IP => Set your own
|
|
PublicIP="XXX.XXX.XXX.XXX"
|
|
## Proxmox WAN Bridge IP
|
|
ProxVMBR1IP="10.0.0.1"
|
|
## Router WAN IP
|
|
RtrWANIP="10.0.0.2"
|
|
|
|
ProxWebIntPort="8006"
|
|
DNSPort="53"
|
|
HTTPPort="80"
|
|
NTPPort="123"
|
|
HTTPSPort="443"
|
|
SSHDPort="1234"
|
|
DNS1="XXX.XXX.XXX.XXX"
|
|
DNS2="XXX.XXX.XXX.XXX"
|
|
|
|
|
|
##### CLEAN ALL RULES & DROP IPV4 AND IPV6 PACKETS #####
|
|
|
|
## Delete all existing rules.
|
|
/sbin/iptables -F
|
|
/sbin/iptables -X
|
|
/sbin/iptables -t nat -F
|
|
/sbin/iptables -t nat -X
|
|
/sbin/iptables -t mangle -F
|
|
/sbin/iptables -t mangle -X
|
|
|
|
/sbin/ip6tables -F
|
|
/sbin/ip6tables -X
|
|
/sbin/ip6tables -t nat -F
|
|
/sbin/ip6tables -t nat -X
|
|
/sbin/ip6tables -t mangle -F
|
|
/sbin/ip6tables -t mangle -X
|
|
|
|
## Block ALL IPV4 and IPV6 INPUT and OUTPUT
|
|
/sbin/iptables -P INPUT DROP
|
|
/sbin/iptables -P OUTPUT DROP
|
|
/sbin/iptables -P FORWARD DROP
|
|
|
|
/sbin/ip6tables -P INPUT DROP
|
|
/sbin/ip6tables -P OUTPUT DROP
|
|
/sbin/ip6tables -P FORWARD DROP
|
|
|
|
##### CHAINS #####
|
|
|
|
## Creating chains
|
|
/sbin/iptables -N TCP
|
|
/sbin/iptables -N UDP
|
|
/sbin/iptables -N udp-flood
|
|
|
|
## UDP = ACCEPT / SEND TO THIS CHAIN
|
|
/sbin/iptables -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
|
|
## TCP = ACCEPT / SEND TO THIS CHAIN
|
|
/sbin/iptables -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
|
|
|
|
##### GLOBAL RULES #####
|
|
|
|
## Allow localhost
|
|
/sbin/iptables -A INPUT -i lo -j ACCEPT
|
|
/sbin/iptables -A OUTPUT -o lo -j ACCEPT
|
|
## Don't break the current/active connections
|
|
/sbin/iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
|
/sbin/iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
|
## Allow response to ping request
|
|
/sbin/iptables -A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
|
|
|
|
##### INPUT IPV4 RULES FOR ProxPhyInt #####
|
|
|
|
## Allow Proxmox SSH server
|
|
/sbin/iptables -A TCP -i $ProxPhyInt -d $PublicIP -p tcp --dport $SSHDPort -j ACCEPT
|
|
## Allow Proxmox WebUI
|
|
/sbin/iptables -A TCP -i $ProxPhyInt -d $PublicIP -p tcp --dport $ProxWebIntPort -j ACCEPT
|
|
## NTP Client
|
|
/sbin/iptables -A UDP -i $ProxPhyInt -d $PublicIP -p udp --sport $NTPPort -j ACCEPT
|
|
|
|
##### OUTPUT IPV4 RULES FOR ProxPhyInt #####
|
|
|
|
## Allow ping out
|
|
/sbin/iptables -A OUTPUT -p icmp -j ACCEPT
|
|
## Allow LAN to access internet
|
|
/sbin/iptables -A OUTPUT -o $ProxPhyInt -s $RtrWANIP -d $PublicIP -j ACCEPT
|
|
|
|
## Proxmox Host as CLIENT
|
|
## Allow SSH
|
|
/sbin/iptables -A OUTPUT -o $ProxPhyInt -s $PublicIP -p tcp --dport $SSHDPort -j ACCEPT
|
|
## Allow DNS
|
|
/sbin/iptables -A OUTPUT -o $ProxPhyInt -s $PublicIP -p udp --dport $DNSPort -d $DNS1,$DNS2 -j ACCEPT
|
|
## Allow HTTP/HTTPS
|
|
/sbin/iptables -A OUTPUT -o $ProxPhyInt -s $PublicIP -p tcp --dport $HTTPPort -j ACCEPT
|
|
/sbin/iptables -A OUTPUT -o $ProxPhyInt -s $PublicIP -p tcp --dport $HTTPSPort -j ACCEPT
|
|
## Allow NTP
|
|
/sbin/iptables -A OUTPUT -o $ProxPhyInt -s $PublicIP -p udp --dport $NTPPort -j ACCEPT
|
|
|
|
## Proxmox Host as SERVER
|
|
## Allow SSH
|
|
/sbin/iptables -A OUTPUT -o $ProxPhyInt -s $PublicIP -p tcp --sport $SSHDPort -j ACCEPT
|
|
## Allow PROXMOX WebUI
|
|
/sbin/iptables -A OUTPUT -o $ProxPhyInt -s $PublicIP -p tcp --sport $ProxWebIntPort -j ACCEPT
|
|
## Allow NTP
|
|
/sbin/iptables -A OUTPUT -o $ProxPhyInt -s $PublicIP -p udp --sport $NTPPort -j ACCEPT
|
|
|
|
##### FORWARD IPV4 RULES #####
|
|
|
|
## Allow request forwarding from WAN to Router WAN interface
|
|
/sbin/iptables -A FORWARD -i $ProxPhyInt -d $RtrWANIP -o $ProxVMBR1 -p tcp -j ACCEPT
|
|
/sbin/iptables -A FORWARD -i $ProxPhyInt -d $RtrWANIP -o $ProxVMBR1 -p udp -j ACCEPT
|
|
|
|
## Allow request forwarding from LAN
|
|
/sbin/iptables -A FORWARD -i $ProxVMBR1 -s $ProxVMBR1NET -j ACCEPT
|
|
|
|
##### MASQUERADE MANDATORY #####
|
|
|
|
## Allow WAN network to use vmbr0 public adress to go out
|
|
/sbin/iptables -t nat -A POSTROUTING -s $ProxVMBR1NET -o $ProxPhyInt -j MASQUERADE
|
|
|
|
##### Redirect IPV4 (NAT) traffic from internet #####
|
|
|
|
## All tcp to Router WAN except 22 and 8006
|
|
/sbin/iptables -t nat -A PREROUTING -i $ProxPhyInt -p tcp --match multiport ! --dports $SSHDPort,$ProxWebIntPort -j DNAT --to $RtrWANIP
|
|
## All udp to Router WAN
|
|
/sbin/iptables -t nat -A PREROUTING -i $ProxPhyInt -p udp -j DNAT --to $RtrWANIP
|
|
|
|
##### INPUT IPV4 RULES FOR ProxVMBR1 #####
|
|
|
|
## SSH (Server)
|
|
/sbin/iptables -A TCP -i $ProxVMBR1 -d $ProxVMBR1IP -p tcp --dport $SSHDPort -j ACCEPT
|
|
## Proxmox WebUI (Server)
|
|
/sbin/iptables -A TCP -i $ProxVMBR1 -d $ProxVMBR1IP -p tcp --dport $ProxWebIntPort -j ACCEPT
|
|
|
|
##### OUTPUT IPV4 RULES FOR ProxVMBR1 #####
|
|
|
|
## Allow SSH server
|
|
/sbin/iptables -A OUTPUT -o $ProxVMBR1 -s $ProxVMBR1IP -p tcp --sport $SSHDPort -j ACCEPT
|
|
## Allow Proxmox WebUI
|
|
/sbin/iptables -A OUTPUT -o $ProxVMBR1 -s $ProxVMBR1IP -p tcp --sport $ProxWebIntPort -j ACCEPT
|
|
|
|
##### OUTPUT FLOOD PROTECTION #####
|
|
|
|
/sbin/iptables -A OUTPUT -p udp -j udp-flood
|
|
/sbin/iptables -A udp-flood -p udp -m limit --limit 10/s -j RETURN
|
|
/sbin/iptables -A udp-flood -j LOG --log-level 4 --log-prefix 'UDP-flood attempt: '
|
|
/sbin/iptables -A udp-flood -j DROP
|
|
/sbin/iptables -A OUTPUT -p udp -j DROP
|