121 lines
3.3 KiB
Bash
121 lines
3.3 KiB
Bash
#!/bin/bash
|
|
|
|
##### Port forwarding activation #####
|
|
|
|
echo 1 > /proc/sys/net/ipv4/ip_forward
|
|
|
|
##### Variables definitions #####
|
|
|
|
## WAN Router Interface
|
|
WanInt="eth0"
|
|
## LAN Router Interface
|
|
LanInt="eth1"
|
|
## Network LAN
|
|
LanNet="192.168.0.0/24"
|
|
|
|
## WAN Router IP
|
|
WanIP="10.0.0.2"
|
|
## LAN Router IP
|
|
LanIP="192.168.0.2"
|
|
## HAProxy IP
|
|
HAProxyIP="192.168.0.3"
|
|
|
|
DNSPort="53"
|
|
HTTPPort="80"
|
|
HTTPSPort="443"
|
|
|
|
DNS1="XXX.XXX.XXX.XXX"
|
|
DNS2="XXX.XXX.XXX.XXX"
|
|
|
|
##### CLEAN ALL RULES & DROP IPV4 AND IPV6 PACKETS #####
|
|
|
|
## Delete all existing rules.
|
|
iptables -F
|
|
iptables -X
|
|
iptables -t nat -F
|
|
iptables -t nat -X
|
|
iptables -t mangle -F
|
|
iptables -t mangle -X
|
|
|
|
ip6tables -F
|
|
ip6tables -X
|
|
ip6tables -t nat -F
|
|
ip6tables -t nat -X
|
|
ip6tables -t mangle -F
|
|
ip6tables -t mangle -X
|
|
|
|
## Block ALL IPV4 and IPV6 INPUT and OUTPUT
|
|
iptables -P INPUT DROP
|
|
iptables -P OUTPUT DROP
|
|
iptables -P FORWARD DROP
|
|
|
|
ip6tables -P INPUT DROP
|
|
ip6tables -P OUTPUT DROP
|
|
ip6tables -P FORWARD DROP
|
|
|
|
##### CHAINS #####
|
|
|
|
## Creating chains
|
|
iptables -N TCP
|
|
iptables -N UDP
|
|
iptables -N udp-flood
|
|
|
|
## UDP = ACCEPT / SEND TO THIS CHAIN
|
|
iptables -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
|
|
## TCP = ACCEPT / SEND TO THIS CHAIN
|
|
iptables -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
|
|
|
|
##### GLOBAL RULES #####
|
|
|
|
## Allow localhost
|
|
iptables -A INPUT -i lo -j ACCEPT
|
|
iptables -A OUTPUT -o lo -j ACCEPT
|
|
## Don't break the current/active connections
|
|
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
|
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
|
## Allow response to ping request on interface eth1
|
|
iptables -A INPUT -i $LanInt -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
|
|
|
|
##### OUTPUT IPV4 RULES FOR Router #####
|
|
|
|
## Allow ping out
|
|
iptables -A OUTPUT -p icmp -j ACCEPT
|
|
|
|
## Routeur as CLIENT
|
|
## Allow DNS
|
|
iptables -A OUTPUT -o $WanInt -s $WanIP -p udp --dport $DNSPort -d $DNS1,$DNS2 -j ACCEPT
|
|
## Block All Other UDP
|
|
#iptables -A OUTPUT -p udp -j DROP
|
|
## Allow HTTP/HTTPS
|
|
iptables -A OUTPUT -o $WanInt -s $WanIP -p tcp --match multiport --dports $HTTPPort,$HTTPSPort -j ACCEPT
|
|
|
|
##### FORWARD IPV4 RULES #####
|
|
|
|
## Allow request forwarding from WAN to Router LAN interface
|
|
iptables -A FORWARD -i $WanInt -d $WanIP -o $LanInt -p tcp -j ACCEPT
|
|
iptables -A FORWARD -i $WanInt -d $WanIP -o $LanInt -p udp -j ACCEPT
|
|
## Allow request forwarding from LAN
|
|
iptables -A FORWARD -i $LanInt -s $LanNet -j ACCEPT
|
|
## Forward HTTP/HTTPS to HAProxy
|
|
iptables -A FORWARD -i $WanInt -p tcp --match multiport --dports $HTTPPort,$HTTPSPort -d $HAProxyIP -j ACCEPT
|
|
|
|
##### MASQUERADE MANDATORY #####
|
|
|
|
## Allow WAN network to use WanInt public adress to go out
|
|
iptables -t nat -A POSTROUTING -s $LanNet -o $WanInt -j MASQUERADE
|
|
|
|
##### Redirect IPV4 (NAT) traffic from internet #####
|
|
|
|
## All tcp to Router WAN
|
|
iptables -t nat -A PREROUTING -i $WanInt -p tcp --match multiport --dports $HTTPPort,$HTTPSPort -j DNAT --to $HAProxyIP
|
|
## All udp to Router WAN
|
|
iptables -t nat -A PREROUTING -i $WanInt -p udp -j DNAT --to $LanIP
|
|
|
|
##### OUTPUT FLOOD PROTECTION #####
|
|
|
|
iptables -A OUTPUT -p udp -j udp-flood
|
|
iptables -A udp-flood -p udp -m limit --limit 10/s -j RETURN
|
|
iptables -A udp-flood -j LOG --log-level 4 --log-prefix 'UDP-flood attempt: '
|
|
iptables -A udp-flood -j DROP
|
|
iptables -A OUTPUT -p udp -j DROP
|