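#!/bin/sh
#
# masquerading.sh - Version 20020319 - Coresis
#
# Used random IPs
#
# Flushes the filter and nat tables, sets DROP default policies on the
# filter chains, tunes a few /proc/sys/net/ipv4 knobs and then installs the
# anti-spoofing, LAN, service, masquerading and PPTP VPN forwarding rules.
# Must run as root; every rule is an explicit allow on top of default DROP.
#
#### DEBUGGING ###
set -x

### FLUSHING CHAIN ###
/sbin/iptables -F
/sbin/iptables -F -t nat
/sbin/iptables -X
/sbin/iptables -Z

### DEFAULT CHAIN ###
# Default-deny on every filter chain; nat chains stay ACCEPT (they only rewrite).
/sbin/iptables -P INPUT DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -P OUTPUT DROP
/sbin/iptables -t nat -P POSTROUTING ACCEPT
/sbin/iptables -t nat -P PREROUTING ACCEPT

### SETTING IPFORWARDING ###
/bin/echo "1" > /proc/sys/net/ipv4/ip_forward

### DISABLE RESPOND TO BROADCAST ###
/bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

### ENABLE BAD ERROR MESSAGE PROTECTION ###
/bin/echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

### DISABLE ICMP REDIRECT ACCEPTANCE ###
/bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects

### SETTING ANTISPOOFING PROTECTION ###
/bin/echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter

### LOG MARTIAN PACKETS ###
# log_martians logs packets with impossible source addresses; it has nothing
# to do with broadcast pings (those are handled by icmp_echo_ignore_broadcasts).
/bin/echo "1" > /proc/sys/net/ipv4/conf/all/log_martians

# External Interface
EXTIF="eth1"

# Internal Interface
INTIF="eth0"

# Host Public IP
EGO="211.121.111.111"

# Internal LAN IP
LANIN="10.0.0.0/24"

# Trusted public network
TRUSTED="13.18.151.0/24"

# Traceroute ports
TR_SRC_PORTS="32769:65535"
TR_DEST_PORTS="33434:33523"

# DNS servers
DNS1="113.118.51.1"
DNS2="17.16.32.3"

# IP of an User allowed to log in the internal VPN server
# (named VPN_USER rather than USER so the script does not clobber the
# login-name environment variable)
VPN_USER="112.56.10.32/28"

# IP of the VPN server
VPNSERVER="10.0.0.77"

# RFC IPs
LOOPBACK="127.0.0.0/8"
CLASS_A="10.0.0.0/8"
CLASS_B="172.16.0.0/12"
CLASS_C="192.168.0.0/16"
CLASS_D_MULTICAST="224.0.0.0/4"
CLASS_E_RESERVED_NET="240.0.0.0/5"



### RULE #######################################################################

# ======================= SPOOFING ===============================
# Nothing arriving on the external interface may claim our own address,
# a private/reserved range or loopback as its source, nor target loopback.
/sbin/iptables -A INPUT -i "$EXTIF" -s "$EGO" -j DROP
/sbin/iptables -A INPUT -i "$EXTIF" -s "$LOOPBACK" -j DROP
/sbin/iptables -A INPUT -i "$EXTIF" -s "$CLASS_A" -j DROP
/sbin/iptables -A INPUT -i "$EXTIF" -s "$CLASS_B" -j DROP
/sbin/iptables -A INPUT -i "$EXTIF" -s "$CLASS_C" -j DROP
/sbin/iptables -A INPUT -i "$EXTIF" -s "$CLASS_D_MULTICAST" -j DROP
/sbin/iptables -A INPUT -i "$EXTIF" -s "$CLASS_E_RESERVED_NET" -j DROP
/sbin/iptables -A INPUT -i "$EXTIF" -d "$LOOPBACK" -j DROP

# ======================= LOOP RULE =======================
# Bound to the lo device so a 127/8 source on any other interface is not accepted.
/sbin/iptables -A INPUT -i lo -s "$LOOPBACK" -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -d "$LOOPBACK" -j ACCEPT

# ====================== TRACEROUTE ==============================
/sbin/iptables -A OUTPUT -o "$EXTIF" -p udp --sport "$TR_SRC_PORTS" --dport "$TR_DEST_PORTS" \
 -m state --state NEW -j ACCEPT

# ======================= LAN IN OUT ================================
/sbin/iptables -A INPUT -i "$INTIF" -s "$LANIN" -j ACCEPT
/sbin/iptables -A OUTPUT -o "$INTIF" -d "$LANIN" -j ACCEPT
/sbin/iptables -A FORWARD -s "$LANIN" -d 0/0 -j ACCEPT
# The PPTP control connection DNATed to the VPN server (see VPN CHAIN below)
# traverses FORWARD, so it has to be accepted here, ahead of the inbound SYN
# drop, or the tunnel can never be set up. GRE (proto 47) is not TCP and is
# let through by the catch-all ACCEPT two lines down.
/sbin/iptables -A FORWARD -i "$EXTIF" -s "$VPN_USER" -d "$VPNSERVER" -p tcp --dport 1723 -j ACCEPT
/sbin/iptables -A FORWARD -s 0/0 -d "$LANIN" -p tcp --syn -j DROP
/sbin/iptables -A FORWARD -s 0/0 -d "$LANIN" -j ACCEPT

# ======================= SERVICES ==========================
# DNS
/sbin/iptables -A INPUT -i "$EXTIF" -p udp -s "$DNS1" --sport 53 -j ACCEPT
/sbin/iptables -A INPUT -i "$EXTIF" -p udp -s "$DNS2" --sport 53 -j ACCEPT

# SSH
/sbin/iptables -A INPUT -s "$TRUSTED" -p tcp --dport 22 -j ACCEPT


# ====================== RULE ====================================
/sbin/iptables -A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
/sbin/iptables -A INPUT -i "$EXTIF" -p udp -m state --state ESTABLISHED -j ACCEPT
/sbin/iptables -A OUTPUT -p udp -m state --state NEW,ESTABLISHED -j ACCEPT
/sbin/iptables -A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A OUTPUT -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

### POSTROUTING CHAIN ##########################################################

/sbin/iptables -t nat -A POSTROUTING -o "$EXTIF" -s "$LANIN" -j MASQUERADE

### VPN CHAIN ###########################################################
# DNAT in nat/PREROUTING happens before the routing decision, so redirected
# PPTP packets go through FORWARD, not INPUT; the INPUT rule below only
# matters if the DNAT is removed and this host serves PPTP itself. Both DNAT
# rules are pinned to the external interface (the GRE rule used to hard-code
# eth1 instead of $EXTIF).
/sbin/iptables -A INPUT -s "$VPN_USER" -p tcp --dport 1723 -j ACCEPT
/sbin/iptables -t nat -A PREROUTING -i "$EXTIF" -d "$EGO" -p tcp --dport 1723 -j DNAT --to-dest "$VPNSERVER:1723"
/sbin/iptables -t nat -A PREROUTING -i "$EXTIF" -d "$EGO" -p 47 -j DNAT --to-dest "$VPNSERVER"

### LOGGING ####################################################################
#/sbin/iptables -A INPUT -j LOG --log-prefix "DENY INPUT:"
#/sbin/iptables -A INPUT -i $EXTIF -m state --state NEW,INVALID -j DROP
#/sbin/iptables -A FORWARD -j LOG --log-prefix "DENY FW:"
#/sbin/iptables -A OUTPUT -j LOG --log-prefix "DENY OUT:"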