Created December 15, 2021 12:20
Gist Akanoa/afef9cbc6b4f90a78f2c841017932589
#!/bin/sh
###################
# Define variables
###################
## Public bridge holds the physical interface (public IP, output gateway)
PublicBridge="vmbr0"
## WAN bridge ( holds WanNetwork )
WanBridge="vmbr1"
## LAN bridge ( holds LanNetwork )
LanBridge="vmbr2"
## Network between hypervisor and firewall
WanNetwork="10.0.0.0/30"
## Network between firewall and VMs
LanNetwork="192.168.10.0/24"
## VPN network
VpnNetwork="10.2.2.0/24"
## IPv4 public IP of the physical interface (placeholder, four octets)
PublicIP="xxx.xxx.xxx.xxx"
## Hypervisor IP inside the WAN network
HypervisorWanIP="10.0.0.1"
## Hypervisor IP inside the LAN network
HypervisorLanIP="192.168.9.1"
## Firewall IP inside the WAN network
FirewallWanIP="10.0.0.2"
## SSH port (placeholder)
SshPort="xxxxx"
###################
# Cleanup
###################
# Delete all the rules of every chain ( table filter )
# iptables -F
iptables --flush
# Delete all the rules of every chain ( table nat )
# iptables -t nat -F
iptables --table nat --flush
# Delete all the rules of every chain ( table mangle )
# iptables -t mangle -F
iptables --table mangle --flush
# Delete all user-defined chains
# iptables -X
iptables --delete-chain
# IPv6 policies: drop everything, no IPv6 rules are defined below
ip6tables --policy INPUT DROP
ip6tables -P OUTPUT DROP
ip6tables -P FORWARD DROP
# IPv4 default policies: deny by default, rules below open what is needed
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
###################
# Chains
###################
# Create chains
iptables --new-chain TCP
iptables -N UDP
# Hand new UDP and TCP connections to their own chains (non-matching packets
# return to INPUT and fall through to the DROP policy)
iptables --append INPUT --protocol udp --match conntrack --ctstate NEW --jump UDP
iptables -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
###################
# Global rules
###################
# Allow localhost
# iptables -A INPUT -i lo -j ACCEPT
# iptables -A OUTPUT -o lo -j ACCEPT
iptables --append INPUT --in-interface lo --jump ACCEPT
iptables --append OUTPUT --out-interface lo --jump ACCEPT
# Don't break current or active connections
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Allow ICMP echo requests (ping) in
iptables -A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
########################
# Incoming traffic rules
########################
# Allow SSH connections
iptables -A TCP -i $PublicBridge -d $PublicIP -p tcp --dport $SshPort -j ACCEPT
# Allow Proxmox WebUI
iptables -A TCP -i $PublicBridge -d $PublicIP -p tcp --dport 8006 -j ACCEPT
########################
# Outgoing traffic rules
########################
# Allow ping out
iptables -A OUTPUT -p icmp -j ACCEPT
# Allow HTTPS/HTTP
iptables -A OUTPUT -o $PublicBridge -s $PublicIP -p tcp --dport 80 -j ACCEPT
# ip6tables -A OUTPUT -o $PublicBridge -s $PublicIP -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -o $PublicBridge -s $PublicIP -p tcp --dport 443 -j ACCEPT
# ip6tables -A OUTPUT -o $PublicBridge -s $PublicIP -p tcp --dport 443 -j ACCEPT
# Allow DNS
iptables -A OUTPUT -o $PublicBridge -s $PublicIP -p udp --dport 53 -j ACCEPT
# Allow SSH replies (OUTPUT has no conntrack rule, so replies are matched by source port)
iptables -A OUTPUT -o $PublicBridge -s $PublicIP -p tcp --sport $SshPort -j ACCEPT
# Allow Proxmox WebUI replies
iptables -A OUTPUT -o $PublicBridge -s $PublicIP -p tcp --sport 8006 -j ACCEPT
# Allow access to VMs from the hypervisor
iptables -A OUTPUT -o $WanBridge -s $HypervisorWanIP -p tcp -j ACCEPT
###########################
# Forwarding traffic rules
###########################
# Send all TCP traffic from the public IP to the WAN network, except for the SSH port and Proxmox WebUI
iptables -A PREROUTING -t nat -i $PublicBridge -p tcp --match multiport ! --dports $SshPort,8006 -j DNAT --to $FirewallWanIP
# Send all UDP traffic from the public IP to the WAN network
iptables -A PREROUTING -t nat -i $PublicBridge -p udp -j DNAT --to $FirewallWanIP
# Allow request forwarding to the firewall through the WAN network
iptables -A FORWARD -i $PublicBridge -d $FirewallWanIP -o $WanBridge -p tcp -j ACCEPT
iptables -A FORWARD -i $PublicBridge -d $FirewallWanIP -o $WanBridge -p udp -j ACCEPT
# Allow forwarding of traffic coming from the WAN network (firewall side)
iptables -A FORWARD -i $WanBridge -s $WanNetwork -j ACCEPT
# Allow the WAN network to use the public IP as gateway to go out
iptables -t nat -A POSTROUTING -s $WanNetwork -o $PublicBridge -j MASQUERADE
Shouldn't outgoing traffic on UDP port 123 be allowed for NTP? Without that port it is impossible to synchronise with a server.

I can't assure you of it with certainty, because that lab disappeared when I changed jobs, but I seem to remember that this is the line that makes it work properly.
# Don't break current or active connections
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
In any case I never had a desync problem, except when IT had actually closed 123/UDP, which was a partial cause of my leaving the company xD
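As an added example (not code from the gist or its author), the POSIX shell script below audits an `iptables-save` dump offline against the intent of the ruleset above: default DROP on the three built-in chains, loopback open both ways, RELATED,ESTABLISHED accepts on INPUT and FORWARD, the two management ports the DNAT rule excludes actually accepted in the TCP chain with matching `--sport` rules in OUTPUT, and, for the question raised in the comments, an OUTPUT rule for udp/123. The dump is constructed by hand to mirror the script's filter-table rules; the SSH port (2222) and public IP (203.0.113.10) are assumed stand-ins for the gist's placeholders. An NTP request originating on the hypervisor itself is a NEW packet in OUTPUT, which in the script has no conntrack rule and no udp/123 rule, so it falls through to the OUTPUT DROP policy; the audit reports exactly that.

```shell
#!/bin/sh
# Added example, not part of the gist: offline audit of an iptables-save dump
# against the intent of the hypervisor ruleset (DROP defaults, loopback,
# conntrack, management ports kept out of the DNAT, outbound NTP).
# RULESET_CONSTRUCTED is hand-written to mirror the gist's filter rules; the
# SSH port and public IP are assumed stand-ins, not values from the gist.

SSH_PORT=2222            # assumed stand-in for the gist's "xxxxx"
PUBLIC_IP=203.0.113.10   # assumed stand-in (TEST-NET-3) for the gist's xxx.xxx.xxx.xxx

# Constructed dump, filter table only, in the format `iptables-save` emits.
RULESET_CONSTRUCTED="*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:TCP - [0:0]
:UDP - [0:0]
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
-A OUTPUT -s $PUBLIC_IP/32 -o vmbr0 -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -s $PUBLIC_IP/32 -o vmbr0 -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -s $PUBLIC_IP/32 -o vmbr0 -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -s $PUBLIC_IP/32 -o vmbr0 -p tcp -m tcp --sport $SSH_PORT -j ACCEPT
-A OUTPUT -s $PUBLIC_IP/32 -o vmbr0 -p tcp -m tcp --sport 8006 -j ACCEPT
-A OUTPUT -s 10.0.0.1/32 -o vmbr1 -p tcp -j ACCEPT
-A TCP -d $PUBLIC_IP/32 -i vmbr0 -p tcp -m tcp --dport $SSH_PORT -j ACCEPT
-A TCP -d $PUBLIC_IP/32 -i vmbr0 -p tcp -m tcp --dport 8006 -j ACCEPT
COMMIT"

# Same dump with the rule the comment thread asks about inserted before COMMIT.
RULESET_WITH_NTP=$(printf '%s\n' "$RULESET_CONSTRUCTED" | awk -v ip="$PUBLIC_IP" '
    /^COMMIT$/ { print "-A OUTPUT -s " ip "/32 -o vmbr0 -p udp -m udp --dport 123 -j ACCEPT" }
    { print }')

# chain_policy DUMP CHAIN -> prints the chain's default policy (DROP, ACCEPT, or "-" for user chains)
chain_policy() {
    printf '%s\n' "$1" | awk -v c=":$2" '$1 == c { print $2; exit }'
}

# has_rule DUMP CHAIN ERE -> exit 0 if some rule appended to CHAIN matches the extended regex
has_rule() {
    printf '%s\n' "$1" | grep -E -q "^-A $2 .*$3"
}

# finding MESSAGE -> prints one finding and bumps the counter used by audit
finding() { echo "FINDING: $1"; n=$((n + 1)); }

# audit DUMP SSH_PORT -> one line per finding; exit status = number of findings (0 = clean)
audit() {
    dump=$1; ssh=$2; n=0
    # 1. Default-deny on every built-in chain of the filter table.
    for chain in INPUT FORWARD OUTPUT; do
        [ "$(chain_policy "$dump" "$chain")" = DROP ] || finding "$chain default policy is not DROP"
    done
    # 2. Loopback must be open both ways or local services break.
    has_rule "$dump" INPUT '-i lo -j ACCEPT' || finding "INPUT does not accept loopback"
    has_rule "$dump" OUTPUT '-o lo -j ACCEPT' || finding "OUTPUT does not accept loopback"
    # 3. Stateful accept for return traffic on the chains that see it.
    for chain in INPUT FORWARD; do
        has_rule "$dump" "$chain" '--ctstate RELATED,ESTABLISHED -j ACCEPT' \
            || finding "$chain has no RELATED,ESTABLISHED accept"
    done
    # 4. Ports excluded from the DNAT must be accepted locally, otherwise the
    #    exclusion only locks the admin out; and since OUTPUT has no conntrack
    #    rule, each one also needs an explicit --sport rule for its replies.
    for port in "$ssh" 8006; do
        has_rule "$dump" TCP "--dport $port -j ACCEPT" || finding "TCP chain does not accept tcp/$port"
        has_rule "$dump" OUTPUT "--sport $port -j ACCEPT" || finding "OUTPUT does not allow replies from tcp/$port"
    done
    # 5. The comment thread's question: an outbound NTP query is a NEW packet in
    #    OUTPUT, so it needs its own rule there; INPUT rules cannot help it.
    has_rule "$dump" OUTPUT '-p udp .*--dport 123 -j ACCEPT' \
        || finding "OUTPUT has no rule for NTP (udp/123); time sync from the hypervisor is dropped"
    return "$n"
}

echo "== audit of the ruleset as written =="
audit "$RULESET_CONSTRUCTED" "$SSH_PORT" || echo "-> $? finding(s)"
echo "== audit with the NTP rule added =="
audit "$RULESET_WITH_NTP" "$SSH_PORT" && echo "-> clean"
```

On a real host, feed it live state with `audit "$(iptables-save -t filter)" "$SshPort"`; the exit status is the number of findings, so the same call can gate a deployment of the ruleset.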