jesusprubio · October 20, 2019 09:02 · x5qubits · Oct 20, 2019
diff --git a/gistfile1.sh b/gistfile1.sh
 #!/bin/sh
 # Just another (very) simple "GNU/Linux router" script.
 #
 # NOTE: We suposse two interfaces correclty connected and external 
 # interface is connected to Internet/other network at this point.
 #
 # Copyright (c) Jesús Pérez
 # Licensed under GPLv3 - http://www.gnu.org/licenses/gpl-3.0.html

 # Variables
 # External interface
 EXTIF="wlan0"

 # Internal LAN
 #LAN="192.168.0.0/24"

 # Flush all existing chains
 echo "Deleting all rules ..."
 iptables -F

 # Enables IP-forwarding (if not)
 #echo "Enabling IP-forwarding ..."
 #echo 1 > /proc/sys/net/ipv4/ip_forward

 # Allows all outbound and forwarding traffic
 # Drops all inbound (default deny unless explicitly allowed policy)
 echo "Aplying rules ..."
 iptables -P INPUT DROP
 iptables -P OUTPUT ACCEPT
 iptables -P FORWARD DROP

 # Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
 iptables -A INPUT -i lo -j ACCEPT
 iptables -A OUTPUT -o lo -j ACCEPT

 # Allows all established inbound connections
 iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

 # Allows ping
 iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

 # Allows NAT over external interface
 #iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

 # Allows PPTP
 #iptables -A INPUT -p tcp --dport 1723 -j ACCEPT
 # which needs GRE protocol
 #iptables -A INPUT -p 47 -j ACCEPT
 # PROBAR iptables -A INPUT -p 47 --dport 1723 -j ACCEPT

 # Allows SSH (only from intranet) 
 #iptables -A INPUT -p tcp --dport 6439 -j ACCEPT
 # Rate-limit all incoming SSH connections to 3 in a one minute window and logs the attempt (warning level)
 #iptables -A INPUT -i EXTIF -p tcp --dport 6439 -m state --state NEW -m recent --set --name SSH
 #iptables -A INPUT -i EXTIF -p tcp --dport 6439 -m state --state NEW -m recent --update --seconds 60 --hitcount 3 --rttl --name SSH -j DROP
 #iptables -A INPUT -i EXTIF -p tcp --dport 6439 -m state --state NEW -m recent --update --seconds 60 --hitcount 3 --rttl --name SSH -j LOG --log-level 4 --log-prefix "SSH bruteforcing attempt!:"
	#!/bin/sh
	# Just another (very) simple "GNU/Linux router" script.
	#
	# NOTE: We suposse two interfaces correclty connected and external
	# interface is connected to Internet/other network at this point.
	#
	# Copyright (c) Jesús Pérez
	# Licensed under GPLv3 - http://www.gnu.org/licenses/gpl-3.0.html

	# Variables
	# External interface
	EXTIF="wlan0"

	# Internal LAN
	#LAN="192.168.0.0/24"

	# Flush all existing chains
	echo "Deleting all rules ..."
	iptables -F

	# Enables IP-forwarding (if not)
	#echo "Enabling IP-forwarding ..."
	#echo 1 > /proc/sys/net/ipv4/ip_forward

	# Allows all outbound and forwarding traffic
	# Drops all inbound (default deny unless explicitly allowed policy)
	echo "Aplying rules ..."
	iptables -P INPUT DROP
	iptables -P OUTPUT ACCEPT
	iptables -P FORWARD DROP

	# Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
	iptables -A INPUT -i lo -j ACCEPT
	iptables -A OUTPUT -o lo -j ACCEPT

	# Allows all established inbound connections
	iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

	# Allows ping
	iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

	# Allows NAT over external interface
	#iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

	# Allows PPTP
	#iptables -A INPUT -p tcp --dport 1723 -j ACCEPT
	# which needs GRE protocol
	#iptables -A INPUT -p 47 -j ACCEPT
	# PROBAR iptables -A INPUT -p 47 --dport 1723 -j ACCEPT

	# Allows SSH (only from intranet)
	#iptables -A INPUT -p tcp --dport 6439 -j ACCEPT
	# Rate-limit all incoming SSH connections to 3 in a one minute window and logs the attempt (warning level)
	#iptables -A INPUT -i EXTIF -p tcp --dport 6439 -m state --state NEW -m recent --set --name SSH
	#iptables -A INPUT -i EXTIF -p tcp --dport 6439 -m state --state NEW -m recent --update --seconds 60 --hitcount 3 --rttl --name SSH -j DROP
	#iptables -A INPUT -i EXTIF -p tcp --dport 6439 -m state --state NEW -m recent --update --seconds 60 --hitcount 3 --rttl --name SSH -j LOG --log-level 4 --log-prefix "SSH bruteforcing attempt!:"