Skip to content

Instantly share code, notes, and snippets.

@lotusirous

lotusirous/scriptv20150606.sh

Created May 6, 2016 11:59
Show Gist options
  • Save lotusirous/12cb2024744a6e1f5859abc35c279e49 to your computer and use it in GitHub Desktop.
Save lotusirous/12cb2024744a6e1f5859abc35c279e49 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
scriptv20150606.sh
#!/bin/sh
#
# delete all existing rules.
#
IPT='/sbin/iptables'
LAN_IF='eth4'
WAN_IF='eth0'
OPT_IF='eth1'
LAN_NET='192.168.10.0/24'
SQUID_NET="192.168.6.0/24"
SQUID_IF="eth5"
VLAN1_NET='192.168.101.0/24'
VLAN2_NET='192.168.102.0/24'
VLAN3_NET='192.168.103.0/24'
VLAN4_NET='192.168.104.0/24'
VLAN5_NET='192.168.105.0/24'
VLAN6_NET='192.168.106.0/24'
VLAN7_NET='192.168.107.0/24'
$IPT -F
$IPT -t nat -F
$IPT -t mangle -F
$IPT -X
#$IPT -A INPUT -j LOG --log-level 4 --log-prefix 'NETFILTER'
#$IPT -A OUTPUT -j LOG --log-level 4 --log-prefix 'NETFILTER'
$IPT -A FORWARD -j LOG --log-level 4 --log-prefix 'NETFILTER '
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP
# Always accept loopback traffic
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
# Allow for lan net
$IPT -A OUTPUT -o $LAN_IF -j ACCEPT
$IPT -A INPUT -i $LAN_IF -j ACCEPT
# Allow from local to internet
$IPT -A OUTPUT -o $WAN_IF -j ACCEPT
$IPT -A OUTPUT -o $OPT_IF -j ACCEPT
# Allow established connections, and those not coming from the outside
$IPT -A INPUT -s $LAN_NET -p icmp -j ACCEPT
$IPT -A OUTPUT -s $LAN_NET -p icmp -j ACCEPT
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -m state --state NEW -i $LAN_IF -j ACCEPT
# Allow forward both WANT and OPT
$IPT -A FORWARD -i $WAN_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i $OPT_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow outgoing connections from the LAN side.
$IPT -A FORWARD -s $LAN_NET -o $WAN_IF -j ACCEPT
$IPT -A FORWARD -s $VLAN5_NET -o $WAN_IF -j ACCEPT
$IPT -A FORWARD -s $VLAN6_NET -o $WAN_IF -j ACCEPT
$IPT -A FORWARD -s $VLAN7_NET -o $WAN_IF -j ACCEPT
$IPT -A FORWARD -s $VLAN4_NET -o $WAN_IF -j ACCEPT
$IPT -A FORWARD -s $VLAN3_NET -o $WAN_IF -j ACCEPT
$IPT -A FORWARD -s $VLAN2_NET -o $WAN_IF -j ACCEPT
$IPT -A FORWARD -s $VLAN1_NET -o $WAN_IF -j ACCEPT
#$IPT -A FORWARD -s $LAN_NET -o $OPT_IF -j ACCEPT
# Allow outgoing connections from the LAN side.
$IPT -A FORWARD -s $LAN_NET -o $OPT_IF -j ACCEPT
$IPT -A FORWARD -s $VLAN5_NET -o $OPT_IF -j ACCEPT
$IPT -A FORWARD -s $VLAN6_NET -o $OPT_IF -j ACCEPT
$IPT -A FORWARD -s $VLAN7_NET -o $OPT_IF -j ACCEPT
$IPT -A FORWARD -s $VLAN4_NET -o $OPT_IF -j ACCEPT
$IPT -A FORWARD -s $VLAN3_NET -o $OPT_IF -j ACCEPT
$IPT -A FORWARD -s $VLAN2_NET -o $OPT_IF -j ACCEPT
$IPT -A FORWARD -s $VLAN1_NET -o $OPT_IF -j ACCEPT
$IPT -A FORWARD -i $LAN_IF -o $LAN_IF -s $VLAN1_NET -j ACCEPT
$IPT -A FORWARD -i $LAN_IF -o $LAN_IF -d $VLAN1_NET -j ACCEPT
$IPT -A FORWARD -i $LAN_IF -o $LAN_IF -s $VLAN2_NET -j ACCEPT
$IPT -A FORWARD -i $LAN_IF -o $LAN_IF -d $VLAN2_NET -j ACCEPT
$IPT -A FORWARD -i $LAN_IF -o $LAN_IF -s $VLAN3_NET -j ACCEPT
$IPT -A FORWARD -i $LAN_IF -o $LAN_IF -d $VLAN3_NET -j ACCEPT
$IPT -A FORWARD -i $LAN_IF -o $LAN_IF -s $VLAN4_NET -j ACCEPT
$IPT -A FORWARD -i $LAN_IF -o $LAN_IF -d $VLAN4_NET -j ACCEPT
$IPT -A FORWARD -i $LAN_IF -o $LAN_IF -s $VLAN5_NET -j ACCEPT
$IPT -A FORWARD -i $LAN_IF -o $LAN_IF -d $VLAN5_NET -j ACCEPT
$IPT -A FORWARD -i $LAN_IF -o $LAN_IF -s $VLAN6_NET -j ACCEPT
$IPT -A FORWARD -i $LAN_IF -o $LAN_IF -d $VLAN6_NET -j ACCEPT
$IPT -A FORWARD -i $LAN_IF -o $LAN_IF -s $VLAN7_NET -j ACCEPT
$IPT -A FORWARD -i $LAN_IF -o $LAN_IF -d $VLAN7_NET -j ACCEPT
# forward squid net
#$IPT -A OUTPUT -o $SQUID_IF -j ACCEPT
#$IPT -A INPUT -i $SQUID_IF -j ACCEPT
#$IPT -A INPUT -i $SQUID_IF -d $LAN_NET -j ACCEPT
#$IPT -A OUTPUT -o $SQUID_IF -s $LAN_NET -j ACCEPT
#$IPT -A FORWARD -i $LAN_IF -s $LAN_NET -d $SQUID_NET -j ACCEPT
#$IPT -A FORWARD -i $SQUID_IF -d $LAN_NET -s $SQUID_NET -j ACCEPT
# Masquerade.
$IPT -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE
$IPT -t nat -A POSTROUTING -o $OPT_IF -j MASQUERADE
#$IPT -A PREROUTING -t nat -i $LAN_IF -p tcp --dport 80 -j REDIRECT --to-port 3128
# Don't forward from the outside to the inside.
#$IPT -A FORWARD -i $WAN_IF -o $LAN_IF -j REJECT
$IPT -A PREROUTING -t mangle -j CONNMARK --restore-mark
$IPT -A PREROUTING -t mangle -m mark ! --mark 0 -j ACCEPT
$IPT -A PREROUTING -p tcp -m state --state NEW -t mangle -m statistic --mode nth --every 2 --packet 0 -j MARK --set-mark 2
$IPT -A PREROUTING -p tcp -m state --state NEW -t mangle -m statistic --mode nth --every 2 --packet 1 -j MARK --set-mark 3
$IPT -A PREROUTING -t mangle -j CONNMARK --save-mark
#$IPT -A OUTPUT -t mangle -j CONNMARK --restore-mark
#$IPT -A OUTPUT -t mangle -p tcp -m state --state NEW -m mark --mark 0x0 -m statistic --mode nth --every 2 --packet 0 -j MARK --set-mark 1
#$IPT -A OUTPUT -t mangle -p tcp -m state --state NEW -m mark --mark 0x0 -m statistic --mode nth --every 2 --packet 1 -j MARK --set-mark 2
#$IPT -A PREROUTING -t mangle -m mark --mark 0x0 -m statistic --mode nth --every 4 --packet 2 -j MARK --set-mark 1
#$IPT -A PREROUTING -t mangle -m mark --mark 0x0 -m statistic --mode nth --every 4 --packet 3 -j MARK --set-mark 1
#$IPT -A POSTROUTING -t mangle -j CONNMARK --save-mark
# SSH rules
#$IPT -A INPUT -p tcp --dport 22 -j ACCEPT
#$IPT -A OUTPUT -p tcp --dport 22 -j ACCEPT
# Webmin rules
# $IPT -A INPUT -p tcp --dport 10000 -j ACCEPT
# $IPT -A OUTPUT -p tcp --dport 10000 -j ACCEPT
# Enable routing.
echo 1 > /proc/sys/net/ipv4/ip_forward
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment