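#!/bin/sh
#
# iptables ruleset for a small router: a trusted LAN on eth3, two masqueraded
# uplinks (eth0 "WAN" and eth1 "OPT") that new TCP connections are spread across
# with CONNMARK, a proxy network on eth2, and transparent redirection of LAN HTTP
# to a local Squid on port 3128.
#
# All three filter chains default to DROP; every rule below is an ACCEPT
# exception. Because the filter table holds only ACCEPT rules, their relative
# order never changes a verdict (it only affects which rule's counter grows),
# so rules are grouped by purpose rather than by original order.
#
# Must run as root. With `set -eu` a failing iptables call aborts the script
# and leaves the firewall in its partially built, fail-closed state instead of
# silently continuing with a rule missing (the original had a typo, `OUTOUT`,
# that did exactly that). Watch the output when applying this over SSH.
set -eu

IPT='/sbin/iptables'
LAN_IF='eth3'
WAN_IF='eth0'
OPT_IF='eth1'
SQUID_IF='eth2'
LAN_NET='192.168.200.0/24'
SQUID_NET='192.168.2.0/24'

# Set the DROP policies before flushing: on a fresh boot the built-in policy is
# ACCEPT, so flushing first would briefly leave forwarding wide open.
"$IPT" -P INPUT DROP
"$IPT" -P OUTPUT DROP
"$IPT" -P FORWARD DROP

# Start from an empty ruleset in every table. The raw table must be flushed as
# well: the original omitted it, so the CT --notrack rules below (added with -I)
# accumulated a new copy on every re-run.
for table in filter nat mangle raw; do
  "$IPT" -t "$table" -F
  "$IPT" -t "$table" -X
done

# Uncomment to log every packet reaching these chains (very noisy).
#"$IPT" -A INPUT   -j LOG --log-level 4 --log-prefix 'NETFILTER'
#"$IPT" -A OUTPUT  -j LOG --log-level 4 --log-prefix 'NETFILTER'
#"$IPT" -A FORWARD -j LOG --log-level 4 --log-prefix 'NETFILTER '

# Loopback is always allowed.
"$IPT" -A INPUT  -i lo -j ACCEPT
"$IPT" -A OUTPUT -o lo -j ACCEPT

# Replies to connections this host initiated or accepted. Placed first so the
# bulk of traffic matches early. Packets marked UNTRACKED by the raw-table SIP
# rules below never match this state and need their own accept if they must
# reach this host.
"$IPT" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# The LAN interface is fully trusted in both directions. This single pair
# subsumes the original's separate "new connections from LAN", "ICMP from LAN"
# and "squid int" rules, which were all hard-coded to eth3. The original also
# accepted ICMP with a $LAN_NET source on *any* interface; a LAN address is only
# legitimate on $LAN_IF, so such packets are now left to the DROP policy
# (anti-spoofing).
"$IPT" -A INPUT  -i "$LAN_IF" -j ACCEPT
"$IPT" -A OUTPUT -o "$LAN_IF" -j ACCEPT

# This host may initiate anything towards either uplink.
"$IPT" -A OUTPUT -o "$WAN_IF" -j ACCEPT
"$IPT" -A OUTPUT -o "$OPT_IF" -j ACCEPT

# ICMP this host sends from a LAN address on an interface not covered above.
"$IPT" -A OUTPUT -s "$LAN_NET" -p icmp -j ACCEPT

# SSH to this host from the WAN side.
# NOTE(review): the original comment read "Allow ssh from NAT network" but the
# rule carries no source restriction, so tcp/22 is reachable from the entire
# WAN. Add `-s <trusted-net>` once the intended source range is known, or
# restrict administration to the LAN interface.
"$IPT" -A INPUT -i "$WAN_IF" -p tcp --dport 22 -j ACCEPT
# Reply direction. Currently subsumed by the accept-all on -o $WAN_IF above, but
# kept explicit so SSH keeps working if that rule is ever tightened. (In the
# original this line was spelled `-A OUTOUT` and never loaded.)
"$IPT" -A OUTPUT -o "$WAN_IF" -p tcp --sport 22 -j ACCEPT

# Forwarding: replies coming back in from either uplink towards the LAN.
"$IPT" -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
"$IPT" -A FORWARD -i "$OPT_IF" -o "$LAN_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Forwarding: new connections from the LAN out to either uplink. `-i $LAN_IF`
# is an anti-spoofing guard the original lacked: without it a packet arriving on
# an uplink with a forged $LAN_NET source would have been forwarded to the other
# uplink. Anything from the WAN or OPT side towards the LAN that is not a reply
# falls through to the FORWARD DROP policy (the original's commented-out REJECT
# was redundant with that policy).
"$IPT" -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -o "$WAN_IF" -j ACCEPT
"$IPT" -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -o "$OPT_IF" -j ACCEPT

# Proxy network on $SQUID_IF: this host (addressed from the LAN range) and the
# LAN hosts may exchange traffic with it, in both directions.
"$IPT" -A INPUT   -i "$SQUID_IF" -d "$LAN_NET" -j ACCEPT
"$IPT" -A OUTPUT  -o "$SQUID_IF" -s "$LAN_NET" -j ACCEPT
"$IPT" -A FORWARD -i "$LAN_IF"   -s "$LAN_NET"   -d "$SQUID_NET" -j ACCEPT
"$IPT" -A FORWARD -i "$SQUID_IF" -s "$SQUID_NET" -d "$LAN_NET"   -j ACCEPT

# Transparent proxy: LAN HTTP is redirected to port 3128 on *this host*, which
# requires Squid to be listening locally (the redirected traffic is then allowed
# by the INPUT accept on $LAN_IF).
# NOTE(review): the $SQUID_NET rules above point at a separate proxy network;
# REDIRECT cannot send traffic there (that would need DNAT). Confirm which
# deployment is intended.
"$IPT" -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 -j REDIRECT --to-ports 3128

# Masquerade traffic behind whichever uplink it leaves through.
"$IPT" -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
"$IPT" -t nat -A POSTROUTING -o "$OPT_IF" -j MASQUERADE

# Per-connection spreading of new TCP connections across the two uplinks.
# Every packet first inherits the mark stored on its conntrack entry; packets
# that already carry a mark are done. New, still unmarked TCP connections are
# alternately given mark 1 or mark 2, and the mark is written back to the
# conntrack entry in POSTROUTING so all later packets of the connection carry
# it. The policy routing that acts on the marks (ip rule fwmark 1/2 -> separate
# tables) is not set up by this script.
"$IPT" -t mangle -A PREROUTING -j CONNMARK --restore-mark
"$IPT" -t mangle -A PREROUTING -m mark ! --mark 0 -j ACCEPT
# Every other new connection gets mark 1. MARK is non-terminating, so the
# packet continues to the next rule, which is why that rule re-checks mark 0.
"$IPT" -t mangle -A PREROUTING -p tcp -m conntrack --ctstate NEW -m mark --mark 0 \
  -m statistic --mode nth --every 2 --packet 0 -j MARK --set-mark 1
# Whatever is still unmarked gets mark 2. The original used a second
# `-m statistic --mode nth --every 2 --packet 1` here, but each statistic rule
# keeps its own counter and this rule only sees the half not marked above, so
# it marked only every second of those: a quarter of all connections stayed
# unmarked and were routed by the default table. Matching unconditionally gives
# the intended 50/50 split.
"$IPT" -t mangle -A PREROUTING -p tcp -m conntrack --ctstate NEW -m mark --mark 0 -j MARK --set-mark 2
"$IPT" -t mangle -A POSTROUTING -j CONNMARK --save-mark

# Do not connection-track SIP signalling (udp/5060). -A rather than -I: the
# raw table is flushed above, so the result is the same.
# NOTE(review): untracked packets never match ESTABLISHED/RELATED, so inbound
# SIP from an uplink towards the LAN is not covered by the FORWARD rules above
# and SIP replies to this host are not covered by the INPUT state rule. If SIP
# through or to this router is required, add explicit accepts for udp/5060.
"$IPT" -t raw -A PREROUTING -p udp --dport 5060 -j CT --notrack
"$IPT" -t raw -A OUTPUT     -p udp --sport 5060 -j CT --notrack

# Enable routing only after the complete ruleset is in place, so no packet is
# ever forwarded under a half-built policy.
echo 1 > /proc/sys/net/ipv4/ip_forward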