mbohun · December 27, 2012 02:28
diff --git a/gistfile1.sh b/gistfile1.sh
 #!/bin/sh
 #
 #
 IPT="/usr/local/sbin/iptables"

 SSH_HOSTS_ALLOWED="11.11.11.11/16 22.22.22.22/24 33.33.33.0/16 44.44.44.44/24 55.55.55.55/16"

 case "$1" in
        start)
                #/sbin/sysctl -w net.ipv4.ip_forward=1

                # flushing all rules
                ${IPT} -F
                ${IPT} -F -t nat
                ${IPT} -X

                # setting default filter policy
                ${IPT} -P INPUT   DROP
                ${IPT} -P OUTPUT  ACCEPT
                ${IPT} -P FORWARD DROP

                # allow unlimited traffic on loopback
                ${IPT} -A INPUT -i lo -j ACCEPT

                # allow local subnet 192.168.0.x connections (all = tcp & udp)
                ${IPT} -A INPUT -i eth0 -s 192.168.0.0/24 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
                ${IPT} -A INPUT -i eth1 -s 192.168.0.0/24 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

                # forward port 443 to 22 - so we can connect from a remote IP going out on port 443
                # if they block outgoing traffic on 22
                ${IPT} -t nat -A PREROUTING -p tcp -i eth0 --dport 443 -j REDIRECT --to-ports 22

                # 80 -> 8000
                ${IPT} -t nat -A PREROUTING -p tcp -i eth0 --dport 80 -j REDIRECT --to-ports 8000

                # allow incoming ssh from chosen IPs
                for s in $SSH_HOSTS_ALLOWED;
                do
                        ${IPT} -A INPUT -p tcp -i eth0 -s $s --dport 22 --syn -m state --state NEW -j ACCEPT
                        ${IPT} -A INPUT -p tcp -i eth0 -s $s --dport 443 --syn -m state --state NEW -j ACCEPT
                done

                # allow all packets ESTABLISHED,RELATED
                ${IPT} -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

                # allow ICMP ping (or would be bteer to restrict it to the local net?)
                ${IPT} -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

                ${IPT} -A INPUT -d 255.255.255.255/0.0.0.255 -j DROP
                ${IPT} -A INPUT -d 224.0.0.1 -j DROP

                ${IPT} -A INPUT -m limit --limit 5/min -j LOG #log is good/handy for 'debugging'
 #               ${IPT} -A INPUT -m limit --limit 5/min -j ULOG #log is good/handy for 'debugging'

                ${IPT} -A INPUT -j DROP #or REJECT/DROP
                ;;

        stop)
                #/sbin/sysctl -w net.ipv4.ip_forward=0

                # flushing all rules
                ${IPT} -F
                ${IPT} -F -t nat
                ${IPT} -X

                # setting default filter policy
                ${IPT} -P INPUT   ACCEPT
                ${IPT} -P OUTPUT  ACCEPT
                ${IPT} -P FORWARD ACCEPT
                ;;
        *)
                $0 start
                ;;
 esac

 exit 0
	#!/bin/sh
	#
	#
	IPT="/usr/local/sbin/iptables"

	SSH_HOSTS_ALLOWED="11.11.11.11/16 22.22.22.22/24 33.33.33.0/16 44.44.44.44/24 55.55.55.55/16"

	case "$1" in
	start)
	#/sbin/sysctl -w net.ipv4.ip_forward=1

	# flushing all rules
	${IPT} -F
	${IPT} -F -t nat
	${IPT} -X

	# setting default filter policy
	${IPT} -P INPUT DROP
	${IPT} -P OUTPUT ACCEPT
	${IPT} -P FORWARD DROP

	# allow unlimited traffic on loopback
	${IPT} -A INPUT -i lo -j ACCEPT

	# allow local subnet 192.168.0.x connections (all = tcp & udp)
	${IPT} -A INPUT -i eth0 -s 192.168.0.0/24 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
	${IPT} -A INPUT -i eth1 -s 192.168.0.0/24 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

	# forward port 443 to 22 - so we can connect from a remote IP going out on port 443
	# if they block outgoing traffic on 22
	${IPT} -t nat -A PREROUTING -p tcp -i eth0 --dport 443 -j REDIRECT --to-ports 22

	# 80 -> 8000
	${IPT} -t nat -A PREROUTING -p tcp -i eth0 --dport 80 -j REDIRECT --to-ports 8000

	# allow incoming ssh from chosen IPs
	for s in $SSH_HOSTS_ALLOWED;
	do
	${IPT} -A INPUT -p tcp -i eth0 -s $s --dport 22 --syn -m state --state NEW -j ACCEPT
	${IPT} -A INPUT -p tcp -i eth0 -s $s --dport 443 --syn -m state --state NEW -j ACCEPT
	done

	# allow all packets ESTABLISHED,RELATED
	${IPT} -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

	# allow ICMP ping (or would be bteer to restrict it to the local net?)
	${IPT} -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

	${IPT} -A INPUT -d 255.255.255.255/0.0.0.255 -j DROP
	${IPT} -A INPUT -d 224.0.0.1 -j DROP

	${IPT} -A INPUT -m limit --limit 5/min -j LOG #log is good/handy for 'debugging'
	# ${IPT} -A INPUT -m limit --limit 5/min -j ULOG #log is good/handy for 'debugging'

	${IPT} -A INPUT -j DROP #or REJECT/DROP
	;;

	stop)
	#/sbin/sysctl -w net.ipv4.ip_forward=0

	# flushing all rules
	${IPT} -F
	${IPT} -F -t nat
	${IPT} -X

	# setting default filter policy
	${IPT} -P INPUT ACCEPT
	${IPT} -P OUTPUT ACCEPT
	${IPT} -P FORWARD ACCEPT
	;;
	*)
	$0 start
	;;
	esac

	exit 0