Skip to content

Instantly share code, notes, and snippets.

@whoamiTM

whoamiTM/softether_bridge.fw

Last active October 6, 2018 19:45
Show Gist options
  • Save whoamiTM/b98772b692eedbf3bc2213af80907397 to your computer and use it in GitHub Desktop.
Save whoamiTM/b98772b692eedbf3bc2213af80907397 to your computer and use it in GitHub Desktop.
Download ZIP
v.4 & 6 Firewall Rules For SoftEther Bridge
Raw
softether_bridge.fw
#!/bin/bash
#
#######################################################################
# iptables rules
#######################################################################
#
# Flush current V4 polices
iptables -t nat -F
iptables -t mangle -F
iptables -F
iptables -X
# Set default chain policies
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P INPUT DROP
# Drop null packets
iptables -I INPUT -p tcp --tcp-flags ALL NONE -j DROP
# DROP syn-flood packets
iptables -I INPUT -p tcp ! --syn -m state --state NEW -j DROP
# DROP XMAS packets
iptables -I INPUT -p tcp --tcp-flags ALL ALL -j DROP
# Accept on localhost
iptables -A INPUT -i lo -j ACCEPT
# Accept on local network
iptables -A INPUT -s 192.168.0.1/24 -j ACCEPT
# Accept incoming SSH
# 55.55.55.55 = A public IP address you have access to...
iptables -A INPUT -p tcp -s 55.55.55.55 -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -s 192.168.0.1/24 -m tcp --dport 22 -j ACCEPT
# Accept incoming HTTPS for SoftEther (default)
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# Accept incoming OpenVPN
#iptables -A INPUT -p udp --dport 1194 -j ACCEPT
# Accept incoming IPsec
#iptables -A INPUT -p udp --dport 500 -j ACCEPT
#iptables -A INPUT -p udp --dport 4500 -j ACCEPT
# Allow established sessions to receive traffic
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# DHCP (dnsmasq)
iptables -A INPUT -i tap_soft -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -i tap_soft -p udp --dport 53 -j ACCEPT
iptables -A INPUT -i tap_soft -p tcp --dport 67 -j ACCEPT
iptables -A INPUT -i tap_soft -p udp --dport 67 -j ACCEPT
# NAT using Local Bridge
# 192.168.30.0/24 = Local Bridge & SoftEther VPN Clients (dnsmasq)
# 192.168.0.12 = SoftEther VPN Server's network interface (Local IP if behind NAT or Public IP of VPS)
iptables -t nat -A POSTROUTING -s 192.168.30.0/24 -j SNAT --to-source 192.168.0.12
##########################
# Save Changes
service iptables save
# Service
systemctl restart iptables
systemctl status iptables
#######################################################################
# ip6tables rules
#######################################################################
#
# Flush current V6 polices
ip6tables -t nat -F
ip6tables -t mangle -F
ip6tables -F
ip6tables -X
# Set default chain policies IPv6
ip6tables -P OUTPUT ACCEPT
ip6tables -P FORWARD ACCEPT
ip6tables -P INPUT DROP
# Drop null packets
ip6tables -I INPUT -p tcp --tcp-flags ALL NONE -j DROP
# DROP syn-flood packets
ip6tables -I INPUT -p tcp ! --syn -m state --state NEW -j DROP
# DROP XMAS packets
ip6tables -I INPUT -p tcp --tcp-flags ALL ALL -j DROP
# Accept local loopback
ip6tables -A INPUT -i lo -j ACCEPT
# Block remote packets claiming to be from a loopback address.
ip6tables -A INPUT -s ::1/128 ! -i lo -j DROP
# Chain for preventing SSH brute-force attacks.
# Permits 10 new connections within 5 minutes from a single host then drops
# incomming connections from that host. Beyond a burst of 100 connections we
# log at up 1 attempt per second to prevent filling of logs.
ip6tables -N SSHBRUTE
ip6tables -A SSHBRUTE -m recent --name SSH --set
ip6tables -A SSHBRUTE -m recent --name SSH --update --seconds 300 --hitcount 10 -m limit --limit 1/second --limit-burst 100 -j LOG --log-prefix "ip6tables[SSH-brute]: "
ip6tables -A SSHBRUTE -m recent --name SSH --update --seconds 300 --hitcount 10 -j DROP
ip6tables -A SSHBRUTE -j ACCEPT
# Chain for preventing ping flooding - up to 6 pings per second from a single
# source, again with log limiting. Also prevents us from ICMP REPLY flooding
# some victim when replying to ICMP ECHO from a spoofed source.
ip6tables -N ICMPFLOOD
ip6tables -A ICMPFLOOD -m recent --set --name ICMP --rsource
ip6tables -A ICMPFLOOD -m recent --update --seconds 1 --hitcount 6 --name ICMP --rsource --rttl -m limit --limit 1/sec --limit-burst 1 -j LOG --log-prefix "ip6tables[ICMP-flood]: "
ip6tables -A ICMPFLOOD -m recent --update --seconds 1 --hitcount 6 --name ICMP --rsource --rttl -j DROP
ip6tables -A ICMPFLOOD -j ACCEPT
# Permit needed ICMP packet types for IPv6 per RFC 4890.
ip6tables -A INPUT -p ipv6-icmp --icmpv6-type 1 -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp --icmpv6-type 2 -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp --icmpv6-type 3 -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp --icmpv6-type 4 -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp --icmpv6-type 133 -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp --icmpv6-type 134 -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp --icmpv6-type 135 -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp --icmpv6-type 136 -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp --icmpv6-type 137 -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp --icmpv6-type 141 -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp --icmpv6-type 142 -j ACCEPT
ip6tables -A INPUT -s fe80::/10 -p ipv6-icmp --icmpv6-type 130 -j ACCEPT
ip6tables -A INPUT -s fe80::/10 -p ipv6-icmp --icmpv6-type 131 -j ACCEPT
ip6tables -A INPUT -s fe80::/10 -p ipv6-icmp --icmpv6-type 132 -j ACCEPT
ip6tables -A INPUT -s fe80::/10 -p ipv6-icmp --icmpv6-type 143 -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp --icmpv6-type 148 -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp --icmpv6-type 149 -j ACCEPT
ip6tables -A INPUT -s fe80::/10 -p ipv6-icmp --icmpv6-type 151 -j ACCEPT
ip6tables -A INPUT -s fe80::/10 -p ipv6-icmp --icmpv6-type 152 -j ACCEPT
ip6tables -A INPUT -s fe80::/10 -p ipv6-icmp --icmpv6-type 153 -j ACCEPT
# Permit IMCP echo requests (ping) and use ICMPFLOOD chain for preventing ping
# flooding.
ip6tables -A INPUT -p ipv6-icmp --icmpv6-type 128 -j ICMPFLOOD
# Allow link local addresses
ip6tables -A INPUT -s fe80::/10 -j ACCEPT
# Allow incoming SSH
# 2603:9001:3C8A:101::/56 = IPv6 subnet you have access to...
ip6tables -A INPUT -p tcp -s 2603:9001:3C8A:101::/56 -m tcp --dport 22 -j ACCEPT
ip6tables -A INPUT -p tcp --dport 22 --syn -m conntrack --ctstate NEW -j SSHBRUTE
# Allow incoming HTTPS for SoftEther (default)
ip6tables -A INPUT -p tcp --dport 443 -j ACCEPT
# Allow incoming OpenVPN (optional)
#ip6tables -A INPUT -p udp --dport 1194 -j ACCEPT
# Allow DHCP (dnsmasq)
ip6tables -A INPUT -i tap_soft -p tcp --dport 53 -j ACCEPT
ip6tables -A INPUT -i tap_soft -p udp --dport 53 -j ACCEPT
# Allow established sessions to receive traffic
ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Forwarding rules for IPv6
ip6tables -A FORWARD -m state --state NEW -i tap_soft -o eht0 -j ACCEPT
ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Drop non-conforming packets, such as malformed headers, etc.
ip6tables -A INPUT -m conntrack --ctstate INVALID -j DROP
# NAT using Local Bridge
# fc00:0000:2ac:7af1::/64 = Local Bridge & SoftEther VPN Clients (dnsmasq)
# 2603:9001:3c8a:101:596a:2ebc:472:7be6 = SoftEther VPN Server's network interface Global Unicast
ip6tables -t nat -A POSTROUTING -s fc00:0000:2ac:7af1::/64 -j SNAT --to-source 2603:9001:3c8a:101:596a:2ebc:472:7be6
###########################
# Save Changes
service ip6tables save
# Service
systemctl restart ip6tables
systemctl status ip6tables
#######################################################################
# End of rules
#######################################################################
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment