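#!/bin/bash
#
# iptables.bash - IPv4 NAT router and port-forward firewall for a small LAN.
#
# Topology (edit the INTERFACES / MACHINES sections below):
#   $external - WAN side, masqueraded
#   $internal - LAN side ($lan_net), trusted
#
# What it does, in order:
#   * flushes filter/nat/mangle and rebuilds them from scratch
#   * masquerades LAN traffic leaving $external, plus "NAT loopback" so LAN
#     clients can reach forwarded services through the router's external IP
#   * marks a few interactive/streaming TCP ports with TOS Minimize-Delay
#   * DNATs a fixed list of services to hosts on the LAN
#   * finishes with default-deny INPUT/FORWARD policies
#
# Must run as root. Only the *running* ruleset is changed (nothing is
# persisted across a reboot) and only IPv4 is handled: ip6tables is not
# touched, so a router with a global IPv6 address needs a separate ruleset.
set -euo pipefail
PATH=/usr/sbin:/sbin:/bin:/usr/bin

die() { printf 'iptables.bash: %s\n' "$*" >&2; exit 1; }

#### INTERFACES ####
external=eth1
internal=eth0
lan_net=10.0.0.0/8
####################

#### MACHINES ####
dt03=10.0.0.20
web=10.0.0.17
# shellcheck disable=SC2034  # referenced by the commented-out BitTorrent forward
server02=10.0.0.5
##################

#### PROTOCOLS ####
ssh=22
http=80
https=443
####################

#######################################
# Print the first IPv4 address configured on an interface (empty if none).
# Uses iproute2: ifconfig's "inet addr:" layout changed between net-tools
# versions, which silently broke the old grep/awk parse and left the
# external-IP rules without a destination.
# Arguments: $1 - interface name
#######################################
iface_ipv4() {
  ip -4 -o addr show dev "$1" | awk '{ sub(/\/.*/, "", $4); print $4; exit }'
}

#######################################
# Mark both directions of a TCP port with TOS Minimize-Delay.
# This is a QoS hint only; it has no filtering effect.
# Arguments: $1 - TCP port
#######################################
prioritize_tcp_port() {
  iptables -t mangle -A PREROUTING -p tcp --sport "$1" -j TOS --set-tos Minimize-Delay
  iptables -t mangle -A PREROUTING -p tcp --dport "$1" -j TOS --set-tos Minimize-Delay
}

#######################################
# DNAT a port (or "low:high" range) arriving from the WAN to a LAN host and
# let that connection through FORWARD. DNATed packets never traverse INPUT,
# so a forwarded service needs no INPUT rule on the router.
# Arguments: $1 - tcp|udp
#            $2 - destination port or port range
#            $3 - LAN target address
#            $4 - "hairpin" to also redirect LAN clients that connect to the
#                 external IP (NAT loopback); omit for WAN-only
#######################################
forward_port() {
  local proto=$1 dport=$2 target=$3 hairpin=${4:-}
  iptables -t nat -A PREROUTING -i "$external" -p "$proto" --dport "$dport" \
    -j DNAT --to-destination "$target"
  if [[ "$hairpin" == hairpin ]]; then
    # No -i: matches the LAN side (and, redundantly, the WAN side).
    iptables -t nat -A PREROUTING -d "$external_IP" -p "$proto" --dport "$dport" \
      -j DNAT --to-destination "$target"
  fi
  # Only the WAN side needs an explicit allow; anything entering on $internal
  # is already forwarded (see the FORWARD section).
  iptables -A FORWARD -i "$external" -o "$internal" -d "$target" -p "$proto" --dport "$dport" \
    -m conntrack --ctstate NEW -j ACCEPT
}

#### SANITY CHECKS (before any rule is touched) ####
[[ $EUID -eq 0 ]] || die "must run as root"
external_IP=$(iface_ipv4 "$external")
internal_IP=$(iface_ipv4 "$internal")
[[ -n "$external_IP" ]] || die "no IPv4 address on $external"
[[ -n "$internal_IP" ]] || die "no IPv4 address on $internal"

#### RESET ####
# Flush and delete user chains in every table. Policies are deliberately
# left alone here and set at the very end: if a rule fails part-way through
# (set -e aborts), the previous policy stays in place instead of leaving the
# box locked down half-configured.
for table in filter nat mangle; do
  iptables -t "$table" -F
  iptables -t "$table" -X
done

#### INPUT: traffic addressed to the router itself ####
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# The LAN is trusted: it may open any connection to the router.
iptables -A INPUT -i "$internal" -m conntrack --ctstate NEW -j ACCEPT
# Nothing else reaches the router from the WAN (not even ICMP echo); add a
# rule here if the router itself must answer on some port.

#### FORWARD: traffic routed between the interfaces ####
iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# LAN may go anywhere: out to the WAN, and back into the LAN for NAT loopback.
iptables -A FORWARD -i "$internal" -j ACCEPT
# WAN -> LAN is opened only per forwarded service by forward_port below.

#### NAT ####
iptables -t nat -A POSTROUTING -o "$external" -j MASQUERADE
# NAT loopback: a LAN client that hits a forwarded service via $external_IP is
# DNATed back into the LAN. Its source must be rewritten too, otherwise the
# server replies straight to the client with an unexpected source address and
# the connection fails. Limited to DNATed connections, any protocol (the old
# rule matched only TCP, so UDP loopback could never work).
iptables -t nat -A POSTROUTING -s "$lan_net" -d "$lan_net" \
  -m conntrack --ctstate DNAT -j MASQUERADE
# Enable routing for this boot only (persist via sysctl net.ipv4.ip_forward).
echo 1 > /proc/sys/net/ipv4/ip_forward

#### QoS ####
prioritize_tcp_port 4070       # Sonos <-> Spotify
prioritize_tcp_port "$http"    # web traffic (Sonos uses this as well)
prioritize_tcp_port "$https"
prioritize_tcp_port "$ssh"

#### PORT FORWARDS ####
forward_port tcp "$http"  "$web"  hairpin
forward_port tcp "$https" "$web"  hairpin
# Exposes dt03's sshd to the whole internet; keep it key-only and patched.
forward_port tcp "$ssh"   "$dt03" hairpin
# mosh is UDP on both sides (the old loopback rule matched TCP by mistake).
forward_port udp 60000:61000 "$dt03" hairpin
# BitTorrent
#forward_port tcp 64795 "$server02"
# Counter-Strike server
forward_port udp 1200        "$dt03"
forward_port tcp 1200        "$dt03"
forward_port udp 27000:27015 "$dt03"
forward_port tcp 27000:27015 "$dt03"
forward_port udp 27020:27039 "$dt03"
forward_port tcp 27020:27039 "$dt03"

#### DEFAULT POLICIES (last on purpose, see RESET) ####
# Without these every ACCEPT above is meaningless: the kernel default policy
# is ACCEPT, so the WAN could reach any port on the router and, through
# FORWARD, any LAN host.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# -----------------------------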