INET_IP="**"
INET_IFACE="ppp0"
INET_IN_IP="**"
#
# 1.2 Local Area Network configuration.
#
# your LAN's IP range and localhost IP. /24 means to only use the first 24
# bits of the 32 bit IP address. the same as netmask 255.255.255.0
#
LAN_IP="192.168.100.253"
LAN_IP_RANGE="192.168.0.0/16"
LAN_IFACE="eth0"
#
# 1.4 Localhost Configuration.
#
LO_IFACE="lo"
LO_IP="127.0.0.1"
#Users
#ADMIN="192.168.100.248"
#
# 1.5 IPTables Configuration.
#
IPTABLES="/sbin/iptables"
#
# 1.6 Other Configuration.
#
# Setup routing ...
echo "setup routing ..."
###########################################################################
#
# 2. Module loading.
#
#
# Needed to initially load modules
#
echo "probing modules ..."
/sbin/depmod -a
#
# 2.1 Required modules
#
#/sbin/modprobe ip_nat_pptp
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ppp_mppe
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_gre
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state
#
# 3. /proc set up.
#
#
# 3.1 Required proc configuration
#
echo "1" > /proc/sys/net/ipv4/ip_forward
###########################################################################
#
# 4. rules set up.
#
######
# 4.1 Filter table
#
#
# Set policies
#
echo "clear standart chains ..."
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
$IPTABLES -t nat -F
echo "clear user chains ..."
$IPTABLES -F bad_tcp_packets
$IPTABLES -F local_in
$IPTABLES -F local_out
$IPTABLES -F inet_in
$IPTABLES -F inet_out
$IPTABLES -X
echo "Set policies ..."
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
#
# Create chain for bad tcp packets
#
echo "Create chains ..."
$IPTABLES -N bad_tcp_packets
#
# Create chains for interfaces
#
$IPTABLES -N local_in
$IPTABLES -N local_out
$IPTABLES -N inet_in
$IPTABLES -N inet_out
#
# Rules for INPUT chain
#
echo "Setup INPUT ..."
$IPTABLES -A INPUT -p UDP -s 0/0 --sport 53 -j ACCEPT # DNS
$IPTABLES -A INPUT -p UDP -s 0/0 --dport 53 -j ACCEPT # DNS
$IPTABLES -A INPUT -p TCP -s $LAN_IP_RANGE --sport 53 -j ACCEPT # DNS
#allow HTTP from localNet to Local iGate http-server
$IPTABLES -A INPUT -p TCP -s $LO_IP --dport 80 -j ACCEPT
#Allow ssh from Lan
$IPTABLES -A INPUT -p TCP -s $LAN_IP_RANGE --dport 2222 -j ACCEPT
#Allow ftp from Lan
$IPTABLES -A INPUT -p TCP -s $LAN_IP_RANGE --dport 21 -j ACCEPT
$IPTABLES -A INPUT -p TCP -s $LAN_IP_RANGE --dport 20 -j ACCEPT
$IPTABLES -A INPUT -p TCP -s $LAN_IP_RANGE --dport 2021 -j ACCEPT
#Torrent
$IPTABLES -A INPUT -p TCP -s 0/0 --dport 35691 -j ACCEPT
#Allow VNC
$IPTABLES -A INPUT -p TCP -s 0/0 --dport 5900 -j ACCEPT
#Allow Webmin
$IPTABLES -A INPUT -p TCP -s 0/0 --dport 10000 -j ACCEPT
# Allow ICMP packets to iGate
$IPTABLES -A INPUT -p ICMP -s 0/0 --icmp-type 0 -j ACCEPT #
??
$IPTABLES -A INPUT -p ICMP -s 0/0 --icmp-type 3 -j ACCEPT # Dest unreachable
$IPTABLES -A INPUT -p ICMP -s 0/0 --icmp-type 5 -j ACCEPT # Redirect
$IPTABLES -A INPUT -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT # Ping
$IPTABLES -A INPUT -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT # Time exceeded
$IPTABLES -A INPUT -p ICMP -s 0/0 --icmp-type 12 -j ACCEPT # Parameter problem
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -j ACCEPT
$IPTABLES -A INPUT -p tcp -j bad_tcp_packets
$IPTABLES -A INPUT -p ALL -i $INET_IFACE -j inet_in
$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -j local_in
$IPTABLES -A INPUT -p ALL -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level INFO --log-prefix "IN DROP: "
#
# Rules for OUTPUT chain
#
echo "Setup OUTPUT ..."
$IPTABLES -A OUTPUT -p TCP --dport 5900 -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -o $LO_IFACE -j ACCEPT
$IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets
$IPTABLES -A OUTPUT -p TCP -d $LAN_IP_RANGE --sport 3128 -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -o $LAN_IFACE -j local_out
$IPTABLES -A OUTPUT -p ALL -o $INET_IFACE -j inet_out
$IPTABLES -A OUTPUT -p ALL -o eth2 -j inet_out
$IPTABLES -A OUTPUT -p TCP -o $INET_IFACE --sport 2222 -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level INFO --log-prefix "OUT DROP: "
# Rules for FORWARD chain
echo "Setup FORWARD ..."
# for all
$IPTABLES -A FORWARD -p tcp -j bad_tcp_packets
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# Allow ICMP
#
$IPTABLES -A FORWARD -p ICMP -s $LAN_IP_RANGE --icmp-type 0 -j ACCEPT #
??
$IPTABLES -A FORWARD -p ICMP -s $LAN_IP_RANGE --icmp-type 3 -j ACCEPT # Dest unreachable
$IPTABLES -A FORWARD -p ICMP -s $LAN_IP_RANGE --icmp-type 5 -j ACCEPT # Redirect
$IPTABLES -A FORWARD -p ICMP -s $LAN_IP_RANGE --icmp-type 8 -j ACCEPT # Ping
$IPTABLES -A FORWARD -p ICMP -s $LAN_IP_RANGE --icmp-type 11 -j ACCEPT # Time exceeded
$IPTABLES -A FORWARD -p ICMP -s $LAN_IP_RANGE --icmp-type 12 -j ACCEPT # Parameter problem
#
# Allow SSH
#
$IPTABLES -A FORWARD -p TCP -s $LAN_IP_RANGE --dport 2222 -j ACCEPT #
??
# Allow FTP
$IPTABLES -A FORWARD -p TCP -s $LAN_IP_RANGE --dport 21 -j ACCEPT
$IPTABLES -A FORWARD -p TCP -s $LAN_IP_RANGE --dport 20 -j ACCEPT
$IPTABLES -A FORWARD -p TCP -s $LAN_IP_RANGE --dport 2021 -j ACCEPT
#
# new connections from local net
#
#allow http
$IPTABLES -A FORWARD -p TCP --dport 80 -s $LAN_IP_RANGE -j ACCEPT
$IPTABLES -A FORWARD -p TCP --dport 8080 -s $LAN_IP_RANGE -j ACCEPT
$IPTABLES -A FORWARD -p TCP -s $LAN_IP_RANGE --dport 3128 -j ACCEPT
#allow ftp
$IPTABLES -A FORWARD -p TCP --dport 21 -s $LAN_IP_RANGE -j ACCEPT
$IPTABLES -A FORWARD -p TCP --dport 20 -s $LAN_IP_RANGE -j ACCEPT
$IPTABLES -A FORWARD -p TCP --dport 2021 -s $LAN_IP_RANGE -j ACCEPT
#allow ftp
#allow ftp
$IPTABLES -A FORWARD -p TCP --dport 9102 -s $LAN_IP_RANGE -j ACCEPT
#allow yahoo
$IPTABLES -A FORWARD -p TCP --dport 5050 -s $LAN_IP_RANGE -j ACCEPT
#allow webmin
$IPTABLES -A FORWARD -p TCP -s $LAN_IP_RANGE --dport 10000 -j ACCEPT
#allow asad cPanel
$IPTABLES -A FORWARD -p TCP -s $LAN_IP_RANGE --dport 2082 -j ACCEPT
$IPTABLES -A FORWARD -p TCP -s $LAN_IP_RANGE --dport 2078 -j ACCEPT
#allow VNC
$IPTABLES -A FORWARD -p TCP -s $LAN_IP_RANGE --dport 5900 -j ACCEPT
# Allow DNS
$IPTABLES -A FORWARD -p TCP --dport 53 -s $LAN_IP_RANGE -j ACCEPT
$IPTABLES -A FORWARD -p UDP --sport 53 -s $LAN_IP_RANGE -j ACCEPT
# Allow ICQ
$IPTABLES -A FORWARD -p TCP --dport 5190 -s $LAN_IP_RANGE -j ACCEPT
# Allow mail request
$IPTABLES -A FORWARD -p TCP --dport 110 -s $LAN_IP_RANGE -j ACCEPT
$IPTABLES -A FORWARD -p TCP --dport 995 -s $LAN_IP_RANGE -j ACCEPT
# Allow mail send
$IPTABLES -A FORWARD -p TCP --dport 25 -s $LAN_IP_RANGE -j ACCEPT
$IPTABLES -A FORWARD -p TCP --dport 465 -s $LAN_IP_RANGE -j ACCEPT
# Allow Skype
$IPTABLES -A FORWARD -p TCP --dport 443 -s $LAN_IP_RANGE -j ACCEPT
$IPTABLES -A FORWARD -p UDP --sport 1025:65535 -s $LAN_IP_RANGE -j ACCEPT
#Allow VNC
$IPTABLES -A FORWARD -p TCP --dport 5900 -i $INET_IFACE -j ACCEPT
#Allow Hamachi
$IPTABLES -A FORWARD -p TCP --dport 12975 -s $LAN_IP_RANGE -j ACCEPT
#Allow Terminal
$IPTABLES -A FORWARD -p TCP --dport 3389 -s $LAN_IP_RANGE -j ACCEPT
$IPTABLES -A FORWARD -p TCP -s $INET_IN_IP -d 192.168.100.1 --dport 3389 -j ACCEPT
$IPTABLES -A FORWARD -p ALL -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level INFO --log-prefix "FWD DROP: "
#Allow ClientBank
$IPTABLES -A FORWARD -p ALL -j DROP
# Rules for PREROUTING
echo "Setup PREROUTING ..."
#Only SQUID
#$IPTABLES -t nat -A PREROUTING -s $LAN_IP_RANGE -p TCP --dport 80 -j REDIRECT --to-ports 3128
#$IPTABLES -t nat -A PREROUTING -i eth0 -p tcp -d ! 192.168.0.0/24 --dport 80 -j REDIRECT --to-ports 3128
#$IPTABLES -t nat -A PREROUTING -i eth0 -p tcp -d ! 192.168.0.0/24 --dport 8080 -j REDIRECT --to-ports 3128
#$IPTABLES -t nat -A PREROUTING -i eth0 -p tcp -d ! 192.168.0.0/24 --dport 10000 -j REDIRECT --to-ports 3128
$IPTABLES -t nat -A PREROUTING -i eth0 -p tcp -d ! 192.168.0.0/16 -m multiport --dport 80,8080,10000 -j REDIRECT --to-ports 3128
#$IPTABLES -t nat -A PREROUTING -s $LAN_IP_RANGE -p TCP --dport 8080 -j REDIRECT --to-ports 3128
#$IPTABLES -t nat -A PREROUTING -s $LAN_IP_RANGE -p TCP --dport 10000 -j REDIRECT --to-ports 3128
$IPTABLES -t nat -A PREROUTING -p tcp -s $INET_IN_IP -d $INET_IP --dport 3389 -j DNAT --to-destination 192.168.100.1:3389
# Rules for POSTROUTING
echo "Setup POSTROUTING ..."
$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -s ! $INET_IP -j SNAT --to-source $INET_IP
#$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -o eth1 -j MASQUERADE
#
# local_in
#
echo "Setup local_in ..."
$IPTABLES -A local_in -p TCP -s 0/0 --dport 139 -j ACCEPT
$IPTABLES -A local_in -p UDP --dport 136:138 -j ACCEPT
$IPTABLES -A local_in -p TCP --sport 5900 -j ACCEPT
# inet only throught squid
$IPTABLES -A local_in -p TCP -s $LAN_IP_RANGE -d $LAN_IP --dport 3128 -j ACCEPT
# Access to SSH from local net
$IPTABLES -A local_in -p TCP -s 0/0 --dport 2222 -j ACCEPT
$IPTABLES -A local_in -p TCP -s 0/0 --dport 80 -j ACCEPT
# time syncronization
$IPTABLES -A local_in -p UDP -s $LAN_IP_RANGE --dport 123 -j ACCEPT
$IPTABLES -A local_in -p TCP -s $LAN_IP_RANGE --dport 445 -j ACCEPT
# Drop all other packets
$IPTABLES -A local_in -p ALL -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level INFO --log-prefix "local_in DROP: "
$IPTABLES -A local_in -p ALL -j DROP
#
# local_out
#
echo "Setup local_out ..."
$IPTABLES -A local_out -j ACCEPT
#
# inet_in
#
echo "Setup inet_in ..."
$IPTABLES -A inet_in -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A inet_in -p TCP --dport 2222 -j ACCEPT
$IPTABLES -A inet_in -p TCP --dport 80 -j ACCEPT
$IPTABLES -A inet_in -p UDP --sport 123 -j ACCEPT
$IPTABLES -A inet_in -p ALL -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level INFO --log-prefix "inet_in DROP: "
$IPTABLES -A inet_in -p ALL -j DROP
#
# inet_out
#
echo "Setup inet_out ..."
$IPTABLES -A inet_out -p ALL -j ACCEPT
#
# bad_tcp_packets chain
#
echo "Setup bad_tcp_packets ..."
$IPTABLES -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK \
-m state --state NEW -j REJECT --reject-with tcp-reset
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
--log-prefix "New not syn:"
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP