# Iptables - базовый конфиг роутера (basic router firewall config)
  2.  
  3. #!/bin/bash
  4.  
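fw_setup () {
    # Network parameters shared by every other fw_* function. They are
    # deliberately assigned without `local`: the other functions read them
    # as globals after fw_config calls this first.
    lan_range="192.168.100.0/24";
    lan_ip="192.168.100.1/24";   # not referenced by any rule below; kept for callers
    lan_int="enp0s3";
    wan_int="enp0s8";
    # Upstream resolver the router itself is allowed to query; fw_services
    # builds the OUTPUT port-53 rule from it. As pasted, the script read
    # $dns_ip without ever assigning it, so that rule was never installed and
    # the router had no working DNS under the OUTPUT DROP policy. Taken from
    # the environment so it can be set without editing the file.
    # TODO(review): put the resolver address here (or export DNS_IP).
    dns_ip="${DNS_IP:-}";
}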
fw_clean () {
    # Empty the filter, nat and mangle tables (-F) and delete every
    # user-defined chain in them (-X) so the ruleset is rebuilt from scratch.
    # Default policies are left alone here; fw_policy sets them afterwards.
    local table
    for table in filter nat mangle; do
        iptables -t "$table" -F;
        iptables -t "$table" -X;
    done
    echo "Rules flushed...";
}
fw_policy () {
    # Default-deny on the three built-in filter chains: anything that is not
    # explicitly accepted by a later rule falls through to the logging
    # catch-all chains and is dropped.
    # NOTE(review): IPv4 only — this script never touches ip6tables.
    local chain
    for chain in INPUT FORWARD OUTPUT; do
        iptables -P "$chain" DROP;
    done
    echo "Set default Policy...";
}
fw_loopback () {
    # The loopback interface is trusted unconditionally in both directions
    # (local daemons talking to each other over 127.0.0.1).
    local chain iface_flag
    for chain in INPUT OUTPUT; do
        iface_flag="-i";
        [[ "$chain" == "OUTPUT" ]] && iface_flag="-o";
        iptables -A "$chain" "$iface_flag" lo -j ACCEPT;
    done
}
fw_sesions () {
    # Stateful shortcut: packets belonging to (or related to) a connection
    # conntrack already tracks are accepted on INPUT and OUTPUT, so the
    # per-service rules only ever have to deal with NEW packets.
    # (Function name spelling is kept: fw_config calls it by this name.)
    local chain
    for chain in INPUT OUTPUT; do
        iptables -A "$chain" -p all -m state --state ESTABLISHED,RELATED -j ACCEPT;
    done
}
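fw_attack () {
    # Drop malformed and scan-style TCP before any service rule can match.
    # None of this is flood protection: a real SYN flood is handled by SYN
    # cookies or -m limit, not by these rules.
    #
    # Packets conntrack cannot classify (bad sequence numbers, stray replies,
    # unreassemblable fragments). Dropped on FORWARD too so LAN hosts cannot
    # relay them out through the router.
    iptables -A INPUT   -m state --state INVALID -j DROP;
    iptables -A FORWARD -m state --state INVALID -j DROP;
    # NULL scan: no TCP flags set at all.
    iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP;
    # XMAS scan: every TCP flag set.
    iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP;
    # A NEW connection must begin with a bare SYN; anything else that
    # conntrack sees as new (ACK scans, mid-stream packets after a table
    # flush) is dropped. The pasted script labelled this "syn-flood"
    # protection, which it is not.
    iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP;
}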
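fw_forwarding () {
    # Routing between LAN and WAN. The kernel must be allowed to forward at
    # all — the FORWARD rules and the DNAT in fw_port_forward are inert
    # otherwise. Setting it here is idempotent, so it is harmless if
    # sysctl.conf already enables it.
    sysctl -w net.ipv4.ip_forward=1 >/dev/null \
        || echo "WARNING: could not enable net.ipv4.ip_forward; nothing will be routed" >&2;
    # New connections from the LAN to the internet. Matching the LAN subnet
    # as well as the LAN interface stops a host on $lan_int from forwarding
    # packets with a forged source: fw_nat only masquerades $lan_range, so
    # such packets would otherwise leave the WAN side un-NATed.
    iptables -A FORWARD -s "$lan_range" -i "$lan_int" -o "$wan_int" -j ACCEPT;
    # Return traffic of known connections in either direction (this is also
    # what carries the replies of the DNATed SSH session).
    iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT;
}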
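fw_nat () {
    # Source-NAT the LAN subnet behind the WAN address (192.168.100.0/24 -> Ext_IP).
    # Pinned to -o $wan_int so only traffic leaving towards the internet is
    # rewritten; without the interface match any LAN-sourced packet leaving
    # any interface (hairpinned DNAT, interfaces added later) would be
    # masqueraded as well.
    # MASQUERADE re-reads the interface address per packet, which suits a
    # DHCP-assigned WAN address; SNAT --to is cheaper if the address is static.
    iptables -t nat -A POSTROUTING -s "$lan_range" -o "$wan_int" -j MASQUERADE;
}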
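fw_port_forward () {
    # Expose the SSH daemon of one LAN host on a WAN port. Target host and
    # ports can be overridden from the environment; the defaults are the
    # values the pasted script hard-coded.
    local target="${FWD_SSH_HOST:-192.168.100.2}";
    local ext_port="${FWD_SSH_EXT_PORT:-2222}";
    local int_port="${FWD_SSH_INT_PORT:-22}";
    # Rewrite the destination of packets arriving on the WAN side only.
    iptables -t nat -A PREROUTING -i "$wan_int" -p tcp --dport "$ext_port" \
        -j DNAT --to-destination "${target}:${int_port}";
    # Let the rewritten packets through FORWARD. Bound to -i $wan_int so the
    # rule covers exactly the DNATed path and nothing else.
    # NOTE(review): this opens the LAN host's SSH to every WAN source; add a
    # -s <admin range> to both rules if that is not intended.
    iptables -A FORWARD -i "$wan_int" -p tcp -d "$target" --dport "$int_port" \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT;
}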
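fw_services () {
    #
    ###### INCOMING ######
    #
    # SSH to the router: LAN hosts only. Matching the interface as well as
    # the source stops a WAN packet with a forged 192.168.100.x source from
    # reaching the daemon.
    iptables -A INPUT -i "$lan_int" -s "$lan_range" -p tcp --dport 22 -j ACCEPT;
    # HTTP / HTTPS served by the router itself, reachable on every interface
    # including WAN. NOTE(review): if this is a management UI rather than a
    # public site, add -i "$lan_int" to both rules.
    iptables -A INPUT -p tcp --dport 80 -j ACCEPT;
    iptables -A INPUT -p tcp --dport 443 -j ACCEPT;
    # ICMP (ping, path-MTU, unreachables). Unrestricted; add -m limit if
    # ping floods are a concern.
    iptables -A INPUT -p icmp -j ACCEPT;
    #
    # The pasted script also accepted INPUT tcp/2222 "for port-forwarding".
    # That rule is unnecessary: fw_port_forward rewrites the destination in
    # PREROUTING, so those packets traverse FORWARD, never INPUT, and nothing
    # on the router listens on 2222. It is therefore omitted here.
    #
    ###### OUTGOING ######
    #
    # DHCP client on the WAN side. NOTE(review): most Linux DHCP clients use
    # raw sockets that bypass netfilter; if yours does not, the replies
    # (udp 67 -> 68) will also need an INPUT rule — confirm on the target box.
    iptables -A OUTPUT -o "$wan_int" -p udp --sport 68 --dport 67 -j ACCEPT;
    #
    # DNS from the router itself to its configured resolver, UDP and TCP
    # (TCP is the fallback for truncated responses). As pasted, $dns_ip was
    # never assigned; an empty value produced `-d -p udp ...`, which iptables
    # rejects, so no DNS rule existed at all. Warn loudly instead of failing
    # silently.
    if [[ -n "${dns_ip:-}" ]]; then
        iptables -A OUTPUT -d "$dns_ip" -p udp --dport 53 -j ACCEPT;
        iptables -A OUTPUT -d "$dns_ip" -p tcp --dport 53 -j ACCEPT;
    else
        echo "WARNING: dns_ip is not set; no outbound DNS rule installed (set it in fw_setup)" >&2;
    fi
    # ICMP
    iptables -A OUTPUT -p icmp -j ACCEPT;
    # System updates / web access from the router itself
    iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT;
    iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT;
    #
    echo "All services configured...";
}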
fw_undefined () {
    # Catch-all chains appended last to each built-in chain: anything that
    # fell through every ACCEPT above lands here, where fw_logging logs and
    # drops it (this gives the default-DROP policy a log trail).
    local chain target
    for chain in INPUT FORWARD OUTPUT; do
        case "$chain" in
            INPUT)   target="undef_in" ;;
            FORWARD) target="undef_fw" ;;
            OUTPUT)  target="undef_out" ;;
        esac
        iptables -N "$target";
        iptables -A "$chain" -j "$target";
    done
}
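fw_logging () {
    # Log-then-drop tails for the catch-all chains. The LOG rule is rate
    # limited: without -m limit a port scan or a deliberate flood can fill
    # the router's log as fast as it sends packets, which is a denial of
    # service in its own right. The DROP after it is unconditional, so the
    # filtering result is unchanged; only the volume of log lines is capped.
    # Level 7 (debug) keeps these lines off the console by default.
    local chain prefix
    for chain in undef_in undef_fw undef_out; do
        case "$chain" in
            undef_in)  prefix="Iptables: DROP INPUT " ;;
            undef_fw)  prefix="Iptables: DROP FORWARD " ;;
            undef_out) prefix="Iptables: DROP OUTPUT " ;;
        esac
        iptables -A "$chain" -m limit --limit 5/min --limit-burst 10 \
            -j LOG --log-level 7 --log-prefix "$prefix";
        iptables -A "$chain" -j DROP;
    done
}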
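fw_save_rules () {
    # Persist the running ruleset across reboots via the RHEL/CentOS
    # iptables-services helper. The pasted script printed "New rules saved"
    # unconditionally, even when /sbin/service was missing or the save
    # failed, so an active-but-unsaved ruleset looked saved. Report the
    # failure and return non-zero instead.
    # NOTE(review): on Debian-style hosts use `iptables-save > /etc/iptables/rules.v4`
    # or `netfilter-persistent save`.
    if /sbin/service iptables save; then
        echo "New rules saved";
    else
        echo "WARNING: '/sbin/service iptables save' failed; ruleset is active but NOT persisted" >&2;
        return 1;
    fi
}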
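fw_config () {
    # Build the whole ruleset. Order matters: flush, default-DROP policies,
    # loopback and established traffic, attack filters, forwarding + NAT,
    # port-forward, services, then the logging catch-alls, then persist.
    #
    # Every iptables call needs CAP_NET_ADMIN; as pasted, an unprivileged
    # run failed every call and still printed "END". Refuse up front.
    if [[ "${EUID:-$(id -u)}" -ne 0 ]]; then
        echo "fw_config: must be run as root" >&2;
        return 1;
    fi
    # NOTE(review): policies switch to DROP before any accept rule exists, so
    # an interruption between fw_policy and fw_services leaves the box
    # reachable only from the console. IPv6 (ip6tables) is not configured.
    echo "Config started"
    fw_setup;
    fw_clean;
    fw_policy;
    fw_loopback;
    fw_sesions;
    fw_attack;
    fw_forwarding;
    fw_nat;
    fw_port_forward;
    fw_services;
    fw_undefined;
    fw_logging;
    fw_save_rules;
    echo "END";
}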
  122. fw_config
  123.  
  124. exit 0