Firewall - CVP

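#!/bin/sh
# Firewall for the CVP host.
#
# Interface roles, as noted by the original author (not verified here):
#   eth0  outside, carries the default gateway
#   eth1  second outside link from "3" (.91)
#   eth2  old TDC outside link
#   eth3  inside (LAN)
# The IP0..IP3 variables appear to be the addresses of eth0..eth3 (IP1
# matches the ".91" noted for eth1).  IP2, IP3 and the other "xxx" values
# were redacted in the published copy and must be filled in before this
# script is run -- iptables rejects "xxx" as an address.
#
# Fail closed: if a rule refuses to load, stop right here with the DROP
# policies already installed and forwarding still disabled, rather than
# continuing with a half-loaded ruleset.  That also means a typo can leave
# the box reachable only from the console, so test from a session you can
# afford to lose.
set -e

IPT=/sbin/iptables

# Addresses.  IP0 and IP1 are not referenced by any rule below; they are
# kept as documentation.
IP0=80.251.198.92
IP1=80.251.198.91
IP2=xxx
IP3=xxx

ADMIN=212.37.141.188       # only host allowed to reach ssh and Webmin on the firewall
MAILHOST=xxx               # internal mail server that port 25 on $IP2 is forwarded to
LAN=xxx/24                 # inside network that gets masqueraded
OUTSIDE_GW=192.168.1.254   # default gateway on eth0

# Stop forwarding while the rules are rebuilt, so nothing crosses the box
# during the window where the chains are empty.  Re-enabled as the last
# firewall step below.
echo 0 > /proc/sys/net/ipv4/ip_forward

# Turn off TCP timestamps.  The original comment called this "disable OS
# fingerprinting"; it removes only one of several fingerprinting signals
# and costs PAWS protection on long-lived connections, so reconsider it.
echo 0 > /proc/sys/net/ipv4/tcp_timestamps

# Default policies go in BEFORE the flush: set afterwards, the host would
# briefly run with the previous (possibly ACCEPT) policies and no rules at
# all.  OUTPUT stays ACCEPT: the box is trusted to originate traffic.
"$IPT" -P INPUT DROP     # set to ACCEPT while testing
"$IPT" -P FORWARD DROP   # set to ACCEPT while testing
"$IPT" -P OUTPUT ACCEPT

# Flush every chain in every table and delete user-defined chains.
for table in filter nat mangle; do
  "$IPT" -t "$table" -F
  "$IPT" -t "$table" -X
done

### INPUT: traffic addressed to the firewall itself

# Replies to connections the firewall (or an admin session) already has.
# First in the chain so an existing ssh session survives a reload.
"$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# New connections are accepted only from loopback and the inside interface.
# The published version accepted NEW on eth0 and eth1 -- the two *outside*
# links per the interface notes above -- which silently undid the INPUT
# DROP policy for the whole internet and made the ssh/Webmin rules below
# redundant.  If eth3 is not in fact the inside, fix the interface here
# rather than reverting to the outside interfaces.
"$IPT" -A INPUT -m state --state NEW -i lo   -j ACCEPT
"$IPT" -A INPUT -m state --state NEW -i eth3 -j ACCEPT

# Allow the firewall itself to be pinged (from anywhere, no rate limit).
"$IPT" -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

# Remote management: ssh and Webmin, from the admin host only.
"$IPT" -A INPUT -m state --state NEW -s "$ADMIN" -p tcp --dport 22    -j ACCEPT
"$IPT" -A INPUT -m state --state NEW -s "$ADMIN" -p tcp --dport 10000 -j ACCEPT

### NAT

# Inbound mail: port 25 on $IP2 is forwarded to the internal mail server.
"$IPT" -t nat -A PREROUTING -p tcp -d "$IP2" --dport 25 -j DNAT --to-destination "$MAILHOST":25

# Masquerade the inside network on the way out.  There is no "-o", so this
# applies on whichever outside interface the route picks (eth0/1/2); it
# also masquerades LAN traffic hairpinned back onto eth3, presumably
# unintended but unchanged from the original.
"$IPT" -t nat -A POSTROUTING -s "$LAN" -j MASQUERADE

### FORWARD: traffic routed through the firewall

# Existing connections in either direction.
"$IPT" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Ping through the firewall.
"$IPT" -A FORWARD -p icmp --icmp-type echo-request -j ACCEPT

# New connections may only be started from the inside ...
"$IPT" -A FORWARD -i eth3 -m state --state NEW -j ACCEPT

# ... plus the one inbound service that PREROUTING DNATs onto the LAN.  The
# published version accepted NEW in FORWARD from *any* interface, which
# made the FORWARD DROP policy a no-op: every LAN host with a reachable
# address was exposed, not just the mail server.
"$IPT" -A FORWARD -p tcp -d "$MAILHOST" --dport 25 -m state --state NEW -j ACCEPT

# Rules are in place: forwarding can be switched back on.
echo 1 > /proc/sys/net/ipv4/ip_forward

## Default route.  The gateway is an RFC1918 address although eth0 carries
## a public address (IP0) -- presumably the upstream CPE; confirm.
## "route add" fails with "File exists" if a default route is already
## present; that was the original behaviour and is left as is.
route add default gw "$OUTSIDE_GW" eth0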