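#!/bin/sh
#
# Host firewall for a two-interface box: INPUT is default-DROP, with loopback,
# the local 192.168.0.0/24 subnet, a handful of SSH source networks and
# already-established traffic let through; tcp/443 is redirected to sshd so an
# admin stuck behind an outbound-22 filter can still get in.
#
# Usage: $0 start | stop
#   start          (re)load the rule set below
#   stop           flush everything and leave all chains on ACCEPT
#                  (the host is then completely unfiltered)
#   anything else  same as "start"
#
# Exit status is 0 when every iptables command succeeded, 1 otherwise.
#
readonly IPT="/usr/local/sbin/iptables"

# Source networks allowed to open SSH sessions on eth0 (whitespace separated).
readonly SSH_HOSTS_ALLOWED="11.11.11.11/16 22.22.22.22/24 33.33.33.0/16 44.44.44.44/24 55.55.55.55/16"

# Exit status of the whole script; set to 1 by ipt() as soon as any rule fails.
rc=0

# ipt ARGS... : run one iptables command.
# A failure is reported on stderr and remembered in $rc, but loading carries
# on so that the ESTABLISHED and SSH allow rules further down still get a
# chance to be installed: one rejected rule must neither lock a remote admin
# out of an otherwise reachable host nor be hidden behind an unconditional
# "exit 0".
ipt() {
        if ! "${IPT}" "$@"; then
                printf '%s: failed: %s %s\n' "${0##*/}" "${IPT}" "$*" >&2
                rc=1
        fi
}

# Without the binary nothing below can work; say so instead of reporting success.
if [ ! -x "${IPT}" ]; then
        printf '%s: %s is not executable\n' "${0##*/}" "${IPT}" >&2
        exit 1
fi

case "$1" in
        start)
                #/sbin/sysctl -w net.ipv4.ip_forward=1

                # Set the default policies BEFORE flushing: the window between
                # "no rules" and "rules loaded" then drops instead of accepting
                # whatever the previous policy allowed (after "stop" that is
                # everything). Established sessions stall for a moment until
                # the ESTABLISHED rule below is back, exactly as they did when
                # the policy was set after the flush.
                ipt -P INPUT   DROP
                ipt -P OUTPUT  ACCEPT
                ipt -P FORWARD DROP

                # flushing all rules and user-defined chains
                ipt -F
                ipt -F -t nat
                ipt -X

                # allow unlimited traffic on loopback
                ipt -A INPUT -i lo -j ACCEPT

                # allow local subnet 192.168.0.x connections (all = tcp & udp)
                # NOTE(review): the SSH and nat rules below treat eth0 as the
                # outside-facing interface; accepting 192.168.0.0/24 sources on
                # it admits packets with a spoofed private source unless the
                # upstream router already filters them - confirm which side of
                # the box eth0 is on.
                ipt -A INPUT -i eth0 -s 192.168.0.0/24 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
                ipt -A INPUT -i eth1 -s 192.168.0.0/24 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

                # forward port 443 to 22 - so we can connect from a remote IP going out on port 443
                # if they block outgoing traffic on 22
                ipt -t nat -A PREROUTING -p tcp -i eth0 --dport 443 -j REDIRECT --to-ports 22

                # 80 -> 8000
                # NOTE(review): no INPUT rule below accepts port 8000 (or 80)
                # from outside 192.168.0.0/24, so redirected HTTP from remote
                # clients ends at the final DROP - confirm that is intended.
                ipt -t nat -A PREROUTING -p tcp -i eth0 --dport 80 -j REDIRECT --to-ports 8000

                # allow incoming ssh from chosen IPs
                # (the list is deliberately left unquoted so it splits on whitespace)
                # The nat REDIRECT above rewrites 443 to 22 before the packet
                # reaches INPUT, so the --dport 22 rule is the one that matches
                # both ways in; the --dport 443 rule is kept for completeness.
                for s in ${SSH_HOSTS_ALLOWED}; do
                        ipt -A INPUT -p tcp -i eth0 -s "${s}" --dport 22 --syn -m state --state NEW -j ACCEPT
                        ipt -A INPUT -p tcp -i eth0 -s "${s}" --dport 443 --syn -m state --state NEW -j ACCEPT
                done

                # allow all packets ESTABLISHED,RELATED
                ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

                # allow ICMP ping (or would it be better to restrict it to the local net?)
                ipt -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

                # drop directed broadcast (the 0.0.0.255 mask compares only the
                # last octet, i.e. any x.x.x.255 destination) and all-hosts
                # multicast silently - presumably so they do not fill the log
                # rule below
                ipt -A INPUT -d 255.255.255.255/0.0.0.255 -j DROP
                ipt -A INPUT -d 224.0.0.1 -j DROP

                # log what is about to be dropped, rate limited; the prefix
                # makes the lines easy to pick out of syslog
                ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPT INPUT DROP: " #log is good/handy for 'debugging'
#               ipt -A INPUT -m limit --limit 5/min -j ULOG #log is good/handy for 'debugging'

                ipt -A INPUT -j DROP #or REJECT/DROP
                ;;

        stop)
                #/sbin/sysctl -w net.ipv4.ip_forward=0

                # flushing all rules and user-defined chains
                ipt -F
                ipt -F -t nat
                ipt -X

                # setting default filter policy - everything is ACCEPTed from here on
                ipt -P INPUT   ACCEPT
                ipt -P OUTPUT  ACCEPT
                ipt -P FORWARD ACCEPT
                ;;

        *)
                # original behaviour kept: a bare or unknown argument loads the
                # firewall; the child's exit status becomes ours
                "$0" start || rc=$?
                ;;
esac

exit "${rc}"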