>ppp0 ? значит, маскарад...
>правила файрвола в студию.... и - допускает ли игруха соединение через established,
>related? если нет - то либо проброска порта (но играет только
>один комп), либо смотреть в сторону того, не требует ли эта
>игруха подгрузки какого-либо модуля iptables. Если ни то, ни другое -
>увы, только смотреть, не написал ли кто-то модуль маскарада этой игрухи.
>
#!/bin/sh
# See how we were called.
case "$1" in
start)
echo -n "Starting Firewalling: "
echo "Proverka modules ....."
/sbin/depmod -a
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_ULOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state
/sbin/modprobe ipt_MASQUERADE
/sbin/modprobe ipt_REJECT
echo "Povtornoe vkluchenie ..."
echo "1" > /proc/sys/net/ipv4/ip_forward
# ------------------------------------------------------------ ----------------
echo "Propisuem peremennie ......"
IPADDR="192.168.0.90"
INET_IP="0.0.0.0"
INET_BROADCAST="0.0.0.0"
EXTERNAL_INTERFACE="eth0" # Infoline connected interface - Moj Setevoj Interface
INTERNET_INTERFACE="ppp0" # Internet interface up when pptp up
LOOPBACK_INTERFACE="lo" # Your local naming convention
PRIMARY_NAMESERVER="213.179.232.78" # Your Primary Name Server
SECONDARY_NAMESERVER="195.5.6.10" # Your Secondary Name Server Internal Server
#SMTP_SERVER="195.2.72.152" # Your Central Mail Hub Server
LOOPBACK="127.0.0.0/8" # Reserved loopback addr range
CLASS_A="10.0.0.0/8" # Class A private networks
CLASS_B="172.16.0.0/12" # Class B private networks
CLASS_C="192.168.0.0/24" # Class C private networks
CLASS_D_MULTICAST="224.0.0.0/4" # Class D multicast addr
CLASS_E_RESERVED_NET="240.0.0.0/5" # Class E reserved addr
BROADCAST_SRC="0.0.0.0" # Broadcast source addr
BROADCAST_DEST="192.168.0.255" # Broadcast destination addr
PRIVPORTS="0:1023" # Privileged port range
UNPRIVPORTS="1024:65535" # Unprivileged port range
CSPORTS="27005:27015"
DHCP_SERVER="192.168.0.90"
# ----------------------------------------------------------------------------
# The SSH client starts at 1023 and works down to 513 for each
# additional simultaneous connection originating from a privileged port.
# Clients can optionally be configured to use only unprivileged ports.
echo "Propisuem ports SSH & Traceroute"
SSH_LOCAL_PORTS="1022:65535" # Port range for local clients
SSH_REMOTE_PORTS="513:65535" # Port range for remote clients
# traceroute usually uses -S 32769:65535 -D 33434:33523
TRACEROUTE_SRC_PORTS="32769:65535"
TRACEROUTE_DEST_PORTS="33434:33523"
# ----------------------------------------------------------------------------
# Default policy is DENY
# Explicitly accept desired INCOMING & OUTGOING connections
# Remove all existing rules belonging to this filter
echo "Ochistka vsex nastroek"
iptables -F
# Remove any existing user-defined chains.
iptables -X
# Set the default policy of the filter to deny.
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# ------------------------------------------------------------ ----------------
# LOOPBACK
# --------
echo "Vklychaem loopback"
# Unlimited traffic on the loopback interface.
iptables -A INPUT -i $LOOPBACK_INTERFACE -j ACCEPT
iptables -A OUTPUT -o $LOOPBACK_INTERFACE -j ACCEPT
# ------------------------------------------------------------ ----------------
# пФВТБУЩЧБФШ ЧУЕ РБЛЕФЩ, ЛПФПТЩЕ ОЕ НПЗХФ ВЩФШ ЙДЕОФЙЖЙГЙТПЧБОЩ Й РПЬФПНХ ОЕ НПЗХФ ЙНЕФШ ПРТЕДЕМЕООПЗП УФБФХУБ.
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state INVALID -j DROP
# ------------------------------------------------------------ ----------------
#Для VPN
#iptables -A INPUT -p 47 -m state --state ESTABLISHED,RELATED -i eth0 -j ACCEPT
#iptables -A OUTPUT -p TCP --dport 1723 -o eth0 -j ACCEPT
#iptables -A OUTPUT -p 47 -o eth0 -j ACCEPT
# ------------------------------------------------------------ ----------------
# SPOOFING & BAD ADDRESSES
# Refuse spoofed packets.
# Ignore blatantly illegal source addresses.
# Protect yourself from sending to bad addresses.
# Refuse incoming packets pretending to be from the external address.
echo "SPOOFING & BAD ADDRESSES Refuse spoofed packets."
iptables -A INPUT -s $IPADDR -j DROP
echo " Refuse incoming packets claiming to be from a Class A, B or C private network"
iptables -A INPUT --fragment -p ICMP -j ULOG
iptables -A OUTPUT --fragment -p ICMP -j ULOG
iptables -A INPUT --fragment -p ICMP -j DROP
iptables -A OUTPUT --fragment -p ICMP -j DROP
#------------
iptables -A INPUT -s $CLASS_A -j DROP
iptables -A INPUT -s $CLASS_B -j DROP
iptables -A INPUT -s $CLASS_C -j ACCEPT
echo "Refuse broadcast address SOURCE packets"
iptables -A INPUT -s $BROADCAST_DEST -j DROP
iptables -A INPUT -d $BROADCAST_SRC -j DROP
# Refuse Class D multicast addresses
# Multicast is illegal as a source address.
# Multicast uses UDP.
iptables -A INPUT -s $CLASS_D_MULTICAST -j DROP
# Refuse Class E reserved IP addresses
iptables -A INPUT -s $CLASS_E_RESERVED_NET -j DROP
echo "Refuse special addresses defined as reserved by the IANA."
# Note: The remaining reserved addresses are not included
# filtering them causes problems as reserved blocks are
# being allocated more often now. The following are based on
# reservations as listed by IANA as of 2001/01/04. Please regularly
# check at http://www.iana.org/ for the latest status.
# Note: this list includes the loopback, multicast, & reserved addresses.
# 0.*.*.* - Can't be blocked for DHCP users.
# 127.*.*.* - LoopBack
# 169.254.*.* - Link Local Networks
# 192.0.2.* - TEST-NET
# 224-255.*.*.* - Classes D & E, plus unallocated.
#iptables -A INPUT -s 0.0.0.0/8 -j DROP
iptables -A INPUT -s 127.0.0.0/8 -j DROP
iptables -A INPUT -s 169.254.0.0/16 -j DROP
#iptables -A INPUT -s 192.0.2.0/24 -j DROP
iptables -A INPUT -s 224.0.0.0/3 -j DROP
# ------------------------------------------------------------ ----------------
# UDP TRACEROUTE
# --------------
echo "Traceroute usually uses -S 32769:65535 -D 33434:33523"
iptables -A INPUT -i $INTERNET_INTERFACE -p udp --source-port $TRACEROUTE_SRC_PORTS --destination-port $TRACEROUTE_DEST_PORTS -j DROP
iptables -A OUTPUT -o $INTERNET_INTERFACE -p udp --source-port $TRACEROUTE_SRC_PORTS --destination-port $TRACEROUTE_DEST_PORTS -j ACCEPT
#
iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp --source-port $TRACEROUTE_SRC_PORTS -d $IPADDR --destination-port $TRACEROUTE_DEST_PORTS -j DROP
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p udp -s $IPADDR --source-port $TRACEROUTE_SRC_PORTS --destination-port $TRACEROUTE_DEST_PORTS -j ACCEPT
# ------------------------------------------------------------ ----------------
echo " DNS forward-only nameserver (53)"
# --------------------------------
iptables -A INPUT -i $INTERNET_INTERFACE -p udp -s $PRIMARY_NAMESERVER --source-port 53 --destination-port $UNPRIVPORTS -j ACCEPT
iptables -A OUTPUT -o $INTERNET_INTERFACE -p udp --source-port $UNPRIVPORTS -d $PRIMARY_NAMESERVER --destination-port 53 -j ACCEPT
iptables -A INPUT -i $INTERNET_INTERFACE -p tcp ! --syn -s $PRIMARY_NAMESERVER --source-port 53 --destination-port $UNPRIVPORTS -j ACCEPT
iptables -A OUTPUT -o $INTERNET_INTERFACE -p tcp --source-port $UNPRIVPORTS -d $PRIMARY_NAMESERVER --destination-port 53 -j ACCEPT
iptables -A INPUT -i $INTERNET_INTERFACE -p udp -s $SECONDARY_NAMESERVER --source-port 53 --destination-port $UNPRIVPORTS -j ACCEPT
iptables -A OUTPUT -o $INTERNET_INTERFACE -p udp --source-port $UNPRIVPORTS -d $SECONDARY_NAMESERVER --destination-port 53 -j ACCEPT
iptables -A INPUT -i $INTERNET_INTERFACE -p tcp ! --syn -s $SECONDARY_NAMESERVER --source-port 53 --destination-port $UNPRIVPORTS -j ACCEPT
iptables -A OUTPUT -o $INTERNET_INTERFACE -p tcp --source-port $UNPRIVPORTS -d $SECONDARY_NAMESERVER --destination-port 53 -j ACCEPT
# ------------------------------------------------------------ ------
echo " HTTP server (80)"
#----------------
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp --source-port $UNPRIVPORTS -d $IPADDR --destination-port 80 -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp ! --syn -s $IPADDR --source-port 80 --destination-port $UNPRIVPORTS -j ACCEPT
#----------------
#echo "HTTPS server (443)"
# ------------------
#iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp --source-port $UNPRIVPORTS -d $IPADDR --destination-port 443 -j ACCEPT
#iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp ! --syn -s $IPADDR --source-port 443 --destination-port $UNPRIVPORTS -j ACCEPT
#-------------------------------------------------------------------
#echo "SQUID server (3128)"
# ------------------
#iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp --source-port $UNPRIVPORTS -d $IPADDR --destination-port 3128 -j ACCEPT
#iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp ! --syn -s $IPADDR --source-port 3128 --destination-port $UNPRIVPORTS -j ACCEPT
# ------------------------------------------------------------------
echo "DHCPD server (67,68)"
# ------------------
iptables -A INPUT -p udp -i $EXTERNAL_INTERFACE --dport 67 --sport 68 -j ACCEPT
iptables -A OUTPUT -p udp -o $EXTERNAL_INTERFACE --sport 68 --dport 67 -j ACCEPT
# ------------------------------------------------------------------
echo " MySQL server (3306)"
# -------------------
#iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp --source-port $UNPRIVPORTS -d $IPADDR --destination-port 3306 -j ACCEPT
#iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp ! --syn -s $IPADDR --source-port 3306 --destination-port $UNPRIVPORTS -j ACCEPT
# ------------------------------------------------------------
echo " SSH server (22) part 1 ACCEPT from LocalNet"
# ---------------
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp --source-port $SSH_REMOTE_PORTS -d $IPADDR --dport 22 -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp ! --syn -s $IPADDR --source-port 22 --destination-port $SSH_REMOTE_PORTS -j ACCEPT
#echo " SSH server (22) part 2 DENY from INET"
#iptables -A INPUT -i $INTERNET_INTERFACE -p tcp --source-port $SSH_REMOTE_PORTS -d $IPADDR --dport 22 -j REJECT
#iptables -A OUTPUT -o $INTERNET_INTERFACE -p tcp ! --syn -s $IPADDR --source-port 22 --destination-port $SSH_REMOTE_PORTS -j REJECT
echo " SSH client (22)"
# ---------------
iptables -A OUTPUT -o $INTERNET_INTERFACE -p tcp --source-port $SSH_LOCAL_PORTS --destination-port 22 -j REJECT
iptables -A INPUT -i $INTERNET_INTERFACE -p tcp ! --syn --source-port 22 --destination-port $SSH_LOCAL_PORTS -j REJECT
#
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn --source-port 22 -d $IPADDR --destination-port $SSH_LOCAL_PORTS -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp -s $IPADDR --source-port $SSH_LOCAL_PORTS --destination-port 22 -j ACCEPT
# ------------------------------------------------------------------
#echo " IMAP server (143)"
# -----------------
#iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp --source-port $UNPRIVPORTS -d $IPADDR --destination-port 143 -j ACCEPT
#iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp ! --syn -s $IPADDR --source-port 143 --destination-port $UNPRIVPORTS -j ACCEPT
#echo "IMAP client (143)"
# -----------------
#iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn --source-port 143 -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
#iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp -s $IPADDR --source-port $UNPRIVPORTS --destination-port 143 -j ACCEPT
# ------------------------------------------------------------ ------
# ------------------------------------------------------------ ------
#echo " SMTP client (25)"
# ----------------
#iptables -A INPUT -p TCP -i $INTERNET_INTERFACE --destination-port 25 -j DROP
# ------------------------------------------------------------ ------
echo " Samba client (135:139) Deny from Inet"
# ----------------
iptables -A INPUT -p UDP -i $INTERNET_INTERFACE -d $INET_BROADCAST --destination-port 135:139 -j DROP
# ------------------------------------------------------------ ------
#echo " POP client (110)"
# ----------------
#iptables -A INPUT -i $INTERNET_INTERFACE -p tcp ! --syn --source-port 110 --destination-port $UNPRIVPORTS -j ACCEPT
#iptables -A OUTPUT -o $INTERNET_INTERFACE -p tcp --source-port $UNPRIVPORTS --destination-port 110 -j ACCEPT
# ------------------------------------------------------------ ------
echo " HTTP client (80)"
# ----------------
iptables -A INPUT -i $INTERNET_INTERFACE -p tcp ! --syn --source-port 80 --destination-port $UNPRIVPORTS -j ACCEPT
iptables -A OUTPUT -o $INTERNET_INTERFACE -p tcp --source-port $UNPRIVPORTS --destination-port 80 -j ACCEPT
iptables -A INPUT -i $INTERNET_INTERFACE -p tcp ! --syn --source-port 8083 --destination-port $UNPRIVPORTS -j ACCEPT
iptables -A OUTPUT -o $INTERNET_INTERFACE -p tcp --source-port $UNPRIVPORTS --destination-port 8083 -j ACCEPT
iptables -A INPUT -i $INTERNET_INTERFACE -p tcp ! --syn --source-port 8080 --destination-port $UNPRIVPORTS -j ACCEPT
iptables -A OUTPUT -o $INTERNET_INTERFACE -p tcp --source-port $UNPRIVPORTS --destination-port 8080 -j ACCEPT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn --source-port 80 -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp -s $IPADDR --source-port $UNPRIVPORTS --destination-port 80 -j ACCEPT
echo "HTTPS client (443)"
# ----------------
iptables -A INPUT -i $INTERNET_INTERFACE -p tcp ! --syn --source-port 443 --destination-port $UNPRIVPORTS -j ACCEPT
iptables -A OUTPUT -o $INTERNET_INTERFACE -p tcp --source-port $UNPRIVPORTS --destination-port 443 -j ACCEPT
# ------------------------------------------------------------ ------
#echo " IRC client (6667)"
# -----------------
iptables -A INPUT -i $INTERNET_INTERFACE -p tcp ! --syn --source-port 6667 --destination-port $UNPRIVPORTS -j ACCEPT
iptables -A OUTPUT -o $INTERNET_INTERFACE -p tcp --source-port $UNPRIVPORTS --destination-port 6667 -j ACCEPT
iptables -A INPUT -i $INTERNET_INTERFACE -p tcp --source-port $UNPRIVPORTS --destination-port $UNPRIVPORTS -j ACCEPT
iptables -A OUTPUT -o $INTERNET_INTERFACE -p tcp --source-port $UNPRIVPORTS --destination-port $UNPRIVPORTS -j ACCEPT
# ------------------------------------------------------------ ------
# IRC client (6667)
# -----------------
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn --source-port 6667 -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp -s $IPADDR --source-port $UNPRIVPORTS --destination-port 6667 -j ACCEPT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp --source-port $UNPRIVPORTS -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp -s $IPADDR --source-port $UNPRIVPORTS --destination-port $UNPRIVPORTS -j ACCEPT
# ------------------------------------------------------------ ------
# FTP server (21)
# ---------------
# incoming request
#iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
# --source-port $UNPRIVPORTS \
# -d $IPADDR --destination-port 21 -j ACCEPT
#iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp ! --syn \
# -s $IPADDR --source-port 21 \
# --destination-port $UNPRIVPORTS -j ACCEPT
# PORT MODE data channel responses
#iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
# -s $IPADDR --source-port 20 \
# --destination-port $UNPRIVPORTS -j ACCEPT
#iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
# --source-port $UNPRIVPORTS \
# -d $IPADDR --destination-port 20 -j ACCEPT
# PASSIVE MODE data channel responses
#iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
# --source-port $UNPRIVPORTS \
# -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
#iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp ! --syn \
# -s $IPADDR --source-port $UNPRIVPORTS \
# --destination-port $UNPRIVPORTS -j ACCEPT
# ------------------------------------------------------------ ------
# SYSLOG client (514)
# -------------------
# iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p udp \
# -s $IPADDR --source-port 514 \
# -d $SYSLOG_SERVER --destination-port $UNPRIVPORTS -j ACCEPT
# ------------------------------------------------------------ ------
echo " FTP client (21)"
# --------------
# outgoing request
iptables -A OUTPUT -o $INTERNET_INTERFACE -p tcp --source-port $UNPRIVPORTS --destination-port 21 -j ACCEPT
iptables -A INPUT -i $INTERNET_INTERFACE -p tcp ! --syn --source-port 21 --destination-port $UNPRIVPORTS -j ACCEPT
# PORT mode data channel
iptables -A INPUT -i $INTERNET_INTERFACE -p tcp --source-port 20 --destination-port $UNPRIVPORTS -j ACCEPT
iptables -A OUTPUT -o $INTERNET_INTERFACE -p tcp ! --syn --source-port $UNPRIVPORTS --destination-port 20 -j ACCEPT
# ---------------
# outgoing request
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp -s $IPADDR --source-port $UNPRIVPORTS --destination-port 21 -j ACCEPT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn --source-port 21 -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
# PORT mode data channel
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp --source-port 20 -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp ! --syn -s $IPADDR --source-port $UNPRIVPORTS --destination-port 20 -j ACCEPT
# ------------------------------------------------------------ ------
# ------------------------------------------------------------ ----------------
echo "ICMP - Packets"
# ----
# To prevent denial of service attacks based on ICMP bombs, filter
# incoming Redirect (5) and outgoing Destination Unreachable (3).
# Note, however, disabling Destination Unreachable (3) is not
# advisable, as it is used to negotiate packet fragment size.
# For bi-directional ping.
# Message Types: Echo_Reply (0), Echo_Request (8)
# To prevent attacks, limit the src addresses to your ISP range.
#
# For outgoing traceroute.
# Message Types: INCOMING Dest_Unreachable (3), Time_Exceeded (11)
# default UDP base: 33434 to base+nhops-1
#
# For incoming traceroute.
# Message Types: OUTGOING Dest_Unreachable (3), Time_Exceeded (11)
# To block this, deny OUTGOING 3 and 11
# 0: echo-reply (pong)
# 3: destination-unreachable, port-unreachable, fragmentation-needed, etc.
# 4: source-quench
# 5: redirect
# 8: echo-request (ping)
# 11: time-exceeded
# 12: parameter-problem
iptables -A INPUT -i $INTERNET_INTERFACE -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A INPUT -i $INTERNET_INTERFACE -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A INPUT -i $INTERNET_INTERFACE -p icmp --icmp-type source-quench -j ACCEPT
iptables -A INPUT -i $INTERNET_INTERFACE -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A INPUT -i $INTERNET_INTERFACE -p icmp --icmp-type parameter-problem -j ACCEPT
iptables -A OUTPUT -o $INTERNET_INTERFACE -p icmp --icmp-type fragmentation-needed -j ACCEPT
iptables -A OUTPUT -o $INTERNET_INTERFACE -p icmp --icmp-type source-quench -j ACCEPT
iptables -A OUTPUT -o $INTERNET_INTERFACE -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -o $INTERNET_INTERFACE -p icmp --icmp-type parameter-problem -j ACCEPT
#------------------------------------------------------------ ----------------
iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp --icmp-type echo-reply -d $IPADDR -j ACCEPT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp --icmp-type destination-unreachable -d $IPADDR -j ACCEPT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp --icmp-type source-quench -d $IPADDR -j ACCEPT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp --icmp-type time-exceeded -d $IPADDR -j ACCEPT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp --icmp-type parameter-problem -d $IPADDR -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p icmp -s $IPADDR --icmp-type fragmentation-needed -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p icmp -s $IPADDR --icmp-type source-quench -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p icmp -s $IPADDR --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p icmp -s $IPADDR --icmp-type parameter-problem -j ACCEPT
# ------------------------------------------------------------ ----------------
# Enable logging for selected denied packets
iptables -A INPUT -i $INTERNET_INTERFACE -p tcp -j DROP
iptables -A INPUT -i $INTERNET_INTERFACE -p udp --destination-port $PRIVPORTS -j DROP
iptables -A INPUT -i $INTERNET_INTERFACE -p udp --destination-port $UNPRIVPORTS -j DROP
iptables -A INPUT -i $INTERNET_INTERFACE -p icmp --icmp-type 5 -j DROP
iptables -A INPUT -i $INTERNET_INTERFACE -p icmp --icmp-type 13/255 -j DROP
iptables -A OUTPUT -o $INTERNET_INTERFACE -j DROP
#Rasreshaem vnutrennuyu set
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp -j ACCEPT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp --destination-port $PRIVPORTS -j ACCEPT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp --destination-port $UNPRIVPORTS -j ACCEPT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp --icmp-type 5 -j ACCEPT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp --icmp-type 13/255 -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -j ACCEPT
#echo "Setting up NAT (Network Address Translation)..."
#iptables -t nat -A POSTROUTING -o $INTERNET_INTERFACE -j SNAT --to-source $INET_IP
#iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 3128
#------ L2
#iptables -A OUTPUT -o $INTERNET_INTERFACE -p tcp --source-port $UNPRIVPORTS --destination-port 2106 -j ACCEPT
#iptables -A INPUT -i $INTERNET_INTERFACE -p tcp ! --syn --source-port 2106 --destination-port $UNPRIVPORTS -j ACCEPT
# PORT mode data channel
#iptables -A INPUT -i $INTERNET_INTERFACE -p tcp --source-port 7777 --destination-port $UNPRIVPORTS -j ACCEPT
#iptables -A OUTPUT -o $INTERNET_INTERFACE -p tcp ! --syn --source-port $UNPRIVPORTS --destination-port 7777 -j ACCEPT
# outgoing request
#iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp -s $IPADDR --source-port $UNPRIVPORTS --destination-port 2106 -j ACCEPT
#iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn --source-port 2106 -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
# PORT mode data channel
#iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp --source-port 7777 -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
#iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp ! --syn -s $IPADDR --source-port $UNPRIVPORTS --destination-port 7777 -j ACCEPT
#iptables -t nat -A PREROUTING -i $INTERNET_INTERFACE -p tcp --source-port 7777 --dport $UNPRIVPORTS -j DNAT --to-destination 192.168.0.13
#iptables -t nat -A PREROUTING -i $INTERNET_INTERFACE -p tcp --source-port 2106 --dport $UNPRIVPORTS -j DNAT --to-destination 192.168.0.13
#iptables -t nat -A PREROUTING -i $INTERNET_INTERFACE -p tcp -d $INET_IP --dport 7777 -j DNAT --to-destination 192.168.0.0-192.168.0.24
echo "Enable Forwarding............"
iptables -A FORWARD -i $EXTERNAL_INTERFACE -o $INTERNET_INTERFACE -j ACCEPT
iptables -A FORWARD -i $INTERNET_INTERFACE -o $EXTERNAL_INTERFACE -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#iptables -A FORWARD -s 83.222.2.102 -d 192.168.0.0/24 -j ACCEPT
#iptables -A FORWARD -d 83.222.2.102 -s 192.168.0.0/24 -j ACCEPT
iptables -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT FORWARD packet died: "
#iptables -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: "
#iptables -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT OUTPUT packet died: "
# enable MASQUERADING
echo "Enable MASQURADE............"
#iptables -A POSTROUTING -s 192.168.0.13 -d 83.222.2.102 -j MASQUERADE
iptables -t nat -A POSTROUTING -o $INTERNET_INTERFACE -j MASQUERADE
#iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 3128
#--------------------
#iptables -A FORWARD -j LOG --log-level info
iptables -A INPUT -j LOG --log-level info
iptables -A OUTPUT -j LOG --log-level info
# ------------------------------------------------------------ ----------------
;;
stop)
echo -n "Shutting Firewalling: "
# Remove all existing rules belonging to this filter
iptables -F
# Delete all user-defined chain to this filter
iptables -X
# Reset the default policy of the filter to accept.
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
;;
status)
status iptables
;;
restart|reload)
$0 stop
$0 start
;;
*)
echo "Usage: iptables {start|stop|status|restart|reload}"
exit 1
esac
echo "done"
exit 0