#!/bin/sh

# Absolute path of the iptables binary every rule below is issued through.
IPTABLES='/sbin/iptables'
# Interface facing the outside; MASQUERADE and the DNAT redirects are bound
# to this one.
EXTIF='eth0'
# Internal LAN interface; the FULL_ACCESS_IPS rules match only on it.
INTIF='eth1'
# iptables interface wildcard for the tunnel devices (tun0, tun1, ...);
# traffic arriving on them is accepted wholesale further down.
TUNIF='tun+'

# 80        (tcp)     = Http
# 443       (tcp)     = Https
# 22        (tcp)     = Ssh
# 6881:6999 (tcp/udp) = Bittorrent
# 2222      (tcp)     = Port for various stuffs
# 6536/31522      (udp)     = Freenet
# 4660:4670 (udp/tcp) = Mldonkey
# 3333      (tcp)     = openvpn : helene-titi
# 3334      (tcp)     = openvpn : helene-hades
# 3336      (tcp)     = openvpn : helene-grosMinet

# 6394, 6666 and 4660:4670 are used by mldonkey
# 3000 & 40000:41000 are used for the ftp
# 655 : Tinc

# Not filtered
# Masqueraded

#  8.40 = Solveig
# 82.42 = Dave
# 82.35(.69) = Mc2
# 82.31 = Douille
# 82.37 = Ostop
# 82.16 = GAFA
# 82.38 = Mr2000
# 10.106 = Zodiak
# 11.25 = Chon
# 83.68 = Gilles
# 82.33 = Déroute
# 82.19 = ... (nicolas Moreau)
# 82.15 = Bucheron
# 11.8 = Captain Igloo

# Source addresses dropped outright, both on INPUT and on FORWARD.
# (Whitespace inside the lists is only there for readability: each list is
# expanded unquoted and split into words by the loops below.)
ASSHOLES="
  72.26.224.186
  202.133.60.199
"

# Internal hosts (and one whole /16) allowed through FORWARD; matched only on
# $INTIF.  10.82.40.2 is also the "Zeus" DNAT target and 10.8.40.1 the
# Solveig forward further down; the other names are in the legend above.
FULL_ACCESS_IPS="
  10.90.0.1
  10.0.0.1
  10.0.0.2
  192.168.0.0/16
  10.82.40.1
  10.82.40.2
  10.82.40.3
  10.82.42.1
  10.82.16.1
  10.82.38.1
  10.10.106.1
  10.83.68.1
  10.82.33.1
  10.82.40.4
  10.82.40.5
  10.8.40.1
  10.82.42.5
  10.82.15.1
  10.82.37.1
  10.82.31.1
  10.11.8.1
"

# TCP ports accepted on INPUT from any interface.  Ranges are written in the
# lo:hi form that --dport expects.
EXTERNAL_PORTS_TCP="
  80
  443
  6881:6999
  22
  2222
  4660:4670
  6394
  6666
  1214
  113
  3000
  40000:41000
  655
  3333
  3334
  3336
  8000
  53
  1234
  6667
  6112
"

# UDP ports accepted on INPUT from any interface.
EXTERNAL_PORTS_UDP="
  6536
  6881:6999
  4660:4670
  6666
  6394
  1214
  655
  31522
  53
"

# Ports DNATed from $EXTIF to the Zeus box (10.82.40.2), per protocol.
REDIRECT_TO_ZEUS_TCP="
  80
  443
  6881:6999
  4660:4670
  6666
  6394
  1214
  8000
"

REDIRECT_TO_ZEUS_UDP="
  6881:6999
  4660:4670
  6666
  6394
  1214
"


# Only referenced by a commented-out POSTROUTING rule near the end of the file.
FALLBACK_GATEWAY="10.6.146.1"


echo "[FIREWALL]"

# =======================================
echo Flushing ...

# The DROP policy on INPUT/FORWARD is installed before each chain is flushed,
# so the chains are never empty with an open policy.  User-defined chains are
# not deleted (-X) and the mangle table is not touched; none are created here.
for entry in INPUT:DROP OUTPUT:ACCEPT FORWARD:DROP; do
  chain=${entry%%:*}
  policy=${entry#*:}
  $IPTABLES -P "$chain" "$policy"
  $IPTABLES -F "$chain"
done
# "-F" without a chain name already flushes every chain of the nat table, so
# the explicit POSTROUTING flush that follows is redundant but harmless.
$IPTABLES -t nat -F
$IPTABLES -t nat -F POSTROUTING


# =======================================
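echo Activating forwarding ...
# Kernel-level IPv4 forwarding is what makes the FORWARD chain, the DNAT
# redirects and MASQUERADE below carry any traffic at all.  The script runs
# without "set -e", so a failed write (not root, /proc not mounted) is
# reported explicitly instead of being lost in the output.
if ! echo 1 > /proc/sys/net/ipv4/ip_forward; then
  echo "warning: could not enable IPv4 forwarding" >&2
fi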


echo Autorizing loopback
# =======================================
# Everything on the loopback device is trusted.  Loopback packets are not
# normally routed through FORWARD, so the second rule is expected to stay
# unmatched; it is kept as the author wrote it.
for chain in INPUT FORWARD; do
  $IPTABLES -A "$chain" -i lo -j ACCEPT
done

# =======================================


echo Droping redirects
# Accepting ICMP redirects would let a peer alter this host's routes; drop
# them both outbound and inbound.
for chain in OUTPUT INPUT; do
  $IPTABLES -A "$chain" -p icmp --icmp-type redirect -j DROP
done

# NOTE(review): this accepts *everything* arriving on the internal interface.
# It is appended before the ASSHOLES drops and before the per-host
# FULL_ACCESS_IPS INPUT rules below, so those "-i $INTIF -s <ip>" INPUT rules
# can never match a packet this line has not already accepted.
$IPTABLES -A INPUT -i "$INTIF" -j ACCEPT

echo "[Rejecting assholes]"

# Blackhole the listed sources both for traffic addressed to this box and for
# traffic it would forward.  On INPUT these drops come after the unconditional
# accept for $INTIF above, so they only bite for packets arriving on other
# interfaces.
for bad_ip in $ASSHOLES; do
  for chain in FORWARD INPUT; do
    $IPTABLES -A "$chain" -s "$bad_ip" -j DROP
  done
done

echo "[/Rejection assholes]"


echo "[Allowing known IPs]"

# Anything coming in over a tunnel device is trusted wholesale.
for chain in INPUT FORWARD; do
  $IPTABLES -A "$chain" -i "$TUNIF" -j ACCEPT
done

# One host is trusted by source address on the *external* interface.
# NOTE(review): nothing in this script enables reverse-path filtering, so this
# is trust in a source address that a remote sender chooses; confirm it is
# intended.
for chain in INPUT FORWARD; do
  $IPTABLES -A "$chain" -i "$EXTIF" -s 192.168.1.1 -j ACCEPT
done

# Known internal hosts.  The per-host INPUT rule is already covered by the
# blanket "-i $INTIF -j ACCEPT" earlier in the file; the FORWARD rule is what
# actually lets these hosts reach the outside.
for ip in $FULL_ACCESS_IPS; do
  echo "$ip"
  $IPTABLES -A INPUT   -i "$INTIF" -s "$ip" -j ACCEPT
  $IPTABLES -A FORWARD -i "$INTIF" -s "$ip" -j ACCEPT
done

echo "[/Allowing known IPs]"


# =======================================
echo "[Opening ports]"

# Accept new connections to the given ports.  There is no -i match, so the
# rules apply on every interface, which is how the outside reaches them.
# $1 is the protocol (tcp or udp); the remaining arguments are single ports or
# lo:hi ranges in the form --dport takes.  Prints the same "[proto]" / port /
# "[/proto]" lines the original inline loops did.
open_ports() {
  proto=$1
  shift
  echo "[$proto]"
  for port in "$@"; do
    echo "$port"
    $IPTABLES -A INPUT -p "$proto" -m "$proto" --dport "$port" -j ACCEPT
  done
  echo "[/$proto]"
}

# The lists are deliberately unquoted: word splitting turns them into
# arguments.
open_ports tcp $EXTERNAL_PORTS_TCP
open_ports udp $EXTERNAL_PORTS_UDP

echo "[/Opening ports]"

# =======================================
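echo "[Redirect to Zeus]"

# Forward $1-protocol traffic arriving on the external interface to the Zeus
# box for every port in the remaining arguments, and let the forwarded packets
# through FORWARD.  iptables spells a range lo:hi for --dport but lo-hi for
# DNAT --to, so the separator is translated with parameter expansion instead
# of forking "echo | tr" for each port.  Because DNAT happens in PREROUTING,
# before the filter INPUT chain, the INPUT accepts for these same ports above
# are effectively bypassed for traffic coming in on $EXTIF.
redirect_to_zeus() {
  proto=$1
  shift
  echo "[$proto]"
  for port in "$@"; do
    echo "$port"
    case $port in
      *:*) to_port="${port%%:*}-${port#*:}" ;;
      *)   to_port=$port ;;
    esac
    $IPTABLES -A FORWARD -d 10.82.40.2 -p "$proto" --dport "$port" -j ACCEPT
    $IPTABLES -t nat -A PREROUTING -i "$EXTIF" -p "$proto" --dport "$port" \
      -j DNAT --to "10.82.40.2:$to_port"
  done
  echo "[/$proto]"
}

redirect_to_zeus tcp $REDIRECT_TO_ZEUS_TCP
redirect_to_zeus udp $REDIRECT_TO_ZEUS_UDP
echo "[/Redirect to Zeus]"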

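# Single-port forward to Solveig (10.8.40.1 in the legend at the top).
# The message must be quoted: an unquoted "->" is parsed by the shell as an
# output redirection, so the original line printed nothing and instead created
# a file named "Solveig" (containing "6112 -") in whatever directory the script
# was started from.
echo "6112 -> Solveig"
$IPTABLES -A FORWARD -d 10.8.40.1 -p tcp --dport 6112 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -i "$EXTIF" -p tcp --dport 6112 -j DNAT --to 10.8.40.1:6112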

# =======================================



#echo Logging non-forwarded packets
#$IPTABLES -A FORWARD -j LOG

echo NAT

# Packets belonging to connections that were already accepted are let
# through on INPUT and FORWARD.  These rules are appended at the very end of
# each chain, after every explicit ACCEPT and DROP above, so a source dropped
# in the ASSHOLES loop stays dropped even for an existing connection.
for chain in INPUT FORWARD; do
  $IPTABLES -A "$chain" -m state --state ESTABLISHED,RELATED -j ACCEPT
done
# Everything leaving through the external interface is rewritten to carry the
# box's own address.
$IPTABLES -t nat -A POSTROUTING -o "$EXTIF" -j MASQUERADE
#$IPTABLES -t nat -A POSTROUTING -d $FALLBACK_GATEWAY -j MASQUERADE

# =======================================
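echo "[/FIREWALL]"

echo Xdmcp
# Issued through $IPTABLES like every other rule instead of a bare "iptables"
# resolved via PATH.  No -i match, so the port is opened on every interface.
# NOTE(review): the label says Xdmcp, but 6001/tcp is the conventional port of
# X11 display :1 (XDMCP itself uses 177/udp); confirm which service is meant.
$IPTABLES -A INPUT -p tcp --dport 6001 -j ACCEPT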


