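#!/bin/sh
#
# Hypervisor host firewall (iptables).
#
# Locks down the hypervisor itself (INPUT/OUTPUT: SSH, Proxmox WebUI,
# outbound HTTP/HTTPS/DNS/ICMP) and hands every other incoming TCP/UDP
# flow to a firewall VM on the WAN bridge via DNAT, with FORWARD rules and
# MASQUERADE so the WAN network can reach the Internet through the public IP.
#
# Deliberately no `set -e`: an abort halfway through would leave the DROP
# policies installed without the ACCEPT rules and lock out remote access.
# Run it from a session that can recover (console/KVM), not only over SSH.
#
# Requires: iptables, ip6tables, conntrack support, and IPv4 forwarding
# enabled (net.ipv4.ip_forward=1) -- forwarding is NOT enabled by this script.
set -u

###################
# Define variables
###################

## Public bridge holds physical interface (public IP, output gateway)
PublicBridge="vmbr0"
## WAN bridge ( holds WanNetwork )
WanBridge="vmbr1"
## LAN bridge ( holds Lan Network ) -- not referenced by any rule below
LanBridge="vmbr2"

## Network between hypervisor and firewall
WanNetwork="10.0.0.0/30"
## Network between firewall and VMs -- not referenced by any rule below
LanNetwork="192.168.0.0/24"
## VPN network -- not referenced by any rule below
VpnNetwork="10.2.2.0/24"

## IPV4 public IP of the physical interface
## PLACEHOLDER: replace with the real dotted-quad address before running;
## iptables rejects the literal below, so the SSH/WebUI rules would not load.
PublicIP="xxx.xxx.xxx.xxx.xxx"
## Hypervisor IP inside the WAN network
HypervisorWanIP="10.0.0.1"
## Hypervisor IP inside the LAN network
## NOTE(review): 192.168.9.1 is not inside LanNetwork (192.168.0.0/24).
## Unused here, but verify before any rule starts depending on it.
HypervisorLanIP="192.168.9.1"
## Firewall IP inside the WAN network
FirewallWanIP="10.0.0.2"
## SSH Port -- PLACEHOLDER: replace with the real port number
SshPort="xxxxx"

###################
# Cleanup
###################

# Delete all the rules of every chain ( table filter )   # iptables -F
iptables --flush
# Delete all the rules of every chain ( table nat )      # iptables -t nat -F
iptables --table nat --flush
# Delete all the rules of every chain ( table mangle )   # iptables -t mangle -F
iptables --table mangle --flush
# Delete all user-defined chains                          # iptables -X
iptables --delete-chain

# Cleanup IPv6: flush stale rules too, otherwise a leftover ACCEPT rule
# would survive the DROP policies below.
ip6tables --flush
ip6tables --delete-chain
# Drop all IPv6 (including loopback -- local IPv6-only services will break).
ip6tables --policy INPUT DROP
ip6tables -P OUTPUT DROP
ip6tables -P FORWARD DROP

# Default-deny IPv4; everything after this line is an explicit allow.
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

###################
# Chains
###################

# Create chains
iptables --new-chain TCP
iptables -N UDP

# Define rules on capturing UDP and TCP connections:
# only NEW flows reach the per-protocol chains; replies are handled by the
# RELATED,ESTABLISHED rule below.
iptables --append INPUT --protocol udp --match conntrack --ctstate NEW --jump UDP
iptables -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP

###################
# Global rules
###################

# Allow localhost
iptables --append INPUT --in-interface lo --jump ACCEPT
iptables --append OUTPUT --out-interface lo --jump ACCEPT

# Don't break current or active connections (INPUT and FORWARD only:
# OUTPUT replies are covered by explicit rules in the outgoing section).
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# Allow ICMP echo-request (ping) in
iptables -A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT

########################
# Incoming traffic rules
########################

# Allow SSH connections
iptables -A TCP -i "$PublicBridge" -d "$PublicIP" -p tcp --dport "$SshPort" -j ACCEPT

# Allow Proxmox WebUI
iptables -A TCP -i "$PublicBridge" -d "$PublicIP" -p tcp --dport 8006 -j ACCEPT

########################
# Outgoing traffic rules
########################

# Allow ping out (all ICMP types)
iptables -A OUTPUT -p icmp -j ACCEPT

# Allow HTTPS/HTTP
iptables -A OUTPUT -o "$PublicBridge" -s "$PublicIP" -p tcp --dport 80 -j ACCEPT
# ip6tables -A OUTPUT -o "$PublicBridge" -s "$PublicIP" -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -o "$PublicBridge" -s "$PublicIP" -p tcp --dport 443 -j ACCEPT
# ip6tables -A OUTPUT -o "$PublicBridge" -s "$PublicIP" -p tcp --dport 443 -j ACCEPT

# Allow DNS
iptables -A OUTPUT -o "$PublicBridge" -s "$PublicIP" -p udp --dport 53 -j ACCEPT

# Allow SSH replies. Restricted to ESTABLISHED so the rule only matches
# answers to sessions already accepted on INPUT, not connections the host
# initiates from that source port.
iptables -A OUTPUT -o "$PublicBridge" -s "$PublicIP" -p tcp --sport "$SshPort" -m conntrack --ctstate ESTABLISHED -j ACCEPT

# Allow Proxmox WebUI replies (same ESTABLISHED restriction as SSH)
iptables -A OUTPUT -o "$PublicBridge" -s "$PublicIP" -p tcp --sport 8006 -m conntrack --ctstate ESTABLISHED -j ACCEPT

# Allow to access VMs from Hypervisor (any TCP port toward the WAN bridge)
iptables -A OUTPUT -o "$WanBridge" -s "$HypervisorWanIP" -p tcp -j ACCEPT

###########################
# Forwarding traffic rules
###########################

# Send all TCP traffic from Public IP to WAN network, except for the SSH
# port and Proxmox WebUI. nat/PREROUTING is only consulted for NEW flows,
# so replies to the hypervisor's own outbound connections are not diverted.
iptables -A PREROUTING -t nat -i "$PublicBridge" -p tcp --match multiport ! --dports "$SshPort,8006" -j DNAT --to "$FirewallWanIP"

# Send all UDP traffic from Public IP to WAN network
iptables -A PREROUTING -t nat -i "$PublicBridge" -p udp -j DNAT --to "$FirewallWanIP"

# Allow request forwarding to firewall through WAN network
iptables -A FORWARD -i "$PublicBridge" -d "$FirewallWanIP" -o "$WanBridge" -p tcp -j ACCEPT
iptables -A FORWARD -i "$PublicBridge" -d "$FirewallWanIP" -o "$WanBridge" -p udp -j ACCEPT

# Allow requests from the WAN network out. No -o restriction: the firewall
# VM may forward to any bridge, not only the public one -- tighten with
# `-o "$PublicBridge"` if the firewall VM should never reach other bridges.
iptables -A FORWARD -i "$WanBridge" -s "$WanNetwork" -j ACCEPT

# Allow WAN network to use public IP gateway to go out
iptables -t nat -A POSTROUTING -s "$WanNetwork" -o "$PublicBridge" -j MASQUERADE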