Kerminy HackerSpace

Outils du site


ressources:hentou_iptable
#!/bin/sh
################### 
# Define variables
###################
 
## Public bridge holds physical interface (public IP, output gateway)
PublicBridge="vmbr0"
 
## WAN bridge ( holds WanNetwork )
WanBridge="vmbr1"
 
## LAN bridge ( holds Lan Network )
LanBridge="vmbr2"
 
## Network between hypervisor and firewall
WanNetwork="10.0.0.0/30"
 
## Network between firewall and VMs
LanNetwork="192.168.0.0/24"
 
## VPN network
VpnNetwork="10.2.2.0/24"
 
## IPV4 public IP of the physical interface 
PublicIP="xxx.xxx.xxx.xxx.xxx"
 
## Hypervisor IP inside the WAN network
HypervisorWanIP="10.0.0.1"
 
## Hypervisor IP inside the LAN network
HypervisorLanIP="192.168.9.1"
 
## Firewall IP inside the WAN network
FirewallWanIP="10.0.0.2"
 
## SSH Port
SshPort="xxxxx"
 
 
################### 
# Cleanup
###################
 
# Delete all the rules of every chains ( table filter )
# iptables -F
iptables --flush
 
# Delete all the rules of every chains ( table nat )
# iptables -t nat -F
iptables --table nat --flush
 
# Delete all the rules of every chains ( table mangle )
#iptables -t mangle -F
iptables --table mangle --flush
 
# Delete all user-defined chains 
#iptables -X
iptables --delete-chain
 
# Cleanup IPv6 policies
ip6tables --policy INPUT DROP
ip6tables -P OUTPUT DROP
ip6tables -P FORWARD DROP
 
# Cleanup IPv4 policies
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
 
################### 
# Chains
###################
 
# Create chains
iptables --new-chain TCP
iptables -N UDP
 
# Define rules on capturing UDP and TCP connexions
iptables --append INPUT --protocol udp --match conntrack --ctstate NEW --jump UDP
iptables -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
 
 
################### 
# Global rules
###################
 
# Allow localhost
#iptables -A INPUT -i lo -j ACCEPT
#iptables -A OUTPUT -o lo -j ACCEPT
iptables --append INPUT --in-interface lo --jump ACCEPT
iptables --append OUTPUT --out-interface lo --jump ACCEPT
 
# Don't break current or active connections
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 
# Allow ICMP
iptables -A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
 
######################## 
# Incoming traffic rules
########################
 
# Allow SSH connections
iptables -A TCP -i $PublicBridge -d $PublicIP -p tcp --dport $SshPort -j ACCEPT
 
# Allow Proxmox WebUI
iptables -A TCP -i $PublicBridge -d $PublicIP -p tcp --dport 8006 -j ACCEPT
 
######################## 
# Outcoming traffic rules
########################
 
# Allow ping out
iptables -A OUTPUT -p icmp -j ACCEPT
 
# Allow HTTPS/HTTP
iptables -A OUTPUT -o $PublicBridge -s $PublicIP -p tcp --dport 80 -j ACCEPT
# ip6tables -A OUTPUT -o $PublicBridge -s $PublicIP -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -o $PublicBridge -s $PublicIP -p tcp --dport 443 -j ACCEPT
# ip6tables -A OUTPUT -o $PublicBridge -s $PublicIP -p tcp --dport 443 -j ACCEPT
 
# Allow DNS
iptables -A OUTPUT -o $PublicBridge -s $PublicIP -p udp --dport 53 -j ACCEPT
 
# Allow SSH
iptables -A OUTPUT -o $PublicBridge -s $PublicIP -p tcp --sport $SshPort -j ACCEPT
 
# Allow Proxmox WebUI
iptables -A OUTPUT -o $PublicBridge -s $PublicIP -p tcp --sport 8006 -j ACCEPT
 
# Allow to access VMs from Hypervisor
iptables -A OUTPUT -o $WanBridge -s $HypervisorWanIP -p tcp -j ACCEPT
 
###########################
# Forwarding traffic rules
###########################
 
# Send all TCP traffic from Public IP to WAN network, except for the SSH port and Proxmox WebUI
iptables -A PREROUTING -t nat -i $PublicBridge -p tcp --match multiport ! --dports $SshPort,8006 -j DNAT --to $FirewallWanIP
 
# Send all UDP traffic from Public IP to WAN network
iptables -A PREROUTING -t nat -i $PublicBridge -p udp -j DNAT --to $FirewallWanIP
 
# Allow request forwarding to firewall through WAN network
iptables -A FORWARD -i $PublicBridge -d $FirewallWanIP -o $WanBridge -p tcp -j ACCEPT
iptables -A FORWARD -i $PublicBridge -d $FirewallWanIP -o $WanBridge -p udp -j ACCEPT
 
# Allow request from LAN
iptables -A FORWARD -i $WanBridge -s $WanNetwork -j ACCEPT
 
 
# Allow WAN network to use public IP gateway to go out
iptables -t nat -A POSTROUTING -s $WanNetwork -o $PublicBridge -j MASQUERADE
ressources/hentou_iptable.txt · Dernière modification : 2024/02/08 17:20 de 127.0.0.1