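#!/bin/sh
#
# Proxmox hypervisor host firewall.
#
# The host itself only answers SSH and the Proxmox WebUI (8006) on its
# public IP.  Every other TCP/UDP flow arriving on the public bridge is
# DNAT'ed to the firewall VM on the WAN bridge, and the WAN network is
# masqueraded out through the public IP.
#
# Ordering is deliberate: default policies are set to DROP *before* the
# tables are flushed and rebuilt, and the script aborts on the first
# failing command (set -e).  An error part-way through therefore leaves
# the host closed rather than open.  The flip side is that a typo can lock
# you out: load this the first time from a console, not only over SSH.

set -eu

die() { printf 'error: %s\n' "$*" >&2; exit 1; }

###################
# Define variables
###################

## Public bridge holds physical interface (public IP, output gateway)
PublicBridge="vmbr0"

## WAN bridge ( holds WanNetwork )
WanBridge="vmbr1"

## LAN bridge ( holds Lan Network ) -- not referenced by any rule below
LanBridge="vmbr2"

## Network between hypervisor and firewall
WanNetwork="10.0.0.0/30"

## Network between firewall and VMs -- not referenced by any rule below
LanNetwork="192.168.0.0/24"

## VPN network -- not referenced by any rule below
VpnNetwork="10.2.2.0/24"

## IPv4 public IP of the physical interface (placeholder: replace before use)
PublicIP="xxx.xxx.xxx.xxx"

## Hypervisor IP inside the WAN network
HypervisorWanIP="10.0.0.1"

## Hypervisor IP inside the LAN network -- not referenced by any rule below
## NOTE(review): 192.168.9.1 is not inside LanNetwork (192.168.0.0/24);
## confirm which of the two is intended before using either.
HypervisorLanIP="192.168.9.1"

## Firewall IP inside the WAN network
FirewallWanIP="10.0.0.2"

## SSH Port (placeholder: replace before use)
SshPort="xxxxx"

readonly PublicBridge WanBridge LanBridge WanNetwork LanNetwork VpnNetwork \
  PublicIP HypervisorWanIP HypervisorLanIP FirewallWanIP SshPort

#######################################
# Refuse to load the ruleset while the placeholders are still in place.
# Otherwise iptables rejects the affected rules one by one and the host
# ends up with a half-built table (policies DROP, SSH rule missing).
#######################################
check_config() {
  case "$SshPort" in
    ''|*[!0-9]*) die "SshPort must be a decimal port number (got '$SshPort')" ;;
  esac
  case "$PublicIP" in
    ''|*[!0-9.]*) die "PublicIP must be a dotted-quad IPv4 address (got '$PublicIP')" ;;
  esac
}

#######################################
# Close everything first, so any later failure is fail-closed.
#######################################
set_default_policies() {
  iptables -P INPUT DROP
  iptables -P OUTPUT DROP
  iptables -P FORWARD DROP

  ip6tables -P INPUT DROP
  ip6tables -P OUTPUT DROP
  ip6tables -P FORWARD DROP
}

#######################################
# Delete all rules and user-defined chains of the filter, nat and mangle
# tables, for IPv4 and IPv6 alike (stale IPv6 rules would otherwise survive).
#######################################
flush_tables() {
  for table in filter nat mangle; do
    iptables --table "$table" --flush
    iptables --table "$table" --delete-chain
  done

  ip6tables --flush
  ip6tables --delete-chain
}

#######################################
# Rules that apply to the host regardless of interface.
#######################################
global_rules() {
  # Allow localhost (IPv6 is otherwise fully dropped; loopback is kept so
  # that local services bound to ::1 keep working).
  iptables --append INPUT --in-interface lo --jump ACCEPT
  iptables --append OUTPUT --out-interface lo --jump ACCEPT
  ip6tables --append INPUT --in-interface lo --jump ACCEPT
  ip6tables --append OUTPUT --out-interface lo --jump ACCEPT

  # Don't break current or active connections.  OUTPUT is included so that
  # replies to accepted inbound connections (SSH, WebUI) and RELATED ICMP
  # errors go out without a per-service --sport rule.
  iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  iptables -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

  # Allow ICMP echo request
  iptables -A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
}

#######################################
# New inbound connections are dispatched to the TCP / UDP chains; only what
# those chains accept reaches the host, everything else hits the DROP policy.
#######################################
input_rules() {
  iptables --new-chain TCP
  iptables -N UDP

  iptables --append INPUT --protocol udp --match conntrack --ctstate NEW --jump UDP
  iptables -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP

  # Allow SSH connections
  iptables -A TCP -i "$PublicBridge" -d "$PublicIP" -p tcp --dport "$SshPort" -j ACCEPT

  # Allow Proxmox WebUI
  iptables -A TCP -i "$PublicBridge" -d "$PublicIP" -p tcp --dport 8006 -j ACCEPT
}

#######################################
# Connections the hypervisor itself may open.
#######################################
output_rules() {
  # Allow ping out
  iptables -A OUTPUT -p icmp -j ACCEPT

  # Allow HTTPS/HTTP
  iptables -A OUTPUT -o "$PublicBridge" -s "$PublicIP" -p tcp --dport 80 -j ACCEPT
  iptables -A OUTPUT -o "$PublicBridge" -s "$PublicIP" -p tcp --dport 443 -j ACCEPT

  # Allow DNS
  iptables -A OUTPUT -o "$PublicBridge" -s "$PublicIP" -p udp --dport 53 -j ACCEPT

  # Allow to access VMs from Hypervisor
  iptables -A OUTPUT -o "$WanBridge" -s "$HypervisorWanIP" -p tcp -j ACCEPT
}

#######################################
# Hand every other public-IP flow to the firewall VM and let the WAN network
# use the public IP as its gateway.
#######################################
forward_rules() {
  # Send all TCP traffic from Public IP to WAN network, except for the SSH
  # port and Proxmox WebUI
  iptables -t nat -A PREROUTING -i "$PublicBridge" -p tcp \
    -m multiport ! --dports "$SshPort,8006" -j DNAT --to-destination "$FirewallWanIP"

  # Send all UDP traffic from Public IP to WAN network
  iptables -t nat -A PREROUTING -i "$PublicBridge" -p udp -j DNAT --to-destination "$FirewallWanIP"

  # Allow request forwarding to firewall through WAN network
  iptables -A FORWARD -i "$PublicBridge" -d "$FirewallWanIP" -o "$WanBridge" -p tcp -j ACCEPT
  iptables -A FORWARD -i "$PublicBridge" -d "$FirewallWanIP" -o "$WanBridge" -p udp -j ACCEPT

  # Allow traffic from the firewall (WAN network) to be forwarded out.
  # NOTE(review): this is not restricted to -o "$PublicBridge"; tighten it
  # if the hypervisor must never route between its bridges.
  iptables -A FORWARD -i "$WanBridge" -s "$WanNetwork" -j ACCEPT

  # Allow WAN network to use public IP gateway to go out
  iptables -t nat -A POSTROUTING -s "$WanNetwork" -o "$PublicBridge" -j MASQUERADE
}

main() {
  check_config
  set_default_policies
  flush_tables
  global_rules
  input_rules
  output_rules
  forward_rules
}

main "$@"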