Kerminy HackSpace

Outils du site

Piste : hentou_iptable

Panneau latéral

Tags

alcool arts audio baecon balise basse_tension batteries capteur carburant cb cob communication eclairage esp esp8266 fluxon fm freak gnu_linux gps graph hacking huile led lithium mac mecanique media mobilier mqtt nas odroid radio radiok reseaux resilience rsp rss rtk serveur sonification sons streaming superstructure systeme tok vm 18650

liste des tags

Pages dans la catégorie :

ADMIN

ressources:hentou_iptable

Ceci est une ancienne révision du document !

#!/bin/sh ################### # Define variables ###################

## Public bridge holds physical interface (public IP, output gateway) PublicBridge=“vmbr0”

## WAN bridge ( holds WanNetwork ) WanBridge=“vmbr1”

## LAN bridge ( holds Lan Network ) LanBridge=“vmbr2”

## Network between hypervisor and firewall WanNetwork=“10.0.0.0/30”

## Network between firewall and VMs LanNetwork=“192.168.0.0/24”

## VPN network VpnNetwork=“10.2.2.0/24”

## IPV4 public IP of the physical interface PublicIP=“xxx.xxx.xxx.xxx.xxx”

## Hypervisor IP inside the WAN network HypervisorWanIP=“10.0.0.1”

## Hypervisor IP inside the LAN network HypervisorLanIP=“192.168.9.1”

## Firewall IP inside the WAN network FirewallWanIP=“10.0.0.2”

## SSH Port SshPort=“xxxxx”

################### # Cleanup ###################

# Delete all the rules of every chains ( table filter ) # iptables -F iptables –flush

# Delete all the rules of every chains ( table nat ) # iptables -t nat -F iptables –table nat –flush

# Delete all the rules of every chains ( table mangle ) #iptables -t mangle -F iptables –table mangle –flush

# Delete all user-defined chains #iptables -X iptables –delete-chain

# Cleanup IPv6 policies ip6tables –policy INPUT DROP ip6tables -P OUTPUT DROP ip6tables -P FORWARD DROP

# Cleanup IPv4 policies iptables -P INPUT DROP iptables -P OUTPUT DROP iptables -P FORWARD DROP

################### # Chains ###################

# Create chains iptables –new-chain TCP iptables -N UDP

# Define rules on capturing UDP and TCP connexions iptables –append INPUT –protocol udp –match conntrack –ctstate NEW –jump UDP iptables -A INPUT -p tcp –syn -m conntrack –ctstate NEW -j TCP

################### # Global rules ###################

# Allow localhost #iptables -A INPUT -i lo -j ACCEPT #iptables -A OUTPUT -o lo -j ACCEPT iptables –append INPUT –in-interface lo –jump ACCEPT iptables –append OUTPUT –out-interface lo –jump ACCEPT

# Don't break current or active connections iptables -A INPUT -m conntrack –ctstate RELATED,ESTABLISHED -j ACCEPT iptables -A FORWARD -m conntrack –ctstate RELATED,ESTABLISHED -j ACCEPT

# Allow ICMP iptables -A INPUT -p icmp –icmp-type 8 -m conntrack –ctstate NEW -j ACCEPT

######################## # Incoming traffic rules ########################

# Allow SSH connections iptables -A TCP -i $PublicBridge -d $PublicIP -p tcp –dport $SshPort -j ACCEPT

# Allow Proxmox WebUI iptables -A TCP -i $PublicBridge -d $PublicIP -p tcp –dport 8006 -j ACCEPT

######################## # Outcoming traffic rules ########################

# Allow ping out iptables -A OUTPUT -p icmp -j ACCEPT

# Allow HTTPS/HTTP iptables -A OUTPUT -o $PublicBridge -s $PublicIP -p tcp –dport 80 -j ACCEPT # ip6tables -A OUTPUT -o $PublicBridge -s $PublicIP -p tcp –dport 80 -j ACCEPT iptables -A OUTPUT -o $PublicBridge -s $PublicIP -p tcp –dport 443 -j ACCEPT # ip6tables -A OUTPUT -o $PublicBridge -s $PublicIP -p tcp –dport 443 -j ACCEPT

# Allow DNS iptables -A OUTPUT -o $PublicBridge -s $PublicIP -p udp –dport 53 -j ACCEPT

# Allow SSH iptables -A OUTPUT -o $PublicBridge -s $PublicIP -p tcp –sport $SshPort -j ACCEPT

# Allow Proxmox WebUI iptables -A OUTPUT -o $PublicBridge -s $PublicIP -p tcp –sport 8006 -j ACCEPT

# Allow to access VMs from Hypervisor iptables -A OUTPUT -o $WanBridge -s $HypervisorWanIP -p tcp -j ACCEPT

########################### # Forwarding traffic rules ###########################

# Send all TCP traffic from Public IP to WAN network, except for the SSH port and Proxmox WebUI iptables -A PREROUTING -t nat -i $PublicBridge -p tcp –match multiport ! –dports $SshPort,8006 -j DNAT –to $FirewallWanIP

# Send all UDP traffic from Public IP to WAN network iptables -A PREROUTING -t nat -i $PublicBridge -p udp -j DNAT –to $FirewallWanIP

# Allow request forwarding to firewall through WAN network iptables -A FORWARD -i $PublicBridge -d $FirewallWanIP -o $WanBridge -p tcp -j ACCEPT iptables -A FORWARD -i $PublicBridge -d $FirewallWanIP -o $WanBridge -p udp -j ACCEPT

# Allow request from LAN iptables -A FORWARD -i $WanBridge -s $WanNetwork -j ACCEPT

# Allow WAN network to use public IP gateway to go out iptables -t nat -A POSTROUTING -s $WanNetwork -o $PublicBridge -j MASQUERADE

ressources/hentou_iptable.1705928073.txt.gz · Dernière modification : 2024/02/08 17:20 (modification externe)

Outils de la page

Outils pour utilisateurs

Sauf mention contraire, le contenu de ce wiki est placé sous les termes de la licence suivante : CC Attribution-Share Alike 4.0 International
CC Attribution-Share Alike 4.0 International Valid HTML5 Valid CSS Driven by DokuWiki