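#!/bin/sh
#
# Proxmox hypervisor host firewall (iptables/ip6tables).
#
# Topology: the physical NIC sits on $PublicBridge with the host's public
# IPv4 address. The host itself accepts only SSH and the Proxmox WebUI on
# that address; every other inbound TCP/UDP flow is DNATed to a firewall VM
# reachable on $WanBridge ($FirewallWanIP), and the firewall VM's outbound
# traffic is masqueraded behind the public IP. The VMs behind the firewall
# live on $LanBridge, which this script does not filter (the firewall VM does).
#
# Every policy is set to DROP *before* the allow rules are installed
# (fail-closed), so an error part-way through leaves the host unreachable:
# run it from a console, or with a scheduled rollback, the first time.
#
# NOTE(review): nothing here enables net.ipv4.ip_forward; the FORWARD and
# DNAT rules only take effect if forwarding is enabled elsewhere (sysctl).
#
# Must run as root. Exits non-zero on the first failing command.

set -eu

###################
# Define variables
###################

## Public bridge holding the physical interface (public IP, default gateway).
PublicBridge="vmbr0"
## WAN bridge: point-to-point link between the hypervisor and the firewall VM.
WanBridge="vmbr1"
## LAN bridge: network between the firewall VM and the other VMs.
## Not referenced by any rule below; kept to document the topology.
LanBridge="vmbr2"
## Network between hypervisor and firewall VM (carried by $WanBridge).
WanNetwork="10.0.0.0/30"
## Network between firewall VM and the VMs (carried by $LanBridge). Unused here.
LanNetwork="192.168.0.0/24"
## VPN network (terminated on the firewall VM). Unused here.
VpnNetwork="10.2.2.0/24"
## IPv4 public address of the physical interface -- REPLACE before running.
PublicIP="xxx.xxx.xxx.xxx"
## Hypervisor address inside $WanNetwork.
HypervisorWanIP="10.0.0.1"
## Hypervisor address on the LAN side. Not referenced by any rule below.
## NOTE(review): 192.168.9.1 is not inside LanNetwork (192.168.0.0/24); one
## of the two values is presumably a typo -- confirm against the firewall VM.
HypervisorLanIP="192.168.9.1"
## Firewall VM address inside $WanNetwork (DNAT target).
FirewallWanIP="10.0.0.2"
## TCP port sshd listens on -- REPLACE before running.
SshPort="xxxxx"

#######################################
# Print a message to stderr and exit 1.
# Arguments: message words
#######################################
die() {
  printf 'firewall: %s\n' "$*" >&2
  exit 1
}

#######################################
# Refuse to run while the placeholders are still in place or without root.
# Runs before any table is touched: once the DROP policies are installed, an
# iptables error on a malformed -d/-s address would abort the script and
# lock the host out.
# Globals: PublicIP, SshPort (read)
#######################################
check_config() {
  [ "$(id -u)" -eq 0 ] || die "must run as root"
  case "$PublicIP" in
    ""|*[!0-9.]*) die "PublicIP must be a dotted IPv4 address (got '$PublicIP')" ;;
  esac
  case "$SshPort" in
    ""|*[!0-9]*) die "SshPort must be a TCP port number (got '$SshPort')" ;;
  esac
}

#######################################
# Empty the filter/nat/mangle tables, delete user-defined chains and set
# every built-in chain to DROP, for IPv4 and IPv6. Flushing first means a
# re-run does not append duplicate rules; setting DROP here means the host
# is fail-closed before a single allow rule exists.
#######################################
reset_tables() {
  for fw_table in filter nat mangle; do
    iptables -t "$fw_table" -F
    iptables -t "$fw_table" -X
  done
  # IPv6: filter table only (the v6 nat table does not exist on older kernels).
  ip6tables -F
  ip6tables -X

  for fw_chain in INPUT OUTPUT FORWARD; do
    iptables -P "$fw_chain" DROP
    ip6tables -P "$fw_chain" DROP
  done

  # IPv6 is otherwise unused on this host, but ::1 must keep working for
  # local services that bind it; everything else v6 stays dropped by policy.
  ip6tables -A INPUT -i lo -j ACCEPT
  ip6tables -A OUTPUT -o lo -j ACCEPT
}

#######################################
# Host-level (INPUT/OUTPUT) IPv4 rules for the hypervisor itself.
# Globals: PublicBridge, PublicIP, SshPort, WanBridge, HypervisorWanIP (read)
#######################################
install_host_rules() {
  # Loopback and already-tracked flows first: they are the bulk of the
  # traffic and need not be walked through the per-protocol chains.
  iptables -A INPUT -i lo -j ACCEPT
  iptables -A OUTPUT -o lo -j ACCEPT
  iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  # Replies to inbound SSH/WebUI sessions are covered by this rule, so no
  # --sport rules are needed in OUTPUT (which would also have let NEW
  # outbound flows through just by using those source ports).
  iptables -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  # Packets conntrack cannot classify (bad TCP flags, stray segments).
  iptables -A INPUT -m conntrack --ctstate INVALID -j DROP

  # Inbound ICMP echo request (ping) only.
  iptables -A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT

  # New inbound TCP/UDP flows are dispatched to dedicated chains; anything
  # not accepted there returns to INPUT and hits the DROP policy.
  iptables -N TCP
  iptables -N UDP
  iptables -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
  iptables -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP

  ## Management access to the hypervisor, on the public address only.
  # SSH. The port is exposed to the whole Internet: consider fronting it
  # with -m recent/hashlimit or fail2ban, and key-only authentication.
  iptables -A TCP -i "$PublicBridge" -d "$PublicIP" -p tcp --dport "$SshPort" -j ACCEPT
  # Proxmox WebUI.
  iptables -A TCP -i "$PublicBridge" -d "$PublicIP" -p tcp --dport 8006 -j ACCEPT

  ## Outbound traffic initiated by the hypervisor.
  # Ping out.
  iptables -A OUTPUT -p icmp -j ACCEPT
  # HTTP/HTTPS (package repositories).
  for web_port in 80 443; do
    iptables -A OUTPUT -o "$PublicBridge" -s "$PublicIP" -p tcp --dport "$web_port" -j ACCEPT
  done
  # DNS over UDP and TCP: answers too large for UDP (DNSSEC, big record
  # sets) make the resolver retry over TCP, which the original rule blocked.
  iptables -A OUTPUT -o "$PublicBridge" -s "$PublicIP" -p udp --dport 53 -j ACCEPT
  iptables -A OUTPUT -o "$PublicBridge" -s "$PublicIP" -p tcp --dport 53 -j ACCEPT
  # Hypervisor -> firewall VM over the WAN link (any TCP port).
  iptables -A OUTPUT -o "$WanBridge" -s "$HypervisorWanIP" -p tcp -j ACCEPT
}

#######################################
# NAT and FORWARD rules between the public interface and the firewall VM.
# Globals: PublicBridge, PublicIP, SshPort, WanBridge, WanNetwork,
#          FirewallWanIP (read)
#######################################
install_forward_rules() {
  # Everything arriving on the public address that is not hypervisor
  # management traffic belongs to the firewall VM: DNAT it there. Matching
  # on -d keeps any other address later added to the bridge out of the
  # redirect, consistent with the INPUT rules above.
  iptables -t nat -A PREROUTING -i "$PublicBridge" -d "$PublicIP" -p tcp \
    -m multiport ! --dports "$SshPort,8006" -j DNAT --to-destination "$FirewallWanIP"
  iptables -t nat -A PREROUTING -i "$PublicBridge" -d "$PublicIP" -p udp \
    -j DNAT --to-destination "$FirewallWanIP"

  # Tracked flows in both directions, then drop what conntrack rejects
  # (this also stops INVALID packets from the WAN link being forwarded by
  # the blanket accept below).
  iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP

  # Public -> firewall VM: only the DNATed TCP/UDP flows.
  for fw_proto in tcp udp; do
    iptables -A FORWARD -i "$PublicBridge" -o "$WanBridge" -d "$FirewallWanIP" -p "$fw_proto" -j ACCEPT
  done

  # Firewall VM -> anywhere. Deliberately unrestricted: the firewall VM is
  # the policy enforcement point for the VMs. Its traffic leaves through the
  # public IP via MASQUERADE.
  iptables -A FORWARD -i "$WanBridge" -s "$WanNetwork" -j ACCEPT
  iptables -t nat -A POSTROUTING -s "$WanNetwork" -o "$PublicBridge" -j MASQUERADE
}

#######################################
# Entry point: validate, wipe, then install rules in dependency order.
#######################################
main() {
  check_config
  reset_tables
  install_host_rules
  install_forward_rules
}

main "$@"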