Created
March 16, 2023 21:03
-
-
Save noize-e/3c657be5fb71cd61409973ffc213d38c to your computer and use it in GitHub Desktop.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| set -o nounset | |
| set -o pipefail | |
| PATH="/sbin" | |
| EXT=enp3s0 | |
| INT_NET=192.168.0.0/24 | |
| echo "Flushing rules" | |
| iptables -F | |
| iptables -t nat -F | |
| iptables -t mangle -F | |
| iptables -X | |
| iptables -Z | |
| iptables -P INPUT DROP | |
| iptables -P FORWARD DROP | |
| echo "Allow loopback" | |
| iptables -A INPUT -i lo -j ACCEPT | |
| iptables -A OUTPUT -o lo -j ACCEPT | |
| echo "Drop invalid states" | |
| iptables -A INPUT -m conntrack --ctstate INVALID -j DROP | |
| iptables -A OUTPUT -m conntrack --ctstate INVALID -j DROP | |
| iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP | |
| echo "Allow established and related connections" | |
| iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT | |
| iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT | |
| iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT | |
| echo "Allow ping replies" | |
| iptables -A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT | |
| echo "Allow DHCP" | |
| iptables -I INPUT -i $INT -p udp -m udp --dport 67 -m conntrack --ctstate NEW -j ACCEPT | |
| echo "Allow SSH from local Ethernet" | |
| iptables -A INPUT -i $INT -s $INT_NET -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT | |
| echo "Allow DNS (UDP and TCP for large replies)" | |
| iptables -A INPUT -i $INT -s $INT_NET -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT | |
| iptables -A INPUT -i $INT -s $INT_NET -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT | |
| echo "Allow all outgoing" | |
| iptables -A OUTPUT -o $EXT -p tcp -d 0.0.0.0/0 -j ACCEPT | |
| iptables -A OUTPUT -o $EXT -p udp -d 0.0.0.0/0 -j ACCEPT | |
| echo "Allow traffic from the firewall to local networks" | |
| iptables -A OUTPUT -o $INT -d $INT_NET -j ACCEPT | |
| echo "Enable network address translation" | |
| iptables -t nat -A POSTROUTING -o $EXT -j MASQUERADE | |
| iptables -A FORWARD -o $EXT -i $INT -s $INT_NET -m conntrack --ctstate NEW -j ACCEPT | |
| echo "Do not reply with Destination Unreachable messages" | |
| iptables -A OUTPUT -p icmp --icmp-type destination-unreachable -j DROP | |
| echo "Log all dropped packets" | |
| iptables -A INPUT -m limit --limit 3/sec -j LOG --log-level debug --log-prefix "DROPIN>" | |
| iptables -A OUTPUT -m limit --limit 3/sec -j LOG --log-level debug --log-prefix "DROPOUT>" | |
| iptables -A FORWARD -m limit --limit 3/sec -j LOG --log-level debug --log-prefix "DROPFWD>" |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment