mirror of
https://gitlab.archlinux.org/tpowa/archboot.git
synced 2024-09-19 19:40:37 +02:00
109 lines
3.5 KiB
Bash
109 lines
3.5 KiB
Bash
|
#!/bin/bash
|
||
|
|
||
|
# A Sample OpenVPN-aware firewall.
|
||
|
|
||
|
# eth0 is connected to the internet.
|
||
|
# eth1 is connected to a private subnet.
|
||
|
|
||
|
# Change this subnet to correspond to your private
|
||
|
# ethernet subnet. Home will use HOME_NET/24 and
|
||
|
# Office will use OFFICE_NET/24.
|
||
|
PRIVATE=10.0.0.0/24
|
||
|
|
||
|
# Loopback address
|
||
|
LOOP=127.0.0.1
|
||
|
|
||
|
# Delete old iptables rules
|
||
|
# and temporarily block all traffic.
|
||
|
iptables -P OUTPUT DROP
|
||
|
iptables -P INPUT DROP
|
||
|
iptables -P FORWARD DROP
|
||
|
iptables -F
|
||
|
|
||
|
# Set default policies
|
||
|
iptables -P OUTPUT ACCEPT
|
||
|
iptables -P INPUT DROP
|
||
|
iptables -P FORWARD DROP
|
||
|
|
||
|
# Prevent external packets from using loopback addr
|
||
|
iptables -A INPUT -i eth0 -s $LOOP -j DROP
|
||
|
iptables -A FORWARD -i eth0 -s $LOOP -j DROP
|
||
|
iptables -A INPUT -i eth0 -d $LOOP -j DROP
|
||
|
iptables -A FORWARD -i eth0 -d $LOOP -j DROP
|
||
|
|
||
|
# Anything coming from the Internet should have a real Internet address
|
||
|
iptables -A FORWARD -i eth0 -s 192.168.0.0/16 -j DROP
|
||
|
iptables -A FORWARD -i eth0 -s 172.16.0.0/12 -j DROP
|
||
|
iptables -A FORWARD -i eth0 -s 10.0.0.0/8 -j DROP
|
||
|
iptables -A INPUT -i eth0 -s 192.168.0.0/16 -j DROP
|
||
|
iptables -A INPUT -i eth0 -s 172.16.0.0/12 -j DROP
|
||
|
iptables -A INPUT -i eth0 -s 10.0.0.0/8 -j DROP
|
||
|
|
||
|
# Block outgoing NetBios (if you have windows machines running
|
||
|
# on the private subnet). This will not affect any NetBios
|
||
|
# traffic that flows over the VPN tunnel, but it will stop
|
||
|
# local windows machines from broadcasting themselves to
|
||
|
# the internet.
|
||
|
iptables -A FORWARD -p tcp --sport 137:139 -o eth0 -j DROP
|
||
|
iptables -A FORWARD -p udp --sport 137:139 -o eth0 -j DROP
|
||
|
iptables -A OUTPUT -p tcp --sport 137:139 -o eth0 -j DROP
|
||
|
iptables -A OUTPUT -p udp --sport 137:139 -o eth0 -j DROP
|
||
|
|
||
|
# Check source address validity on packets going out to internet
|
||
|
iptables -A FORWARD -s ! $PRIVATE -i eth1 -j DROP
|
||
|
|
||
|
# Allow local loopback
|
||
|
iptables -A INPUT -s $LOOP -j ACCEPT
|
||
|
iptables -A INPUT -d $LOOP -j ACCEPT
|
||
|
|
||
|
# Allow incoming pings (can be disabled)
|
||
|
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
|
||
|
|
||
|
# Allow services such as www and ssh (can be disabled)
|
||
|
iptables -A INPUT -p tcp --dport http -j ACCEPT
|
||
|
iptables -A INPUT -p tcp --dport ssh -j ACCEPT
|
||
|
|
||
|
# Allow incoming OpenVPN packets
|
||
|
# Duplicate the line below for each
|
||
|
# OpenVPN tunnel, changing --dport n
|
||
|
# to match the OpenVPN UDP port.
|
||
|
#
|
||
|
# In OpenVPN, the port number is
|
||
|
# controlled by the --port n option.
|
||
|
# If you put this option in the config
|
||
|
# file, you can remove the leading '--'
|
||
|
#
|
||
|
# If you taking the stateful firewall
|
||
|
# approach (see the OpenVPN HOWTO),
|
||
|
# then comment out the line below.
|
||
|
|
||
|
iptables -A INPUT -p udp --dport 1194 -j ACCEPT
|
||
|
|
||
|
# Allow packets from TUN/TAP devices.
|
||
|
# When OpenVPN is run in a secure mode,
|
||
|
# it will authenticate packets prior
|
||
|
# to their arriving on a tun or tap
|
||
|
# interface. Therefore, it is not
|
||
|
# necessary to add any filters here,
|
||
|
# unless you want to restrict the
|
||
|
# type of packets which can flow over
|
||
|
# the tunnel.
|
||
|
|
||
|
iptables -A INPUT -i tun+ -j ACCEPT
|
||
|
iptables -A FORWARD -i tun+ -j ACCEPT
|
||
|
iptables -A INPUT -i tap+ -j ACCEPT
|
||
|
iptables -A FORWARD -i tap+ -j ACCEPT
|
||
|
|
||
|
# Allow packets from private subnets
|
||
|
iptables -A INPUT -i eth1 -j ACCEPT
|
||
|
iptables -A FORWARD -i eth1 -j ACCEPT
|
||
|
|
||
|
# Keep state of connections from local machine and private subnets
|
||
|
iptables -A OUTPUT -m state --state NEW -o eth0 -j ACCEPT
|
||
|
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
|
||
|
iptables -A FORWARD -m state --state NEW -o eth0 -j ACCEPT
|
||
|
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
|
||
|
|
||
|
# Masquerade local subnet
|
||
|
iptables -t nat -A POSTROUTING -s $PRIVATE -o eth0 -j MASQUERADE
|