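#!/usr/bin/env bash
################################################################################
# FILE : yaks-apt-firewall.sh
# DESCRIPTION: Firewall script for debian-ubuntu.
# AUTHOR : SVAKSHA, http://svaksha.com/pages/Bio
# SOURCE : http://svaksha.github.io/yaksha
# COPYRIGHT© : 2005-Now SVAKSHA, All Rights Reserved.
# LICENSE : GNU AGPLv3 and subject to meeting all the terms in the LICENSE
# file: https://github.com/svaksha/yaksha/blob/master/LICENSE.md
# DATES : Created:2015nov03 - Updated:2016jan14
################################################################################
#
# Credits: The amazing Carla Schroder's IPtables script posted on the techtalk list.
# An IPtables firewall script for sharing a cable/DSL Internet connection, with no public services.
#
# Usage: run as root. The interface names can be overridden from the environment,
#   e.g.  LAN_IFACE=eth1 WAN_IFACE=ppp0 ./yaks-apt-firewall.sh
#
# NOTE: iptables manages the IPv4 tables only; IPv6 traffic is not touched here.
set -euo pipefail

# Print a message to stderr and abort with status 1.
die() { printf '%s\n' "$*" >&2; exit 1; }

# modprobe and iptables need root; fail before touching any table rather than
# leaving a half-applied ruleset behind.
(( EUID == 0 )) || die "this script must be run as root"

# define variables
readonly ipt="/sbin/iptables"
readonly mod="/sbin/modprobe"
LAN_IFACE="${LAN_IFACE:-eth0}"
WAN_IFACE="${WAN_IFACE:-wlan0}"
readonly LAN_IFACE WAN_IFACE
[[ -x "$ipt" ]] || die "iptables binary not found at $ipt"
[[ -x "$mod" ]] || die "modprobe binary not found at $mod"

# load kernel modules (best effort, as in the original: a module that is built
# into the running kernel or has been renamed only produces a warning)
modules=(ip_tables iptable_filter iptable_nat ip_conntrack ipt_LOG ipt_limit
         ipt_state iptable_mangle ipt_MASQUERADE)
for m in "${modules[@]}"; do
  "$mod" "$m" || printf 'warn: could not load kernel module %s\n' "$m" >&2
done

# Set default policies FIRST, so the host never sits with an empty rule set
# and an ACCEPT policy during the flush below.
"$ipt" -P INPUT DROP
"$ipt" -P FORWARD DROP
# OUTPUT is ACCEPT: this script does no egress filtering at all.
"$ipt" -P OUTPUT ACCEPT
"$ipt" -t nat -P OUTPUT ACCEPT
"$ipt" -t nat -P PREROUTING ACCEPT
"$ipt" -t nat -P POSTROUTING ACCEPT
"$ipt" -t mangle -P PREROUTING ACCEPT
"$ipt" -t mangle -P POSTROUTING ACCEPT

# Flush all active rules and delete all custom chains
"$ipt" -F
"$ipt" -t nat -F
"$ipt" -t mangle -F
"$ipt" -X
"$ipt" -t nat -X
"$ipt" -t mangle -X

# this line is necessary for the loopback interface
# and internal socket-based services to work correctly
"$ipt" -A INPUT -i lo -j ACCEPT

# Enable IP masquerading for everything leaving via the WAN interface
"$ipt" -t nat -A POSTROUTING -o "$WAN_IFACE" -j MASQUERADE

# Enable unrestricted outgoing traffic, incoming
# is restricted to locally-initiated sessions only.
# The two FORWARD rules must each be a single command line: WAN->LAN only for
# replies to existing sessions, LAN->WAN may open new ones.
"$ipt" -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
"$ipt" -A FORWARD -i "$WAN_IFACE" -o "$LAN_IFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT
"$ipt" -A FORWARD -i "$LAN_IFACE" -o "$WAN_IFACE" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Accept ICMP echo-request and time-exceeded (accepted on every interface and
# unthrottled, so the host answers pings from the WAN side as well)
"$ipt" -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
"$ipt" -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
"$ipt" -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT

# Reject connection attempts not initiated from inside the LAN
# (explicit, even though the INPUT DROP policy already covers them)
"$ipt" -A INPUT -p tcp --syn -j DROP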