#-------------------------------MODULES-------------------------------------
#Load Mdules
/sbin/modprobe ip_tables
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_MASQUERADE
/sbin/modprobe ipt_state
/sbin/modprobe ip_conntrack
#Enable passive ftp
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_nat_irc
/sbin/modprobe ip_conntrack_irc
#---------------------------------------------------------------------------
#----------------------------INTERFACES-------------------------------------
#Interface Definitions
int_nic="eth1"
ext_nic="eth0"
anywhere="0.0.0.0/0"
lan="192.168.1.0/24"
ext_ip="6x.x.x.4"
dns1="1x.x2.xx7.1xx"
dns2="2xx.5x.2x.5x"
#----------------------------FLUSH POLICIES AND RULES------------------------
#Clear out any existing firewall rules
/sbin/iptables -F
/sbin/iptables -F INPUT
/sbin/iptables -F OUTPUT
/sbin/iptables -F FORWARD
/sbin/iptables -F -t mangle
/sbin/iptables -F -t nat
/sbin/iptables -X -t nat
/sbin/iptables -X -t mangle
/sbin/iptables -X
#-------------------------------------------------------------------------------------------
#----------------------------BASIC SECURITY RESTRICTIONS------------------------------------
#Enable ip forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
#Disabling IP Spoofing attacks
echo 2 > /proc/sys/net/ipv4/conf/all/rp_filter
#Don't respond to broadcast pings
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
#Block source routing
echo 0 >/proc/sys/net/ipv4/conf/all/accept_source_route
#Kill timestamps. These have been the subject of a recent bugtraq
#thread
echo 0 > /proc/sys/net/ipv4/tcp_timestamps
#Enable SYN Cookies
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
#Kill ICMP redirects
echo 0 >/proc/sys/net/ipv4/conf/all/accept_redirects
#Enable bad error message protection
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
#Allow dynamic ip addresses
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
#Log martians (packets with impossible addresses)
#RiVaL said that certain NICs don't like this. Comment out if necessary.
# echo 1 >/proc/sys/net/ipv4/conf/all/log_martians
#Set out local port range
echo "32768 61000" >/proc/sys/net/ipv4/ip_local_port_range
#PING OF DEATH
/sbin/iptables -A FORWARD -p icmp --icmp-type 8 -m limit --limit 3/second -j ACCEPT
#SYN-FLOOD PROTECTION
/sbin/iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
#------------------------------------------------------------------------------
#---------------------------DENIAL OF SERVICE-----------------------------------
#Reduce DoS'ing ability by timeouts
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_time
echo 1 > /proc/sys/net/ipv4/tcp_window_scaling
echo 0 > /proc/sys/net/ipv4/tcp_sack
echo 1280 > /proc/sys/net/ipv4/tcp_max_syn_backlog
#---------------------------------------------------------------------------------------------------
#---------------------------FIREWALL POLICIES AND TRAFFIC DETAILS-----------------------------------
#Default POLICIES
/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -P FORWARD DROP
#LOOPBACK ALLOW TRAFFIC ON THE LOOPBACK INTERFACE
/sbin/iptables -A INPUT -i lo -j ACCEPT
#ALLOW ESTABLISHED AND RELATED TRAFFIC
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#Allow every traffic from local lan
/sbin/iptables -A INPUT -s $lan -p all -j ACCEPT
/sbin/iptables -A FORWARD -s $lan -p all -j ACCEPT
#Masquerade all internal traffic reaching external world
/sbin/iptables -t nat -A POSTROUTING -s $lan -d ! 192.168.1.0/24 -j MASQUERADE
#----------------------------------------------------------------------------------------------------
/sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
#--------------------------ICMP CONNECTIONS----------------------------------------------------------
#Allow and Accept icmp traffic with restrictions
/sbin/iptables -A INPUT -p 1 -s $lan -j ACCEPT
/sbin/iptables -A INPUT -p 1 -d $ext_ip --icmp-type 8 -j DROP
#--------------------------TCP CONNECTIONS------------------------------------
#Allow access to SSH from outside when required
/sbin/iptables -A INPUT -p tcp -s $anywhere -d $ext_ip --dport 222 -m limit -j ACCEPT
#------------------------------UDP CONNECTIONS----------------------------------------------------------
/sbin/iptables -A INPUT -p tcp -s $dns1 -d $ext_ip --dport 53 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -s $dns2 -d $ext_ip --dport 53 -j ACCEPT
/sbin/iptables -A INPUT -p udp -s $dns1 -d $ext_ip --dport 53 -j ACCEPT
/sbin/iptables -A INPUT -p udp -s $dns2 -d $ext_ip --dport 53 -j ACCEPT
#---------------------------------------------------------------------------------------------------------
#DNAT
# make internal mail server accessbile
$IPTABLES -t nat -A PREROUTING -i eth0 -d 99.90.80.70 -p tcp --dport 25 -j DNAT --to 10.0.0.3 $IPTABLES -t nat -A PREROUTING -i eth0 -d 99.90.80.70 -p tcp --dport 110 -j DNAT --to 10.0.0.3
$IPTABLES -t nat -A PREROUTING -i eth0 -d 99.90.80.70 -p tcp --dport 80 -j DNAT --to 10.0.0.3#SNAT
# Mask the internal IP address to appear as Public IP
$IPTABLES -t nat -A POSTROUTING -o eth0 -s 10.0.0.3 -p tcp --sport 25 -j SNAT --to 99.90.80.70
$IPTABLES -t nat -A POSTROUTING -o eth0 -s 10.0.0.3 -p tcp --sport 80 -j SNAT --to 99.90.80.70
$IPTABLES -t nat -A POSTROUTING -o eth0 -s 10.0.0.3 -p tcp --sport 110 -j SNAT --to 99.90.80.70
# //Lin u x u niL