chilli.iptables

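#!/bin/sh
#
# Firewall script for ChilliSpot
# A Wireless LAN Access Point Controller
#
# Uses $EXTIF (eth0) as the external interface (Internet or intranet) and
# $INTIF (eth1) as the internal interface (access points).  tun0 is the
# tunnel interface ChilliSpot creates for captive-portal clients.
#
# SUMMARY
# * All connections originating from chilli are allowed, except to the
#   Windows/worm ports listed at the bottom.
# * Only ssh (22), http (80) and MySQL (3306) are allowed in on the external
#   interface; everything else arriving there is dropped.
# * Nothing is allowed in on the internal interface.
# * On the remaining interfaces (tun0, lo, ...) ports 22, 80, 443, 3128,
#   3306, 3990 and ICMP echo are allowed in.
# * Forwarding is allowed to and from the external interface, but disallowed
#   to and from the internal interface.
# * NAT is enabled on the external interface, and port 80 from tun0 is
#   redirected to the local transparent proxy on 3128.
#
# IPTABLES, EXTIF and INTIF may be overridden from the environment, e.g.
# "IPTABLES=echo sh chilli.iptables" prints the rules instead of loading them.
#
# Note: the web paste this was taken from had its quotes and "--" replaced by
# typographic characters; they are restored here so the script actually runs.

# Abort on the first iptables error instead of silently loading a partial
# rule set (a half-loaded chain is hard to notice and easy to misjudge).
set -e

IPTABLES="${IPTABLES:-/sbin/iptables}"
EXTIF="${EXTIF:-eth0}"
INTIF="${INTIF:-eth1}"

#######################################
# Accept new TCP connections to a port arriving on one interface.
# Arguments: $1 - interface, $2 - destination port
#######################################
accept_tcp_on() {
  "$IPTABLES" -A INPUT -i "$1" -p tcp -m tcp --dport "$2" --syn -j ACCEPT
}

#######################################
# Accept new TCP connections to a port on any interface not handled earlier.
# Arguments: $1 - destination port
#######################################
accept_tcp() {
  "$IPTABLES" -A INPUT -p tcp -m tcp --dport "$1" --syn -j ACCEPT
}

#Flush all rules
"$IPTABLES" -F
"$IPTABLES" -F -t nat
"$IPTABLES" -F -t mangle

#Set default behaviour
"$IPTABLES" -P INPUT DROP
"$IPTABLES" -P FORWARD ACCEPT
"$IPTABLES" -P OUTPUT ACCEPT

#Allow related and established on all interfaces (input)
"$IPTABLES" -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

#Allow ssh, http and MySQL on $EXTIF, then drop everything else arriving
#there.  Without the final DROP the "other interfaces" rules further down
#would also apply to $EXTIF, which the original comment ("Reject everything
#else") clearly did not intend.
#(chalee edit: 80 and 3306 added.  3306 exposes the database to whatever is
#on $EXTIF; if that is the Internet, restrict it with -s <trusted net> or
#remove it.)
accept_tcp_on "$EXTIF" 22
accept_tcp_on "$EXTIF" 80
accept_tcp_on "$EXTIF" 3306
"$IPTABLES" -A INPUT -i "$EXTIF" -j DROP

#Allow related and established from $INTIF. Drop everything else.
"$IPTABLES" -A INPUT -i "$INTIF" -j DROP

#Allow http and https on other interfaces (input).
#This is only needed if authentication server is on same server as chilli
accept_tcp 80
accept_tcp 443

#Allow ChilliSpot's UAM port (3990), the proxy (3128), MySQL and ssh on other
#interfaces (chalee edit).  With $EXTIF and $INTIF handled above, "other"
#means tun0 and lo.  The proxy rule also admits the port-80 traffic that the
#nat REDIRECT below sends to 3128 (the original listed this rule twice).
accept_tcp 3990
accept_tcp 3128
accept_tcp 3306
accept_tcp 22

#Allow ICMP echo on other interfaces (input).
"$IPTABLES" -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

#Allow everything on loopback interface.
"$IPTABLES" -A INPUT -i lo -j ACCEPT

##Transparent proxy (wiboon)
#The nat table only sees the first packet of a connection, which is what the
#--syn match spells out.  Clients on tun0 may not connect to the proxy port
#directly; their port-80 traffic is redirected to it instead, except for
#private (RFC 1918) destinations, which are reached directly.
"$IPTABLES" -t nat -A PREROUTING -i tun0 -p tcp -m tcp --dport 3128 --syn -j DROP
for net in 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8; do
  "$IPTABLES" -t nat -A PREROUTING -i tun0 -p tcp -m tcp -d "$net" --dport 80 -j RETURN
done
"$IPTABLES" -t nat -A PREROUTING -i tun0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128

# Drop everything to and from $INTIF (forward)
# This means that access points can only be managed from ChilliSpot
"$IPTABLES" -A FORWARD -i "$INTIF" -j DROP
"$IPTABLES" -A FORWARD -o "$INTIF" -j DROP

#Enable NAT on output device
"$IPTABLES" -t nat -A POSTROUTING -o "$EXTIF" -j MASQUERADE

# Drop worm/Windows-service ports in both directions (chalee).  The INPUT
# policy is already DROP and these rules sit after every ACCEPT, so the INPUT
# half only matters if the policy is changed later; the OUTPUT half stops the
# box itself from reaching those ports (OUTPUT policy is ACCEPT).  The
# original list lacked udp/139 on OUTPUT; it is included here so both halves
# match.
for port in 135 445 4444 5554 9996 137 138 139; do
  for proto in tcp udp; do
    "$IPTABLES" -A INPUT -p "$proto" --dport "$port" -j DROP
    "$IPTABLES" -A OUTPUT -p "$proto" --dport "$port" -j DROP
  done
done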

อ้างถึง http://www.linuxthai.org
