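#!/bin/sh
# A Sample OpenVPN-aware firewall.
#
# Usage: run as root (e.g. from an init script). The filter and nat
# tables are flushed and rebuilt from scratch, so re-running is safe.
#
# Environment (all optional; defaults reproduce the classic sample):
#   WAN_IF        interface connected to the internet        (eth0)
#   LAN_IF        interface connected to a private subnet    (eth1)
#   PRIVATE       the private ethernet subnet, in CIDR form  (10.0.0.0/24)
#                 Home will use HOME_NET/24 and Office will use OFFICE_NET/24.
#   OPENVPN_PORT  UDP port the OpenVPN server listens on     (1194)
set -eu

WAN_IF=${WAN_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}
PRIVATE=${PRIVATE:-10.0.0.0/24}
OPENVPN_PORT=${OPENVPN_PORT:-1194}
# Loopback address
LOOP=127.0.0.1

# Delete old iptables rules and temporarily block all traffic.
# Policies are set to DROP *before* the flush so there is no window in
# which the old rules are gone but the host is still open.
iptables -P OUTPUT DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -F
# The MASQUERADE rule at the bottom lives in the nat table; flush it as
# well, otherwise every re-run appends a duplicate rule there.
iptables -t nat -F

# Set default policies
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP

# Prevent external packets from using loopback addr
iptables -A INPUT -i "$WAN_IF" -s "$LOOP" -j DROP
iptables -A FORWARD -i "$WAN_IF" -s "$LOOP" -j DROP
iptables -A INPUT -i "$WAN_IF" -d "$LOOP" -j DROP
iptables -A FORWARD -i "$WAN_IF" -d "$LOOP" -j DROP

# Anything coming from the Internet should have a real Internet address
# (RFC 1918 space is dropped on the WAN side; note 10.0.0.0/8 also covers
# the default PRIVATE subnet, which must only ever appear on LAN_IF).
iptables -A FORWARD -i "$WAN_IF" -s 192.168.0.0/16 -j DROP
iptables -A FORWARD -i "$WAN_IF" -s 172.16.0.0/12 -j DROP
iptables -A FORWARD -i "$WAN_IF" -s 10.0.0.0/8 -j DROP
iptables -A INPUT -i "$WAN_IF" -s 192.168.0.0/16 -j DROP
iptables -A INPUT -i "$WAN_IF" -s 172.16.0.0/12 -j DROP
iptables -A INPUT -i "$WAN_IF" -s 10.0.0.0/8 -j DROP

# Block outgoing NetBios (if you have windows machines running
# on the private subnet). This will not affect any NetBios
# traffic that flows over the VPN tunnel, but it will stop
# local windows machines from broadcasting themselves to
# the internet.
iptables -A FORWARD -p tcp --sport 137:139 -o "$WAN_IF" -j DROP
iptables -A FORWARD -p udp --sport 137:139 -o "$WAN_IF" -j DROP
iptables -A OUTPUT -p tcp --sport 137:139 -o "$WAN_IF" -j DROP
iptables -A OUTPUT -p udp --sport 137:139 -o "$WAN_IF" -j DROP

# Check source address validity on packets going out to internet.
# The negation goes before the option ("! -s"); the older "-s ! addr"
# spelling is rejected by current iptables releases.
iptables -A FORWARD ! -s "$PRIVATE" -i "$LAN_IF" -j DROP

# Allow local loopback. The rules are tied to the lo interface so a
# packet arriving on LAN_IF with a loopback source or destination cannot
# match them (the spoof rules above only cover WAN_IF).
iptables -A INPUT -i lo -s "$LOOP" -j ACCEPT
iptables -A INPUT -i lo -d "$LOOP" -j ACCEPT

# Allow incoming pings (can be disabled)
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

# Allow services such as www and ssh (can be disabled).
# These accept from any interface, including WAN_IF; remove or restrict
# them (e.g. add -i "$LAN_IF") if the box should not expose them.
iptables -A INPUT -p tcp --dport http -j ACCEPT
iptables -A INPUT -p tcp --dport ssh -j ACCEPT

# Allow incoming OpenVPN packets
# Duplicate the line below for each
# OpenVPN tunnel, changing the port
# to match the OpenVPN UDP port.
#
# In OpenVPN, the port number is
# controlled by the --port n option.
# If you put this option in the config
# file, you can remove the leading '--'
#
# If you are taking the stateful firewall
# approach (see the OpenVPN HOWTO),
# then comment out the line below.
iptables -A INPUT -p udp --dport "$OPENVPN_PORT" -j ACCEPT

# Allow packets from TUN/TAP devices.
# When OpenVPN is run in a secure mode,
# it will authenticate packets prior
# to their arriving on a tun or tap
# interface. Therefore, it is not
# necessary to add any filters here,
# unless you want to restrict the
# type of packets which can flow over
# the tunnel.
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A INPUT -i tap+ -j ACCEPT
iptables -A FORWARD -i tap+ -j ACCEPT

# Allow packets from private subnets
iptables -A INPUT -i "$LAN_IF" -j ACCEPT
iptables -A FORWARD -i "$LAN_IF" -j ACCEPT

# Keep state of connections from local machine and private subnets
iptables -A OUTPUT -m state --state NEW -o "$WAN_IF" -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state NEW -o "$WAN_IF" -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Masquerade local subnet
iptables -t nat -A POSTROUTING -s "$PRIVATE" -o "$WAN_IF" -j MASQUERADE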