Iptables-vpn-template

  • cat /etc/firewall
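#!/bin/bash
# /etc/firewall -- iptables rule set for a gateway that forwards LAN traffic
# into an IPsec-protected VPN and masquerades everything else to the WAN.
#
# Usage: /etc/firewall start|stop
#   start  flush filter/nat tables, set DROP policies, load the rule set
#   stop   flush filter/nat tables and fall back to ACCEPT policies
#          (note: after "stop" the host accepts and forwards everything)
#
# Must run as root; every step calls iptables directly and each call is
# left unchecked, so a failing rule only shows up in iptables' own stderr.
WANDEV="ens3"              # interface towards the internet
LANDEV="ens6"              # interface towards the local network
LAN="10.9.8.0/24"          # local network behind this gateway
VPNNET="10.76.76.0/24"     # remote network reached through the IPsec tunnel
WANIP="94.130.248.217"     # public address used as SNAT source for LAN traffic

#######################################
# Flush all rules in the filter and nat tables (user-defined chains and
# policies are left as they are).
#######################################
flush_rules() {
  iptables -F
  iptables -F -t nat
}

#######################################
# Load the full rule set with default-deny policies.
# Globals: WANDEV, LANDEV, LAN, VPNNET, WANIP (read)
#######################################
start_firewall() {
  echo "starte firewall"
  flush_rules

  # Policies are switched to DROP before the ESTABLISHED,RELATED rules
  # below exist, so already-open sessions see a short window in which
  # their packets are dropped (TCP retransmits, sessions are not closed).
  iptables -P INPUT DROP
  iptables -P OUTPUT DROP
  iptables -P FORWARD DROP

  # Stateful baseline: replies to already-accepted traffic and loopback.
  iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A OUTPUT -o lo -j ACCEPT
  iptables -A INPUT -i lo -j ACCEPT

  # The gateway itself may open any outbound connection.
  iptables -A OUTPUT -m state --state NEW -j ACCEPT

  # LAN <-> VPN forwarding is only accepted when the packet is (or will be)
  # carried inside an IPsec policy; cleartext traffic between the two
  # networks falls through to the FORWARD LOG rule and the DROP policy.
  iptables -A FORWARD -i "$LANDEV" -o "$WANDEV" -s "$LAN" -d "$VPNNET" \
    -m policy --dir out --pol ipsec -m state --state NEW -j ACCEPT
  iptables -A FORWARD -i "$WANDEV" -o "$LANDEV" -s "$VPNNET" -d "$LAN" \
    -m policy --dir in --pol ipsec -m state --state NEW -j ACCEPT

  # Services reachable from the WAN: IKE (500/4500), L2TP (1701), ESP and
  # port 8472 on both tcp and udp. No source restriction is applied here.
  iptables -A INPUT -m state -i "$WANDEV" --state NEW -p tcp --dport 8472 -j ACCEPT
  iptables -A INPUT -m state -i "$WANDEV" --state NEW -p udp \
    -m multiport --dport 500,4500,1701,8472 -j ACCEPT
  iptables -A INPUT -m state -i "$WANDEV" --state NEW -p esp -j ACCEPT

  # Anything new from the LAN side may talk to the gateway itself.
  iptables -A INPUT -m state -i "$LANDEV" --state NEW -j ACCEPT

  # NAT: LAN -> VPN keeps its source address (RETURN before the SNAT rule);
  # all other LAN traffic leaves with the public address.
  iptables -t nat -A POSTROUTING -s "$LAN" -d "$VPNNET" -j RETURN
  iptables -t nat -A POSTROUTING -s "$LAN" -j SNAT --to "$WANIP"

  # Last rule of each chain: log what is about to hit the DROP policy.
  # (In OUTPUT only INVALID packets get this far, since NEW and
  # ESTABLISHED,RELATED are accepted above.) The rules are not rate
  # limited, so a packet flood translates directly into log volume;
  # add "-m limit" in front of "-j LOG" if that becomes a problem.
  iptables -A INPUT  -j LOG  --log-prefix "--iptables-in--"
  iptables -A OUTPUT -j LOG  --log-prefix "--iptables-out--"
  iptables -A FORWARD -j LOG --log-prefix "--iptables-for--"
}

#######################################
# Remove all rules and open every chain (ACCEPT policies).
#######################################
stop_firewall() {
  echo "stoppe firewall"
  flush_rules
  iptables -P INPUT ACCEPT
  iptables -P OUTPUT ACCEPT
  iptables -P FORWARD ACCEPT
}

case "$1" in
  start)
    start_firewall
    ;;
  stop)
    stop_firewall
    ;;
  *)
    # Previously an unknown or missing argument did nothing and exited 0,
    # which silently leaves the firewall in whatever state it was in.
    printf 'Usage: %s {start|stop}\n' "$0" >&2
    exit 1
    ;;
esac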