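#!/bin/bash
#
# Gateway firewall. Builds the iptables filter and nat tables from scratch:
# DROP policy on INPUT/OUTPUT/FORWARD, explicit port allow-lists, address
# allow/deny lists read from files in /etc/rc.d, PPTP DNAT, transparent
# squid redirect and masquerading.
#
# The script deliberately has no `set -e`: with the DROP policies already
# applied, aborting on a failed modprobe or rule would leave the chains
# half-built and the host cut off.
#
# Ordering: `-A` appends to the end of a chain, `-I` inserts at the head, so
# every rule added with `-I` (the address lists) is evaluated before every
# appended ACCEPT, whatever its position in this file.

#########################
### Variables ###
#########################
### iptables binary
readonly IPTABLES="/sbin/iptables"
### Interfaces: eth0 is masqueraded toward the Internet, eth1 is the LAN
### (its port 80 traffic is redirected to squid and it is trusted on INPUT).
### Edit here rather than in the rules below.
readonly WAN_IF="eth0"
readonly LAN_IF="eth1"
### Public address of this gateway and the LAN host that receives the PPTP
### DNAT. "xxx.xxx.xxx.xxx" is a placeholder: iptables rejects the NAT rules
### below until it is replaced by a real address.
readonly PUBLIC_IP="xxx.xxx.xxx.xxx"
readonly PPTP_SERVER="192.168.110.8"
### Directory holding the address list files. Each file holds addresses or
### CIDRs separated by whitespace; lines starting with '#' are comments.
readonly LIST_DIR="/etc/rc.d"
### Variables for input tcp & udp ports (input)
readonly INPUT_TCP_PORTS="43,53,80,3128,443,1194,1197,1198,1723,5001,5080"
readonly INPUT_UDP_PORTS="21,43,22,53,3128,80,1194,1197,1198,1723,5001"
### Variables for forward tcp & udp ports (forward)
readonly FORWARD_TCP_PORTS="21,43,25,53,80,143,443,465,587,993,5938,8081,9003,3389,1194"
readonly FORWARD_UDP_PORTS="20,43,21,53,123,1723,8081,3389,69,87,1194,5080,5938,8000"
### multiport accepts at most 15 ports per rule, hence the split TCP lists
readonly ADD_FORWARD_TCP_PORTS="9,20,23,69,110,123,995,1024,1723,33899,5190,8000,8080,9443,7002"
readonly ADD_FORWARD_TCP_PORTS_2="9000,49154"
### Variables for output tcp & udp ports (output)
readonly OUTPUT_TCP_PORTS="43,53,80,443,8081,8080,1723,1194,1197,1198,5080"
readonly OUTPUT_UDP_PORTS="43,53,80,1723,8080,8081,443,1194,1197,1198"

#######################################
# Print the entries of an address list file, one per line.
# Lines starting with '#' are dropped; the rest is split on whitespace, so a
# line may hold several entries and blank lines yield nothing (the same
# tokens the former unquoted `for x in $(grep ...)` produced). Entries are
# not validated here; iptables rejects anything that is not an address/CIDR.
# Arguments: $1 - path of the list file
# Outputs:   entries on stdout, nothing when the file does not exist
# Returns:   0
#######################################
list_entries() {
  local file=$1
  [[ -f "$file" ]] || return 0
  awk '!/^#/ { for (i = 1; i <= NF; i++) print $i }' "$file"
  return 0
}

#######################################
# Add one iptables rule per entry of a list file.
# Globals:   IPTABLES (read)
# Arguments: $1 - list file
#            $2 - match flag the entry is given to (-s or -d)
#            $3 - jump target (ACCEPT or DROP)
#            $@ - remaining args go first on the iptables command line
#                 (e.g. "-I FORWARD" or "-t nat -A PREROUTING")
# Example:   rule_per_entry /etc/rc.d/bad.ip -s DROP -I FORWARD
#            runs  iptables -I FORWARD -s <entry> -j DROP  for each entry
# Returns:   0; a rejected entry is reported on stderr by iptables itself
#            and does not stop the remaining entries
#######################################
rule_per_entry() {
  local file=$1 flag=$2 target=$3
  shift 3
  local entry
  while IFS= read -r entry; do
    "$IPTABLES" "$@" "$flag" "$entry" -j "$target"
  done < <(list_entries "$file")
  return 0
}

################
### Flushing ###
################
"$IPTABLES" -F
"$IPTABLES" -t nat -F
"$IPTABLES" -t mangle -F
"$IPTABLES" -X
"$IPTABLES" -t nat -X
"$IPTABLES" -t mangle -X
########################
### LOADING MODULES ###
########################
### Legacy module names (ip_conntrack, ipt_state, ...). On current kernels
### several of them no longer exist and modprobe prints an error; that is
### harmless, the current modules are normally autoloaded by the rules that
### need them.
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state
/sbin/modprobe ipt_owner
/sbin/modprobe ipt_REJECT
/sbin/modprobe ipt_MASQUERADE
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_nat_irc
/sbin/modprobe ip_gre
/sbin/modprobe ip_nat_pptp
###########################################################
### DROP ALL POLICY ###
###########################################################
### Everything not explicitly accepted below is dropped. From here on the
### host has no connectivity (not even loopback, see the end of the file)
### until the rules are in place.
"$IPTABLES" -P INPUT DROP
"$IPTABLES" -P OUTPUT DROP
"$IPTABLES" -P FORWARD DROP
###########################################################################################
### INPUT: connections from the Internet to this host. New connections are allowed only #
### to the listed ports; replies to connections the host started are allowed by state. #
###########################################################################################
"$IPTABLES" -A INPUT -p tcp -m multiport --dports "$INPUT_TCP_PORTS" -j ACCEPT
"$IPTABLES" -A INPUT -p udp -m multiport --dports "$INPUT_UDP_PORTS" -j ACCEPT
"$IPTABLES" -A INPUT -p all -m state --state ESTABLISHED,RELATED -j ACCEPT
### Drop "bad" input ip. File "/etc/rc.d/bad_input.ip". Inserted at the head,
### so these win over every ACCEPT in this chain, including the tunnel and
### LAN rules further down.
rule_per_entry "$LIST_DIR/bad_input.ip" -s DROP -I INPUT
### Accept ping (all ICMP types, not only echo)
"$IPTABLES" -A INPUT -p icmp -j ACCEPT
### Rules for openvpn: anything arriving on a tunnel or bond interface
"$IPTABLES" -A INPUT -i tun+ -j ACCEPT
"$IPTABLES" -A INPUT -i tap+ -j ACCEPT
"$IPTABLES" -A INPUT -i bond+ -j ACCEPT
### Drop invalid packets (ones conntrack cannot associate with any flow)
"$IPTABLES" -A INPUT -m state --state INVALID -j DROP
###########################################################################################
### FORWARD: traffic routed through this host. The port rules are not bound to an #
### interface or direction, so they also admit new connections toward any DNAT'ed LAN #
### host on these ports; replies are accepted by state only in the WAN->LAN direction. #
###########################################################################################
"$IPTABLES" -A FORWARD -p tcp -m multiport --dports "$FORWARD_TCP_PORTS" -j ACCEPT
"$IPTABLES" -A FORWARD -p tcp -m multiport --dports "$ADD_FORWARD_TCP_PORTS" -j ACCEPT
"$IPTABLES" -A FORWARD -p tcp -m multiport --dports "$ADD_FORWARD_TCP_PORTS_2" -j ACCEPT
"$IPTABLES" -A FORWARD -p udp -m multiport --dports "$FORWARD_UDP_PORTS" -j ACCEPT
### NOTE(review): only WAN->LAN replies are accepted by state. Replies from
### the PPTP server toward the Internet (LAN->WAN, source port 1723, client's
### random destination port) match no rule in this chain and fall to the
### DROP policy, so the PPTP DNAT at the end of the file probably needs a
### LAN->WAN ESTABLISHED,RELATED rule as well — confirm the interface roles
### before adding it.
"$IPTABLES" -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
### ICMP echo request (8) and time exceeded (11, traceroute) through the gateway
"$IPTABLES" -A FORWARD -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
"$IPTABLES" -A FORWARD -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
### Accept pptp: GRE in both directions, TCP 1723 from the Internet to the LAN
"$IPTABLES" -A FORWARD -p gre -j ACCEPT
"$IPTABLES" -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp --dport 1723 -j ACCEPT
### Drop "bad" input ip (same file as INPUT, applied to routed traffic)
rule_per_entry "$LIST_DIR/bad_input.ip" -s DROP -I FORWARD
### Accept destination IP. File "/etc/rc.d/dest.ip"
rule_per_entry "$LIST_DIR/dest.ip" -d ACCEPT -I FORWARD
### "Bad" destination IP. File "/etc/rc.d/bad_dest.ip"
rule_per_entry "$LIST_DIR/bad_dest.ip" -d DROP -I FORWARD
#################################################################
######################################### This rule with problem#
#################################################################
### Block every network originated by the AS that hosts each site listed in
### "/etc/rc.d/bad.sites". Resolution happens at firewall load time, so it
### needs working DNS (53) and whois (tcp 43) through the OUTPUT chain, and
### the result reflects that moment's answers only.
### NOTE(review): a `!g` query to RADB returns all prefixes originated by
### the AS, so a site on shared hosting or a CDN drags its whole provider
### into the DROP list — most likely the "problem" the heading refers to.
### The address parsing also depends on nslookup's output layout and does
### not cope with IPv6 answers (splitting them on ':' yields a fragment).
if [[ -f "$LIST_DIR/bad.sites" ]]; then
  # shellcheck disable=SC2013  — sites are single tokens, word splitting is intended
  for site in $(grep -v '^#' -- "$LIST_DIR/bad.sites"); do
    # last two lines of nslookup output: the resolved address and a blank line
    # shellcheck disable=SC2046  — one iteration per address token
    for address in $(nslookup "$site" | tail -2 | awk -F ':' '{print $2}'); do
      printf '%s\n' "$address"
      # every AS that announces a route covering the address
      # shellcheck disable=SC2046
      for origin in $(whois -h whois.radb.net "$address" | awk '/origin:/ {print $2}'); do
        printf '%s\n' "$origin"
        # every prefix originated by that AS (one query per AS, not one
        # mangled query for all of them)
        # shellcheck disable=SC2046
        for net in $(whois -h whois.radb.net "!g${origin}" | grep /); do
          printf '%s\n' "$net"
          "$IPTABLES" -I FORWARD -d "$net" -j DROP
        done
      done
    done
  done
fi
### Vip users over squid. File "/etc/rc.d/vip.ip"
rule_per_entry "$LIST_DIR/vip.ip" -s ACCEPT -I FORWARD
### Bad users over squid. File "/etc/rc.d/bad.ip"
rule_per_entry "$LIST_DIR/bad.ip" -s DROP -I FORWARD
### rules for openvpn: tunnel and bond interfaces are trusted both ways
"$IPTABLES" -A FORWARD -i tun+ -j ACCEPT
"$IPTABLES" -A FORWARD -o tun+ -j ACCEPT
"$IPTABLES" -A FORWARD -i tap+ -j ACCEPT
"$IPTABLES" -A FORWARD -o tap+ -j ACCEPT
"$IPTABLES" -A FORWARD -i bond+ -j ACCEPT
"$IPTABLES" -A FORWARD -o bond+ -j ACCEPT
### drop invalid packets
"$IPTABLES" -A FORWARD -m state --state INVALID -j DROP
############################################################################################
### OUTPUT: connections from this host to the Internet. New connections are allowed only #
### to the listed ports; the rest of each flow is allowed by state. #
############################################################################################
"$IPTABLES" -A OUTPUT -p tcp -m multiport --dports "$OUTPUT_TCP_PORTS" -j ACCEPT
"$IPTABLES" -A OUTPUT -p udp -m multiport --dports "$OUTPUT_UDP_PORTS" -j ACCEPT
"$IPTABLES" -A OUTPUT -p all -m state --state ESTABLISHED,RELATED -j ACCEPT
### accept ping
"$IPTABLES" -A OUTPUT -p icmp -j ACCEPT
### rules for openvpn
"$IPTABLES" -A OUTPUT -o tun+ -j ACCEPT
"$IPTABLES" -A OUTPUT -o tap+ -j ACCEPT
"$IPTABLES" -A OUTPUT -o bond+ -j ACCEPT
##############################################################
# accept traffic to loopback and local network #
##############################################################
# Accept all from lo and to lo. Appended last, so the INVALID drops above
# are evaluated first; loopback is unreachable until these two lines run.
"$IPTABLES" -A INPUT -i lo -p all -j ACCEPT
"$IPTABLES" -A OUTPUT -o lo -p all -j ACCEPT
# Accept all from the LAN and to the LAN: every LAN host is fully trusted
# toward this gateway, only the head-inserted bad_input.ip drops override it.
"$IPTABLES" -A INPUT -i "$LAN_IF" -j ACCEPT
"$IPTABLES" -A OUTPUT -o "$LAN_IF" -j ACCEPT
#######
# NAT #
#######
### Redirect pptp (tcp 1723) arriving at the public address to the PPTP
### server. PREROUTING handles traffic from outside, the nat OUTPUT rule
### connections the gateway itself makes to its public address. The SNAT
### makes the server see this gateway as the client, so its replies come
### back through here (hairpin) at the cost of hiding the real client address.
"$IPTABLES" -t nat -A PREROUTING -p tcp -d "$PUBLIC_IP" --dport 1723 -j DNAT --to-destination "$PPTP_SERVER"
"$IPTABLES" -t nat -A POSTROUTING -p tcp --dst "$PPTP_SERVER" --dport 1723 -j SNAT --to-source "$PUBLIC_IP"
"$IPTABLES" -t nat -A OUTPUT -p tcp -d "$PUBLIC_IP" --dport 1723 -j DNAT --to-destination "$PPTP_SERVER"
### Vip users over squid. File "/etc/rc.d/vip.ip". ACCEPT in nat PREROUTING
### ends nat processing for the packet, so these sources skip the squid
### REDIRECT below and reach port 80 directly.
rule_per_entry "$LIST_DIR/vip.ip" -s ACCEPT -t nat -A PREROUTING
### Bad users over squid. File "/etc/rc.d/bad.ip". Also skipped in nat; the
### filter FORWARD chain drops them anyway.
rule_per_entry "$LIST_DIR/bad.ip" -s ACCEPT -t nat -A PREROUTING
### Redirect LAN web traffic to the squid port (networks 192.168.0.0/16 & 172.16.170.0/24)
"$IPTABLES" -t nat -A PREROUTING -i "$LAN_IF" -p tcp -m multiport --dport 80 -j REDIRECT --to-port 3128
### Masquerade everything leaving toward the Internet
"$IPTABLES" -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE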