#!/bin/sh
#set -x
# Topology this script assumes: one trusted LAN interface and one
# untrusted PPP uplink.  IFACE_INET is the name every "from the Internet"
# match below keys on; OUTSIDE_* describe the same uplink.
INSIDE_IFACE=eth0
INSIDE_IP=10.0.0.254		# currently unused
OUTSIDE_IFACE=ppp+
OUTSIDE_IP=dynamic		# no fixed address on the PPP side
IFACE_INET=ppp+

# iptables binary (absolute path: this may run with a minimal PATH).
IPT=/sbin/iptables

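#######################################
# Add a DNAT rule forwarding an inbound port on the Internet interface
# to a LAN host.
# Globals:   IPT (iptables binary), IFACE_INET (untrusted interface)
# Arguments: $1 - protocol, tcp or udp
#            $2 - destination port to match on $IFACE_INET
#            $3 - DNAT target, host[:port]
# Returns:   iptables' exit status; 2 on a usage error (nothing is added)
#######################################
# POSIX "name()" syntax: the original "function" keyword is a bashism
# that /bin/sh (dash) rejects.
forward_port() {
	if [ "$#" -ne 3 ]; then
		printf 'forward_port: expected PROTO PORT DEST, got %d argument(s)\n' "$#" >&2
		return 2
	fi
	# --dport only makes sense for the two protocols this script forwards;
	# catch a typo here instead of letting iptables fail half-way through.
	case "$1" in
		tcp|udp) ;;
		*)
			printf 'forward_port: protocol must be tcp or udp, got "%s"\n' "$1" >&2
			return 2
			;;
	esac
	"$IPT" -t nat -A PREROUTING -i "$IFACE_INET" -p "$1" --dport "$2" \
		-j DNAT --to-destination "$3"
}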

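#######################################
# Create the user-defined chains the INPUT/FORWARD rules jump to.
# Globals: IPT, IFACE_INET (read)
#######################################
make_chains() {
	# log-reject: log the packet (rate-limited to 1/s so a flood cannot
	# drown the log), then reject it -- TCP with a RST, anything else with
	# REJECT's default ICMP error.  The prefix makes the entries greppable.
	"$IPT" -N log-reject
	"$IPT" -A log-reject -m limit --limit 1/s -j LOG --log-level info \
		--log-prefix "log-reject: " --log-tcp-options --log-ip-options
	"$IPT" -A log-reject -p tcp -j REJECT --reject-with tcp-reset
	"$IPT" -A log-reject -j REJECT

	# quiet-reject: log-reject without the LOG entry.  Nothing in this
	# script jumps to it; kept for compatibility.
	"$IPT" -N quiet-reject
	"$IPT" -A quiet-reject -p tcp -j REJECT --reject-with tcp-reset
	"$IPT" -A quiet-reject -j REJECT

	# allow_related: accept packets of existing connections, plus NEW
	# connections from any interface other than the Internet one.  NEW
	# connections arriving on $IFACE_INET return to the calling chain.
	"$IPT" -N allow_related
	"$IPT" -A allow_related -m state --state ESTABLISHED,RELATED -j ACCEPT
	# "! -i" is the current negation syntax; "-i !" is the deprecated form.
	"$IPT" -A allow_related -m state --state NEW ! -i "$IFACE_INET" -j ACCEPT
}

#######################################
# Install the ruleset: filter rules, ECN workaround, NAT, port forwards.
# Globals: IPT, IFACE_INET, INSIDE_IFACE (read)
# Expects an empty ruleset (see fw_stop): "-N" fails if a chain exists
# and a second run would append every rule twice.
#######################################
fw_start() {
	make_chains

	# Everything arriving from the LAN or loopback is trusted.
	"$IPT" -A INPUT -i "$INSIDE_IFACE" -j ACCEPT
	"$IPT" -A INPUT -i lo -j ACCEPT

	"$IPT" -A INPUT -j allow_related
	"$IPT" -A FORWARD -j allow_related
	# The original sketched a "new_no_syn" chain (log + drop NEW tcp
	# without SYN) to be hooked in right after allow_related; it was never
	# enabled and is not enabled here either.

	# NOTE(review): no policy is set on INPUT or FORWARD and neither chain
	# ends in a catch-all, so traffic from $IFACE_INET that nothing below
	# matches -- TCP/UDP to ports >= 1024 other than the few rejected
	# explicitly, and protocols other than TCP/UDP -- is decided by
	# whatever policy the chain already had (ACCEPT unless something else
	# changed it).  The port forwards depend on that as well: DNATed
	# packets are NEW connections from $IFACE_INET, which allow_related
	# does not accept.  Moving to default-deny (-P INPUT DROP and
	# -P FORWARD DROP, plus explicit accepts for each forward) is the
	# recommended follow-up; it is not done here because it changes which
	# ports are reachable.

	# TCP services on this host reachable from the Internet.
	"$IPT" -A INPUT -p tcp --dport ssh -j ACCEPT
	"$IPT" -A INPUT -p tcp --dport auth -j ACCEPT	# ident, tcp/113
	# The original had a second, identical ssh ACCEPT here under the
	# comment "allow http (?)" -- a copy of the line above that opened
	# nothing.  http stays log-rejected by the <1024 rule below; to expose
	# it deliberately, add:
	#	"$IPT" -A INPUT -p tcp --dport http -j ACCEPT
	# Proxies and distcc are rejected (and logged) by name because they
	# sit above 1023 and the range rule below does not cover them.
	"$IPT" -A INPUT -p tcp --dport socks -j log-reject
	"$IPT" -A INPUT -p tcp --dport 3128 -j log-reject	# squid
	"$IPT" -A INPUT -p tcp --dport 3632 -j log-reject	# distcc
	# Every other privileged port.
	"$IPT" -A INPUT -p tcp --dport 0:1023 -j log-reject

	# Strip ECN on the way out to the "icq" netblocks of the original list,
	# presumably because hosts there mishandled ECN-marked packets.
	# (128.223.0.0/16, "uoregon", was listed as well but commented out.)
	for ecn_dst in 64.12.164.0/24 205.188.248.0/24 205.188.253.0/24; do
		"$IPT" -t mangle -A POSTROUTING -p tcp -d "$ecn_dst" -j ECN --ecn-tcp-remove
	done

	# UDP: reject squid's ICP port, one further port the original marks
	# FIXME ("unknown squid port"), then every other privileged port.
	"$IPT" -A INPUT -p udp --dport icpv2 -j log-reject
	"$IPT" -A INPUT -p udp --dport 3449 -j log-reject	# FIXME: unknown squid port
	"$IPT" -A INPUT -p udp --dport 0:1023 -j log-reject

	# ICMP: an OUTPUT rate limit was sketched in the original but never
	# enabled; no rule here touches ICMP.

	# NAT: masquerade the LAN behind this host's dynamic address.  The rule
	# is not bound to "-o $OUTSIDE_IFACE", so a forwarded packet from
	# 10.0.0.0/24 is rewritten whichever interface it leaves on.  Adding
	# -o "$OUTSIDE_IFACE" is the usual form; left as-is to keep behaviour.
	"$IPT" -t nat -I POSTROUTING -s 10.0.0.0/24 -j MASQUERADE

	# Port forwards (proto, public port, LAN host[:port]).  These are
	# DNAT-only; whether the forwarded packet is then accepted is up to
	# the FORWARD policy (see the note above).
	forward_port tcp 8080 10.0.0.1:80
	forward_port tcp 9111 10.0.0.1:9111

	# gnutella
	forward_port tcp 6346 10.0.0.1:6346
	# freenet
	forward_port tcp 28480 10.0.0.1:28480
	forward_port tcp 24383 10.0.0.1:24383
	# worms armageddon
	forward_port tcp 17010 10.0.0.246:17010
	forward_port tcp 17011 10.0.0.246:17011
	forward_port tcp 17012 10.0.0.246:17012
	forward_port tcp 1926 10.0.0.246:1926

	# (8888 -> 10.0.0.1:8888 was disabled in the original and stays so.)

	forward_port tcp 6991 10.0.0.1:6991
	forward_port udp 6991 10.0.0.1:6991
	forward_port tcp 6112 10.0.0.2:6112
	forward_port udp 6112 10.0.0.2:6112

	forward_port udp 27960 10.0.0.1:27960
	forward_port udp 27961 10.0.0.1:27961

	# mame
	forward_port udp 9000 10.0.0.1:9000

	# doom legacy
	forward_port udp 5029 10.0.0.1:5029
	# freenet
	forward_port tcp 2894 10.0.0.1:2894
	# bittorrent
	forward_port tcp 6881 10.0.0.1:6881
	# Need for Speed: Underground
	forward_port udp 3658 10.0.0.10:3658
	forward_port udp 3659 10.0.0.10:3659
	# Frequency
	forward_port udp 10075 10.0.0.10:10075
}

#######################################
# Remove everything fw_start installed: flush and delete the user chains
# of the filter, nat and mangle tables.  Built-in chain policies are not
# touched (this script never sets any).
# Globals: IPT (read)
#######################################
fw_stop() {
	for fw_table in filter nat mangle; do
		"$IPT" -t "$fw_table" -F
		"$IPT" -t "$fw_table" -X
	done
}

case "$1" in
	start)
		fw_start
		;;
	stop)
		fw_stop
		;;
	restart)
		# Same as the original "$0 stop; $0 start", without re-executing
		# the script.  There is no ruleset between the two steps.
		fw_stop
		fw_start
		;;
	*)
		# The original silently did nothing on a missing or unknown verb.
		printf 'Usage: %s {start|stop|restart}\n' "$0" >&2
		exit 2
		;;
esac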
