iptables: пример конфигурации
Представляем пример настройки iptables для разделения входящего и исходящего трафика на два канала: один канал для компьютеров (сеть «8»), другой — для телефонии (сеть «10»). Также в компьютерной сети есть несколько привилегированных пользователей, имеющих расширенные возможности при сёрфинге по просторам интернета.
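#!/bin/sh
#
# Example iptables policy for a gateway with one WAN uplink ($INTERFACE_WAN)
# and two LAN segments: an office network ("8", $INTERFACE_LAN_8) and a
# telephony network ("10", $INTERFACE_LAN_10).
#
# Outline:
#   * INPUT/OUTPUT/FORWARD default to DROP and each chain ends in a LOG rule,
#     so anything not explicitly allowed shows up in the kernel log before it
#     is dropped.  A run that aborts half-way therefore leaves the box closed,
#     not open.
#   * Office HTTP is transparently redirected to a proxy on this host (3128);
#     office HTTPS is limited to the HTTPS_allow_sites_* groups plus a few
#     third-party services (WhatsApp, Viber, fiscal operator, bank PIN pad).
#   * A few "privileged" office hosts (PRIVATE_LOCAL_IP) may also reach
#     SSH/RDP/SQL/HTTPS anywhere on the Internet.
#   * The telephony segment only exchanges SIP/RTP with the provider (TEL_IP).
#
# Must run as root.  The xxx.xxx.xxx.xxx values are placeholders.
#
# Caveats worth knowing before deploying (left as the author had them, with
# an inline note at the rule concerned):
#   - host names in the allow-lists are resolved once, when the rule is
#     added; re-run the script if a service changes address;
#   - INPUT accepts ESTABLISHED,RELATED only on the WAN interface, and
#     FORWARD only for TCP towards the office segment.

# Fail on an unset variable.  With iptables an empty expansion turns
# "-d $LIST -p tcp" into "-d -p tcp", which iptables rejects, and the rule
# is then silently missing from the policy.
set -u

IPTABLES=/sbin/iptables
MODPROBE=/sbin/modprobe

# Networks (CIDR) and the gateway's own address on each of them.
INT_NET_WAN=xxx.xxx.xxx.xxx/24
INT_NET_8=xxx.xxx.xxx.xxx/24
INT_NET_10=xxx.xxx.xxx.xxx/24
IP_WAN=xxx.xxx.xxx.xxx
IP_LAN_8=xxx.xxx.xxx.xxx
IP_LAN_10=xxx.xxx.xxx.xxx

# Office hosts with extended outbound access ("directors"), comma-separated.
# The blank before '#' matters: glued to the value, '#' is part of the word
# and the rest of the line is executed as a command instead of being a comment.
PRIVATE_LOCAL_IP=xxx.xxx.xxx.xxx,xxx.xxx.xxx.xxx # ip addresses for directors

INTERFACE_WAN=eth5
INTERFACE_LAN_8=eth0
INTERFACE_LAN_10=eth1

UNPRIVPORTS=1024:65535 # unprivileged ports (not referenced below)
ANYWHERE=any/0         # "any address" (not referenced below; iptables spells it 0/0)
MSSQL_LOCAL_SERVER=xxx.xxx.xxx.137    # not referenced below
HTTPD_MS_LOCAL_SERVER=xxx.xxx.xxx.137 # not referenced below

# Telephony provider networks reachable from the "10" segment.
TEL_IP=xxx.xxx.xxx.0/27,xxx.xxx.xxx.0/24

# Third-party endpoints allowed from the office segment.  Each value is one
# shell word (no spaces); iptables expands a comma-separated -d list into one
# rule per address when the rule is added.
# WhatsApp: tcp 5222, tcp 443, udp 3478
WHATSAPP_IP=31.13.81.48,31.13.81.53,157.240.20.51,31.13.84.48
# Viber: tcp 443 (and possibly udp 5242, 4244, 5243)
VIBER_IP=178.162.219.152,151.101.112.233,77.88.21.90,35.210.148.251,77.88.21.90,87.250.247.182,18.201.7.5,18.201.5.105,18.201.7.4,74.125.232.246,64.233.162.95,209.85.233.95
# platforma.ofd (fiscal data operator), tcp 21101
PLATFORMAOFD_IP=185.170.204.91
# Sberbank PIN pad service, tcp 670 (vendor lists 650, 666, 670)
SBER_PINPAD_IP=194.186.207.162,194.54.14.89,194.54.14.62

# Allowed HTTPS destination groups, by host name.  iptables resolves each name
# once, at rule-insert time, to whatever addresses DNS returns then; services
# behind CDNs or with many addresses are therefore only partly covered.
HTTPS_allow_sites=surgstore.ru,surgery.moscow
HTTPS_allow_sites_yandex=yandex.ru,yandex.net
HTTPS_allow_sites_google=www.google.com,google.com,maps.google.com,maps.gstatic.com,ssl.gstatic.com,fonts.gstatic.com,www.gstatic.com,clients1.google.com,tools.google.com,google.ru,csi.gstatic.com,google-analytics.com,tools.google.com
HTTPS_allow_sites_wiki=upload.wikimedia.org,wikimedia.org,ru.wikipedia.org,meta.wikimedia.org,login.wikimedia.org,www.wikidata.org,wikipedia.org,ru.wikipedia.org,wikimedia.org,ru.wikimedia.org,wikibooks.org,ru.wikibooks.org,wikidata.org
HTTPS_allow_sites_sber=online.sberbank.ru,stat.online.sberbank.ru,sberbank.ru

###### flush existing rules and set chain policies to DROP ######
echo "[+] Flushing existing iptables rules..."
$IPTABLES -F
$IPTABLES -F -t nat
$IPTABLES -X
# Default-deny on every chain; the LOG rules at the end of each chain record
# what falls through to these policies.
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

### load connection-tracking modules
# Older module names; current kernels call these nf_conntrack / nf_nat /
# nf_conntrack_ftp / nf_nat_ftp and usually load them on demand.  A failed
# modprobe is not checked here.
$MODPROBE ip_conntrack
$MODPROBE iptable_nat
$MODPROBE ip_conntrack_ftp
$MODPROBE ip_nat_ftp

###### INPUT chain ######
echo "[+] Setting up INPUT chain..."
#### loopback
$IPTABLES -A INPUT -i lo -j ACCEPT

### DNS service on the gateway's LAN addresses
$IPTABLES -A INPUT -i $INTERFACE_LAN_8 -p udp -s $INT_NET_8 -d $IP_LAN_8 --dport 53 -j ACCEPT
$IPTABLES -A INPUT -i $INTERFACE_LAN_8 -p tcp -s $INT_NET_8 -d $IP_LAN_8 --dport 53 -j ACCEPT
$IPTABLES -A INPUT -i $INTERFACE_LAN_10 -p udp -s $INT_NET_10 -d $IP_LAN_10 --dport 53 -j ACCEPT
$IPTABLES -A INPUT -i $INTERFACE_LAN_10 -p tcp -s $INT_NET_10 -d $IP_LAN_10 --dport 53 -j ACCEPT
# DNS is also accepted from the WAN side with no source restriction.  If the
# resolver on this host answers recursive queries, this exposes it to the
# Internet as an open resolver; restrict with -s $INT_NET_WAN unless the
# service is meant to be public.
$IPTABLES -A INPUT -i $INTERFACE_WAN -p udp -d $IP_WAN --dport 53 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -i $INTERFACE_WAN -p tcp -d $IP_WAN --dport 53 -m state --state NEW -j ACCEPT

### HTTP from the Internet to a local server -- kept disabled
#$IPTABLES -A INPUT -i $INTERFACE_WAN -p tcp -d $IP_WAN --dport 80 -j ACCEPT

echo "[+] Setting up INPUT SAMBA chain..."
### samba from the office segment
$IPTABLES -A INPUT -i $INTERFACE_LAN_8 -p udp -s $INT_NET_8 -d $INT_NET_8 --dport 137:138 -j ACCEPT
$IPTABLES -A INPUT -i $INTERFACE_LAN_8 -p tcp -s $INT_NET_8 -d $INT_NET_8 --dport 445 -j ACCEPT
$IPTABLES -A INPUT -i $INTERFACE_LAN_8 -p tcp -s $INT_NET_8 -d $INT_NET_8 --dport 139 -j ACCEPT

##### services on the gateway for office users (INT_NET_8)
$IPTABLES -A INPUT -i $INTERFACE_LAN_8 -p tcp -s $INT_NET_8 -d $INT_NET_8 --dport 3389 -j ACCEPT # RDP
# NOTE(review): ESTABLISHED,RELATED only -- no other rule in this chain admits
# a NEW connection to 3306, so MySQL on the gateway is effectively unreachable.
$IPTABLES -A INPUT -i $INTERFACE_LAN_8 -p tcp -s $INT_NET_8 -d $INT_NET_8 -m state --state ESTABLISHED,RELATED --dport 3306 -j ACCEPT # MySql
$IPTABLES -A INPUT -i $INTERFACE_LAN_8 -p tcp -s $INT_NET_8 -d $INT_NET_8 --dport 80 -j ACCEPT # http yum
$IPTABLES -A INPUT -i $INTERFACE_LAN_8 -p tcp -s $INT_NET_8 -d $INT_NET_8 --dport 21 -j ACCEPT # yum ftp

### local dhcpd  (67:69 also covers 69/udp = TFTP)
# No -s here: a DHCP DISCOVER presumably arrives with source 0.0.0.0, which
# is outside the LAN prefix.
$IPTABLES -A INPUT -i $INTERFACE_LAN_8 -p udp -d $IP_LAN_8 --dport 67:69 -j ACCEPT
$IPTABLES -A INPUT -i $INTERFACE_LAN_10 -p udp -d $IP_LAN_10 --dport 67:69 -j ACCEPT
# dhcp for wan
$IPTABLES -A INPUT -i $INTERFACE_WAN -p udp -s $INT_NET_WAN -d $IP_WAN --dport 67:69 -j ACCEPT
#$IPTABLES -A INPUT -i $INTERFACE_LAN_8 -p udp -s $INT_NET_8 --sport 137:139 --dport 137:139 -j ACCEPT
# Catch-all for DHCP/TFTP on every interface, WAN included, with no source check.
$IPTABLES -A INPUT -p udp --dport 67:69 -m state --state NEW -j ACCEPT

### proxy (target of the PREROUTING redirect in the nat section)
$IPTABLES -A INPUT -i $INTERFACE_LAN_8 -p tcp -s $INT_NET_8 --dport 3128 -j ACCEPT

### gpg keyserver port
$IPTABLES -A INPUT -i $INTERFACE_LAN_8 -p tcp -s $INT_NET_8 --dport 11371 -j ACCEPT # gpg port

### ssh from both LAN segments, ping from anywhere
# NOTE(review): --syn/NEW matches only the first packet of a session.  The
# only ESTABLISHED,RELATED accept in this chain is for $INTERFACE_WAN (below),
# so later packets of a LAN-originated SSH or HTTPS session to the gateway
# reach the final LOG/DROP unless another rule catches them -- confirm on a
# live box before relying on these.
$IPTABLES -A INPUT -i $INTERFACE_LAN_8 -p tcp -s $INT_NET_8 --dport 22 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -i $INTERFACE_LAN_10 -p tcp -s $INT_NET_10 --dport 22 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

### bank client ports
$IPTABLES -A INPUT -i $INTERFACE_LAN_8 -p tcp -s $INT_NET_8 --dport 443 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -i $INTERFACE_LAN_8 -p tcp -s $INT_NET_8 --dport 9443:9452 --syn -m state --state NEW -j ACCEPT

### NTP from both LAN segments (one rule per line: a second "$IPTABLES" on
### the same line is passed as an argument to the first and both rules fail)
$IPTABLES -A INPUT -i $INTERFACE_LAN_8 -p udp --dport 123 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -i $INTERFACE_LAN_10 -p udp -s $INT_NET_10 --dport 123 -m state --state NEW -j ACCEPT

### state tracking
#$IPTABLES -A INPUT -m state --state INVALID -j LOG --log-prefix "DROP INVALID " --log-ip-options --log-tcp-options
#$IPTABLES -A INPUT -m state --state INVALID -j DROP
$IPTABLES -A INPUT -i $INTERFACE_WAN -m state --state ESTABLISHED,RELATED -j ACCEPT
# DNS to the gateway from any interface and any source (see the WAN note above)
$IPTABLES -A INPUT -p tcp --dport 53 -j ACCEPT
$IPTABLES -A INPUT -p udp --dport 53 -j ACCEPT

### anti-spoofing
# Appended after the accepts above, so this screens only what they did not
# already match.  Moving it to the top of the chain would also drop the
# source-less DHCP requests accepted earlier.
$IPTABLES -A INPUT -i $INTERFACE_LAN_8 ! -s $INT_NET_8 -j LOG --log-prefix "SPOOFED PKT "
$IPTABLES -A INPUT -i $INTERFACE_LAN_8 ! -s $INT_NET_8 -j DROP
$IPTABLES -A INPUT -i $INTERFACE_LAN_10 ! -s $INT_NET_10 -j LOG --log-prefix "SPOOFED PKT "
$IPTABLES -A INPUT -i $INTERFACE_LAN_10 ! -s $INT_NET_10 -j DROP

### default INPUT LOG + DROP (explicit, in addition to the chain policy)
$IPTABLES -A INPUT ! -i lo -j LOG --log-prefix "DROP-I " --log-ip-options --log-tcp-options
$IPTABLES -A INPUT ! -i lo -j DROP

###### OUTPUT chain ######
echo "[+] Setting up OUTPUT chain..."
$IPTABLES -A OUTPUT -o lo -j ACCEPT

### the gateway itself talking to the Internet
$IPTABLES -A OUTPUT -o $INTERFACE_WAN -s $IP_WAN -p tcp --dport 80 -j ACCEPT # out packet to wan
$IPTABLES -A OUTPUT -o $INTERFACE_WAN -s $IP_WAN -p tcp --dport 443 -j ACCEPT # out packet to wan

### state tracking
$IPTABLES -A OUTPUT -m state --state INVALID -j LOG --log-prefix "DROP INVALID " --log-ip-options --log-tcp-options
$IPTABLES -A OUTPUT -m state --state INVALID -j DROP
#$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j LOG --log-prefix "out_est " --log-ip-options --log-tcp-options
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

### new outbound connections from the gateway
$IPTABLES -A OUTPUT -p tcp --dport 21 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 22 -s $INT_NET_8 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 25 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 43 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p udp -o $INTERFACE_WAN -s $INT_NET_WAN --dport 123 -m state --state NEW -j LOG --log-prefix "port_123 "
$IPTABLES -A OUTPUT -p udp -o $INTERFACE_WAN -s $INT_NET_WAN --dport 123 -m state --state NEW -j ACCEPT

## the author's comment says "WAN interface to the Internet", but the rule
## matches the telephony interface.  ESTABLISHED,RELATED is already accepted
## above, so only NEW packets with sport 80 and dport 80 can reach this DROP
## -- NOTE(review): confirm it is still wanted.
$IPTABLES -A OUTPUT -p tcp -o $INTERFACE_LAN_10 -s $INT_NET_10 --dport 80 --sport 80 -j DROP

### local dhcpd
$IPTABLES -A OUTPUT -o $INTERFACE_LAN_8 -p udp -s $IP_LAN_8 --dport 67:69 -j ACCEPT
$IPTABLES -A OUTPUT -o $INTERFACE_LAN_10 -p udp -s $IP_LAN_10 --dport 67:69 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 67:69 -m state --state NEW -j ACCEPT
# dhcp for wan
$IPTABLES -A OUTPUT -o $INTERFACE_WAN -p udp -d $INT_NET_WAN -s $IP_WAN --dport 67:69 -j ACCEPT

### local outbound DNS
$IPTABLES -A OUTPUT -o $INTERFACE_LAN_8 -p udp -d $INT_NET_8 -s $IP_LAN_8 --dport 53 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o $INTERFACE_LAN_8 -p tcp -d $INT_NET_8 -s $IP_LAN_8 --dport 53 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o $INTERFACE_LAN_10 -p udp -d $INT_NET_10 -s $IP_LAN_10 --dport 53 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o $INTERFACE_LAN_10 -p tcp -d $INT_NET_10 -s $IP_LAN_10 --dport 53 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o $INTERFACE_WAN -p udp -s $IP_WAN --dport 53 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o $INTERFACE_WAN -p tcp -s $IP_WAN --dport 53 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 9443:9452 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 11371 --syn -m state --state NEW -j ACCEPT # gpg port
$IPTABLES -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT

# additional rules for sip between the "10" and "8" segments
$IPTABLES -A OUTPUT -p tcp --dport 8080 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o $INTERFACE_LAN_8 -d $INT_NET_10 -p tcp --dport 8080 -j ACCEPT
$IPTABLES -A OUTPUT -o $INTERFACE_LAN_10 -d $INT_NET_8 -p tcp --dport 8080 -j ACCEPT

### default OUTPUT LOG; the chain policy (DROP) does the dropping
$IPTABLES -A OUTPUT ! -o lo -j LOG --log-prefix "DROP-O " --log-ip-options --log-tcp-options

###### FORWARD chain ######
echo "[+] Setting up FORWARD chain..."
### state tracking
$IPTABLES -A FORWARD -m state --state INVALID -j LOG --log-prefix "DROP INVALID " --log-ip-options --log-tcp-options
$IPTABLES -A FORWARD -m state --state INVALID -j DROP

####
# Return traffic into the office segment is accepted for TCP only.  The UDP
# flows opened further down (NTP 123, WhatsApp 3478) have no matching reply
# rule in this chain, so their answers reach the final LOG and the DROP policy.
$IPTABLES -A FORWARD -i $INTERFACE_WAN -o $INTERFACE_LAN_8 -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -o $INTERFACE_WAN -i $INTERFACE_LAN_8 -p tcp --dport 80 -j ACCEPT

###########################
# FTP forward
# NOTE(review): the first rule matches packets entering from the WAN whose
# *source* is a private office address.  No legitimate flow looks like that;
# it was probably meant as -d $PRIVATE_LOCAL_IP, and the ESTABLISHED,RELATED
# rule above already covers the return leg.
$IPTABLES -A FORWARD -i $INTERFACE_WAN -o $INTERFACE_LAN_8 -s $PRIVATE_LOCAL_IP -p tcp --dport 21 -j ACCEPT
$IPTABLES -A FORWARD -o $INTERFACE_WAN -i $INTERFACE_LAN_8 -s $PRIVATE_LOCAL_IP -p tcp --dport 21 -j ACCEPT
$IPTABLES -A FORWARD -o $INTERFACE_WAN -i $INTERFACE_LAN_8 -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
# Unsolicited inbound HTTP from the Internet into the office segment.  The nat
# table below does not DNAT anything to it, so this only matters if office
# addresses are routable from the WAN -- NOTE(review): confirm it is intended.
$IPTABLES -A FORWARD -i $INTERFACE_WAN -o $INTERFACE_LAN_8 -p tcp --dport 80 -m state --state NEW -j ACCEPT

### extended outbound access for the privileged office hosts (any destination)
$IPTABLES -A FORWARD -i $INTERFACE_LAN_8 -o $INTERFACE_WAN -s $PRIVATE_LOCAL_IP -p tcp --dport 22 -j ACCEPT # ssh
$IPTABLES -A FORWARD -i $INTERFACE_LAN_8 -o $INTERFACE_WAN -s $PRIVATE_LOCAL_IP -p tcp --dport 1433 -j ACCEPT # MSSQL
$IPTABLES -A FORWARD -i $INTERFACE_LAN_8 -o $INTERFACE_WAN -s $PRIVATE_LOCAL_IP -p tcp --dport 3306 -j ACCEPT # MySQL
$IPTABLES -A FORWARD -i $INTERFACE_LAN_8 -o $INTERFACE_WAN -s $PRIVATE_LOCAL_IP -p tcp --dport 2222 -j ACCEPT # ssh (alt port)
$IPTABLES -A FORWARD -i $INTERFACE_LAN_8 -o $INTERFACE_WAN -s $PRIVATE_LOCAL_IP -p tcp --dport 3389 -j ACCEPT # rdp
$IPTABLES -A FORWARD -i $INTERFACE_LAN_8 -o $INTERFACE_WAN -s $PRIVATE_LOCAL_IP -p tcp --dport 443 -j ACCEPT
$IPTABLES -A FORWARD -i $INTERFACE_LAN_8 -o $INTERFACE_WAN -s $PRIVATE_LOCAL_IP -p tcp --dport 9443 -j ACCEPT

### NTP for both segments
$IPTABLES -A FORWARD -o $INTERFACE_WAN -i $INTERFACE_LAN_8 -s $INT_NET_8 -p udp --dport 123 -j ACCEPT
$IPTABLES -A FORWARD -o $INTERFACE_WAN -i $INTERFACE_LAN_10 -s $INT_NET_10 -p udp --dport 123 -j ACCEPT

### HTTPS allow-list for the whole office segment
$IPTABLES -A FORWARD -i $INTERFACE_LAN_8 -o $INTERFACE_WAN -s $INT_NET_8 -p tcp --dport 443 -d $HTTPS_allow_sites -j ACCEPT
$IPTABLES -A FORWARD -i $INTERFACE_LAN_8 -o $INTERFACE_WAN -s $INT_NET_8 -p tcp --dport 443 -d $HTTPS_allow_sites_yandex -j ACCEPT
$IPTABLES -A FORWARD -i $INTERFACE_LAN_8 -o $INTERFACE_WAN -s $INT_NET_8 -p tcp --dport 443 -d $HTTPS_allow_sites_google -j ACCEPT
$IPTABLES -A FORWARD -i $INTERFACE_LAN_8 -o $INTERFACE_WAN -s $INT_NET_8 -p tcp --dport 443 -d $HTTPS_allow_sites_wiki -j ACCEPT
$IPTABLES -A FORWARD -i $INTERFACE_LAN_8 -o $INTERFACE_WAN -s $INT_NET_8 -p tcp --dport 443 -d $HTTPS_allow_sites_sber -j ACCEPT

### telephony <-> provider: SIP over tcp 5060:5070, media over udp 10000:20000
#$IPTABLES -A FORWARD -i $INTERFACE_WAN -o $INTERFACE_LAN_10 -m state --state ESTABLISHED,RELATED -s $TEL_IP -p udp --sport 5060:5062 --dport 5060:5062 -j ACCEPT
$IPTABLES -A FORWARD -i $INTERFACE_WAN -o $INTERFACE_LAN_10 -m state --state ESTABLISHED,RELATED -s $TEL_IP -p udp --sport 10000:20000 --dport 10000:20000 -j ACCEPT
#$IPTABLES -A FORWARD -i $INTERFACE_LAN_10 -o $INTERFACE_WAN -d $TEL_IP -p udp --sport 5060:5062 --dport 5060:5062 -j ACCEPT
$IPTABLES -A FORWARD -i $INTERFACE_LAN_10 -o $INTERFACE_WAN -d $TEL_IP -p udp --sport 10000:20000 --dport 10000:20000 -j ACCEPT
$IPTABLES -A FORWARD -i $INTERFACE_WAN -o $INTERFACE_LAN_10 -m state --state ESTABLISHED,RELATED -s $TEL_IP -p tcp --sport 5060:5070 --dport 5060:5070 -j ACCEPT
$IPTABLES -A FORWARD -i $INTERFACE_LAN_10 -o $INTERFACE_WAN -d $TEL_IP -p tcp --sport 5060:5070 --dport 5060:5070 -j ACCEPT

### anti-spoofing
# As in INPUT: appended after the accepts above, so it screens only what
# those did not already match.
$IPTABLES -A FORWARD -i $INTERFACE_LAN_10 ! -s $INT_NET_10 -j LOG --log-prefix "SPOOFED PKT "
$IPTABLES -A FORWARD -i $INTERFACE_LAN_10 ! -s $INT_NET_10 -j DROP
$IPTABLES -A FORWARD -i $INTERFACE_LAN_8 ! -s $INT_NET_8 -j LOG --log-prefix "SPOOFED PKT "
$IPTABLES -A FORWARD -i $INTERFACE_LAN_8 ! -s $INT_NET_8 -j DROP

### PLATFORMA_OFD
$IPTABLES -A FORWARD -i $INTERFACE_LAN_8 -o $INTERFACE_WAN -d $PLATFORMAOFD_IP -p tcp --dport 21101 -j ACCEPT

## SBER PINPAD: rules for the Sberbank PIN pad
$IPTABLES -A FORWARD -i $INTERFACE_LAN_8 -o $INTERFACE_WAN -d $SBER_PINPAD_IP -p tcp --dport 650 -j ACCEPT
$IPTABLES -A FORWARD -i $INTERFACE_LAN_8 -o $INTERFACE_WAN -d $SBER_PINPAD_IP -p tcp --dport 670 -j ACCEPT

## WhatsApp
$IPTABLES -A FORWARD -i $INTERFACE_LAN_8 -o $INTERFACE_WAN -d $WHATSAPP_IP -p tcp --dport 5222 -j ACCEPT
$IPTABLES -A FORWARD -i $INTERFACE_LAN_8 -o $INTERFACE_WAN -d $WHATSAPP_IP -p tcp --dport 443 -j ACCEPT
$IPTABLES -A FORWARD -i $INTERFACE_LAN_8 -o $INTERFACE_WAN -d $WHATSAPP_IP -p udp --dport 3478 -j ACCEPT

## viber 5242 4244 5243
#$IPTABLES -A FORWARD -i $INTERFACE_LAN_8 -o $INTERFACE_WAN -d $VIBER_IP -p tcp --dport 443 -j ACCEPT
$IPTABLES -A FORWARD -i $INTERFACE_LAN_8 -o $INTERFACE_WAN -d $VIBER_IP -p tcp --dport 1443 -j ACCEPT
$IPTABLES -A FORWARD -i $INTERFACE_LAN_8 -o $INTERFACE_WAN -d $VIBER_IP -p tcp --dport 4244 -j ACCEPT

### ping out to the Internet from either segment
$IPTABLES -A FORWARD -o $INTERFACE_WAN -p icmp --icmp-type echo-request -j ACCEPT
$IPTABLES -A FORWARD -o $INTERFACE_WAN -p icmp --icmp-type port-unreachable -j ACCEPT
#$IPTABLES -A FORWARD -o $INTERFACE_WAN -p icmp -j ACCEPT

### default FORWARD LOG; the chain policy (DROP) does the dropping
$IPTABLES -A FORWARD ! -i lo -j LOG --log-prefix "DROP-F " --log-ip-options --log-tcp-options

###### NAT rules ######
echo "[+] Setting up NAT rules..."
# Transparent proxy: office HTTP is redirected to the proxy on this host,
# port 3128 (accepted in INPUT above).  Only port 80 is intercepted; HTTPS is
# governed by the FORWARD allow-lists.
###$IPTABLES -t nat -A PREROUTING -i $INTERFACE_LAN_8 -s $INT_NET_8 -p tcp --dport 80 -j LOG --log-prefix "pre_eht0_to_proxy "
$IPTABLES -t nat -A PREROUTING -i $INTERFACE_LAN_8 -s $INT_NET_8 -p tcp --dport 80 -j DNAT --to $IP_LAN_8:3128
# Source NAT for both segments towards the uplink.
$IPTABLES -t nat -A POSTROUTING -s $INT_NET_8 -o $INTERFACE_WAN -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -s $INT_NET_10 -o $INTERFACE_WAN -j MASQUERADE

echo "[+] Enabling IP forwarding..."
echo 1 > /proc/sys/net/ipv4/ip_forward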
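#!/bin/sh
#
# Example iptables policy for a gateway with one WAN uplink ($INTERFACE_WAN)
# and two LAN segments: an office network ("8", $INTERFACE_LAN_8) and a
# telephony network ("10", $INTERFACE_LAN_10).
#
# Outline:
#   * INPUT/OUTPUT/FORWARD default to DROP and each chain ends in a LOG rule,
#     so anything not explicitly allowed shows up in the kernel log before it
#     is dropped.  A run that aborts half-way therefore leaves the box closed,
#     not open.
#   * Office HTTP is transparently redirected to a proxy on this host (3128);
#     office HTTPS is limited to the HTTPS_allow_sites_* groups plus a few
#     third-party services (WhatsApp, Viber, fiscal operator, bank PIN pad).
#   * A few "privileged" office hosts (PRIVATE_LOCAL_IP) may also reach
#     SSH/RDP/SQL/HTTPS anywhere on the Internet.
#   * The telephony segment only exchanges SIP/RTP with the provider (TEL_IP).
#
# Must run as root.  The xxx.xxx.xxx.xxx values are placeholders.
#
# Caveats worth knowing before deploying (left as the author had them, with
# an inline note at the rule concerned):
#   - host names in the allow-lists are resolved once, when the rule is
#     added; re-run the script if a service changes address;
#   - INPUT accepts ESTABLISHED,RELATED only on the WAN interface, and
#     FORWARD only for TCP towards the office segment.

# Fail on an unset variable.  With iptables an empty expansion turns
# "-d $LIST -p tcp" into "-d -p tcp", which iptables rejects, and the rule
# is then silently missing from the policy.
set -u

IPTABLES=/sbin/iptables
MODPROBE=/sbin/modprobe

# Networks (CIDR) and the gateway's own address on each of them.
INT_NET_WAN=xxx.xxx.xxx.xxx/24
INT_NET_8=xxx.xxx.xxx.xxx/24
INT_NET_10=xxx.xxx.xxx.xxx/24
IP_WAN=xxx.xxx.xxx.xxx
IP_LAN_8=xxx.xxx.xxx.xxx
IP_LAN_10=xxx.xxx.xxx.xxx

# Office hosts with extended outbound access ("directors"), comma-separated.
# The blank before '#' matters: glued to the value, '#' is part of the word
# and the rest of the line is executed as a command instead of being a comment.
PRIVATE_LOCAL_IP=xxx.xxx.xxx.xxx,xxx.xxx.xxx.xxx # ip addresses for directors

INTERFACE_WAN=eth5
INTERFACE_LAN_8=eth0
INTERFACE_LAN_10=eth1

UNPRIVPORTS=1024:65535 # unprivileged ports (not referenced below)
ANYWHERE=any/0         # "any address" (not referenced below; iptables spells it 0/0)
MSSQL_LOCAL_SERVER=xxx.xxx.xxx.137    # not referenced below
HTTPD_MS_LOCAL_SERVER=xxx.xxx.xxx.137 # not referenced below

# Telephony provider networks reachable from the "10" segment.
TEL_IP=xxx.xxx.xxx.0/27,xxx.xxx.xxx.0/24

# Third-party endpoints allowed from the office segment.  Each value is one
# shell word (no spaces); iptables expands a comma-separated -d list into one
# rule per address when the rule is added.
# WhatsApp: tcp 5222, tcp 443, udp 3478
WHATSAPP_IP=31.13.81.48,31.13.81.53,157.240.20.51,31.13.84.48
# Viber: tcp 443 (and possibly udp 5242, 4244, 5243)
VIBER_IP=178.162.219.152,151.101.112.233,77.88.21.90,35.210.148.251,77.88.21.90,87.250.247.182,18.201.7.5,18.201.5.105,18.201.7.4,74.125.232.246,64.233.162.95,209.85.233.95
# platforma.ofd (fiscal data operator), tcp 21101
PLATFORMAOFD_IP=185.170.204.91
# Sberbank PIN pad service, tcp 670 (vendor lists 650, 666, 670)
SBER_PINPAD_IP=194.186.207.162,194.54.14.89,194.54.14.62

# Allowed HTTPS destination groups, by host name.  iptables resolves each name
# once, at rule-insert time, to whatever addresses DNS returns then; services
# behind CDNs or with many addresses are therefore only partly covered.
HTTPS_allow_sites=surgstore.ru,surgery.moscow
HTTPS_allow_sites_yandex=yandex.ru,yandex.net
HTTPS_allow_sites_google=www.google.com,google.com,maps.google.com,maps.gstatic.com,ssl.gstatic.com,fonts.gstatic.com,www.gstatic.com,clients1.google.com,tools.google.com,google.ru,csi.gstatic.com,google-analytics.com,tools.google.com
HTTPS_allow_sites_wiki=upload.wikimedia.org,wikimedia.org,ru.wikipedia.org,meta.wikimedia.org,login.wikimedia.org,www.wikidata.org,wikipedia.org,ru.wikipedia.org,wikimedia.org,ru.wikimedia.org,wikibooks.org,ru.wikibooks.org,wikidata.org
HTTPS_allow_sites_sber=online.sberbank.ru,stat.online.sberbank.ru,sberbank.ru

###### flush existing rules and set chain policies to DROP ######
echo "[+] Flushing existing iptables rules..."
$IPTABLES -F
$IPTABLES -F -t nat
$IPTABLES -X
# Default-deny on every chain; the LOG rules at the end of each chain record
# what falls through to these policies.
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

### load connection-tracking modules
# Older module names; current kernels call these nf_conntrack / nf_nat /
# nf_conntrack_ftp / nf_nat_ftp and usually load them on demand.  A failed
# modprobe is not checked here.
$MODPROBE ip_conntrack
$MODPROBE iptable_nat
$MODPROBE ip_conntrack_ftp
$MODPROBE ip_nat_ftp

###### INPUT chain ######
echo "[+] Setting up INPUT chain..."
#### loopback
$IPTABLES -A INPUT -i lo -j ACCEPT

### DNS service on the gateway's LAN addresses
$IPTABLES -A INPUT -i $INTERFACE_LAN_8 -p udp -s $INT_NET_8 -d $IP_LAN_8 --dport 53 -j ACCEPT
$IPTABLES -A INPUT -i $INTERFACE_LAN_8 -p tcp -s $INT_NET_8 -d $IP_LAN_8 --dport 53 -j ACCEPT
$IPTABLES -A INPUT -i $INTERFACE_LAN_10 -p udp -s $INT_NET_10 -d $IP_LAN_10 --dport 53 -j ACCEPT
$IPTABLES -A INPUT -i $INTERFACE_LAN_10 -p tcp -s $INT_NET_10 -d $IP_LAN_10 --dport 53 -j ACCEPT
# DNS is also accepted from the WAN side with no source restriction.  If the
# resolver on this host answers recursive queries, this exposes it to the
# Internet as an open resolver; restrict with -s $INT_NET_WAN unless the
# service is meant to be public.
$IPTABLES -A INPUT -i $INTERFACE_WAN -p udp -d $IP_WAN --dport 53 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -i $INTERFACE_WAN -p tcp -d $IP_WAN --dport 53 -m state --state NEW -j ACCEPT

### HTTP from the Internet to a local server -- kept disabled
#$IPTABLES -A INPUT -i $INTERFACE_WAN -p tcp -d $IP_WAN --dport 80 -j ACCEPT

echo "[+] Setting up INPUT SAMBA chain..."
### samba from the office segment
$IPTABLES -A INPUT -i $INTERFACE_LAN_8 -p udp -s $INT_NET_8 -d $INT_NET_8 --dport 137:138 -j ACCEPT
$IPTABLES -A INPUT -i $INTERFACE_LAN_8 -p tcp -s $INT_NET_8 -d $INT_NET_8 --dport 445 -j ACCEPT
$IPTABLES -A INPUT -i $INTERFACE_LAN_8 -p tcp -s $INT_NET_8 -d $INT_NET_8 --dport 139 -j ACCEPT

##### services on the gateway for office users (INT_NET_8)
$IPTABLES -A INPUT -i $INTERFACE_LAN_8 -p tcp -s $INT_NET_8 -d $INT_NET_8 --dport 3389 -j ACCEPT # RDP
# NOTE(review): ESTABLISHED,RELATED only -- no other rule in this chain admits
# a NEW connection to 3306, so MySQL on the gateway is effectively unreachable.
$IPTABLES -A INPUT -i $INTERFACE_LAN_8 -p tcp -s $INT_NET_8 -d $INT_NET_8 -m state --state ESTABLISHED,RELATED --dport 3306 -j ACCEPT # MySql
$IPTABLES -A INPUT -i $INTERFACE_LAN_8 -p tcp -s $INT_NET_8 -d $INT_NET_8 --dport 80 -j ACCEPT # http yum
$IPTABLES -A INPUT -i $INTERFACE_LAN_8 -p tcp -s $INT_NET_8 -d $INT_NET_8 --dport 21 -j ACCEPT # yum ftp

### local dhcpd  (67:69 also covers 69/udp = TFTP)
# No -s here: a DHCP DISCOVER presumably arrives with source 0.0.0.0, which
# is outside the LAN prefix.
$IPTABLES -A INPUT -i $INTERFACE_LAN_8 -p udp -d $IP_LAN_8 --dport 67:69 -j ACCEPT
$IPTABLES -A INPUT -i $INTERFACE_LAN_10 -p udp -d $IP_LAN_10 --dport 67:69 -j ACCEPT
# dhcp for wan
$IPTABLES -A INPUT -i $INTERFACE_WAN -p udp -s $INT_NET_WAN -d $IP_WAN --dport 67:69 -j ACCEPT
#$IPTABLES -A INPUT -i $INTERFACE_LAN_8 -p udp -s $INT_NET_8 --sport 137:139 --dport 137:139 -j ACCEPT
# Catch-all for DHCP/TFTP on every interface, WAN included, with no source check.
$IPTABLES -A INPUT -p udp --dport 67:69 -m state --state NEW -j ACCEPT

### proxy (target of the PREROUTING redirect in the nat section)
$IPTABLES -A INPUT -i $INTERFACE_LAN_8 -p tcp -s $INT_NET_8 --dport 3128 -j ACCEPT

### gpg keyserver port
$IPTABLES -A INPUT -i $INTERFACE_LAN_8 -p tcp -s $INT_NET_8 --dport 11371 -j ACCEPT # gpg port

### ssh from both LAN segments, ping from anywhere
# NOTE(review): --syn/NEW matches only the first packet of a session.  The
# only ESTABLISHED,RELATED accept in this chain is for $INTERFACE_WAN (below),
# so later packets of a LAN-originated SSH or HTTPS session to the gateway
# reach the final LOG/DROP unless another rule catches them -- confirm on a
# live box before relying on these.
$IPTABLES -A INPUT -i $INTERFACE_LAN_8 -p tcp -s $INT_NET_8 --dport 22 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -i $INTERFACE_LAN_10 -p tcp -s $INT_NET_10 --dport 22 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

### bank client ports
$IPTABLES -A INPUT -i $INTERFACE_LAN_8 -p tcp -s $INT_NET_8 --dport 443 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -i $INTERFACE_LAN_8 -p tcp -s $INT_NET_8 --dport 9443:9452 --syn -m state --state NEW -j ACCEPT

### NTP from both LAN segments (one rule per line: a second "$IPTABLES" on
### the same line is passed as an argument to the first and both rules fail)
$IPTABLES -A INPUT -i $INTERFACE_LAN_8 -p udp --dport 123 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -i $INTERFACE_LAN_10 -p udp -s $INT_NET_10 --dport 123 -m state --state NEW -j ACCEPT

### state tracking
#$IPTABLES -A INPUT -m state --state INVALID -j LOG --log-prefix "DROP INVALID " --log-ip-options --log-tcp-options
#$IPTABLES -A INPUT -m state --state INVALID -j DROP
$IPTABLES -A INPUT -i $INTERFACE_WAN -m state --state ESTABLISHED,RELATED -j ACCEPT
# DNS to the gateway from any interface and any source (see the WAN note above)
$IPTABLES -A INPUT -p tcp --dport 53 -j ACCEPT
$IPTABLES -A INPUT -p udp --dport 53 -j ACCEPT

### anti-spoofing
# Appended after the accepts above, so this screens only what they did not
# already match.  Moving it to the top of the chain would also drop the
# source-less DHCP requests accepted earlier.
$IPTABLES -A INPUT -i $INTERFACE_LAN_8 ! -s $INT_NET_8 -j LOG --log-prefix "SPOOFED PKT "
$IPTABLES -A INPUT -i $INTERFACE_LAN_8 ! -s $INT_NET_8 -j DROP
$IPTABLES -A INPUT -i $INTERFACE_LAN_10 ! -s $INT_NET_10 -j LOG --log-prefix "SPOOFED PKT "
$IPTABLES -A INPUT -i $INTERFACE_LAN_10 ! -s $INT_NET_10 -j DROP

### default INPUT LOG + DROP (explicit, in addition to the chain policy)
$IPTABLES -A INPUT ! -i lo -j LOG --log-prefix "DROP-I " --log-ip-options --log-tcp-options
$IPTABLES -A INPUT ! -i lo -j DROP

###### OUTPUT chain ######
echo "[+] Setting up OUTPUT chain..."
$IPTABLES -A OUTPUT -o lo -j ACCEPT

### the gateway itself talking to the Internet
$IPTABLES -A OUTPUT -o $INTERFACE_WAN -s $IP_WAN -p tcp --dport 80 -j ACCEPT # out packet to wan
$IPTABLES -A OUTPUT -o $INTERFACE_WAN -s $IP_WAN -p tcp --dport 443 -j ACCEPT # out packet to wan

### state tracking
$IPTABLES -A OUTPUT -m state --state INVALID -j LOG --log-prefix "DROP INVALID " --log-ip-options --log-tcp-options
$IPTABLES -A OUTPUT -m state --state INVALID -j DROP
#$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j LOG --log-prefix "out_est " --log-ip-options --log-tcp-options
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

### new outbound connections from the gateway
$IPTABLES -A OUTPUT -p tcp --dport 21 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 22 -s $INT_NET_8 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 25 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 43 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p udp -o $INTERFACE_WAN -s $INT_NET_WAN --dport 123 -m state --state NEW -j LOG --log-prefix "port_123 "
$IPTABLES -A OUTPUT -p udp -o $INTERFACE_WAN -s $INT_NET_WAN --dport 123 -m state --state NEW -j ACCEPT

## the author's comment says "WAN interface to the Internet", but the rule
## matches the telephony interface.  ESTABLISHED,RELATED is already accepted
## above, so only NEW packets with sport 80 and dport 80 can reach this DROP
## -- NOTE(review): confirm it is still wanted.
$IPTABLES -A OUTPUT -p tcp -o $INTERFACE_LAN_10 -s $INT_NET_10 --dport 80 --sport 80 -j DROP

### local dhcpd
$IPTABLES -A OUTPUT -o $INTERFACE_LAN_8 -p udp -s $IP_LAN_8 --dport 67:69 -j ACCEPT
$IPTABLES -A OUTPUT -o $INTERFACE_LAN_10 -p udp -s $IP_LAN_10 --dport 67:69 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 67:69 -m state --state NEW -j ACCEPT
# dhcp for wan
$IPTABLES -A OUTPUT -o $INTERFACE_WAN -p udp -d $INT_NET_WAN -s $IP_WAN --dport 67:69 -j ACCEPT

### local outbound DNS
$IPTABLES -A OUTPUT -o $INTERFACE_LAN_8 -p udp -d $INT_NET_8 -s $IP_LAN_8 --dport 53 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o $INTERFACE_LAN_8 -p tcp -d $INT_NET_8 -s $IP_LAN_8 --dport 53 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o $INTERFACE_LAN_10 -p udp -d $INT_NET_10 -s $IP_LAN_10 --dport 53 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o $INTERFACE_LAN_10 -p tcp -d $INT_NET_10 -s $IP_LAN_10 --dport 53 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o $INTERFACE_WAN -p udp -s $IP_WAN --dport 53 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o $INTERFACE_WAN -p tcp -s $IP_WAN --dport 53 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 9443:9452 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 11371 --syn -m state --state NEW -j ACCEPT # gpg port
$IPTABLES -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT

# additional rules for sip between the "10" and "8" segments
$IPTABLES -A OUTPUT -p tcp --dport 8080 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o $INTERFACE_LAN_8 -d $INT_NET_10 -p tcp --dport 8080 -j ACCEPT
$IPTABLES -A OUTPUT -o $INTERFACE_LAN_10 -d $INT_NET_8 -p tcp --dport 8080 -j ACCEPT

### default OUTPUT LOG; the chain policy (DROP) does the dropping
$IPTABLES -A OUTPUT ! -o lo -j LOG --log-prefix "DROP-O " --log-ip-options --log-tcp-options

###### FORWARD chain ######
echo "[+] Setting up FORWARD chain..."
### state tracking
$IPTABLES -A FORWARD -m state --state INVALID -j LOG --log-prefix "DROP INVALID " --log-ip-options --log-tcp-options
$IPTABLES -A FORWARD -m state --state INVALID -j DROP

####
# Return traffic into the office segment is accepted for TCP only.  The UDP
# flows opened further down (NTP 123, WhatsApp 3478) have no matching reply
# rule in this chain, so their answers reach the final LOG and the DROP policy.
$IPTABLES -A FORWARD -i $INTERFACE_WAN -o $INTERFACE_LAN_8 -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -o $INTERFACE_WAN -i $INTERFACE_LAN_8 -p tcp --dport 80 -j ACCEPT

###########################
# FTP forward
# NOTE(review): the first rule matches packets entering from the WAN whose
# *source* is a private office address.  No legitimate flow looks like that;
# it was probably meant as -d $PRIVATE_LOCAL_IP, and the ESTABLISHED,RELATED
# rule above already covers the return leg.
$IPTABLES -A FORWARD -i $INTERFACE_WAN -o $INTERFACE_LAN_8 -s $PRIVATE_LOCAL_IP -p tcp --dport 21 -j ACCEPT
$IPTABLES -A FORWARD -o $INTERFACE_WAN -i $INTERFACE_LAN_8 -s $PRIVATE_LOCAL_IP -p tcp --dport 21 -j ACCEPT
$IPTABLES -A FORWARD -o $INTERFACE_WAN -i $INTERFACE_LAN_8 -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
# Unsolicited inbound HTTP from the Internet into the office segment.  The nat
# table below does not DNAT anything to it, so this only matters if office
# addresses are routable from the WAN -- NOTE(review): confirm it is intended.
$IPTABLES -A FORWARD -i $INTERFACE_WAN -o $INTERFACE_LAN_8 -p tcp --dport 80 -m state --state NEW -j ACCEPT

### extended outbound access for the privileged office hosts (any destination)
$IPTABLES -A FORWARD -i $INTERFACE_LAN_8 -o $INTERFACE_WAN -s $PRIVATE_LOCAL_IP -p tcp --dport 22 -j ACCEPT # ssh
$IPTABLES -A FORWARD -i $INTERFACE_LAN_8 -o $INTERFACE_WAN -s $PRIVATE_LOCAL_IP -p tcp --dport 1433 -j ACCEPT # MSSQL
$IPTABLES -A FORWARD -i $INTERFACE_LAN_8 -o $INTERFACE_WAN -s $PRIVATE_LOCAL_IP -p tcp --dport 3306 -j ACCEPT # MySQL
$IPTABLES -A FORWARD -i $INTERFACE_LAN_8 -o $INTERFACE_WAN -s $PRIVATE_LOCAL_IP -p tcp --dport 2222 -j ACCEPT # ssh (alt port)
$IPTABLES -A FORWARD -i $INTERFACE_LAN_8 -o $INTERFACE_WAN -s $PRIVATE_LOCAL_IP -p tcp --dport 3389 -j ACCEPT # rdp
$IPTABLES -A FORWARD -i $INTERFACE_LAN_8 -o $INTERFACE_WAN -s $PRIVATE_LOCAL_IP -p tcp --dport 443 -j ACCEPT
$IPTABLES -A FORWARD -i $INTERFACE_LAN_8 -o $INTERFACE_WAN -s $PRIVATE_LOCAL_IP -p tcp --dport 9443 -j ACCEPT

### NTP for both segments
$IPTABLES -A FORWARD -o $INTERFACE_WAN -i $INTERFACE_LAN_8 -s $INT_NET_8 -p udp --dport 123 -j ACCEPT
$IPTABLES -A FORWARD -o $INTERFACE_WAN -i $INTERFACE_LAN_10 -s $INT_NET_10 -p udp --dport 123 -j ACCEPT

### HTTPS allow-list for the whole office segment
$IPTABLES -A FORWARD -i $INTERFACE_LAN_8 -o $INTERFACE_WAN -s $INT_NET_8 -p tcp --dport 443 -d $HTTPS_allow_sites -j ACCEPT
$IPTABLES -A FORWARD -i $INTERFACE_LAN_8 -o $INTERFACE_WAN -s $INT_NET_8 -p tcp --dport 443 -d $HTTPS_allow_sites_yandex -j ACCEPT
$IPTABLES -A FORWARD -i $INTERFACE_LAN_8 -o $INTERFACE_WAN -s $INT_NET_8 -p tcp --dport 443 -d $HTTPS_allow_sites_google -j ACCEPT
$IPTABLES -A FORWARD -i $INTERFACE_LAN_8 -o $INTERFACE_WAN -s $INT_NET_8 -p tcp --dport 443 -d $HTTPS_allow_sites_wiki -j ACCEPT
$IPTABLES -A FORWARD -i $INTERFACE_LAN_8 -o $INTERFACE_WAN -s $INT_NET_8 -p tcp --dport 443 -d $HTTPS_allow_sites_sber -j ACCEPT

### telephony <-> provider: SIP over tcp 5060:5070, media over udp 10000:20000
#$IPTABLES -A FORWARD -i $INTERFACE_WAN -o $INTERFACE_LAN_10 -m state --state ESTABLISHED,RELATED -s $TEL_IP -p udp --sport 5060:5062 --dport 5060:5062 -j ACCEPT
$IPTABLES -A FORWARD -i $INTERFACE_WAN -o $INTERFACE_LAN_10 -m state --state ESTABLISHED,RELATED -s $TEL_IP -p udp --sport 10000:20000 --dport 10000:20000 -j ACCEPT
#$IPTABLES -A FORWARD -i $INTERFACE_LAN_10 -o $INTERFACE_WAN -d $TEL_IP -p udp --sport 5060:5062 --dport 5060:5062 -j ACCEPT
$IPTABLES -A FORWARD -i $INTERFACE_LAN_10 -o $INTERFACE_WAN -d $TEL_IP -p udp --sport 10000:20000 --dport 10000:20000 -j ACCEPT
$IPTABLES -A FORWARD -i $INTERFACE_WAN -o $INTERFACE_LAN_10 -m state --state ESTABLISHED,RELATED -s $TEL_IP -p tcp --sport 5060:5070 --dport 5060:5070 -j ACCEPT
$IPTABLES -A FORWARD -i $INTERFACE_LAN_10 -o $INTERFACE_WAN -d $TEL_IP -p tcp --sport 5060:5070 --dport 5060:5070 -j ACCEPT

### anti-spoofing
# As in INPUT: appended after the accepts above, so it screens only what
# those did not already match.
$IPTABLES -A FORWARD -i $INTERFACE_LAN_10 ! -s $INT_NET_10 -j LOG --log-prefix "SPOOFED PKT "
$IPTABLES -A FORWARD -i $INTERFACE_LAN_10 ! -s $INT_NET_10 -j DROP
$IPTABLES -A FORWARD -i $INTERFACE_LAN_8 ! -s $INT_NET_8 -j LOG --log-prefix "SPOOFED PKT "
$IPTABLES -A FORWARD -i $INTERFACE_LAN_8 ! -s $INT_NET_8 -j DROP

### PLATFORMA_OFD
$IPTABLES -A FORWARD -i $INTERFACE_LAN_8 -o $INTERFACE_WAN -d $PLATFORMAOFD_IP -p tcp --dport 21101 -j ACCEPT

## SBER PINPAD: rules for the Sberbank PIN pad
$IPTABLES -A FORWARD -i $INTERFACE_LAN_8 -o $INTERFACE_WAN -d $SBER_PINPAD_IP -p tcp --dport 650 -j ACCEPT
$IPTABLES -A FORWARD -i $INTERFACE_LAN_8 -o $INTERFACE_WAN -d $SBER_PINPAD_IP -p tcp --dport 670 -j ACCEPT

## WhatsApp
$IPTABLES -A FORWARD -i $INTERFACE_LAN_8 -o $INTERFACE_WAN -d $WHATSAPP_IP -p tcp --dport 5222 -j ACCEPT
$IPTABLES -A FORWARD -i $INTERFACE_LAN_8 -o $INTERFACE_WAN -d $WHATSAPP_IP -p tcp --dport 443 -j ACCEPT
$IPTABLES -A FORWARD -i $INTERFACE_LAN_8 -o $INTERFACE_WAN -d $WHATSAPP_IP -p udp --dport 3478 -j ACCEPT

## viber 5242 4244 5243
#$IPTABLES -A FORWARD -i $INTERFACE_LAN_8 -o $INTERFACE_WAN -d $VIBER_IP -p tcp --dport 443 -j ACCEPT
$IPTABLES -A FORWARD -i $INTERFACE_LAN_8 -o $INTERFACE_WAN -d $VIBER_IP -p tcp --dport 1443 -j ACCEPT
$IPTABLES -A FORWARD -i $INTERFACE_LAN_8 -o $INTERFACE_WAN -d $VIBER_IP -p tcp --dport 4244 -j ACCEPT

### ping out to the Internet from either segment
$IPTABLES -A FORWARD -o $INTERFACE_WAN -p icmp --icmp-type echo-request -j ACCEPT
$IPTABLES -A FORWARD -o $INTERFACE_WAN -p icmp --icmp-type port-unreachable -j ACCEPT
#$IPTABLES -A FORWARD -o $INTERFACE_WAN -p icmp -j ACCEPT

### default FORWARD LOG; the chain policy (DROP) does the dropping
$IPTABLES -A FORWARD ! -i lo -j LOG --log-prefix "DROP-F " --log-ip-options --log-tcp-options

###### NAT rules ######
echo "[+] Setting up NAT rules..."
# Transparent proxy: office HTTP is redirected to the proxy on this host,
# port 3128 (accepted in INPUT above).  Only port 80 is intercepted; HTTPS is
# governed by the FORWARD allow-lists.
###$IPTABLES -t nat -A PREROUTING -i $INTERFACE_LAN_8 -s $INT_NET_8 -p tcp --dport 80 -j LOG --log-prefix "pre_eht0_to_proxy "
$IPTABLES -t nat -A PREROUTING -i $INTERFACE_LAN_8 -s $INT_NET_8 -p tcp --dport 80 -j DNAT --to $IP_LAN_8:3128
# Source NAT for both segments towards the uplink.
$IPTABLES -t nat -A POSTROUTING -s $INT_NET_8 -o $INTERFACE_WAN -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -s $INT_NET_10 -o $INTERFACE_WAN -j MASQUERADE

echo "[+] Enabling IP forwarding..."
echo 1 > /proc/sys/net/ipv4/ip_forward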