User:Catrope/Sandbox

Latest IPTables Firewall:

#!/bin/sh


 * 1) 1 - VPN
 * 2) 2 - NONVPN


 * 1) eth0 - 192.168.2.0/24
 * 2) eth1 - 192.168.1.0/24
 * 3) tun0 - 10.100.10.0/24
 * 4) ppp0 -

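# Start from a known-empty ruleset: flush rules, delete user-defined chains
# and zero the counters.  The bare -F/-X/-Z forms only act on the filter
# table, so nat and mangle are cleaned explicitly as well (the original only
# flushed them, leaving any user chains and counters in those tables behind).
iptables -F
iptables -X
iptables -Z
for table in nat mangle filter; do
  iptables -t "$table" -F
  iptables -t "$table" -X
  iptables -t "$table" -Z
done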
 * 1) Flush previous rules, delete chains and reset counters

# Default chain policies: unsolicited traffic to the router itself is
# dropped, the router may originate anything, and forwarding is permitted
# unless a rule says otherwise.
# NOTE(review): because FORWARD defaults to ACCEPT, the per-subnet FORWARD
# ACCEPT rules later in this script change nothing until a terminating
# "-j DROP" is appended to FORWARD (that catch-all is commented out at the
# end of the script).
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
 * 1) Set default policies for INPUT, FORWARD and OUTPUT chains


 * 1) Anything related to the VPN allow
 * 2) iptables -A INPUT -i tun0 -j ACCEPT
 * 3) iptables -A OUTPUT -o tun0 -j ACCEPT
 * 4) iptables -A FORWARD -o tun0 -j ACCEPT

# Connection marking for policy routing (mark 0x1 = VPN, 0x2 = NONVPN, see
# the legend above).  New connections entering on each interface inherit
# that interface's mark; the router's own DNS queries are forced onto the
# VPN mark; finally the connection mark is copied onto every packet so the
# routing policy can act on it.
# NOTE(review): eth2 and eth3 are marked here but do not appear in the
# interface legend at the top of the page — confirm they exist on this box.
for entry in eth2:0x1 eth3:0x2 eth0:0x2 eth1:0x1 tun0:0x1; do
  iptables -t mangle -A PREROUTING -i "${entry%%:*}" \
    -m conntrack --ctstate NEW -j CONNMARK --set-mark "${entry##*:}"
done
# Router-originated DNS (tcp and udp port 53) always carries the VPN mark so
# resolver traffic never leaves via the ISP link.
for proto in tcp udp; do
  iptables -t mangle -A OUTPUT -p "$proto" --dport 53 -j CONNMARK --set-mark 1
done
# Copy the connection mark onto each packet: OUTPUT for locally generated
# traffic, PREROUTING for forwarded and inbound traffic.
iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
 * 1) Make sure all traffic is routed out of the correct interfaces
 * 2) also make sure DNS does not go over the ISP link, so the ISP can't see the traffic.
 * 3) (If you send from the LAN to a DNS server that is _NOT_ your router, the queries *WILL* be marked according to lines 1-4 — otherwise they follow 5-6.)

# MSS clamping for the tunnel and PPP links: outbound SYNs with an MSS in
# 1400:65495 get their MSS rewritten to the path MTU so forwarded TCP
# sessions do not stall on oversized segments.  Each rule is inserted at
# position 1 of mangle/FORWARD so it precedes everything else in that chain.
for link in tun0 ppp0; do
  iptables -t mangle -I FORWARD 1 -o "$link" -p tcp --tcp-flags SYN,RST SYN \
    -m tcpmss --mss 1400:65495 -j TCPMSS --clamp-mss-to-pmtu
done
 * 1) MTU PPP/TUN Fix:

# Admit replies to connections the router itself opened, plus flows
# conntrack classifies as related to them (for example ICMP errors).
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
 * 1) Allow inbound traffic for connections I establish.

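# Accept traffic from the trusted LAN segments, but only when it arrives on
# the interface that segment is attached to and both source and destination
# lie in that prefix — a packet carrying a LAN source address on any other
# interface does not match these rules.
# NOTE(review): the legend at the top lists eth1 as 192.168.1.0/24, whereas
# this block pairs eth1 with 192.168.3.0/24 and eth2 with 192.168.1.0/24;
# one of the two is stale — confirm against the box's actual addressing.
for entry in eth3:192.168.4.0/24 eth1:192.168.3.0/24 eth0:192.168.2.0/24 eth2:192.168.1.0/24; do
  iptables -A INPUT -i "${entry%%:*}" -s "${entry#*:}" -d "${entry#*:}" -j ACCEPT
done
# VPN peers may reach any router address.  This rule is a superset of the
# narrower "-s/-d 10.100.10.0/24" rule that used to precede it, so that one
# is dropped.
iptables -A INPUT -i tun0 -s 10.100.10.0/24 -j ACCEPT
# Loopback: match on the interface instead of resolving the name
# "localhost" at load time.  Matching -i lo alone also admits local
# connections to the router's own non-127 addresses, which travel over lo
# with the interface IP as source/destination and were dropped by the
# old "-s localhost -d localhost" rule.
iptables -A INPUT -i lo -j ACCEPT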
 * 1) Allow traffic from trusted networks

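# Allow DHCP on each LAN segment.  One rule per interface is enough: the
# original asked whether both rules were needed, and they are not —
# "udp --dport 67:68" with no destination restriction already matches the
# client broadcasts to 255.255.255.255:67 that the separate first rule
# accepted.  (Port 68 only matters if the router is itself a DHCP client on
# that interface.)
for lan in eth1 eth2 eth3; do
  iptables -A INPUT -i "$lan" -p udp --dport 67:68 -j ACCEPT
done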

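# NAT and forwarding.  Each LAN segment may open connections out through
# ppp0; reply traffic is admitted once via conntrack instead of by the four
# identical ESTABLISHED,RELATED rules the original appended after every
# segment.  Moving that rule to the front is safe because every rule in
# this block is an ACCEPT.
# NOTE(review): the original comments read "NAT eth1 subnet via tun0",
# "NAT wlan0 subnet via tun0" and "NAT wlan1 subnet via ppp0", but all four
# FORWARD rules say "-o ppp0" and the only tun0-specific rule is the
# MASQUERADE.  Either the comments are stale, or traffic steered to tun0 by
# the CONNMARK policy routing above is meant to pass — in which case these
# "-o ppp0" rules do not match it and it is forwarded only because the
# FORWARD default policy is ACCEPT.  Confirm which before tightening FORWARD.
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
for entry in eth0:192.168.2.0/24 eth2:192.168.1.0/24 eth1:192.168.3.0/24 eth3:192.168.4.0/24; do
  iptables -A FORWARD -i "${entry%%:*}" -s "${entry#*:}" -o ppp0 -j ACCEPT
done
# Source-NAT everything leaving on the ISP link or the VPN tunnel.
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE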

# Xbox port forwards: udp 88 and tcp+udp 3074 arriving on the ISP link are
# DNATed to the console at 192.168.1.41, and the console's own outbound
# traffic from those ports keeps its source port when masqueraded
# (--to-ports) — presumably so the remote service sees a stable mapping;
# confirm that is still required.
# NOTE(review): no FORWARD rule explicitly admits the DNATed packets; they
# pass only because the FORWARD default policy is ACCEPT.  Enabling a
# FORWARD catch-all DROP would break these forwards unless matching ACCEPT
# rules are added.
console=192.168.1.41
for svc in udp:88 tcp:3074 udp:3074; do
  iptables -t nat -A PREROUTING -i ppp0 -p "${svc%%:*}" --dport "${svc##*:}" \
    -j DNAT --to "$console"
done
for svc in udp:88 tcp:3074 udp:3074; do
  iptables -t nat -A POSTROUTING -s "$console" -p "${svc%%:*}" --sport "${svc##*:}" \
    -j MASQUERADE --to-ports "${svc##*:}"
done
 * 1) xbox stuff

# INPUT catch-all: anything not accepted above is dropped.  The chain
# policy is already DROP, so the rule only adds a counter for rejected
# packets.
iptables -A INPUT -j DROP
# The matching catch-alls for OUTPUT and FORWARD are left commented out, as
# in the original.  NOTE(review): enabling the FORWARD one would also
# require explicit ACCEPT rules for the DNATed port forwards above, which
# today rely on the FORWARD default policy of ACCEPT.
# iptables -A OUTPUT -j DROP
# iptables -A FORWARD -j DROP