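#! /bin/sh
#
# IPv4 firewall / NAT for a small gateway: masquerades $local_net out of the
# PPPoE uplink ($WAN), lets SoftEther VPN (IKE/NAT-T and the virtual HUB port)
# reach this box, and publishes one internal server ($server_ip) via DNAT.
#
# Requirements:
#   * run as root;
#   * net.ipv4.ip_forward=1 must already be set (e.g. in /etc/sysctl.conf),
#     otherwise nothing is routed:  echo 1 > /proc/sys/net/ipv4/ip_forward
#
# Caveats:
#   * IPv4 only.  ip6tables is not touched here; if this host has IPv6
#     connectivity, ip6tables keeps its default ACCEPT policies.
#   * Rules are loaded one command at a time, not atomically.  Run this from
#     the console or from the LAN side, never over a WAN-facing session.
#   * FW_LOG=1 in the environment enables rate-limited logging of packets
#     dropped in INPUT/FORWARD (off by default, as in the original script).

# Fail closed: abort on the first failing iptables command or unset variable.
# Default policies are set to DROP before any ACCEPT rule is added, so an
# abort leaves the box closed rather than open.
set -eu

local_net='192.168.1.0/24'
server_ip='192.168.1.1'
WAN='ppp0'
LAN='br0'

##############################
# Default policies, then reset
##############################
iptables -P INPUT   DROP
iptables -P FORWARD DROP
iptables -P OUTPUT  ACCEPT
iptables -F
iptables -t nat    -F
iptables -t mangle -F
iptables -X
iptables -t nat    -X
iptables -t mangle -X

##########
# Loopback
##########
iptables -A INPUT  -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

###############################################################
# Anti-spoofing: a packet arriving on the uplink can never carry
# a LAN or loopback source address; drop it before anything else
# (including the ESTABLISHED shortcut) can accept it.
###############################################################
for spoofed in "$local_net" 127.0.0.0/8; do
    iptables -A INPUT   -i "$WAN" -s "$spoofed" -j DROP
    iptables -A FORWARD -i "$WAN" -s "$spoofed" -j DROP
done

#######
# INPUT
#######
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Everything from inside the LAN may talk to the gateway itself.
iptables -A INPUT -i "$LAN" -j ACCEPT

#######################################################
# IKE / IPsec NAT-T, for SoftEther NAT-traversal clients
#######################################################
iptables -A INPUT -p udp -m state --state NEW -i "$WAN" --dport 500  -j ACCEPT
iptables -A INPUT -p udp -m state --state NEW -i "$WAN" --dport 4500 -j ACCEPT

##########################################
# SoftEther virtual HUB (TCP) from the WAN
##########################################
iptables -A INPUT -p tcp --syn -m state --state NEW -i "$WAN" --dport 992 -j ACCEPT

#####################################################
# FORWARD: LAN -> WAN, minus SMB / SunRPC leaking out
#####################################################
for blocked in 137:139 445 111; do
    iptables -A FORWARD -p tcp -i "$LAN" -o "$WAN" --dport "$blocked" -j DROP
    iptables -A FORWARD -p udp -i "$LAN" -o "$WAN" --dport "$blocked" -j DROP
done
iptables -A FORWARD -i "$LAN" -o "$WAN" -s "$local_net" -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

##################
# SNAT (masquerade)
##################
iptables -t nat -A POSTROUTING -o "$WAN" -s "$local_net" -j MASQUERADE

#######################################################################
# publish_tcp EXT_PORT [INT_PORT]
#   DNAT TCP traffic arriving on the WAN for EXT_PORT to
#   $server_ip:INT_PORT (INT_PORT defaults to EXT_PORT) and allow the
#   rewritten packets through FORWARD.  Return traffic is covered by the
#   ESTABLISHED,RELATED rule above.
#######################################################################
publish_tcp() {
    iptables -t nat -A PREROUTING -p tcp -i "$WAN" --dport "$1" \
        -j DNAT --to-destination "$server_ip:${2:-$1}"
    iptables -A FORWARD -i "$WAN" -o "$LAN" -p tcp -d "$server_ip" \
        --dport "${2:-$1}" -j ACCEPT
}

##########################################
# Services published on the internal server
##########################################
publish_tcp 80    # HTTP
publish_tcp 443   # HTTPS
publish_tcp 25    # SMTP
publish_tcp 587   # SUBMISSION
publish_tcp 995   # POP3 over SSL
publish_tcp 993   # IMAP over SSL
# SSH is reachable from the whole Internet through this rule: make sure the
# server accepts keys only, or restrict the source here / add -m recent
# rate limiting before relying on it.
publish_tcp 22    # SSH

###########################################################################
# Outgoing packets on the uplink should only go to real Internet addresses.
# 192.168.0.0/16 is deliberately NOT dropped: SoftEther's TCP connection
# uses an internal address in that range.  If only SoftEther NAT-traversal
# is used, that range can be dropped as well.
###########################################################################
iptables -A OUTPUT -o "$WAN" -d 10.0.0.0/8     -j DROP
iptables -A OUTPUT -o "$WAN" -d 172.16.0.0/12  -j DROP
iptables -A OUTPUT -o "$WAN" -d 127.0.0.0/8    -j DROP
iptables -A OUTPUT -o "$WAN" -d 169.254.0.0/16 -j DROP
# iptables -A OUTPUT -o "$WAN" -d 192.168.0.0/16 -j DROP

#################################################
# Logging of dropped packets (set FW_LOG=1 to use)
#################################################
if [ "${FW_LOG:-0}" = 1 ]; then
    iptables -N LOGGING
    # -m limit without arguments: 3/hour with a burst of 5, so a flood cannot
    # fill the kernel log.
    iptables -A LOGGING -m limit -j LOG --log-level warning --log-prefix "DROP:"
    iptables -A LOGGING -j DROP
    iptables -A INPUT   -j LOGGING
    iptables -A FORWARD -j LOGGING
fi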