-
Notifications
You must be signed in to change notification settings - Fork 5
/
iptables.save
96 lines (77 loc) · 3.3 KB
/
iptables.save
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
# iptables based on the output from the fault tolerant router project
# https://github.com/drsound/fault_tolerant_router
#
# Hacked some more by Will Cooke
# 17 April 2018
# @8none1
#
# Using iptables-restore automatically clears any previously loaded chains.
*mangle
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:INPUT ACCEPT [0:0]
##Mark packets based on interface
[0:0] -A PREROUTING -i eth1 -j CONNMARK --restore-mark
[0:0] -A PREROUTING -i ppp1 -m conntrack --ctstate NEW -j CONNMARK --set-mark 1
[0:0] -A PREROUTING -i ppp2 -m conntrack --ctstate NEW -j CONNMARK --set-mark 2
[0:0] -A POSTROUTING -o ppp1 -m conntrack --ctstate NEW -j CONNMARK --set-mark 1
[0:0] -A POSTROUTING -o ppp2 -m conntrack --ctstate NEW -j CONNMARK --set-mark 2
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
#DNAT: WAN --> LAN
# Allow SIP from specific hosts. Specifying host names here which will be hardcoded in the
# hosts file just in case DNS isn't up yet.
[0:0] -A PREROUTING -i ppp1 -p udp -m udp --dport 5060 -s voip.canonical.com -j DNAT --to-destination 192.168.42.100
[0:0] -A PREROUTING -i ppp1 -p udp -m udp --dport 5060 -s sipgate.co.uk -j DNAT --to-destination 192.168.42.100
#SNAT: LAN --> WAN
[0:0] -A POSTROUTING -o ppp1 -j SNAT --to-source 212.159.20.70
## This is from when we used to have the talktalk router doing NAT so we double NATed. Need to write this NAT
## in the shell script now as the source is dynamic.
#[0:0] -A POSTROUTING -o eth0 -j SNAT --to-source 192.168.1.253
#[0:0] -A POSTROUTING -o eth0 -j SNAT --to-source 92.18.127.108
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LAN_WAN - [0:0]
:WAN_LAN - [0:0]
[0:0] -A INPUT -i lo -j ACCEPT
[0:0] -A INPUT -i eth1 -j ACCEPT
[0:0] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
## Allow connections to services on the WAN interface
[0:0] -A INPUT -p tcp --dport 443 -i ppp1 -j ACCEPT
[0:0] -A INPUT -p tcp --dport 80 -i ppp1 -j ACCEPT
[0:0] -A INPUT -p tcp --dport 801 -i ppp1 -j ACCEPT
## Allow pings to the WAN interface from the internet
#[0:0] -A INPUT -p icmp --icmp-type 8 -s 0/0 -d 212.159.20.70 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
[0:0] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -i eth1 -o ppp1 -j LAN_WAN
[0:0] -A FORWARD -i eth1 -o ppp2 -j LAN_WAN
#[0:0] -A FORWARD -i eth1 -o tun0 -j LAN_WAN # Let's do this via a VPN script
[0:0] -A FORWARD -i ppp1 -o eth1 -j WAN_LAN
[0:0] -A FORWARD -i ppp2 -o eth1 -j WAN_LAN
## Clamp MSS (ideal for PPPoE connections)
[0:0] -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
[0:0] -A LAN_WAN -j ACCEPT
[0:0] -A WAN_LAN -j REJECT
## Block internal clients from getting out
# Block IP camera from reaching the internet
[0:0] -I FORWARD -s 192.168.42.35 -j DROP
# Block DEAD ZONE ips
[0:0] -I FORWARD -s 192.168.42.200 -j DROP
[0:0] -I FORWARD -s 192.168.42.201 -j DROP
[0:0] -I FORWARD -s 192.168.42.202 -j DROP
[0:0] -I FORWARD -s 192.168.42.203 -j DROP
[0:0] -I FORWARD -s 192.168.42.204 -j DROP
[0:0] -I FORWARD -s 192.168.42.205 -j DROP
[0:0] -I FORWARD -s 192.168.42.206 -j DROP
[0:0] -I FORWARD -s 192.168.42.207 -j DROP
[0:0] -I FORWARD -s 192.168.42.208 -j DROP
[0:0] -I FORWARD -s 192.168.42.209 -j DROP
[0:0] -I FORWARD -s 192.168.42.210 -j DROP
COMMIT