#!/bin/bash

# eth0 = wifi access point
# wlan0@eth0 = VLAN 2 wifi
# wlan1@eth0 = VLAN 3 wifi
# eth1 = dsl modem line 1 (dsl0)
# eth2 = dsl modem line 2 (dsl1)
# eth3 = bond0 internal
# eth4 = bond0 internal
# eth5 = cable modem (cable0)
# ppp0 = active dsl uplink

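# Enable IPv4 forwarding globally; per-interface "forwarding" is set again
# explicitly further down, once the policy-routing tables are in place.
sysctl -q -w net.ipv4.ip_forward=1
sysctl -q -w net.ipv4.conf.all.forwarding=1

# nfmark routing stuff
#
# Two uplinks, two routing tables ("dsl" and "cable"; both names must exist in
# /etc/iproute2/rt_tables).  Packets marked 0x100 are looked up in table dsl,
# packets marked 0x200 in table cable; the marks themselves are set by the
# DSL/CABLE mangle chains later in this script.

#######################################
# Print the word following a keyword on the first stdin line containing it.
# Used instead of fixed awk field numbers because ip(8) omits the "dev X"
# words when its output is filtered by device, which shifts every column.
# Arguments: $1 - keyword ("via", "src", ...)
# Outputs:   the next word, or nothing if no line contains the keyword
#######################################
field_after() {
  awk -v key="$1" '{ for (i = 1; i < NF; i++) if ($i == key) { print $(i + 1); exit } }'
}

#######################################
# Gateway of the main-table default route that uses the given interface.
# Arguments: $1 - interface name
# Outputs:   gateway address, or nothing (point-to-point default route
#            without "via", or the uplink currently being down)
#######################################
default_gw() {
  ip -4 route show default dev "$1" | field_after via
}

#######################################
# Our own address on the given interface's directly connected network,
# taken from the "src" hint of its scope-link route.  192.168.x routes are
# skipped (presumably modem management networks rather than the uplink).
# Arguments: $1 - interface name
# Outputs:   local address, or nothing if no such route exists
#######################################
link_src() {
  ip -4 route show dev "$1" scope link | grep -v 192.168 | field_after src
}

# dsl
ppp0gw=$(default_gw ppp0)
ppp0ip=$(link_src ppp0)   # only used by the (disabled) source-address rule below

# cable
eth5gw=$(default_gw eth5)
eth5ip=$(link_src eth5)

#######################################
# Remove every policy rule matching a selector.  "ip rule del" removes one
# rule per call and "ip rule add" happily adds duplicates, so deleting in a
# loop keeps repeated runs of this script from stacking rules up.
# Arguments: ip-rule selector words, e.g. "fwmark 0x100"
#######################################
del_rules() {
  while ip rule del "$@" 2>/dev/null; do :; done
}

# Source-address rules send packets sourced from an uplink's own address out
# through that uplink's table (matched by table+priority so a stale address
# from an earlier run is cleaned up too); fwmark rules steer marked traffic.
#del_rules table dsl priority 100
del_rules from all fwmark 0x100
del_rules table cable priority 200
del_rules from all fwmark 0x200

#ip rule add from "$ppp0ip" table dsl priority 100
ip rule add fwmark 0x100 table dsl priority 101
if [[ -n "$eth5ip" ]]; then
  ip rule add from "$eth5ip" table cable priority 200
else
  # an empty address would produce the malformed "ip rule add from table ..."
  printf 'warning: no address found on eth5, skipping its source-address rule\n' >&2
fi
ip rule add fwmark 0x200 table cable priority 201

ip route flush table dsl
ip route flush table cable

# Copy every directly connected (scope link) route from the main table into
# both uplink tables, so marked packets for locally attached networks are
# still delivered locally instead of being sent out the uplink.
while IFS= read -r route; do
  [[ -n "$route" ]] || continue
  # each line is a sequence of ip(8) route arguments; split it into words
  read -r -a words <<<"$route"
  for table in dsl cable; do
    ip route add table "$table" to "${words[@]}"
  done
done < <(ip -4 route show | grep -F -- 'scope link')

#######################################
# Install the default route of an uplink table.
# Arguments: $1 - table, $2 - uplink interface, $3 - gateway (may be empty)
#######################################
add_default() {
  local table=$1 dev=$2 gw=$3
  if [[ -n "$gw" ]]; then
    ip route add table "$table" default via "$gw" dev "$dev"
  else
    # no gateway address in the main table (e.g. a point-to-point ppp link):
    # route straight out the device instead of issuing a malformed "via"
    printf 'warning: no gateway for %s, using "default dev %s" in table %s\n' \
      "$dev" "$dev" "$table" >&2
    ip route add table "$table" default dev "$dev"
  fi
}

add_default dsl ppp0 "$ppp0gw"
add_default cable eth5 "$eth5gw"

# Reverse-path filtering has to be relaxed for a multi-uplink setup: a strict
# check would drop packets arriving on eth5 whose source would be routed back
# out the main-table default (ppp0).  0 disables the check entirely.
# NOTE(review): loose mode (2) keeps some anti-spoofing value and is usually
# sufficient for policy routing -- confirm with this setup before tightening.
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 0 > "$f"; done
# per-interface forwarding, mirroring the conf/all sysctl above
for f in /proc/sys/net/ipv4/conf/*/forwarding; do echo 1 > "$f"; done

# no-op on kernels without a routing cache, harmless otherwise
ip route flush cache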

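IPTABLES=$(builtin type -P iptables)
IP6TABLES=$(builtin type -P ip6tables)
# An empty path would turn '$IPTABLES -t filter -F' into the command "-t" and
# every rule below would fail to apply; stop with a clear message instead.
: "${IPTABLES:?iptables not found in PATH}"
: "${IP6TABLES:?ip6tables not found in PATH}"

# start from empty tables; errors for mangle/nat are deliberately ignored
"$IP6TABLES" -t filter -F
"$IP6TABLES" -t filter -X
"$IP6TABLES" -t filter -Z
"$IPTABLES" -t filter -F
"$IPTABLES" -t filter -X
"$IPTABLES" -t filter -Z
for table in mangle nat; do
  "$IPTABLES" -t "$table" -F 2>/dev/null
  "$IPTABLES" -t "$table" -X 2>/dev/null
  "$IPTABLES" -t "$table" -Z 2>/dev/null
done

# default policies: the router itself only accepts what is explicitly allowed;
# forwarding is open by default and narrowed per interface below
"$IP6TABLES" -t filter -P INPUT DROP
"$IP6TABLES" -t filter -P OUTPUT ACCEPT
"$IP6TABLES" -t filter -P FORWARD ACCEPT
"$IPTABLES" -t filter -P INPUT DROP
"$IPTABLES" -t filter -P OUTPUT ACCEPT
"$IPTABLES" -t filter -P FORWARD ACCEPT

# basic v6
"$IP6TABLES" -t filter -A INPUT -i lo -j ACCEPT
"$IP6TABLES" -t filter -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# NOTE(review): this catch-all ACCEPT means the INPUT DROP policy above never
# applies to IPv6 -- every v6 packet addressed to the router is accepted on
# every interface, uplinks included.  Remove it (or restrict it to the LAN
# interfaces) once the v6 side is meant to be firewalled like v4.
"$IP6TABLES" -t filter -A INPUT -j ACCEPT

# logging chains: rate-limited ULOG of the first packets of each kind, then
# the verdict.  NOTE(review): the ULOG target was removed from the kernel in
# 3.17; on newer kernels use "-j NFLOG --nflog-group 1 --nflog-prefix ...".
readonly limit=50
readonly burst=100

#######################################
# Append a rate-limited ULOG rule to a filter chain.
# Globals:   IPTABLES, limit, burst (read)
# Arguments: $1 - chain, $2 - log prefix, $3.. - match options (-p tcp, -f, ...)
#######################################
ulog_rule() {
  local chain=$1 prefix=$2
  shift 2
  "$IPTABLES" -t filter -A "$chain" "$@" -m limit --limit "$limit/s" --limit-burst "$burst" \
    -j ULOG --ulog-nlgroup 1 --ulog-prefix "$prefix"
}

"$IPTABLES" -t filter -N LOGDROP
ulog_rule LOGDROP FW-TCPDROP -p tcp
ulog_rule LOGDROP FW-UDPDROP -p udp
ulog_rule LOGDROP FW-ICMPDRP -p icmp
ulog_rule LOGDROP FW-FRAGDRP -f
"$IPTABLES" -t filter -A LOGDROP -j DROP

"$IPTABLES" -t filter -N LOGACPT
ulog_rule LOGACPT FW-TCPACPT -p tcp
ulog_rule LOGACPT FW-UDPACPT -p udp
ulog_rule LOGACPT FW-ICMPACP -p icmp
"$IPTABLES" -t filter -A LOGACPT -j ACCEPT

# pppoe tcp-mss fixes: clamp the MSS of SYNs crossing ppp0 so segments fit the
# PPPoE-reduced MTU (inbound and outbound values differ; presumably tuned to
# this line)
"$IPTABLES" -t mangle -A INPUT   -i ppp0 -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1403: -j TCPMSS --set-mss 1402
"$IPTABLES" -t mangle -A FORWARD -i ppp0 -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1403: -j TCPMSS --set-mss 1402
"$IPTABLES" -t mangle -A OUTPUT  -o ppp0 -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1405: -j TCPMSS --set-mss 1404
"$IPTABLES" -t mangle -A FORWARD -o ppp0 -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1405: -j TCPMSS --set-mss 1404
#"$IPTABLES" -t mangle -A POSTROUTING -o ppp0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1405: -j TCPMSS --set-mss 1404
#"$IPTABLES" -t mangle -A PREROUTING  -i ppp0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1403: -j TCPMSS --set-mss 1402

# port forwarding: external tcp/2222 on either uplink -> ssh on 10.0.0.2
# (the INBOUND chain below must still accept the forwarded packet)
"$IPTABLES" -t nat    -A PREROUTING -i ppp0 -p tcp --dport 2222 -j DNAT --to 10.0.0.2:22
"$IPTABLES" -t nat    -A PREROUTING -i eth5 -p tcp --dport 2222 -j DNAT --to 10.0.0.2:22

# nfmark stuff: DSL/CABLE stamp new connections with the mark that selects the
# routing table (0x100 -> dsl, 0x200 -> cable) and store it in the conntrack
# entry; RESTORE copies the stored mark back onto later packets of the same
# connection.  Traffic between internal 10/8 hosts is never marked.

#######################################
# Create a mangle chain that marks new non-internal connections.
# Globals:   IPTABLES (read)
# Arguments: $1 - chain name, $2 - mark value
#######################################
mark_chain() {
  local chain=$1 mark=$2
  "$IPTABLES" -t mangle -N "$chain"
  "$IPTABLES" -t mangle -A "$chain" -s 10.0.0.0/8 -d 10.0.0.0/8 -j RETURN
  "$IPTABLES" -t mangle -A "$chain" -m conntrack --ctstate NEW -j MARK --set-mark "$mark"
  "$IPTABLES" -t mangle -A "$chain" -m conntrack --ctstate NEW -j CONNMARK --save-mark
}

mark_chain DSL 0x100
mark_chain CABLE 0x200
"$IPTABLES" -t mangle -N RESTORE
"$IPTABLES" -t mangle -A RESTORE -s 10.0.0.0/8 -d 10.0.0.0/8 -j RETURN
"$IPTABLES" -t mangle -A RESTORE -m conntrack --ctstate ESTABLISHED,RELATED -j CONNMARK --restore-mark

# snat/masquerade our external interfaces (ppp0 is a static IP)
"$IPTABLES" -t nat    -A POSTROUTING -o ppp0 -j SNAT --to-source 76.10.173.13
"$IPTABLES" -t nat    -A POSTROUTING -o eth5 -j MASQUERADE

# this does nothing but allow access to the dsl modem web interfaces
# (LAN sources are rewritten to the router's address on each modem link,
# presumably because the modems have no route back to 10/8)
"$IPTABLES" -t nat    -A POSTROUTING -o eth1 -j SNAT --to-source 192.168.1.1
"$IPTABLES" -t nat    -A POSTROUTING -o eth2 -j SNAT --to-source 192.168.0.1

# these rules allow local stateful traffic out the secondary non-default gateway:
# everything the sabnzbd user sends, and tcp/500, is marked for the cable link
"$IPTABLES" -t mangle -A OUTPUT -m owner --uid-owner sabnzbd -j CABLE
#"$IPTABLES" -t mangle -A OUTPUT -m owner --uid-owner deluge -j CABLE
"$IPTABLES" -t mangle -A OUTPUT -p tcp -m multiport --dports 500 -j CABLE

# place force local routing outbound rules above these
# (RESTORE only touches ESTABLISHED/RELATED packets, so new connections that
# were not forced above keep the main-table default)
"$IPTABLES" -t mangle -A OUTPUT -o ppp0 -j RESTORE
"$IPTABLES" -t mangle -A OUTPUT -o eth5 -j RESTORE

# forwarded traffic forced onto the cable link: tcp/500 from the internal
# bond, a small address range on the internal wifi, and all of the guest wifi
"$IPTABLES" -t mangle -A PREROUTING -i bond0 -p tcp -m multiport --dports 500 -j CABLE
"$IPTABLES" -t mangle -A PREROUTING -i wlan0 -m iprange --src-range 10.0.1.90-10.0.1.99 -j CABLE
"$IPTABLES" -t mangle -A PREROUTING -i wlan1 -m iprange --src-range 10.0.2.0-10.0.2.255 -j CABLE


# place lan forwarded force routing outbound rules above these
# (inbound connections are marked for the uplink they arrived on, so replies
# leave the same way; LAN packets of existing connections get their mark back)
"$IPTABLES" -t mangle -A PREROUTING -i ppp0  -j DSL
"$IPTABLES" -t mangle -A PREROUTING -i eth5  -j CABLE
"$IPTABLES" -t mangle -A PREROUTING -i bond0 -j RESTORE
"$IPTABLES" -t mangle -A PREROUTING -i wlan0 -j RESTORE
"$IPTABLES" -t mangle -A PREROUTING -i wlan1 -j RESTORE

# block all internal access to guest wifi: wlan1 may only be forwarded to the
# two uplinks, anything else it sends (i.e. towards the internal networks) is
# dropped before the generic ESTABLISHED,RELATED accept below
"$IPTABLES" -t filter -A FORWARD -i wlan1 -o ppp0 -j ACCEPT
"$IPTABLES" -t filter -A FORWARD -i wlan1 -o eth5 -j ACCEPT
"$IPTABLES" -t filter -A FORWARD -i wlan1 -j DROP

# allow related/established
"$IPTABLES" -t filter -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
"$IPTABLES" -t filter -A INPUT   -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# local to box: internal networks get full access, guest wifi only DNS/DHCP
"$IPTABLES" -t filter -A INPUT -i lo -j ACCEPT
"$IPTABLES" -t filter -A INPUT -i eth0  -s 10.1.0.0/30 -j ACCEPT
"$IPTABLES" -t filter -A INPUT -i bond0 -s 10.0.0.0/24 -j ACCEPT
"$IPTABLES" -t filter -A INPUT -i wlan0 -s 10.0.1.0/24 -j ACCEPT
"$IPTABLES" -t filter -A INPUT -i wlan1 -s 10.0.2.0/24 -p tcp -m multiport --dports 53 -j ACCEPT
"$IPTABLES" -t filter -A INPUT -i wlan1 -s 10.0.2.0/24 -p udp -m multiport --dports 53,67 -j ACCEPT

# shunt forwarded/input traffic through inbound chain so we can log/filter ports no matter if local/forwarded
"$IPTABLES" -t filter -N INBOUND
"$IPTABLES" -t filter -A FORWARD -i ppp0 -j INBOUND
"$IPTABLES" -t filter -A FORWARD -i eth5 -j INBOUND
"$IPTABLES" -t filter -A INPUT   -i ppp0 -j INBOUND
"$IPTABLES" -t filter -A INPUT   -i eth5 -j INBOUND

# INBOUND is reached from both INPUT and FORWARD, so these ports are open on
# the router itself as well as for forwarded traffic.  After the PREROUTING
# DNAT the forwarded 2222 connection arrives here with dport 22, so 22 has to
# stay in the logged-accept list for the port forward to work -- which also
# exposes the router's own ssh on both uplinks (logged; fail2ban is restarted
# at the end of this script, presumably as the mitigation).
"$IPTABLES" -t filter -A INBOUND -p tcp -m multiport --dports 22,2222,113,4000,5000 -j LOGACPT
"$IPTABLES" -t filter -A INBOUND -i ppp0 -p tcp -m multiport --dports 25,443,465,993,8080:8087 -j ACCEPT
"$IPTABLES" -t filter -A INBOUND -i eth5 -p tcp -m multiport --dports 993,443,7881,8080:8087 -j ACCEPT
"$IPTABLES" -t filter -A INBOUND -i eth5 -p udp -m multiport --dports 68,7881 -j ACCEPT
# dropped without logging (presumably just noise on the cable segment)
"$IPTABLES" -t filter -A INBOUND -i eth5 -p udp -m multiport --dports 3132 -j DROP

# everything else from the uplinks is logged and dropped; the final explicit
# DROP on INPUT duplicates the chain policy
"$IPTABLES" -t filter -A INBOUND -j LOGDROP
"$IPTABLES" -t filter -A INPUT -j DROP

# persist the ruleset, then let the services that add their own chains
# (fail2ban, miniupnpd) re-create them after the flush above
/etc/init.d/iptables save
/etc/init.d/fail2ban restart
/etc/miniupnpd/iptables_init.sh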
