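#!/bin/sh
# usage: sudo sh firewall.sh
#
# Host firewall for a pentest/lab box: everything is dropped by default, then
# loopback, one OpenVPN endpoint and every outbound-initiated connection are
# allowed, plus a handful of listening ports that accept inbound (reverse
# shell) connections from the lab target range only.
#
# Caveats a user of this script should know about:
#  - IPv4 only. Nothing here touches ip6tables, so if the host has IPv6
#    connectivity that traffic is not filtered by this script at all.
#  - The "everything by outbound request" rules below accept any NEW outbound
#    connection, so this is NOT a VPN kill switch: traffic that does not go
#    through the tunnel (including DNS to any resolver) is still let out, and
#    the dedicated OpenVPN rules above it are effectively redundant.
#  - Only ESTABLISHED replies are accepted inbound, never RELATED, so ICMP
#    errors (e.g. fragmentation-needed used by path MTU discovery) are dropped.

# Abort on the first failed iptables command instead of silently continuing
# with a partial ruleset that differs from the summary printed at the end.
# DROP policies are installed before any ACCEPT rule, so stopping half-way
# fails closed rather than open; a failure during the flush leaves the
# previous ruleset untouched.
set -e

# iptables needs root; give a clear message instead of a "Permission denied"
# on the first rule.
if [ "$(id -u)" -ne 0 ]; then
  echo "firewall.sh: must be run as root (see usage above)" >&2
  exit 1
fi

# flush all rules and user-defined chains in every table we touch
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

# drop by default (set before any ACCEPT so an abort below fails closed)
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# limited allows
## loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

## openvpn by outbound request (UDP/1194 to the configured endpoint only)
#VPN="51.161.120.229"
VPN="54.86.95.138"
iptables -A OUTPUT -p udp -d "$VPN" --dport 1194 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp -s "$VPN" --sport 1194 -m state --state ESTABLISHED -j ACCEPT

## dns by outbound request to trusted server
## (disabled: the catch-all outbound rule further down already permits DNS
## to any server; enable this and remove the catch-all to actually pin DNS)
#DNS="172.16.67.2"
#for ip in $DNS; do
# iptables -A OUTPUT -p udp -d "$ip" --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -A INPUT -p udp -s "$ip" --sport 53 -m state --state ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -p tcp -d "$ip" --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -A INPUT -p tcp -s "$ip" --sport 53 -m state --state ESTABLISHED -j ACCEPT
#done

## http,https,ssh,rdp by outbound request (disabled, see catch-all below)
#PORTS="80 443 22 3389"
#for port in $PORTS; do
# iptables -A OUTPUT -p tcp --dport "$port" -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -A INPUT -p tcp --sport "$port" -m state --state ESTABLISHED -j ACCEPT
#done

## lab target range by outbound request
# NOTE: this was previously written as "192.168.0.0-192.168.255". libxtables
# pads a short dotted address with zero octets, so that parsed as
# 192.168.0.0-192.168.255.0 and quietly left 192.168.255.1-255 outside the
# range used by the reverse-shell rules below. The range is also used there
# even though the two outbound rules here are commented out.
LABS="192.168.0.0-192.168.255.255"
#iptables -A OUTPUT -m iprange --dst-range "$LABS" -m state --state NEW,ESTABLISHED -j ACCEPT
#iptables -A INPUT -m iprange --src-range "$LABS" -m state --state ESTABLISHED -j ACCEPT
#RANGE="10.70.70.1-10.70.70.255"
#iptables -A OUTPUT -m iprange --dst-range "$RANGE" -m state --state NEW,ESTABLISHED -j ACCEPT
#iptables -A INPUT -m iprange --src-range "$RANGE" -m state --state ESTABLISHED -j ACCEPT

## everything by outbound request
## (any NEW outbound connection is accepted; replies to it are accepted in)
iptables -A OUTPUT -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT

## reverse shell from lab target range
## inbound NEW connections are accepted only on these TCP ports and only
## from $LABS; the matching OUTPUT rule is already covered by the catch-all
## ESTABLISHED rule above but is kept so the pair reads as a unit.
LPORTS="80 443 445 8021 8022 8080 8443 8445"
for port in $LPORTS; do
  iptables -A INPUT -p tcp --dport "$port" -m iprange --src-range "$LABS" -m state --state NEW,ESTABLISHED -j ACCEPT
  iptables -A OUTPUT -p tcp --sport "$port" -m iprange --dst-range "$LABS" -m state --state ESTABLISHED -j ACCEPT
done

## last rule is drop all else
## (redundant with the DROP policies, but just to be sure)
iptables -A INPUT -j DROP
iptables -A OUTPUT -j DROP

# display summary (filter table only; nat/mangle were flushed and left empty)
iptables -L -v -n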