ansible
/
firewall_iptables
Watch 1
Star 0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
/etc/iptables
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
7 Commits
1 Branch
Branch: master
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'master'
${ noResults }
firewall_iptables/ipt-static-ruleset

ipt-static-ruleset 7.7KB
Permalink History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123 
  1. #######################################################################################################################

  2. # Firewall configuration for this host ################################################################################

  3. #######################################################################################################################

  4. 

  5. # Allow minimum for all VLANS (ping, dhcp, dns, ntp)

  6. sudo iptables -A INPUT -j ACCEPT -p icmp --icmp-type 8 -m comment --comment "accept incomming pings"

  7. sudo iptables -A OUTPUT -j ACCEPT -p icmp --icmp-type 8 -m comment --comment "accept outgoing pings"

  8. sudo iptables -A INPUT -j ACCEPT -p udp --dport 67:68 --sport 67:68 -m comment --comment "accept incomming dhcp"

  9. sudo iptables -A OUTPUT -j ACCEPT -p udp --dport 67:68 --sport 67:68 -m comment --comment "accept outgoing dhcp"

  10. sudo iptables -A INPUT -j ACCEPT -p udp --dport 53 -m comment --comment "accept incomming dns"

  11. sudo iptables -A INPUT -j ACCEPT -p tcp --dport 53 -m comment --comment "accept incomming dns"

  12. sudo iptables -A OUTPUT -j ACCEPT -p udp --dport 53 -m comment --comment "accept outgoing dns"

  13. sudo iptables -A OUTPUT -j ACCEPT -p tcp --dport 53 -m comment --comment "accept outgoing dns"

  14. sudo iptables -A INPUT -j ACCEPT -p udp --dport 123 -m comment --comment "accept incomming ntp"

  15. sudo iptables -A OUTPUT -j ACCEPT -p udp --dport 123 -m comment --comment "accept outgoing ntp"

  16. 

  17. # Allow some usefull outgoing traffic for all VLANS (ssh)

  18. sudo iptables -A OUTPUT -j ACCEPT -p tcp --dport 22 -m comment --comment "accept outgoing ssh"

  19. sudo iptables -A OUTPUT -j ACCEPT -p tcp --dport 80 -m comment --comment "accept outgoing http"

  20. 

  21. # Allow established and related trafic

  22. sudo iptables -A INPUT -j ACCEPT -m conntrack --ctstate ESTABLISHED,RELATED -m comment --comment "accept all incomming established and related trafic"

  23. sudo iptables -A OUTPUT -j ACCEPT -m conntrack --ctstate ESTABLISHED,RELATED -m comment --comment "accept all outgoing established and related trafic"

  24. 

  25. # Allow everything for trusted networks

  26. sudo iptables -A INPUT -j ACCEPT -i lo -m comment --comment "accept all incoming traffic of loopback device"

  27. sudo iptables -A OUTPUT -j ACCEPT -o lo -m comment --comment "accept all outgoing traffic of the loopback device"

  28. sudo iptables -A INPUT -j ACCEPT -i eth0.30 -m comment --comment "accept all incoming traffic of eth0.30 device"

  29. sudo iptables -A OUTPUT -j ACCEPT -o eth0.30 -m comment --comment "accept all outgoing traffic of the eth0.30 device"

  30. 

  31. sudo iptables -A OUTPUT -j ACCEPT -o eth0 ! -d 192.168.0.0/16 -m comment --comment "accept all outgoing traffic to the internet"

  32. 

  33. # Add reject rule for propper feedback

  34. sudo iptables -A INPUT -j REJECT -m comment --comment "Reject all remaining traffic"

  35. 

  36. 

  37. 

  38. #######################################################################################################################

  39. # Cros VLAN forwarding ################################################################################################

  40. #######################################################################################################################

  41. # General

  42. sudo sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"

  43. sudo iptables -A FORWARD -j ACCEPT -m conntrack --ctstate ESTABLISHED,RELATED -m comment --comment "forward all established and related traffic"

  44. sudo iptables -A FORWARD -j ACCEPT -p icmp --icmp-type 8 -m comment --comment "forward all pings"

  45. sudo iptables -A FORWARD -j ACCEPT -p udp --dport 123 -m comment --comment "forward all ntp request"

  46. sudo iptables -A FORWARD -j ACCEPT -p udp --sport 123 -m comment --comment "forward all ntp request"

  47. 

  48. #---------------------

  49. # -> VLAN10 (Internet)

  50. #---------------------

  51. # Allow VLAN30 full access to the internet

  52. sudo iptables -A FORWARD -j ACCEPT -i eth0.30 -o eth0 ! -d 192.168.0.0/16 -m comment --comment "forward all traffic from vlan30 to the internet"

  53. sudo iptables -A FORWARD -j ACCEPT -i eth0.30 -o eth0 -d 192.168.0.0/24 -m comment --comment "forward all traffic from vlan30 to vlan10"

  54. # Allow VLAN40 access to to http,https

  55. sudo iptables -A FORWARD -j ACCEPT -i eth0.40 -o eth0 ! -d 192.168.0.0/16 -p tcp --dport 80:443 -m comment --comment "forward all http and https traffic from vlan40 to the internet"

  56. sudo iptables -A FORWARD -j ACCEPT -i eth0.40 -o eth0 ! -d 192.168.0.0/16 -p tcp --dport 8080 -m comment --comment "forward port 8080 to the internet for siemens dishwasher"

  57. # Allow VLAN60 access to to http,https

  58. sudo iptables -A FORWARD -j ACCEPT -i eth0.60 -o eth0 ! -d 192.168.0.0/16 -p tcp --dport 80:443 -m comment --comment "forward all http and https traffic from vlan60 to the internet"

  59. 

  60. #--------------------

  61. # -> VLAN20 (Network)

  62. #--------------------

  63. # Allow VLAN30 full access

  64. sudo iptables -A FORWARD -j ACCEPT -i eth0.30 -o eth0.20 -d 192.168.20.0/24 -m comment --comment "forward traffic from vlan30 to VLAN20"

  65. 

  66. #--------------------------------------

  67. # -> VLAN30 (Family) - VERY RESTRICTIVE

  68. #--------------------------------------

  69. # Allow VLAN40 and VLAN50 access to the mqtt port

  70. sudo iptables -A FORWARD -j ACCEPT -i eth0.40 -o eth0.30 -p tcp --dport 1883 -d 192.168.30.0/24 -m comment --comment "forward mqtt traffic from vlan40 to VLAN30"

  71. sudo iptables -A FORWARD -j ACCEPT -i eth0.50 -o eth0.30 -p tcp --dport 1883 -d 192.168.30.0/24 -m comment --comment "forward mqtt traffic from vlan50 to VLAN30"

  72. sudo iptables -A FORWARD -j ACCEPT -i eth0.50 -o eth0.30 -p tcp --dport 21 -d 192.168.30.0/24 -m comment --comment "forward ftp traffic from vlan50 to VLAN30 (brother printer)"

  73. 

  74. 

  75. #-------------------------------

  76. # -> VLAN40 (Untrusted Internet)

  77. #-------------------------------

  78. # Allow VLAN30 full access

  79. sudo iptables -A FORWARD -j ACCEPT -i eth0.30 -o eth0.40 -d 192.168.40.0/24 -m comment --comment "forward traffic from vlan30 to VLAN40"

  80. 

  81. #---------------------------------

  82. # -> VLAN50 (Untrusted no Internet

  83. #---------------------------------

  84. # Allow VLAN30 full access

  85. sudo iptables -A FORWARD -j ACCEPT -i eth0.30 -o eth0.50 -d 192.168.50.0/24 -m comment --comment "forward traffic from vlan30 to VLAN50"

  86. 

  87. #------------------

  88. # -> VLAN60 (Gäste)

  89. #------------------

  90. 

  91. 

  92. 

  93. #----------------------

  94. # Masquerade traffic to

  95. #----------------------

  96. sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE -m comment --comment "masquerade ->eth0.10"

  97. sudo iptables -t nat -A POSTROUTING -o eth0.20 -j MASQUERADE -m comment --comment "masquerade ->eth0.20"

  98. sudo iptables -t nat -A POSTROUTING -o eth0.30 -j MASQUERADE -m comment --comment "masquerade ->eth0.30"

  99. sudo iptables -t nat -A POSTROUTING -o eth0.40 -j MASQUERADE -m comment --comment "masquerade ->eth0.40"

  100. sudo iptables -t nat -A POSTROUTING -o eth0.50 -j MASQUERADE -m comment --comment "masquerade ->eth0.50"

  101. 

  102. 

  103. 

  104. 

  105. #######################################################################################################################

  106. # Change policy to drop all remainig ##################################################################################

  107. #######################################################################################################################

  108. sudo iptables -P INPUT DROP

  109. sudo iptables -P OUTPUT DROP

  110. sudo iptables -P FORWARD DROP

  111. 

  112. 

  113. 

  114. #######################################################################################################################

  115. # Show configuration ##################################################################################################

  116. #######################################################################################################################

  117. sudo iptables -L -n -v --line-numbers

  118. 

  119. 

  120. echo "********************************************************************************************"

  121. echo "* -> Execute sudo sh -c \"iptables-save > /etc/iptables/rules.v4\""

  122. echo "********************************************************************************************"