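#!/bin/sh
#
# firewall-masq		This script sets up firewall rules for a machine
#                       acting as a masquerading gateway
#
# Copyright (C) 2000 Roaring Penguin Software Inc.  This software may
# be distributed under the terms of the GNU General Public License, version
# 2 or any later version.
# LIC: GPL
#
# What this script configures, and what it deliberately does not:
#   * Only the nat table and the filter INPUT chain are set up. The FORWARD
#     chain is never touched, so traffic relayed between interfaces is
#     governed by whatever policy and rules FORWARD already has.
#   * With the SSH rule below left commented out there is no ACCEPT rule in
#     INPUT at all, so the DROP policy applies to every inbound packet on
#     every interface (loopback and LAN included), unless something else adds
#     an ACCEPT rule later.
#   * The LOG rules have no rate limit (-m limit) and no --log-prefix, so a
#     port sweep on $EXTIF produces one log line per packet.
#   * Every iptables call is unchecked; a failure part-way through leaves a
#     partially applied ruleset.

# Interface to Internet
EXTIF=ppp+

# NAT-Tables are different, so we can use ACCEPT everywhere (?)
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
iptables -t nat -P POSTROUTING ACCEPT

# Flush the NAT-Table
iptables -t nat -F

# Default-deny inbound, then start from an empty INPUT chain
iptables -t filter -P INPUT DROP
iptables -t filter -F

# Allow incoming SSH
#iptables -t filter -A INPUT -i "$EXTIF" -p tcp --dport 22 -j ACCEPT

# Log & Deny the rest of the privileged ports
iptables -t filter -A INPUT -i "$EXTIF" -p tcp --dport 0:1023 -j LOG
iptables -t filter -A INPUT -i "$EXTIF" -p udp --dport 0:1023 -j LOG
iptables -t filter -A INPUT -i "$EXTIF" -p tcp --dport 0:1023 -j DROP
iptables -t filter -A INPUT -i "$EXTIF" -p udp --dport 0:1023 -j DROP

# Log & Deny NFS
iptables -t filter -A INPUT -i "$EXTIF" -p udp --dport 2049 -j LOG
iptables -t filter -A INPUT -i "$EXTIF" -p tcp --dport 2049 -j LOG
iptables -t filter -A INPUT -i "$EXTIF" -p udp --dport 2049 -j DROP
iptables -t filter -A INPUT -i "$EXTIF" -p tcp --dport 2049 -j DROP

# Log & Deny X11
iptables -t filter -A INPUT -i "$EXTIF" -p tcp --dport 6000:6063 -j LOG
iptables -t filter -A INPUT -i "$EXTIF" -p tcp --dport 6000:6063 -j DROP

# Log & Deny XFS
iptables -t filter -A INPUT -i "$EXTIF" -p tcp --dport 7100 -j LOG
iptables -t filter -A INPUT -i "$EXTIF" -p tcp --dport 7100 -j DROP

# Deny TCP connection attempts (any SYN on the external interface, all ports)
iptables -t filter -A INPUT -i "$EXTIF" -p tcp --syn -j LOG
iptables -t filter -A INPUT -i "$EXTIF" -p tcp --syn -j DROP

# Deny ICMP echo-requests
iptables -t filter -A INPUT -i "$EXTIF" -p icmp --icmp-type echo-request -j DROP

# Do masquerading
iptables -t nat -A POSTROUTING -o "$EXTIF" -j MASQUERADE

# Enable forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# no IP spoofing
# The -e test on the "all" entry doubles as a guard that the glob below
# actually matches something.
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ] ; then
   for i in /proc/sys/net/ipv4/conf/*/rp_filter; do
      echo 1 > "$i"
   done
fi

# Disable Source Routed Packets
for i in /proc/sys/net/ipv4/conf/*/accept_source_route; do
   # An unmatched glob leaves the literal pattern in $i; skip it rather than
   # failing on a path that does not exist.
   [ -e "$i" ] || continue
   echo 0 > "$i"
done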