technotes:an_old_iptables_router

I should fix the line breaks at some point.
#!/bin/sh
# Snork's iptables script for Jimmerton
# Last modified 2021-06-06

# === Setup basic NAT and policies ===
echo "Set variables..."
INTIF="eth1"
EXTIF="ppp0"
EXTIP="`/sbin/ifconfig ppp0 | grep 'inet ' | awk '{print $2}' | sed -e
's/.*://'`"
INTIP="`/sbin/ifconfig eth1 | grep 'inet ' | awk '{print $2}' | sed -e
's/.*://'`"
INTNET="192.168.1.0/24"
echo "Internal interface is" $INTIF "with IP address" $INTIP
echo "External interface is" $EXTIF "with IP address" $EXTIP

echo "Loading the appropriate modules for iptables..."
/sbin/depmod -a
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc
/sbin/modprobe iptable_nat
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_nat_irc
echo "Enabling IP forwarding..."
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

echo "Setup ipset:cidr-ca first because it is slow..."
ipset create cidr-ca hash:net -exist
ipset create tempset hash:net -exist
ipset flush tempset
ipset restore -f /root/cidr-ca
#xargs -n1 ipset add tempset < /root/cidr-ca
ipset swap tempset cidr-ca
echo "Adding Home LTE and Nextcloud to cidr-ca list so I can check my
email..."
ipset add cidr-ca 166.128.0.0/9
ipset add cidr-ca 198.46.160.42
ipset add cidr-ca 192.227.150.27

echo "Setup ipset:cidr-goofs..."
wget -O /root/cidr-goofs https://dnscrypt.ca/junkblock/cidr-goofs
if [ $? != 0 ]; then
   sendemail -f "JSF Router <jsfrouter@snork.jsf>" -t "snork@snork.ca"
-u "ALERT: Could not download cidr-goofs file!" -m "be
                           tter check that.\n\ns." -s "mail.snork.ca"
else
   ipset create cidr-goofs hash:net -exist
   ipset create tempset hash:net -exist
   ipset flush tempset
   grep ^[0-9] /root/cidr-goofs > /tmp/cidr-goofs-stripped
   xargs -n1 ipset add tempset < /tmp/cidr-goofs-stripped
   ipset swap tempset cidr-goofs
   ipset destroy tempset
   iptables -A INPUT -m set --match-set cidr-goofs src -j DROP
fi

echo "Setup ipset:azure..."
ipset create azure hash:net -exist
echo "Setup ipset:hmailblock..."
ipset create hmailblock hash:net -exist

echo "Clearing out any existing rules and setting default policy..."
iptables -P INPUT DROP
iptables -F INPUT
iptables -P OUTPUT ACCEPT
iptables -F OUTPUT
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -t nat -F

# === Blacklist rules come first ===
#echo "Blacklist IP's that have zero access to Snorkuserve..."
iptables -A FORWARD -m set --match-set cidr-goofs src -j DROP
iptables -A FORWARD -m set --match-set hmailblock src -j DROP
#iptables -A FORWARD -p tcp --dport 80 -m string --algo bm --string
"zoominfobot" -j DROP
#iptables -A FORWARD -p tcp --dport 25 -m string --algo bm --string
"security.ipip.net" -j DROP

# Then the traffic to allow ===
echo "Allow all traffic in and out of the loopback device..."
iptables -A INPUT -s 127.0.0.0/8 -j ACCEPT
iptables -A OUTPUT -s 127.0.0.0/8 -j ACCEPT

echo "Allow all traffic on WG network..."
iptables -A INPUT -s 10.0.0/24 -j ACCEPT
iptables -A OUTPUT -s 10.0.0.0/24 -j ACCEPT

echo "Allow return inbound traffic to router from Internet and from LAN..."
iptables -A INPUT -i $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT

echo "Allow established, related, and masq for NAT forwarding..."
iptables -A FORWARD -i $EXTIF -o $INTIF -m state --state
ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
iptables -A POSTROUTING -t nat -o $EXTIF -j MASQUERADE

#echo "Allowing NAT reflection... THIS BREAKS THE POST FORWARDING RULES
FOR SOME REASON!"
#iptables -A FORWARD -i $INTIF -o $INTIF -m state --state
ESTABLISHED,RELATED -j ACCEPT
#iptables -A FORWARD -i $INTIF -o $INTIF -j ACCEPT
#iptables -A POSTROUTING -t nat -o $INTIF -j MASQUERADE

# === Allow access to services on the router ===
echo "Allow ping requests and replies..."
iptables -A INPUT -p icmp -j ACCEPT
echo "Allow DHCP requests from internal network..."
iptables -A INPUT -i $INTIF -p udp --dport 67:68 --sport 67:68 -j ACCEPT
echo "Allow DNS requests from internal network..."
iptables -A INPUT -d $INTIP -s $INTNET -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -d $INTIP -s $INTNET -p udp --dport 53 -j ACCEPT
echo "Allow ssh connections from internal network, Gullo, and Buttercup..."
iptables -A INPUT -d $INTIP -s $INTNET -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -d $EXTIP -s 192.99.6.159 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -d $EXTIP -s 167.114.220.127 -p tcp --dport 22 -j ACCEPT
echo "Allow ntp for internal network..."
iptables -A INPUT -d $INTIP -s $INTNET -p udp --dport 123 -j ACCEPT
echo "Allow rsyslog for internal network for hmail logs..."
iptables -A INPUT -d $INTIP -s $INTNET -p udp --dport 514 -j ACCEPT

# === Services on other internal machines ===
echo "Forward 25 to mail server..."
iptables -A PREROUTING -t nat -d $EXTIP -p tcp --dport 25 -j DNAT
--to-destination 192.168.1.136:25
iptables -A FORWARD -d 192.168.1.136 -p tcp --dport 25 -j ACCEPT

echo "Forward SMTP+TLS, and submission to mail server..."
iptables -A PREROUTING -t nat -d $EXTIP -p tcp --dport 465 -m set
--match-set cidr-ca src -j DNAT --to-destination 192.168.1
                               .136:465
iptables -A FORWARD -d 192.168.1.136 -p tcp --dport 465 -j ACCEPT
iptables -A PREROUTING -t nat -d $EXTIP -p tcp --dport 587 -m set
--match-set cidr-ca src -j DNAT --to-destination 192.168.1
                               .136:587
iptables -A FORWARD -d 192.168.1.136 -p tcp --dport 587 -j ACCEPT

echo "Forward IMAP and POP3 to mail server.."
iptables -A PREROUTING -t nat -d $EXTIP -p tcp --dport 993 -m set
--match-set cidr-ca src -j DNAT --to-destination 192.168.1
                               .136:993
iptables -A FORWARD -d 192.168.1.136 -p tcp --dport 993 -j ACCEPT
iptables -A PREROUTING -t nat -d $EXTIP -p tcp --dport 995 -m set
--match-set cidr-ca src -j DNAT --to-destination 192.168.1
                               .136:995
iptables -A FORWARD -d 192.168.1.136 -p tcp --dport 995 -j ACCEPT

echo "Forward http and https to MAIL server for Roundecube..."
iptables -A PREROUTING -t nat -d $EXTIP -p tcp --dport 80 -j DNAT
--to-destination 192.168.1.136:80
iptables -A FORWARD -d 192.168.1.136 -p tcp --dport 80 -j ACCEPT
iptables -A PREROUTING -t nat -d $EXTIP -p tcp --dport 443 -j DNAT
--to-destination 192.168.1.136:443
iptables -A FORWARD -d 192.168.1.136 -p tcp --dport 443 -j ACCEPT

echo "Forward 1273 to qbittorrent server..."
iptables -A PREROUTING -t nat -d $EXTIP -p tcp --dport 1273 -j DNAT
--to-destination 192.168.1.136:1273
iptables -A FORWARD -d 192.168.1.136 -p tcp --dport 1273 -j ACCEPT
iptables -A PREROUTING -t nat -d $EXTIP -p udp --dport 1273 -j DNAT
--to-destination 192.168.1.136:1273
iptables -A FORWARD -d 192.168.1.136 -p udp --dport 1273 -j ACCEPT

echo "Forward ssh to backup box for Gullo, and Buttercup..."
iptables -A PREROUTING -t nat -d $EXTIP -p tcp --dport 30001 -s
192.99.6.159 -j DNAT --to-destination 192.168.1.5:22
iptables -A PREROUTING -t nat -d $EXTIP -p tcp --dport 30001 -s
167.114.220.127 -j DNAT --to-destination 192.168.1.5:22
# TEMPORARY ALL PERMISSIONS SO I CAN COPY RWINJTER'S SHIT
#iptables -A PREROUTING -t nat -d $EXTIP -p tcp --dport 30001 -j DNAT
--to-destination 192.168.1.5:22
iptables -A FORWARD -d 192.168.1.5 -p tcp --dport 22 -j ACCEPT

echo "Forward https to Proxmox server..."
iptables -A PREROUTING -t nat -d $EXTIP -p tcp --dport 8006 -j DNAT
--to-destination 192.168.1.200:8006
iptables -A FORWARD -d 192.168.1.200 -p tcp --dport 8006 -j ACCEPT