Diffstat (limited to 'sample-config-files/firewall.sh')
-rwxr-xr-xsample-config-files/firewall.sh108
1 files changed, 0 insertions, 108 deletions
diff --git a/sample-config-files/firewall.sh b/sample-config-files/firewall.sh
deleted file mode 100755
index 19d75ee..0000000
--- a/sample-config-files/firewall.sh
+++ /dev/null
@@ -1,108 +0,0 @@
-#!/bin/sh
-
-# A Sample OpenVPN-aware firewall.
-
-# eth0 is connected to the internet.
-# eth1 is connected to a private subnet.
-
-# Change this subnet to correspond to your private
-# ethernet subnet. Home will use HOME_NET/24 and
-# Office will use OFFICE_NET/24.
-PRIVATE=10.0.0.0/24
-
-# Loopback address
-LOOP=127.0.0.1
-
-# Delete old iptables rules
-# and temporarily block all traffic.
-iptables -P OUTPUT DROP
-iptables -P INPUT DROP
-iptables -P FORWARD DROP
-iptables -F
-
-# Set default policies
-iptables -P OUTPUT ACCEPT
-iptables -P INPUT DROP
-iptables -P FORWARD DROP
-
-# Prevent external packets from using loopback addr
-iptables -A INPUT -i eth0 -s $LOOP -j DROP
-iptables -A FORWARD -i eth0 -s $LOOP -j DROP
-iptables -A INPUT -i eth0 -d $LOOP -j DROP
-iptables -A FORWARD -i eth0 -d $LOOP -j DROP
-
-# Anything coming from the Internet should have a real Internet address
-iptables -A FORWARD -i eth0 -s 192.168.0.0/16 -j DROP
-iptables -A FORWARD -i eth0 -s 172.16.0.0/12 -j DROP
-iptables -A FORWARD -i eth0 -s 10.0.0.0/8 -j DROP
-iptables -A INPUT -i eth0 -s 192.168.0.0/16 -j DROP
-iptables -A INPUT -i eth0 -s 172.16.0.0/12 -j DROP
-iptables -A INPUT -i eth0 -s 10.0.0.0/8 -j DROP
-
-# Block outgoing NetBios (if you have windows machines running
-# on the private subnet). This will not affect any NetBios
-# traffic that flows over the VPN tunnel, but it will stop
-# local windows machines from broadcasting themselves to
-# the internet.
-iptables -A FORWARD -p tcp --sport 137:139 -o eth0 -j DROP
-iptables -A FORWARD -p udp --sport 137:139 -o eth0 -j DROP
-iptables -A OUTPUT -p tcp --sport 137:139 -o eth0 -j DROP
-iptables -A OUTPUT -p udp --sport 137:139 -o eth0 -j DROP
-
-# Check source address validity on packets going out to internet
-iptables -A FORWARD -s ! $PRIVATE -i eth1 -j DROP
-
-# Allow local loopback
-iptables -A INPUT -s $LOOP -j ACCEPT
-iptables -A INPUT -d $LOOP -j ACCEPT
-
-# Allow incoming pings (can be disabled)
-iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-
-# Allow services such as www and ssh (can be disabled)
-iptables -A INPUT -p tcp --dport http -j ACCEPT
-iptables -A INPUT -p tcp --dport ssh -j ACCEPT
-
-# Allow incoming OpenVPN packets
-# Duplicate the line below for each
-# OpenVPN tunnel, changing --dport n
-# to match the OpenVPN UDP port.
-#
-# In OpenVPN, the port number is
-# controlled by the --port n option.
-# If you put this option in the config
-# file, you can remove the leading '--'
-#
-# If you taking the stateful firewall
-# approach (see the OpenVPN HOWTO),
-# then comment out the line below.
-
-iptables -A INPUT -p udp --dport 1194 -j ACCEPT
-
-# Allow packets from TUN/TAP devices.
-# When OpenVPN is run in a secure mode,
-# it will authenticate packets prior
-# to their arriving on a tun or tap
-# interface. Therefore, it is not
-# necessary to add any filters here,
-# unless you want to restrict the
-# type of packets which can flow over
-# the tunnel.
-
-iptables -A INPUT -i tun+ -j ACCEPT
-iptables -A FORWARD -i tun+ -j ACCEPT
-iptables -A INPUT -i tap+ -j ACCEPT
-iptables -A FORWARD -i tap+ -j ACCEPT
-
-# Allow packets from private subnets
-iptables -A INPUT -i eth1 -j ACCEPT
-iptables -A FORWARD -i eth1 -j ACCEPT
-
-# Keep state of connections from local machine and private subnets
-iptables -A OUTPUT -m state --state NEW -o eth0 -j ACCEPT
-iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-iptables -A FORWARD -m state --state NEW -o eth0 -j ACCEPT
-iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-
-# Masquerade local subnet
-iptables -t nat -A POSTROUTING -s $PRIVATE -o eth0 -j MASQUERADE