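#!/bin/sh
# sshttp tproxy netfilter rules
#
# Installs the netfilter/TPROXY plumbing for an sshttpd started as
#
#   sshttpd -L 1234 -S 22 -H 8080 -T
#
# Connections arriving on EXDEV for one of the listed internal hosts on
# SERVICE_PORT are diverted (TPROXY) to LOCAL_PORT on this gateway; the
# INPUT rules below only let replies from the internal hosts' SSH_PORT /
# HTTP_PORT back in.
#
# Must run as root. The script flushes the filter, nat, raw and mangle
# tables and sets INPUT/FORWARD policy to DROP, so put any rules you
# need for administering the gateway itself into the "!!!" section
# before running it on a remotely managed machine. Re-running the
# script is safe: every "add" step that can already exist is tolerated.
INDEV=eth1           # internal NIC
EXDEV=eth0           # external NIC
SSH_PORT=22          # ssh port on internal
HTTP_PORT=8080       # http(s) port on internal
LOCAL_PORT=1234      # -L for sshttp
SERVICE_PORT=80      # port to outside (external)
# only allow access to these internal hosts
# (space separated; the unquoted expansion in the loops below relies on it)
SSH_HOSTS="192.168.0.33 192.168.0.34"
HTTP_HOSTS="192.168.0.33 192.168.0.34"

# load conntrack if it is a module; a failed modprobe is tolerated
modprobe nf_conntrack_ipv4 || true

# start from a clean slate in every table
iptables -t mangle -F
iptables -t nat -F
iptables -t raw -F
iptables -F
iptables -P FORWARD DROP
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT

# outside clients reach the gateway on SERVICE_PORT only
iptables -A INPUT -p tcp --dport "$SERVICE_PORT" -j ACCEPT
# replies from the internal ssh/http hosts to sshttpd
iptables -A INPUT -i "$INDEV" -p tcp --sport "$SSH_PORT" -j ACCEPT
iptables -A INPUT -i "$INDEV" -p tcp --sport "$HTTP_PORT" -j ACCEPT
# we already have DROP policy, but in case it's changed above
iptables -A INPUT -p tcp --dport "$LOCAL_PORT" -j DROP
iptables -A FORWARD -p tcp --dport "$LOCAL_PORT" -j DROP
iptables -A FORWARD -p tcp --dport "$SSH_PORT" -j DROP
iptables -A FORWARD -p tcp --dport "$HTTP_PORT" -j DROP

# !!! Add your other filtering rules for FORWARD and INPUT here
# !!! you may want to allow ssh access to your GW machine, and want to forbid some of
# !!! the HTTP or SSH access to ssh and http hosts (all of $SSH_HOSTS and $HTTP_HOSTS are
# !!! allowed to ssh AND http port). To forbid a http connect to a certain ssh machine,
# !!! add a REJECT target on the OUTPUT chain.

# DIVERT chain: marks packets that already belong to a local socket so
# the policy-routing rule below delivers them locally
iptables -t mangle -N DIVERT || true

# one TPROXY rule per allowed host; a host listed in both SSH_HOSTS and
# HTTP_HOSTS gets two identical rules, which is harmless
for h in $SSH_HOSTS; do
  iptables -t mangle -A PREROUTING -i "$EXDEV" -p tcp -d "$h" --dport "$SERVICE_PORT" \
    -j TPROXY --tproxy-mark 0x1/0x1 --on-port "$LOCAL_PORT"
done
for h in $HTTP_HOSTS; do
  iptables -t mangle -A PREROUTING -i "$EXDEV" -p tcp -d "$h" --dport "$SERVICE_PORT" \
    -j TPROXY --tproxy-mark 0x1/0x1 --on-port "$LOCAL_PORT"
done
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT

# policy routing: fwmark 1 -> table 123 -> deliver locally.
# Both objects may already exist on a re-run, so tolerate the failure
# the same way the DIVERT chain creation does.
ip rule add fwmark 1 lookup 123 || true
ip route add local 0.0.0.0/0 dev lo table 123 || true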