#!/bin/bash
# BEGIN LICENSE #
#
# CERT Tapioca
#
# Copyright 2018 Carnegie Mellon University. All Rights Reserved.
#
# NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE
# ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS.
# CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER
# EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED
# TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY,
# OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON
# UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO
# FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.
#
# Released under a BSD (SEI)-style license, please see license.txt or
# contact [email protected] for full terms.
#
# [DISTRIBUTION STATEMENT A] This material has been approved for
# public release and unlimited distribution. Please see Copyright
# notice for non-US Government use and distribution.
# CERT(R) is registered in the U.S. Patent and Trademark Office by
# Carnegie Mellon University.
#
# DM18-0637
#
# END LICENSE #
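# Load the operator's settings: internal_net (LAN-side interface),
# external_net (upstream interface) and internal_subnet (LAN CIDR). The path
# is relative, so this must be run from the Tapioca directory. A missing file
# is reported but not fatal: the defaults below still let the script proceed.
source ./tapioca.cfg || echo "warning: ./tapioca.cfg could not be read; using defaults" >&2

# Placeholder values left by the installer mean tapioca.cfg was never edited.
if [[ "$internal_net" == "LAN_DEVICE" ]]; then
  nmcli dev status
  echo "Please edit tapioca.cfg to specify your LAN device"
  sleep 10
  exit 1
fi
if [[ "$external_net" == "WAN_DEVICE" ]]; then
  nmcli dev status
  echo "Did you run ./install_tapioca.sh first?"
  sleep 10
  exit 1
fi

# Apply defaults *before* anything reads these values. They used to be applied
# after the detection checks, so those checks compared against empty strings;
# the "Defaulting ..." lines were also bare words that bash tried to execute
# as commands instead of printing them.
if [[ -z "$external_net" ]]; then
  echo "Defaulting external interface to eth0"
  external_net=eth0
fi
if [[ -z "$internal_net" ]]; then
  echo "Defaulting internal interface to eth1"
  internal_net=eth1
fi
if [[ -z "$internal_subnet" ]]; then
  echo "Defaulting internal subnet to 10.0.0.0/24"
  internal_subnet=10.0.0.0/24
fi

# Network address of the LAN subnet (10.0.0.0 for 10.0.0.0/24) and a regex
# form of it with the dots escaped, for the route-table lookup below.
internal=${internal_subnet%%/*}
internal_re=${internal//./\\.}

# Work out which interface carries the IPv4 default route (upstream) and which
# one routes the LAN subnet, so the configured values can be cross-checked.
# netstat is legacy net-tools; `ip -4 route` is the modern equivalent.
default_route=$(netstat -rn | egrep "^0\.0\.0\.0" | head -n1)
detected_external=$(echo "$default_route" | awk '{print $NF}')
detected_external_ip=$(echo "$default_route" | awk '{print $2}')
# First three octets of the upstream gateway address. This is a crude overlap
# test that only catches the common case of a /24 LAN subnet.
detected_external_subnet=$(echo "$detected_external_ip" | awk -F. '{print $1 "." $2 "." $3}')
detected_internal=$(netstat -rn | egrep "^$internal_re" | awk '{print $NF}' | head -n1)

echo "detected external network adapter: $detected_external"
echo "configured external network adapter: $external_net"
echo "detected internal network adapter: $detected_internal"
echo "configured internal network adapter: $internal_net"

# An upstream gateway inside the LAN subnet means NAT and routing collide, so
# refuse to continue. Skipped when no default route was found. The right-hand
# side is an unquoted glob on purpose.
if [[ -n "$detected_external_ip" && $internal_subnet = $detected_external_subnet* ]]; then
  echo "*** External IP address $detected_external_ip is in the internal subnet ***"
  echo "*** External connection $detected_external is using the same internal subnet specified in tapioca.cfg ***"
  echo "*** If you have no control of your external subnet, you must edit both tapioca.cfg and /etc/dhcp/dhcpd.conf ***"
  sleep 10
  exit 1
fi
# The same interface serves both the default route and the LAN subnet.
if [[ "$detected_external" = "$detected_internal" ]]; then
  echo "Your upstream internet is using the same subnet as the default LAN side (10.0.0.0/24)"
  echo "This will require some manual configuration to avoid conflicts."
  sleep 10
fi
# Detected-vs-configured mismatches are warnings only: the configured values
# are what the firewall rules below are built from.
if [[ "$detected_external" != "$external_net" ]]; then
  nmcli device status
  echo ""
  echo "*** tapioca.cfg doesn't seem to be configured properly! ***"
  echo "*** $detected_external is detected as external, but $external_net is configured in tapioca.cfg ***"
  sleep 10
fi
if [[ "$detected_internal" != "$internal_net" ]]; then
  nmcli device status
  echo ""
  echo "*** tapioca.cfg doesn't seem to be configured properly! ***"
  echo "*** $detected_internal is detected as internal, but $internal_net is configured in tapioca.cfg ***"
  sleep 10
fi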
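# ---------------------------------------------------------------------------
# Firewall / NAT ruleset for "no proxy" mode: the host routes LAN-side traffic
# ($internal_net) out of $external_net behind its own address. IPv4 only:
# ip6tables is not touched here, so IPv6 is not governed by these rules.
# Forwarding itself (net.ipv4.ip_forward) is not enabled by this script.
# ---------------------------------------------------------------------------

# Drop all tracked connections so existing flows are re-evaluated against the
# new rules rather than riding on stale state.
conntrack -F

# Reset the filter table. INPUT is opened before the flush so the host (and
# any SSH session to it) is not cut off while the chain is empty; this leaves
# a brief unfiltered window, which is accepted here.
iptables -P INPUT ACCEPT
iptables -F
# Default block incoming traffic
iptables -P INPUT DROP
# Default-deny forwarding as well. Without this the explicit FORWARD ACCEPT
# rules below are no-ops on a distro whose FORWARD policy is ACCEPT, and any
# packet arriving on $external_net with a route to the LAN side would be
# forwarded. Other Tapioca rule scripts that share this host must set the
# FORWARD policy they need themselves.
iptables -P FORWARD DROP

# Accept on internal network: the LAN side is the device under test and is
# fully trusted, so every host service is reachable from it.
iptables -A INPUT -i "$internal_net" -j ACCEPT
iptables -A OUTPUT -o "$internal_net" -j ACCEPT
# Replies to connections the host itself opened (e.g. upstream DNS, updates).
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Accept on loopback. The OUTPUT rules only matter if the OUTPUT policy is
# changed to DROP elsewhere; it is left at its default here.
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# NAT: clear both nat chains *before* adding rules. The previous version
# flushed POSTROUTING after appending a subnet-scoped MASQUERADE, silently
# discarding it and leaving only the catch-all below as the effective rule.
iptables -t nat -F PREROUTING
iptables -t nat -F POSTROUTING
# NOTE(review): restricting this to -s "$internal_subnet" (and dropping the
# unscoped FORWARD rule below) is the stricter configuration the scoped rules
# suggest was intended; kept unscoped to preserve the effective behaviour.
iptables -t nat -A POSTROUTING -o "$external_net" -j MASQUERADE

# Forwarding: LAN -> upstream may open new connections; upstream -> LAN only
# for replies to those connections.
iptables -A FORWARD -i "$internal_net" -o "$external_net" -s "$internal_subnet" -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -i "$external_net" -o "$internal_net" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Broader than the scoped rule above: any source on the LAN interface.
iptables -A FORWARD -i "$internal_net" -o "$external_net" -j ACCEPT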