
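#!/bin/bash

# CaduGW - Internet Gateway/Firewall Framework
# By Cadu <cadu.coelho@gmail.com>
#
# Interpreter: the functions in this file use bash-only syntax ("function",
# "[[ ]]", "echo -ne"), so the shebang must name bash; a plain POSIX sh
# (e.g. dash) rejects that syntax before a single rule is loaded.

# WARNING:
# default policies (see if it suits your environment):
# INPUT = DROP
# FORWARD = DROP
# OUTPUT = ACCEPT

# Config
#EXT1IP='10.0.10.128'

# -------------------------
# Framework version (shown by banner)
readonly VER="0.4"

# Path to the iptables binary; rules are issued through "$i".
# Keep this a single path, not a command line with embedded options.
i=/sbin/iptables

# Status flags maintained by catchfail/endval:
# _L_F_A_I_L - "local" failure: set when a command of the current step
#              failed, reported by endval and reset to 0 afterwards
_L_F_A_I_L=0
# _G_F_A_I_L - "global" failure: set once any step failed, never reset;
#              checked by firewall_check_fail at the end of the run
_G_F_A_I_L=0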
 
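# colorstart
# - Switch the terminal text style/colour by emitting the ANSI SGR escape
#   sequence ESC[<ATTR>;<COLOUR>m (no trailing newline).
# <ATTR> <COLOUR>
# Terminal Colors (<ATTR> 0 = normal, 1 = light/bold):
# Black   0;30
# Red     0;31
# Green   0;32
# Brown   0;33
# Blue    0;34
# Purple  0;35
# Cyan    0;36
# <Light> 1;xxx
colorstart() {
    # printf with a literal \033 is portable; "echo -ne" and "\e" are
    # bash extensions that behave differently under /bin/sh.
    printf '\033[%s;%sm' "$1" "$2"
}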
 
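# colorstop
# - Change back to default fg/bg colors (ANSI SGR reset, no trailing newline)
colorstop() {
    # printf is used instead of "echo -ne", which is not portable to /bin/sh
    printf '\033[m'
}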
 
# ok
# - print [OK] on the screen, "OK" in light green, followed by a newline
ok() {
    printf '['
    colorstart 1 32
    printf 'OK'
    colorstop
    printf ']\n'
}
 
# fail
# - print [FAIL] on the screen, "FAIL" in light red, followed by a newline
fail() {
    printf '['
    colorstart 1 31
    printf 'FAIL'
    colorstop
    printf ']\n'
}
 
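# catchfail
# - Records whether the command that ran immediately before it failed.
#   Must follow the command directly ("cmd ; catchfail"): any command run
#   in between would overwrite $?.
# Globals: _L_F_A_I_L (written), _G_F_A_I_L (written)
# Returns: always 0, so the bookkeeping itself never counts as a failure
catchfail() {
    # $? must be captured in this very statement; even a bare "local rc"
    # executed first would reset it to 0
    local rc=$?
    if [ "$rc" -ne 0 ]; then
        _L_F_A_I_L=1
        _G_F_A_I_L=1
    fi
    return 0
}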
 
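# endval
# - shows if the current step was successful ([OK]) or not ([FAIL]) and
#   resets the per-step flag so the next step starts clean
# Globals: _L_F_A_I_L (read, then reset to 0)
endval() {
    # explicit if/else: with "test && ok || fail" a non-zero status from ok
    # would print [FAIL] as well
    if [ "$_L_F_A_I_L" = "0" ]; then
        ok
    else
        fail
    fi
    _L_F_A_I_L=0
}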
 
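# firewall_check_fail
# - checks if any step failed (global flag) and warns; on failure the
#   half-built rule set is flushed and the policies opened so the box is
#   not left with an unknown mix of rules
# Globals: _G_F_A_I_L (read)
firewall_check_fail() {
    # explicit if/else: the former "test && {...} || {...}" form also ran
    # the "All ok" branch whenever the last command of the error branch
    # returned non-zero
    if [ "$_G_F_A_I_L" = "1" ]; then
        colorstart 1 31
        echo "---"
        echo "--- ERROR in firewall, check your firewall config and try again"
        echo "---"
        echo "--- Clearing rules..."
        colorstop

        # Incomplete firewall rules --> clear firewall, policy = ALLOW
        # NOTE: this fails *open* - the gateway forwards and accepts
        # everything until the config is fixed; use pol_drop here instead
        # if losing connectivity is preferable to running unfiltered.
        firewall_clear
        pol_allow
    else
        colorstart 1 32
        echo "--- All ok."
        colorstop
    fi
}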
 
# banner
# - Prints the program name/version banner, version and <TEXT> in light red:
#   "- CaduGW v<VER> for <TEXT>" framed by "-" lines
# <TEXT>
# Globals: VER (read)
banner() {
    printf '%s\n' "-"
    printf '%s' "- CaduGW v"
    colorstart 1 31
    printf '%s' "$VER"
    colorstop
    printf '%s' " for "
    colorstart 1 31
    printf '%s\n' "$1"
    colorstop
    printf '%s\n' "-"
}
 
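# pol_allow
# - Sets INPUT and FORWARD's default policy to ACCEPT (Open the router)
# Globals: i (read)
# Returns: 0 if both policies were set; otherwise the status of the last
#          failing iptables call (both calls are attempted either way)
pol_allow() {
    local rc=0
    # remember any failure instead of only the last command's status,
    # so "pol_allow ; catchfail" cannot miss a failed INPUT policy
    "$i" -P INPUT ACCEPT || rc=$?
    "$i" -P FORWARD ACCEPT || rc=$?
    return "$rc"
}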
 
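# pol_drop
# - Sets INPUT and FORWARD's default policy to DROP (Close the router)
# Globals: i (read)
# Returns: 0 if both policies were set; otherwise the status of the last
#          failing iptables call (both calls are attempted either way)
pol_drop() {
    local rc=0
    # remember any failure instead of only the last command's status,
    # so "pol_drop ; catchfail" cannot miss a failed INPUT policy
    "$i" -P INPUT DROP || rc=$?
    "$i" -P FORWARD DROP || rc=$?
    return "$rc"
}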
 
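# firewall_clear
# - Clears/Flushes all rules, user chains and counters of the filter, nat
#   and mangle tables. Policies are left untouched.
# Globals: i (read)
# Returns: 0 if every call succeeded; otherwise the status of the last
#          failing call. All nine calls are attempted regardless, so one
#          failure does not leave other tables unflushed.
firewall_clear() {
    local rc=0
    local table
    # "filter" is iptables' default table, i.e. "-t filter -F" == "-F"
    for table in filter nat mangle; do
        "$i" -t "$table" -F || rc=$?   # flush all rules
        "$i" -t "$table" -X || rc=$?   # delete user-defined chains
        "$i" -t "$table" -Z || rc=$?   # zero packet/byte counters
    done
    return "$rc"
}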
 
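# firewall_init
# - Clears everything / Sets INPUT and FORWARD's default policy to DROP and
#   creates the user chains the other functions append to. The DROP policy
#   is set before any ACCEPT rule is added, so the host is never briefly
#   open while the rule set is (re)built.
# Globals: i (read)
firewall_init() {
    printf '%s' "Initializing firewall..."

    # clear everything
    firewall_clear ; catchfail

    # Policy = DROP
    pol_drop ; catchfail

    # User chains
    # Machines that can have certain ports forwarded
    # (issued through "$i" like every other rule, and checked: the former
    # bare "iptables -N" call bypassed both)
    "$i" -N FW_PORTGROUPS ; catchfail

    # Mac addresses from this chain have full forwarding enabled (full nat = proxy bypass)
    "$i" -N MACADDRFULLFW ; catchfail

    endval
}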
 
 
# allow_loopback
# - Allows all "lo" interface interaction (INPUT from the loopback device)
# Globals: i (read)
allow_loopback() {
    printf '%s' "Allowing loopback..."
    "$i" -A INPUT -i lo -j ACCEPT ; catchfail
    endval
}
 
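# open_input_basic
# - Open basic stuff on the INPUT CHAIN for one interface: conntrack
#   replies to our own connections, and SSH (tcp/22)
# <IFNAME>
# Globals: i (read)
open_input_basic() {
    printf '%s' "Opening basic stuff for \"$1\"..."

    # Allow ping
    #"$i" -A INPUT -i "$1" -p icmp -j ACCEPT ; catchfail

    # Allow related connections' packets originated from us to come back
    "$i" -A INPUT -i "$1" -m state --state ESTABLISHED,RELATED -j ACCEPT ; catchfail

    # Allow SSH
    # NOTE: open on the whole interface; on an external interface consider
    # restricting the source (-s) to the management network.
    "$i" -A INPUT -i "$1" -p tcp --dport 22 -j ACCEPT ; catchfail
    endval
}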
 
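# open_input_port_tcp
# - Open a TCP port on the INPUT chain for the specified interface
# <IFNAME> <PORT> <DESCRIPTION>   (<DESCRIPTION> is only echoed)
# Globals: i (read)
open_input_port_tcp() {
    printf '%s' "Opening TCP port $2 on \"$1\" interface ($3)..."
    "$i" -A INPUT -i "$1" -p tcp --dport "$2" -j ACCEPT ; catchfail
    endval
}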
 
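# open_input_port_udp
# - Open a UDP port on the INPUT chain for the specified interface
# <IFNAME> <PORT> <DESCRIPTION>   (<DESCRIPTION> is only echoed)
# Globals: i (read)
open_input_port_udp() {
    printf '%s' "Opening UDP port $2 on \"$1\" interface ($3)..."
    "$i" -A INPUT -i "$1" -p udp --dport "$2" -j ACCEPT ; catchfail
    endval
}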
 
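# allow_dns_external
# - Allows locally generated DNS requests to come back from the OUTSIDE
#   (Upstream DNS servers) by accepting UDP packets with *source* port 53
# <IFNAME>
# Globals: i (read)
# NOTE(review): matching on the remote source port is a weak filter - any
#   external sender can reach any UDP service on the gateway simply by
#   sending from port 53. The conntrack rule added by open_input_basic
#   (ESTABLISHED,RELATED) already admits genuine replies, so this rule is
#   only needed on interfaces where that function is not used.
allow_dns_external() {
    printf '%s' "Allowing DNS replies from \"$1\"..."
    "$i" -A INPUT -i "$1" -p udp --sport 53 -j ACCEPT ; catchfail
    endval
}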
 
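# allow_dns_internal
# - Allows INSIDE machines to use the gateway's DNS service (udp/53 on INPUT)
# <IFNAME>
# Globals: i (read)
allow_dns_internal() {
    printf '%s' "Allowing DNS requests from \"$1\"..."
    "$i" -A INPUT -i "$1" -p udp --dport 53 -j ACCEPT ; catchfail
    endval
}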
 
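# open_forward_external
# - Accepts forwarded packets arriving on the OUTSIDE interface: replies to
#   connections from the INSIDE NAT'D machines (ESTABLISHED,RELATED) and
#   also NEW connections, which is what lets the DNAT port-forwards of
#   redirect_to_internal_host reach the inside host.
# <IFNAME>
# Globals: i (read)
# NOTE(review): NEW makes this rule broader than "replies only" - with the
#   FORWARD policy at DROP it is the rule that admits unsolicited inbound
#   forwarding on this interface. Restrict it to the forwarded hosts/ports,
#   or drop NEW, if no port-forwards are configured.
open_forward_external() {
    printf '%s' "Allowing FORWARDed packets to come back from \"$1\"..."
    "$i" -A FORWARD -i "$1" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT ; catchfail
    endval
}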
 
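# open_forward_internal
# - Allows machines from the INSIDE to have their packets traversed to the
#   outside (allowed to NAT), by sending FORWARD traffic from <IFNAME>
#   through the FW_PORTGROUPS and MACADDRFULLFW user chains. Anything those
#   chains do not ACCEPT falls back to the FORWARD policy (DROP).
# <IFNAME>
# Globals: i (read)
open_forward_internal() {
    printf '%s' "Allowing machines from \"$1\" to go to the outside network..."

    "$i" -A FORWARD -i "$1" -j FW_PORTGROUPS ; catchfail
    "$i" -A FORWARD -i "$1" -j MACADDRFULLFW ; catchfail

    # "$i" -A FORWARD -j LOG ; "$i" -A FORWARD -i "$1" -j ACCEPT # DEBUG
    endval
}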
 
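# portgroup_create
# - Creates a new Port Group, i.e. the user chain PG_<PORT GROUP NAME>
# <PORT GROUP NAME>
# Globals: i (read)
portgroup_create() {
    printf '%s' "Creating port group \"$1\"..."
    "$i" -N "PG_$1" ; catchfail
    endval
}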
 
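# portgroup_addport_tcp
# - Adds a TCP port to a Port Group (ACCEPT in chain PG_<PORT GROUP NAME>)
# <PORTNUMBER> <PORT GROUP NAME>
# Globals: i (read)
portgroup_addport_tcp() {
    printf '%s' "Opening tcp port $1 for port group \"$2\"..."
    "$i" -A "PG_$2" -p tcp --dport "$1" -j ACCEPT ; catchfail
    endval
}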
 
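# portgroup_addport_udp
# - Adds a UDP port to a Port Group (ACCEPT in chain PG_<PORT GROUP NAME>)
# <PORTNUMBER> <PORT GROUP NAME>
# Globals: i (read)
portgroup_addport_udp() {
    printf '%s' "Opening udp port $1 for port group \"$2\"..."
    "$i" -A "PG_$2" -p udp --dport "$1" -j ACCEPT ; catchfail
    endval
}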
 
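# portgroup_addmac
# - Ties given MAC --> Port Group: forwarded traffic from that source MAC is
#   sent to chain PG_<PORT GROUP NAME>
# <MACADDR> <PORT GROUP NAME>
# Globals: i (read)
# NOTE(review): a MAC address is set by the client and is not an
#   authenticator; treat port-group membership as a convenience, not as
#   access control.
portgroup_addmac() {
    printf '%s' "Adding MAC \"$1\" to port group \"$2\"..."
    "$i" -A FW_PORTGROUPS -m mac --mac-source "$1" -j "PG_$2" ; catchfail
    endval
}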
 
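# macaddrfullfw_addmac
# - Adds a mac address that can do full port forwarding (proxy bypass):
#   forwarded traffic from that source MAC is ACCEPTed unconditionally
# <MACADDR>
# Globals: i (read)
# NOTE(review): a MAC address is set by the client and is not an
#   authenticator; this grants the broadest forwarding right in the
#   framework, so keep the list short and review it.
macaddrfullfw_addmac() {
    printf '%s' "Adding $1 to privileged mac address list..."
    "$i" -A MACADDRFULLFW -m mac --mac-source "$1" -j ACCEPT ; catchfail
    endval
}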
 
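# redirect_to_gw_tcp
# - Redirects TCP packets from interface: <port> --> <newport> on the
#   gateway itself (nat PREROUTING REDIRECT) and opens <newport> on INPUT
#   for that interface so the redirected packets are accepted
# <IFNAME> <PORTNUMBER> <NEW PORTNUMBER>
# Globals: i (read)
redirect_to_gw_tcp() {
    printf '%s' "Redirecting port $2 to $3 at gateway's interface $1..."
    "$i" -t nat -A PREROUTING -p tcp -i "$1" --dport "$2" -j REDIRECT --to-port "$3" ; catchfail
    "$i" -A INPUT -p tcp -i "$1" --dport "$3" -j ACCEPT ; catchfail
    endval
}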
 
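# redirect_to_internal_host
# - Portforward a TCP port from the outside to a host:port on the inside
#   network (nat PREROUTING DNAT). Only the NAT mapping is added here: the
#   forwarded connection must also be accepted in the FORWARD chain, which
#   open_forward_external (NEW,ESTABLISHED,RELATED) does for the interface.
# <EXTERNAL IFNAME> <OUTSIDE PORTNUMBER> <INSIDE IP> <NEW PORTNUMBER> <COMMENT>
#   (the parameter order follows the code: $1 is the interface, $2 the port;
#   <COMMENT> is only echoed)
# Globals: i (read)
redirect_to_internal_host() {
    printf '%s' "Forwarding port $2 from \"$1\" interface to $3:$4 ($5)..."
    "$i" -t nat -A PREROUTING -p tcp -i "$1" --dport "$2" -j DNAT --to "$3:$4" ; catchfail
    endval
}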
 
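# nat_enable
# - Enables IP FORWARDING and uses <INTERFACE> as the outside world:
#   everything leaving through it is MASQUERADEd (source NAT)
# <IFNAME>
# Globals: i (read); writes /proc/sys/net/ipv4/ip_forward
nat_enable() {
    printf '%s' "Enabling NAT/IP Forwarding..."

    "$i" -t nat -A POSTROUTING -o "$1" -j MASQUERADE ; catchfail

    # Enable IP Forwarding in Kernel; a failed redirection (e.g. not root)
    # gives a non-zero status that catchfail records
    echo 1 > /proc/sys/net/ipv4/ip_forward ; catchfail

    endval
}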
