forked from stealth/sshttp
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathnf6-tproxy
executable file
·71 lines (45 loc) · 2.01 KB
/
nf6-tproxy
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
#!/bin/sh
# sshttp tproxy netfilter rules
#
# sshttpd -L 1234 -S 22 -H 4343 -T -6
INDEV=eth1 # internal NIC
EXDEV=eth0 # external NIC
SSH_PORT=22 # ssh port on internal
HTTP_PORT=4343 # http(s) port on internal
LOCAL_PORT=1234 # -L for sshttp
SERVICE_PORT=443 # port to outside (external)
# only allow access to these internal hosts
SSH_HOSTS="3000::1 3000::2"
HTTP_HOSTS="3000::1 3000::2"
modprobe nf_conntrack_ipv6 || true
ip6tables -t mangle -F
ip6tables -t raw -F
ip6tables -F
ip6tables -P FORWARD DROP
ip6tables -P INPUT ACCEPT # ip6tables needs ACCEPT here?
ip6tables -P OUTPUT ACCEPT
ip6tables -A INPUT -p tcp --dport $LOCAL_PORT -j DROP
ip6tables -A INPUT -p tcp --dport $SERVICE_PORT -j ACCEPT
ip6tables -A INPUT -i $INDEV -p tcp --sport $SSH_PORT -j ACCEPT
ip6tables -A INPUT -i $INDEV -p tcp --sport $HTTP_PORT -j ACCEPT
# we already have DROP policy, but in case its changed above
ip6tables -A FORWARD -p tcp --dport $LOCAL_PORT -j DROP
ip6tables -A FORWARD -p tcp --dport $SSH_PORT -j DROP
ip6tables -A FORWARD -p tcp --dport $HTTP_PORT -j DROP
# !!! Add your other filtering rules for FORWARD and INPUT here
# !!! you may want to allow ssh access to your GW machine, and want to forbid some of
# !!! the HTTP or SSH access to ssh and http hosts (all of $SSH_HOSTS and $HTTP_HOSTS are
# !!! allowed to ssh AND http port). To forbid a http connect to a certain ssh machine,
# !!! add a REJECT target on the OUTPUT chain.
ip6tables -t mangle -N DIVERT || true
for h in $SSH_HOSTS; do
ip6tables -t mangle -A PREROUTING -i $EXDEV -p tcp -d $h --dport $SERVICE_PORT -j TPROXY --tproxy-mark 0x1/0x1 --on-port $LOCAL_PORT
done
for h in $HTTP_HOSTS; do
ip6tables -t mangle -A PREROUTING -i $EXDEV -p tcp -d $h --dport $SERVICE_PORT -j TPROXY --tproxy-mark 0x1/0x1 --on-port $LOCAL_PORT
done
ip6tables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
ip6tables -t mangle -A DIVERT -j MARK --set-mark 1
ip6tables -t mangle -A DIVERT -j ACCEPT
ip -6 rule add fwmark 1 lookup 123 || true
ip -6 route add local ::/0 dev lo table 123