From 1d3916e36af76d07ed039d59f307d39b5e2722eb Mon Sep 17 00:00:00 2001
From: Salvydas Lukosius
Date: Sun, 28 Mar 2021 17:13:24 +0100
Subject: [PATCH 1/2] Fixed rest missing values
---
 example-full/public-server1/setup.sh | 6 +++---
 example-internet-browsing-vpn/server/setup.sh | 6 +++---
 example-lan-briding/montreal/setup.sh | 6 +++---
 example-lan-briding/vancouver/setup.sh | 6 +++---
 example-simple-client-to-server/server/setup.sh | 6 +++---
 example-simple-server-to-server/server1/setup.sh | 4 ++--
 6 files changed, 17 insertions(+), 17 deletions(-)
diff --git a/example-full/public-server1/setup.sh b/example-full/public-server1/setup.sh
index 385c4d8..b400ad1 100644
--- a/example-full/public-server1/setup.sh
+++ b/example-full/public-server1/setup.sh
@@ -6,9 +6,9 @@ apt update
 apt install wireguard
 # to enable kernel relaying/forwarding ability on bounce servers
-echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
-echo "net.ipv4.conf.all.proxy_arp" >> /etc/sysctl.conf
-sudo sysctl -p /etc/sysctl.conf
+echo "net.ipv4.ip_forward = 1" >>/etc/sysctl.conf
+echo "net.ipv4.conf.all.proxy_arp = 1" >>/etc/sysctl.conf
+sysctl -p /etc/sysctl.conf
 # to add iptables forwarding rules on bounce servers
 iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
diff --git a/example-internet-browsing-vpn/server/setup.sh b/example-internet-browsing-vpn/server/setup.sh
index 385c4d8..b400ad1 100644
--- a/example-internet-browsing-vpn/server/setup.sh
+++ b/example-internet-browsing-vpn/server/setup.sh
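Review bot: The two `echo … >>/etc/sysctl.conf` lines append unconditionally, so every re-run of setup.sh adds another copy of both keys to /etc/sysctl.conf; the same applies to the identical hunks in example-internet-browsing-vpn/server, example-lan-briding/montreal and vancouver, example-simple-client-to-server/server and example-simple-server-to-server/server1. Guarding each append makes the script idempotent, e.g. `grep -qxF 'net.ipv4.ip_forward = 1' /etc/sysctl.conf || echo 'net.ipv4.ip_forward = 1' >>/etc/sysctl.conf` and the same form for the proxy_arp line. Dropping `sudo` is consistent with the unprefixed `apt` and `iptables` calls in the context lines, but the script now has to run as root, so a root check near the top of the file (outside this hunk) would give a clear failure instead of a half-applied setup. `net.ipv4.conf.all.proxy_arp = 1` enables proxy ARP on every interface; if only the LAN-facing interface needs it, the per-interface key `net.ipv4.conf.<iface>.proxy_arp` is narrower, and a comment saying why the all-interfaces form is used would help the reader.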
@@ -6,9 +6,9 @@ apt update
 apt install wireguard
 # to enable kernel relaying/forwarding ability on bounce servers
-echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
-echo "net.ipv4.conf.all.proxy_arp" >> /etc/sysctl.conf
-sudo sysctl -p /etc/sysctl.conf
+echo "net.ipv4.ip_forward = 1" >>/etc/sysctl.conf
+echo "net.ipv4.conf.all.proxy_arp = 1" >>/etc/sysctl.conf
+sysctl -p /etc/sysctl.conf
 # to add iptables forwarding rules on bounce servers
 iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
diff --git a/example-lan-briding/montreal/setup.sh b/example-lan-briding/montreal/setup.sh
index 385c4d8..b400ad1 100644
--- a/example-lan-briding/montreal/setup.sh
+++ b/example-lan-briding/montreal/setup.sh
@@ -6,9 +6,9 @@ apt update
 apt install wireguard
 # to enable kernel relaying/forwarding ability on bounce servers
-echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
-echo "net.ipv4.conf.all.proxy_arp" >> /etc/sysctl.conf
-sudo sysctl -p /etc/sysctl.conf
+echo "net.ipv4.ip_forward = 1" >>/etc/sysctl.conf
+echo "net.ipv4.conf.all.proxy_arp = 1" >>/etc/sysctl.conf
+sysctl -p /etc/sysctl.conf
 # to add iptables forwarding rules on bounce servers
 iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
diff --git a/example-lan-briding/vancouver/setup.sh b/example-lan-briding/vancouver/setup.sh
index 385c4d8..da8a726 100644
--- a/example-lan-briding/vancouver/setup.sh
+++ b/example-lan-briding/vancouver/setup.sh
@@ -6,9 +6,9 @@ apt update
 apt install wireguard
 # to enable kernel relaying/forwarding ability on bounce servers
-echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
-echo "net.ipv4.conf.all.proxy_arp" >> /etc/sysctl.conf
-sudo sysctl -p /etc/sysctl.conf
+echo "net.ipv4.ip_forward = 1" >>/etc/sysctl.conf
+echo "net.ipv4.conf.all.proxy_arp =1" >>/etc/sysctl.conf
+sysctl -p /etc/sysctl.conf
 # to add iptables forwarding rules on bounce servers
 iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
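Review bot: In example-lan-briding/vancouver/setup.sh the added line writes `net.ipv4.conf.all.proxy_arp =1` without the space before the value that the other five files in this commit use, which is why this file lands on a different blob (`385c4d8..da8a726`) while the others share `b400ad1`. sysctl should still parse the key/value pair, but the divergence defeats any later grep-based presence check and a side-by-side comparison of the example setup scripts; `echo "net.ipv4.conf.all.proxy_arp = 1" >>/etc/sysctl.conf` keeps the six files identical.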
diff --git a/example-simple-client-to-server/server/setup.sh b/example-simple-client-to-server/server/setup.sh
index 385c4d8..b400ad1 100644
--- a/example-simple-client-to-server/server/setup.sh
+++ b/example-simple-client-to-server/server/setup.sh
@@ -6,9 +6,9 @@ apt update
 apt install wireguard
 # to enable kernel relaying/forwarding ability on bounce servers
-echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
-echo "net.ipv4.conf.all.proxy_arp" >> /etc/sysctl.conf
-sudo sysctl -p /etc/sysctl.conf
+echo "net.ipv4.ip_forward = 1" >>/etc/sysctl.conf
+echo "net.ipv4.conf.all.proxy_arp = 1" >>/etc/sysctl.conf
+sysctl -p /etc/sysctl.conf
 # to add iptables forwarding rules on bounce servers
 iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
diff --git a/example-simple-server-to-server/server1/setup.sh b/example-simple-server-to-server/server1/setup.sh
index 3d6b76f..b400ad1 100644
--- a/example-simple-server-to-server/server1/setup.sh
+++ b/example-simple-server-to-server/server1/setup.sh
@@ -6,8 +6,8 @@ apt update
 apt install wireguard
 # to enable kernel relaying/forwarding ability on bounce servers
-echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
-echo "net.ipv4.conf.all.proxy_arp = 1" >> /etc/sysctl.conf
+echo "net.ipv4.ip_forward = 1" >>/etc/sysctl.conf
+echo "net.ipv4.conf.all.proxy_arp = 1" >>/etc/sysctl.conf
 sysctl -p /etc/sysctl.conf
 # to add iptables forwarding rules on bounce servers
From ad8096ef997dbe27d73a58df4ce1604a9907c6ca Mon Sep 17 00:00:00 2001
From: Salvydas Lukosius
Date: Sun, 28 Mar 2021 17:14:16 +0100
Subject: [PATCH 2/2] iptables example
---
 example-iptables/iptables.sh | 80 ++++++++++++++++++++++++++++++++++++
 1 file changed, 80 insertions(+)
 create mode 100644 example-iptables/iptables.sh
diff --git a/example-iptables/iptables.sh b/example-iptables/iptables.sh
new file mode 100644
index 0000000..20017f5
--- /dev/null
+++ b/example-iptables/iptables.sh
@@ -0,0 +1,80 @@
+#!/bin/bash
+IPT="/sbin/iptables"
+
+# Server IP
+SERVER_IP="$(ip addr show eth0 | grep 'inet ' | cut -f2 | awk '{ print $2}')"
+
+# Your DNS servers you use: cat /etc/resolv.conf
+DNS_SERVER="8.8.4.4 8.8.8.8"
+
+# Allow connections to this package servers
+PACKAGE_SERVER="ftp.us.debian.org security.debian.org"
+
+echo "flush iptable rules"
+$IPT -F
+$IPT -X
+$IPT -t nat -F
+$IPT -t nat -X
+$IPT -t mangle -F
+$IPT -t mangle -X
+
+echo "Set default policy to 'DROP'"
+$IPT -P INPUT DROP
+$IPT -P FORWARD DROP
+$IPT -P OUTPUT DROP
+
+## This should be one of the first rules.
+## so dns lookups are already allowed for your other rules
+for ip in $DNS_SERVER; do
+ echo "Allowing DNS lookups (tcp, udp port 53) to server '$ip'"
+ $IPT -A OUTPUT -p udp -d $ip --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
+ $IPT -A INPUT -p udp -s $ip --sport 53 -m state --state ESTABLISHED -j ACCEPT
+ $IPT -A OUTPUT -p tcp -d $ip --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
+ $IPT -A INPUT -p tcp -s $ip --sport 53 -m state --state ESTABLISHED -j ACCEPT
+done
+
+echo "allow all and everything on localhost"
+$IPT -A INPUT -i lo -j ACCEPT
+$IPT -A OUTPUT -o lo -j ACCEPT
+
+for ip in $PACKAGE_SERVER; do
+ echo "Allow connection to '$ip' on port 21"
+ $IPT -A OUTPUT -p tcp -d "$ip" --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
+ $IPT -A INPUT -p tcp -s "$ip" --sport 21 -m state --state ESTABLISHED -j ACCEPT
+ echo "Allow connection to '$ip' on port 80"
+ $IPT -A OUTPUT -p tcp -d "$ip" --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
+ $IPT -A INPUT -p tcp -s "$ip" --sport 80 -m state --state ESTABLISHED -j ACCEPT
+ echo "Allow connection to '$ip' on port 443"
+ $IPT -A OUTPUT -p tcp -d "$ip" --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
+ $IPT -A INPUT -p tcp -s "$ip" --sport 443 -m state --state ESTABLISHED -j ACCEPT
+done
+
+#######################################################################################################
+## Global iptable rules. Not IP specific
+
+echo "Allowing new and established incoming connections to port 21, 80, 443"
+$IPT -A INPUT -p tcp -m multiport --dports 21,80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
+$IPT -A OUTPUT -p tcp -m multiport --sports 21,80,443 -m state --state ESTABLISHED -j ACCEPT
+
+echo "Allow all outgoing connections to port 22"
+$IPT -A OUTPUT -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
+$IPT -A INPUT -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
+
+echo "Allow outgoing icmp connections (pings,...)"
+$IPT -A OUTPUT -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
+$IPT -A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
+
+echo "Allow outgoing connections to port 123 (ntp syncs)"
+$IPT -A OUTPUT -p udp --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
+$IPT -A INPUT -p udp --sport 123 -m state --state ESTABLISHED -j ACCEPT
+
+# Log before dropping
+$IPT -A INPUT -j LOG -m limit --limit 12/min --log-level 4 --log-prefix 'IP INPUT drop: '
+$IPT -A INPUT -j DROP
+
+$IPT -A OUTPUT -j LOG -m limit --limit 12/min --log-level 4 --log-prefix 'IP OUTPUT drop: '
+$IPT -A OUTPUT -j DROP
+
+exit 0
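Review bot: The rule set never admits an inbound SSH session: the only port-22 rules (`$IPT -A OUTPUT -p tcp --dport 22 …` and its `--sport 22` reply rule) cover outgoing SSH, so on a host administered remotely the current session stops passing once `$IPT -P INPUT DROP` is set and nothing later re-admits it. Accepting reply traffic once, before the per-service rules, closes that gap and also covers the DNS and package-server replies: `$IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT` and `$IPT -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT` (`-m conntrack --ctstate` is also what the setup.sh hunks in patch 1 use, where this file uses the older `-m state`), with an explicit `--dport 22` INPUT rule added only if inbound SSH is intended. `SERVER_IP` is computed but never used, and the pipeline (`cut -f2` on the space-separated `ip addr` output, then `awk '{ print $2}'`) yields the address with its prefix length, so either drop it or use `ip -4 -o addr show dev eth0 | awk '{print $4}'` and strip the suffix with `${SERVER_IP%/*}`. Only IPv4 is touched: with no matching ip6tables policies a dual-stack host keeps IPv6 unfiltered, and none of this survives a reboot without an `iptables-save`-based persistence step, both worth a comment at the top of the file. The DNS loop passes `$ip` unquoted while the package-server loop quotes it; quoting both is cheap consistency.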