Difference between revisions of "Firewall"

From Organic Design wiki
(new syntax for negation)
(switched eth0 and 1)
 
(One intermediate revision by the same user not shown)
Line 1: Line 1:
This is a basic firewall which works for most Linux distro's. It's based on the [http://www.debian-administration.org/articles/23 Setting up a simple Debian gateway] article from [http://www.debian-administration.org debian-administration.org] and assumes ''eth0'' to be the external WAN interface and ''eth1'' the internal LAN interface. On Debian based machines, save this script as ''/etc/network/if-up.d/00-firewall'' and it will execute whenever the networking starts up.
+
{{svn|tools|firewall.sh}}
  
{{code|<bash>
+
This is a basic firewall which works for most Linux distro's. It's based on the [http://www.debian-administration.org/articles/23 Setting up a simple Debian gateway] article from [http://www.debian-administration.org debian-administration.org] and assumes ''eth0'' to be the internal LAN interface and ''eth1'' the external WAN interface. On Debian based machines, save this script as ''/etc/network/if-up.d/00-firewall'' and it will execute whenever the networking starts up.
#!/bin/sh
 
 
 
# delete all existing rules.
 
iptables -F
 
iptables -t nat -F
 
iptables -t mangle -F
 
iptables -X
 
 
 
# Always accept loopback traffic
 
iptables -A INPUT -i lo -j ACCEPT
 
 
 
# Allow established connections, and those not coming from the outside
 
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 
iptables -A INPUT -m state --state NEW ! -i eth0 -j ACCEPT
 
iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
 
 
 
# Allow outgoing connections from the LAN side.
 
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
 
 
 
# Masquerade.
 
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
 
 
 
# Dont forward from the outside to the inside.
 
iptables -A FORWARD -i eth0 -o eth0 -j REJECT
 
 
 
# Example pinhole: forward packets on port 5900 to 192.168.1.100
 
iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 5900 -j ACCEPT
 
iptables -A PREROUTING -t nat -p tcp --dport 5900 -j DNAT --to-destination 192.168.1.100
 
 
 
# Enable routing.
 
echo 1 > /proc/sys/net/ipv4/ip_forward
 
</bash>}}
 
  
 
== See also ==
 
== See also ==
 
*[http://packages.debian.org/search?keywords=dnsmasq dnsmasq]
 
*[http://packages.debian.org/search?keywords=dnsmasq dnsmasq]
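Review bot: The added intro line now contradicts the unchanged rules below it: it calls eth0 the internal LAN interface and eth1 the WAN, but `! -i eth0` on the NEW-state INPUT rule, `-i eth1 -o eth0 -j ACCEPT` on FORWARD and `-o eth0 -j MASQUERADE` in POSTROUTING all only make sense with eth0 facing the outside. Either restore the original wording or swap the interface names in every rule. Separately, the script sets no default policy (there is no `iptables -P INPUT DROP` / `iptables -P FORWARD DROP` after the flush, and `-F` does not reset policies), so on a stock kernel both chains stay at ACCEPT and the `! -i eth0` rule excludes nothing; the rule under "Dont forward from the outside to the inside" is also written as `iptables -A FORWARD -i eth0 -o eth0 -j REJECT`, which never matches traffic routed between the two interfaces. Suggest adding the two DROP policies right after the flush, changing that REJECT to `-i eth0 -o eth1`, and moving the port-5900 pinhole ACCEPT ahead of the REJECT, since iptables stops at the first matching rule.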

Latest revision as of 05:30, 17 November 2009

This code is in our Git repository.

Note: If there is no information in this page about this code and it's a MediaWiki extension, there may be something at mediawiki.org.

This is a basic firewall which works for most Linux distros. It's based on the Setting up a simple Debian gateway article from debian-administration.org and assumes eth0 to be the internal LAN interface and eth1 the external WAN interface. On Debian-based machines, save this script as /etc/network/if-up.d/00-firewall and it will execute whenever the networking starts up.
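The gateway described above, as an added example that is not the wiki's own script: a POSIX sh version that takes the WAN and LAN interface names as parameters (the example assumes eth0 = WAN and eth1 = LAN, which is what the rules in the revision history actually implement), sets explicit default-DROP policies so the INPUT and FORWARD rules restrict anything at all, places the pinhole ACCEPT ahead of the outside-to-inside REJECT, and adds a small check_rules function that flags a rule list with no DROP policies or with a FORWARD rule whose -i and -o are the same interface. The function names, the print/apply/check subcommands and the sample pinhole values are assumptions of this example, not part of the original page.

```shell
#!/bin/sh
# Added example, not the wiki's firewall.sh. Assumes eth0 = WAN, eth1 = LAN.
#   sh firewall.sh print   - show the rules that would be loaded
#   sh firewall.sh apply   - load them (needs root) and enable forwarding
#   sh firewall.sh check   - read a rule list on stdin and flag known mistakes

# firewall_rules WAN LAN [PINHOLE_PORT PINHOLE_HOST]
# Prints the iptables commands one per line instead of running them,
# so they can be reviewed or diffed before being applied.
firewall_rules() {
    wan=$1
    lan=$2
    pin_port=${3:-}
    pin_host=${4:-}
    cat <<EOF
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW ! -i $wan -j ACCEPT
iptables -A FORWARD -i $wan -o $lan -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $lan -o $wan -j ACCEPT
EOF
    # Pinhole: the ACCEPT must come before the REJECT below, and the DNAT
    # happens in PREROUTING, so the FORWARD rule already sees the LAN host.
    if [ -n "$pin_port" ] && [ -n "$pin_host" ]; then
        cat <<EOF
iptables -A FORWARD -i $wan -o $lan -p tcp --dport $pin_port -d $pin_host -m state --state NEW -j ACCEPT
iptables -t nat -A PREROUTING -i $wan -p tcp --dport $pin_port -j DNAT --to-destination $pin_host
EOF
    fi
    cat <<EOF
iptables -A FORWARD -i $wan -o $lan -j REJECT
iptables -t nat -A POSTROUTING -o $wan -j MASQUERADE
EOF
}

# check_rules: reads a rule list on stdin; returns 0 when it has DROP policies
# for INPUT and FORWARD and no rule whose -i and -o name the same interface
# (such a rule never matches traffic routed between two interfaces).
check_rules() {
    status=0
    rules=$(cat)
    for chain in INPUT FORWARD; do
        if ! printf '%s\n' "$rules" | grep -q -- "-P $chain DROP"; then
            echo "missing: iptables -P $chain DROP" >&2
            status=1
        fi
    done
    printf '%s\n' "$rules" | awk '{
        ifin = ""; ifout = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "-i") ifin = $(i + 1)
            if ($i == "-o") ifout = $(i + 1)
        }
        if (ifin != "" && ifin == ifout) {
            print "same -i and -o, never matches routed traffic: " $0 > "/dev/stderr"
            bad = 1
        }
    } END { exit bad }' || status=1
    return $status
}

case "${1:-}" in
    print) firewall_rules eth0 eth1 5900 192.168.1.100 ;;
    apply) firewall_rules eth0 eth1 5900 192.168.1.100 | sh -e \
               && echo 1 > /proc/sys/net/ipv4/ip_forward ;;
    check) check_rules ;;
esac
```

Generating the rules as text and loading them with `sh -e` means a typo aborts the load instead of leaving a half-applied rule set, and the same text can be piped through `check` (or kept under version control) before it ever touches a live gateway.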

See also

dnsmasq: http://packages.debian.org/search?keywords=dnsmasq