Difference between revisions of "Firewall"

From Organic Design wiki
(add an example pinhole)
(new syntax for negation)
Line 15: Line 15:
 
# Allow established connections, and those not coming from the outside
 
# Allow established connections, and those not coming from the outside
 
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW -i ! eth0 -j ACCEPT
+
iptables -A INPUT -m state --state NEW ! -i eth0 -j ACCEPT
 
iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
 
iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
  

Revision as of 04:45, 17 November 2009

This is a basic firewall which works for most Linux distro's. It's based on the Setting up a simple Debian gateway article from debian-administration.org and assumes eth0 to be the external WAN interface and eth1 the internal LAN interface. On Debian based machines, save this script as /etc/network/if-up.d/00-firewall and it will execute whenever the networking starts up.


<bash>
  1. !/bin/sh
  1. delete all existing rules.

iptables -F iptables -t nat -F iptables -t mangle -F iptables -X

  1. Always accept loopback traffic

iptables -A INPUT -i lo -j ACCEPT

  1. Allow established connections, and those not coming from the outside

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -m state --state NEW ! -i eth0 -j ACCEPT iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT

  1. Allow outgoing connections from the LAN side.

iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

  1. Masquerade.

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

  1. Dont forward from the outside to the inside.

iptables -A FORWARD -i eth0 -o eth0 -j REJECT

  1. Example pinhole: forward packets on port 5900 to 192.168.1.100

iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 5900 -j ACCEPT iptables -A PREROUTING -t nat -p tcp --dport 5900 -j DNAT --to-destination 192.168.1.100

  1. Enable routing.

echo 1 > /proc/sys/net/ipv4/ip_forward </bash>

See also