Difference between revisions of "Firewall"

From Organic Design wiki
(new firewall, old azzuro one out of date)
 
Line 1: Line 1:
 
This is a basic firewall which works for most Linux distro's. It's based on the [http://www.debian-administration.org/articles/23 Setting up a simple Debian gateway] article from [http://www.debian-administration.org debian-administration.org] and assumes ''eth0'' to be the external WAN interface and ''eth1'' the internal LAN interface. On Debian based machines, save this script as ''/etc/network/if-up.d/00-firewall'' and it will execute whenever the networking starts up.
 
This is a basic firewall which works for most Linux distro's. It's based on the [http://www.debian-administration.org/articles/23 Setting up a simple Debian gateway] article from [http://www.debian-administration.org debian-administration.org] and assumes ''eth0'' to be the external WAN interface and ''eth1'' the internal LAN interface. On Debian based machines, save this script as ''/etc/network/if-up.d/00-firewall'' and it will execute whenever the networking starts up.
  
{{code|<pre>
+
{{code|<bash>
 
#!/bin/sh
 
#!/bin/sh
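Review bot: `<bash>` is not a tag this wiki recognises, so swapping it in for `<pre>` breaks the rendering of the script: in the rendered revision below `<bash>` appears literally and every `#` comment line has become a numbered-list item (`1. !/bin/sh`, `1. delete all existing rules.`), because MediaWiki reads a leading `#` as ordered-list markup when no extension claims the enclosing tag. Keep `<pre>` inside `{{code|...}}`, or use a highlighter tag that is actually installed on this wiki.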
  
Line 24: Line 24:
 
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
 
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
  
# Don't forward from the outside to the inside.
+
# Dont forward from the outside to the inside.
 
iptables -A FORWARD -i eth0 -o eth0 -j REJECT
 
iptables -A FORWARD -i eth0 -o eth0 -j REJECT
  
 
# Enable routing.
 
# Enable routing.
 
echo 1 > /proc/sys/net/ipv4/ip_forward
 
echo 1 > /proc/sys/net/ipv4/ip_forward
</pre>}}
+
</bash>}}
  
 
== See also ==
 
== See also ==
 
*[http://packages.debian.org/search?keywords=dnsmasq dnsmasq]
 
*[http://packages.debian.org/search?keywords=dnsmasq dnsmasq]
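Review bot: the edit drops the apostrophe in the comment (`# Don't forward from the outside to the inside.` becomes `# Dont forward ...`); the old wording was correct. The rule under that comment, `iptables -A FORWARD -i eth0 -o eth0 -j REJECT`, matches traffic that enters and leaves on eth0 (the WAN side), which is not what the comment says; outside-to-inside is `-i eth0 -o eth1`, so either the rule or the comment should change. The closing `</bash>}}` has the same problem as the opening tag in the first hunk: the rendered revision shows it as literal text.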

Revision as of 11:46, 7 May 2009

This is a basic firewall which works for most Linux distros. It is based on the Setting up a simple Debian gateway article from debian-administration.org (http://www.debian-administration.org/articles/23) and assumes eth0 to be the external WAN interface and eth1 the internal LAN interface. On Debian-based machines, save this script as /etc/network/if-up.d/00-firewall and it will run whenever the networking is brought up.


<bash>
#!/bin/sh
# Delete all existing rules, so the script is safe to re-run.
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X

# Always accept loopback traffic.
iptables -A INPUT -i lo -j ACCEPT

# Allow established connections, and new ones not arriving on the outside
# (WAN) interface. The "!" negation goes in front of the option on current
# iptables; the older "-i ! eth0" form is deprecated.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW ! -i eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow outgoing connections from the LAN side.
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

# Masquerade LAN traffic leaving on the WAN interface.
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# Don't forward new connections from the outside (eth0) to the inside (eth1);
# replies to LAN-initiated connections were already accepted above.
iptables -A FORWARD -i eth0 -o eth1 -j REJECT

# Enable routing.
echo 1 > /proc/sys/net/ipv4/ip_forward
</bash>
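As an added example, not part of this wiki page or of the debian-administration article, here is the same gateway policy written as an iptables-restore ruleset with explicit default DROP policies on INPUT and FORWARD (the script above leaves the kernel's defaults in place, and with ACCEPT policies its INPUT accept rules have no effect), together with a check that can be run against the output of iptables-save on a live gateway. The function names gen_gateway_rules and check_default_drop are my own; eth0/eth1 follow the page.

```shell
#!/bin/sh
# Added example, not the wiki's script: the gateway policy as an
# iptables-restore ruleset, parameterised on the WAN and LAN interface names.
# Explicit DROP policies replace the kernel defaults, and iptables-restore
# loads the whole table atomically, so there is no window between
# "iptables -F" and the last "-A" during which the gateway has no rules.
# Usage: gen_gateway_rules eth0 eth1 | iptables-restore
gen_gateway_rules() {
    wan="$1"
    lan="$2"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Always accept loopback traffic.
-A INPUT -i lo -j ACCEPT
# Allow established connections, and new ones not arriving on the WAN side.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state NEW ! -i $wan -j ACCEPT
# Replies to LAN-initiated connections may come back in, the LAN may go out,
# and nothing new crosses from WAN to LAN (REJECT answers, DROP would not).
-A FORWARD -i $wan -o $lan -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $lan -o $wan -j ACCEPT
-A FORWARD -i $wan -o $lan -j REJECT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Masquerade LAN traffic leaving on the WAN interface.
-A POSTROUTING -o $wan -j MASQUERADE
COMMIT
EOF
}

# Check that a ruleset in iptables-save format (on stdin) sets DROP as the
# default policy for both INPUT and FORWARD in the filter table. Works on the
# output of gen_gateway_rules and on "iptables-save" from a running gateway.
# Exit status 0 when both policies are DROP, 1 otherwise.
check_default_drop() {
    awk '
        /^\*/ { table = substr($0, 2) }
        table == "filter" && $1 == ":INPUT"   && $2 == "DROP" { in_ok = 1 }
        table == "filter" && $1 == ":FORWARD" && $2 == "DROP" { fw_ok = 1 }
        END { exit !(in_ok && fw_ok) }
    '
}
```

Whichever form is used, a script in /etc/network/if-up.d/ is only run if it is executable (run-parts skips the rest), so chmod +x it after saving.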

See also

* dnsmasq: http://packages.debian.org/search?keywords=dnsmasq