Difference between revisions of "Firewall"

Revision as of 05:13, 25 May 2009

This is a basic firewall which works for most Linux distro's. It's based on the Setting up a simple Debian gateway article from debian-administration.org and assumes eth0 to be the external WAN interface and eth1 the internal LAN interface. On Debian based machines, save this script as /etc/network/if-up.d/00-firewall and it will execute whenever the networking starts up.

<bash>

!/bin/sh

delete all existing rules.

iptables -F iptables -t nat -F iptables -t mangle -F iptables -X

Always accept loopback traffic

iptables -A INPUT -i lo -j ACCEPT

Allow established connections, and those not coming from the outside

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -m state --state NEW -i ! eth0 -j ACCEPT iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT

Allow outgoing connections from the LAN side.

iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

Masquerade.

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Dont forward from the outside to the inside.

iptables -A FORWARD -i eth0 -o eth0 -j REJECT

Example pinhole: forward packets on port 5900 to 192.168.1.100

iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 5900 -j ACCEPT iptables -A PREROUTING -t nat -p tcp --dport 5900 -j DNAT --to-destination 192.168.1.100

Enable routing.

echo 1 > /proc/sys/net/ipv4/ip_forward </bash>

@@ Line 26: / Line 26: @@
 # Dont forward from the outside to the inside.
 iptables -A FORWARD -i eth0 -o eth0 -j REJECT
+# Example pinhole: forward packets on port 5900 to 192.168.1.100
+iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 5900 -j ACCEPT
+iptables -A PREROUTING -t nat -p tcp --dport 5900 -j DNAT --to-destination 192.168.1.100
 # Enable routing.

Difference between revisions of "Firewall"

Revision as of 05:13, 25 May 2009

See also

Navigation menu

Views

Personal tools

Navigation

Search

Navigation

Blogs

Recent activity

Site map

Tools