This is a basic firewall that works for most Linux distros. It is based on the "Setting up a simple Debian gateway" article from debian-administration.org and assumes eth0 is the external WAN interface and eth1 the internal LAN interface. On Debian-based machines, save this script as /etc/network/if-up.d/00-firewall and it will run whenever networking starts up.
<bash>
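#!/bin/sh
# Basic NAT gateway firewall: WAN = external interface, LAN = internal one.
# Installed as /etc/network/if-up.d/00-firewall it re-runs on every
# interface-up event, so it must be idempotent: flush first, then rebuild.
#
# Stop at the first failing iptables command. The default policies are set
# to DROP before any ACCEPT rule is added, so a partial run fails closed
# instead of leaving the host open.
set -e

WAN=eth0
LAN=eth1

# Delete all existing rules and user-defined chains in every table.
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
iptables -t nat -X
iptables -t mangle -X

# Default policies: nothing gets in or through unless a rule below allows it.
# Without these the stock policy is ACCEPT, and since every INPUT rule below is
# an ACCEPT, unsolicited traffic from the WAN would not be blocked at all.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# Always accept loopback traffic.
iptables -A INPUT -i lo -j ACCEPT

# Allow established connections, and new ones not coming from the outside.
# Negation goes before the option ("! -i"); the older "-i ! eth0" spelling is
# rejected by current iptables.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW ! -i "$WAN" -j ACCEPT
iptables -A FORWARD -i "$WAN" -o "$LAN" -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow outgoing connections from the LAN side.
iptables -A FORWARD -i "$LAN" -o "$WAN" -j ACCEPT

# Masquerade LAN traffic leaving via the WAN interface.
iptables -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE

# Example pinhole: forward TCP port 5900 arriving on the WAN to 192.168.1.100.
# The DNAT is limited to the WAN interface so LAN clients reaching the
# gateway's own port 5900 are not silently redirected. The ACCEPT must sit
# above the catch-all REJECT below, because FORWARD rules match in order.
iptables -A FORWARD -i "$WAN" -o "$LAN" -p tcp --dport 5900 -j ACCEPT
iptables -t nat -A PREROUTING -i "$WAN" -p tcp --dport 5900 -j DNAT --to-destination 192.168.1.100

# Don't forward anything else from the outside to the inside. The FORWARD DROP
# policy already covers this; the explicit REJECT answers with an ICMP error
# instead of a silent timeout. Note the match is WAN -> LAN: a rule matching
# "-i eth0 -o eth0" would only cover WAN -> WAN and never apply here.
iptables -A FORWARD -i "$WAN" -o "$LAN" -j REJECT

# Enable routing.
echo 1 > /proc/sys/net/ipv4/ip_forward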
</bash>