Nathan Pralle - www.nathanpralle.com
FIREWALL SCRIPT


#!/bin/sh
####################################################################
# Personal Linux IPTABLES Firewall Script
# Copyleft 2005 - Nathan E. Pralle
#
# DESCRIPTION: This is the firewall script I use on my personal network.
#              If you can use some or all of this to setup your own
#              Linux firewall, cool.
#
# SYNTAX:      Put this somewhere useful on your firewall machine.  I 
#              usually have it automatically run from /etc/rc.d/rc.local
#              Tested on Slackware 9.0
#
# REQUIRED:    IPTABLES support in the kernel
#              Firewalling and NAT turned on
#
# CONTACT:     Questions, comments, etc.
#              http://www.nathanpralle.com/contact.html
####################################################################

########################
# CONFIGURATION OPTIONS

LANIF="eth1"          #set to your LAN-side interface
WANIF="eth0"          #set to your WAN (Internet) side interface
WANIP="12.214.80.147" #set to your WAN (Internet) side IP address (not referenced by the rules below)
LANNET="10.2.1.0/24"  #set to your LAN-side IP address and netmask range
LOGLEVEL="info"       #set to the level of logging (see iptables manpage)
#######################

echo "Turning on forwarding..."
echo 1 >/proc/sys/net/ipv4/ip_forward
echo 1 >/proc/sys/net/ipv4/tcp_syncookies

echo "Flushing the tables..."
iptables -t filter -F
iptables -t nat -F

#### POSTROUTING CHAIN ####
echo "Setting up POSTROUTING chain..."
#Masquerade all packets
iptables -A POSTROUTING -t nat -o $WANIF -j MASQUERADE

#### FORWARD CHAIN ####
echo "Setting up FORWARD chain..."
#flush the chain
iptables -F FORWARD
#drop all packets by default
iptables -P FORWARD DROP
#accept packets from the LAN to the WAN by default
iptables -A FORWARD -i $LANIF -o $WANIF -j ACCEPT
#accept any previously established streams
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#Accept anything going out from the LAN automatically
iptables -A FORWARD -i $LANIF -s 0/0 -d 0/0 -j ACCEPT
#Accept anything going out from the localhost
iptables -A FORWARD -i lo -s 0/0 -d 0/0 -j ACCEPT
#Everything else: log it (the chain policy set above then drops it)
iptables -A FORWARD -j LOG --log-level $LOGLEVEL --log-prefix 'FORWARD-DENY '

echo "Setting up INPUT chain..."
#Flush the chain
iptables -F INPUT
#Drop everything by default
iptables -P INPUT DROP
#Accept from the localhost.  Bound to the lo interface so that a packet arriving
#on the WAN with a forged 127.0.0.1 source does not match here, ahead of the
#anti-spoof rules below.
iptables -A INPUT -i lo -s 127.0.0.1/32 -j ACCEPT
#Accept from the LAN
iptables -A INPUT -s $LANNET -i $LANIF -j ACCEPT
#Accept previously-established streams
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#Anything that comes in on the WAN but looks like it came from the LAN should be dropped (spoofed)
iptables -A INPUT -i $WANIF -s $LANNET -j DROP
#Anything from the 192.168.0.0/24 range on the WAN is clearly spoofed.  Drop.
#(Note: the full RFC 1918 block is 192.168.0.0/16; this rule covers only 192.168.0.x.)
iptables -A INPUT -i $WANIF -s 192.168.0.0/24 -j DROP
#Anything from the 127.0.0.0/8 loopback range on the WAN is spoofed.  Drop.
iptables -A INPUT -i $WANIF -s 127.0.0.1/8 -j DROP
#Any replies to DNS accept.  The ESTABLISHED,RELATED rule above already admits
#genuine replies; this rule matches on source port 53 alone, which any sender can set.
iptables -A INPUT -p udp -s 0/0 --sport 53 --dport 1024:65535 -j ACCEPT
#DNS accept (no -i given, so this is open on the WAN side as well as the LAN)
iptables -A INPUT -p udp -s 0/0 -d 0/0 --dport 53 -j ACCEPT
#SSH accept (likewise reachable from the WAN side)
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 22 -j ACCEPT
#Accept anything for 5190 for AIM from the LAN side.  Placed before the UDP and
#SYN drops below, otherwise a new connection to 5190 would be dropped before
#this rule is ever reached.
iptables -A INPUT -i $LANIF -p tcp --dport 5190 -j ACCEPT
#Otherwise, if it's udp, drop.
iptables -A INPUT -p udp -s 0/0 -d 0/0 -j DROP
#Drop new TCP connection attempts (SYN) to any port not accepted above
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --syn -j DROP
#Deny everything else and log it
iptables -A INPUT -j LOG --log-level $LOGLEVEL --log-prefix 'INPUT-DENY '

echo "Setting up the OUTPUT chain..."
iptables -F OUTPUT
iptables -P OUTPUT ACCEPT

echo "Done with firewall setup"
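As an added illustration (not part of the script or the author's site), a small Python model of how iptables evaluates the INPUT chain top to bottom, first terminating match wins. It is a simplification that assumes no connection tracking, so the state and --sport 53 rules are left out and LOG is treated as non-terminating; it compares a loopback accept that names no interface with one bound to lo.

```python
import ipaddress
# Added model of iptables first-match evaluation for the INPUT chain above.
# Simplification: no connection tracking (state and --sport 53 rules omitted),
# and LOG is modelled as a non-terminating target. Values are the page's.
LANIF, WANIF, LANNET = "eth1", "eth0", "10.2.1.0/24"

def rule(target, iface=None, src=None, proto=None, dport=None, syn=None):
    """One -A INPUT rule; None means that match is not specified."""
    return dict(target=target, iface=iface, src=src, proto=proto,
                dport=dport, syn=syn)

def matches(r, pkt):
    if r["iface"] is not None and pkt["iface"] != r["iface"]:
        return False
    if r["src"] is not None and ipaddress.ip_address(pkt["src"]) not in \
            ipaddress.ip_network(r["src"], strict=False):
        return False
    if r["proto"] is not None and pkt["proto"] != r["proto"]:
        return False
    if r["dport"] is not None and pkt.get("dport") != r["dport"]:
        return False
    return r["syn"] is None or pkt.get("syn", False) == r["syn"]

def verdict(chain, pkt, policy="DROP"):
    """Walk the chain top to bottom; the first terminating match wins."""
    for r in chain:
        if matches(r, pkt):
            if r["target"] == "LOG":
                continue          # LOG only logs; evaluation continues
            return r["target"]
    return policy                 # chain policy (iptables -P INPUT DROP)

# The page's INPUT rules in the page's order (state rules omitted).
ORIGINAL = [
    rule("ACCEPT", src="127.0.0.1/32"),              # loopback, any iface
    rule("ACCEPT", iface=LANIF, src=LANNET),
    rule("DROP", iface=WANIF, src=LANNET),            # anti-spoof
    rule("DROP", iface=WANIF, src="192.168.0.0/24"),  # anti-spoof
    rule("DROP", iface=WANIF, src="127.0.0.0/8"),     # anti-spoof
    rule("ACCEPT", proto="udp", dport=53),
    rule("ACCEPT", proto="tcp", dport=22),
    rule("DROP", proto="udp"),
    rule("DROP", proto="tcp", syn=True),
    rule("LOG"),
]
# Same chain with the loopback accept bound to the lo interface.
FIXED = [rule("ACCEPT", iface="lo", src="127.0.0.1/32")] + ORIGINAL[1:]
# Constructed packet: a SYN arriving on the WAN with a forged loopback source.
SPOOFED = dict(iface=WANIF, src="127.0.0.1", proto="tcp", dport=80, syn=True)
```

With the unbound loopback rule the forged packet is accepted by the first rule; bound to lo it falls through to the 127.0.0.0/8 anti-spoof drop.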

This site and all content (C)2002-2008 Nathan E. Pralle (www.nathanpralle.com).