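#!/bin/sh
#
# Basic iptables firewall rules script
#
# Edited somewhat by:
#
# Joey Kelly
# email: joey@joeykelly.net
# web: http://joeykelly.net
#
#
# The rules template originally came from:
#
# iptables script generator: V0.1-2002
# Comes with no warranty!
# e-mail: michael@1go.dk
#
# The rules cranked out by the generator were pretty sloppy, so I cleaned them up a bit.
#
# This is just a BASIC script: quite a lot of stuff has been left out.
# You should probably look for a script with a more comprehensive approach to filtering.
#
# This script assumes that you have an all-in-one firewall/router/server.
# Forwarding ports to a separate server on the lan (or in a DMZ!) isn't covered by this script, unfortunately.
# While you can forward ports with iptables, I prefer to use the rinetd utility instead.
#
# About half of the comments below are mine, by the way.
#
# As before, this script comes with no warranty. Use at your own risk.
#
# Here goes...
#
# Site-specific settings. Every rule below keys off these three values, so
# check them before running: a wrong LAN_NIC puts the unrestricted
# "accept everything from the LAN" INPUT rule on the Internet-facing
# interface. They are readonly so a later edit further down the script
# cannot quietly override them.
readonly LAN_IP_NET='192.168.1.0/24' # change this to match your LAN address range
readonly LAN_NIC='eth1'              # is this correct for your firewall?
readonly WAN_NIC='eth0'              # is this correct?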
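# First we disable packet forwarding while the rule set is rebuilt, so no
# traffic is routed through the box during the window where the old rules
# are gone and the new ones are not yet all in place.
echo 0 > /proc/sys/net/ipv4/ip_forward
#
# Next we flush all existing iptables rules.
# NOTE(review): this flushes the filter table's built-in chains and the
# three nat chains only; the mangle table and any user-defined chains
# (iptables -X) are left as they are.
iptables -t nat -F POSTROUTING
iptables -t nat -F PREROUTING
iptables -t nat -F OUTPUT
iptables -F

# Next we set our default policy (deny-by-default for inbound and routed
# traffic; outbound traffic from the firewall itself is allowed).
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# Here we enable masquerade and forwarding: LAN hosts may go out, and only
# reply/related traffic to those connections is routed back in.
iptables -A POSTROUTING -t nat -o "$WAN_NIC" -j MASQUERADE
iptables -A FORWARD -i "$LAN_NIC" -s "$LAN_IP_NET" -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# The first thing we open up is localhost and the LAN side.
# Anything arriving on the LAN interface is trusted unconditionally.
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i "$LAN_NIC" -j ACCEPT

# We really need to have ICMP available.
# NOTE(review): echo-request is accepted from any source with no rate
# limit (-m limit); add one if ping floods are a concern for this host.
iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

# Next we open desired ports on the firewall.
# Adjust for your particular needs... These rules are not bound to an
# interface, so each port is reachable from the WAN as well as the LAN.
# NOTE(review): only TCP 53 is opened; DNS queries are normally UDP 53,
# so a matching -p udp rule is needed if this box is meant to serve DNS.
iptables -A INPUT -p tcp --dport 22 -j ACCEPT  # ssh
iptables -A INPUT -p tcp --dport 25 -j ACCEPT  # smtp
iptables -A INPUT -p tcp --dport 53 -j ACCEPT  # dns
iptables -A INPUT -p tcp --dport 80 -j ACCEPT  # http
iptables -A INPUT -p tcp --dport 110 -j ACCEPT # pop3

# STATE RELATED for router: replies to connections the firewall itself
# opened, plus traffic related to them (e.g. ICMP errors).
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Enable packet forwarding now that the rule set is complete.
echo 1 > /proc/sys/net/ipv4/ip_forward

# if you want to forward ports to an internal host, use this format:
# NOTE(review): the original examples used -i eth1, which this script
# assigns to LAN_NIC; connections from the Internet arrive on $WAN_NIC.
# DNAT'ed packets traverse the FORWARD chain rather than INPUT, so that is
# where the accept rule has to go. Check both before uncommenting.
#iptables -A PREROUTING -t nat -i "$WAN_NIC" -p tcp --dport 80 -j DNAT --to 192.168.1.50:80
#iptables -A FORWARD -i "$WAN_NIC" -p tcp -m state --state NEW -d 192.168.1.50 --dport 80 -j ACCEPT
# if you want to restrict access to just one host for security reasons:
#iptables -A PREROUTING -t nat -i "$WAN_NIC" -p tcp --source 11.22.33.44 --dport 80 -j DNAT --to 192.168.1.50:80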