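#!/bin/sh
#
# Two-interface stateful IPv4 firewall with NAT (iptables).
#
#   EXT_IF  interface facing the Internet (untrusted)
#   IN_IF   interface facing the private LAN (fully trusted: everything
#           arriving on it is accepted)
#
# Must run as root. Addresses are read from the interfaces at run time, so
# the rules follow whatever address DHCP / the admin assigned. On any error
# the script aborts; by then INPUT/FORWARD already default to DROP and
# forwarding is switched off, so a failure leaves the host closed rather
# than half-configured.

PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
export PATH

# Abort on the first failing command or reference to an unset variable.
# (-e/-u is the POSIX subset of strict mode; pipefail is not portable sh.)
set -eu

# interface
EXT_IF="eth0"
IN_IF="eth1"

# if_field IFACE LABEL
#   Print the token following LABEL ("inet addr:", "Mask:", "Bcast:") in
#   the net-tools ifconfig output for IFACE; prints nothing if not found.
#   Relies on the classic net-tools output format (iproute2-only systems
#   have no /sbin/ifconfig and print addresses in CIDR form instead).
if_field() {
  /sbin/ifconfig "$1" | sed -e 's/^.*'"$2"'\([^ ]*\).*$/\1/p' -e d
}

EXT_IP=$(if_field "$EXT_IF" 'inet addr:')
EXT_BCAST=$(if_field "$EXT_IF" 'Bcast:')
IN_IP=$(if_field "$IN_IF" 'inet addr:')
IN_MASK=$(if_field "$IN_IF" 'Mask:')

# The anti-spoofing and broadcast rules are built from these values. An empty
# value would turn "-s $EXT_IP" into a malformed rule that iptables rejects,
# silently leaving that protection out, so refuse to continue instead.
: "${EXT_IP:?could not determine address of $EXT_IF}"
: "${EXT_BCAST:?could not determine broadcast address of $EXT_IF}"
: "${IN_IP:?could not determine address of $IN_IF}"
: "${IN_MASK:?could not determine netmask of $IN_IF}"

IN_LAN=$IN_IP/$IN_MASK       # host/dotted-mask; iptables normalises it to the network
ANYWHERE="0.0.0.0/0"

# stop forwarding while the rule set is rebuilt
echo 0 > /proc/sys/net/ipv4/ip_forward

# flush existing rules (filter and nat tables; no user-defined chains are used)
iptables -F
iptables -F -t nat

# defaults: fail closed for inbound and transit traffic
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

# loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# SYN Cookies (for SYN Flood)
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# ignore ping to broadcast addresses (smurf amplification)
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# ignore malformed ICMP error replies from broken routers
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

# reject Source-routed packets
for i in /proc/sys/net/ipv4/conf/*/accept_source_route; do
  echo 0 > "$i"
done

# reject ICMP redirect
for i in /proc/sys/net/ipv4/conf/*/accept_redirects; do
  echo 0 > "$i"
done

# reverse-path check in the kernel, backing up the spoof rules below
for i in /proc/sys/net/ipv4/conf/*/rp_filter; do
  echo 1 > "$i"
done

##################################################################################
###
### INPUT chain  (rules are evaluated in order; the final LOG catches only
### what the DROP policy is about to discard)
###

# drop private packets arriving from the Internet
# NOTE: if EXT_IF itself sits behind another NAT and carries a private address,
# the -d rules here block all legitimate traffic; adjust accordingly.
iptables -A INPUT -i "$EXT_IF" -s 10.0.0.0/8 -j DROP
iptables -A INPUT -i "$EXT_IF" -d 10.0.0.0/8 -j DROP
iptables -A INPUT -i "$EXT_IF" -s 172.16.0.0/12 -j DROP
iptables -A INPUT -i "$EXT_IF" -d 172.16.0.0/12 -j DROP
iptables -A INPUT -i "$EXT_IF" -s 192.168.0.0/16 -j DROP
iptables -A INPUT -i "$EXT_IF" -d 192.168.0.0/16 -j DROP

# drop spoofed packets (claim to come from the internal LAN) (logged)
iptables -A INPUT -i "$EXT_IF" -s "$IN_LAN" -j LOG --log-prefix="spoofed "
iptables -A INPUT -i "$EXT_IF" -s "$IN_LAN" -j DROP

# drop spoofed packets (claim to come from myself) (logged)
iptables -A INPUT -i "$EXT_IF" -s "$EXT_IP" -j LOG --log-prefix="spoofed "
iptables -A INPUT -i "$EXT_IF" -s "$EXT_IP" -j DROP

# accept DHCP packets (server -> client), needed when EXT_IP comes from DHCP
iptables -A INPUT -i "$EXT_IF" -p udp -s "$ANYWHERE" -d "$ANYWHERE" \
  --sport bootps --dport bootpc -j ACCEPT

# drop broadcast / multicast packets
iptables -A INPUT -i "$EXT_IF" -d 255.255.255.255 -j DROP
iptables -A INPUT -i "$EXT_IF" -d 224.0.0.0 -j DROP
iptables -A INPUT -i "$EXT_IF" -d "$EXT_BCAST" -j DROP

# return TCP_RESET to IDENT so mail/irc servers don't wait for a timeout
iptables -A INPUT -i "$EXT_IF" -p tcp --dport ident -j REJECT --reject-with tcp-reset

# accept return packets of connections we opened, plus related ICMP errors
# (without RELATED, path-MTU and unreachable errors for our own connections are lost)
iptables -A INPUT -i "$EXT_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT

# accept everything from the private network
iptables -A INPUT -i "$IN_IF" -j ACCEPT

### accepting protocols from the Internet
# ssh(22) smtp(25) domain(53) http(80,8080) ntp(123) imap(143)
# Both tcp and udp are opened for every port, as in the original rule set;
# only 53 and 123 actually have a udp service, the other udp rules could be
# dropped to shrink the exposed surface.
for port in 22 25 53 80 8080 123 143; do
  for proto in tcp udp; do
    iptables -A INPUT -i "$EXT_IF" -p "$proto" --dport "$port" -j ACCEPT
  done
done

# logging dropped packets: last rule, so only traffic that fell through
# every ACCEPT above (and is about to hit the DROP policy) is logged
iptables -A INPUT -i "$EXT_IF" -j LOG

##################################################################################
###
### FORWARD
###

# Internet -> LAN: only replies to connections the LAN opened. Any DNAT
# port-forward to a LAN host needs its own explicit ACCEPT here.
iptables -A FORWARD -i "$EXT_IF" -o "$IN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
# LAN -> Internet: LAN hosts may open new connections
iptables -A FORWARD -i "$IN_IF" -o "$EXT_IF" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

##################################################################################
###
### NAT
###

# masquerade the internal LAN (same network the spoof rules use) only on the
# way out of the external interface
iptables -t nat -A POSTROUTING -s "$IN_LAN" -o "$EXT_IF" -j MASQUERADE

# start forwarding now that the rule set is complete
echo 1 > /proc/sys/net/ipv4/ip_forward

exit 0
#EOF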