I've spent the weekend attempting to mold an old P3 400 MHz machine
into a firewall/router so I can replace my current Linksys box.
Basically, I read the howtos at netfilter.org and the
gentoo-home-router-howto and put together the following script for
loading my rules.

This meets the functionality I need at this point in the project (ssh
access from inside and outside, port forwarding, and masquerading),
but I'm not well versed on security concerns so I'm hoping a few
experienced users could point out redundancies and potential security
issues.

Thanks in advance for taking the time to help.

#!/bin/bash
IPT=/sbin/iptables
WAN_IFACE=eth0
LAN_IFACE=eth1
LAN_ADDY=192.168.0.0/24

# flush and reset rules
# Note: the policies are set to ACCEPT here and only switched to DROP
# further down, so there is a short window during a reload with no filtering.
$IPT -F
$IPT -t nat -F
$IPT -t mangle -F
$IPT -X
$IPT -t nat -X
$IPT -t mangle -X
$IPT -P INPUT ACCEPT
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT

# begin rules
# Both rules are inserted at position 1, so after these two lines the
# chain reads: lo first, then the LAN interface.
$IPT -I INPUT 1 -i $LAN_IFACE -j ACCEPT
$IPT -I INPUT 1 -i lo -j ACCEPT
# Refuse DHCP and DNS requests that do not arrive on the LAN side.
# (The negation goes before the option: "! -i", not "-i !".)
$IPT -A INPUT -p udp --dport bootps ! -i $LAN_IFACE -j REJECT
$IPT -A INPUT -p udp --dport domain ! -i $LAN_IFACE -j REJECT
# New connections from any interface other than the WAN; lo and the LAN
# interface are already accepted by the two rules at the top of the chain.
$IPT -A INPUT -m state --state NEW ! -i $WAN_IFACE -j ACCEPT
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# ssh from the outside
$IPT -A INPUT -p tcp --dport 22 -i $WAN_IFACE -j ACCEPT
$IPT -P INPUT DROP
# Redundant once the policy is DROP: anything not matched above is dropped anyway.
$IPT -A INPUT ! -i $LAN_IFACE -j DROP

# port forwards from the WAN side to the internal server
$IPT -t nat -A PREROUTING -p tcp -i $WAN_IFACE --dport 80 \
                       -j DNAT --to-destination 192.168.0.20
$IPT -t nat -A PREROUTING -p tcp -i $WAN_IFACE --dport 1022 \
                       -j DNAT --to-destination 192.168.0.20:22

# Do not route LAN traffic back into the LAN through this box.
$IPT -I FORWARD -i $LAN_IFACE -d $LAN_ADDY -j DROP
$IPT -A FORWARD -i $LAN_IFACE -s $LAN_ADDY -j ACCEPT
# Accepts every forwarded packet from the WAN towards the LAN, not only the
# two DNAT'ed ports above and not only replies to established connections.
$IPT -A FORWARD -i $WAN_IFACE -d $LAN_ADDY -j ACCEPT
$IPT -P FORWARD DROP

$IPT -t nat -A POSTROUTING -o $WAN_IFACE -j MASQUERADE

# Reverse-path filtering: drop packets whose source address would not be
# routed back out through the interface they arrived on.
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo 1 > $f
done
/etc/init.d/iptables save

-- Travis Osterman

-- 
gentoo-user@gentoo.org mailing list

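The following is an added example, not part of the original post or the poster's script: the same functionality (ssh to the router from both sides, the two port forwards, masquerading) rebuilt as an iptables-restore ruleset. Loading through iptables-restore is atomic, so the reload window with ACCEPT policies disappears, and the text can be generated and inspected without root. Interface names, the LAN range and the forwarded host are taken from the post and are assumptions to adjust; the rate-limited ping rule is an optional addition.

```bash
#!/bin/bash
# Added example (not from the original post): the ruleset from the thread,
# tightened and emitted in iptables-restore format. Interface names, the LAN
# range and the forwarded host are assumptions taken from the post.

WAN_IFACE=eth0
LAN_IFACE=eth1
LAN_NET=192.168.0.0/24
FWD_HOST=192.168.0.20          # the internal web/ssh server behind the DNATs

# Print the complete ruleset in iptables-restore format.
gen_ruleset() {
cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# port forwards, only from the WAN side
-A PREROUTING -i $WAN_IFACE -p tcp --dport 80 -j DNAT --to-destination $FWD_HOST:80
-A PREROUTING -i $WAN_IFACE -p tcp --dport 1022 -j DNAT --to-destination $FWD_HOST:22
-A POSTROUTING -o $WAN_IFACE -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# --- traffic to the router itself ---
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# the LAN may reach every local service (ssh, DHCP, DNS); the source must be a LAN address
-A INPUT -i $LAN_IFACE -s $LAN_NET -j ACCEPT
# from the WAN only ssh, plus rate-limited ping so path problems stay diagnosable
-A INPUT -i $WAN_IFACE -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i $WAN_IFACE -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
# --- traffic routed through the box ---
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
# LAN -> Internet, only with a LAN source address (no spoofed sources leak out)
-A FORWARD -i $LAN_IFACE -o $WAN_IFACE -s $LAN_NET -j ACCEPT
# Internet -> LAN: only new connections to the two DNAT'ed ports. DNAT runs in
# PREROUTING, so FORWARD already sees the rewritten destination.
-A FORWARD -i $WAN_IFACE -o $LAN_IFACE -d $FWD_HOST -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i $WAN_IFACE -o $LAN_IFACE -d $FWD_HOST -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Return 0 if the generated ruleset contains the given rule line verbatim.
has_rule() {
    gen_ruleset | grep -qxF -- "$1"
}

# Load the ruleset atomically (requires root).
apply_ruleset() {
    gen_ruleset | iptables-restore
}

if [ "${1:-}" = "apply" ]; then
    apply_ruleset
else
    gen_ruleset
fi
```

Run it without arguments to print the ruleset and review it; run it as root with `apply` to load it. Two things stay outside the ruleset: the rp_filter loop from the original script, and `net.ipv4.ip_forward=1`, which the kernel needs before any FORWARD rule matters. Compared with the posted script, the Internet-to-LAN FORWARD rule is now limited to the two forwarded ports instead of accepting every packet from the WAN addressed to the LAN range, and the LAN-to-Internet rule requires a LAN source address.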