I've spent the weekend attempting to mold an old P3 400MHz machine into a firewall/router so I can replace my current Linksys box. Basically, I read the howtos at netfilter.org and the gentoo-home-router-howto and put together the following script for loading my rules.
This meets the functionality I need at this point in the project (ssh access from inside and outside, port forwarding, and masquerading), but I'm not well versed on security concerns, so I'm hoping a few experienced users could point out redundancies and potential security issues. Thanks in advance for taking the time to help.

#!/bin/bash

IPT=/sbin/iptables
WAN_IFACE=eth0
LAN_IFACE=eth1
LAN_ADDY=192.168.0.0/24

# flush and reset rules
$IPT -F
$IPT -t nat -F
$IPT -t mangle -F
$IPT -X
$IPT -t nat -X
$IPT -t mangle -X
$IPT -P INPUT ACCEPT
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT

# begin rules
# INPUT: trust the LAN interface and loopback unconditionally
$IPT -I INPUT 1 -i $LAN_IFACE -j ACCEPT
$IPT -I INPUT 1 -i lo -j ACCEPT
# refuse DHCP and DNS requests that do not arrive on the LAN interface
# ("! -i" is the interface negation syntax current iptables accepts)
$IPT -A INPUT -p UDP --dport bootps ! -i $LAN_IFACE -j REJECT
$IPT -A INPUT -p UDP --dport domain ! -i $LAN_IFACE -j REJECT
$IPT -A INPUT -m state --state NEW ! -i $WAN_IFACE -j ACCEPT
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# ssh from the outside
$IPT -A INPUT -p tcp --dport 22 -i $WAN_IFACE -j ACCEPT
$IPT -P INPUT DROP
$IPT -A INPUT ! -i $LAN_IFACE -j DROP

# port forwarding: web server and ssh on the inside box
$IPT -A PREROUTING -t nat -p tcp -i $WAN_IFACE --dport 80 \
    -j DNAT --to 192.168.0.20
$IPT -A PREROUTING -t nat -p tcp -i $WAN_IFACE --dport 1022 \
    -j DNAT --to 192.168.0.20:22

# FORWARD
$IPT -I FORWARD -i $LAN_IFACE -d $LAN_ADDY -j DROP
$IPT -A FORWARD -i $LAN_IFACE -s $LAN_ADDY -j ACCEPT
$IPT -A FORWARD -i $WAN_IFACE -d $LAN_ADDY -j ACCEPT
$IPT -P FORWARD DROP

# masquerading
$IPT -t nat -A POSTROUTING -o $WAN_IFACE -j MASQUERADE

# reverse-path filtering on every interface
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo 1 > $f
done

/etc/init.d/iptables save

--
Travis Osterman

--
gentoo-user@gentoo.org mailing list
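The script above has two properties a reviewer would flag: the policies are set to ACCEPT before the rules are loaded (so the box is briefly wide open on every reload), and `-A FORWARD -i $WAN_IFACE -d $LAN_ADDY -j ACCEPT` lets the outside initiate connections to any LAN host on any port, not just the two DNAT'd services. The following is an added example of a stateful variant and is not the poster's script; it assumes the same interfaces, LAN range and 192.168.0.20 target as the post, and the names `WEB_HOST`, `render_rules` and `count_open_forward` and the `IPT=echo` dry-run convention are this example's own.

```shell
#!/bin/sh
# Stateful firewall/router ruleset (example; not the original post's script).
# Run with "apply" to load the rules, or "render" to print them without root.
IPT="${IPT:-/sbin/iptables}"
WAN_IFACE="${WAN_IFACE:-eth0}"
LAN_IFACE="${LAN_IFACE:-eth1}"
LAN_NET="${LAN_NET:-192.168.0.0/24}"
WEB_HOST="${WEB_HOST:-192.168.0.20}"   # assumed: the DNAT target from the post

reset_tables() {
    # Default policies go to DROP *before* the flush, so a reload never
    # leaves a window in which every packet is accepted.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    for t in filter nat mangle; do
        $IPT -t $t -F
        $IPT -t $t -X
    done
}

input_rules() {
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state INVALID -j DROP
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # LAN hosts may talk to the router (DHCP, DNS, ssh); require a LAN source
    $IPT -A INPUT -i $LAN_IFACE -s $LAN_NET -j ACCEPT
    # From the WAN only new ssh connections are allowed, and those are
    # rate-limited; everything else falls through to the DROP policy.
    $IPT -A INPUT -i $WAN_IFACE -p tcp --dport 22 -m state --state NEW \
        -m limit --limit 3/min --limit-burst 3 -j ACCEPT
}

forward_rules() {
    $IPT -A FORWARD -m state --state INVALID -j DROP
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # LAN -> WAN: anything the LAN initiates, with an anti-spoof source check
    $IPT -A FORWARD -i $LAN_IFACE -o $WAN_IFACE -s $LAN_NET -j ACCEPT
    # WAN -> LAN: only the two DNAT'd services, nothing else on the LAN
    $IPT -A FORWARD -i $WAN_IFACE -o $LAN_IFACE -p tcp -d $WEB_HOST --dport 80 \
        -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i $WAN_IFACE -o $LAN_IFACE -p tcp -d $WEB_HOST --dport 22 \
        -m state --state NEW -j ACCEPT
    # log (rate-limited) whatever is about to hit the DROP policy
    $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
}

nat_rules() {
    $IPT -t nat -A PREROUTING -i $WAN_IFACE -p tcp --dport 80 \
        -j DNAT --to-destination $WEB_HOST:80
    $IPT -t nat -A PREROUTING -i $WAN_IFACE -p tcp --dport 1022 \
        -j DNAT --to-destination $WEB_HOST:22
    # masquerade only traffic that really comes from the LAN range
    $IPT -t nat -A POSTROUTING -o $WAN_IFACE -s $LAN_NET -j MASQUERADE
}

set_rp_filter() {
    for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
        echo 1 > "$f"
    done
}

apply_all() { reset_tables; input_rules; forward_rules; nat_rules; }

# Dry run: print every rule instead of loading it (no root needed).
render_rules() { ( IPT=echo; apply_all ); }

# Self-check: count rules that accept unrestricted WAN->LAN forwarding,
# i.e. the pattern from the posted script. Expected result: 0.
count_open_forward() {
    render_rules | grep -c -- "-A FORWARD -i $WAN_IFACE -d $LAN_NET -j ACCEPT" || true
}

case "${1:-}" in
    apply)  apply_all; set_rp_filter ;;
    render) render_rules ;;
esac
```

Running it as `sh firewall.sh render` shows the exact iptables invocations before any of them touch the kernel, which is also a convenient way to diff two versions of the ruleset. The ESTABLISHED,RELATED rule at the top of FORWARD is what lets replies to the DNAT'd connections through, so the WAN-side ACCEPT rules only need to match NEW connections to the one host and two ports that are actually published.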