[Masq] IPTABLES: is that script okay?

Christian Gerner Sun, 20 Jan 2002 08:50:01 -0800

Hi,

I've attached (quoted printable!) an iptables-Script I want to use on my 
gateway-machine
with SuSE Linux 7.3.


I can't test it right now  because I haven't yet the cable-modem from
my provider.

Are there any bugs or things you would change?

eth0 is the LAN, eth1 the Internet.

All clients should be able to use HTTP and HTTPS.

The gateway-machine is allowed to do more (line 27).


Thanks in advance,

Christian

--
PHP, Freeware, Shareware, Computerseiten
http://www.christian-gerner.de

#!/bin/sh
# MASQUERADING und FIREWALL Script by Christian Gerner ([EMAIL PROTECTED])

------------------------------
# eth0 is local area network
# eth1 is internet
# ----------------------------

# delete all chains
        iptables -t filter -F
        iptables -t mangle -F
        iptables -t nat -F 

# drop as standard
        iptables -P INPUT DROP
        iptables -P FORWARD DROP

# masquerade everything to the internet
        iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE 

# allow port 80 and 443 for all to the internet
        iptables -A FORWARD -i eth0 -o eth1 -p tcp -s 192.168.0.0/24 -d 0.0.0.0/0 
--dport 80 -j ACCEPT          #HTTP/TCP
        iptables -A FORWARD -i eth0 -o eth1 -p udp -s 192.168.0.0/24 -d 0.0.0.0/0 
--dport 80 -j ACCEPT          #HTTP/UDP
        iptables -A FORWARD -i eth0 -o eth1 -p tcp -s 192.168.0.0/24 -d 0.0.0.0/0 
--dport 443 -j ACCEPT         #HTTPS/TCP
        iptables -A FORWARD -i eth0 -o eth1 -p udp -s 192.168.0.0/24 -d 0.0.0.0/0 
--dport 443 -j ACCEPT         #HTTPS/UDP
        
# the gateway machine should be able to do the following
        iptables -A OUTPUT -o eth1 -p tcp --dport 42 -j ACCEPT                         
                         #NS/TCP
        iptables -A OUTPUT -o eth1 -p udp --dport 42 -j ACCEPT                         
                         #NS/UDP
        iptables -A OUTPUT -o eth1 -p tcp --dport 80 -j ACCEPT                         
                         #HTTP/TCP
        iptables -A OUTPUT -o eth1 -p udp --dport 80 -j ACCEPT                         
                         #HTTP/UDP
        iptables -A OUTPUT -o eth1 -p tcp --dport 443 -j ACCEPT                        
                         #HTTPS/TCP
        iptables -A OUTPUT -o eth1 -p udp --dport 443 -j ACCEPT                        
                         #HTTPS/UDP
        iptables -A OUTPUT -o eth1 -p tcp --dport 119 -j ACCEPT                        
                         #NEWS
        iptables -A OUTPUT -o eth1 -p tcp --dport 25 -j ACCEPT                         
                         #SMTP
        iptables -A OUTPUT -o eth1 -p tcp --dport 110 -j ACCEPT                        
                         #POP

# allow packets we requested
        iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# allow packets from the LAN (e.g. pop3-access)
        iptables -I INPUT 1 -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
        iptables -I OUTPUT 1 -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
        iptables -I INPUT 2 -i eth0 -j ACCEPT
        iptables -I OUTPUT 2 -o eth0 -j ACCEPT

[Masq] IPTABLES: is that script okay?

Reply via email to