Dadexter iptables
Jump to navigation
Jump to search
- Script is based on another one I got here
- allows connections to port 443 for web services
- allows connections to port 8080 for ssh access
- allows connections to port 8000 and 2323 for misc services (usually off anyway)
#!/bin/sh # This is a very basic LAN NAT script, allowing only SSH to the firewall from # the external interface, allowing all outbound LAN traffic, and allowing only # established/related traffic back into the LAN. # # eth1 = external NIC (ISP) # eth0 = internal NIC (LAN) # # allows connections to port 443 for web services # allows connections to port 8080 for ssh access # allows connections to port 2323 and 8000 for internal forwarding, and shoutcast ipt=/usr/sbin/iptables extip=66.130.x.x # replace with your EXTERNAL IP - eth1 lan=192.168.100.0/25 # your LAN CIDR range - eth0 # start firewall start_firewall() { echo "Enabling IP forwarding." echo 1 > /proc/sys/net/ipv4/ip_forward echo "Enabling iptables firewall." # default policies $ipt -P INPUT DROP $ipt -P FORWARD DROP # NAT $ipt -t nat -A POSTROUTING -o eth1 -j SNAT --to-source $extip # INPUT chain $ipt -A INPUT -i lo -j ACCEPT $ipt -A INPUT -i eth0 -s $lan -j ACCEPT $ipt -A INPUT -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT $ipt -A INPUT -p tcp --destination-port 8080 -j ACCEPT $ipt -A INPUT -p tcp --destination-port 443 -j ACCEPT $ipt -A INPUT -p tcp --destination-port 8000 -j ACCEPT $ipt -A INPUT -p tcp --destination-port 2323 -j ACCEPT # FORWARD chain $ipt -A FORWARD -i eth0 -s $lan -j ACCEPT $ipt -A FORWARD -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT } # stop firewall stop_firewall() { $ipt -P INPUT DROP $ipt -P OUTPUT DROP $ipt -P FORWARD DROP # allow internal traffic $ipt -A INPUT -i eth0 -j ACCEPT $ipt -A OUTPUT -o eth0 -j ACCEPT } # flushing, removing and zeroing tables reset_firewall() { chains=`cat /proc/net/ip_tables_names` for i in $chains; do $debug $ipt -t $i -F $debug $ipt -t $i -X $debug $ipt -t $i -Z done } case "$1" in start|restart|reload) reset_firewall start_firewall ;; stop) reset_firewall stop_firewall ;; *) echo "Usage: $0 {start|stop|restart|reload}"; exit 1 ;; esac