On Sun, 2005-05-29 at 20:03 -0500, Travis Osterman wrote:
> I've spent the weekend attempting to mold an old p3 400MHz machine
> into a firewall/router so I can replace my current linksys box.
> Basically, I read the howtos at netfilter.org and the
> gentoo-home-router-howto and put together the following script for
> loading my rules.
Frankly, I've stopped trying to grok iptables; rather, I use a frontend like shorewall. It's much simpler than doing it all by yourself. Perhaps you can take a look, perhaps you will like it?

> This meets the functionality I need at this point in the project (ssh
> access from inside and outside, port forwarding, and masquerading),
> but I'm not well versed on security concerns so I'm hoping a few
> experienced users could point out redundancies and potential security
> issues.
>
> Thanks in advance for taking the time to help.
>
> #!/bin/bash
> IPT=/sbin/iptables
> WAN_IFACE=eth0
> LAN_IFACE=eth1
> LAN_ADDY=192.168.0.0/24
>
> # flush and reset rules
> $IPT -F
> $IPT -t nat -F
> $IPT -t mangle -F
> $IPT -X
> $IPT -t nat -X
> $IPT -t mangle -X
> $IPT -P INPUT ACCEPT
> $IPT -P FORWARD ACCEPT
> $IPT -P OUTPUT ACCEPT
> $IPT -t nat -P PREROUTING ACCEPT
> $IPT -t nat -P POSTROUTING ACCEPT
> $IPT -t nat -P OUTPUT ACCEPT
> $IPT -t mangle -P PREROUTING ACCEPT
> $IPT -t mangle -P OUTPUT ACCEPT
>
> # begin rules
> $IPT -I INPUT 1 -i $LAN_IFACE -j ACCEPT
> $IPT -I INPUT 1 -i lo -j ACCEPT
> $IPT -A INPUT -p UDP --dport bootps ! -i $LAN_IFACE -j REJECT
> $IPT -A INPUT -p UDP --dport domain ! -i $LAN_IFACE -j REJECT
> $IPT -A INPUT -m state --state NEW ! -i $WAN_IFACE -j ACCEPT
> $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPT -A INPUT --protocol tcp --dport 22 -i $WAN_IFACE -j ACCEPT
> $IPT -P INPUT DROP
> $IPT -A INPUT ! -i $LAN_IFACE -j DROP
>
> $IPT -A PREROUTING -t nat -p tcp -i $WAN_IFACE --dport 80 \
>     -j DNAT --to 192.168.0.20
> $IPT -A PREROUTING -t nat -p tcp -i $WAN_IFACE --dport 1022 \
>     -j DNAT --to 192.168.0.20:22
>
> $IPT -I FORWARD -i $LAN_IFACE -d $LAN_ADDY -j DROP
> $IPT -A FORWARD -i $LAN_IFACE -s $LAN_ADDY -j ACCEPT
> $IPT -A FORWARD -i $WAN_IFACE -d $LAN_ADDY -j ACCEPT
> $IPT -P FORWARD DROP
>
> $IPT -t nat -A POSTROUTING -o $WAN_IFACE -j MASQUERADE
>
> for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
>     echo 1 > $f
> done
> /etc/init.d/iptables save
>
> --
> Travis Osterman

--
Ow Mun Heng
Gentoo/Linux on DELL D600 1.4GHz 1.5GB RAM
98% Microsoft(tm) Free!!
Neuromancer 17:18:11 up 2 days, 9:03, 8 users, load average: 0.95, 0.78, 1.10
--
gentoo-user@gentoo.org mailing list
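The review Travis asked for, carried through as an added example rather than anything either poster wrote: the rule `-A FORWARD -i $WAN_IFACE -d $LAN_ADDY -j ACCEPT` in the quoted script forwards every packet that arrives on the WAN side addressed to 192.168.0.0/24, not just the two DNAT'd services, and the INPUT/FORWARD policies stay at ACCEPT until the last lines of the script run. The variant below keeps the interface names, LAN range and DNAT target from the posted script and is otherwise an assumption: it sets DROP policies first, lets only ESTABLISHED/RELATED traffic and the two forwarded ports through FORWARD, masquerades only LAN sources, and ships a small audit function (my own heuristic, not an iptables feature) that counts WAN-ingress FORWARD accepts restricted neither to a port nor to connection state. It prints the rules instead of loading them unless APPLY=1 is set.

```shell
#!/bin/sh
# Hardened rewrite of the posted router script (added example, not the
# original author's code). By default it only PRINTS the iptables commands
# it would run (dry run); set APPLY=1 to execute them as root on the router.
# Interface names, the LAN range and the DNAT target 192.168.0.20 come from
# the posted script; everything else here is an assumption.

IPT=${IPT:-/sbin/iptables}
WAN_IFACE=${WAN_IFACE:-eth0}
LAN_IFACE=${LAN_IFACE:-eth1}
LAN_ADDY=${LAN_ADDY:-192.168.0.0/24}
WEB_HOST=${WEB_HOST:-192.168.0.20}   # internal host behind the two DNATs

# Run iptables, or print the command line in dry-run mode.
ipt() {
    if [ "${APPLY:-0}" = 1 ]; then
        "$IPT" "$@"
    else
        printf 'iptables %s\n' "$*"
    fi
}

load_rules() {
    # Flush every table and delete user-defined chains.
    ipt -F; ipt -t nat -F; ipt -t mangle -F
    ipt -X; ipt -t nat -X; ipt -t mangle -X

    # Default-deny on INPUT and FORWARD *before* any ACCEPT rule exists, so a
    # half-loaded rule set never leaves the box open (the posted script runs
    # with ACCEPT policies until its last lines).
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # INPUT: loopback, replies to our own traffic, the LAN, and SSH from the WAN.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m state --state INVALID -j DROP
    ipt -A INPUT -i "$LAN_IFACE" -s "$LAN_ADDY" -j ACCEPT
    ipt -A INPUT -i "$WAN_IFACE" -p tcp --dport 22 -m state --state NEW -j ACCEPT

    # Port forwards: public :80 -> web host :80, public :1022 -> web host :22.
    ipt -t nat -A PREROUTING -i "$WAN_IFACE" -p tcp --dport 80 \
        -j DNAT --to-destination "$WEB_HOST:80"
    ipt -t nat -A PREROUTING -i "$WAN_IFACE" -p tcp --dport 1022 \
        -j DNAT --to-destination "$WEB_HOST:22"

    # FORWARD: the posted "-i WAN -d LAN -j ACCEPT" forwarded *any* WAN packet
    # addressed to the LAN range. Here only return traffic and the two
    # DNAT'd services (matched on the post-DNAT destination) get through.
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m state --state INVALID -j DROP
    ipt -A FORWARD -i "$LAN_IFACE" -o "$WAN_IFACE" -s "$LAN_ADDY" -j ACCEPT
    ipt -A FORWARD -i "$WAN_IFACE" -o "$LAN_IFACE" -p tcp -d "$WEB_HOST" --dport 80 \
        -m state --state NEW -j ACCEPT
    ipt -A FORWARD -i "$WAN_IFACE" -o "$LAN_IFACE" -p tcp -d "$WEB_HOST" --dport 22 \
        -m state --state NEW -j ACCEPT

    # Masquerade only traffic that really comes from the LAN range.
    ipt -t nat -A POSTROUTING -o "$WAN_IFACE" -s "$LAN_ADDY" -j MASQUERADE
}

# Heuristic audit over a printed rule set (stdin): count FORWARD ACCEPTs that
# enter on the WAN interface and are restricted neither to a port nor to
# established state. The posted script's WAN->LAN rule scores 1, the rules
# above score 0.
count_open_wan_forwards() {
    awk -v wan="$WAN_IFACE" '
        /-A FORWARD/ && $0 ~ ("-i " wan) && /-j ACCEPT/ &&
            $0 !~ /--dport/ && $0 !~ /ESTABLISHED/ { n++ }
        END { print n + 0 }'
}

load_rules
```

`sh router.sh` prints the rule set; `APPLY=1 sh router.sh` loads it. Do that from the console rather than over SSH, because the flush followed by the DROP policy cuts existing sessions for a moment before the ESTABLISHED rule is back. The rp_filter loop and the Gentoo `/etc/init.d/iptables save` step from the posted script are unchanged and can follow as before. To audit the original rule set, feed its commands to the checker: `sh router.sh | count_open_wan_forwards` reports 0 for this script, while the posted `-A FORWARD -i eth0 -d 192.168.0.0/24 -j ACCEPT` line reports 1.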