Iptables revised

Linux Network


Just a backup of the updated iptables setup for my gateway box:

[CABLE MODEM] – [eth0 GATEWAY eth1] – [LAN SWITCH] – – – [CLIENTS]

Thanks to O’Reilly for this great book that helped me a lot: Linux iptables Pocket Reference

#!/bin/bash

wan_nic=eth0
lan_nic=eth1
lan_nic_ip=192.168.1.69
lan_network=192.168.1.0/24

# PORT MAPPING FUNCTION
# MAP proto wan_port lan_ip lan_port label
# DNATs the WAN port in nat/PREROUTING and accepts the resulting new
# connection in FORWARD. Without the second rule a mapping only works
# while FORWARD lets everything from the WAN through.
MAP(){
iptables -t nat -A PREROUTING -i $wan_nic -p $1 --dport $2 -j DNAT --to-destination $3:$4
iptables -A FORWARD -i $wan_nic -p $1 -d $3 --dport $4 -m state --state NEW -j ACCEPT
echo "PORTMAP: Mapped a port. $wan_nic:$2 ($1) -> $3:$4 [$5]"
}


# Del old rules (flushing does not reset the policies, they are set below)
iptables -t filter -F
iptables -t filter -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
echo "Deleted old rules"

# Default Policies (filter table; the nat and mangle chains keep their ACCEPT policy)
iptables -P FORWARD ACCEPT
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
echo "Set default policies"

# Enable IP forwarding between the two NICs (the NAT itself is the MASQUERADE rule below)
echo 1 > /proc/sys/net/ipv4/ip_forward
echo "Enabled ip_forward in kernel"

###### INPUT LOCAL

# FROM EVERYWHERE
iptables -A INPUT -p icmp -j ACCEPT

# FROM LOCAL TO LOCAL
iptables -A INPUT -i lo -j ACCEPT

# FROM LAN TO LOCAL

# Needed for DHCP clients (no ip yet so allow interface, not ip range)
iptables -A INPUT -i $lan_nic -j ACCEPT

# Allow LAN TO LOCAL (bound to the LAN interface: without -i this rule would also
# accept packets arriving on the WAN with a spoofed LAN source address)
iptables -A INPUT -i $lan_nic -s $lan_network -j ACCEPT

# ALLOW PACKETS SENT FROM GW TO WAN TO COME BACK
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# FROM WAN TO LOCAL: nothing else (explicit, although the INPUT policy is DROP already)
iptables -A INPUT ! -s $lan_network -j DROP

echo "Configured INPUT CHAIN"

###### OUTPUT LOCAL (done with default policy)
# FROM LOCAL TO LAN
# FROM LOCAL TO WAN
# FROM LOCAL TO LOCAL

###### FORWARD
# FORWARD FROM LAN TO WAN (allowed by the default policy)


# LOCK BAD CLIENTS IN LAN
#SONY TV
iptables -A FORWARD -s 192.168.1.20 -j DROP
#NETGEAR
iptables -A FORWARD -s 192.168.1.100 -j DROP
#DLINK
iptables -A FORWARD -s 192.168.1.101 -j DROP

echo "Locked bad clients"


# FORWARD FROM WAN TO LAN

# NAT the LAN
iptables -t nat -A POSTROUTING -o $wan_nic -j MASQUERADE

echo "Enabled MASQUERADEing"

# Let replies to connections opened from the LAN back in, drop garbage
iptables -A FORWARD -i $wan_nic -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $wan_nic -m state --state INVALID -j DROP

# Portmappings from WAN to LAN (must come before the catch-all DROP below)
MAP tcp 80    192.168.1.2 80  SRV_HTTP

# Don't forward anything else from the outside. This rule is what actually
# blocks new connections from the WAN: dropping INVALID alone leaves the
# FORWARD policy ACCEPT in charge and lets new WAN connections through.
iptables -A FORWARD -i $wan_nic -j DROP

echo "DISABLED FORWARDING for connections from the outside"
echo "Configured FORWARD chain"




# FINALIZE

/etc/init.d/networking restart
echo
echo
dhclient -v $wan_nic
echo
echo
ping -c1 134.99.128.2
echo
echo
ping -c1 192.168.1.2

echo
echo
echo "done"
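The MAP function above takes its arguments on trust: a typo in the protocol or port produces a malformed rule, and a target outside the LAN turns the gateway into a relay for that port. The following is an added example, not part of the gateway script: a port-mapping helper that validates its arguments and can be dry-run with IPT=echo, which prints the rules instead of loading them, so it can be checked without root. It keeps the script's eth0 and 192.168.1.0/24; the function names (map_port, validate_map, in_network, valid_ip4, ip4_to_int), the IPT variable and the sample mapping are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the gateway script: a port-mapping helper with
# argument validation and a dry-run mode (IPT=echo prints the rules instead
# of loading them). wan_nic/lan_network follow the script; the function
# names, the IPT variable and the sample mapping are assumptions.

wan_nic=${wan_nic:-eth0}
lan_network=${lan_network:-192.168.1.0/24}
IPT=${IPT:-iptables}

# valid_ip4 ADDR: 0 if ADDR is a dotted quad with octets 0-255 (no leading
# zeros, so nothing is ever read as octal by the arithmetic below), else 1.
valid_ip4() (
    printf '%s\n' "$1" | grep -Eq '^(0|[1-9][0-9]{0,2})(\.(0|[1-9][0-9]{0,2})){3}$' || exit 1
    IFS=.
    for o in $1; do
        [ "$o" -le 255 ] || exit 1
    done
    exit 0
)

# ip4_to_int ADDR: the address as a 32-bit integer (192.168.1.2 -> 3232235778)
ip4_to_int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# in_network ADDR PREFIX: 0 if ADDR lies inside PREFIX (a.b.c.d/bits, or a
# single address meaning /32), else 1
in_network() (
    addr=$1
    case $2 in
        */*) net=${2%/*}; bits=${2#*/} ;;
        *)   net=$2;      bits=32 ;;
    esac
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip4_to_int "$addr") & mask )) -eq $(( $(ip4_to_int "$net") & mask )) ]
)

# validate_map PROTO WAN_PORT LAN_IP LAN_PORT: 0 when the mapping is sane,
# 1 with a message on stderr otherwise. A target outside the LAN prefix is
# rejected on purpose: DNAT to an outside host would make the gateway relay
# that port to the Internet.
validate_map() (
    case $1 in
        tcp|udp) ;;
        *) echo "validate_map: protocol must be tcp or udp, got '$1'" >&2; exit 1 ;;
    esac
    for p in "$2" "$4"; do
        printf '%s\n' "$p" | grep -Eq '^[1-9][0-9]{0,4}$' && [ "$p" -le 65535 ] \
            || { echo "validate_map: bad port '$p'" >&2; exit 1; }
    done
    valid_ip4 "$3" || { echo "validate_map: bad address '$3'" >&2; exit 1; }
    in_network "$3" "$lan_network" \
        || { echo "validate_map: $3 is not inside $lan_network" >&2; exit 1; }
    exit 0
)

# map_port PROTO WAN_PORT LAN_IP LAN_PORT LABEL: the DNAT rule plus the
# FORWARD accept it needs once FORWARD drops everything else coming in on
# the WAN. Rules go to stdout in dry-run mode, the log line always to stderr.
map_port() {
    validate_map "$1" "$2" "$3" "$4" || return 1
    "$IPT" -t nat -A PREROUTING -i "$wan_nic" -p "$1" --dport "$2" \
        -j DNAT --to-destination "$3:$4"
    "$IPT" -A FORWARD -i "$wan_nic" -p "$1" -d "$3" --dport "$4" \
        -m state --state NEW -j ACCEPT
    echo "PORTMAP: $wan_nic:$2/$1 -> $3:$4 [$5]" >&2
}

# Dry run of the script's own mapping: run this file with IPT=echo
if [ "$IPT" = echo ]; then
    map_port tcp 80 192.168.1.2 80 SRV_HTTP
fi
```

Running the file with IPT=echo prints the two rules for the HTTP mapping; running it as root without IPT loads them. The FORWARD accept is scoped to the interface, protocol, destination and port of the mapping and to NEW state only, so a catch-all `-i eth0 -j DROP` at the end of FORWARD still blocks every other inbound connection.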
