{"id":1672,"date":"2016-11-24T12:39:47","date_gmt":"2016-11-24T11:39:47","guid":{"rendered":"http:\/\/www.daniel-ritter.de\/blog\/?p=1672"},"modified":"2024-05-13T01:10:05","modified_gmt":"2024-05-12T23:10:05","slug":"iptables-revisted","status":"publish","type":"post","link":"https:\/\/www.daniel-ritter.de\/blog\/iptables-revisted\/","title":{"rendered":"Iptables revised"},"content":{"rendered":"<p><a href=\"https:\/\/www.daniel-ritter.de\/blog\/wp-content\/uploads\/2016\/11\/640px-Hilofilter.agr_.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"alignleft size-full wp-image-1681\" src=\"https:\/\/www.daniel-ritter.de\/blog\/wp-content\/uploads\/2016\/11\/640px-Hilofilter.agr_.jpg\" alt=\"640px-hilofilter-agr\" width=\"700\" height=\"403\" \/><\/a><\/p>\n<p>Just a backup of the updated iptables setup for my gateway box:<\/p>\n<p>[CABLE MODEM] &#8211; [eth0 GATEWAY eth1] &#8211; [LAN SWITCH] &#8211; &#8211; &#8211; [CLIENTS]<\/p>\n<p>eth0 faces the cable modem and gets its address via DHCP, eth1 faces the LAN switch. The box masquerades the LAN behind the WAN address, forwards TCP port 80 from the WAN to an internal web server and keeps a few misbehaving LAN devices off the internet. The script flushes and rebuilds all rules from scratch.<\/p>\n<p>Thanks to O&#8217;Reilly for this great book that helped me a lot: <a href=\"http:\/\/shop.oreilly.com\/product\/9780596005696.do\">Linux iptables Pocket Reference<\/a><\/p>\n<pre>#!\/bin\/bash\r\n\r\nwan_nic=eth0\r\nlan_nic=eth1\r\nlan_nic_ip=192.168.1.69\r\nlan_network=192.168.1.0\/24\r\n\r\n# PORT MAPPING FUNCTION: MAP proto wan_port lan_host lan_port label\r\n# Adds the DNAT rule and the FORWARD accept that the DNATed packets need.\r\n# Call it before the final \"drop unrelated from WAN\" rule is appended below,\r\n# otherwise the accept sits behind the drop and never matches.\r\nMAP(){\r\niptables -A PREROUTING -t nat -i $wan_nic -p $1 --dport $2 -j DNAT --to-destination $3:$4\r\niptables -A FORWARD -i $wan_nic -o $lan_nic -p $1 -d $3 --dport $4 -m state --state NEW -j ACCEPT\r\necho \"PORTMAP: Mapped a port. $wan_nic:$2 ($1) -&gt; $3:$4 [$5]\"\r\n}\r\n\r\n# Del old rules\r\niptables -t filter -F\r\niptables -t nat -F\r\niptables -t mangle -F\r\necho \"Deleted old rules\"\r\n\r\n# Default Policies\r\n# INPUT is DROP from here until the accept rules below are in place, so run\r\n# this from the console or from the LAN, never over SSH from the WAN side.\r\niptables -P FORWARD ACCEPT\r\niptables -P INPUT DROP\r\niptables -P OUTPUT ACCEPT\r\necho \"Set default policies\"\r\n\r\n# Enable routing between eth0 and eth1 (the NAT itself is the MASQUERADE rule below)\r\necho 1 &gt; \/proc\/sys\/net\/ipv4\/ip_forward\r\necho \"Enabled ip_forward in kernel\"\r\n\r\n###### INPUT LOCAL\r\n\r\n# FROM LOCAL TO LOCAL\r\niptables -A INPUT -i lo -j ACCEPT\r\n\r\n# ANTI-SPOOFING: a LAN source address never legitimately arrives on the WAN side\r\niptables -A INPUT -i $wan_nic -s $lan_network -j DROP\r\n\r\n# FROM EVERYWHERE\r\niptables -A INPUT -p icmp -j ACCEPT\r\n\r\n# FROM LAN TO LOCAL\r\n\r\n# Needed for DHCP clients (no ip yet so allow interface, not ip range).\r\n# Matching on the interface is also what makes this safe: a plain\r\n# \"-s $lan_network -j ACCEPT\" without -i would accept spoofed LAN\r\n# addresses coming in on $wan_nic.\r\niptables -A INPUT -i $lan_nic -j ACCEPT\r\n\r\n# ALLOW PACKETS SENT FROM GW TO WAN TO COME BACK\r\niptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT\r\n\r\n# FROM WAN TO LOCAL: nothing else, the INPUT policy (DROP) takes care of it\r\n\r\necho \"Configured INPUT CHAIN\"\r\n\r\n###### OUTPUT LOCAL (done with default policy)\r\n# FROM LOCAL TO LAN\r\n# FROM LOCAL TO WAN\r\n# FROM LOCAL TO LOCAL\r\n\r\n###### FORWARD\r\n# FORWARD FROM LAN TO WAN (allowed by the FORWARD policy)\r\n\r\n# ANTI-SPOOFING on the forwarding path as well\r\niptables -A FORWARD -i $wan_nic -s $lan_network -j DROP\r\n\r\n# LOCK BAD CLIENTS IN LAN (these hosts get no internet access)\r\n#SONY TV\r\niptables -A FORWARD -s 192.168.1.20 -j DROP\r\n#NETGEAR\r\niptables -A FORWARD -s 192.168.1.100 -j DROP\r\n#DLINK\r\niptables -A FORWARD -s 192.168.1.101 -j DROP\r\n\r\necho \"Configured FORWARD chain\"\r\n\r\n\r\n# FORWARD FROM WAN TO LAN\r\n\r\n# NAT the LAN\r\n\/sbin\/iptables -t nat -A POSTROUTING -o $wan_nic -j MASQUERADE\r\n\r\necho \"Enabled MASQUERADEing\"\r\n\r\n# Portmappings from WAN to LAN (must come before the final drop, see MAP above)\r\nMAP tcp 80    192.168.1.2 80  SRV_HTTP\r\n\r\n# Don't forward unrelated packets from the outside.\r\n# Dropping only INVALID here is not enough: with FORWARD policy ACCEPT a NEW\r\n# connection from the WAN would still be forwarded. Drop everything from the\r\n# WAN that does not belong to a connection opened from the LAN (or to a port\r\n# mapping accepted above).\r\niptables -A FORWARD -i $wan_nic -m state ! --state ESTABLISHED,RELATED -j DROP\r\n\r\necho \"DISABLED FORWARDING for connections from the outside\"\r\n\r\n# NOTE: iptables is IPv4 only. If IPv6 is enabled on this box, ip6tables has\r\n# its own chains with policy ACCEPT and needs an equivalent ruleset.\r\n\r\n# FINALIZE\r\n\r\n\/etc\/init.d\/networking restart\r\necho\r\necho\r\ndhclient -v $wan_nic\r\necho\r\necho\r\nping -c1 134.99.128.2\r\necho\r\necho\r\nping -c1 192.168.1.2\r\n\r\necho\r\necho\r\necho \"done\"\r\n\r\n<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Just a backup of the updated iptables setup for my gateway box: [CABLE MODEM] &#8211; [eth0 GATEWAY eth1] &#8211; [LAN SWITCH] &#8211; &#8211; &#8211; [CLIENTS] eth0 faces the cable modem and gets its address via DHCP, eth1 faces the LAN switch. The box masquerades the LAN behind the WAN address, forwards TCP port 80 from 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":1681,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[227,224],"tags":[],"class_list":["post-1672","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-linux","category-network"],"_links":{"self":[{"href":"https:\/\/www.daniel-ritter.de\/blog\/wp-json\/wp\/v2\/posts\/1672","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.daniel-ritter.de\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.daniel-ritter.de\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.daniel-ritter.de\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.daniel-ritter.de\/blog\/wp-json\/wp\/v2\/comments?post=1672"}],"version-history":[{"count":11,"href":"https:\/\/www.daniel-ritter.de\/blog\/wp-json\/wp\/v2\/posts\/1672\/revisions"}],"predecessor-version":[{"id":1896,"href":"https:\/\/www.daniel-ritter.de\/blog\/wp-json\/wp\/v2\/posts\/1672\/revisions\/1896"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.daniel-ritter.de\/blog\/wp-json\/wp\/v2\/media\/1681"}],"wp:attachment":[{"href":"https:\/\/www.daniel-ritter.de\/blog\/wp-json\/wp\/v2\/media?parent=1672"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.daniel-ritter.de\/blog\/wp-json\/wp\/v2\/categories?post=1672"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.daniel-ritter.de\/blog\/wp-json\/wp\/v2\/tags?post=1672"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
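The post's script appends rules one at a time after switching INPUT to DROP, and relies on the FORWARD policy being ACCEPT. The following is an added example, not the post's own code, that expresses the same gateway policy as an `iptables-restore` file: default DROP on both INPUT and FORWARD, LAN-to-WAN and the DNATed port allowed explicitly, anti-spoofing ahead of the conntrack accept, and the whole table set swapped in atomically so a typo cannot leave the box half-configured. Interface names, addresses, the port mapping and the three blocked hosts are taken from the post's topology as assumptions; `-m conntrack` is used in place of the older `-m state` alias.

```shell
#!/bin/sh
# Added example, not part of the original post: the gateway ruleset as an
# iptables-restore file, generated by a function and loaded in one transaction.
# Interface names, addresses and hosts are assumptions mirroring the post.

WAN_NIC=eth0
LAN_NIC=eth1
LAN_NET=192.168.1.0/24

# one mapping per line: "proto wan_port lan_host lan_port"
PORTMAPS='tcp 80 192.168.1.2 80'

# LAN hosts that must not reach the WAN (the post's TV, Netgear and D-Link boxes)
BLOCKED_LAN_HOSTS='192.168.1.20 192.168.1.100 192.168.1.101'

# emit one iptables-restore line from iptables-style arguments
rule() { printf '%s\n' "$*"; }

gen_ruleset() {
    # --- nat table: DNAT for each mapping, MASQUERADE out the WAN side ---
    rule '*nat'
    rule ':PREROUTING ACCEPT [0:0]'
    rule ':POSTROUTING ACCEPT [0:0]'
    printf '%s\n' "$PORTMAPS" | while read -r proto wport host lport; do
        [ -n "$proto" ] || continue
        rule -A PREROUTING -i "$WAN_NIC" -p "$proto" --dport "$wport" \
             -j DNAT --to-destination "$host:$lport"
    done
    rule -A POSTROUTING -o "$WAN_NIC" -j MASQUERADE
    rule COMMIT

    # --- filter table: default DROP on INPUT and FORWARD ---
    rule '*filter'
    rule ':INPUT DROP [0:0]'
    rule ':FORWARD DROP [0:0]'
    rule ':OUTPUT ACCEPT [0:0]'
    # anti-spoofing first: LAN addresses never arrive on the WAN interface,
    # and this must precede the conntrack accept (conntrack ignores interfaces)
    rule -A INPUT -i "$WAN_NIC" -s "$LAN_NET" -j DROP
    rule -A FORWARD -i "$WAN_NIC" -s "$LAN_NET" -j DROP
    rule -A INPUT -i lo -j ACCEPT
    rule -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    rule -A INPUT -m conntrack --ctstate INVALID -j DROP
    rule -A INPUT -p icmp -j ACCEPT
    # LAN side accepted by interface, not address, so DHCP from 0.0.0.0 works
    rule -A INPUT -i "$LAN_NIC" -j ACCEPT
    rule -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    rule -A FORWARD -m conntrack --ctstate INVALID -j DROP
    for h in $BLOCKED_LAN_HOSTS; do
        rule -A FORWARD -i "$LAN_NIC" -s "$h" -j DROP
    done
    rule -A FORWARD -i "$LAN_NIC" -o "$WAN_NIC" -s "$LAN_NET" -j ACCEPT
    # inbound NEW only for the mapped ports; the FORWARD policy drops the rest
    printf '%s\n' "$PORTMAPS" | while read -r proto wport host lport; do
        [ -n "$proto" ] || continue
        rule -A FORWARD -i "$WAN_NIC" -o "$LAN_NIC" -p "$proto" -d "$host" \
             --dport "$lport" -m conntrack --ctstate NEW -j ACCEPT
    done
    rule COMMIT
}

# Parse and build only, commit nothing (legacy iptables-restore may still need root).
check_ruleset() { gen_ruleset | iptables-restore --test; }

# Replace the whole IPv4 ruleset in one step; on any error the old rules stay.
# ip6tables is a separate table set and is not touched here.
apply_ruleset() {
    sysctl -q -w net.ipv4.ip_forward=1
    gen_ruleset | iptables-restore
}
```

Run `gen_ruleset` to inspect the file, `check_ruleset` to let iptables-restore validate it, then `apply_ruleset` as root. Because the LAN accept and the new policies land in the same transaction, the load is safe to run over SSH from the LAN; the post's incremental script has a window where INPUT is DROP with no accepts yet.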