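#!/bin/sh
#
# Example iptables firewall configuration
# Meant for a netwinder 2100 with two ethernet ports.
# For the 3100 use INTDEV=eth+ and EXTDEV=ppp+
#
# Requires /etc/sysconfig/network-scripts/ifcfg-$EXTDEV and ifcfg-$INTDEV,
# each defining IPADDR, NETMASK and NETWORK.
#
# Any failure aborts the script.  The default DROP policies are installed
# first, so an abort part-way through leaves the box closed rather than open.
set -eu

# Define your ethernet ports
EXTDEV=eth0
INTDEV=eth1

# Get external network interface parameters
. "/etc/sysconfig/network-scripts/ifcfg-$EXTDEV"
EXTIP=${IPADDR:?"no IPADDR in ifcfg-$EXTDEV"}
EXTNM=${NETMASK:?"no NETMASK in ifcfg-$EXTDEV"}
EXTNW=${NETWORK:?"no NETWORK in ifcfg-$EXTDEV"}

# Get internal network interface parameters.
# Clear the values read for the external interface first, so a missing
# setting in the internal ifcfg file is an error instead of silently reusing
# the external one (which would feed the external network into the spoof
# and SNAT rules below).  The original sourced "network-scrupts" (typo), so
# the internal values were never read at all.
unset IPADDR NETMASK NETWORK
. "/etc/sysconfig/network-scripts/ifcfg-$INTDEV"
INTIP=${IPADDR:?"no IPADDR in ifcfg-$INTDEV"}
INTNM=${NETMASK:?"no NETMASK in ifcfg-$INTDEV"}
INTNW=${NETWORK:?"no NETWORK in ifcfg-$INTDEV"}

# Command to be used
IPTABLES=iptables

# Set default policies
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT

# Flush all tables
$IPTABLES -F
$IPTABLES -t nat -F

# Allow local traffic (loopback, and anything arriving on the internal
# interface).  The original wrote "-i INTDEV" without the "$", matching a
# literal interface named INTDEV and therefore never the real one.
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT -i "$INTDEV" -j ACCEPT

# Ignore spoofed addresses arriving on the external interface.
# NOTE(review): kept in the nat table as in the original; nat PREROUTING
# only sees the first packet of each connection, so the filter table
# (INPUT/FORWARD) is the usual place for anti-spoof drops.
$IPTABLES -t nat -A PREROUTING -i "$EXTDEV" -s "$INTIP" -j DROP
# The original negated this destination ("-d ! $INTIP"), which drops every
# outside packet NOT addressed to the internal IP -- i.e. all legitimate
# inbound traffic to $EXTIP.  The intent appears to be the positive match:
# nothing from outside should be addressed to the firewall's inside address.
$IPTABLES -t nat -A PREROUTING -i "$EXTDEV" -d "$INTIP" -j DROP
$IPTABLES -t nat -A PREROUTING -i "$EXTDEV" -s 0.0.0.0/32 -j DROP
$IPTABLES -t nat -A PREROUTING -i "$EXTDEV" -s 255.255.255.255/32 -j DROP

# Block private address spaces (should not come from internet)
$IPTABLES -t nat -A PREROUTING -i "$EXTDEV" -s 10.0.0.0/8 -j DROP
$IPTABLES -t nat -A PREROUTING -i "$EXTDEV" -s 127.0.0.0/8 -j DROP
$IPTABLES -t nat -A PREROUTING -i "$EXTDEV" -s 172.16.0.0/12 -j DROP
$IPTABLES -t nat -A PREROUTING -i "$EXTDEV" -s 192.168.0.0/16 -j DROP

# Allow all ICMP traffic on all interfaces.
# NOTE(review): this admits every ICMP type from outside; restrict to the
# types you actually need (e.g. --icmp-type echo-request,
# destination-unreachable) if that matters for your deployment.
$IPTABLES -A INPUT -p icmp -j ACCEPT

# Example of how to do port forwarding:
# Redirect incoming port 8080 to 192.168.1.1:80
# $IPTABLES -A PREROUTING -t nat -p tcp \
#   -d "$EXTIP" --dport 8080 -j DNAT --to 192.168.1.1:80

# Allow FTP traffic on port 20 and 21
$IPTABLES -A INPUT -p tcp --dport 20:21 -j ACCEPT

# Allow ssh (incoming and a few outgoing ports)
$IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 1020:1023 -j ACCEPT

# Allow smtp (mail) traffic
$IPTABLES -A INPUT -p tcp --dport 25 -j ACCEPT

# Allow DNS lookups (tcp/udp 53)
$IPTABLES -A INPUT -p tcp --dport 53 -j ACCEPT
$IPTABLES -A INPUT -p udp --dport 53 -j ACCEPT

# Allow ident (auth) traffic
$IPTABLES -A INPUT -p tcp --dport 113 -j ACCEPT

# Allow ntp (time server) traffic
$IPTABLES -A INPUT -p udp --dport 123 -j ACCEPT

# Allow http and https traffic.
# The original appended these to a "WEB" chain that is never created
# (no -N anywhere), so iptables rejected them and the ports stayed closed.
$IPTABLES -A INPUT -p tcp --dport 80 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 443 -j ACCEPT

# NOTE: the following DENY rules are not really needed anymore
# now that we are using connection tracking (see -m state below)
# and INPUT's policy is DROP.  Left here out of paranoia.
# The original appended them to a "COMMON" chain that, like WEB, was never
# created; they go on INPUT here.

# Block NFS
$IPTABLES -A INPUT -p tcp --dport 2049 -j DROP
$IPTABLES -A INPUT -p udp --dport 2049 -j DROP

# Block MySQL
$IPTABLES -A INPUT -p tcp --dport 3306 -j DROP
$IPTABLES -A INPUT -p udp --dport 3306 -j DROP

# Block X server and X font server
$IPTABLES -A INPUT -p tcp --dport 6000:6010 -j DROP
$IPTABLES -A INPUT -p tcp --dport 7100 -j DROP

# Accept replies to outbound packets
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state INVALID -j DROP

# Let the internal subnet out through the external interface and let the
# replies back in.  FORWARD's policy is DROP and the original had no
# FORWARD rules at all, so the SNAT rule below never saw a packet and
# internal hosts could not reach the Internet.  Unsolicited inbound
# forwarding stays dropped.  (Kernel IP forwarding -- net.ipv4.ip_forward --
# must be enabled separately; not done here.)
$IPTABLES -A FORWARD -i "$INTDEV" -o "$EXTDEV" -s "$INTNW/$INTNM" -j ACCEPT
$IPTABLES -A FORWARD -i "$EXTDEV" -o "$INTDEV" \
  -m state --state ESTABLISHED,RELATED -j ACCEPT

# Do masquerading for internal subnet
$IPTABLES -t nat -A POSTROUTING -s "$INTNW/$INTNM" -o "$EXTDEV" \
  -j SNAT --to-source "$EXTIP"
# or you can use the following for dynamic IP connections:
# $IPTABLES -t nat -A POSTROUTING -o "$EXTDEV" -j MASQUERADE

# Default DROP policy applies to any remaining packets.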