Thursday, June 5, 2014

a working iptables firewall rules

#!/bin/bash

# eth0 is connected to the Internet
# eth3 is network B

# flush all chains
iptables -F
# flush all chaines in nat table
iptables --table nat -F

# default policies
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
iptables -P INPUT DROP

# allow unlimited traffic on loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# {{{ packet forwarding
# allow packet forwarding for the entire LAN
iptables -A FORWARD -i eth3 -o eth3 -j ACCEPT # network B

# masquerade
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE

# allow packet forwarding from internal network to the internet
# and allow packet forwarding from the internet to internal network
# if the packet is established or related from the internal network
iptables -A FORWARD -i eth3 -j ACCEPT # network B
iptables -A FORWARD -i eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# }}} packet forwarding

# ssh
iptables -A INPUT -i eth0 -p tcp -s external_ip_0,external_ip_1 --dport 22 \
  -j ACCEPT

# mosh
iptables -A INPUT -i eth0 -p udp -s external_ip_0,external_ip_2 \
  --dport 60000:61000 -j ACCEPT
# }}}

# allow incoming packets from related or established existing trusted
# connections so that we can connect to the Internet from this gateway
iptables -A INPUT -i eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

0 comments:

Post a Comment