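#!/bin/bash
# Gateway firewall: NAT between a LAN (network B) and the Internet.
#
# Interfaces (override via the environment):
#   WAN_IF - connected to the Internet (default: eth0)
#   LAN_IF - network B                 (default: eth3)
#
# Trusted remote addresses (required). The original listed the literal
# placeholders external_ip_0..external_ip_2 here, which iptables would
# try to resolve as hostnames and fail on:
#   SSH_SOURCES  - comma-separated sources allowed to reach tcp/22
#   MOSH_SOURCES - comma-separated sources allowed to reach udp/60000-61000
#
# Must run as root. Only IPv4 is configured; ip6tables is left untouched.
set -eu

wan_if=${WAN_IF:-eth0}
lan_if=${LAN_IF:-eth3}
ssh_sources=${SSH_SOURCES:?set SSH_SOURCES (e.g. external_ip_0,external_ip_1)}
mosh_sources=${MOSH_SOURCES:?set MOSH_SOURCES (e.g. external_ip_0,external_ip_2)}
readonly wan_if lan_if ssh_sources mosh_sources

if (( EUID != 0 )); then
  printf '%s: must run as root\n' "${0##*/}" >&2
  exit 1
fi

# start from a clean slate: flush rules and delete user-defined chains in the
# filter and nat tables (-F alone leaves empty user-defined chains behind)
iptables -F
iptables -X
iptables --table nat -F
iptables --table nat -X

# allow unlimited traffic on loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# allow incoming packets from related or established existing trusted
# connections so that we can connect to the Internet from this gateway.
# This goes in before the DROP policies so that an SSH session running
# this script is not cut off while the remaining rules are being added.
iptables -A INPUT -i "$wan_if" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# default policies: only loopback and already-established traffic is
# accepted from here on until the remaining ACCEPT rules are added
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
iptables -P INPUT DROP

# {{{ packet forwarding
# allow packet forwarding from the internal network (network B) to anywhere,
# including the Internet; this also covers LAN-to-LAN traffic on the same
# interface, so a separate "-i lan -o lan" rule is not needed
iptables -A FORWARD -i "$lan_if" -j ACCEPT
# allow packet forwarding from the Internet to the internal network only
# for packets established or related to a connection from the internal network
iptables -A FORWARD -i "$wan_if" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# masquerade everything leaving towards the Internet
iptables --table nat --append POSTROUTING --out-interface "$wan_if" -j MASQUERADE
# }}} packet forwarding

# {{{ remote administration, from the trusted addresses only
# ssh
iptables -A INPUT -i "$wan_if" -p tcp -s "$ssh_sources" --dport 22 -j ACCEPT
# mosh
iptables -A INPUT -i "$wan_if" -p udp -s "$mosh_sources" \
  --dport 60000:61000 -j ACCEPT
# }}} remote administration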