firewall.conf 3.2 KB

  1. #!/bin/sh
  2. echo "configure /etc/firewall.conf first."
  3. exit 1
  4. ### Interfaces
  5. WAN=ppp0
  6. LAN=br0
  7. WLAN=wlan0
  8. ######################################################################
  9. ### Default ruleset
  10. ######################################################################
  11. ### Create chains
  12. iptables -N input_rule
  13. iptables -N forwarding_rule
  14. iptables -t nat -N prerouting_rule
  15. iptables -t nat -N postrouting_rule
  16. ### Default policy
  17. iptables -P INPUT DROP
  18. iptables -P FORWARD DROP
  19. iptables -P OUTPUT DROP
  20. ### INPUT
  21. ### (connections with the router as destination)
  22. # base case
  23. iptables -A INPUT -m state --state INVALID -j DROP
  24. iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  25. iptables -A INPUT -p tcp --tcp-flags SYN SYN \! --tcp-option 2 -j DROP
  26. # custom rules
  27. iptables -A INPUT -j input_rule
  28. # allow access from anything but WAN
  29. iptables -A INPUT ${WAN:+\! -i $WAN} -j ACCEPT
  30. # allow icmp messages
  31. iptables -A INPUT -p icmp -j ACCEPT
  32. # reject
  33. iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
  34. iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable
  35. ### OUTPUT
  36. ### (connections with the router as source)
  37. # base case
  38. iptables -A OUTPUT -m state --state RELATED,ESTABLISHED,NEW -j ACCEPT
  39. iptables -A OUTPUT -p icmp -j ACCEPT
  40. ### FORWARD
  41. ### (connections routed through the router)
  42. # base case
  43. iptables -A FORWARD -m state --state INVALID -j DROP
  44. iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
  45. # fix for broken ISPs blocking ICMP "fragmentation needed" packets
  46. #iptables -t mangle -A FORWARD -p tcp -o $WAN --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
  47. # custom rules
  48. iptables -A FORWARD -j forwarding_rule
  49. iptables -t nat -A PREROUTING -j prerouting_rule
  50. iptables -t nat -A POSTROUTING -j postrouting_rule
  51. # allow LAN
  52. iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT
  53. ### MASQUERADING
  54. echo 1 > /proc/sys/net/ipv4/ip_dynaddr
  55. iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE
  56. ######################################################################
  57. ### Default ruleset end
  58. ######################################################################
  59. ###
  60. ### Connections to the router
  61. ###
  62. # ssh
  63. #iptables -A input_rule -i $WAN -p tcp -s <a.b.c.d> --dport 22 -j ACCEPT
  64. # IPSec
  65. #iptables -A input_rule -i $WAN -p esp -s <a.b.c.d> -j ACCEPT
  66. #iptables -A input_rule -i $WAN -p udp -s <a.b.c.d> --dport 500 -j ACCEPT
  67. # OpenVPN
  68. #iptables -A input_rule -i $WAN -p udp -s <a.b.c.d> --dport 1194 -j ACCEPT
  69. # PPTP
  70. #iptables -A input_rule -i $WAN -p gre -j ACCEPT
  71. #iptables -A input_rule -i $WAN -p tcp --dport 1723 -j ACCEPT
  72. ###
  73. ### VPN traffic
  74. ###
  75. # IPSec
  76. #iptables -A forwarding_rule -o ipsec+ -j ACCEPT
  77. #iptables -A forwarding_rule -i ipsec+ -j ACCEPT
  78. # OpenVPN
  79. #iptables -A forwarding_rule -o tun+ -j ACCEPT
  80. #iptables -A forwarding_rule -i tun+ -j ACCEPT
  81. ###
  82. ### Port forwardings to LAN
  83. ###
  84. #iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 3389 -j DNAT --to 192.168.1.10
  85. #iptables -A forwarding_rule -i $WAN -p tcp --dport 3389 -d 192.168.1.10 -j ACCEPT
  86. # Transparent Bridging Proxy
  87. #ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 \
  88. # --ip-destination-port 80 -j redirect --redirect-target ACCEPT
  89. #iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 \
  90. # -j REDIRECT --to-port 8080