
  1. #!/bin/sh
  2. echo "configure /etc/firewall.conf first."
  3. exit 1
  4. ### Interfaces
  5. WAN=ppp0
  6. LAN=br0
  7. WLAN=wlan0
  8. ######################################################################
  9. ### Default ruleset
  10. ######################################################################
  11. ### Create chains
  12. iptables -N input_rule
  13. iptables -N forwarding_rule
  14. iptables -t nat -N prerouting_rule
  15. iptables -t nat -N postrouting_rule
  16. ### Default policy
  17. iptables -P INPUT DROP
  18. iptables -P FORWARD DROP
  19. ### INPUT
  20. ### (connections with the router as destination)
  21. # base case
  22. iptables -A INPUT -m state --state INVALID -j DROP
  23. iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  24. iptables -A INPUT -p tcp --tcp-flags SYN SYN \! --tcp-option 2 -j DROP
  25. # custom rules
  26. iptables -A INPUT -j input_rule
  27. # allow access from anything but WAN
  28. iptables -A INPUT ${WAN:+\! -i $WAN} -j ACCEPT
  29. # allow icmp messages
  30. iptables -A INPUT -p icmp -j ACCEPT
  31. # reject
  32. iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
  33. iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable
  34. ### OUTPUT
  35. ### (connections with the router as source)
  36. # base case
  37. iptables -A OUTPUT -m state --state INVALID -j DROP
  38. iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  39. ### FORWARD
  40. ### (connections routed through the router)
  41. # base case
  42. iptables -A FORWARD -m state --state INVALID -j DROP
  43. iptables -A FORWARD -p tcp -o $WAN --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
  44. iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
  45. # custom rules
  46. iptables -A FORWARD -j forwarding_rule
  47. iptables -t nat -A PREROUTING -j prerouting_rule
  48. iptables -t nat -A POSTROUTING -j postrouting_rule
  49. # allow LAN
  50. iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT
  51. ### MASQUERADING
  52. echo 1 > /proc/sys/net/ipv4/ip_dynaddr
  53. iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE
  54. ######################################################################
  55. ### Default ruleset end
  56. ######################################################################
  57. ###
  58. ### Connections to the router
  59. ###
  60. # ssh
  61. #iptables -A input_rule -i $WAN -p tcp -s <a.b.c.d> --dport 22 -j ACCEPT
  62. # IPSec
  63. #iptables -A input_rule -i $WAN -p esp -s <a.b.c.d> -j ACCEPT
  64. #iptables -A input_rule -i $WAN -p udp -s <a.b.c.d> --dport 500 -j ACCEPT
  65. # OpenVPN
  66. #iptables -A input_rule -i $WAN -p udp -s <a.b.c.d> --dport 1194 -j ACCEPT
  67. # PPTP
  68. #iptables -A input_rule -i $WAN -p gre -j ACCEPT
  69. #iptables -A input_rule -i $WAN -p tcp --dport 1723 -j ACCEPT
  70. ###
  71. ### VPN traffic
  72. ###
  73. # IPSec
  74. #iptables -A forwarding_rule -o ipsec+ -j ACCEPT
  75. #iptables -A forwarding_rule -i ipsec+ -j ACCEPT
  76. # OpenVPN
  77. #iptables -A forwarding_rule -o tun+ -j ACCEPT
  78. #iptables -A forwarding_rule -i tun+ -j ACCEPT
  79. ###
  80. ### Port forwardings to LAN
  81. ###
  82. #iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 3389 -j DNAT --to 192.168.1.10
  83. #iptables -A forwarding_rule -i $WAN -p tcp --dport 3389 -d 192.168.1.10 -j ACCEPT
  84. # Transparent Bridging Proxy
  85. #ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 \
  86. # --ip-destination-port 80 -j redirect --redirect-target ACCEPT
  87. #iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 \
  88. # -j REDIRECT --to-port 8080