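--- a/UNKNOWN_PATH
+++ b/UNKNOWN_PATH
@@ -1,29 +1,29 @@
 echo 1 > /proc/sys/net/ipv4/ip_forward
 
 # Flush tables
 iptables -F
 iptables -t nat -F
 
 # Set policies
 iptables -P INPUT DROP
 iptables -P OUTPUT DROP
 iptables -P FORWARD DROP
 
 # NAT
 iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
 iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
 
 # Allow INPUT for existing connections
 iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
 
 # Allow HTTP from internal network?
 iptables -A FORWARD -i eth1 -o eth0 -p tcp --dport 80 -j ACCEPT
 iptables -A FORWARD -i eth1 -o eth0 -p tcp --dport 443 -j ACCEPT
-#iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
+
 # Outbound rules for DNS (d'oh)
 iptables -A OUTPUT -o eth0 -p tcp --dport 53 -j ACCEPT
 iptables -A OUTPUT -o eth0 -p udp --dport 53 -j ACCEPT
 
 # Access to device services from inside only
 iptables -A INPUT -i eth1 -d 172.16.0.1 -j ACCEPT
 iptables -A OUTPUT -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT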