SHOW:
|
|
- or go back to the newest paste.
| 1 | echo 1 > /proc/sys/net/ipv4/ip_forward | |
| 2 | ||
| 3 | # Flush tables | |
| 4 | iptables -F | |
| 5 | iptables -t nat -F | |
| 6 | ||
| 7 | # Set policies | |
| 8 | iptables -P INPUT DROP | |
| 9 | iptables -P OUTPUT DROP | |
| 10 | iptables -P FORWARD DROP | |
| 11 | ||
| 12 | # NAT | |
| 13 | iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE | |
| 14 | iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT | |
| 15 | ||
| 16 | # Allow INPUT for existing connections | |
| 17 | iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT | |
| 18 | ||
| 19 | # Allow HTTP from internal network? | |
| 20 | iptables -A FORWARD -i eth1 -o eth0 -p tcp --dport 80 -j ACCEPT | |
| 21 | iptables -A FORWARD -i eth1 -o eth0 -p tcp --dport 443 -j ACCEPT | |
| 22 | - | #iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT |
| 22 | + | |
| 23 | # Outbound rules for DNS (d'oh) | |
| 24 | iptables -A OUTPUT -o eth0 -p tcp --dport 53 -j ACCEPT | |
| 25 | iptables -A OUTPUT -o eth0 -p udp --dport 53 -j ACCEPT | |
| 26 | ||
| 27 | # Access to device services from inside only | |
| 28 | iptables -A INPUT -i eth1 -d 172.16.0.1 -j ACCEPT | |
| 29 | iptables -A OUTPUT -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT |
