MertcanGokgoz

iptables home router

Dec 20th, 2018
  1. sudo iptables -F
  2. sudo iptables -t nat -F
  3. sudo iptables -X
  4.  
  5. sudo iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
  6. sudo iptables -A FORWARD -i tun0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
  7. sudo iptables -A FORWARD -i eth0 -o tun0 -j ACCEPT
  8.  
  9. sudo iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
  10. sudo iptables -t nat -A POSTROUTING -o tun1 -j MASQUERADE
  11. sudo iptables -t nat -A POSTROUTING -o tun2 -j MASQUERADE
  12.  
  13. sudo iptables -t nat -A PREROUTING -i tun0 -p tcp --dport 443 -m state --state NEW -m statistic --mode random --probability .25
  14. sudo iptables -t nat -A PREROUTING -i tun1 -p tcp --dport 443 -m state --state NEW -m statistic --mode random --probability .33
  15. sudo iptables -t nat -A PREROUTING -i tun2 -p tcp --dport 443 -m state --state NEW -m statistic --mode random --probability .50
  16.  
  17. sudo sh -c "iptables-save > /etc/iptables.ipv4.nat"
  18.  
  19. =====================
  20.  
  21. *nat
  22. :PREROUTING ACCEPT [0:0]
  23. :INPUT ACCEPT [0:0]
  24. :OUTPUT ACCEPT [0:0]
  25. :POSTROUTING ACCEPT [0:0]
  26.  
  27. # p4p1 is WAN interface, #p1p1 is LAN interface
  28. sudo iptables -A POSTROUTING -o eth1 -j MASQUERADE
  29.  
  30. # NAT pinhole: HTTP from WAN to LAN
  31. sudo iptables -A PREROUTING -p tcp -m tcp -i eth0 --dport 80 -j DNAT --to-destination 192.168.0.15:80
  32.  
  33. COMMIT
  34.  
  35. *filter
  36. :INPUT ACCEPT [0:0]
  37. :FORWARD ACCEPT [0:0]
  38. :OUTPUT ACCEPT [0:0]
  39.  
  40. # Service rules
  41.  
  42. # basic global accept rules - ICMP, loopback, traceroute, established all accepted
  43. sudo iptables -A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -j ACCEPT
  44. sudo iptables -A INPUT -p icmp -j ACCEPT
  45. sudo iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
  46.  
  47. # enable traceroute rejections to get sent out
  48. sudo iptables -A INPUT -p udp -m udp --dport 33434:33523 -j REJECT --reject-with icmp-port-unreachable
  49.  
  50. # DNS - accept from LAN
  51. sudo iptables -A INPUT -i eth0 -p tcp --dport 53 -j ACCEPT
  52. sudo iptables -A INPUT -i eth0 -p udp --dport 53 -j ACCEPT
  53.  
  54. # SSH - accept from LAN
  55. sudo iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
  56.  
  57. # DHCP client requests - accept from LAN
  58. sudo iptables -A INPUT -i eth0 -p udp --dport 67:68 -j ACCEPT
  59.  
  60. # drop all other inbound traffic
  61. sudo iptables -A INPUT -j DROP
  62.  
  63. # Forwarding rules
  64.  
  65. # forward packets along established/related connections
  66. sudo iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  67.  
  68. # forward from LAN (p1p1) to WAN (p4p1)
  69. sudo iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
  70.  
  71. # allow traffic from our NAT pinhole
  72. -A FORWARD -p tcp -d 192.168.0.15 --dport 80 -j ACCEPT
  73.  
  74. # drop all other forwarded traffic
  75. -A FORWARD -j DROP
  76.  
  77. COMMIT