##/etc/network/interfaces

# Two-NIC gateway. eth0 is the outside-facing interface; eth1 is the
# 192.168.1.0/24 intranet that the firewall script trusts wholesale
# (it accepts everything arriving on eth1), so every host on that
# segment effectively has full access to this machine.

# External interface
# address/netmask/gateway are blank in this paste (redacted); ifup
# cannot bring eth0 up until the provider-assigned values are filled in.
auto eth0
allow-hotplug eth0
iface eth0 inet static
address
netmask
gateway

# Internal interface
# No gateway here on purpose: the default route must go out eth0.
auto eth1
allow-hotplug eth1
iface eth1 inet static
address 192.168.1.10
netmask 255.255.255.0
  17.  
  18.  
  19.  
##/etc/hosts

# Static names for the internal servers on the eth1 subnet
# (192.168.1.0/24, see /etc/network/interfaces). Presumably these are
# appended to the stock 127.0.0.1/::1 localhost lines, which this paste
# does not show — verify the file keeps them. These are single-label
# names; they win over DNS only for the "hosts" order in nsswitch.conf.
192.168.1.20 hosting
192.168.1.30 mail
192.168.1.40 file
192.168.1.50 db
  26.  
  27.  
  28.  
##/etc/resolv.conf

# Upstream resolvers, redacted in this paste ("IP" is a placeholder).
# The resolver library honours at most three nameserver lines. If the
# resolvconf package or a DHCP client manages this file on the host,
# hand edits are overwritten — put the servers in the interfaces stanza
# (dns-nameservers) instead. Queries leave via eth0 unencrypted; pick
# resolvers you trust.
nameserver IP
nameserver IP
  33.  
  34.  
  35.  
  36. ##/etc/network/if-post-down.d/firewall-save
  37.  
  38. #!/bin/sh
  39. echo
  40. echo "Saving firewall..."
  41. echo
  42. /sbin/iptables-save -c > /etc/firewall.conf
  43.  
  44.  
  45.  
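##/etc/network/if-pre-up.d/firewall-restore

#!/bin/sh
# ifupdown pre-up hook: reload the ruleset saved by
# if-post-down.d/firewall-save before the interface is brought up, so
# the interface never carries traffic without the rules. ifupdown runs
# this once per interface (lo included); repeating the restore is
# harmless because iptables-restore replaces the tables wholesale.
#
# Error handling is fail-closed: a restore that iptables rejects exits
# non-zero, which ifupdown treats as a reason not to bring the interface
# up (confirm this matches the ifupdown version on the host). A missing
# file is only warned about, as in the original, because the first boot
# after installation has nothing to restore yet — /etc/init.d/
# iptables-setup builds the rules from scratch in that case.

saved=/etc/firewall.conf

if [ ! -f "$saved" ]; then
    echo "firewall-restore: $saved not found; no rules restored for ${IFACE:-?}" >&2
    exit 0
fi

echo
echo "Restoring firewall..."
echo

if ! /sbin/iptables-restore -c < "$saved"; then
    echo "firewall-restore: iptables-restore failed; refusing to bring up ${IFACE:-?}" >&2
    exit 1
fi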
  55.  
  56.  
  57.  
  58. ##/etc/init.d/iptables-setup
  59.  
  60. #!/bin/sh
  61.  
  62. echo
  63. echo "Setting up firewall rules..."
  64. echo
  65.  
  66. # Add conntrack modules if they are not loaded yet
  67. modprobe ip_conntrack
  68. modprobe ip_conntrack_ftp
  69.  
  70. # Enable broadcast echo Protection
  71. echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
  72.  
  73. # Disable Source Routed Packets
  74. echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
  75.  
  76. # Enable TCP SYN Cookie Protection
  77. echo 1 > /proc/sys/net/ipv4/tcp_syncookies
  78.  
  79. # Disable ICMP Redirect Acceptance
  80. echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
  81.  
  82. # Don¹t send Redirect Messages
  83. echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
  84.  
  85. # Drop Spoofed Packets coming in on an interface where responses
  86. # would result in the reply going out a different interface.
  87. echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
  88.  
  89. # Set default policy
  90. iptables -P INPUT DROP
  91. iptables -P FORWARD DROP
  92. iptables -P OUTPUT ACCEPT
  93.  
  94. # Flush current firewall
  95. iptables -F
  96. iptables -X
  97. iptables -t nat -F
  98. iptables -t nat -X
  99. iptables -t mangle -F
  100. iptables -t mangle -X
  101.  
  102. # Create SSH chain
  103. iptables -N SSH
  104. iptables -A SSH -s 83.80.24.69/32 -j ACCEPT
  105. iptables -A SSH -s 83.80.135.185/32 -j ACCEPT
  106. iptables -A SSH -s 84.245.4.152/32 -j ACCEPT
  107. iptables -A SSH -s 87.212.79.160/32 -j ACCEPT
  108. iptables -A SSH -s 82.94.218.137/32 -j ACCEPT
  109. iptables -A SSH -s 82.95.51.234/32 -j ACCEPT
  110.  
  111. # Drop invalid packets
  112. iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
  113.  
  114. # Allow local connections
  115. iptables -A INPUT -i lo -j ACCEPT
  116.  
  117. # Allow all established connections through
  118. iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  119.  
  120. # Allow intranet connections
  121. iptables -A INPUT -i eth1 -j ACCEPT
  122.  
  123. # Allow forwarding on the intranet
  124. iptables -A FORWARD -i eth1 --ctstate NEW -j ACCEPT
  125. iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  126.  
  127. # Allow http(s)
  128. iptables -A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
  129.  
  130. # Allow ftp
  131. iptables -A INPUT -m helper --helper ftp -j ACCEPT
  132.  
  133. # Send ssh to the ssh chain
  134. iptables -A INPUT -p tcp -m tcp --dport ssh -j SSH