Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- cat iptables
- *nat
- :PREROUTING ACCEPT [0:0]
- :INPUT ACCEPT [0:0]
- :OUTPUT ACCEPT [0:0]
- :POSTROUTING ACCEPT [0:0]
- # wlan0 is WAN interface, #eth0 is LAN interface
- -A POSTROUTING -o wlan0 -j MASQUERADE
- # NAT pinhole: HTTP from WAN to LAN
- -A PREROUTING -p tcp -m tcp -i wlan0 --dport 80 -j DNAT --to-destination 192.168.10.10:80
- COMMIT
- *filter
- :INPUT ACCEPT [0:0]
- :FORWARD ACCEPT [0:0]
- :OUTPUT ACCEPT [0:0]
- # Service rules
- # basic global accept rules - ICMP, loopback, traceroute, established all accepted
- -A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -j ACCEPT
- -A INPUT -p icmp -j ACCEPT
- -A INPUT -m state --state ESTABLISHED -j ACCEPT
- # enable traceroute rejections to get sent out
- -A INPUT -p udp -m udp --dport 33434:33523 -j REJECT --reject-with icmp-port-unreachable
- # DNS - accept from LAN
- -A INPUT -i eth0 -p tcp --dport 53 -j ACCEPT
- -A INPUT -i eth0 -p udp --dport 53 -j ACCEPT
- # SSH - accept from LAN
- -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
- # DHCP client requests - accept from LAN
- -A INPUT -i eth0 -p udp --dport 67:68 -j ACCEPT
- # drop all other inbound traffic
- -A INPUT -j DROP
- # Forwarding rules
- # forward packets along established/related connections
- -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
- # forward from LAN (eth0) to WAN (p4p1)
- -A FORWARD -i eth0 -o wlan0 -j ACCEPT
- # allow traffic from our NAT pinhole
- -A FORWARD -p tcp -d 192.168.10.10 --dport 80 -j ACCEPT
- # drop all other forwarded traffic
- -A FORWARD -j DROP
- COMMIT
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
