
#!/bin/sh # This is a more complex setup, for a home firewal

  1. #this is a more complex firewall setup script
  2.  
  3. #!/bin/sh
  4. # This is a more complex setup, for a home firewall:
  5. # * One interface plug to the ISP conection (eth0). Using DHCP.
  6. # * One interface plug to the local LAN switch (eth1). Using 192.168.0.0/24.
  7. # * Traffic open from the LAN to the SSH in the firewall.
  8. # * Traffic open and translated, from the local LAN to internet.
  9. # * Traffic open from internet, to a local web server.
  10. # * Logging of dropped traffic, using a specific ''log level'' to configure a separate file in syslog/rsyslog.
  11. PATH='/sbin'
  12. ## INIT
  13. # Flush previous rules, delete chains and reset counters
  14. iptables -F
  15. iptables -X
  16. iptables -Z
  17. iptables -t nat -F
  18. # Default policies
  19. iptables -P INPUT DROP
  20. iptables -P OUTPUT DROP
  21. iptables -P FORWARD DROP
  22. echo -n '1' > /proc/sys/net/ipv4/ip_forward
  23. echo -n '0' > /proc/sys/net/ipv4/conf/all/accept_source_route
  24. echo -n '0' > /proc/sys/net/ipv4/conf/all/accept_redirects
  25. echo -n '1' > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
  26. echo -n '1' > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
  27. # Enable loopback traffic
  28. iptables -A INPUT -i lo -j ACCEPT
  29. iptables -A OUTPUT -o lo -j ACCEPT
  30. # Enable statefull rules (after that, only need to allow NEW conections)
  31. iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  32. iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  33. iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  34. # Drop invalid state packets
  35. iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
  36. iptables -A OUTPUT -m conntrack --ctstate INVALID -j DROP
  37. iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP
  38. ## INPUT
  39. # Incoming ssh from the LAN
  40. iptables -A INPUT -i eth1 -s 192.168.0.0/24 \
  41. -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
  42. ## OUTPUT
  43. # Enable al outgoing traffic to internet
  44. iptables -A OUTPUT -o eth0 -d 0.0.0.0/0 -j ACCEPT
  45. # Enable access traffic, from the firewall to the LAN network
  46. iptables -A OUTPUT -o eth1 -d 192.168.0.0/24 -j ACCEPT
  47. ## FORWARD
  48. # We have dinamic IP (DHCP), so we've to masquerade
  49. iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
  50. iptables -A FORWARD -o eth0 -i eth1 -s 192.168.0.0/24 \
  51. -m conntrack --ctstate NEW -j ACCEPT
  52. # Redirect HTTP (tcp/80) to the web server (192.168.0.2)
  53. iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 \
  54. -j DNAT --to-destination 192.168.0.2:80
  55. iptables -A FORWARD -i eth0 -p tcp --dport 80 \
  56. -o eth1 -d 192.168.0.2 \
  57. -m conntrack --ctstate NEW -j ACCEPT
  58. ## LOGGING
  59. iptables -A INPUT -j LOG --log-level DEBUG --log-prefix '[FW INPUT]: '
  60. iptables -A OUTPUT -j LOG --log-level DEBUG --log-prefix '[FW OUTPUT]: '
  61. iptables -A FORWARD -j LOG --log-level DEBUG --log-prefix '[FW FORWARD ]: '