Chillispot iptables

a guest, Mar 31st, 2010
#!/bin/sh
#
# Firewall script for ChilliSpot
# A Wireless LAN Access Point Controller
#
# Uses $EXTIF (eth0) as the external interface (Internet or intranet),
# $EXTIF2 (eth2) as a second external interface, and
# $INTIF (eth1) as the internal interface (access points).
#
# SUMMARY
# * All connections originating from chilli are allowed (OUTPUT policy ACCEPT).
# * On the external interface only ssh (22), http (80) and MySQL (3306) are
#   allowed in; everything else is rejected. Note that 3306 is reachable from
#   the whole external network: if the database only has to be reached by the
#   authentication server, restrict that rule with -s <its address>.
# * On the second external interface http (80) is allowed in explicitly; the
#   "remaining interfaces" rules below also open 443 and 3990 on it, because
#   it has no catch-all REJECT of its own.
# * Nothing is allowed in on the internal interface.
# * Forwarding is allowed to and from the external interface, but disallowed
#   to and from the internal interface.
# * NAT is enabled on the external interface.

IPTABLES="/sbin/iptables"
EXTIF="eth0"
EXTIF2="eth2"
INTIF="eth1"

# Start from a clean slate so that re-running the script does not append a
# second copy of every rule.
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -X

$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P OUTPUT ACCEPT

# Allow everything on the loopback interface.
$IPTABLES -A INPUT -i lo -j ACCEPT

# Allow related and established on all interfaces (input).
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allow ssh, http and MySQL on $EXTIF, and http on $EXTIF2. Reject everything
# else on $EXTIF. (--syn matches only connection attempts; the rest of each
# connection is accepted by the RELATED,ESTABLISHED rule above.)
$IPTABLES -A INPUT -i $EXTIF -p tcp -m tcp --dport 22 --syn -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -p tcp -m tcp --dport 80 --syn -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF2 -p tcp -m tcp --dport 80 --syn -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -p tcp -m tcp --dport 3306 --syn -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -j REJECT

# Drop everything else on $INTIF (related and established were already
# accepted above).
$IPTABLES -A INPUT -i $INTIF -j DROP

# Allow http and https on the remaining interfaces (input): the tun interface
# chilli creates for its clients, and $EXTIF2.
# This is only needed if the authentication server is on the same machine
# as chilli.
$IPTABLES -A INPUT -p tcp -m tcp --dport 80 --syn -j ACCEPT
$IPTABLES -A INPUT -p tcp -m tcp --dport 443 --syn -j ACCEPT

# Allow 3990 (chilli's UAM login port) on the remaining interfaces (input).
$IPTABLES -A INPUT -p tcp -m tcp --dport 3990 --syn -j ACCEPT

# Drop everything to and from $INTIF (forward).
# This means that access points can only be managed from ChilliSpot.
$IPTABLES -A FORWARD -i $INTIF -j DROP
$IPTABLES -A FORWARD -o $INTIF -j DROP

# Enable NAT on the output device. The kernel must also have IP forwarding
# turned on, otherwise neither the FORWARD chain nor NAT sees any traffic.
echo 1 > /proc/sys/net/ipv4/ip_forward
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
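The INPUT chain above only does what its comments say if you read it top to bottom with first-match semantics: the "other interfaces" rules for 80, 443 and 3990 never apply to eth0 (its REJECT comes first) or eth1 (its DROP comes first), but they do apply to eth2 and to chilli's tun interface. The model below, added here as an example and not part of the pasted script, replays that chain rule by rule for constructed packets so the real exposure per interface can be checked before the rules are loaded on a box. Interface names eth0/eth1/eth2 and the ports are taken from the script; "tun0" and the sample packets are assumptions made for the demonstration.

```python
# Added example: first-match model of the INPUT chain built by the ChilliSpot
# firewall script. The rules are transcribed from the script; interface "tun0"
# and every Packet below are constructed for the demonstration.
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional


@dataclass(frozen=True)
class Packet:
    iface: str                   # input interface (-i)
    proto: str                   # "tcp", "udp" or "icmp"
    dport: Optional[int] = None  # destination port, None for icmp
    syn: bool = False            # TCP SYN without ACK, i.e. a connection attempt
    state: str = "NEW"           # conntrack state: NEW/ESTABLISHED/RELATED/INVALID


@dataclass(frozen=True)
class Rule:
    target: str                             # ACCEPT, DROP or REJECT
    iface: Optional[str] = None             # -i
    proto: Optional[str] = None             # -p
    dport: Optional[int] = None             # --dport
    syn: bool = False                       # --syn
    state: Optional[FrozenSet[str]] = None  # -m state --state

    def matches(self, p: Packet) -> bool:
        return ((self.iface is None or p.iface == self.iface)
                and (self.proto is None or p.proto == self.proto)
                and (self.dport is None or p.dport == self.dport)
                and (not self.syn or (p.proto == "tcp" and p.syn))
                and (self.state is None or p.state in self.state))


RE = frozenset({"RELATED", "ESTABLISHED"})

# Same order as the script's -A INPUT lines; the order is what decides the result.
INPUT_CHAIN: List[Rule] = [
    Rule("ACCEPT", state=RE),
    Rule("ACCEPT", iface="eth0", proto="tcp", dport=22, syn=True),
    Rule("ACCEPT", iface="eth0", proto="tcp", dport=80, syn=True),
    Rule("ACCEPT", iface="eth2", proto="tcp", dport=80, syn=True),
    Rule("ACCEPT", iface="eth0", proto="tcp", dport=3306, syn=True),
    Rule("REJECT", iface="eth0"),
    Rule("DROP", iface="eth1"),
    Rule("ACCEPT", proto="tcp", dport=80, syn=True),
    Rule("ACCEPT", proto="tcp", dport=443, syn=True),
    Rule("ACCEPT", proto="tcp", dport=3990, syn=True),
    Rule("ACCEPT", iface="lo"),
]
INPUT_POLICY = "DROP"


def verdict(p: Packet, chain: List[Rule] = INPUT_CHAIN,
            policy: str = INPUT_POLICY) -> str:
    """First matching rule wins; the chain policy applies when nothing matches."""
    for rule in chain:
        if rule.matches(p):
            return rule.target
    return policy


def open_tcp_ports(iface: str, ports: Iterable[int]) -> List[int]:
    """Ports on which a fresh TCP connection attempt arriving on iface is accepted."""
    return [port for port in ports
            if verdict(Packet(iface, "tcp", port, syn=True)) == "ACCEPT"]


def exposure_report(interfaces: Iterable[str],
                    ports: Iterable[int] = (22, 80, 443, 3306, 3990)) -> Dict[str, List[int]]:
    """Per-interface list of TCP ports reachable with a new connection."""
    ports = list(ports)
    return {iface: open_tcp_ports(iface, ports) for iface in interfaces}


if __name__ == "__main__":
    for iface, ports in exposure_report(["eth0", "eth1", "eth2", "tun0"]).items():
        print(f"{iface:5s} accepts new TCP connections on: {ports}")
```

Running it shows eth0 exposing 22, 80 and 3306, eth1 nothing, and both eth2 and tun0 exposing 80, 443 and 3990; if eth2 was meant to carry only http, it needs its own `-i $EXTIF2 -j REJECT` line placed before the interface-less rules, exactly as eth0 has.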