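#!/bin/sh
#
# rc.iptables - minimal NAT / forwarding firewall for a 2.4-kernel gateway
#
# Latest Version
# --------------
# http://www.Linux-Sec.net/Firewalls/Scripts/rc.iptables
#
#
# To Stop the Firewall
# --------------------
# iptables -F
#
# NOTE: "-F" alone only empties the filter chains.  The FORWARD policy this
# script sets stays DROP and the nat table keeps its SNAT rule, so to undo
# everything done here also run "iptables -P FORWARD ACCEPT" and
# "iptables -t nat -F" (the same sequence the "Clear" section below uses).
#
#
# To View the Rules
# -----------------
# iptables -L
# ( "iptables -N" creates a new chain; it does not list anything. )
#
#
# 27-Feb-02 amo Excerpt from
#   http://lists.samba.org/pipermail/netfilter/2001-November/016812.html
# 26-Apr-04 amo Added "AP" w/ simple firewall ( masquerade )
# 06-Nov-04 amo Cleanup simple firewall rules
#
#
VER="2004.1106"
#
NAME="rc.iptables"
#
#
# Execute the Commands
# --------------------
#
# docmd "text"
#   Prints "text" and, unless it is a comment, runs it with eval in the
#   current shell.  eval is required because the commands carry their own
#   redirections ("echo 0 > /proc/...") and every argument is a literal
#   string from this file, never external input.  A comment is a string
#   that is exactly "#" or begins with "# ".  A command that fails prints
#   "ERROR: Failed : ..." to stderr but does NOT abort the script, so the
#   remaining rules are still loaded; check the error output and
#   "iptables -L" afterwards.
#
# Globals:   cmd, status (written)
# Arguments: $1 - command line or comment to process
# Outputs:   the command text (plus the command's own output) on stdout,
#            failure diagnostics on stderr
# Returns:   0 always
#
docmd() {
  cmd=$1
  #
  # Classify the string directly.  The earlier version wrote it to a
  # predictable /tmp/$NAME.log and grep'd it back, which is both needless
  # and unsafe for a script that runs as root (anyone can pre-create or
  # symlink that path).
  case "$cmd" in
    '#' | '# '*)
      # Comments are printed only
      printf '%s\n' "$cmd"
      ;;
    *)
      printf '%s\n' "$cmd"
      eval "$cmd"
      status=$?
      printf '\n'
      if [ "$status" -ne 0 ]; then
        printf '\nERROR: Failed : %s (status %s)\n\n' "$cmd" "$status" >&2
        # Deliberately keep going: a partial rule set is better than none,
        # and the failure has been reported above.
      fi
      ;;
  esac
  return 0
}
# docmd
#
#
# Load the iptable modules
#
# /lib/modules/2.4.27-ow1/kernel/net/ipv4/netfilter
#
docmd "#"
docmd "modprobe iptable_filter"
docmd "modprobe iptable_mangle"
docmd "modprobe iptable_nat"
docmd "modprobe ipt_state"
docmd "modprobe ipt_LOG"
docmd "#"
#
#
docmd "#"
docmd "# Turn off packet forwarding for updating the firewall "
docmd "#"
docmd "echo 0 > /proc/sys/net/ipv4/ip_forward"
#
#
# http://www.e-infomax.com/ipmasq/
#
docmd "#"
docmd "# Install a minimal firewall/gateway"
#ocmd "# rc.firewall-2.2 ( ipchains ) "
docmd "# rc.firewall-2.4 ( iptables ) "
docmd ""
#
#
# ---------------------------------------------------
# 3-line ipchains firewall
# ------------------------
# ipchains -A forward -s 192.168.1.0/24 -d 0.0.0.0/0 -j MASQ
# ##hains -A forward -i ppp0 -j MASQ
# ipchains -P forward DENY
# echo 1 > /proc/sys/net/ipv4/ip_forward
#
# ---------------------------------------------------
# 4-line iptable firewall
# -----------------------
# iptables -F
# iptables -t nat -F
# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# echo 1 > /proc/sys/net/ipv4/ip_forward
#
#
IPTABLES="iptables"
EXTIF="eth0"     # Internet-facing interface
INTIF="ath0"     # LAN / wireless interface that is NAT'ed out
#
OUTSIDE="157.22.35.141"   # public address used as the SNAT source
#
#
docmd "#"
docmd "# 7-commands to Clear the IPTables first"
docmd "#"
#
# iptables -F
#
# NOTE: INPUT and OUTPUT are set to ACCEPT and flushed, and no rule is
# ever added to them, so this script filters only the forwarded (LAN)
# traffic; the gateway host itself is left open.
#
docmd "$IPTABLES -P INPUT ACCEPT"
docmd "$IPTABLES -F INPUT"
docmd "$IPTABLES -P OUTPUT ACCEPT"
docmd "$IPTABLES -F OUTPUT"
docmd "$IPTABLES -P FORWARD DROP"
docmd "$IPTABLES -F FORWARD"
docmd "$IPTABLES -t nat -F"
docmd "#"
#
#
# ToDo:
#
# Change to allow only specific 192.168.x.y ip# only
# iptables -A FORWARD -s 192.168.11.12 -i eth0 -j ACCEPT ( works or not ?? )
#
docmd "# FWD: Allow all connections OUT and only existing and related ones IN"
docmd " $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT"
docmd " $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT"
# Anything not matched above is logged and then hits the DROP policy.
# NOTE: there is no "-m limit" on this rule, so a flood of unwanted
# packets is written to the kernel log at full rate.
docmd " $IPTABLES -A FORWARD -j LOG"
printf '\n'
#
#
# this works for the wireless box to get outside
# ( SNAT pins the source to $OUTSIDE; MASQUERADE, as in the 4-line example
#   above, would follow a changing address on $EXTIF instead. )
docmd " $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j SNAT --to $OUTSIDE"
#
#
# try to allow only 192.168.1.12 connectivity in or out
# -------------------------------------------------------
#ocmd " $IPTABLES -t nat -A POSTROUTING -s 192.168.1.12 -o $EXTIF -j SNAT --to $OUTSIDE"
docmd ""
#
docmd "# Check the rules:"
docmd " $IPTABLES -L"
docmd ""
#
#
docmd "#"
docmd "# Turn On the firewall and packet forwarding"
docmd "# ------------------------------------------"
docmd "echo 1 > /proc/sys/net/ipv4/ip_forward"
#
#
docmd "#"
docmd "# End of $NAME"
docmd "#"
#
#
# Masquerading
# -------------
# iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
#
#
# Nat'ing rules
# -------------
# iptables -P OUTPUT ACCEPT
# iptables -P INPUT ACCEPT
# iptables -P FORWARD ACCEPT
#
# iptables -t nat -F PREROUTING
#
# iptables -t nat -A PREROUTING -p tcp --dport 80 -i ppp0 -j DNAT --to 192.168.1.4:80
#
#
# iptables -t nat -A PREROUTING -p tcp --dport 25 -i ppp0 -j DNAT --to 192.168.1.4:25
# iptables -t nat -A PREROUTING -p udp --dport 25 -i ppp0 -j DNAT --to 192.168.1.4:25
#
#
# iptables -t nat -A PREROUTING -p tcp --dport 110 -i ppp0 -j DNAT --to 192.168.2.4:110
# iptables -t nat -A PREROUTING -p udp --dport 110 -i ppp0 -j DNAT --to 192.168.2.4:110
#
#
# end of file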