[[linux:firewall]]
Trace:
Show page
AdminRecent ChangesSitemap

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision 		Previous revision
Next revision Both sides next revision
linux:firewall [2008/04/29 11:08]
greebo 		linux:firewall [2012/02/21 13:28]
greebo
Line 1: Line 1:
-  #!/bin/bash +[[linux:firewall6|Linux IPV6 firewall]]\\ 
-  echo "*************" +[[linux:firewall_blocktor| how to block TOR network in realtime]]\\  
-  echo "* Running $0" +[[http://www.fs-security.com/|FS security]]\\ 
-  echo "*************"+ 
 +<code bash |> 
 + 
 +#!/bin/bash 
 +echo "*************" 
 +echo "* Running $0" 
 +echo "*************
 +echo "* http://tnt.aufbix.org/ linux firewall script" 
 + 
 +echo 
 +echo  "It was sad music. But it waved its sadness like a battle flag." 
 +echo  " It said the universe had done all it could, but you were still alive." 
 +echo 
 +echo " Discworld" 
 + 
 +TNX_IDIOT="yes" 
 + 
 +echo " how iptables work in linux kernel" 
 +echo 
 +echo ">-[prerouting]-> + >-[forward]-> + >-[postrouting]->" 
 +echo " | |" 
 +echo " [input] >--->[output]" 
 + 
 +# path to iptables and iproute2 files 
 +IPTB="/sbin/iptables" 
 +IP="/sbin/ip" 
 + 
 +# name of our Internet and intranet interfaces 
 +# use INTRANET="eth1+" or INTERNET="eth0+" 
 +# if you have more ifaces (example: eth0:0)  towards Intranet/Internet 
 +
 +# WAN Interface 
 +INTERNET="eth0" 
 +# ADSL - INTERNET="ppp0" 
 +
 +# LAN Interface 
 +INTRANET="eth1"
      
-  echo +# what IPs are used in intranet 
-  echo  "It was sad musicBut it waved its sadness like a battle flag.+LAN="192.168.6.0/24"
-  echo  " It said the universe had done all it could, but you were still alive.+
-  echo +
-  echo " Discworld"+
      
-  TNX_IDIOT="yes"+# what is our static  IP (if we have one) 
 +GW_IP="X.X.X.X"
      
-  echo " how iptables work in linux kernel 2.4.x/2.6.x+# what TCP ports/services we allow (and FORWARD) from Internet 
-  echo +# use " as delimiter 
-  echo ">-[prerouting]-> + >-[forward]-> + >-[postrouting]->+TCP_PORTS="25 53 80" 
-  echo " | |+ 
-  echo " [input] >--->[output]"+# what UDP ports/services we allow (and FORWARD) from Internet 
 +# use ",as delimiter 
 +UDP_PORTS="53,123" 
 + 
 +# which ports we forward into our intranet 
 +# use ",as delimiter 
 +FWD_TCP_PORTS="1214,6346"
      
-  path to iptables and iproute2 files +set to 1 if we you have intranet 
-   +WE_HAVE_INTRANET="0
-  IPTB="/sbin/iptables" + 
-  IP="/sbin/ip" +#  
-   +TRUSTED_HOSTS="193.77.1.1/32 \ 
-  # name of our Internet and intranet interfaces +212.93.224.0/19 \ 
-  INTRANET="eth1+212.18.32.0/24
-  INTERNET="eth0" + 
-  ADSL - INTERNET="ppp0" +echo "0" > /proc/sys/net/ipv4/ip_forward 
-   + 
-  # what IPs are used in intranet +# first we flush the tables and policy 
-  LAN="192.168.6.0/24" +$IPTB -F 
-   +$IPTB -X 
-  # what is our static  IP (if we have one) +$IPTB -F INPUT 
-  GW_IP="X.X.X.X" +$IPTB -F FORWARD 
-   +$IPTB -F OUTPUT 
-  # what TCP ports/services we allow (and FORWARD) from Internet + 
-  # use " " as delimiter +$IPTB -t nat -F 
-  TCP_PORTS="22 25 53 80" + 
-   +# new chain for SSH and HTTP access 
-  # what UDP ports/services we allow (and FORWARD) from Internet +$IPTB -N ssh-access 
-  # use "," as delimiter +$IPTB -N http-access 
-  UDP_PORTS="53" + 
-   +# port redirection (transparent proxy) 
-  # which ports we forward into our intranet +# redirect all outgoing traffic that is NOT for the GW to local (GW) ports 
-  # use "," as delimiter +# DNS (53/tcp and 53/udp) and SMTP (25/tcp) 
-  FWD_TCP_PORTS="1214,6346" +#$IPTB -t nat -A PREROUTING -i ! $INTERNET -p tcp -s $LAN -d ! $LAN --dport 53 -j REDIRECT 
-   +#$IPTB -t nat -A PREROUTING -i ! $INTERNET -p udp -s $LAN -d ! $LAN --dport 53 -j REDIRECT 
-  # set to 1 if we you have intranet +#$IPTB -t nat -A PREROUTING -i ! $INTERNET -p tcp -s $LAN -d ! $LAN --dport 25 -j REDIRECT --to-ports 25 
-  WE_HAVE_INTRANET="0" + 
-   +# INPUT TABLE 
-  echo "0" > /proc/sys/net/ipv4/ip_forward +$IPTB -P INPUT DROP 
-   + 
-  # first we flush the tables and policy +# statefull firewall makes most hits 
-  $IPTB -F +$IPTB -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT 
-  $IPTB -F INPUT + 
-  $IPTB -F FORWARD +# move all SSH and HTTP traffic to apropriate chains 
-  $IPTB -F OUTPUT +$IPTB -A INPUT -p tcp -m state --syn --state NEW --dport 22 -j ssh-access 
-  $IPTB -t nat -F +$IPTB -A INPUT -p tcp -m state --syn --state NEW --dport 80 -j http-access 
-   + 
-  # port redirection (transparent proxy) +# ssh chain 
-  #$IPTB -t nat -A PREROUTING -i ! $INTERNET -p tcp -s $LAN -d ! $LAN --dport 53 -j REDIRECT +for sshhostese in $TRUSTED_HOSTS; 
-  #$IPTB -t nat -A PREROUTING -i ! $INTERNET -p udp -s $LAN -d ! $LAN --dport 53 -j REDIRECT +        do 
-  #$IPTB -t nat -A PREROUTING -i ! $INTERNET -p tcp -s $LAN -d ! $LAN --dport 25 -j REDIRECT --to-ports 25 +        $IPTB -A ssh-access -s $sshhostese -j ACCEPT 
-   +        done 
-  # INPUT TABLE + # Connection limit for SSH connections (1 connection per minute PER source IP) 
-  $IPTB -P INPUT DROP + # - usefull against ssh scanners if you MUST open SSH for every IP! 
-   +$IPTB -A ssh-access -m hashlimit --hashlimit 1/minute --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name ssh -j ACCEPT 
-  # statefull firewall +$IPTB -A ssh-access -j DROP 
-  $IPTB -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT +# ssh 
-   + 
-  # IPSEC +# http 
-  #$IPTB -A INPUT -i $INTERNET -p udp --sport 500 --dport 500  -j ACCEPT +for httphostese in $TRUSTED_HOSTS; 
-  #$IPTB -A INPUT -i $INTERNET -p 50 -j ACCEPT +        do 
-  #$IPTB -A INPUT -i $INTERNET -p 51 -j ACCEPT +        $IPTB -A http-access -s $httphostese -j ACCEPT 
-   +        done 
-  # we allow all traffic from $INTRANET and localhost interfaces +# http 
-  $IPTB -A INPUT -i $INTRANET -j ACCEPT + 
-  $IPTB -A INPUT -i lo -j ACCEPT +# IPSEC 
-   +#$IPTB -A INPUT -i $INTERNET -p udp --sport 500 --dport 500  -j ACCEPT 
-  #$IPTB -A INPUT -m state --state INVALID -m limit --limit 1/minute -j LOG --log-prefix "INVALID packet> " +#$IPTB -A INPUT -i $INTERNET -p 50 -j ACCEPT 
-  #$IPTB -A INPUT -m state --state INVALID -j DROP +#$IPTB -A INPUT -i $INTERNET -p 51 -j ACCEPT 
-   + 
-  +# we allow all traffic from $INTRANET and localhost interfaces 
-  $IPTB -A INPUT -i $INTERNET -m pkttype --pkt-type broadcast -j DROP +$IPTB -A INPUT -i $INTRANET -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT 
-  $IPTB -A INPUT -i $INTERNET -m pkttype --pkt-type multicast -j DROP +$IPTB -A INPUT -i lo  -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT 
-    + 
-  #FIN is set and ACK is not +$IPTB -A INPUT -m state --state INVALID -m limit --limit 1/minute -j LOG --log-prefix "packet not in conntrack> " 
-  $IPTB -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP +$IPTB -A INPUT -m state --state INVALID -j DROP 
-  $IPTB -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j LOG --log-prefix "FIN> " + 
-   +
-  #PSH is set and ACK is not +$IPTB -A INPUT -i $INTERNET -m pkttype --pkt-type broadcast -j DROP 
-  $IPTB -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP +$IPTB -A INPUT -i $INTERNET -m pkttype --pkt-type multicast -j DROP 
-  $IPTB -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j LOG --log-prefix "PSH> " +  
-   +#FIN is set and ACK is not 
-  #URG is set and ACK is not +$IPTB -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j LOG --log-prefix "FIN> " 
-  $IPTB  -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP +$IPTB -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP 
-  $IPTB  -A INPUT -p tcp --tcp-flags ACK,URG URG -j LOG --log-prefix "URG> " + 
-   +#PSH is set and ACK is not 
-  # Block portscans: +$IPTB -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j LOG --log-prefix "PSH> " 
-  $IPTB -A INPUT -p tcp --tcp-flags ALL ALL  -j LOG --log-prefix "XMAS scan> " +$IPTB -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP 
-  $IPTB -A INPUT -p tcp --tcp-flags ALL ALL  -j DROP + 
-   +#URG is set and ACK is not 
-  #no flag is set +$IPTB  -A INPUT -p tcp --tcp-flags ACK,URG URG -j LOG --log-prefix "URG> " 
-  $IPTB -A INPUT -p tcp --tcp-flags ALL NONE -j LOG --log-prefix "NULL scan> " +$IPTB  -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP 
-  $IPTB -A INPUT -p tcp --tcp-flags ALL NONE -j DROP + 
-   +# Block portscans: 
-  $IPTB -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LOG --log-prefix "pscan>+$IPTB -A INPUT -p tcp --tcp-flags ALL ALL  -j LOG --log-prefix "XMAS scan> " 
-  $IPTB -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP +$IPTB -A INPUT -p tcp --tcp-flags ALL ALL  -j DROP 
-   + 
-  #SYN and FIN are both set +#no flag is set 
-  $IPTB -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-prefix "pscan 2> " +$IPTB -A INPUT -p tcp --tcp-flags ALL NONE -j LOG --log-prefix "NULL scan> " 
-  $IPTB -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP +$IPTB -A INPUT -p tcp --tcp-flags ALL NONE -j DROP 
-   + 
-  #FIN and RST are both set +$IPTB -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LOG --log-prefix "pscan>
-  $IPTB -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP +$IPTB -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP 
-  $IPTB -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j LOG --log-prefix "fin/rts flag>" + 
-   +#SYN and FIN are both set 
-   +$IPTB -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-prefix "pscan 2> " 
-  $IPTB -A INPUT -f -j LOG --log-prefix "FRAGMENT>+$IPTB -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP 
-  $IPTB -A INPUT -f -j DROP + 
-   +#FIN and RST are both set 
-  $IPTB -A INPUT -p tcp --tcp-flags ALL SYN,FIN -j LOG --log-prefix "SYNFIN-SCAN>" +$IPTB -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j LOG --log-prefix "fin/rts flag>" 
-  $IPTB -A INPUT -p tcp --tcp-flags ALL SYN,FIN -j DROP +$IPTB -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP 
-   + 
-  $IPTB -A INPUT -p tcp --tcp-flags ALL URG,PSH,FIN -j LOG --log-prefix "NMAP-XMAS-SCAN>" +$IPTB -A INPUT -f -j LOG --log-prefix "Lost FRAGMENT>
-  $IPTB -A INPUT -p tcp --tcp-flags ALL URG,PSH,FIN -j DROP +$IPTB -A INPUT -f -j DROP 
-   + 
-  $IPTB -A INPUT -p tcp --tcp-flags ALL FIN -j LOG --log-prefix "FIN-SCAN>" +$IPTB -A INPUT -p tcp --tcp-flags ALL SYN,FIN -j LOG --log-prefix "SYNFIN-SCAN>" 
-  $IPTB -A INPUT -p tcp --tcp-flags ALL FIN -j DROP +$IPTB -A INPUT -p tcp --tcp-flags ALL SYN,FIN -j DROP 
-   + 
-  $IPTB -A INPUT -p tcp --tcp-flags ALL URG,PSH,SYN,FIN -j LOG --log-prefix "NMAP-ID>" +$IPTB -A INPUT -p tcp --tcp-flags ALL URG,PSH,FIN -j LOG --log-prefix "NMAP-XMAS-SCAN>" 
-  $IPTB -A INPUT -p tcp --tcp-flags ALL URG,PSH,SYN,FIN -j DROP +$IPTB -A INPUT -p tcp --tcp-flags ALL URG,PSH,FIN -j DROP 
-   + 
-  #SYN and RST are both set +$IPTB -A INPUT -p tcp --tcp-flags ALL FIN -j LOG --log-prefix "FIN-SCAN>" 
-  $IPTB -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "SYN-RST>+$IPTB -A INPUT -p tcp --tcp-flags ALL FIN -j DROP 
-  $IPTB -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP + 
-   +$IPTB -A INPUT -p tcp --tcp-flags ALL URG,PSH,SYN,FIN -j LOG --log-prefix "NMAP-ID>" 
-  # Connection limit for SSH connections ( 1 connection per minute) +$IPTB -A INPUT -p tcp --tcp-flags ALL URG,PSH,SYN,FIN -j DROP 
-  $IPTB -A INPUT -p tcp -m state --syn --state NEW --dport 22 -m limit --limit 1/minute --limit-burst 1 -j ACCEPT + 
-  $IPTB -A INPUT -p tcp -m state --syn --state NEW --dport 22 -j DROP +#SYN and RST are both set 
-   +$IPTB -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "SYN-RST>
-  # what we allow from Internet +$IPTB -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP 
-  for i in $TCP_PORTS+ 
 +# what we allow from Internet - TCP ports 
 +for i in $TCP_PORTS
  do  do
- $IPTB -A INPUT -p tcp -m state --syn --state NEW  --dport $i -j ACCEPT + $IPTB -A INPUT -p tcp -m state --syn --state NEW  --dport $i -j ACCEPT 
-    done +        done 
-   + 
-  $IPTB -A INPUT -p udp -m multiport --dport $UDP_PORTS -j ACCEPT +# what we allow from Internet - UDP ports 
-   +$IPTB -A INPUT -p udp -m multiport --dport $UDP_PORTS -j ACCEPT 
-  # identd requests + 
-  $IPTB -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset +# identd requests 
-   +$IPTB -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset 
-  # traceroute + 
-  $IPTB -A INPUT -p udp -m limit --limit 3/second  --sport 32769:65535 --dport 33434:33523 -j ACCEPT +# traceroute (udp - IOS, Uni*es) 
-   +$IPTB -A INPUT -p udp -m limit --limit 3/second  --sport 32769:65535 --dport 33434:33523 -j ACCEPT 
-  # Log and drop ICMP fragments (shouldn'happen at all, but often used for DoS) + 
-  $IPTB -A INPUT -i $INTERNET --fragment -p icmp -j LOG --log-prefix "Fragmented incoming ICMP> " +# Log and drop ICMP fragments (shouldn not happen at all, but often used for DoS) 
-  $IPTB -A INPUT -i $INTERNET --fragment -p icmp -j DROP +$IPTB -A INPUT -i $INTERNET --fragment -p icmp -j LOG --log-prefix "Fragmented incoming ICMP> " 
-   +$IPTB -A INPUT -i $INTERNET --fragment -p icmp -m hashlimit --hashlimit 10/second --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name icmp-frag -j ACCEPT 
-  # thou shall NOT block ALL ICMP, but only allow usefull ICMP types to pass trough + 
-  $IPTB -A INPUT -p icmp --icmp-type 0  -m limit --limit 30/second -j ACCEPT +# thou shall NOT block ALL ICMP, but only allow usefull ICMP types to pass trough 
-  $IPTB -A INPUT -p icmp --icmp-type 3  -m limit --limit 30/second -j ACCEPT +# echo-reply 
-  $IPTB -A INPUT -p icmp --icmp-type 4  -m limit --limit 30/second -j ACCEPT +#$IPTB -A INPUT -p icmp --icmp-type 0 -m hashlimit --hashlimit 10/second --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name icmp0 -j ACCEPT 
-  $IPTB -A INPUT -p icmp --icmp-type 11 -m limit --limit 30/second -j ACCEPT +$IPTB -A INPUT -p icmp --icmp-type -m hashlimit --hashlimit 10/second --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name icmp3 -j ACCEPT 
-  $IPTB -A INPUT -p icmp --icmp-type 12 -m limit --limit 30/second -j ACCEPT +$IPTB -A INPUT -p icmp --icmp-type -m hashlimit --hashlimit 10/second --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name icmp4 -j ACCEPT 
-  #icmp-traceroute +$IPTB -A INPUT -p icmp --icmp-type 11 -m hashlimit --hashlimit 10/second --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name icmp11 -j ACCEPT 
-  $IPTB -A INPUT -p icmp --icmp-type 30 -m limit --limit 30/second -j ACCEPT +$IPTB -A INPUT -p icmp --icmp-type 12 -m hashlimit --hashlimit 10/second --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name icmp12 -j ACCEPT 
-   +#icmp-traceroute 
-  # echo-request +$IPTB -A INPUT -p icmp --icmp-type 30 -m hashlimit --hashlimit 10/second --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name icmp30 -j ACCEPT 
-  $IPTB -A INPUT -p icmp --icmp-type 8  -m limit --limit 3/second -j ACCEPT +# echo-request 
-   +$IPTB -A INPUT -p icmp --icmp-type 8 -m hashlimit --hashlimit 10/second --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name icmp8 -j ACCEPT 
-  # if the default policy is not DROP then we must use this + 
-  #$IPTB -A INPUT -p icmp -j DROP +if the default policy is not DROP then we must use this 
-   +#$IPTB -A INPUT -p icmp -j DROP
-  # FORWARD TABLE +
-  $IPTB -P FORWARD DROP +
-   +
-  # port forwarding +
-  #$IPTB -A FORWARD -p tcp -i $INTERNET -m multiport --dport $FWD_TCP_PORTS -j ACCEPT +
-   +
-  # START / port forwarding +
-  # list forwarder ports in separate command lines +
-  #$IPTB -t nat -A PREROUTING -p tcp -i $INTERNET --dport 1214  -j DNAT --to 192.168.1.10 +
-  #$IPTB -t nat -A PREROUTING -p tcp -i $INTERNET --dport 6346  -j DNAT --to 192.168.1.10 +
-  END / port forwarding  +
-   +
-  # statefull firewall +
-  #$IPTB -A FORWARD -m state --state INVALID -j LOG --log-prefix "INVALID:+
-  $IPTB -A FORWARD -m state --state INVALID -j DROP +
-  $IPTB -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT +
-  $IPTB -A FORWARD -m state --state NEW -i ! $INTERNET -j ACCEPT +
-   +
-  $IPTB -A FORWARD -m pkttype --pkt-type broadcast -j DROP +
-  $IPTB -A FORWARD -m pkttype --pkt-type multicast -j DROP +
-   +
-  NAT (IP masquerading) +
-  #$IPTB -t nat -A POSTROUTING -o $INTERNET -j MASQUERADE+
      
-  NAT but to certain IP (if we have multiple Internet IPs) +FORWARD TABLE 
-  $IPTB -t nat -A POSTROUTING -o $INTERNET -s $LAN -j SNAT --to-source $GW_IP+$IPTB -P FORWARD DROP
      
-  adsl +port forwarding 
-  #$IPTB -FORWARD --protocol tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu +#$IPTB -FORWARD -tcp -i $INTERNET -m multiport --dport $FWD_TCP_PORTS -j ACCEPT 
-  $IPTB -FORWARD -$INTERNET -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1400:1536 -j TCPMSS --clamp-mss-to-pmtu+ 
 +# START / port forwarding 
 +# list forwarder ports in separate command lines 
 +#$IPTB -t nat -A PREROUTING -p tcp -i $INTERNET --dport 1214  -j DNAT --to 192.168.1.10 
 +#$IPTB -t nat -A PREROUTING -p tcp -i $INTERNET --dport 6346  -j DNAT --to 192.168.1.10 
 +# END / port forwarding  
 + 
 +# statefull firewall 
 +#$IPTB -A FORWARD -m state --state INVALID -j LOG --log-prefix "INVALID: " 
 +$IPTB -FORWARD -m state --state INVALID -j DROP 
 +$IPTB -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT 
 +$IPTB -A FORWARD -m state --state NEW -i ! $INTERNET -j ACCEPT 
 + 
 +$IPTB -A FORWARD -m pkttype --pkt-type broadcast -j DROP 
 +$IPTB -A FORWARD -m pkttype --pkt-type multicast -j DROP
      
-  # we allow only access to network cards (NIC) that have their MAC addresses listed +# NAT (IP masquerading) 
-  # in "valid-macs" file +#$IPTB -t nat -A POSTROUTING -o $INTERNET -j MASQUERADE 
-  #for mac in `cat valid-macs`; do $IPTB -I FORWARD -m mac --mac-source $mac -j fwfilter ; done+ 
 +# NAT but to certain IP (if we have multiple Internet IPs) 
 +$IPTB -t nat -A POSTROUTING -o $INTERNET -s $LAN -j SNAT --to-source $GW_IP 
 + 
 +# ADSL (PPPoE connections) 
 +#$IPTB -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu 
 +$IPTB -I FORWARD -o $INTERNET -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1400:1536 -j TCPMSS --clamp-mss-to-pmtu 
 + 
 +# we allow only access to network cards (NIC) that have their MAC addresses listed 
 +# in "valid-macs" file 
 +#for mac in `cat valid-macs`; do $IPTB -I FORWARD -m mac --mac-source $mac -j fwfilter ; done 
 + 
 +# OUTPUT 
 +$IPTB -P OUTPUT DROP 
 + 
 +# only allow NEW and related connections out 
 +$IPTB -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
      
-  # list the rules +# list the rules 
-  $IPTB -L -v -n+$IPTB -L -v -n --line 
 +$IPTB -t nat -L -v -n --line
      
-  echo $WE_HAVE_INTRANET > /proc/sys/net/ipv4/ip_forward+echo $WE_HAVE_INTRANET > /proc/sys/net/ipv4/ip_forward 
 + 
 +</code>
linux/firewall.txt · Last modified: 2019/04/15 10:18 by zagi
Show pageOld revisions
Media ManagerBack to top
CC Attribution-Share Alike 4.0 International
Driven by DokuWiki Recent changes RSS feed Valid CSS Valid XHTML 1.0 ipv6 ready