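#!/bin/sh
# iptables firewall script for sharing a cable or DSL Internet
# connection, with no public services.
#
# Policy installed by this script:
#   - INPUT and FORWARD default to DROP, OUTPUT defaults to ACCEPT
#   - loopback and RELATED,ESTABLISHED traffic is accepted on INPUT
#   - SSH (22) and Webmin (10000) are accepted only on LAN_IFACE from LAN_NET
#   - LAN -> WAN forwarding is allowed; replies are forwarded WAN -> LAN
#   - outgoing LAN traffic is source-NATed to WAN_IP
#   - echo-request, time-exceeded and destination-unreachable ICMP is
#     accepted on INPUT from any interface
#
# Must run as root. The script stops at the first iptables command that
# fails (set -e), so the closing success message is printed only when the
# whole rule set was installed; the DROP policies are set before any ACCEPT
# rule, so a partial run leaves the host closed rather than open.
set -eu

# define variables
ipt="/sbin/iptables"
mod="/sbin/modprobe"
LAN_IFACE="lan"
WAN_IFACE="wan"
# LAN subnet allowed to reach SSH and Webmin on the gateway itself
LAN_NET="192.168.1.0/24"
# public address that outgoing LAN traffic is rewritten to (SNAT); for a
# dynamic WAN address use the MASQUERADE alternative noted in add_rules
WAN_IP="12.34.56.78"

# Print a message to stderr and exit non-zero.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Load the netfilter kernel modules. A failed load is deliberately
# non-fatal: the module may be built into the kernel or exist under a
# newer name (these are legacy module names), and iptables loads what it
# needs on demand. ipt_LOG and ipt_limit are loaded although no LOG rule
# is installed below.
load_modules() {
  for m in ip_tables iptable_filter iptable_nat ip_conntrack ipt_LOG \
      ipt_limit ipt_state iptable_mangle ipt_MASQUERADE; do
    "$mod" "$m" 2>/dev/null \
      || printf 'warn: could not load kernel module %s\n' "$m" >&2
  done
}

# Flush all active rules and delete all custom chains in the filter, nat
# and mangle tables. -F does not reset chain policies; see set_policies.
flush_rules() {
  "$ipt" -F
  "$ipt" -t nat -F
  "$ipt" -t mangle -F
  "$ipt" -X
  "$ipt" -t nat -X
  "$ipt" -t mangle -X
}

# Set default policies. INPUT and FORWARD are DROP before any ACCEPT rule
# is added, so the host is fail-closed while the rule set is rebuilt.
set_policies() {
  "$ipt" -P INPUT DROP
  "$ipt" -P FORWARD DROP
  "$ipt" -P OUTPUT ACCEPT
  "$ipt" -t nat -P OUTPUT ACCEPT
  "$ipt" -t nat -P PREROUTING ACCEPT
  "$ipt" -t nat -P POSTROUTING ACCEPT
  "$ipt" -t mangle -P PREROUTING ACCEPT
  "$ipt" -t mangle -P POSTROUTING ACCEPT
}

# Install the filter and NAT rules, in the order they are matched.
add_rules() {
  # necessary for the loopback interface and internal socket-based
  # services to work correctly
  "$ipt" -A INPUT -i lo -j ACCEPT

  # Rewrite the source address of traffic leaving on WAN_IFACE to WAN_IP.
  # For a dynamic WAN address replace this with IP masquerading:
  #   "$ipt" -t nat -A POSTROUTING -o "$WAN_IFACE" -j MASQUERADE
  "$ipt" -t nat -A POSTROUTING -o "$WAN_IFACE" -j SNAT --to-source "$WAN_IP"

  # Allow incoming SSH and Webmin from the LAN only to the gateway box.
  # Both the interface and the source subnet are matched, so a packet with
  # a LAN source address arriving on WAN_IFACE does not match these rules.
  "$ipt" -A INPUT -p tcp -i "$LAN_IFACE" -s "$LAN_NET" --dport 22 \
    -m state --state NEW -j ACCEPT
  "$ipt" -A INPUT -p tcp -i "$LAN_IFACE" -s "$LAN_NET" --dport 10000 \
    -m state --state NEW -j ACCEPT

  # Unrestricted outgoing traffic; incoming is restricted to
  # locally-initiated sessions only. WAN -> LAN forwarding is allowed only
  # for replies to sessions the LAN opened.
  "$ipt" -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  "$ipt" -A FORWARD -i "$WAN_IFACE" -o "$LAN_IFACE" \
    -m state --state ESTABLISHED,RELATED -j ACCEPT
  "$ipt" -A FORWARD -i "$LAN_IFACE" -o "$WAN_IFACE" \
    -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

  # Accept ICMP echo-request, time-exceeded and destination-unreachable.
  # No -i match: these are accepted from every interface, WAN included.
  "$ipt" -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
  "$ipt" -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
  "$ipt" -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT

  # Drop TCP connection attempts (SYN) not matched above. Redundant with
  # the INPUT DROP policy; kept so the intent is visible in the rule list.
  "$ipt" -A INPUT -p tcp --syn -j DROP
}

main() {
  [ "$(id -u)" -eq 0 ] || die "this script must be run as root"
  [ -x "$ipt" ] || die "iptables not found or not executable at $ipt"
  load_modules
  flush_rules
  set_policies
  add_rules
  echo "The firewall has now started up and is faithfully protecting your system"
}

main "$@"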