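#!/bin/sh
#
# firewall-masq This script sets up firewall rules for a machine
# acting as a masquerading gateway
#
# Copyright (C) 2000 Roaring Penguin Software Inc. This software may
# be distributed under the terms of the GNU General Public License, version
# 2 or any later version.
# LIC: GPL
#
# Must run as root.  Needs iptables with the nat table (for MASQUERADE) and
# connection tracking, which masquerading requires anyway.
#
# Environment:
#   EXTIF - interface (pattern) facing the Internet; defaults to ppp+.
#           Only traffic arriving on this interface is filtered; loopback
#           and the internal (LAN-side) interfaces are trusted.

# Interface to Internet.  May be overridden from the environment.
EXTIF=${EXTIF:-ppp+}

# Log and then drop INPUT traffic from the Internet matching the given
# iptables match arguments (e.g. "-p tcp --dport 2049").  LOG is a
# non-terminating target, so the DROP rule that follows it is what actually
# discards the packet.
log_drop() {
  iptables -t filter -A INPUT -i "$EXTIF" "$@" -j LOG
  iptables -t filter -A INPUT -i "$EXTIF" "$@" -j DROP
}

# Write a value into every listed /proc sysctl file.  The caller passes the
# glob unquoted so it expands here; a pattern with no match is skipped
# instead of producing a "No such file" error from the redirection.
set_proc_all() {
  _val=$1
  shift
  for _f in "$@"; do
    [ -e "$_f" ] || continue
    echo "$_val" > "$_f"
  done
}

# NAT table: policies stay ACCEPT; all filtering is done in the filter table.
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
iptables -t nat -P POSTROUTING ACCEPT

# Flush the NAT-Table
iptables -t nat -F

# Default-deny on INPUT, then start from an empty filter table.
iptables -t filter -P INPUT DROP
iptables -t filter -F

# With a DROP policy every ACCEPT has to be explicit.  Loopback and the
# internal interfaces are trusted.  From the Internet only replies to
# connections the gateway itself opened (plus related traffic such as ICMP
# errors) are let in; without this rule the gateway's own outbound
# connections and DNS lookups never get their answers.
iptables -t filter -A INPUT -i lo -j ACCEPT
iptables -t filter -A INPUT ! -i "$EXTIF" -j ACCEPT
iptables -t filter -A INPUT -i "$EXTIF" -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow incoming SSH
#iptables -t filter -A INPUT -i "$EXTIF" -p tcp --dport 22 -j ACCEPT

# Log & Deny the rest of the privileged ports
log_drop -p tcp --dport 0:1023
log_drop -p udp --dport 0:1023

# Log & Deny NFS
log_drop -p udp --dport 2049
log_drop -p tcp --dport 2049

# Log & Deny X11
log_drop -p tcp --dport 6000:6063

# Log & Deny XFS
log_drop -p tcp --dport 7100

# Log & Deny any other TCP connection attempts
log_drop -p tcp --syn

# Deny ICMP echo-requests (silently, no log entry)
iptables -t filter -A INPUT -i "$EXTIF" -p icmp --icmp-type echo-request -j DROP

# Do masquerading
iptables -t nat -A POSTROUTING -o "$EXTIF" -j MASQUERADE

# Enable forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# no IP spoofing: reverse-path filtering on every interface
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ] ; then
  set_proc_all 1 /proc/sys/net/ipv4/conf/*/rp_filter
fi

# Disable Source Routed Packets
set_proc_all 0 /proc/sys/net/ipv4/conf/*/accept_source_route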