Introduction
This file includes some very simple examples of scripts to set up iptables.
A router
The following script is meant to be used on a router. It provides a very simple firewall:
- Connections from the internal network are always allowed.
- Connections from the outside, whether to the router itself or forwarded to the internal network, are only allowed to a fixed list of TCP and UDP ports.
#!/bin/sh
# The external (internet) and internal interfaces:
EXTIF="eth1"
INTIF="eth0"
# Ports open to the outside; names are resolved through /etc/services.
# The multiport match accepts at most 15 ports per rule.
OPENTCPPORTS="ssh,time,www,ftp-data,ftp,auth,https,webcache,6624,7993"
OPENUDPPORTS="time,domain,6724"

# Enable IP forwarding
echo "1" > /proc/sys/net/ipv4/ip_forward

# Set the default policies:
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# Flush chains (the policies set above survive the flush):
iptables -F
iptables -t nat -F
iptables -X

# Create a new chain to use for both the INPUT and the FORWARD chains:
iptables -N block

# Accept all packets belonging to existing connections
iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow all packets from internal networks
#
# In this example, 192.168.0.0/24 is the internal network and $INTIF its
# corresponding interface. You could add multiple similar lines if you
# have many "internal" networks.
iptables -A block -i lo -j ACCEPT
iptables -A block -i $INTIF --source 192.168.0.0/24 -j ACCEPT

# Allow new connections for a few "safe" ports:
iptables -A block -p tcp -m multiport --dports $OPENTCPPORTS -j ACCEPT
iptables -A block -p udp -m multiport --dports $OPENUDPPORTS -j ACCEPT

# Log unwanted packets. Since this can generate quite a lot of
# output, it is disabled by default.
#iptables -A block -j LOG

# Reject everything else
iptables -A block -j REJECT

# Add the block chain to both the INPUT and the FORWARD chains:
iptables -A INPUT -j block
iptables -A FORWARD -j block

# Allow output of local packets; add one such rule for each of your
# addresses. Note that if at least one of your interfaces uses a
# dynamically assigned address, you might want to drop the --source parameter
# (or, if you know the network, specify the network rather than the IP
# address (as in 192.168.0.0/24)).
iptables -A OUTPUT -o $INTIF --source 192.168.0.1 -j ACCEPT
iptables -A OUTPUT -o $EXTIF --source 200.118.61.108 -j ACCEPT

# If you need to allow pings to the router itself. Note the -I: the rule has
# to be inserted before the jump to "block", because block ends with REJECT,
# so a rule appended after the jump would never be reached.
#iptables -I INPUT -i $EXTIF -d 200.118.61.108 -p icmp --icmp-type echo-request -j ACCEPT

# Allow output of any packets on the loopback interface:
iptables -A OUTPUT -o lo -j ACCEPT
A router with Network Address Translation of the source address
The following rules can be used on a router to provide Network Address Translation of the source address (SNAT), so that hosts on the internal network reach the internet through the router's external address. They assume the router has already been set up with the previous script, which leaves IP forwarding enabled and the nat table flushed.
If your router has a static address on the external interface, use the following:
# Perform SNAT at the external interface ($EXTIF) to our IP address
# (200.118.61.108)
iptables -t nat -A POSTROUTING -o $EXTIF -j SNAT --to-source 200.118.61.108
If, on the other hand, your IP address changes dynamically (for example, you obtain it using PPP or DHCP), use MASQUERADE rather than SNAT: it translates to whatever address the outgoing interface currently has, and it forgets its connections when the interface goes down, which is what you want when the next address may be a different one. You could do this as follows:
# Masquerade at the external interface ($EXTIF): SNAT to the address the
# interface currently has
iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
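The router script and the two NAT variants above, combined into one added example that is not part of the original page: the same ruleset rendered in iptables-restore format, so it can be printed and inspected first and then loaded in a single atomic transaction instead of one iptables call at a time. Interface names, 192.168.0.0/24 and 200.118.61.108 are the page's own placeholders and are assumptions here as well; `render_ruleset`, `port_list_ok` and the `snat`/`masq` mode switch are names introduced for this example. `-m conntrack --ctstate` is the current spelling of the page's `-m state --state`. Two details worth noting: `port_list_ok` enforces the 15-port limit of the multiport match before anything is applied, and the echo-request rule is placed before the jump to `block`, since `block` ends with a terminating REJECT.

```shell
#!/bin/sh
# Added example, not from the original page: the router firewall and the NAT
# step rendered in iptables-restore format. Placeholders (eth1, eth0,
# 192.168.0.0/24, 200.118.61.108) are taken over from the page's scripts.
EXTIF="${EXTIF:-eth1}"
INTIF="${INTIF:-eth0}"
INTNET="${INTNET:-192.168.0.0/24}"
INTADDR="${INTADDR:-192.168.0.1}"
EXTADDR="${EXTADDR:-200.118.61.108}"
OPENTCPPORTS="${OPENTCPPORTS:-ssh,time,www,ftp-data,ftp,auth,https,webcache,6624,7993}"
OPENUDPPORTS="${OPENUDPPORTS:-time,domain,6724}"

# The multiport match takes at most 15 ports per rule, and a range a:b counts
# as two. Checking the list up front means a typo shows up in the dry run,
# not from iptables-restore halfway through an apply.
port_list_ok() {
    n=$(printf '%s' "$1" | tr ',:' '\n\n' | grep -c .)
    [ "$n" -le 15 ]
}

# Print the ruleset for iptables-restore on stdout. $1 selects the NAT variant:
#   snat  static external address: SNAT to $EXTADDR, OUTPUT bound to that address
#   masq  dynamic external address: MASQUERADE, OUTPUT matched on interface only
render_ruleset() {
    mode="${1:-snat}"
    port_list_ok "$OPENTCPPORTS" || { echo "too many TCP ports for multiport" >&2; return 1; }
    port_list_ok "$OPENUDPPORTS" || { echo "too many UDP ports for multiport" >&2; return 1; }
    case "$mode" in
        snat) nat_rule="-A POSTROUTING -o $EXTIF -j SNAT --to-source $EXTADDR"
              out_ext="-A OUTPUT -o $EXTIF -s $EXTADDR -j ACCEPT" ;;
        masq) nat_rule="-A POSTROUTING -o $EXTIF -j MASQUERADE"
              out_ext="-A OUTPUT -o $EXTIF -j ACCEPT" ;;
        *)    echo "usage: render_ruleset snat|masq" >&2; return 2 ;;
    esac
    # Chains are declared with their policy; "block" is the shared user chain.
    # The echo-request rule comes before "-A INPUT -j block": block rejects
    # everything it does not accept, so nothing after the jump is ever reached.
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:block - [0:0]
-A block -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A block -i lo -j ACCEPT
-A block -i $INTIF -s $INTNET -j ACCEPT
-A block -p tcp -m multiport --dports $OPENTCPPORTS -j ACCEPT
-A block -p udp -m multiport --dports $OPENUDPPORTS -j ACCEPT
-A block -j REJECT
-A INPUT -i $EXTIF -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -j block
-A FORWARD -j block
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o $INTIF -s $INTADDR -j ACCEPT
$out_ext
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
$nat_rule
COMMIT
EOF
}

# Usage: sh router-rules.sh [snat|masq]          print the ruleset (dry run)
#        sh router-rules.sh [snat|masq] --apply  load it atomically (needs root)
case "${2:-}" in
    --apply) sysctl -w net.ipv4.ip_forward=1 >/dev/null
             render_ruleset "${1:-snat}" | iptables-restore ;;
    *)       render_ruleset "${1:-snat}" ;;
esac
```

`iptables-restore` flushes the tables named in its input and loads the new rules in one transaction, so there is no window in which the DROP policies are in force with an empty ruleset, and a syntax error leaves the old rules untouched. On recent iptables, `render_ruleset masq | iptables-restore --test` parses and builds the ruleset without committing it, which is the cheapest check before touching a remote router.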
Last update: 2007-09-06 (Rev 12918)