platform/external/pppoe.git - Unnamed repository; edit this file 'description' to name the repository.

1 #!/bin/sh
2 #
3 # firewall-masq		This script sets up firewall rules for a machine
4 #                       acting as a masquerading gateway
5 #
6 # Copyright (C) 2000 Roaring Penguin Software Inc.  This software may
7 # be distributed under the terms of the GNU General Public License, version
8 # 2 or any later version.
9 # LIC: GPL
10
11 # Interface to Internet
12 EXTIF=ppp+
13
14 # NAT-Tables are different, so we can use ACCEPT everywhere (?)
15 iptables -t nat -P PREROUTING ACCEPT
16 iptables -t nat -P OUTPUT ACCEPT
17 iptables -t nat -P POSTROUTING ACCEPT
18
19 # Flush the NAT-Table
20 iptables -t nat -F
21
22 iptables -t filter -P INPUT DROP
23 iptables -t filter -F
24
25 # Allow incoming SSH
26 #iptables -t filter -A INPUT -i $EXTIF -p tcp --dport 22 -j ACCEPT
27
28 # Log & Deny the rest of the privileged ports
29 iptables -t filter -A INPUT -i $EXTIF -p tcp --dport 0:1023 -j LOG
30 iptables -t filter -A INPUT -i $EXTIF -p udp --dport 0:1023 -j LOG
31 iptables -t filter -A INPUT -i $EXTIF -p tcp --dport 0:1023 -j DROP
32 iptables -t filter -A INPUT -i $EXTIF -p udp --dport 0:1023 -j DROP
33
34 # Log & Deny NFS
35 iptables -t filter -A INPUT -i $EXTIF -p udp --dport 2049 -j LOG
36 iptables -t filter -A INPUT -i $EXTIF -p tcp --dport 2049 -j LOG
37 iptables -t filter -A INPUT -i $EXTIF -p udp --dport 2049 -j DROP
38 iptables -t filter -A INPUT -i $EXTIF -p tcp --dport 2049 -j DROP
39
40 # Log & Deny X11
41 iptables -t filter -A INPUT -i $EXTIF -p tcp --dport 6000:6063 -j LOG
42 iptables -t filter -A INPUT -i $EXTIF -p tcp --dport 6000:6063 -j DROP
43
44 # Log & Deny XFS
45 iptables -t filter -A INPUT -i $EXTIF -p tcp --dport 7100 -j LOG
46 iptables -t filter -A INPUT -i $EXTIF -p tcp --dport 7100 -j DROP
47
48 # Deny TCP connection attempts
49 iptables -t filter -A INPUT -i $EXTIF -p tcp --syn -j LOG
50 iptables -t filter -A INPUT -i $EXTIF -p tcp --syn -j DROP
51
52 # Deny ICMP echo-requests
53 iptables -t filter -A INPUT -i $EXTIF -p icmp --icmp-type echo-request -j DROP
54
55 # Do masquerading
56 iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
57
58 # Enable forwarding
59 echo 1 > /proc/sys/net/ipv4/ip_forward
60
61 # no IP spoofing
62 if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ] ; then
63    for i in /proc/sys/net/ipv4/conf/*/rp_filter; do
64       echo 1 > $i
65    done
66 fi
67
68 # Disable Source Routed Packets
69 for i in /proc/sys/net/ipv4/conf/*/accept_source_route; do
70    echo 0 > $i
71 done
72
1	#!/bin/sh
2	#
3	# firewall-masq This script sets up firewall rules for a machine
4	# acting as a masquerading gateway
5	#
6	# Copyright (C) 2000 Roaring Penguin Software Inc. This software may
7	# be distributed under the terms of the GNU General Public License, version
8	# 2 or any later version.
9	# LIC: GPL
10
11	# Interface to Internet
12	EXTIF=ppp+
13
14	# NAT-Tables are different, so we can use ACCEPT everywhere (?)
15	iptables -t nat -P PREROUTING ACCEPT
16	iptables -t nat -P OUTPUT ACCEPT
17	iptables -t nat -P POSTROUTING ACCEPT
18
19	# Flush the NAT-Table
20	iptables -t nat -F
21
22	iptables -t filter -P INPUT DROP
23	iptables -t filter -F
24
25	# Allow incoming SSH
26	#iptables -t filter -A INPUT -i $EXTIF -p tcp --dport 22 -j ACCEPT
27
28	# Log & Deny the rest of the privileged ports
29	iptables -t filter -A INPUT -i $EXTIF -p tcp --dport 0:1023 -j LOG
30	iptables -t filter -A INPUT -i $EXTIF -p udp --dport 0:1023 -j LOG
31	iptables -t filter -A INPUT -i $EXTIF -p tcp --dport 0:1023 -j DROP
32	iptables -t filter -A INPUT -i $EXTIF -p udp --dport 0:1023 -j DROP
33
34	# Log & Deny NFS
35	iptables -t filter -A INPUT -i $EXTIF -p udp --dport 2049 -j LOG
36	iptables -t filter -A INPUT -i $EXTIF -p tcp --dport 2049 -j LOG
37	iptables -t filter -A INPUT -i $EXTIF -p udp --dport 2049 -j DROP
38	iptables -t filter -A INPUT -i $EXTIF -p tcp --dport 2049 -j DROP
39
40	# Log & Deny X11
41	iptables -t filter -A INPUT -i $EXTIF -p tcp --dport 6000:6063 -j LOG
42	iptables -t filter -A INPUT -i $EXTIF -p tcp --dport 6000:6063 -j DROP
43
44	# Log & Deny XFS
45	iptables -t filter -A INPUT -i $EXTIF -p tcp --dport 7100 -j LOG
46	iptables -t filter -A INPUT -i $EXTIF -p tcp --dport 7100 -j DROP
47
48	# Deny TCP connection attempts
49	iptables -t filter -A INPUT -i $EXTIF -p tcp --syn -j LOG
50	iptables -t filter -A INPUT -i $EXTIF -p tcp --syn -j DROP
51
52	# Deny ICMP echo-requests
53	iptables -t filter -A INPUT -i $EXTIF -p icmp --icmp-type echo-request -j DROP
54
55	# Do masquerading
56	iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
57
58	# Enable forwarding
59	echo 1 > /proc/sys/net/ipv4/ip_forward
60
61	# no IP spoofing
62	if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ] ; then
63	for i in /proc/sys/net/ipv4/conf/*/rp_filter; do
64	echo 1 > $i
65	done
66	fi
67
68	# Disable Source Routed Packets
69	for i in /proc/sys/net/ipv4/conf/*/accept_source_route; do
70	echo 0 > $i
71	done
72