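#!/bin/sh
#
# firewall-masq This script sets up firewall rules for a machine
# acting as a masquerading gateway
#
# Copyright (C) 2000 Roaring Penguin Software Inc. This software may
# be distributed under the terms of the GNU General Public License, version
# 2 or any later version.
# LIC: GPL
#
# Runs as root. Everything it does is a side effect: rules in the nat and
# filter tables, and writes under /proc/sys/net/ipv4. It takes no arguments.
#
# NOTE(review): only the nat table and the filter INPUT chain get an explicit
# policy here. "iptables -t filter -F" below flushes every filter chain, but
# FORWARD and OUTPUT keep whatever policy the kernel/distribution already set.

# Interface to Internet
EXTIF=ppp+

# NAT-Tables are different, so we can use ACCEPT everywhere (?)
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
iptables -t nat -P POSTROUTING ACCEPT

# Flush the NAT-Table
iptables -t nat -F

# Default-deny on INPUT, then start from an empty filter table.
iptables -t filter -P INPUT DROP
iptables -t filter -F

# With the DROP policy above and nothing but LOG/DROP rules below, no packet
# addressed to the gateway itself would ever be accepted -- loopback traffic
# and the replies to the gateway's own outbound connections included. Accept
# those two classes first; the per-port LOG/DROP rules then only see
# unsolicited traffic.
iptables -t filter -A INPUT -i lo -j ACCEPT
iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Packets from internal (non-$EXTIF) interfaces to the gateway itself are still
# dropped by the policy; add an explicit ACCEPT for the LAN interface if the
# gateway hosts services for the LAN.

# Allow incoming SSH
#iptables -t filter -A INPUT -i "$EXTIF" -p tcp --dport 22 -j ACCEPT

# Log & Deny the rest of the privileged ports
iptables -t filter -A INPUT -i "$EXTIF" -p tcp --dport 0:1023 -j LOG
iptables -t filter -A INPUT -i "$EXTIF" -p udp --dport 0:1023 -j LOG
iptables -t filter -A INPUT -i "$EXTIF" -p tcp --dport 0:1023 -j DROP
iptables -t filter -A INPUT -i "$EXTIF" -p udp --dport 0:1023 -j DROP

# Log & Deny NFS
iptables -t filter -A INPUT -i "$EXTIF" -p udp --dport 2049 -j LOG
iptables -t filter -A INPUT -i "$EXTIF" -p tcp --dport 2049 -j LOG
iptables -t filter -A INPUT -i "$EXTIF" -p udp --dport 2049 -j DROP
iptables -t filter -A INPUT -i "$EXTIF" -p tcp --dport 2049 -j DROP

# Log & Deny X11
iptables -t filter -A INPUT -i "$EXTIF" -p tcp --dport 6000:6063 -j LOG
iptables -t filter -A INPUT -i "$EXTIF" -p tcp --dport 6000:6063 -j DROP

# Log & Deny XFS
iptables -t filter -A INPUT -i "$EXTIF" -p tcp --dport 7100 -j LOG
iptables -t filter -A INPUT -i "$EXTIF" -p tcp --dport 7100 -j DROP

# Deny TCP connection attempts (any remaining SYN from the outside is logged,
# then dropped; the policy would drop it anyway, the LOG is the point)
iptables -t filter -A INPUT -i "$EXTIF" -p tcp --syn -j LOG
iptables -t filter -A INPUT -i "$EXTIF" -p tcp --syn -j DROP

# Deny ICMP echo-requests
iptables -t filter -A INPUT -i "$EXTIF" -p icmp --icmp-type echo-request -j DROP

# Do masquerading
iptables -t nat -A POSTROUTING -o "$EXTIF" -j MASQUERADE

# Enable forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# no IP spoofing: reverse-path filtering on every interface. The existence
# test covers the unmatched-glob case, where the loop variable holds the
# literal pattern and the redirect would fail on a nonexistent path.
for i in /proc/sys/net/ipv4/conf/*/rp_filter; do
  [ -e "$i" ] || continue
  echo 1 > "$i"
done

# Disable Source Routed Packets (same unmatched-glob guard as above)
for i in /proc/sys/net/ipv4/conf/*/accept_source_route; do
  [ -e "$i" ] || continue
  echo 0 > "$i"
done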
72 |