Book blfs.svn, Chapter iptables.txt

This page is part of my LFS Diary. HTML CSS
#!/bin/sh

modprobe ip_tables
modprobe iptable_filter
#modprobe ip_conntrack
#modprobe ip_conntrack_ftp
modprobe ipt_state
modprobe iptable_nat
modprobe ip_nat_ftp
modprobe ipt_MASQUERADE
#modprobe ipt_LOG
#modprobe ipt_REJECT
modprobe xt_TCPMSS

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts    # Enable broadcast echo Protection
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route   # Disable Source Routed Packets
#not installed yet!  echo 1 > /proc/sys/net/ipv4/tcp_syncookies   # Enable TCP SYN Cookie Protection
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects      # Disable ICMP Redirect Acceptance
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects        # Don't send Redirect Messages
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter             # Drop Spoofed Packets coming in on an
                                                           # interface where responses would result
                                                           # in the reply going out a different IF
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians          # Log packets with impossible addresses
echo 2 > /proc/sys/net/ipv4/ip_dynaddr                     # Be verbose on dynamic ip-addresses
                                                           # not needed with static ip
echo 0 > /proc/sys/net/ipv4/tcp_ecn                        # Disable Explicit Congestion Notification
                                                           # Too many routers are still ignorant
# Clear everything
iptables -F   # flush (delete all rules)
iptables -X   # delete user-defined chains
iptables -Z   # reset packet and byte counters in all chains to zero
iptables -t nat -F   # delete and zero above doesn't apply to nat

# Set initial state
iptables -P INPUT   DROP
iptables -P FORWARD DROP   # default = drop every packet
iptables -P OUTPUT  DROP

# Port forward to LAN
iptables -t nat -A PREROUTING -p tcp --dport 5800 -j DNAT --to 192.168.0.6:5800   # VNC-http
iptables -A FORWARD -p tcp --dport 5800 -j ACCEPT

iptables -t nat -A PREROUTING -p tcp --dport 5900 -j DNAT --to 192.168.0.6:5900   # VNC
iptables -A FORWARD -p tcp --dport 5900 -j ACCEPT

#iptables -t nat -A PREROUTING -p tcp --dport 3389 -j DNAT --to 192.168.0.6:3389   # RDP
#iptables -A FORWARD -p tcp --dport 3389 -j ACCEPT

iptables -A INPUT  -i lo -j ACCEPT     # Allow any from/to local host
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT  -i eth0 -j ACCEPT   # Allow any from/to LAN
iptables -A OUTPUT -o eth0 -j ACCEPT

iptables -A OUTPUT -o ppp+ -j ACCEPT                                       # Allow all outgoing to WAN
iptables -A INPUT -i ppp+ -m state --state ESTABLISHED,RELATED -j ACCEPT   # Allow incoming from WAN, if already established
iptables -A INPUT -i ppp+ -p tcp --dport 22 -j ACCEPT                      # Open SSH to WAN
iptables -A INPUT -i ppp+ -p tcp --dport 80 -j ACCEPT                      # Open HTTP to WAN

iptables -A FORWARD -i ! ppp+ -m state --state NEW -j ACCEPT               # Forward initializations not from WAN
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT         # Forward all already established connections

iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu   # Adjust MTU for PPPoE

iptables -t nat -A POSTROUTING -o ppp+ -j MASQUERADE   # guess what

# Log everything for debugging (last of all rules, but before policy rules)
#iptables -A INPUT   -j LOG --log-prefix "FIREWALL:INPUT  "
#iptables -A FORWARD -j LOG --log-prefix "FIREWALL:FORWARD"
#iptables -A OUTPUT  -j LOG --log-prefix "FIREWALL:OUTPUT "

echo 1 > /proc/sys/net/ipv4/ip_forward   # Finally, enable IP Forwarding