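#!/bin/sh
# Stateful NAT firewall for a small LAN-to-WAN router.
#   eth0  = trusted LAN side
#   ppp+  = untrusted WAN side (PPPoE)
# Order matters: load modules, set kernel hardening knobs, flush, install
# fail-closed default policies, add the explicit ACCEPT/NAT rules, and only
# then enable IP forwarding so nothing is routed before the ruleset exists.
# Must run as root. Rules take effect immediately and are not persisted.

# --- Netfilter modules ------------------------------------------------------
modprobe ip_tables
modprobe iptable_filter
#modprobe ip_conntrack
#modprobe ip_conntrack_ftp
modprobe ipt_state
modprobe iptable_nat
modprobe ip_nat_ftp
modprobe ipt_MASQUERADE
#modprobe ipt_LOG
#modprobe ipt_REJECT
modprobe xt_TCPMSS

# --- Kernel hardening -------------------------------------------------------
# Written straight to /proc (not sysctl(8)) so the script needs only /bin/sh.
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts # Enable broadcast echo Protection
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route # Disable Source Routed Packets
# The tcp_syncookies knob only exists when the kernel exposes it; probe for it
# instead of leaving the line disabled, so the protection is enabled as soon
# as a kernel that supports it is running.
if [ -e /proc/sys/net/ipv4/tcp_syncookies ]; then
  echo 1 > /proc/sys/net/ipv4/tcp_syncookies # Enable TCP SYN Cookie Protection
fi
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects # Disable ICMP Redirect Acceptance
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects # Don't send Redirect Messages
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter # Drop Spoofed Packets coming in on an
# interface where responses would result
# in the reply going out a different IF
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians # Log packets with impossible addresses
echo 2 > /proc/sys/net/ipv4/ip_dynaddr # Be verbose on dynamic ip-addresses
# not needed with static ip
echo 0 > /proc/sys/net/ipv4/tcp_ecn # Disable Explicit Congestion Notification
# Too many routers are still ignorant

# --- Clear everything -------------------------------------------------------
iptables -F # flush (delete all rules)
iptables -X # delete user-defined chains
iptables -Z # reset packet and byte counters in all chains to zero
iptables -t nat -F # delete and zero above doesn't apply to nat

# --- Set initial state (fail closed before any ACCEPT rule is added) --------
iptables -P INPUT DROP
iptables -P FORWARD DROP # default = drop every packet
iptables -P OUTPUT DROP

# --- Port forward to LAN ----------------------------------------------------
# The DNAT rewrites the destination; the matching FORWARD rule accepts only
# traffic whose destination is the host the DNAT points at, so a packet for
# the same port addressed to any other host is not waved through by accident.
LAN_VNC_HOST=192.168.0.6
iptables -t nat -A PREROUTING -p tcp --dport 5800 -j DNAT --to "$LAN_VNC_HOST":5800 # VNC-http
iptables -A FORWARD -p tcp -d "$LAN_VNC_HOST" --dport 5800 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 5900 -j DNAT --to "$LAN_VNC_HOST":5900 # VNC
iptables -A FORWARD -p tcp -d "$LAN_VNC_HOST" --dport 5900 -j ACCEPT
#iptables -t nat -A PREROUTING -p tcp --dport 3389 -j DNAT --to "$LAN_VNC_HOST":3389 # RDP
#iptables -A FORWARD -p tcp -d "$LAN_VNC_HOST" --dport 3389 -j ACCEPT

# --- Host traffic -----------------------------------------------------------
iptables -A INPUT -i lo -j ACCEPT # Allow any from/to local host
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -i eth0 -j ACCEPT # Allow any from/to LAN
iptables -A OUTPUT -o eth0 -j ACCEPT
iptables -A OUTPUT -o ppp+ -j ACCEPT # Allow all outgoing to WAN
iptables -A INPUT -i ppp+ -m state --state ESTABLISHED,RELATED -j ACCEPT # Allow incoming from WAN, if already established
iptables -A INPUT -i ppp+ -p tcp --dport 22 -j ACCEPT # Open SSH to WAN
iptables -A INPUT -i ppp+ -p tcp --dport 80 -j ACCEPT # Open HTTP to WAN

# --- Forwarding -------------------------------------------------------------
# "-i ! ppp+" is the older intrapositioned negation; newer iptables prefers
# "! -i ppp+" and warns about this form but still honours it.
iptables -A FORWARD -i ! ppp+ -m state --state NEW -j ACCEPT # Forward initializations not from WAN
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # Forward all already established connections
# Inserted at the head of FORWARD so every SYN is clamped before any ACCEPT.
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu # Adjust MTU for PPPoE
iptables -t nat -A POSTROUTING -o ppp+ -j MASQUERADE # guess what

# Log everything for debugging (last of all rules, but before policy rules)
#iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "
#iptables -A FORWARD -j LOG --log-prefix "FIREWALL:FORWARD"
#iptables -A OUTPUT -j LOG --log-prefix "FIREWALL:OUTPUT "

echo 1 > /proc/sys/net/ipv4/ip_forward # Finally, enable IP Forwarding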