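---------- +++++ Contributed by Matthew Sachs +++++ The init script I use to initialize my firewall is attached. It is configurable through /etc/firewall.conf (also attached). It does NAT and can also be configured to do IPSec and port redirection.
***** Begin firewall *****
#!/bin/bash
#
# Set up a firewall using iptables that works with NAT and can
# be configured to work with IPSEC. See /etc/firewall.conf.
#
# Usage: firewall {start|restart|reload|force-reload|stop}
#
# Read from /etc/firewall.conf:
#   IPTABLES   - iptables command (required; word-split, so it may carry options)
#   LAN_IF     - inside interface (required)
#   WAN_IF     - outside interface (required)
#   FORWARDING - enable IP forwarding between interfaces
#   ECN        - enable TCP ECN
#   TCPALLOW   - space-separated TCP ports accepted from WAN_IF
#   UDPALLOW   - space-separated UDP ports accepted from WAN_IF
#   PROTOALLOW - space-separated IP protocols accepted from WAN_IF (e.g. IPSec)
#   FORWARD    - list of "proto:localport:remotehost:remoteport" redirections
#
# Runs with bash: the FORWARD list is an array in the config file, which a
# plain /bin/sh cannot read.

set -u   # an unset config variable is a configuration error, not an empty string
set -x   # trace every command (author's choice; drop for a quiet boot)

. /etc/firewall.conf

: "${IPTABLES:?/etc/firewall.conf must set IPTABLES}"
: "${LAN_IF:?/etc/firewall.conf must set LAN_IF}"
: "${WAN_IF:?/etc/firewall.conf must set WAN_IF}"

#######################################
# Print a message to stderr and exit 1.
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Run iptables.  IPTABLES is deliberately left unquoted so that a config
# value such as "/sbin/iptables -w" keeps working.
#######################################
ipt() {
  # shellcheck disable=SC2086
  $IPTABLES "$@"
}

#######################################
# Feature switch as written in the config file.
# Returns 0 for enabled, 1 for "", 0, no, false, off (any case).  Any other
# non-empty value counts as enabled, which is what the old "[ $VAR ]" test
# did; the difference is that "0" and "no" no longer enable the feature.
#######################################
is_enabled() {
  case "${1:-}" in
    ''|0|[Nn][Oo]|[Ff][Aa][Ll][Ss][Ee]|[Oo][Ff][Ff]) return 1 ;;
    *) return 0 ;;
  esac
}

#######################################
# Print one IPv4 attribute of an interface.
# Arguments: $1 - "addr", "bcast" or "netmask"
#            $2 - interface name
# Outputs:   the dotted-quad value, or nothing when no line matched
# Parses the net-tools ifconfig line
#   "inet addr:A.B.C.D  Bcast:A.B.C.D  Mask:A.B.C.D"
# by field number (2, 3, 4).
# NOTE(review): newer ifconfig prints "inet A.B.C.D netmask ... broadcast ..."
# and is not matched by the 'inet addr' filter — confirm the net-tools
# version on the target host.
#######################################
getaddr() {
  local field
  case "$1" in
    addr) field=2 ;;
    bcast) field=3 ;;
    netmask) field=4 ;;
    *) die "getaddr: unknown attribute '$1'" ;;
  esac
  ifconfig "$2" | grep 'inet addr' | awk -v f="$field" '{ print $f }' | sed 's/.*://'
}

#######################################
# Write 1 or 0 to a /proc/sys toggle according to a config switch.
# Arguments: $1 - /proc/sys path (silently skipped when absent)
#            $2 - config value, see is_enabled
#            $3 - feature name for the progress message
#######################################
set_toggle() {
  [ -f "$1" ] || return 0
  if is_enabled "$2"; then
    echo "Enabling $3..."
    echo "1" > "$1"
  else
    echo "Disabling $3..."
    echo "0" > "$1"
  fi
}

case "${1:-}" in
  start|restart|reload|force-reload) ;;
  stop)
    # Deliberately leaves the current rule set in place: stopping the
    # service never opens the host.
    exit 0
    ;;
  *)
    printf 'Usage: %s {start|restart|reload|force-reload|stop}\n' "${0##*/}" >&2
    exit 1
    ;;
esac

set_toggle /proc/sys/net/ipv4/ip_forward "${FORWARDING:-}" "IP forwarding"
set_toggle /proc/sys/net/ipv4/tcp_ecn "${ECN:-}" "ECN"

# Only the interface addresses are used by the rules below; the netmask
# and broadcast lookups of the original were never referenced.
LOCAL_IF=lo
LOCAL_IP=$(getaddr addr "$LOCAL_IF")
LAN_IP=$(getaddr addr "$LAN_IF")
WAN_IP=$(getaddr addr "$WAN_IF")

# Policies go to DROP before anything is flushed so the host is never open
# while the rule set is rebuilt (first boot has ACCEPT policies otherwise).
echo "Clearing tables..."
ipt -P INPUT DROP
ipt -P OUTPUT DROP
ipt -P FORWARD DROP
# "-F" with no chain flushes every chain of a table; "-X" with no chain then
# deletes every user-defined chain, which is now unreferenced.
ipt -F
ipt -X
if [ -r /proc/net/ip_tables_names ]; then
  while IFS= read -r table; do
    ipt -t "$table" -F
    ipt -t "$table" -X
  done < /proc/net/ip_tables_names
fi

# Checked after the lockdown so a bad interface name fails closed rather
# than producing rules with empty addresses.
[ -n "$LOCAL_IP" ] || die "cannot determine the address of $LOCAL_IF; firewall left closed"
[ -n "$LAN_IP" ] || die "cannot determine the address of $LAN_IF; firewall left closed"
[ -n "$WAN_IP" ] || die "cannot determine the address of $WAN_IF; firewall left closed"

echo "Setting up rules..."
for chain in icmp_packets tcp_packets udpincoming_packets; do
  ipt -N "$chain"
done

# shellcheck disable=SC2086 -- TCPALLOW is a space-separated list
for port in ${TCPALLOW:-}; do
  ipt -A tcp_packets -p TCP -m state --state NEW --dport "$port" -j ACCEPT
done
ipt -A tcp_packets -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
ipt -A tcp_packets -j REJECT

# Replies to this host's own UDP queries are known to connection tracking,
# so they no longer depend on the sender's source port being listed.
ipt -A udpincoming_packets -p UDP -m state --state ESTABLISHED,RELATED -j ACCEPT
# shellcheck disable=SC2086 -- UDPALLOW is a space-separated list
for port in ${UDPALLOW:-}; do
  # Kept so existing configs behave as before.  A remote host chooses its
  # own source port, so the --sport rule alone does not limit which local
  # UDP service it can reach; list only ports that must accept unsolicited
  # datagrams and let the state rule above handle replies.
  ipt -A udpincoming_packets -p UDP --sport "$port" -j ACCEPT
  ipt -A udpincoming_packets -p UDP --dport "$port" -j ACCEPT
done
ipt -A udpincoming_packets -j REJECT
ipt -A icmp_packets -p ICMP -j ACCEPT

echo "Setting up forwarding..."
ipt -t nat -A POSTROUTING -o "$WAN_IF" -j SNAT --to-source "$WAN_IP"
ipt -A FORWARD ! -i "$WAN_IF" -j ACCEPT
ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Split on whitespace exactly as the original ${FORWARD[*]} did, so both an
# array and a space-separated string in the config file keep working.
# shellcheck disable=SC2086
for forwarder in ${FORWARD[*]:-}; do
  IFS=: read -r proto localport remotehost remoteport <<<"$forwarder"
  if [ -z "$proto" ] || [ -z "$localport" ] || [ -z "$remotehost" ] || [ -z "$remoteport" ]; then
    printf 'skipping FORWARD entry "%s": expected proto:localport:remotehost:remoteport\n' \
      "$forwarder" >&2
    continue
  fi
  ipt -t nat -A PREROUTING -p "$proto" -i "$WAN_IF" --dport "$localport" \
    -j DNAT --to-destination "$remotehost:$remoteport"
  # FORWARD sees the packet after DNAT, so it matches the remote port; the
  # rule must also be added before the final REJECT below or it never fires.
  ipt -A FORWARD -p "$proto" -i "$WAN_IF" -d "$remotehost" --dport "$remoteport" -j ACCEPT
done
ipt -A FORWARD -j REJECT

echo "Setting up protocol allows..."
# Let in IPSec traffic
# shellcheck disable=SC2086 -- PROTOALLOW is a space-separated list
for proto in ${PROTOALLOW:-}; do
  ipt -A INPUT -p "$proto" -i "$WAN_IF" -j ACCEPT
done

echo "Setting up flow rules..."
# Everything arriving on an inside interface (lo, LAN) is trusted; this
# also covers the host talking to its own addresses, which arrives on lo.
ipt -A INPUT ! -i "$WAN_IF" -j ACCEPT
ipt -A INPUT -p ICMP -i "$WAN_IF" -j icmp_packets
ipt -A INPUT -p TCP -i "$WAN_IF" -j tcp_packets
ipt -A INPUT -p UDP -i "$WAN_IF" -j udpincoming_packets
# No unconditional "-s WAN_IP -d WAN_IP" accept: a packet carrying our own
# address as source on the outside interface is spoofed and must not be
# let through; genuine self-traffic was already accepted via lo above.
ipt -A INPUT -p ALL -d "$WAN_IP" -m state --state ESTABLISHED,RELATED -j ACCEPT
ipt -A INPUT -j REJECT
ipt -A OUTPUT -p ALL -s "$LOCAL_IP" -j ACCEPT
ipt -A OUTPUT -p ALL -s "$LAN_IP" -j ACCEPT
ipt -A OUTPUT -p ALL -s "$WAN_IP" -j ACCEPT
# presumably for DHCP client traffic sent before an address is held — confirm
ipt -A OUTPUT -p ALL -s 0.0.0.0 -j ACCEPT
ipt -A OUTPUT -j DROP
echo "done."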