
My iptables firewall script

March 6, 2008

This generic iptables script seems to work pretty well for myself and several sites I administer. It provides samples for a firewall with NAT, multiple public IP addresses, PPPoE, site-to-site VPNs, port translation, packet logging and more.


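#!/bin/bash
##Generic iptables firewall for a Linux router: masquerading NAT for the
##private LAN behind a PPPoE link, port forwards (DNAT) from the public IPs
##to internal hosts, site-to-site OpenVPN, and rate-limited logging of
##packets dropped on the public interface.  Must run as root.  Safe to
##re-run: the existing ruleset is flushed before the new one is loaded.

##Stop on the first failed iptables command or unset variable (catches a
##typo in the names below).  Default policies are set to DROP *before* the
##flush, so an abort part-way through leaves the box closed, not wide open.
set -eu

##Using PPPoE, set the Public Interface to ppp0
PUB_IF='ppp0'
PUB_IP='4.5.6.1'

##Private Internal network
PRI_IF='eth0'
PRI_IP='10.1.0.1'
PRI_NET='10.1.0.0/24'
PRI_BC='10.1.0.255'

##Private DSL network (only DSL modem lives here)
DSL_IF='eth1'
DSL_IP='192.168.0.2'
DSL_NET='192.168.0.0/24'
DSL_BC='192.168.0.255'

#Additional Public IPs
PUB_2='4.5.6.2'
PUB_3='4.5.6.3'

#Private IPs
HOST_PC1='10.1.0.101'
HOST_PC2='10.1.0.102'
HOST_SERVER1='10.1.0.25'
HOST_SERVER2='10.1.0.20'

##set default policies first, so nothing is accepted while the rules are
##being rebuilt and so any failure further down fails closed
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

##flush rules and delete chains (nat table included, so stale DNAT
##forwards from a previous run do not linger)
iptables -F
iptables -t nat -F
iptables -X
iptables -t nat -X

##Set up logging for dropped packets only (rate-limited so a flood
##cannot fill the log)
iptables -N DROP_LOG
iptables -A DROP_LOG -m limit --limit 2/second --limit-burst 10 -j LOG --log-prefix 'IPTABLES DROPPED:'
iptables -A DROP_LOG -j DROP

##loopback support
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

##Drop packets arriving from the Internet that claim an internal source
##address: they can only be spoofed and must not reach the LAN rules below
iptables -A INPUT -i "$PUB_IF" -s "$PRI_NET" -j DROP_LOG
iptables -A INPUT -i "$PUB_IF" -s "$DSL_NET" -j DROP_LOG
iptables -A FORWARD -i "$PUB_IF" -s "$PRI_NET" -j DROP_LOG
iptables -A FORWARD -i "$PUB_IF" -s "$DSL_NET" -j DROP_LOG

##allow all private network traffic
iptables -A INPUT -i "$PRI_IF" -j ACCEPT

##allow stateful responses from Internet and DSL Modem
iptables -A INPUT -i "$PUB_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i "$DSL_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT

##Allow some ICMP traffic from Internet
iptables -A INPUT -i "$PUB_IF" -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -i "$PUB_IF" -p icmp --icmp-type fragmentation-needed -j ACCEPT

##PPPoE MTU Fix, helps avoid setting MTU on internal computers
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

##setup NAT between Public-Private and DSL-Private
iptables -A FORWARD -i "$PRI_IF" -j ACCEPT
iptables -t nat -A POSTROUTING -s "$PRI_NET" -o "$PUB_IF" -j MASQUERADE
iptables -t nat -A POSTROUTING -s "$PRI_NET" -o "$DSL_IF" -j MASQUERADE
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

##allow fragments
iptables -A OUTPUT -f -j ACCEPT
iptables -A FORWARD -f -j ACCEPT

##Block broadcasts to the Internet
iptables -A OUTPUT -o "$PUB_IF" -d 255.255.255.255 -j DROP
iptables -A FORWARD -o "$PUB_IF" -d 255.255.255.255 -j DROP

##Allow local services to/from public

##ssh
iptables -A INPUT -i "$PUB_IF" -p tcp --dport 22 -j ACCEPT

##Reject SMTP on 2nd and 3rd Public IP
##(for "Nolisting" anti-spam method, MX priority 0 and 100)
iptables -A INPUT -i "$PUB_IF" -p tcp -d "$PUB_2" --dport 25 -j REJECT --reject-with tcp-reset
iptables -A INPUT -i "$PUB_IF" -p tcp -d "$PUB_3" --dport 25 -j REJECT --reject-with tcp-reset

##Allow internal services to/from public
##DNAT runs in PREROUTING before FORWARD is consulted, so each FORWARD rule
##matches on the *internal* host and port.  Pinning the destination host
##means an opened port cannot be used to reach any other LAN machine.
##The nat table was flushed above and these rules do not overlap, so
##appending (-A) gives the same result as inserting (-I).

##SMTP server
iptables -A FORWARD -i "$PUB_IF" -p tcp -d "$HOST_SERVER1" --dport 25 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -i "$PUB_IF" -d "$PUB_IP" --dport 25 -j DNAT --to "$HOST_SERVER1"

##HTTP and HTTPS
iptables -A FORWARD -i "$PUB_IF" -p tcp -d "$HOST_SERVER1" --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -i "$PUB_IF" -d "$PUB_IP" --dport 80 -j DNAT --to "$HOST_SERVER1"
iptables -A FORWARD -i "$PUB_IF" -p tcp -d "$HOST_SERVER1" --dport 443 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -i "$PUB_IF" -d "$PUB_IP" --dport 443 -j DNAT --to "$HOST_SERVER1"

##Public:8080 to internal Server2:80 (after DNAT the forwarded packet is
##addressed to Server2 port 80, which is what FORWARD has to accept)
iptables -A FORWARD -i "$PUB_IF" -p tcp -d "$HOST_SERVER2" --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -i "$PUB_IF" -d "$PUB_IP" --dport 8080 -j DNAT --to "$HOST_SERVER2:80"

##Server2 VNC on 2nd Public IP
##"-i" takes an interface name; the public address is matched with "-d".
##(Consider reaching VNC over the OpenVPN tunnel instead of exposing it.)
iptables -A FORWARD -i "$PUB_IF" -p tcp -d "$HOST_SERVER2" --dport 5910 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -i "$PUB_IF" -d "$PUB_2" --dport 5910 -j DNAT --to "$HOST_SERVER2"

##allow site-to-site openvpn traffic
iptables -A INPUT -i "$PUB_IF" -p udp --dport 1194 -j ACCEPT
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT

##Log (and drop) all remaining packets from the Internet
iptables -A INPUT -i "$PUB_IF" -j DROP_LOG
iptables -A FORWARD -i "$PUB_IF" -j DROP_LOG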

