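#!/bin/sh
#
# Simple NAT firewall for a two-interface gateway.
#
# Masquerades INTERNAL_NET out of EXTERNAL_IFACE, forwards only connections
# that originate on the inside, and on the box itself accepts only SSH from
# the outside plus anything from the inside. Whatever is not accepted is
# logged and then dropped.
#
# Must run as root. Any failing command aborts the script (set -e) with IP
# forwarding still disabled and the INPUT/FORWARD policies already at DROP,
# so a half-built ruleset fails closed rather than open.
#
# shellcheck disable=SC2086 -- LOG_LIMIT / LOG_OPTS are intentionally
# word-split into several iptables arguments (POSIX sh has no arrays).

set -e

INTERNAL_NET="192.168.1.0/24"
INTERNAL_IFACE="eth1"
EXTERNAL_IFACE="eth0"

# Rate limit for log rules that an outside host can trigger at will (port
# scans, SYN floods), so a flood cannot fill the disk or drown out real
# entries. Logs of inside-originated traffic stay unlimited.
LOG_LIMIT="-m limit --limit 5/min --limit-burst 10"
LOG_OPTS="--log-level info"

## Disable routing while we update tables
echo 0 > /proc/sys/net/ipv4/ip_forward


## Insert connection-tracking modules (not needed if built into kernel).
## Newer kernels name them nf_*, older ones ip_*; try both and only warn
## on failure, because a built-in implementation leaves nothing to load.
for mod in conntrack conntrack_ftp nat_ftp; do
  modprobe "nf_$mod" 2>/dev/null || modprobe "ip_$mod" 2>/dev/null \
    || echo "warning: could not load $mod module (fine if built into the kernel)" >&2
done
# NOTE(review): kernels that do not auto-assign conntrack helpers need an
# explicit CT helper rule for FTP to work through the NAT -- confirm for the
# target kernel before relying on FTP from the inside.


## Default-deny on the chains we filter, set BEFORE the flush so there is no
## window with an empty accept-everything chain, and so an aborted run leaves
## the box closed. OUTPUT keeps accept, matching the OUTPUT rules below.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

## Flush all existing rules
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X


## Loopback is never filtered; without this, local services talking to
## 127.0.0.1 would be dropped by the INPUT rules below.
iptables -A INPUT -i lo -j ACCEPT


## Anti-spoofing: a packet arriving on the outside interface must not claim
## an inside address. These rules precede the state rules on purpose, since a
## spoofed packet could otherwise match an existing conntrack entry.
iptables -A INPUT -i "$EXTERNAL_IFACE" -s "$INTERNAL_NET" $LOG_LIMIT -j LOG $LOG_OPTS --log-prefix "SPOOF INPUT: "
iptables -A INPUT -i "$EXTERNAL_IFACE" -s "$INTERNAL_NET" -j DROP
iptables -A FORWARD -i "$EXTERNAL_IFACE" -s "$INTERNAL_NET" $LOG_LIMIT -j LOG $LOG_OPTS --log-prefix "SPOOF FORWARD: "
iptables -A FORWARD -i "$EXTERNAL_IFACE" -s "$INTERNAL_NET" -j DROP


## Set up IP Masquerading for internal network
iptables -t nat -A POSTROUTING -o "$EXTERNAL_IFACE" -s "$INTERNAL_NET" -j MASQUERADE


## Set up FORWARD rules for internal network
## Allow related connections, new connections from the inside network
## (interface AND source address must both match, for the log rule too),
## log and drop everything else
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i "$INTERNAL_IFACE" -s "$INTERNAL_NET" -m state --state NEW -j LOG $LOG_OPTS --log-prefix "NEW FORWARD: "
iptables -A FORWARD -i "$INTERNAL_IFACE" -s "$INTERNAL_NET" -j ACCEPT
iptables -A FORWARD $LOG_LIMIT -j LOG $LOG_OPTS --log-prefix "DROP FORWARD: "
iptables -A FORWARD -j DROP


## Set up INPUT rules to allow traffic directly to the box
## Only allow SSH from the outside world (sshd keeps its own auth log, so
## the rate-limited kernel log here is only a coarse new-connection signal)
## Allow anything from the internal network
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i "$EXTERNAL_IFACE" -p tcp --dport 22 -m state --state NEW $LOG_LIMIT -j LOG $LOG_OPTS --log-prefix "NEW SSH INPUT: "
iptables -A INPUT -i "$EXTERNAL_IFACE" -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i "$INTERNAL_IFACE" -s "$INTERNAL_NET" -m state --state NEW -j LOG $LOG_OPTS --log-prefix "NEW INPUT: "
iptables -A INPUT -i "$INTERNAL_IFACE" -s "$INTERNAL_NET" -j ACCEPT
iptables -A INPUT $LOG_LIMIT -j LOG $LOG_OPTS --log-prefix "DROP INPUT: "
iptables -A INPUT -j DROP


## Log new OUTPUT connections to keep an eye on what our firewall is up to
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state NEW -j LOG $LOG_OPTS --log-prefix "NEW OUTPUT: "
iptables -A OUTPUT -m state --state NEW -j ACCEPT

## Reenable routing now we're done changing things (only reached when every
## rule above was installed successfully)
echo 1 > /proc/sys/net/ipv4/ip_forward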


