Re: [SLUG] Linux Networking with IPTABLES

From: Larry Sanders (rhatman@earthlink.net)
Date: Fri Apr 18 2003 - 18:39:21 EDT


MANY THANKS TO DEREK, who can do these off the top of his head.
Here is a script that Derek presented to a SLUG meeting.
The way to get this to run each time the system is booted is slightly
different for each distribution. To start with you can manually run
the script after you su to root.
Good Luck! Larry :-)

#!/bin/sh
# rc.firewall iptables to protect internal network
# by Derek Glidden at www.nks.net - July 2001
# by Larry Sanders, Feb 2002 - installed on gate.sanders
# revised for Paul Aitken - April 2003
# note eth1 => internal and eth0 => external to cable
# turn forwarding off while vulnerable
echo "0" > /proc/sys/net/ipv4/ip_forward
#
/sbin/iptables -F        # flush all rules in the filter table
/sbin/iptables -t nat -F # flush the nat table too, or the MASQUERADE rule below is added again on every run
# rule to nat if from inside going out
/sbin/iptables -t nat -A POSTROUTING -o eth0 \
        -s 192.168.1.0/24 -j MASQUERADE
# rule to allow session-related packets through
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# rule to accept if from inside with good ip - all addresses
# /sbin/iptables -A FORWARD -i eth1 -s 192.168.1.0/24 -o eth0 -j ACCEPT
# rule to accept if from inside with good ip - one address
/sbin/iptables -A FORWARD -i eth1 -s 192.168.1.2 -o eth0 -j ACCEPT
# rule to log any not accepted
/sbin/iptables -A FORWARD -j LOG --log-prefix="FORWARD DROP:"
# rule to drop any not accepted
/sbin/iptables -A FORWARD -j DROP
#
# rule to allow session-related packets through
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# rule to allow local echo
/sbin/iptables -A INPUT -i lo -s 127.0.0.1 -j ACCEPT
# rule to accept input to firewall from internal lan
/sbin/iptables -A INPUT -i eth1 -s 192.168.1.0/24 -j ACCEPT
# rule to explicitly log and drop all others
/sbin/iptables -A INPUT -j LOG --log-prefix="INPUT DROP:"
/sbin/iptables -A INPUT -j DROP
#
# turn on forwarding with wall constructed
echo "1" > /proc/sys/net/ipv4/ip_forward
echo iptables set for firewall in file rc.firewall
# end of firewall

On Friday 18 April 2003 02:04 pm, you wrote:
> On Fri, 2003-04-18 at 12:31, Paul Aitken wrote:
> > Hey,
> >
> > I was a little tired when I typed that. Let me rephrase it a little.
> > This is what I want to happen:
> > I want my computer (192.168.1.2) to have internet using the router. I
> > don't want any other computers on the internal network to have internet,
> > except for the linux router.
> >
> > I am wanting to block all connections, outgoing and incoming.
>
> This is off the top of my head, but I think this will work:
>
>
> # flush any existing rules
> iptables -F
> iptables -t nat -F
>
> # masquerade anything outbound
> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>
> # allow only traffic for 192.168.1.2 in and out, log and drop all else
> iptables -A FORWARD -d 192.168.1.2 -j ACCEPT
> iptables -A FORWARD -s 192.168.1.2 -j ACCEPT
> iptables -A FORWARD -j LOG --log-prefix "DROP FORWARD: "
> iptables -A FORWARD -j DROP
>
> # enable routing
> echo 1 > /proc/sys/net/ipv4/ip_forward
>
>
> of course, the firewall itself will be able to get out unless you put an
> appropriate DROP rule in the OUTPUT table.
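The same policy as Derek's rc.firewall, written out here as an added example (this is not code from the post or from Derek) in iptables-restore format. Loading a whole table with one iptables-restore call is atomic, so the ip_forward off/on dance around the rule loading is no longer needed; the chain policies are DROP, the LOG rules are rate limited, their prefixes end with a space so the IN= field does not run into the prefix, the MASQUERADE rule is limited to the one permitted host, and the gateway's own OUTPUT chain is restricted as Derek's last remark suggests. Interface names and addresses are the ones from the thread; the variable names, function names and the outbound ports allowed for the gateway itself are my own assumptions.

```shell
#!/bin/sh
# Added example: Derek's policy as an iptables-restore rule set.
# Interface names and addresses are those from the thread; everything
# else (variable and function names, the OUTPUT allowances) is assumed.
EXT_IF=eth0                # cable side
INT_IF=eth1                # internal LAN
LAN=192.168.1.0/24
ALLOWED_HOST=192.168.1.2   # the only LAN host allowed out

# Emit the complete rule set on stdout in iptables-restore format.
# Lines starting with '#' are ignored by iptables-restore.
firewall_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# masquerade only the permitted host, not the whole LAN
-A POSTROUTING -o $EXT_IF -s $ALLOWED_HOST -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback without a -s 127.0.0.1 restriction: the host's own addresses use lo too
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $INT_IF -s $LAN -j ACCEPT
-A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "INPUT DROP: "
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $INT_IF -o $EXT_IF -s $ALLOWED_HOST -j ACCEPT
-A FORWARD -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "FORWARD DROP: "
# the gateway itself: talk to the LAN, and only DNS/HTTP/HTTPS outward
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o $INT_IF -d $LAN -j ACCEPT
-A OUTPUT -o $EXT_IF -p udp --dport 53 -j ACCEPT
-A OUTPUT -o $EXT_IF -p tcp -m multiport --dports 53,80,443 -j ACCEPT
-A OUTPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "OUTPUT DROP: "
COMMIT
EOF
}

# Count FORWARD rules that ACCEPT traffic toward the external interface.
# The policy wants exactly one (the permitted host), so this is a cheap
# regression check that needs no root.
forward_accept_count() {
    firewall_rules | grep -c "^-A FORWARD .*-o $EXT_IF .*-j ACCEPT"
}

# Parse-only check with iptables-restore --test (still needs root).
firewall_check() {
    firewall_rules | iptables-restore --test
}

# Load atomically, and only then enable forwarding: the kernel swaps in
# the whole table in one step, so there is no moment with half a rule set.
firewall_apply() {
    firewall_rules | iptables-restore && echo 1 > /proc/sys/net/ipv4/ip_forward
}

case "${1:-print}" in
    apply) firewall_apply ;;
    check) firewall_check ;;
    *)     firewall_rules ;;   # default: print the rule set for review
esac
```

Run it with no argument to review the generated rules, `check` to have iptables-restore parse them, and `apply` to load them; hooking `apply` into boot is, as Larry says, distribution specific.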
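What the LOG rules in these scripts actually produce, and a quick way to triage it, as a second added example that is not from the post. The sample lines are constructed in the format the iptables LOG target writes to the kernel log (a subset of its fields, with documentation addresses), using prefixes that end in a space; with a prefix like "INPUT DROP:" the first field would come out as `INPUT DROP:IN=eth0`, which is why the trailing space matters. The awk summary counts dropped packets per chain, source, protocol and destination port; function names are my own.

```shell
#!/bin/sh
# Added example: summarise what the LOG rules record. SAMPLE_LOG is
# constructed in the format the iptables LOG target writes to the kernel
# log (a subset of the fields); addresses are documentation ranges.
SAMPLE_LOG='Apr 18 18:40:01 gate kernel: INPUT DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.7 LEN=60 TTL=48 PROTO=TCP SPT=44000 DPT=22 SYN
Apr 18 18:40:02 gate kernel: INPUT DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.7 LEN=60 TTL=48 PROTO=TCP SPT=44001 DPT=22 SYN
Apr 18 18:40:03 gate kernel: INPUT DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.7 LEN=60 TTL=48 PROTO=TCP SPT=44002 DPT=23 SYN
Apr 18 18:40:05 gate kernel: FORWARD DROP: IN=eth1 OUT=eth0 SRC=192.168.1.9 DST=198.51.100.20 LEN=48 TTL=127 PROTO=TCP SPT=1025 DPT=80 SYN
Apr 18 18:40:06 gate kernel: FORWARD DROP: IN=eth1 OUT=eth0 SRC=192.168.1.9 DST=198.51.100.20 LEN=61 TTL=127 PROTO=UDP SPT=1026 DPT=53
Apr 18 18:40:07 gate kernel: FORWARD DROP: IN=eth1 OUT=eth0 SRC=192.168.1.9 DST=198.51.100.20 LEN=84 TTL=127 PROTO=ICMP TYPE=8 CODE=0'

# Read kernel log lines on stdin, print "CHAIN SRC PROTO DPT COUNT",
# most frequent first. Lines without one of the three prefixes are ignored;
# a missing field (ICMP has no DPT) is shown as "-".
summarize_drops() {
    awk '
        match($0, /(INPUT|FORWARD|OUTPUT) DROP: /) {
            chain = substr($0, RSTART, RLENGTH - 7)   # strip " DROP: "
            src = "-"; proto = "-"; dpt = "-"
            for (i = 1; i <= NF; i++) {
                n = split($i, kv, "=")
                if (n < 2) continue
                if (kv[1] == "SRC") src = kv[2]
                else if (kv[1] == "PROTO") proto = kv[2]
                else if (kv[1] == "DPT") dpt = kv[2]
            }
            count[chain " " src " " proto " " dpt]++
        }
        END { for (k in count) print k, count[k] }
    ' | sort -k5,5nr -k1,1 -k2,2
}

# Sources that hit the INPUT chain of the gateway itself (the external
# side, since the LAN is accepted earlier): candidates for a closer look,
# one address per line.
external_sources() {
    summarize_drops | awk '$1 == "INPUT" { print $2 }' | sort -u
}

# Stand-alone demo on the constructed sample; in practice feed it
# `grep 'DROP: ' /var/log/messages` or the output of dmesg.
printf '%s\n' "$SAMPLE_LOG" | summarize_drops
```

On the sample this reports two dropped attempts to port 22 from 203.0.113.5 at the top, followed by the single-packet entries, and shows that 192.168.1.9 (not the permitted host) is being refused outbound access in FORWARD, which is exactly the behaviour Paul asked for.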



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 18:13:34 EDT