Created
March 23, 2014 01:36
-
-
Save CRImier/9717268 to your computer and use it in GitHub Desktop.
This is a Bash script (wrapper around iptables) that creates a simple firewall from one interface to another. It is designed for portable servers that might be getting Internet internet from 3G/wireless/wired connection and, therefore, uplink interface changes, but local does not, so local interface name is hard-coded. It is invoked like "firewa…
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| #NAT script from !!!!!!!!!!!!!!!, modified by CRImier | |
| # Exit status 0 if operation is correct | |
| # Exit status 1 if trying to use last interface used when running for the first time | |
| # Exit status 2 if interface doesn't exist | |
| EIF='' | |
| IIF='eth0' | |
| PATH=/usr/sbin:/sbin:/bin:/usr/bin | |
| LOGFILE=/etc/nat-if.conf | |
| touch $LOGFILE | |
| #Checking command-line arguments and setting $EIF variable according to them | |
| if [[ $1 == "" ]] #If there's no arguments, just use previous settings. | |
| then | |
| EIF=`cat $LOGFILE` | |
| if [[ $EIF == "" || $EIF == "" ]] #Just check for an empty file! | |
| then | |
| echo "Please, specify interface name for first usage using 'firewall interface', e.g. 'firewall eth0'" | |
| exit 1 | |
| fi | |
| elif [ $1 == "help" ] #Output help message | |
| then | |
| echo "NAT script" | |
| echo "(c) debian-administration.org, modified by CRImier" | |
| echo "Usage: 'firewall interface', 'firewall info' or simply 'firewall' to use last interface firewall was set on." | |
| echo "Argument is external interface name, internal interface name is hard-coded in the script" | |
| exit 0 | |
| elif [ $1 == "info" ] #Output interface firewall is set on | |
| then | |
| cat $LOGFILE | |
| exit 0 | |
| else | |
| ifconfig $1 &>/dev/null | |
| if [ $? == 0 ] | |
| then | |
| EIF=$1 | |
| echo $EIF > $LOGFILE | |
| else | |
| echo "Incorrect interface name" | |
| exit 2 | |
| fi | |
| fi | |
| # # delete all existing rules. # | |
| iptables -F | |
| iptables -t nat -F | |
| iptables -t mangle -F | |
| iptables -X | |
| # Always accept loopback traffic | |
| iptables -A INPUT -i lo -j ACCEPT | |
| # Allow established connections, and those not coming from the outside | |
| iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT | |
| iptables -A FORWARD -i $EIF -o $IIF -m state --state ESTABLISHED,RELATED -j ACCEPT | |
| # Allow outgoing connections from the LAN side. | |
| iptables -A FORWARD -i $IIF -o $EIF -j ACCEPT | |
| # Masquerade. | |
| iptables -t nat -A POSTROUTING -o $EIF -j MASQUERADE | |
| # Don't forward from the outside to the inside. | |
| iptables -A FORWARD -i $EIF -o $IIF -j REJECT | |
| iptables -N UPNP | |
| iptables -A FORWARD -j UPNP | |
| # Enable routing. | |
| echo 1 > /proc/sys/net/ipv4/ip_forward | |
| echo "Firewall started." |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment