Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
This is a Bash script (wrapper around iptables) that creates a simple firewall from one interface to another. It is designed for portable servers that might be getting Internet internet from 3G/wireless/wired connection and, therefore, uplink interface changes, but local does not, so local interface name is hard-coded. It is invoked like "firewa…
#!/bin/bash
#NAT script from !!!!!!!!!!!!!!!, modified by CRImier
# Exit status 0 if operation is correct
# Exit status 1 if trying to use last interface used when running for the first time
# Exit status 2 if interface doesn't exist
EIF=''
IIF='eth0'
PATH=/usr/sbin:/sbin:/bin:/usr/bin
LOGFILE=/etc/nat-if.conf
touch $LOGFILE
#Checking command-line arguments and setting $EIF variable according to them
if [[ $1 == "" ]] #If there's no arguments, just use previous settings.
then
EIF=`cat $LOGFILE`
if [[ $EIF == "" || $EIF == "" ]] #Just check for an empty file!
then
echo "Please, specify interface name for first usage using 'firewall interface', e.g. 'firewall eth0'"
exit 1
fi
elif [ $1 == "help" ] #Output help message
then
echo "NAT script"
echo "(c) debian-administration.org, modified by CRImier"
echo "Usage: 'firewall interface', 'firewall info' or simply 'firewall' to use last interface firewall was set on."
echo "Argument is external interface name, internal interface name is hard-coded in the script"
exit 0
elif [ $1 == "info" ] #Output interface firewall is set on
then
cat $LOGFILE
exit 0
else
ifconfig $1 &>/dev/null
if [ $? == 0 ]
then
EIF=$1
echo $EIF > $LOGFILE
else
echo "Incorrect interface name"
exit 2
fi
fi
# # delete all existing rules. #
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
# Always accept loopback traffic
iptables -A INPUT -i lo -j ACCEPT
# Allow established connections, and those not coming from the outside
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $EIF -o $IIF -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow outgoing connections from the LAN side.
iptables -A FORWARD -i $IIF -o $EIF -j ACCEPT
# Masquerade.
iptables -t nat -A POSTROUTING -o $EIF -j MASQUERADE
# Don't forward from the outside to the inside.
iptables -A FORWARD -i $EIF -o $IIF -j REJECT
iptables -N UPNP
iptables -A FORWARD -j UPNP
# Enable routing.
echo 1 > /proc/sys/net/ipv4/ip_forward
echo "Firewall started."
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment