Skip to content

Instantly share code, notes, and snippets.

@majioa
Created Jun 11, 2013
Embed
What would you like to do?
Firewall default script
#!/bin/sh
# (c) Malo Skrylevo
set -x
#service $IPTABLES restart
# interfaces IF0 - external LAN iface, IF1,IF2 - internal LAN ifaces
IF0=enp2s0
IF1=vboxnet0
IF2=vboxnet1
# uncomment if you have used IP fowarding(NAT)
echo 1 > /proc/sys/net/ipv4/ip_forward
# uncomment if you have used dynamic inet address got from inet provider
#echo 1 > /proc/sys/net/ipv4/ip_dynaddr
IPTABLES=`which $IPTABLES` || /sbin/$IPTABLES
# disable all incoming packets
$IPTABLES -A INPUT -j DROP
$IPTABLES -A FORWARD -j DROP
$IPTABLES -A OUTPUT -j ACCEPT
# flush all rules
$IPTABLES -F
$IPTABLES -t nat -F
# enable masquerade (dynamic NAT)
$IPTABLES -t nat -A POSTROUTING -j MASQUERADE -o $IF0
# uncomment if you want to enable NAT to fixed IP address external router
#$IPTABLES -t nat -A POSTROUTING -o $IF0 -s 192.168.57.0/24 -j SNAT --to-source 192.168.123.1
#$IPTABLES -t nat -A POSTROUTING -o $IF0 -s 192.168.125.0/24 -j SNAT --to-source 192.168.123.1
# uncomment if you want to forward TCP packets from external LAN to an internal
# server with specified port with using port remap
$IPTABLES -t nat -A PREROUTING -p tcp --dport 3080 -j DNAT --to-destination 192.168.57.2:80
$IPTABLES -t nat -A OUTPUT -p tcp --dport 3080 -j DNAT --to-destination 192.168.57.2:80
# uncomment if you want to forward both TCP packets sent to the specified port
# from external LAN to an internal server to the same port
$IPTABLES -t nat -A PREROUTING -p tcp --dport 3000 -j DNAT --to-destination 192.168.57.2
$IPTABLES -t nat -A OUTPUT -p tcp --dport 3000 -j DNAT --to-destination 192.168.57.2
# fix all policies to required behaviour
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i IF1 -j ACCEPT
$IPTABLES -A FORWARD -i IF2 -j ACCEPT
$IPTABLES -A INPUT -j ACCEPT
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment