@orumin
Created March 24, 2015 00:43
#!/bin/bash
# clear
iptables -F
iptables -X
iptables -Z
iptables -t nat -F
iptables -t mangle -F
# setting policy
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
# setting for interface
iptables -A INPUT -i eth1 -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth2 -p tcp --dport 22 -s 192.168.1.0/24 -j ACCEPT
# reject packets addressed to loopback that did not arrive on lo (spoofed 127.x traffic)
iptables -A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
# allow all established inbound connections
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# allow ping
iptables -A INPUT -p icmp --icmp-type 8 ! -i ppp0 -j ACCEPT
# allow dhcp server and dns from the LAN interfaces only
# (a negated match such as "! -i eth1" matches every other interface, ppp0 included,
#  so each LAN interface is named explicitly)
iptables -A INPUT -p udp --dport bootps -i eth1 -j ACCEPT
iptables -A INPUT -p udp --dport bootps -i eth2 -j ACCEPT
iptables -A INPUT -p udp --dport domain -i eth1 -j ACCEPT
iptables -A INPUT -p udp --dport domain -i eth2 -j ACCEPT
## allow minidlna (ssdp 1900/udp, 5000/tcp, 8200/tcp) from the eth2 LAN
# every rule needs a -j target; without one it only counts matching packets.
# note: these match on the source port, which any LAN host can choose freely
iptables -A INPUT -p udp --sport 1900 -i eth2 -j ACCEPT
iptables -A INPUT -p tcp --sport 5000 -i eth2 -j ACCEPT
iptables -A INPUT -p tcp --sport 8200 -i eth2 -j ACCEPT
# setting for forward
iptables -A FORWARD -p tcp -o ppp0 --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -I FORWARD -i eth1 -d 192.168.11.0/24 -j DROP
iptables -I FORWARD -i eth2 -d 192.168.1.0/24 -j DROP
iptables -A FORWARD -i eth1 -s 192.168.11.0/24 -d 192.168.1.0/24 -j ACCEPT
iptables -A FORWARD -i eth2 -p udp --dport 1900 -s 192.168.1.0/24 -d 192.168.11.0/24 -j ACCEPT
iptables -A FORWARD -i eth2 -p tcp --dport 5000 -s 192.168.1.0/24 -d 192.168.11.0/24 -j ACCEPT
iptables -A FORWARD -i eth2 -p tcp --dport 8200 -s 192.168.1.0/24 -d 192.168.11.0/24 -j ACCEPT
iptables -A FORWARD -i eth1 -o ppp0 -j ACCEPT
iptables -A FORWARD -i eth2 -o ppp0 -j ACCEPT
# setting for nat (ip masquerade on the ppp0 uplink)
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
# port forwarding: ssh from the WAN to one internal host (fill in the host address)
iptables -t nat -A PREROUTING -p tcp --dport 22 -i ppp0 -j DNAT --to 192.168.1.xxx
iptables -A FORWARD -i ppp0 -o eth2 -p tcp --dport 22 -j ACCEPT
# log (rate limited) whatever falls through to the INPUT DROP policy
iptables -A INPUT -m limit --limit 1/s -j LOG --log-prefix "[iptables firewall] : " --log-level=info
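A small static check for scripts of this shape, added here as an example and not part of the gist: it parses each `iptables` line and flags rules with no `-j` target (they only count packets), INPUT ACCEPT rules whose negated interface match (`! -i ethN`) also admits the WAN interface (assumed to be ppp0, as in the gist), and exact duplicate rules. The sample lines are constructed from the gist.

```python
import shlex

WAN_IF = "ppp0"  # assumption: the PPPoE uplink, as in the gist above

# Constructed sample: a few lines modelled on the gist, including its defects.
SAMPLE = """\
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 8 ! -i ppp0 -j ACCEPT
iptables -A INPUT -p udp --dport domain ! -i eth1 -j ACCEPT
iptables -A INPUT -p udp --dport domain ! -i eth1 -j ACCEPT
iptables -A INPUT -p udp --sport 1900 -i eth2
"""

def parse_rule(line):
    """Return (chain, args) for an -A/-I rule line, None for anything else."""
    argv = shlex.split(line, comments=True)
    if not argv or argv[0] != "iptables":
        return None
    for flag in ("-A", "-I"):
        if flag in argv:
            return argv[argv.index(flag) + 1], argv[1:]
    return None  # policy, flush, delete-chain, etc.

def lint(script):
    """Return [(line number, message)] for the three defects described above."""
    findings, seen = [], set()
    for lineno, line in enumerate(script.splitlines(), 1):
        parsed = parse_rule(line)
        if parsed is None:
            continue
        chain, args = parsed
        key = " ".join(args)
        if key in seen:
            findings.append((lineno, "duplicate rule"))
        seen.add(key)
        if "-j" not in args:
            findings.append((lineno, "no -j target: rule only counts packets"))
            continue
        accepts = args[args.index("-j") + 1] == "ACCEPT"
        for i, tok in enumerate(args[:-2]):
            # "! -i ethN" on an ACCEPT rule admits every other interface, the WAN included
            if chain == "INPUT" and accepts and tok == "!" and args[i + 1] == "-i" and args[i + 2] != WAN_IF:
                findings.append((lineno, f"'! -i {args[i + 2]}' also matches {WAN_IF}"))
    return findings

if __name__ == "__main__":
    for lineno, msg in lint(SAMPLE):
        print(f"line {lineno}: {msg}")
```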