basic Linux firewall
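#!/bin/sh
# Basic Linux NAT gateway / firewall.
# based on https://debian-administration.org/article/23/Setting_up_a_simple_Debian_gateway
#
# LAN is the trusted inside interface, ISP the untrusted uplink.  Hosts on
# LAN are masqueraded out through ISP; unsolicited inbound connections
# arriving on ISP are refused, both to this host and to the LAN.
#
# NOTE(review): only IPv4 (iptables) is configured here.  ip6tables is left
# untouched, so if this host has IPv6 connectivity it needs equivalent rules.
LAN=wlp2s0
ISP=enp0s21f0u1
# Exit if any command fails or a variable is unset.
set -eu
PATH=/usr/sbin:/sbin:/bin:/usr/bin

# iptables and the /proc/sys write below need root; fail early and clearly
# instead of half-applying the rule set.
if [ "$(id -u)" -ne 0 ]; then
  echo "$0: must be run as root" >&2
  exit 1
fi

# Delete all existing rules and user-defined chains in every table we touch.
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

# Default-deny on INPUT and FORWARD.  Flushing does not change a chain's
# policy (ACCEPT on a fresh system), and the rules below have no terminal
# rule on INPUT: a NEW connection arriving on ISP matches nothing and is
# handled by the policy.  Without this, the "firewall" only blocks what the
# pre-existing policy happened to block.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# Always accept loopback traffic.
iptables -A INPUT -i lo -j ACCEPT

# Drop packets conntrack cannot classify (bad TCP flags, stray ACKs,
# out-of-window segments) before any ACCEPT rule can see them.
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state INVALID -j DROP

# Allow established connections, and new connections from anywhere but ISP.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW ! -i "$ISP" -j ACCEPT

# Replies to LAN-originated connections may come back in from ISP.
iptables -A FORWARD -i "$ISP" -o "$LAN" -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow outgoing connections from the LAN side.
iptables -A FORWARD -i "$LAN" -o "$ISP" -j ACCEPT

# Masquerade everything leaving via ISP behind that interface's address.
iptables -t nat -A POSTROUTING -o "$ISP" -j MASQUERADE

# Explicitly refuse new connections from the outside to the inside.  The
# FORWARD policy would drop them silently; REJECT answers with an ICMP error.
iptables -A FORWARD -i "$ISP" -o "$LAN" -j REJECT

# Enable routing.  Writing /proc is not persistent across reboots; use
# sysctl configuration for a permanent setting.
echo 1 > /proc/sys/net/ipv4/ip_forward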