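#!/bin/sh
# Two-interface NAT router / firewall (IPv4 only).
#
# WAN is the upstream interface (masqueraded), LAN the internal network.
# Policy: every chain defaults to DROP; traffic is only accepted where
# explicitly listed below. As written the router itself accepts new
# inbound sessions only from the LAN interface, loopback, ICMP echo and
# TCP/20022. OUTPUT is DROP as well, so the host cannot open new TCP/UDP
# sessions of its own (DNS, NTP, package updates) -- only ESTABLISHED /
# RELATED replies, loopback and ICMP echo are let out.
#
# Must run as root. Run it from a console or from the LAN side: the DROP
# policies are installed before the accept rules are appended.
set -eu

WAN=enp2s0
LAN=enp3s0
LANIP=192.168.11.1
LANSUBNET=192.168.11.0/24

# Refuse to touch the ruleset if either interface name is wrong. With the
# DROP policies below, a typo here would otherwise lock the router down
# with no accept rule matching any real interface.
for dev in "$WAN" "$LAN"; do
  ip link show dev "$dev" >/dev/null || {
    echo "interface $dev not found" >&2
    exit 1
  }
done

# First IPv4 address on the WAN interface, without the prefix length.
# Derived from $WAN instead of a second hard-coded interface name; "-4"
# keeps inet6 lines out of the match. Not used by the rules below yet.
WANIP=$(ip -4 -o addr show dev "$WAN" | awk '{ print $4; exit }' | cut -d/ -f1)

##############
#ip_forward
##############
echo 1 > /proc/sys/net/ipv4/ip_forward

##############
#Flush & Reset
##############
# Flush and delete user chains in both tables that are populated below,
# so re-running the script starts from a clean state (nat user chains
# were previously left behind).
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X

##############
#Default Rule
##############
iptables -P OUTPUT DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP
# Anything arriving on the LAN interface is trusted.
iptables -A INPUT -i "$LAN" -j ACCEPT

##############
# Anti-spoofing: drop RFC 1918 sources arriving from the Internet side
##############
for net in 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8; do
  iptables -A INPUT   -i "$WAN" -s "$net" -j DROP
  iptables -A FORWARD -i "$WAN" -s "$net" -j DROP
done

##############
#Connection Tracking Rules
##############
iptables -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

##############
# FORWARD
##############
# Only forward LAN traffic that carries a LAN-subnet source address, so a
# host on the LAN cannot relay packets with a forged source through us.
iptables -A FORWARD -i "$LAN" -s "$LANSUBNET" -j ACCEPT

##############
#nat
##############
# Masquerade only the LAN subnet on its way out, matching the FORWARD rule.
iptables -t nat -A POSTROUTING -s "$LANSUBNET" -o "$WAN" -j MASQUERADE

##############
#loopback
##############
iptables -A INPUT  -i lo -m state --state NEW -j ACCEPT
iptables -A OUTPUT -o lo -m state --state NEW -j ACCEPT

##############
#ACCEPT
##############
# ICMP type 0 = echo-reply, type 8 = echo-request (ping both ways).
iptables -A INPUT  -p icmp --icmp-type 0 -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type 0 -j ACCEPT
iptables -A INPUT  -p icmp --icmp-type 8 -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type 8 -j ACCEPT
# Management port; reachable from any interface, including WAN.
iptables -A INPUT -p tcp --dport 20022 -j ACCEPT

#########
#logging
#########
# Everything not accepted above ends up here: rate-limited LOG, then DROP.
# The limit values are iptables' defaults, spelled out so the rate is
# visible. OUTPUT drops are not logged (unchanged from the original).
iptables -N LOGGING
iptables -A LOGGING -m limit --limit 3/hour --limit-burst 5 \
  -j LOG --log-level warning --log-prefix "DROP:"
iptables -A LOGGING -j DROP
iptables -A INPUT   -j LOGGING
iptables -A FORWARD -j LOGGING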