simple-fw
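#!/bin/sh
#
# simple-fw: stateful iptables firewall + NAT for a small router with one
# WAN link ($DEV_WAN) and one trusted LAN segment ($DEV_LAN / $NET_LAN).
#
# Policy implemented below:
#   - everything on loopback is allowed;
#   - replies to tracked connections are allowed in every chain;
#   - packets arriving on the WAN with a LAN source address are dropped;
#   - hosts on the LAN may reach the router and be forwarded anywhere;
#   - the only service reachable from the WAN is SSH (tcp/22);
#   - everything else is dropped (a rate-limited sample goes to the log);
#   - LAN traffic leaving through the WAN is masqueraded.
#
# Caveats:
#   - IPv4 only. ip6tables is not touched; if the box has IPv6 connectivity
#     that traffic is NOT filtered by this script.
#   - OUTPUT policy is DROP and only loopback / ESTABLISHED,RELATED are
#     allowed, so the router itself cannot open new connections (no DNS,
#     NTP, package updates). Add explicit OUTPUT rules if that is needed.
#   - The script fails closed (set -e); run it from the console or behind a
#     scheduled reset, because a typo can lock out a remote administrator.
#   - Rules and ip_forward are not persistent across reboot; hook the script
#     into the boot sequence or save the ruleset with iptables-save.
#
# Must run as root.

set -eu   # abort on the first failing command or unset variable (fail closed)

DEV_WAN=ppp0
DEV_LAN=eth0
NET_LAN=192.168.1.0/24
IP_WAN=             # static WAN address, only needed for the SNAT variant below
IPTABLES=/sbin/iptables   # absolute path: PATH may lack /sbin (cron, su)

# Default policy DROP, set *before* flushing so that an interrupted run leaves
# the box closed rather than wide open. Always go through $IPTABLES: a bare
# "iptables" that is not on PATH would silently leave the policies at ACCEPT.
# (Existing sessions stall until the ESTABLISHED rule below is re-added.)
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

# Flush the standard chains and delete user-defined chains in every table
for table in filter nat mangle; do
  $IPTABLES -t "$table" -F
  $IPTABLES -t "$table" -X
done

# Allow everything on the loopback interface
$IPTABLES -A INPUT  -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT

# Anti-spoofing: a packet arriving on the WAN can never legitimately carry a
# LAN source address. Drop it before conntrack or source-based trust applies.
$IPTABLES -A INPUT   -i "$DEV_WAN" -s "$NET_LAN" -j DROP
$IPTABLES -A FORWARD -i "$DEV_WAN" -s "$NET_LAN" -j DROP

# Allow replies to connections we already track (RELATED also covers ICMP
# errors and protocol helpers such as FTP data channels)
$IPTABLES -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Trust the LAN: local hosts may talk to the router and be forwarded anywhere.
# Both interface and source are matched, so a host with a foreign address
# plugged into $DEV_LAN is not trusted.
$IPTABLES -A INPUT   -i "$DEV_LAN" -s "$NET_LAN" -j ACCEPT
$IPTABLES -A FORWARD -i "$DEV_LAN" -s "$NET_LAN" -j ACCEPT

# SSH from anywhere, including the WAN. This is the only service exposed to
# the Internet: make sure sshd is key-only, and restrict the rule with
# `-i "$DEV_LAN"` or `-s <admin-network>` if remote access is not required.
# Only NEW connections need this rule; replies are handled above.
$IPTABLES -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT

# Log what is about to hit the DROP policy, rate limited so a flood cannot
# fill the log. The prefix names the chain in syslog.
for chain in INPUT OUTPUT FORWARD; do
  $IPTABLES -A "$chain" -m limit --limit 3/min --limit-burst 3 \
    -j LOG --log-level 4 --log-ip-options --log-tcp-options \
    --log-tcp-sequence --log-prefix "IPT ($chain): "
done

# NAT: rewrite the source of LAN traffic leaving through the WAN.
# MASQUERADE follows the current (dynamic) $DEV_WAN address; with a static
# address SNAT is cheaper (target options must follow -j):
#   $IPTABLES -t nat -A POSTROUTING -o "$DEV_WAN" -s "$NET_LAN" -j SNAT --to-source "$IP_WAN"
$IPTABLES -t nat -A POSTROUTING -o "$DEV_WAN" -s "$NET_LAN" -j MASQUERADE

# Enable routing between interfaces only after the filter rules are in place,
# so no unfiltered packet is ever forwarded.
echo 1 >/proc/sys/net/ipv4/ip_forward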