The following script sets the router's firewall to reject everything coming in from the WAN, while forwarding all traffic from the LAN to the WAN.
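#!/bin/sh
# Router firewall: reject everything arriving on the WAN interface and let the
# LAN reach the WAN through masquerading.
# IPv4 only: ip6tables is not touched, so a host with IPv6 connectivity needs an
# equivalent ip6tables ruleset or its WAN side stays unfiltered.
# Stop on the first failing command so a broken rule never leaves a ruleset
# that is silently different from the one below.
set -eu
PATH=/usr/sbin:/sbin:/bin:/usr/bin
WAN=enp2s0
LAN=enp3s0
# Must be quoted: an unquoted `IPTABLES=sudo iptables` is parsed as running the
# command `iptables` with IPTABLES=sudo in its environment only, so $IPTABLES
# is empty for every line that follows and each rule fails as "-F: not found".
IPTABLES="sudo iptables"
SYSCTL="sudo sysctl"
#
# delete all existing rules.
#
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F
$IPTABLES -X
# Fail closed: the kernel default policy is ACCEPT, so any packet that none of
# the rules below matches (for example a FORWARD packet not going LAN->WAN or
# WAN->LAN) would otherwise be let through. Set before the rules are added so
# the window while the chains are being filled is also closed.
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
# Always accept loopback traffic
$IPTABLES -A INPUT -i lo -j ACCEPT
# Allow established connections, and those not coming from the outside
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -m state --state NEW ! -i $WAN -j ACCEPT
$IPTABLES -A FORWARD -i $WAN -o $LAN -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow outgoing connections from the LAN side.
$IPTABLES -A FORWARD -i $LAN -o $WAN -j ACCEPT
# Masquerade.
$IPTABLES -t nat -A POSTROUTING -o $WAN -j MASQUERADE
# Don't forward from the outside to the inside. REJECT answers with an ICMP
# error instead of silently dropping; anything left over falls to the DROP
# policies above.
$IPTABLES -A FORWARD -i $WAN -o $LAN -j REJECT
$IPTABLES -A INPUT -i $WAN -j REJECT
# Enable routing only after the FORWARD rules are in place, so no packet is
# forwarded before the filter applies.
$SYSCTL net.ipv4.ip_forward=1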
Optionally, if we wish to see what is being dropped, we can replace the REJECT target in our rules with a logging chain, defined as follows:
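# Logging chains. Define them right after `$IPTABLES -X` (which removes any
# previous copy) and before the rules that jump to them, otherwise
# `-j LOGDROP`/`-j LOGREJECT` fails because the chain does not exist yet.
# `-m limit --limit 2/min` caps the log rate so a flood cannot fill the logs.
$IPTABLES -N LOGDROP
$IPTABLES -A LOGDROP -m limit --limit 2/min -j LOG --log-prefix "Iptables-Dropped: " --log-level 4
$IPTABLES -A LOGDROP -j DROP
# DROP discards silently, which is not the same as the REJECT it replaces (REJECT
# sends an ICMP error back). Use LOGREJECT where the original rule used REJECT
# and the observable behaviour should stay the same.
$IPTABLES -N LOGREJECT
$IPTABLES -A LOGREJECT -m limit --limit 2/min -j LOG --log-prefix "Iptables-Rejected: " --log-level 4
$IPTABLES -A LOGREJECT -j REJECT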
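#!/bin/sh
# Router firewall with logging: reject everything arriving on the WAN interface
# (logged, rate-limited) and let the LAN reach the WAN through masquerading.
# IPv4 only: ip6tables is not touched, so a host with IPv6 connectivity needs an
# equivalent ip6tables ruleset or its WAN side stays unfiltered.
# Stop on the first failing command so a broken rule never leaves a ruleset
# that is silently different from the one below.
set -eu
PATH=/usr/sbin:/sbin:/bin:/usr/bin
WAN=enp2s0
LAN=enp3s0
# Quoted on purpose: an unquoted `IPTABLES=sudo iptables` would only set the
# variable for a single run of `iptables` and leave $IPTABLES empty afterwards.
IPTABLES="sudo iptables"
SYSCTL="sudo sysctl"
#
# delete all existing rules.
#
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F
$IPTABLES -X
# Fail closed: the kernel default policy is ACCEPT, so any packet that none of
# the rules below matches (for example a FORWARD packet not going LAN->WAN or
# WAN->LAN) would otherwise be let through. Set before the rules are added so
# the window while the chains are being filled is also closed.
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
# Logging chains; `-m limit --limit 2/min` caps the log rate so a flood cannot
# fill the logs. LOGDROP is not referenced by the rules below; it is kept so a
# rule can be switched from LOGREJECT (ICMP error sent back) to a silent drop.
$IPTABLES -N LOGDROP
$IPTABLES -A LOGDROP -m limit --limit 2/min -j LOG --log-prefix "Iptables-Dropped: " --log-level 4
$IPTABLES -A LOGDROP -j DROP
$IPTABLES -N LOGREJECT
$IPTABLES -A LOGREJECT -m limit --limit 2/min -j LOG --log-prefix "Iptables-Rejected: " --log-level 4
$IPTABLES -A LOGREJECT -j REJECT
# Always accept loopback traffic
$IPTABLES -A INPUT -i lo -j ACCEPT
# Allow established connections, and those not coming from the outside
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -m state --state NEW ! -i $WAN -j ACCEPT
$IPTABLES -A FORWARD -i $WAN -o $LAN -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow outgoing connections from the LAN side.
$IPTABLES -A FORWARD -i $LAN -o $WAN -j ACCEPT
# Masquerade.
$IPTABLES -t nat -A POSTROUTING -o $WAN -j MASQUERADE
# Don't forward from the outside to the inside. These stay the last rules so
# WAN traffic is logged; anything they do not cover (e.g. INVALID-state packets
# from the LAN) falls to the DROP policies above without a log line.
$IPTABLES -A FORWARD -i $WAN -o $LAN -j LOGREJECT
$IPTABLES -A INPUT -i $WAN -j LOGREJECT
# Enable routing only after the FORWARD rules are in place, so no packet is
# forwarded before the filter applies.
$SYSCTL net.ipv4.ip_forward=1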