Script to set up a basic iptables ruleset, used on my Raspberry Pi firewall.
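#!/bin/sh
# Basic IPv4 iptables ruleset for a three-interface firewall.
#
# Interfaces (defaults below; override via the environment, e.g.
# EXT_IF=enp1s0 ./firewall.sh):
#  * eth0 = Internet interface (DHCP)
#  * eth1 = LAN interface (192.168.1.0/24)
#  * eth2 = DMZ interface (172.16.0.0/16)
# Policy:
#  * Traffic open from firewall to internet
#  * Traffic open and translated from LAN and DMZ to internet
#  * Traffic open from LAN to Firewall
#  * Traffic open from LAN to DMZ
#  * Traffic open from internet to a DMZ web server (TCP/80 only)
#
# Only the IPv4 tables are touched; ip6tables is left as found, so if IPv6
# is enabled on the host this script sets no policy for it.
# Must run as root. Meant to be re-run when the eth0 (DHCP) address changes.
PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'
export PATH
set -u

EXT_IF=${EXT_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}
DMZ_IF=${DMZ_IF:-eth2}
LAN_NET=${LAN_NET:-192.168.1.0/24}
DMZ_WEB=${DMZ_WEB:-172.16.0.1}

# Print the first IPv4 address of the interface named in $1 (nothing if it
# has none). Prefers iproute2; falls back to net-tools ifconfig and accepts
# both its old ("inet addr:1.2.3.4") and new ("inet 1.2.3.4") output formats.
iface_ipv4() {
  if command -v ip >/dev/null 2>&1; then
    ip -4 -o addr show dev "$1" 2>/dev/null \
      | awk '{ sub(/\/.*/, "", $4); print $4; exit }'
  else
    ifconfig "$1" 2>/dev/null \
      | awk '/inet / { sub(/^addr:/, "", $2); print $2; exit }'
  fi
}

EXT_IP=$(iface_ipv4 "$EXT_IF")

### SYSCTL
# Set required kernel params (printf rather than echo -n: echo flags are
# not portable under /bin/sh)
printf '1' > /proc/sys/net/ipv4/ip_forward
printf '0' > /proc/sys/net/ipv4/conf/all/accept_source_route
printf '0' > /proc/sys/net/ipv4/conf/all/accept_redirects
printf '1' > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
printf '1' > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

### IPTABLES
## INIT
# Flush previous rules, delete user chains and reset counters in both the
# filter and nat tables. NOTE: between the flush and the DROP policies below
# the chains are empty under whatever policy was previously in force, so
# keep this section short.
iptables -F
iptables -X
iptables -Z
iptables -t nat -F
iptables -t nat -X
iptables -t nat -Z
# Default policies: deny everything not explicitly allowed
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# Enable loopback traffic
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Enable stateful rules (must precede the NEW rules below)
for chain in INPUT OUTPUT FORWARD; do
  iptables -A "$chain" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
done
# Drop invalid state packets
for chain in INPUT OUTPUT FORWARD; do
  iptables -A "$chain" -m conntrack --ctstate INVALID -j DROP
done

## INPUT
# Enable all incoming from LAN to firewall
iptables -A INPUT -i "$LAN_IF" -m conntrack --ctstate NEW -j ACCEPT

## OUTPUT
# Enable all outgoing traffic to internet
iptables -A OUTPUT -o "$EXT_IF" -m conntrack --ctstate NEW -j ACCEPT

## FORWARD
# No routable networks behind the internet interface, need to masq
iptables -t nat -A POSTROUTING -o "$EXT_IF" -j MASQUERADE
# LAN to DMZ
iptables -A FORWARD -i "$LAN_IF" -o "$DMZ_IF" -m conntrack --ctstate NEW -j ACCEPT
# LAN to Internet
iptables -A FORWARD -i "$LAN_IF" -o "$EXT_IF" -m conntrack --ctstate NEW -j ACCEPT
# DMZ to Internet
iptables -A FORWARD -i "$DMZ_IF" -o "$EXT_IF" -m conntrack --ctstate NEW -j ACCEPT
# Internet HTTP to DMZ web server: DNAT anything arriving on the internet
# interface for TCP/80, then allow only that forwarded flow
iptables -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport 80 \
  -j DNAT --to-destination "$DMZ_WEB"
iptables -A FORWARD -i "$EXT_IF" -o "$DMZ_IF" -d "$DMZ_WEB" \
  -p tcp --dport 80 \
  -m conntrack --ctstate NEW -j ACCEPT
# NAT loopback - LAN HTTP to/from the DMZ web server via the external address.
# Needs EXT_IP: when the internet interface has no IPv4 address yet (DHCP not
# done) these rules are skipped with a warning, instead of running iptables
# with an empty -d/--to-source argument.
if [ -n "$EXT_IP" ]; then
  iptables -t nat -A PREROUTING -s "$LAN_NET" -d "$EXT_IP" \
    -p tcp --dport 80 \
    -j DNAT --to-destination "$DMZ_WEB"
  iptables -t nat -A POSTROUTING -s "$LAN_NET" -d "$DMZ_WEB" \
    -p tcp --dport 80 \
    -j SNAT --to-source "$EXT_IP"
else
  printf 'warning: no IPv4 address on %s, NAT loopback rules not installed\n' \
    "$EXT_IF" >&2
fi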