simple-fw

simple-fw

#!/bin/sh
#

DEV_WAN=ppp0
DEV_LAN=eth0
NET_WAN=
NET_LAN=192.168.1.0/24
IP_WAN=111.222.333.444
IP_LAN=

IPTABLES=/sbin/iptables

# Cleaning rules for standard chains
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F

# Deleting all nonstandard chains
$IPTABLES -X
$IPTABLES -t nat -X
$IPTABLES -t mangle -X

# Default policy
iptables -P INPUT DROP
iptables -P OUTPUT DROP  
iptables -P FORWARD DROP

# Allow everything on loopback interface
$IPTABLES -A INPUT --in-interface lo --jump ACCEPT
$IPTABLES -A OUTPUT --out-interface lo --jump ACCEPT

# Allow ESTABLISHED/RELATED connections
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED --jump ACCEPT
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED --jump ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED --jump ACCEPT

# Allow everything from LAN
$IPTABLES -A INPUT --in-interface $DEV_LAN --source $NET_LAN --jump ACCEPT
$IPTABLES -A FORWARD --in-interface $DEV_LAN --source $NET_LAN --jump ACCEPT

# Allow SSH
$IPTABLES -A INPUT --protocol tcp --destination-port 22 --jump ACCEPT

# Logs
$IPTABLES -A INPUT --match limit --limit 3/min --limit-burst 3 --jump LOG --log-level 4 --log-ip-options --log-tcp-options --log-tcp-sequence --log-prefix "IPT (INPUT): "
$IPTABLES -A OUTPUT --match limit --limit 3/min --limit-burst 3 --jump LOG --log-level 4 --log-ip-options --log-tcp-options --log-tcp-sequence --log-prefix "IPT (OUTPUT): "
$IPTABLES -A FORWARD --match limit --limit 3/min --limit-burst 3 --jump LOG --log-level 4 --log-ip-options --log-tcp-options --log-tcp-sequence --log-prefix "IPT (FORWARD): "

# NAT
#$IPTABLES -t nat -A POSTROUTING --out-interface $DEV_WAN --to $IP_WAN --jump SNAT
$IPTABLES -t nat -A POSTROUTING --out-interface $DEV_WAN --source $NET_LAN --jump MASQUERADE

# Enable IP forwarding
echo 1 >/proc/sys/net/ipv4/ip_forward