
iptables-firewall

This is an example of a simple Linux iptables-based router script that logs traffic.

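#!/bin/sh
#
# Simple iptables router: masquerade the LAN interfaces behind EXTIF, log
# traffic on the INPUT/OUTPUT/FORWARD chains, and turn IPv4 forwarding on
# only after the whole ruleset has been applied.
#
# Stop at the first failing command: a half-applied ruleset must never be
# followed by the "enable routing" step at the bottom.
set -eu

PATH=/usr/sbin:/sbin:/bin:/usr/bin

# NOTE(review): eth1:0 and eth1:1 are IP aliases of eth1.  Netfilter matches
# on the underlying device name, so rules written against the alias names may
# never match; confirm on the target kernel, or match on eth1 alone.
INTIF0=eth1
INTIF1=eth1:0
INTIF2=eth1:1
EXTIF=eth0

# Upper bound on LOG entries per chain.  LOG is non-terminating and sits in
# front of every ACCEPT below, so without a limit a scan or flood would fill
# the log.  Override from the environment, e.g. LOG_RATE=1/second.
LOG_RATE=${LOG_RATE:-10/minute}

#
# delete all existing rules and user-defined chains.
#
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X

# Whatever no rule below accepts is dropped.  Without explicit policies the
# kernel defaults (ACCEPT) apply, and the REJECT at the bottom would be the
# only thing standing between EXTIF and the LAN.
# NOTE(review): if the router itself must be reachable from EXTIF (e.g. for
# administration), add explicit INPUT accepts for those services.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# Always accept loopback traffic
iptables -A INPUT -i lo -j ACCEPT

# Log traffic on every chain (rate-limited, see LOG_RATE).
iptables -A INPUT   -m limit --limit "$LOG_RATE" -j LOG --log-level 4 --log-prefix 'IPTAllowIN '
iptables -A OUTPUT  -m limit --limit "$LOG_RATE" -j LOG --log-level 4 --log-prefix 'IPTAllowOUT '
iptables -A FORWARD -m limit --limit "$LOG_RATE" -j LOG --log-level 4 --log-prefix 'IPTAllowFWD '

# Allow established connections, and new ones not coming from the outside.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW ! -i "$EXTIF" -j ACCEPT

# Replies to LAN-initiated connections may come back in from EXTIF.
for lan in "$INTIF0" "$INTIF1" "$INTIF2"; do
  iptables -A FORWARD -i "$EXTIF" -o "$lan" -m state --state ESTABLISHED,RELATED -j ACCEPT
done

# Allow outgoing connections from the LAN side.
for lan in "$INTIF0" "$INTIF1" "$INTIF2"; do
  iptables -A FORWARD -i "$lan" -o "$EXTIF" -j ACCEPT
done

# Masquerade.
iptables -t nat -A POSTROUTING -o "$EXTIF" -j MASQUERADE

# Don't forward from the outside to the inside: anything arriving on EXTIF
# that the ESTABLISHED,RELATED rules above did not accept is refused.
# Matching "-i $EXTIF -o $EXTIF" alone would only catch traffic looping back
# out of the external interface, not outside-to-inside traffic.
iptables -A FORWARD -i "$EXTIF" -j REJECT

# Enable routing, now that the rules are in place.
echo 1 > /proc/sys/net/ipv4/ip_forward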


This is an example of a script that uses wondershaper to limit bandwidth consumption

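#!/bin/bash
#
# Apply wondershaper rate limits to the router's interfaces.
# Run as root.  DOWN_KBIT / UP_KBIT may be overridden from the environment;
# values are in kbit/s, the unit wondershaper expects.
set -euo pipefail

readonly WONDERSHAPER=/usr/sbin/wondershaper
DOWN_KBIT=${DOWN_KBIT:-20000}
UP_KBIT=${UP_KBIT:-50000}

#######################################
# Reset and then re-apply shaping on one interface.
# Arguments: $1 - interface name
#######################################
shape_iface() {
  local iface=$1
  # "clean" may exit non-zero when there is nothing to remove yet; under
  # set -e that would abort before the limits are applied, so its status is
  # deliberately ignored (the original one-liner ignored it too).
  "$WONDERSHAPER" clean "$iface" || true
  "$WONDERSHAPER" "$iface" "$DOWN_KBIT" "$UP_KBIT"
}

for iface in eth1 eth0; do
  shape_iface "$iface"
done

#See also https://www.iplocation.net/traffic-control
# See: http://lartc.org/howto/ for lots of detail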



This is an example of a simple router script that forces DNS queries to the desired server.

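#!/bin/bash
#
# Simple NAT router that redirects every LAN DNS query to a single resolver.
# Forwarding is switched off first and only switched back on once the whole
# ruleset is in place; with set -e any failed step leaves forwarding off,
# which is what the comment below asks for.
set -euo pipefail

echo 0 > /proc/sys/net/ipv4/ip_forward
#Start out with no forwarding, lest a hacker notice the moment I've got no firewall.

eWAN=eth0
eLAN=eth1
iT=/sbin/iptables
# Set DEBUG=1 in the environment to narrate each step (off by default).
debug=${DEBUG:-}

# Resolver that all LAN port-53 traffic is rewritten to, and the resolvers
# written to this host's own /etc/resolv.conf.
# NOTE(review): the original comment says "OPENDNS forced" but the DNAT
# target is 172.16.1.1 — presumably a local resolver that itself uses the
# OpenDNS servers below; confirm against the LAN layout.
DNS_FORCED=172.16.1.1
DNS_UPSTREAM_1=208.67.222.222
DNS_UPSTREAM_2=208.67.220.220

#######################################
# Print a progress line when debugging is enabled.
# Arguments: $@ - message
#######################################
dbg() {
  if [[ -n "$debug" ]]; then printf '%s\n' "$*"; fi
}

dbg "clean up existing rules to ensure a clean slate."
dbg "flush existing rules"
"$iT" -t filter -F
"$iT" -t nat -F
"$iT" -t mangle -F

dbg "delete custom chains."
"$iT" -X

dbg "set default policies."
# NOTE(review): with all three policies ACCEPT this host filters nothing; it
# only NATs and redirects DNS.  Tighten INPUT/FORWARD if eWAN faces the
# Internet.
"$iT" -P INPUT ACCEPT
"$iT" -P FORWARD ACCEPT
"$iT" -P OUTPUT ACCEPT

dbg "allow related and established to continue"
"$iT" -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

dbg "enable ip masquerade for Internet interface."
"$iT" -t nat -A POSTROUTING -o "$eWAN" -j MASQUERADE

# Force LAN DNS: rewrite every port-53 query arriving on the LAN side to
# DNS_FORCED, whatever server the client asked for.  Only plain DNS on port
# 53 is caught; these rules do not touch DNS over TLS/HTTPS.
for proto in udp tcp; do
  "$iT" -t nat -I PREROUTING -i "$eLAN" -p "$proto" --dport 53 -j DNAT --to "$DNS_FORCED"
done

# This host's own resolvers.
# NOTE(review): /etc/resolv.conf is overwritten unconditionally; where
# resolvconf/NetworkManager manage that file the change may be reverted —
# confirm how the target system manages it.
printf 'nameserver %s\nnameserver %s\n' "$DNS_UPSTREAM_1" "$DNS_UPSTREAM_2" > /etc/resolv.conf

# Rules are in place; forwarding can go back on.
echo 1 > /proc/sys/net/ipv4/ip_forward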

