iptables-firewall

This is an example of a simple Linux iptables-based router script that logs traffic.

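#!/bin/sh
#
# Simple iptables router: masquerades LAN traffic out of EXTIF, allows
# LAN-originated and established/related traffic, and logs chain traffic
# (rate-limited) under the IPTAllow* prefixes.
#
# Run as root.  Fails closed: forwarding is switched off before the rule set
# is rebuilt and only switched back on once every rule is installed, and any
# iptables error aborts the script (set -e) with forwarding still off.
#
set -eu
PATH=/usr/sbin:/sbin:/bin:/usr/bin

# Interfaces.
# NOTE(review): eth1:0 and eth1:1 are IP aliases of eth1, not separate
# devices; packets arrive on "eth1", so -i/-o matches on the alias names are
# not expected to match anything -- confirm, and prefer matching the LAN
# subnets with -s/-d if per-alias rules are really needed.
INTIF0=eth1
INTIF1=eth1:0
INTIF2=eth1:1
EXTIF=eth0

# Rate limit for the LOG rules.  Without it every packet that crosses the box
# is logged, so any remote host can fill the log partition at will.
LOG_LIMIT=10/min
LOG_BURST=20

# Stop forwarding while the rule set is replaced: between the flush below and
# the last rule the FORWARD chain would otherwise be wide open.
echo 0 > /proc/sys/net/ipv4/ip_forward

#
# delete all existing rules and user-defined chains in every table.
#
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
iptables -t nat -X
iptables -t mangle -X

# Default policies.  The "allow" rules below only mean something if whatever
# they do not match is dropped; with the policies left at ACCEPT (the kernel
# default) the box would pass all inbound and forwarded traffic regardless.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# Always accept loopback traffic
iptables -A INPUT -i lo -j ACCEPT

# Log traffic entering each chain (rate-limited).  These rules sit before the
# ACCEPT rules, so they record what arrives at the chain, not only what ends
# up accepted; the IPTAllow* prefixes are kept so existing log filters match.
iptables -A INPUT   -m limit --limit "$LOG_LIMIT" --limit-burst "$LOG_BURST" -j LOG --log-level 4 --log-prefix 'IPTAllowIN '
iptables -A OUTPUT  -m limit --limit "$LOG_LIMIT" --limit-burst "$LOG_BURST" -j LOG --log-level 4 --log-prefix 'IPTAllowOUT '
iptables -A FORWARD -m limit --limit "$LOG_LIMIT" --limit-burst "$LOG_BURST" -j LOG --log-level 4 --log-prefix 'IPTAllowFWD '

# Allow established connections, and new connections not coming from the outside
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW ! -i "$EXTIF" -j ACCEPT

# Replies to LAN-originated connections may come back in from the outside.
for lan in "$INTIF0" "$INTIF1" "$INTIF2"; do
  iptables -A FORWARD -i "$EXTIF" -o "$lan" -m state --state ESTABLISHED,RELATED -j ACCEPT
done

# Allow outgoing connections from the LAN side.
for lan in "$INTIF0" "$INTIF1" "$INTIF2"; do
  iptables -A FORWARD -i "$lan" -o "$EXTIF" -j ACCEPT
done

# Masquerade.
iptables -t nat -A POSTROUTING -o "$EXTIF" -j MASQUERADE

# Never hairpin traffic back out of the external interface.  Anything else
# arriving on EXTIF that is not a reply to a LAN connection falls through to
# the FORWARD DROP policy above.
iptables -A FORWARD -i "$EXTIF" -o "$EXTIF" -j REJECT

# Enable routing, now that the rules are in place.
echo 1 > /proc/sys/net/ipv4/ip_forward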

This is an example of a script that uses wondershaper to limit bandwidth consumption.

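#!/bin/bash
#
# Apply a wondershaper bandwidth cap to every interface listed in IFACES.
# The positional wondershaper arguments are interface, downlink, uplink in
# kbit/s (classic wondershaper syntax); the original values, 20000 down and
# 50000 up on eth1 and eth0, are kept as the defaults and can be overridden
# from the environment, e.g. `UP_RATE=10000 IFACES=eth0 ./shape.sh`.
# Run as root.
#
set -u

readonly WONDERSHAPER=/usr/sbin/wondershaper
IFACES=${IFACES:-"eth1 eth0"}
DOWN_RATE=${DOWN_RATE:-20000}
UP_RATE=${UP_RATE:-50000}

#######################################
# Reset any existing shaping on an interface, then install the new limits.
# Globals:   WONDERSHAPER, DOWN_RATE, UP_RATE (read)
# Arguments: $1 - interface name
# Outputs:   warning on stderr if the limits could not be installed
#######################################
shape_iface() {
  local dev=$1
  # "clean" complains when no qdisc is installed yet (first run); that is
  # not a failure, so its status is deliberately ignored.
  "$WONDERSHAPER" clean "$dev" || true
  "$WONDERSHAPER" "$dev" "$DOWN_RATE" "$UP_RATE" \
    || printf 'warning: wondershaper failed on %s\n' "$dev" >&2
}

# shellcheck disable=SC2086 -- IFACES is a space-separated list, split on purpose
for dev in $IFACES; do
  shape_iface "$dev"
done

#See also https://www.iplocation.net/traffic-control
# See: http://lartc.org/howto/ for lots of detail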

This is an example of a simple router script that forces LAN DNS queries to the desired DNS server.

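#!/bin/bash
#
# Simple NAT router that forces LAN DNS to one resolver: plain DNS queries
# (udp/tcp port 53) arriving on eLAN are DNAT'd to DNS_FORCED, and the
# router's own /etc/resolv.conf is pointed at the ROUTER_DNS_* servers.
# Set DEBUG=1 in the environment for progress messages.  Run as root.
#
# Fails closed: forwarding is disabled first and re-enabled only after every
# rule is installed; any iptables error aborts (set -e) with forwarding off.
#
set -eu

# Start out with no forwarding, so the box never routes while it has no rules.
echo 0 > /proc/sys/net/ipv4/ip_forward

eWAN=eth0
eLAN=eth1
iT=/sbin/iptables

# Resolver that LAN clients are forced to use (DNAT target), and the resolvers
# written to this router's own /etc/resolv.conf.
# NOTE(review): the original labels this "OPENDNS forced" yet DNATs to
# 172.16.1.1 while the router itself uses the OpenDNS addresses -- presumably
# 172.16.1.1 is a local forwarder; confirm.
DNS_FORCED=172.16.1.1
ROUTER_DNS_1=208.67.222.222
ROUTER_DNS_2=208.67.220.220

# Debug output is opt-in via the environment (the original toggled a
# hard-coded variable, leaving a dead assignment behind).
debug=${DEBUG:-}

#######################################
# Print a progress message to stderr when debugging is enabled.
# Globals:   debug (read)
# Arguments: message words
#######################################
dbg() {
  if [ -n "$debug" ]; then
    printf '%s\n' "$*" >&2
  fi
}

dbg "clean up existing rules to ensure a clean slate."
dbg "flush existing rules"
${iT} -t filter -F
${iT} -t nat -F
${iT} -t mangle -F

dbg "delete custom chains."
${iT} -X
${iT} -t nat -X
${iT} -t mangle -X

dbg "set default policies."
# NOTE(review): the router accepts and forwards everything by default; the
# only traffic this script touches is the DNS redirect below.  Confirm that
# is the intent before relying on it as a perimeter firewall.
${iT} -P INPUT ACCEPT
${iT} -P FORWARD ACCEPT
${iT} -P OUTPUT ACCEPT

dbg "allow related and established to continue"
${iT} -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

dbg "enable ip masquerade for Internet interface."
${iT} -t nat -A POSTROUTING -o "$eWAN" -j MASQUERADE

# Force LAN DNS: rewrite the destination of every plain-DNS query from the LAN.
# Only port 53 is caught; clients using DNS over TLS (853) or DNS over HTTPS
# (443) are not redirected by these rules.
# NOTE(review): if DNS_FORCED sits on the LAN segment itself, its replies go
# straight back to the client without passing this router, conntrack never
# reverses the DNAT, and the client discards the answer; a LAN-side
# SNAT/MASQUERADE for these flows would then be needed -- confirm topology.
dbg "redirect LAN DNS to ${DNS_FORCED}"
${iT} -t nat -I PREROUTING -i "${eLAN}" -p udp --dport 53 -j DNAT --to "$DNS_FORCED"
${iT} -t nat -I PREROUTING -i "${eLAN}" -p tcp --dport 53 -j DNAT --to "$DNS_FORCED"

# The router's own resolver configuration.
# NOTE(review): on hosts running resolvconf or systemd-resolved this file is
# managed and will be overwritten again -- confirm.
printf 'nameserver %s\nnameserver %s\n' "$ROUTER_DNS_1" "$ROUTER_DNS_2" > /etc/resolv.conf

# Rules are in place: enable routing.
echo 1 > /proc/sys/net/ipv4/ip_forward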