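#!/bin/sh
# **********************************
# * Koji Karasawa Aug 05 2006      *
# * Koji Karasawa Jan 18 2008      *
# **********************************
#
# Packet-filter setup for a host on a PPP uplink: default-deny INPUT and
# FORWARD, a fixed set of services permitted, everything else logged.
#
# Install:
#   chmod 700 /etc/init.d/iptables.sh
#   update-rc.d /etc/init.d/iptables.sh defaults
#
# Re-running the script rebuilds the filter chains from scratch; the user
# chain is created only when it does not exist yet.

# Abort on the first failing command. Policies are set before any rule is
# added, so an early abort leaves the host default-deny rather than open.
set -eu

IPT=/sbin/iptables

# Interface to Internet
#EXTIF=eth0
EXTIF=ppp0
ANY=0.0.0.0/0   # currently unused; kept for rules that need an explicit "any"

# Set policy (before flushing, so there is no window with an empty ACCEPT chain)
"$IPT" -P INPUT DROP
"$IPT" -P OUTPUT ACCEPT
"$IPT" -P FORWARD DROP

# Clear chain rules (filter table only; nat/mangle are not touched here)
"$IPT" -F FORWARD
"$IPT" -F INPUT
"$IPT" -F OUTPUT

# Make my rules. -N fails when the chain already exists (re-run), so only
# create it when missing; the flush empties it either way.
"$IPT" -n -L myrule >/dev/null 2>&1 || "$IPT" -N myrule
"$IPT" -F myrule

# Loopback and anti-spoofing come first: they must precede the jump into
# myrule, otherwise a packet arriving on the external link with a forged
# 127/8 source could match one of myrule's service rules before being
# dropped here. "! -i lo" is the current negation syntax ("-i ! lo" is deprecated).
"$IPT" -A INPUT -i lo -j ACCEPT
"$IPT" -A INPUT -s 127.0.0.0/8 ! -i lo -j DROP

# Hand everything else to myrule
"$IPT" -A INPUT -j myrule
"$IPT" -A FORWARD -j myrule

# Allow packets from the LAN (disabled)
#"$IPT" -A myrule -i eth1 -s 192.168.1.0/24 -j ACCEPT

# Established/related traffic for all protocols (the option is --state, not
# --stat). Replies to this host's own DNS and NTP queries are matched by
# conntrack here, so the former "--sport 53" / "--sport 123" rules are gone:
# they accepted arbitrary UDP from any sender who chose that source port.
"$IPT" -A myrule -m state --state ESTABLISHED,RELATED -j ACCEPT

# Fragments: with conntrack loaded, packets are reassembled before the filter
# table sees them, so an unconditional ACCEPT of fragments only serves as a
# way around the port rules below. Left disabled.
#"$IPT" -A myrule -f -j ACCEPT

# Inbound DNS and NTP queries (kept from the original rule set; remove these
# two if this host does not serve DNS/NTP to the outside)
"$IPT" -A myrule -p udp --dport 53 -j ACCEPT
"$IPT" -A myrule -p udp --dport 123 -j ACCEPT

# Pass SSH 22, SMTP 25, HTTP 80, POP3 110, IMAP 143, HTTPS 443
# (submission/587 was named in the old comment but never opened; add it to
# the list below only if that service is actually offered)
"$IPT" -A myrule -p tcp -m multiport --dport 22,25,80,110,143,443 -j ACCEPT

# Allow ICMP
"$IPT" -A myrule -p icmp -j ACCEPT

# Log the rest, rate-limited so a flood cannot fill the logs. myrule returns
# to the calling chain afterwards and its policy (DROP) applies.
"$IPT" -A myrule -m limit --limit 5/min -j LOG --log-prefix "iptables: "

# Do masquerading (disabled)
#"$IPT" -t nat -A POSTROUTING -o eth1 -j MASQUERADE # modified 2006.07.27
#"$IPT" -t nat -A POSTROUTING -s 192.168.0.0/255.255.255.0 -o "$EXTIF" -j MASQUERADE # modified 2006.08.03

# Clamp TCP MSS for connections forwarded out the PPP link. Uses EXTIF
# instead of a hard-coded "ppp0" so the variable at the top is authoritative.
"$IPT" -A FORWARD -o "$EXTIF" -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1413: -j TCPMSS --set-mss 1412

# Ensure IP forwarding here (only meaningful if a FORWARD/NAT rule is enabled)
sysctl -w net.ipv4.ip_forward=1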