home
> notes
>> iptables

How to set up a simple iptables based firewall. (Disclaimer: this script has not been tested at all and currently is not in use at any installation)

# IP/Network Configuration
INT_INTF="eth0"
INT_IP="192.168.47.0/24"

EXT_INTF="eth1"
EXT_INTF_IP="10.0.0.1"


# set up default policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# Block XMAS packets
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP

# Block NULL packets
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

iptables -A INPUT -i "$INT_INTF" -s \! "$INT_IP" -j DROP

iptables -A INPUT -i "$EXT_INTF" -s 192.168.0.0/16 -j DROP
iptables -A INPUT -i "$EXT_INTF" -s 172.16.0.0/12 -j DROP
iptables -A INPUT -i "$EXT_INTF" -s 10.0.0.0/8 -j DROP


# Allow new/established outgoing packets and
# established incoming packets on external network
iptables -A OUTPUT -o "$EXT_INTF" -s "$EXT_INTF_IP" \
    -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i "$EXT_INTF" -d "$EXT_INTF_IP" \
    -m state --state ESTABLISHED -j ACCEPT

# Allow established packets on internal network
iptables -A OUTPUT -o "$INT_INTF" \
    -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i "$INT_INTF" \
    -m state --state ESTABLISHED -j ACCEPT

# Allow related ICMP packets from external network
iptables -A INPUT -i "$EXT_INTF" \
    -p icmp -m state --state RELATED -j ACCEPT

# Allow related ICMP packets to internal network
iptables -A OUTPUT -o "$INT_INTF" -d "$INT_IP" \
    -p icmp -m state --state RELATED -j ACCEPT


# Allow access to our proxy services: DNS, Socks, HTTP
iptables -A INPUT -i "$INT_INTF" -p tcp --dport 53 \
    -m state --state NEW -j ACCEPT
iptables -A INPUT -i "$INT_INTF" -p udp --dport 53 \
    -m state --state NEW -j ACCEPT
iptables -A INPUT -i "$INT_INTF" -p tcp --dport 1080 \
    -m state --state NEW -j ACCEPT
iptables -A INPUT -i "$INT_INTF" -p tcp --dport 3128 \
    -m state --state NEW -j ACCEPT