All scripts in the directory /etc/network/if-up.d are run whenever
an interface comes up. Create a new script in this directory to configure the firewall for the WAN interface.
root@voyage:/etc/network/if-up.d# ls
000resolvconf  ifenslave  mountnfs  openssh-server
firewall       ip         ntpdate   wpasupplicant
This script configures the iptables firewall for the WAN interface on eth0.
root@voyage:/etc/network/if-up.d# cat firewall
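#!/bin/sh
# Firewall rules for the WAN interface. IPv4 only: this script calls
# iptables, not ip6tables, so IPv6 traffic is not filtered by it.
#
# Lives in /etc/network/if-up.d, so ifupdown runs it every time an
# interface comes up and passes the interface name in $IFACE. Flushing
# and rebuilding the whole ruleset on every event (lo, the LAN side, ...)
# is wasteful, so only act for the WAN interface. When $IFACE is unset the
# script was started by hand, and then the rules are always applied.
wan_if=eth0
if [ -n "${IFACE:-}" ] && [ "$IFACE" != "$wan_if" ]; then
  exit 0
fi

# Stop at the first failing iptables command rather than continuing with a
# half-built ruleset and then switching on forwarding.
set -e

# Delete all existing rules (start afresh)
# Chain default policies are not changed here, so traffic on interfaces
# other than $wan_if stays allowed -- the REJECT rules below only match
# packets arriving on the WAN side.
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X

# Always accept loopback traffic
iptables -A INPUT -i lo -j ACCEPT

# Allow established connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow outgoing connections
iptables -A OUTPUT -o "$wan_if" -j ACCEPT
iptables -A FORWARD -o "$wan_if" -j ACCEPT

# Allow SSH
# No -i restriction, so SSH is also reachable from the WAN side; add
# "! -i $wan_if" to this rule to limit it to the LAN when remote
# administration over the WAN is not needed.
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

# Block all other connections from the outside
iptables -A FORWARD -i "$wan_if" -j REJECT
iptables -A INPUT -i "$wan_if" -j REJECT

# NAT
iptables -t nat -A POSTROUTING -o "$wan_if" -j MASQUERADE

# Enable routing
echo 1 > /proc/sys/net/ipv4/ip_forward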