Oh Hai, I Rebuilt Your Server
October 02, 2008
Over the weekend I rebuilt my home server system with a fair bit of excitement. I'm incredibly thankful that I've finally got Linux running at home again and have nice quality hardware to route my delicious packets with. I'm aware that I've been lacking in postings lately, so I thought I would post my firewall script for sharing. Enjoy. :)
#!/bin/bash
INTERNAL=eth0
EXTERNAL=eth1
PORTS="22 80 443"
# Hosts to block in both directions (space separated); empty by default.
RESTRICTED_HOSTS=""

# Clear out existing stuff...
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain

# Default policies: drop incoming and forwarded traffic, allow outgoing...
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# Restricting hosts... (these DROP rules go first: iptables stops at the
# first matching rule, so a DROP appended after an ACCEPT is never reached)
for i in $RESTRICTED_HOSTS; do
  iptables -A INPUT -s $i -j DROP
  iptables -A OUTPUT -d $i -j DROP
  echo "Blocked all traffic to and from $i."
done

# Allowing specified ports...
for i in $PORTS; do
  iptables -A INPUT -i $EXTERNAL -p tcp --dport $i -j ACCEPT
  iptables -A INPUT -i $INTERNAL -p tcp --dport $i -j ACCEPT
  echo "Allowed incoming connections on port $i."
done

# Allow all local connections...
iptables -A INPUT -i $INTERNAL -j ACCEPT
# Allowing the loopback interface...
iptables -A INPUT -i lo -j ACCEPT

# Allowing ping: incoming echo requests, our own outgoing requests,
# and the echo replies that answer them...
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-request -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -m state --state ESTABLISHED,RELATED -j ACCEPT

# Related traffic should be OK...
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Forwarding LAN web traffic to squid (transparent proxy on port 3128)...
iptables -t nat -A PREROUTING -i $INTERNAL -p tcp --dport 80 -j REDIRECT --to-port 3128

# NAT forwarding: the LAN may open connections outwards, and only the
# replies to those connections are forwarded back in (FORWARD stays DROP)...
iptables -t nat -A POSTROUTING -o $EXTERNAL -j MASQUERADE
iptables -A FORWARD -i $INTERNAL -j ACCEPT
iptables -A FORWARD -i $EXTERNAL -m state --state ESTABLISHED,RELATED -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward
echo "SUCCESS"
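Two things are easy to get wrong in a script like this: a DROP rule appended after an ACCEPT rule in the same chain never matches (iptables stops at the first match), and a chain's default policy can silently end up as ACCEPT. The audit helper below is an added example, not code from the post; it reads the listing that iptables -S prints (here a constructed sample, with the documentation address 203.0.113.5 standing in for a restricted host) and reports shadowed DROP rules and the default policy of a chain.

```shell
#!/bin/sh
# Added audit helper (not part of the original post). Reads an `iptables -S`
# style listing on stdin and looks for two mistakes: a DROP rule that follows
# an ACCEPT rule in the same chain (unreachable, since iptables stops at the
# first match) and a chain whose default policy is not DROP.

# Constructed sample in the shape `iptables -S INPUT` prints; the restricted
# host 203.0.113.5 is a documentation address, not a real host.
SAMPLE_RULES='-P INPUT DROP
-A INPUT -i eth1 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 203.0.113.5/32 -j DROP'

# shadowed_drops CHAIN   (listing on stdin)
# Prints every DROP rule of CHAIN that comes after an ACCEPT rule of CHAIN.
# Exit status is 1 if any such rule was found, 0 otherwise.
shadowed_drops() {
  awk -v chain="$1" '
    $1 == "-A" && $2 == chain {
      target = ""
      for (i = 3; i < NF; i++) if ($i == "-j") target = $(i + 1)
      if (target == "ACCEPT") seen_accept = 1
      else if (target == "DROP" && seen_accept) { print; found = 1 }
    }
    END { if (found) exit 1 }'
}

# chain_policy CHAIN   (listing on stdin)
# Prints the default policy of CHAIN from its -P line (DROP, ACCEPT, ...).
chain_policy() {
  awk -v chain="$1" '$1 == "-P" && $2 == chain { print $3 }'
}

# Stand-alone demo on the constructed sample. On a live box, replace the
# printf with:  iptables -S INPUT | shadowed_drops INPUT
if shadowed=$(printf '%s\n' "$SAMPLE_RULES" | shadowed_drops INPUT); then
  echo "INPUT: no shadowed DROP rules"
else
  echo "INPUT: DROP rules that can never match because an ACCEPT precedes them:"
  echo "$shadowed"
fi
echo "INPUT default policy: $(printf '%s\n' "$SAMPLE_RULES" | chain_policy INPUT)"
```

On the sample listing the audit flags the restricted-host DROP, because the blanket ACCEPT on eth0 and the ESTABLISHED,RELATED rule both sit above it; moving the DROP to the top of the chain makes the report empty. The same function works for FORWARD and OUTPUT by changing the chain name.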
Tagged: Linux, Computing

Andy 2008/10/02
There's something wrong with your post. It just becomes a bunch of nonsense and incomprehensible letters after the first few sentences.
david 2008/10/04
weird lookin recipe :P