#!/bin/sh # Begin $rc_base/init.d/firewall # Insert iptables modules (not needed if built into the kernel). #modprobe ip_tables #modprobe iptable_filter #modprobe ip_conntrack #modprobe ip_conntrack_ftp #modprobe ip_conntrack_irc #modprobe ipt_state #modprobe iptable_nat #modprobe ip_nat_ftp #modprobe ipt_MASQUERADE #modprobe ipt_LOG #modprobe ipt_REJECT # Set Variables EXTIF=ppp+ INTIF=eth0 ADMIF=eth0 EXTIP=0/0 INTIP=192.168.1.0/24 ADMIP=192.168.1.0/24 WSIP=192.168.1.70 LO=127.0.0.1/32 #Flush All Rules iptables --flush iptables --flush -t nat #Set Policy to DROP iptables -P INPUT DROP iptables -P FORWARD DROP iptables -P OUTPUT DROP # allow local-only connections iptables -A INPUT -i lo -j ACCEPT iptables -A OUTPUT -o lo -j ACCEPT # allow LAN connections iptables -A INPUT -i eth0 -j ACCEPT iptables -A OUTPUT -o eth0 -j ACCEPT # permit answers on already established connections # and permit new connections related to established ones (eg active-ftp) iptables -A OUTPUT -j ACCEPT iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # allow forwarding iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A FORWARD -m state --state NEW -i ! ppp+ -j ACCEPT # do masquerading (not needed if intranet is not using private ip-addresses) iptables -t nat -A POSTROUTING -o ppp+ -j MASQUERADE # Log everything for debugging (last of all rules, but before DROP/REJECT) iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT " iptables -A FORWARD -j LOG --log-prefix "FIREWALL:FORWARD" iptables -A OUTPUT -j LOG --log-prefix "FIREWALL:OUTPUT " # be verbose on dynamic ip-addresses (not needed in case of static IP) echo 2 > /proc/sys/net/ipv4/ip_dynaddr # disable ExplicitCongestionNotification echo 0 > /proc/sys/net/ipv4/tcp_ecn # activate TCPsyncookies echo 1 > /proc/sys/net/ipv4/tcp_syncookies # activate Route-Verification = IP-Spoofing_protection for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > $f done # activate IP-Forwarding echo 1 > /proc/sys/net/ipv4/ip_forward