#!/bin/sh
#---------#---------#---------#---------#---------#---------#---------#---------
#
# title
#   simple firewall for xcl01
# author
#   idc@planetlarg.net 15/10/2007
# description
#   based on http://www.debian-administration.org/articles/23
#   Allow the internal network and the external network to talk to each other.
#   This script sets up a few rules then starts transferring IP packets. 
#   Put the script in /etc/network/if-up.d/00-firewall and make it executable. 
#   These rules hide (masquerade) the source address of any packet forwarded 
#   to the external network. Only IPv4 is filtered; ip6tables is not touched. 
#   BACKGROUND
#   The external network is actually my home network. 
#   All IPs here start with 192.168.*. It is the route to the Internet
#   The internal network is the route to the IDC.
#   This host lies to the IDC because it pretends to be the Internet. 
#   It pretends to be the Internet by using public IP addresses.
#   Internal addresses start with 200.0.0.*. Note that this is genuinely
#   allocated public address space, so it must only be used on an isolated
#   lab network: the real owners of those addresses become unreachable from it.
#   RULES
#   * Allow loopback traffic
#   * Allow established connections to return
#   * Allow requests to the external network
#   * Stop requests from the external network
#   INTERFACES
#   * eth0 - $EXTERNAL - the external network
#   * eth1 - $INTERNAL - the internal network
#
# modifications
#
#---------#---------#---------#---------#---------#---------#---------#---------
# setup
#
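PATH=/usr/sbin:/sbin:/bin:/usr/bin
EXTERNAL=eth0
INTERNAL=eth1
#
# Fail closed: set the default policies before anything is flushed or added,
# so a partially applied ruleset (e.g. an iptables error part way through)
# never leaves the host or the forwarding path wide open. Without this the
# INPUT chain below has no terminal rule and inherits the kernel default of
# ACCEPT, which would let the external network open new connections to this
# host. Host-originated traffic (OUTPUT) is not restricted by this script.
iptables -P INPUT   DROP
iptables -P FORWARD DROP
iptables -P OUTPUT  ACCEPT
#
# delete all existing rules and user-defined chains in every table
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
iptables -t nat -X
iptables -t mangle -X
# 
#   RULES
#   * Allow loopback traffic
iptables -A INPUT   -i lo -j ACCEPT
# 
#   * Allow established connections to return (to the host, and through it
#     from the external side back to the internal side).
iptables -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $EXTERNAL -o $INTERNAL -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# The command "iptables -L FORWARD -v" now displays this table. 
#--
#Chain FORWARD (policy DROP 0 packets, 0 bytes)
# pkts bytes target     prot opt in     out     source               destination
#    0     0 ACCEPT     0    --  eth0   eth1    anywhere             anywhere            state RELATED,ESTABLISHED
#--
#
#
#   * Allow requests to the external network
# New connections to this host are accepted only when they do NOT arrive on
# $EXTERNAL (i.e. from the internal network). "! -i" is the current iptables
# negation syntax; the older "-i ! eth0" form is refused by recent releases.
# New connections arriving on $EXTERNAL fall through to the INPUT DROP policy;
# add an explicit ACCEPT (e.g. for ssh) if this host must be administered
# from the external side.
iptables -A INPUT   -m state --state NEW ! -i $EXTERNAL -j ACCEPT
iptables -A FORWARD -i $INTERNAL -o $EXTERNAL -j ACCEPT
# Hide the source address of any packet sent to the external network
# (source NAT to the address of $EXTERNAL).
iptables -t nat     -A POSTROUTING -o $EXTERNAL -j MASQUERADE
#
#   * Stop requests from the external network
# Explicit REJECT (an ICMP error goes back) rather than relying on the DROP
# policy, so external clients fail immediately instead of timing out.
iptables -A FORWARD -i $EXTERNAL -o $INTERNAL -j REJECT
#
# Only now that the rules are in place, start transferring IP packets.
# IPv4 only: ip6tables and ipv6 forwarding are not configured here.
echo 1 > /proc/sys/net/ipv4/ip_forward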
#
#---------#---------#---------#---------#---------#---------#---------#---------
