simple dual-homed iptables script

From: bad_knee (bl8n8r_at_yahoo.com)
Date: 02/27/04


Date: 27 Feb 2004 08:51:18 -0800

A simple iptables script for a dual-homed box doing
NAT and acting as gateway for an internal LAN.

*Watch for line breaks from posting*

- eth0 is the external (0utside) nic
- eth1 is the internal (1nside) nic

enjoy.
bl8n8r

--------------------------8<-----------------------------------
#!/bin/sh

IPTABLES="/usr/sbin/iptables"
EXTIF="eth0"
INTIF="eth1"

# masq for hub if you're hooking up to it
setup_ip_nat()
{
   $IPTABLES -t nat -F

   # rebuild module dependencies if not already done
   # /sbin/depmod -a
   # load the netfilter modules; modprobe resolves dependencies, and stderr
   # is silenced so a module that is built into the kernel does not complain
   for mod in ip_tables ip_conntrack ip_conntrack_ftp ip_conntrack_irc \
              iptable_nat ip_nat_ftp; do
      /sbin/modprobe $mod 2>/dev/null
   done

   # forwarding enabled
   echo "1" > /proc/sys/net/ipv4/ip_forward

   $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state\
   --state ESTABLISHED,RELATED -j ACCEPT

   $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
   # log whatever falls through to the DROP policy, rate-limited so a
   # flood of unsolicited packets cannot fill the syslog
   $IPTABLES -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "

   $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
}

echo "flush"
# flush rules, set defaults
# NOTE: INPUT policy ACCEPT leaves every service listening on the gateway
# itself reachable from $EXTIF; only transit traffic (FORWARD) is filtered.
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT

echo "output"
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT

echo "forward"
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD

echo "nat"
#
# set up NAT and forwarding (called unconditionally; no "nat" command-line
# argument is checked)
#
setup_ip_nat

# SYN Cookie Protection
/bin/echo "1" > /proc/sys/net/ipv4/tcp_syncookies

# Disable response to ping
/bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all

# Disable response to broadcasts
/bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Don't accept source routed packets
/bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route

# Don't send ICMP redirects (a gateway has no reason to advertise other routers)
/bin/echo "0" > /proc/sys/net/ipv4/conf/all/send_redirects

# Disable ICMP redirect acceptance
/bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects

# Enable bad error message protection
/bin/echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

# Turn on reverse path filtering: drop packets whose source address is not
# routable back out the interface they arrived on (anti-spoofing). Leave this
# off only if the box has asymmetric routes.
for interface in /proc/sys/net/ipv4/conf/*/rp_filter; do
   /bin/echo "1" > "$interface"
done

# Log spoofed packets, source routed packets, redirect packets
/bin/echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
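A ruleset like the one above is only as good as what actually ends up in the kernel, so the check a practitioner wants is an audit of `iptables-save` and `sysctl -a` output against the intended policy: FORWARD default-deny, masquerading on the outside interface, no state-less ACCEPT from outside to inside, a LOG rule, and the /proc/sys hardening values. The script below is an added example and not part of the original post; it assumes the post's eth0/eth1 naming (overridable via EXTIF/INTIF), accepts both `-m state --state` and the newer `-m conntrack --ctstate` spellings, and the three dumps it audits are constructed inline (the first modelled on what the posted script produces, the second on a ruleset someone later loosened, the third on a box where the rp_filter loop was left commented out).

```shell
#!/bin/sh
# Added example (not from the original post): audit an iptables-save dump and
# a sysctl -a dump against the policy the posted script is meant to enforce.
# EXTIF/INTIF default to the post's eth0/eth1; all sample dumps are constructed.

EXTIF="${EXTIF:-eth0}"
INTIF="${INTIF:-eth1}"

# audit_ruleset DUMP: print one finding per line for an iptables-save file;
# always returns 0 so it can be used in pipelines.
audit_ruleset() {
    dump="$1"
    # Default-deny for transit traffic is the whole point of the FORWARD chain.
    grep -q "^:FORWARD DROP" "$dump" || echo "FORWARD policy is not DROP"
    # Without masquerading on the outside NIC, LAN traffic leaves with RFC1918 sources.
    grep -Eq "^-A POSTROUTING .*-o $EXTIF .*-j MASQUERADE" "$dump" \
        || echo "no MASQUERADE rule on $EXTIF in nat/POSTROUTING"
    # Inbound forwards must be state-qualified; a bare ACCEPT exposes the LAN.
    if grep -E "^-A FORWARD -i $EXTIF -o $INTIF " "$dump" \
            | grep -Ev -- '--state|--ctstate' | grep -q -- '-j ACCEPT'; then
        echo "unconditional ACCEPT from $EXTIF to $INTIF in FORWARD"
    fi
    # Dropped transit traffic should be logged so probes are visible.
    grep -q "^-A FORWARD .*-j LOG" "$dump" || echo "no LOG rule in FORWARD"
    # With INPUT ACCEPT the gateway's own listeners are reachable from outside.
    grep -q "^:INPUT ACCEPT" "$dump" \
        && echo "INPUT policy is ACCEPT: gateway services reachable from $EXTIF"
    return 0
}

# audit_sysctl DUMP: compare "key = value" lines (sysctl -a format) with the
# values the posted script writes under /proc/sys; always returns 0.
audit_sysctl() {
    dump="$1"
    while read -r key want; do
        have=$(awk -v k="$key" '$1 == k { print $3 }' "$dump")
        [ "$have" = "$want" ] || echo "$key is '${have:-unset}', want $want"
    done <<EOF
net.ipv4.ip_forward 1
net.ipv4.tcp_syncookies 1
net.ipv4.icmp_echo_ignore_broadcasts 1
net.ipv4.conf.all.accept_source_route 0
net.ipv4.conf.all.accept_redirects 0
net.ipv4.conf.all.send_redirects 0
net.ipv4.conf.all.rp_filter 1
net.ipv4.conf.all.log_martians 1
EOF
    return 0
}

# finding_count AUDIT_FN DUMP: number of findings (0 when clean).
finding_count() { "$1" "$2" | grep -c . || true; }

# Constructed sample 1: iptables-save output after running the posted script.
PAGE_DUMP=$(mktemp)
cat >"$PAGE_DUMP" <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -j LOG
COMMIT
EOF

# Constructed sample 2: the same box after someone "fixed" a connectivity
# problem by opening FORWARD both ways and dropping the LOG rule.
BAD_DUMP=$(mktemp)
cat >"$BAD_DUMP" <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i eth0 -o eth1 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
COMMIT
EOF

# Constructed sample 3: sysctl -a excerpt with the rp_filter loop left disabled.
SYSCTL_DUMP=$(mktemp)
cat >"$SYSCTL_DUMP" <<'EOF'
net.ipv4.ip_forward = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.icmp_echo_ignore_all = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.all.log_martians = 1
EOF
trap 'rm -f "$PAGE_DUMP" "$BAD_DUMP" "$SYSCTL_DUMP"' EXIT

echo "== ruleset as posted =="; audit_ruleset "$PAGE_DUMP"
echo "== ruleset after loosening =="; audit_ruleset "$BAD_DUMP"
echo "== sysctl =="; audit_sysctl "$SYSCTL_DUMP"
```

On a live gateway, run `iptables-save > /tmp/rules && sysctl -a > /tmp/sysctl` and point `audit_ruleset` and `audit_sysctl` at those files. The posted ruleset yields exactly one finding (the INPUT ACCEPT policy), which is a design choice to make consciously rather than a bug; the loosened ruleset yields four.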
