#!/bin/sh

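# Firewall / NAT rules for a two-interface gateway: flush everything, set a
# default-deny policy for INPUT and FORWARD, allow established/related
# traffic, publish one internal ssh server on a public address, allow ssh
# into the internal network from an admin range, and log whatever falls
# through to the DROP policy.
#
# Every address, interface and port used below is taken from the variables
# at the top so that re-addressing the gateway means editing one place.

set -eu

# Abort early with a message on stderr; leaves the partially built ruleset
# in place (default-deny) rather than silently continuing.
die() { printf '%s\n' "$*" >&2; exit 1; }

IPT="/sbin/iptables"			# Location of iptables on your system
[ -x "$IPT" ] || die "iptables not found at $IPT"

# FTP connection-tracking helper so RELATED data connections are matched.
# nf_conntrack_ftp is the current module name; ip_conntrack_ftp is the legacy one.
/sbin/modprobe nf_conntrack_ftp 2>/dev/null || /sbin/modprobe ip_conntrack_ftp \
  || die "cannot load the FTP connection-tracking module"

CONNECTION_TRACKING="1"			# not referenced below; kept for compatibility
ACCEPT_AUTH="0"				# not referenced below; kept for compatibility

EXT_INTERFACE="eth0"			# external network interface (internet)
INT_INTERFACE="eth1"			# internal network interface (servers)
LOOPBACK_INTERFACE="lo"			# however your system names it

#EXT_IPADDR="1.2.3.2"			# external ip address
#GATEWAY_IPADDR="1.2.3.1"		# gateway firewall - the router
#EXT_ADDRESSES="1.2.3.0/24"		# external ip address range
#EXT_NETWORK="1.2.3.0"			# external subnet base address
#EXT_BROADCAST="1.2.3.255"		# external broadcast address

INT_IPADDR="192.168.0.1"		# internal ip address
INT_ADDRESSES="192.168.0.0/24"		# internal ip address range
INT_NETWORK="192.168.0.0"		# internal subnet base address
INT_BROADCAST="192.168.0.255"		# internal broadcast address
INT_NETMASK="255.255.255.0"		# internal netmask

# Published service: public address/port on the outside mapped to one
# internal server (see the NAT section below).
PUBLIC_SSH_IPADDR="1.2.3.10"		# public address the ssh server is reachable on
PUBLIC_SSH_PORT="22"			# public port (and internal port) of that service
SSH_SERVER_IPADDR="192.168.0.20"	# internal server receiving the DNAT'd traffic

# Source range allowed to ssh to every internal server.
ADMIN_ADDRESSES="4.3.2.1/255.255.255.0"

# Well-known ranges, reserved for anti-spoofing rules; not referenced below.
LOOPBACK="127.0.0.0/8"
CLASS_A="10.0.0.0/8"
CLASS_B="172.16.0.0/12"
CLASS_C="192.168.0.0/16"
CLASS_D_MULTICAST="224.0.0.0/4"
CLASS_E_RESERVED_NET="240.0.0.0/5"
BROADCAST_SRC="0.0.0.0"
BROADCAST_DEST="255.255.255.255"

PRIVPORTS="0:1023"
UNPRIVPORTS="1024:65535"

# Logging is rate-limited so a flood of dropped packets cannot fill the log.
LOG_LIMIT="3/minute"
LOG_BURST="5"

############################################################################

# Remove any existing rules from all chains
$IPT --flush
$IPT -t nat --flush
$IPT -t mangle --flush
$IPT -X
$IPT -t nat -X
$IPT -t mangle -X

# Reset the default policy
$IPT --policy INPUT ACCEPT
$IPT --policy OUTPUT ACCEPT
$IPT --policy FORWARD ACCEPT
$IPT -t nat --policy PREROUTING ACCEPT
$IPT -t nat --policy OUTPUT ACCEPT
$IPT -t nat --policy POSTROUTING ACCEPT
$IPT -t mangle --policy PREROUTING ACCEPT
$IPT -t mangle --policy OUTPUT ACCEPT

# Unlimited traffic on the loopback interface
$IPT -A INPUT -i "$LOOPBACK_INTERFACE" -j ACCEPT
$IPT -A OUTPUT -o "$LOOPBACK_INTERFACE" -j ACCEPT

# Set the default policy to drop
$IPT --policy INPUT DROP
$IPT --policy FORWARD DROP

# Locally generated traffic is allowed out unconditionally.
$IPT --policy OUTPUT ACCEPT

# Anything belonging to an already accepted connection (or related to one,
# e.g. FTP data) is allowed in every direction.
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

############################################################################
# NAT rules <external ip:port> to <internal server:port> mapping

# Rewrite the destination of new ssh connections arriving on the external
# interface for the public address, then let only those NEW connections
# through FORWARD towards the internal interface.
$IPT -t nat -A PREROUTING -i "$EXT_INTERFACE" -p tcp --sport "$UNPRIVPORTS" \
  -d "$PUBLIC_SSH_IPADDR" --dport "$PUBLIC_SSH_PORT" \
  -j DNAT --to-destination "$SSH_SERVER_IPADDR"
$IPT -A FORWARD -i "$EXT_INTERFACE" -o "$INT_INTERFACE" -p tcp --sport "$UNPRIVPORTS" \
  -d "$SSH_SERVER_IPADDR" --dport "$PUBLIC_SSH_PORT" -m state --state NEW -j ACCEPT

# Replies and outbound connections from that server leave with the public address.
$IPT -t nat -A POSTROUTING -o "$EXT_INTERFACE" -p tcp -s "$SSH_SERVER_IPADDR" \
  -j SNAT --to "$PUBLIC_SSH_IPADDR"

############################################################################
# Allow ssh access to all servers from these networks
$IPT -A FORWARD -s "$ADMIN_ADDRESSES" -d "$INT_ADDRESSES" -p tcp -m tcp --dport 22 -j ACCEPT

############################################################################
# The single generic FORWARD rule pair for outgoing connections is repeated here:
$IPT -A FORWARD -i "$EXT_INTERFACE" -o "$INT_INTERFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i "$INT_INTERFACE" -o "$EXT_INTERFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT

############################################################################
# Logging Dropped Packets
#
# These rules sit last in their chains, so everything that reaches them is
# about to hit the chain policy. Each rule carries a prefix naming the chain
# and direction so log lines can be attributed, and is rate-limited.

$IPT -A INPUT -i "$INT_INTERFACE" -m limit --limit "$LOG_LIMIT" --limit-burst "$LOG_BURST" \
  -j LOG --log-prefix "fw INPUT int: "
$IPT -A OUTPUT -o "$INT_INTERFACE" -m limit --limit "$LOG_LIMIT" --limit-burst "$LOG_BURST" \
  -j LOG --log-prefix "fw OUTPUT int: "
$IPT -A FORWARD -i "$INT_INTERFACE" -o "$EXT_INTERFACE" -m limit --limit "$LOG_LIMIT" --limit-burst "$LOG_BURST" \
  -j LOG --log-prefix "fw FORWARD int->ext: "
$IPT -A FORWARD -i "$EXT_INTERFACE" -o "$INT_INTERFACE" -m limit --limit "$LOG_LIMIT" --limit-burst "$LOG_BURST" \
  -j LOG --log-prefix "fw FORWARD ext->int: "

exit 0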
