Networking Forums

simple dual-homed iptables script

 
 
bad_knee
Guest
Posts: n/a

 
      02-27-2004, 03:51 PM
a simple iptables script for a dual-homed box doing
NAT and acting as gateway for internal lan.

*Watch for line breaks from posting*

- eth0 is the external (0utside) nic
- eth1 is the internal (1nside) nic

enjoy.
bl8n8r

--------------------------8<-----------------------------------
#!/bin/sh

IPTABLES="/usr/sbin/iptables"
EXTIF="eth0"
INTIF="eth1"

# masq for hub if you're hooking up to it
setup_ip_nat()
{
$IPTABLES -t nat -F

# rebuild module dependencies if not already done
# /sbin/depmod -a
# (modprobe would load these and resolve their dependencies in one step)
/sbin/insmod ip_tables
/sbin/insmod ip_conntrack
/sbin/insmod ip_conntrack_ftp
/sbin/insmod ip_conntrack_irc
/sbin/insmod iptable_nat
/sbin/insmod ip_nat_ftp

# forwarding enabled
echo "1" > /proc/sys/net/ipv4/ip_forward

# replies to connections opened from the inside are allowed back in
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT

# anything from the inside may go out
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
# everything else falls through to the FORWARD DROP policy; log it first
$IPTABLES -A FORWARD -j LOG

# rewrite the source of outgoing packets to the external interface's address
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
}

echo "flush"
# flush rules, set defaults
# (INPUT and OUTPUT are left open; only FORWARD is default-deny)
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT

echo "output"
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT

echo "forward"
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD


echo "nat"
#
# set up forwarding and masquerading
# (called unconditionally; no "nat" command-line argument is checked)
#
setup_ip_nat


# SYN Cookie Protection
/bin/echo "1" > /proc/sys/net/ipv4/tcp_syncookies

# Disable response to ping
/bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all

# Disable response to broadcasts
/bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Don't accept source routed packets
/bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route

# Don't send ICMP redirects
/bin/echo "0" > /proc/sys/net/ipv4/conf/all/send_redirects

# Disable ICMP redirect acceptance
/bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects

# Enable bad error message protection
/bin/echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

# Turn on reverse path filtering (left commented out here; uncomment to enable)
# for interface in /proc/sys/net/ipv4/conf/*/rp_filter; do
#     /bin/echo "1" > "$interface"
# done

# Log spoofed packets, source routed packets, redirect packets
/bin/echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
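The following is an added example, not part of bad_knee's post. It builds the same dual-homed NAT ruleset as a shell function that can be previewed before it touches the kernel: IPTABLES defaults to "echo", so running the file prints the commands, and setting IPTABLES=/usr/sbin/iptables as root applies them. The interface names and the 192.168.1.0/24 LAN prefix are assumptions for illustration. It goes a little beyond the posted script: MASQUERADE and the inside-to-outside rule are limited to LAN source addresses, LAN addresses arriving on the external interface are dropped, INPUT is default-deny with loopback, established traffic and LAN ssh allowed, the FORWARD log rule is rate limited, and the rp_filter loop writes to each interface file rather than to a literal name.

```shell
#!/bin/sh
# Added example (not from the original post): preview-able NAT gateway rules.
# Assumptions: eth0 outside, eth1 inside, LAN is 192.168.1.0/24.
EXTIF="eth0"
INTIF="eth1"
LAN="192.168.1.0/24"
IPTABLES="${IPTABLES:-echo}"   # "echo" = dry run; set to the iptables path to apply

# Emit (or apply) the firewall rules, one $IPTABLES call per rule.
build_rules() {
    $IPTABLES -F
    $IPTABLES -t nat -F
    $IPTABLES -X

    # default-deny on INPUT and FORWARD; the box's own outbound traffic is allowed
    $IPTABLES -P INPUT DROP
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -P FORWARD DROP

    # the gateway itself: loopback, replies, and ssh from the LAN side only
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A INPUT -i "$INTIF" -s "$LAN" -p tcp --dport 22 -j ACCEPT

    # packets claiming a LAN source but arriving from outside are spoofed
    $IPTABLES -A FORWARD -i "$EXTIF" -s "$LAN" -j DROP
    # replies to connections opened from the inside
    $IPTABLES -A FORWARD -i "$EXTIF" -o "$INTIF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # LAN hosts may go out; anything else is logged (rate limited) and dropped
    $IPTABLES -A FORWARD -i "$INTIF" -o "$EXTIF" -s "$LAN" -j ACCEPT
    $IPTABLES -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FORWARD drop: "

    # masquerade only traffic that really comes from the LAN
    $IPTABLES -t nat -A POSTROUTING -s "$LAN" -o "$EXTIF" -j MASQUERADE
}

# Count the "-A <chain>" rules a dry run would add; handy as a sanity check
# before applying (the subshell keeps IPTABLES=echo local to this call).
count_rules() {
    (IPTABLES=echo; build_rules) | grep -c -- "-A $1 "
}

# Kernel hardening from the posted script, with the rp_filter loop corrected
# to write to each interface's file. "$1" = apply writes; anything else prints.
harden_sysctl() {
    for f in /proc/sys/net/ipv4/ip_forward \
             /proc/sys/net/ipv4/tcp_syncookies \
             /proc/sys/net/ipv4/conf/all/log_martians \
             /proc/sys/net/ipv4/conf/*/rp_filter; do
        if [ "$1" = apply ]; then echo 1 > "$f"; else echo "$f = 1"; fi
    done
}

# Dry run by default: show what would be done so it can be reviewed first.
build_rules
if [ "$IPTABLES" = echo ]; then harden_sysctl print; else harden_sysctl apply; fi
```

Run it once without arguments to read the rule list, then `IPTABLES=/usr/sbin/iptables sh gateway.sh` as root to apply; `count_rules FORWARD` should report 4 before and after.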