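#!/usr/bin/env bash
# NAT gateway firewall (first posting, with its "FIXME" resolved).
# Original author (forum post): Coenraad Loubser.
#
# Chain layout: one user chain, "block", is jumped to from INPUT and FORWARD:
#   - replies to tracked connections are accepted (conntrack),
#   - new connections are accepted from every interface except the WAN,
#   - the listed WAN services and the UDP port-forward are accepted explicitly,
#   - everything else is logged (rate-limited) and dropped.
# Afterwards IPv4 forwarding is enabled, LAN traffic leaving via the WAN is
# masqueraded, LAN web traffic is transparently redirected to a local proxy,
# and UDP 27001 from the WAN is forwarded to an internal host.
#
# Defects fixed relative to the original:
#   - "allowport=80" was never turned into a rule (the FIXME); the second
#     posting by the same author opens 80, so it is opened here.
#   - The DNAT for UDP 27001 was active but its FORWARD accept was commented
#     out, so forwarded packets fell straight into LOG/DROP. The accept now
#     sits inside "block" ahead of the drop. Appending it to FORWARD after
#     "-j block" would be unreachable for WAN packets, since "block" ends in
#     an unconditional DROP.
#   - Masquerading hard-coded ppp0 instead of using $inet.
#   - "-i ! ppp0" (intrapositioned negation) is deprecated; "! -i" is used.
#   - The LOG rule had no rate limit, so a flood from the WAN could fill syslog.
#
# Must run as root. IPv4 only: ip6tables is not configured, so an IPv6
# address on this host is not protected by these rules.
set -euo pipefail

# The original mixed /sbin/iptables and bare iptables; pin PATH so both
# resolve from cron or an init script with a minimal environment.
export PATH="/sbin:/usr/sbin:${PATH}"

inet=ppp0        # WAN (PPP) interface
lan=br0          # LAN bridge used for the transparent proxy
proxy_port=3128  # local proxy that LAN web traffic is redirected to

# TCP services the Internet may reach on this host.
wan_tcp_ports=(80)

# Optional trusted network given unrestricted access from the WAN
# (marked untested in the original); leave empty to disable.
friendlynet=

# UDP port(s) forwarded from the WAN to a LAN host ("a:b" ranges work).
fwd_ports=27001
fwd_dest=192.168.0.4

die() { printf '%s\n' "$*" >&2; exit 1; }
[[ ${EUID} -eq 0 ]] || die "this script must run as root"
command -v iptables >/dev/null || die "iptables not found"

echo "Flushing tables..."
# Default-deny before flushing so the flush does not leave a fully open
# window. "block" ends in DROP anyway, so this does not change what is
# allowed once the rules are loaded.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -t nat -F
iptables -F
iptables -X   # remove "block" from a previous run so -N below succeeds

echo "Activating Firewall..."
iptables -N block
iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A block -m state --state NEW ! -i "${inet}" -j ACCEPT
# Loopback stays fully open (needed now that the policies are DROP).
iptables -A block -i lo -j ACCEPT

if [[ -n "${friendlynet}" ]]; then
  echo "Allowing ${friendlynet} full incoming access..."
  iptables -A block -s "${friendlynet}" -j ACCEPT
fi

for port in "${wan_tcp_ports[@]}"; do
  echo "Allowing incoming connections on port ${port}..."
  iptables -A block -p tcp -i "${inet}" --dport "${port}" -j ACCEPT
done

# Accept for the port-forward; must precede the LOG/DROP below.
iptables -A block -p udp -i "${inet}" --dport "${fwd_ports}" -d "${fwd_dest}" -j ACCEPT

# Rate-limited logging of what is about to be dropped.
iptables -A block -m limit --limit 5/min --limit-burst 10 \
  -j LOG --log-prefix "fw-drop: "
iptables -A block -j DROP
iptables -A INPUT -j block
iptables -A FORWARD -j block

echo "Enabling IP Forwarding..."
echo 1 > /proc/sys/net/ipv4/ip_forward

echo "Activating Masquerading..."
iptables -t nat -A POSTROUTING -o "${inet}" -j MASQUERADE

echo "Activating Transparent Proxying..."
iptables -t nat -A PREROUTING -i "${lan}" -p tcp --dport 80 \
  -j REDIRECT --to-port "${proxy_port}"

echo "Forwarding udp ports ${fwd_ports} to ${fwd_dest}..."
iptables -t nat -A PREROUTING -i "${inet}" -p udp --dport "${fwd_ports}" \
  -j DNAT --to-destination "${fwd_dest}"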
Hey, it may not be the most elegant solution, but it works!
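#!/usr/bin/env bash
# Second posting: a server connected via ADSL that acts as gateway, web
# server, mail server, proxy and NAT firewall for the LAN behind it.
#
# Chain layout: a user chain "block" is jumped to from INPUT and FORWARD and
#   - accepts replies to tracked connections,
#   - accepts new connections from every interface except the WAN,
#   - accepts the listed TCP services from the WAN,
#   - drops whatever arrived on the WAN and matched nothing above.
# Forwarding, masquerading and transparent proxying of LAN web traffic are
# then enabled; the UDP port-forward stays disabled, as in the original.
#
# Caveats a reviewer would want on record:
#   - Only 80/443/22 are opened on the WAN although the post describes a
#     mail server; SMTP/IMAP are reachable only from the LAN unless added.
#   - SSH is exposed to the Internet with no rate limit; consider adding
#     "-m limit --limit 6/min --limit-burst 6" to its accept rule, or
#     key-only authentication in sshd_config.
#   - Unlike the original, packets from non-WAN interfaces that are neither
#     NEW nor part of a tracked connection are now dropped by the default
#     policy instead of being accepted.
#   - IPv4 only: ip6tables is not configured, so an IPv6 address on this
#     host is not protected by these rules.
set -euo pipefail

# Pin PATH so iptables resolves from cron or an init script.
export PATH="/sbin:/usr/sbin:${PATH}"

inet=ppp0        # WAN (PPP) interface
lan=br0          # LAN bridge used for the transparent proxy
proxy_port=3128  # local proxy that LAN web traffic is redirected to

# TCP services the Internet may reach on this host.
wan_tcp_ports=(80 443 22)

# Optional trusted network given unrestricted access from the WAN
# (marked untested in the original); leave empty to disable.
friendlynet=

# Optional UDP port-forward from the WAN to a LAN host (the original
# carried commented-out examples such as 27001 -> 192.168.0.95).
# Both empty means disabled.
fwd_ports=
fwd_dest=

# Set to 1 to log dropped WAN packets (rate-limited); off in the original.
log_drops=0

die() { printf '%s\n' "$*" >&2; exit 1; }
[[ ${EUID} -eq 0 ]] || die "this script must run as root"
command -v iptables >/dev/null || die "iptables not found"

echo "Flushing tables..."
# Default-deny before flushing so there is no fully open window while the
# rules are rebuilt.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -t nat -F
iptables -F
iptables -X   # remove "block" from a previous run so -N below succeeds

echo "Activating Firewall..."
iptables -N block
iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
# "! -i" replaces the deprecated "-i ! ppp0" spelling.
iptables -A block -m state --state NEW ! -i "${inet}" -j ACCEPT

for allowin in "${wan_tcp_ports[@]}"; do
  echo "Allowing port ${allowin} tcp incoming access..."
  iptables -A block -p tcp -i "${inet}" --dport "${allowin}" -j ACCEPT
done

if [[ -n "${friendlynet}" ]]; then
  echo "Allowing ${friendlynet} full incoming access..."
  iptables -A block -s "${friendlynet}" -j ACCEPT
fi

if [[ -n "${fwd_ports}" && -n "${fwd_dest}" ]]; then
  # The accept must precede the drop below. The original's commented-out
  # version was appended to FORWARD after "-j block", where WAN packets
  # never arrive because "block" drops them first.
  iptables -A block -p udp -i "${inet}" --dport "${fwd_ports}" -d "${fwd_dest}" -j ACCEPT
fi

if (( log_drops )); then
  iptables -A block -i "${inet}" -m limit --limit 5/min --limit-burst 10 \
    -j LOG --log-prefix "fw-drop: "
fi
iptables -A block -i "${inet}" -j DROP

# Loopback must stay fully open; placed ahead of the jump into "block".
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -j block
iptables -A FORWARD -j block

echo "Enabling IP Forwarding..."
echo 1 > /proc/sys/net/ipv4/ip_forward

echo "Activating Masquerading..."
# Same variable as the filter rules (the original hard-coded ppp0 here).
iptables -t nat -A POSTROUTING -o "${inet}" -j MASQUERADE

echo "Activating Transparent Proxying..."
iptables -t nat -A PREROUTING -i "${lan}" -p tcp --dport 80 \
  -j REDIRECT --to-port "${proxy_port}"

if [[ -n "${fwd_ports}" && -n "${fwd_dest}" ]]; then
  echo "Forwarding udp ports ${fwd_ports} to ${fwd_dest}..."
  iptables -t nat -A PREROUTING -i "${inet}" -p udp --dport "${fwd_ports}" \
    -j DNAT --to-destination "${fwd_dest}"
fi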