Dev/Host/Firewall
Principle
Script header
### BEGIN INIT INFO
# Provides:          firewall
# Required-Start:    $remote_fs $syslog
# Required-Stop:     $remote_fs $syslog
# Default-Start:     2 3 4 5
# Default-Stop:
# Short-Description: Personal iptables setup
### END INIT INFO
Structure
#! /bin/sh
### Add init info here ###

PATH=/sbin:/bin

### Add "includes" (sourced scripts) ###

do_start () {
    ### Add "start" content here ###
    echo "Firewall configured."
    exit
}

case "$1" in
    start|""|restart|reload|force-reload)
        do_start
        ;;
    stop)
        # No-op
        ;;
    *)
        echo "Usage: $0 [start|stop]" >&2
        exit 3
        ;;
esac
IPv4: basics
# IPv4 security
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -P INPUT DROP
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
IPv6: basics
# IPv6 security
ip6tables -F
ip6tables -X
ip6tables -P INPUT DROP
ip6tables -P FORWARD ACCEPT
ip6tables -P OUTPUT ACCEPT
ip6tables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
ip6tables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
More configuration
Allow everything on localhost
iptables -I INPUT -i lo -j ACCEPT
iptables -I OUTPUT -o lo -j ACCEPT
Allow Ping
iptables -A INPUT -p icmp -j ACCEPT
Need SSH access?
iptables -A INPUT -p tcp --dport 22 -d 192.168.1.2/32 -j ACCEPT
(Change the port and the IP address to suit your needs.)
IPv4 NAT
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth4 -j MASQUERADE
And add NAT redirections
# Web: to local web server
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport http -j DNAT --to 192.168.2.6:80
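The fragments above are meant to be pasted into the "start" section of the skeleton script. The following is an added example, not the wiki page's own script: it assembles those fragments into one init-style do_start, wrapped in a run helper with a DRY_RUN switch that prints each command instead of executing it, so the complete rule set can be reviewed (and tested) on a machine without root or iptables. The interface names, the LAN-side address for SSH and the environment-variable names are assumptions; only the addresses, ports and rules that appear on the page are taken from it.

```shell
#!/bin/sh
# Added example, not the page's own script: the page's fragments assembled into
# one do_start with a dry-run mode. Interface names and variable names are assumed.

WAN_IF="${WAN_IF:-eth1}"                       # assumed upstream interface (masqueraded)
SSH_PORT="${SSH_PORT:-22}"                     # page's example port
SSH_TO="${SSH_TO:-192.168.1.2/32}"             # page's example address (-d = local address SSH is reached on)
WEB_SERVER="${WEB_SERVER:-192.168.2.6:80}"     # page's DNAT target
DRY_RUN="${DRY_RUN:-0}"                        # 1 = print commands instead of running them

# Run a command, or print it verbatim when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Flush and delete user chains in both stacks so "start" is idempotent (page: IPv4/IPv6 basics).
reset_tables() {
    run iptables -F
    run iptables -X
    run iptables -t nat -F
    run iptables -t nat -X
    run ip6tables -F
    run ip6tables -X
}

# Default policies: drop unsolicited inbound, allow outbound and forwarding,
# then let replies to our own connections back in.
set_policies() {
    for t in iptables ip6tables; do
        run "$t" -P INPUT DROP
        run "$t" -P FORWARD ACCEPT
        run "$t" -P OUTPUT ACCEPT
        run "$t" -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
        run "$t" -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    done
}

# Page's "More configuration": loopback, ping, SSH only towards one local address.
allow_services() {
    run iptables -I INPUT -i lo -j ACCEPT
    run iptables -I OUTPUT -o lo -j ACCEPT
    run iptables -A INPUT -p icmp -j ACCEPT
    run iptables -A INPUT -p tcp --dport "$SSH_PORT" -d "$SSH_TO" -j ACCEPT
}

# Page's "IPv4 NAT": enable forwarding, masquerade on the WAN side, redirect inbound http.
setup_nat() {
    # Equivalent of the page's: echo 1 > /proc/sys/net/ipv4/ip_forward
    run sysctl -q -w net.ipv4.ip_forward=1
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
    run iptables -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport http -j DNAT --to "$WEB_SERVER"
}

do_start() {
    reset_tables
    set_policies
    allow_services
    setup_nat
    [ "$DRY_RUN" = "1" ] || echo "Firewall configured."
}

# Init-style dispatch. With no argument the file only defines its functions, so it
# can be sourced for a dry-run review:  . ./firewall; DRY_RUN=1 do_start
if [ $# -gt 0 ]; then
    case "$1" in
        start|restart|reload|force-reload) do_start ;;
        stop) ;;   # no-op, as on the page: the DROP policy stays in place
        *) echo "Usage: $0 [start|stop]" >&2; exit 3 ;;
    esac
fi
```

Reviewing the dry-run output before applying is worth the habit: because the INPUT policy is DROP, any rule that is missing or mis-ordered (for example the SSH rule placed before the flush, or `-d` set to the client's address instead of the local one) locks you out of a remote host as soon as "start" runs.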