Please check my work. I'm missing something (iptables)
[code]PATH=/usr/sbin:/sbin:/bin:/usr/bin

# Setting interface variables
WAN="eth0"
LAN="eth1"

#
# delete all existing rules.
#
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X

# Layer 4 state checking
iptables -N state-checking
iptables -A state-checking -m state --state INVALID -j DROP
iptables -A state-checking -p tcp -m tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j DROP
iptables -A state-checking -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
iptables -A state-checking -p udp -m udp -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A state-checking -p tcp -m tcp -m state --state RELATED,ESTABLISHED -j ACCEPT

#
# Some ip range checking
#
iptables -N local-only
iptables -A local-only -i lo -j ACCEPT
iptables -A local-only -i $LAN -s 192.168.0.0/24 -j ACCEPT
iptables -A local-only -i $LAN -d 192.168.0.0/24 -j ACCEPT
iptables -A local-only -i $WAN -s 0.0.0.0/8 -j DROP
iptables -A local-only -i $WAN -s 127.0.0.0/8 -j DROP
iptables -A local-only -i $WAN -s 10.0.0.0/8 -j DROP
iptables -A local-only -i $WAN -s 169.254.0.0/16 -j DROP
iptables -A local-only -i $WAN -s 172.16.0.0/12 -j DROP
iptables -A local-only -i $WAN -s 192.0.2.0/24 -j DROP
iptables -A local-only -i $WAN -s 192.168.0.0/16 -j DROP
iptables -A local-only -i $WAN -s 224.0.0.0/3 -j DROP

#
# Network Address Translation
#
# Enable routing.
echo 1 > /proc/sys/net/ipv4/ip_forward
# Allow outgoing connections from the LAN side.
iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT
# Masquerade.
iptables -t nat -A POSTROUTING -o $LAN -j MASQUERADE
# Don't forward from the outside to the inside.
iptables -A FORWARD -i $WAN -o $LAN -j DROP

iptables -P INPUT DROP
iptables -A INPUT -j state-checking
iptables -A INPUT -j local-only
iptables -P FORWARD DROP
iptables -A FORWARD -j state-checking
iptables -A FORWARD -j local-only
iptables -A FORWARD -i $LAN -j ACCEPT

# Bringing up interfaces
dhclient $WAN
ifconfig $LAN 192.168.0.254/24

# Setting up DNS
echo "nameserver 208.67.222.222" > /etc/resolv.conf
echo "nameserver 208.67.220.220" >> /etc/resolv.conf
echo "nameserver 8.8.8.8" >> /etc/resolv.conf
echo "nameserver 8.8.4.4" >> /etc/resolv.conf[/code]
Thinking
[code]# Masquerade.
iptables -t nat -A POSTROUTING -o $LAN -j MASQUERADE[/code]
should become
[code]# Masquerade.
iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE[/code]
You're right about the MASQUERADE rule; it needs to match traffic exiting the WAN interface.
Please use [code][/code] tags around code, scripts, logs etc. as it greatly improves readability.
Also, the "-i lo -j ACCEPT" rule really, really, REALLY needs to be at the top of the INPUT chain, and not in a user-defined chain called further down the line.
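An added example, not the original poster's script or either reply's code: it applies the two fixes raised in this thread (loopback ACCEPT as the first INPUT rule, MASQUERADE on the WAN side) and adds an audit function that checks an iptables-save dump for exactly those two points. Interface names eth0/eth1 are assumed as in the posted script, and the two dumps inside are constructed for offline checking.

```shell
#!/bin/sh
# Added example, not the original poster's script: applies the two fixes raised in
# the thread (loopback ACCEPT first in INPUT, MASQUERADE on the WAN side) and
# audits an iptables-save dump for exactly those two points.
WAN="${WAN:-eth0}"   # interface names assumed as in the posted script
LAN="${LAN:-eth1}"

apply_firewall() {   # run as root; only the rules relevant to the thread
    iptables -F; iptables -t nat -F; iptables -X
    iptables -P INPUT DROP; iptables -P FORWARD DROP
    # Loopback first: no later rule or sub-chain can drop local traffic by accident.
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -i "$LAN" -s 192.168.0.0/24 -j ACCEPT
    iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -i "$LAN" -o "$WAN" -j ACCEPT
    # Masquerade on the interface packets leave through, i.e. the WAN.
    iptables -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
}

# audit_rules: reads an iptables-save dump on stdin; prints OK and returns 0 only
# if the first INPUT rule accepts -i lo and MASQUERADE is on $WAN, not $LAN.
audit_rules() {
    dump=$(cat)
    first=$(printf '%s\n' "$dump" | grep '^-A INPUT ' | head -n 1)
    case "$first" in
        *"-i lo -j ACCEPT"*) ;;
        *) echo "FAIL: loopback ACCEPT is not the first INPUT rule" >&2; return 1 ;;
    esac
    if printf '%s\n' "$dump" | grep -q "^-A POSTROUTING -o $LAN -j MASQUERADE"; then
        echo "FAIL: MASQUERADE is on $LAN; it belongs on $WAN" >&2; return 2
    fi
    printf '%s\n' "$dump" | grep -q "^-A POSTROUTING -o $WAN -j MASQUERADE" \
        || { echo "FAIL: no MASQUERADE rule on $WAN" >&2; return 3; }
    echo "OK"
}

# Constructed dumps for offline checking (not captured from a real host).
bad_dump() {   # mirrors the posted script: lo in a sub-chain, MASQUERADE on LAN
    printf '%s\n' '*nat' '-A POSTROUTING -o eth1 -j MASQUERADE' 'COMMIT' \
        '*filter' ':INPUT DROP [0:0]' '-A INPUT -j state-checking' \
        '-A INPUT -j local-only' '-A local-only -i lo -j ACCEPT' 'COMMIT'
}
good_dump() {
    printf '%s\n' '*nat' '-A POSTROUTING -o eth0 -j MASQUERADE' 'COMMIT' \
        '*filter' ':INPUT DROP [0:0]' '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT' 'COMMIT'
}
```

On a live router, `iptables-save | audit_rules` checks the running ruleset the same way; `bad_dump | audit_rules` reproduces the thread's complaint against the posted script.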