root@debian:~# /etc/init.d/zablah
iptables v1.4.14: unknown option "INPUT"
Try `iptables -h' or 'iptables --help' for more information.
Code:
### BEGIN INIT INFO
# Provides: iptables
# Required-Start: $remote_fs $syslog
# Required-Stop: $remote_fs $syslog
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Example initscript
# Description: This file should be used to start iptables
# placed in /etc/init.d.
### END INIT INFO
#!/bin/sh
# squid server IP
SQUID_SERVER="172.192.111.100"
# Interface connected to Internet
INTERNET="eth0"
# Interface connected to LAN
LAN_IN="eth1"
# Squid port
SQUID_PORT="3128"
# DO NOT MODIFY BELOW
# Clean old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# Load IPTABLES modules for NAT and IP conntrack support
modprobe ip_conntrack
modprobe ip_conntrack_ftp
# For win xp ftp client
#modprobe ip_nat_ftp
echo 1 > /proc/sys/net/ipv4/ip_forward
# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow UDP, DNS and Passive FTP
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# set this system as a router for Rest of LAN
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables --append FORWARD --in-interface eth1 -j ACCEPT
# unlimited access to LAN
iptables -A INPUT -eth0 -j ACCEPT
iptables -A OUTPUT -o eth0 -j ACCEPT
# DNAT port 80 request comming from LAN systems to squid 3128 ($SQUID_PORT) aka transparent proxy
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 172.192.111.100:3128
# if it is same system
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
# DROP everything and Log it
#iptables -A INPUT -i $LAN_IN -p tcp --destination-port 80 -j DROP
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP