Hi Guys,
I have started a small project where I am building a Linux firewall/router from the ground up.
PLEASE NOTE: I am not interested in the pre-built distros (pfSense, ClearOS, etc.). I am doing this from scratch, as I want to learn how the system works and what it does, so I am in control.
OK, anyway, the distro I am using is Debian. I have pppoeconf working with my bridged modem. I have dnsmasq working, where it gives out IP addresses and DNS.
Now I am working on the iptables rules for the firewall and port forwarding. I have found a few basic scripts, which I have put together to get some functionality, and will be using these as a base.
Can I please get some advice on whether this looks OK or if I need to change it?
I have added a port forward as well, to test and see if I have it working (and understand it).
Advice is appreciated.
Thanks.
Code:
#!/bin/bash
#
# EXTIF - WAN interface
# INTIF - LAN interface
#
# net.ipv4.ip_forward=1 must be set in /etc/sysctl.conf (or with
# "sysctl -w net.ipv4.ip_forward=1") so the kernel forwards packets
# between the two interfaces; iptables itself does not turn routing on.
#
# Define network interfaces
#
# With pppoeconf the PPPoE link is its own interface (normally ppp0), and
# that is where iptables sees the WAN IP packets, not on the Ethernet port
# the modem is plugged into. EXTIF has to be that interface.
EXTIF="eth0"
INTIF="eth1"
#
# Flush existing iptables entries and set the default policies:
# INPUT/OUTPUT default to ACCEPT, FORWARD defaults to DROP so only
# traffic explicitly allowed below is routed.
iptables -P INPUT ACCEPT
iptables -F INPUT
iptables -P OUTPUT ACCEPT
iptables -F OUTPUT
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -t nat -F
#
# Allow all outbound traffic from the LAN and only allow established and
# related connections back in from the WAN
iptables -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
# LOG is non-terminating: anything not matched above is logged and then
# carries on down the chain, so the port-forward rules appended further
# down still get to ACCEPT it; everything else hits the DROP policy.
iptables -A FORWARD -j LOG
#
# Masquerade NAT functionality on $EXTIF
iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
#
# Replies to connections the router itself opened (upstream DNS lookups
# from dnsmasq, apt, NTP) must be let back in, otherwise the final
# "-i $EXTIF -j DROP" rule below discards them.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# Allows ssh inbound connections (on every interface, WAN included;
# add "-i $INTIF" to accept ssh from the LAN only)
iptables -A INPUT -p tcp --dport ssh -j ACCEPT
#
# Ping (accepted on all interfaces, EXTIF included)
iptables -A INPUT -p icmp -j ACCEPT
#
# Allows lo interface to work
iptables -A INPUT -i lo -j ACCEPT
#
# Default DROP for anything else arriving on the WAN interface
iptables -A INPUT -i $EXTIF -j DROP
#
# PORT FORWARDS
#
# RDP: rewrite the destination in nat/PREROUTING, then allow the rewritten
# packet through FORWARD. The FORWARD rule sees the post-DNAT address,
# which is why it matches on the LAN IP rather than the WAN IP.
iptables -t nat -A PREROUTING -i $EXTIF -p tcp --dport 3389 -j DNAT --to 192.168.2.110:3389
iptables -A FORWARD -p tcp -d 192.168.2.110 --dport 3389 -j ACCEPT
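As an added example (not code from the original post): a small helper that builds the two rules a port forward needs, the nat/PREROUTING DNAT and its FORWARD accept, and refuses bad input before touching the firewall. It prints the commands by default (DRY_RUN=1) so it can be tried without root; ppp0 as the PPPoE WAN interface is an assumption.

```shell
#!/bin/sh
# Added example, not from the original post: emits the nat/PREROUTING DNAT
# rule and the matching FORWARD rule for one port forward after validating
# the inputs. DRY_RUN=1 (default) prints the commands instead of running
# them; DRY_RUN=0 executes them (needs root).
DRY_RUN="${DRY_RUN:-1}"

run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# A port is a plain decimal number between 1 and 65535.
valid_port() {
  case "$1" in ''|*[!0-9]*) return 1;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# A dotted quad with exactly four numeric octets, each 0-255.
valid_ipv4() {
  local IFS=. o n=0
  for o in $1; do
    case "$o" in ''|*[!0-9]*) return 1;; esac
    [ "$o" -le 255 ] || return 1
    n=$((n + 1))
  done
  [ "$n" -eq 4 ]
}

# port_forward EXTIF PROTO EXTPORT DEST_IP [DEST_PORT]
port_forward() {
  local extif="$1" proto="$2" extport="$3" dst="$4" dport="${5:-$3}"
  case "$proto" in tcp|udp) ;; *) echo "port_forward: proto must be tcp or udp" >&2; return 1;; esac
  valid_port "$extport" && valid_port "$dport" || { echo "port_forward: bad port" >&2; return 1; }
  valid_ipv4 "$dst" || { echo "port_forward: bad destination address" >&2; return 1; }
  # 1) Rewrite the destination of new connections arriving on the WAN side.
  run iptables -t nat -A PREROUTING -i "$extif" -p "$proto" --dport "$extport" \
      -j DNAT --to-destination "$dst:$dport"
  # 2) Let the rewritten packet through FORWARD. The rule matches the
  #    post-DNAT (LAN) address, and -i restricts it to the WAN interface.
  run iptables -A FORWARD -i "$extif" -p "$proto" -d "$dst" --dport "$dport" -j ACCEPT
}

# The RDP forward from the post; ppp0 is the assumed PPPoE WAN interface.
port_forward "${EXTIF:-ppp0}" tcp 3389 192.168.2.110
```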