Hi,
I have an FC9 box with 2 NICs.
Running proxy server on FC9 (Dansguardian + Squid) for LAN users.
Running Apache server for outside users.
Requirements:
(1) Allow HTTP access from WAN & LAN to FC9.
(2) Block everything else from WAN to FC9.
(3) Allow everything from LAN to FC9.
This is my first and very simple firewall.
Please let me know if this is good enough or if I need to modify it.
Code:
#!/bin/sh
#LAN: eth0 -- Range (192.168.1.1 - 192.168.1.254)
#WAN: eth1
# FLUSH ALL PREVIOUS RULES (note: -F flushes rules only, chain policies stay as they are)
iptables -t nat -F
iptables -t filter -F
iptables -t mangle -F
# ENABLE IP FORWARDING SO THE FORWARD/MASQUERADE RULES BELOW TAKE EFFECT
echo 1 > /proc/sys/net/ipv4/ip_forward
# ALLOW ALL ON lo
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# ALLOW REPLY TRAFFIC FOR CONNECTIONS STARTED FROM INSIDE -- stateful
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# ALLOW EVERYTHING NEW FROM LAN TO THIS BOX (requirement 3)
iptables -A INPUT -m state --state NEW -i eth0 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# ALLOW HTTP FROM OUTSIDE (requirement 1: tcp/80, not tcp/22)
iptables -A INPUT -i eth1 -p tcp --dport 80 --sport 1024:65535 -j ACCEPT
# MASQUERADE RULE FOR NATTING
iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -j MASQUERADE
# FOR SQUID / DG: transparently redirect LAN web traffic to DansGuardian on 8080
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 3128 -j REDIRECT --to-port 8080
# BLOCK EVERYTHING ELSE FROM WAN (requirement 2)
iptables -A INPUT -i eth1 -j DROP
iptables -A FORWARD -i eth1 -j REJECT
I look forward to feedback & suggestions from members.
Thx
Vai
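A way to sanity-check a ruleset like the one above without root or a second machine is to model the INPUT chain with iptables' first-match semantics and run the three stated requirements through it. The script below is an added example, not part of the original post or of the poster's script; the `Packet` and `Rule` shapes are this example's own assumptions, the sample packets are constructed, and the `wan_http_port` parameter exists only so the same chain can be checked with tcp/80 and with a mistyped tcp/22 in the "allow HTTP from outside" rule.

```python
"""Tiny first-match evaluator for an iptables INPUT chain.

Added example (not the poster's script): it models the INPUT rules from the
post so the three stated requirements can be checked offline, with no root
and no iptables binary. Packet/Rule are this example's own assumptions and
every packet below is constructed, not captured traffic.
"""
from dataclasses import dataclass
from typing import Optional, List, Tuple, FrozenSet


@dataclass(frozen=True)
class Packet:
    iface: str            # ingress interface: "eth0" (LAN), "eth1" (WAN) or "lo"
    proto: str            # "tcp" or "udp"
    dport: int
    sport: int = 40000
    state: str = "NEW"    # conntrack state: NEW, ESTABLISHED or RELATED


@dataclass(frozen=True)
class Rule:
    target: str                                   # ACCEPT, DROP or REJECT
    iface: Optional[str] = None                   # -i
    proto: Optional[str] = None                   # -p
    dport: Optional[int] = None                   # --dport
    sport_range: Optional[Tuple[int, int]] = None # --sport lo:hi
    states: Optional[FrozenSet[str]] = None       # -m state --state ...

    def matches(self, pkt: Packet) -> bool:
        """Every specified match must hold; unspecified matches are wildcards."""
        if self.iface is not None and pkt.iface != self.iface:
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.sport_range is not None:
            lo, hi = self.sport_range
            if not lo <= pkt.sport <= hi:
                return False
        if self.states is not None and pkt.state not in self.states:
            return False
        return True


def evaluate(chain: List[Rule], pkt: Packet, policy: str = "ACCEPT") -> str:
    """First matching terminating rule wins; otherwise the chain policy applies.
    The policy defaults to ACCEPT because the posted script never sets -P, and
    'iptables -F' flushes rules but leaves the policy untouched."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return policy


def input_chain(wan_http_port: int) -> List[Rule]:
    """The posted INPUT chain, in order. wan_http_port is whatever port the
    'ALLOW HTTP FROM OUTSIDE' rule opens on eth1 (80 is the intended value)."""
    return [
        Rule("ACCEPT", iface="lo"),
        Rule("ACCEPT", states=frozenset({"ESTABLISHED", "RELATED"})),
        Rule("ACCEPT", iface="eth0", states=frozenset({"NEW"})),
        Rule("ACCEPT", iface="eth1", proto="tcp", dport=wan_http_port,
             sport_range=(1024, 65535)),
        Rule("DROP", iface="eth1"),
    ]


def check_requirements(chain: List[Rule]) -> dict:
    """Verdict the chain gives for each requirement in the post.
    (For LAN web traffic the nat REDIRECT rewrites dport 80 to 8080 before
    INPUT runs, but both ports hit the same 'NEW from eth0' accept rule.)"""
    return {
        "wan_http": evaluate(chain, Packet("eth1", "tcp", 80)),      # req 1
        "lan_http": evaluate(chain, Packet("eth0", "tcp", 80)),      # req 1
        "wan_ssh": evaluate(chain, Packet("eth1", "tcp", 22)),       # req 2
        "wan_dg_proxy": evaluate(chain, Packet("eth1", "tcp", 8080)),# req 2
        "lan_ssh": evaluate(chain, Packet("eth0", "tcp", 22)),       # req 3
        "lan_dg_proxy": evaluate(chain, Packet("eth0", "tcp", 8080)),# req 3
    }


if __name__ == "__main__":
    for port in (80, 22):
        print(f"eth1 allow rule on tcp/{port}:", check_requirements(input_chain(port)))
```

Running it shows why the port in the WAN allow rule matters: with tcp/80 every requirement resolves the way the post asks, while a rule opening tcp/22 instead leaves WAN web clients dropped and SSH reachable from the Internet. It also makes the `--sport 1024:65535` match visible: a WAN client using a source port below 1024 falls through to the final DROP.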