This tutorial will cover using a Linux computer as a gateway between a private network and the internet. Any internet connection, whether dial-up PPP, DSL, cable modem or a T1 line, can be used. In the case of most dial-up PPP connections and cable modem connections, only a single IP address is issued, allowing only one computer to connect to the internet at a time.

Using Linux and iptables one can configure a gateway which will allow all computers on a private network to connect to the internet via the gateway and one external IP address, using a technology called "Network Address Translation" (NAT) or masquerading and private subnets. Iptables can also be configured so that the Linux computer acts as a firewall, providing protection to the internal network…


Example 1: Linux connected via PPP with Internet and via eth0 with private network

With iptables we can create a script that does that:

iptables --flush # Flush all the rules in filter and nat tables
iptables --table nat --flush
iptables --delete-chain # Delete all chains that are not in default filter and nat table
iptables --table nat --delete-chain

# Set up IP FORWARDing and Masquerading
iptables --table nat --append POSTROUTING --out-interface ppp0 -j MASQUERADE
iptables --append FORWARD --in-interface eth0 -j ACCEPT # Assuming one NIC to local LAN

echo 1 > /proc/sys/net/ipv4/ip_forward # Enables packet forwarding by kernel
 

Example 2: Linux connected via DSL, Cable, T1 with eth0 and via eth1 with private network

With iptables we can create a script that does that:

# Delete and flush. Default table is "filter". Others like "nat" must be explicitly stated.
iptables --flush # Flush all the rules in filter and nat tables
iptables --table nat --flush
iptables --delete-chain # Delete all chains that are not in default filter and nat table
iptables --table nat --delete-chain

# Set up IP FORWARDing and Masquerading
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables --append FORWARD --in-interface eth1 -j ACCEPT

echo 1 > /proc/sys/net/ipv4/ip_forward # Enables packet forwarding by kernel


Configuring PCs on the office network:

  • All PCs on the private office network should set their "gateway" to the local private network IP address of the Linux gateway computer.
  • The DNS should be set to that of the ISP on the internet.

Example Firewall:

iptables -F # Flush the rules in the filter table
iptables -A INPUT -i lo -p all -j ACCEPT # Allow self access by loopback interface
iptables -A OUTPUT -o lo -p all -j ACCEPT
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT # Accept established connections
iptables -A INPUT -p tcp --tcp-option ! 2 -j REJECT --reject-with tcp-reset # Reset TCP packets that carry no MSS option (option 2)
# Open ports (remove these 3 lines if you don't want them)
iptables -A INPUT -p tcp -i eth0 --dport 21 -j ACCEPT # Open ftp port
iptables -A INPUT -p tcp -i eth0 --dport 22 -j ACCEPT # Open secure shell port
iptables -A INPUT -p tcp -i eth0 --dport 80 -j ACCEPT # Open HTTP port
# Log - Reject
iptables -A INPUT -j LOG --log-prefix "INPUT_DROP: " # Log whatever falls through to the DROP policy below
iptables -A OUTPUT -j LOG --log-prefix "OUTPUT_DROP: " # Note: the OUTPUT policy stays ACCEPT, so this logs every outbound packet
iptables -P INPUT DROP # Drop all other connection attempts. Only connections defined above are allowed.

Save/restore an iptables configuration:

To make packet forwarding permanent, change /etc/sysctl.conf:

# Controls IP packet forwarding
net.ipv4.ip_forward = 1

To save the iptables configuration execute:
/sbin/iptables-save > /etc/sysconfig/iptables.rules
To restore execute:
/sbin/iptables-restore < /etc/sysconfig/iptables.rules


Example iptables configuration (on Red Hat, /etc/sysconfig/iptables):

# FireWall / Masquerade / Routing Config 4 IPTables

*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Masquerade on the way out of the external interface. POSTROUTING only accepts -o, not -i
# (iptables-restore rejects -i here). eth0 is assumed external, as in Example 2; eth1 is the trusted LAN below.
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT

*filter
:FORWARD ACCEPT [0:0]
:HA-INPUT - [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -j HA-INPUT
-A FORWARD -j HA-INPUT
# Trusted
-A HA-INPUT -i lo -j ACCEPT
-A HA-INPUT -i eth1 -j ACCEPT
-A HA-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Invalid
-A HA-INPUT -m state --state INVALID -j DROP
# WEB Accept
-A HA-INPUT -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
# SSH Accept
-A HA-INPUT -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j LOG
-A HA-INPUT -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
# NameServers
-A HA-INPUT -p udp -m udp --sport 53 -j ACCEPT
# Log
-A HA-INPUT -j LOG
# Reject
-A HA-INPUT -j DROP
COMMIT
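As an added example (not code from the yolinux tutorial), here is a small Python linter for iptables-save dumps in the format above. It catches the mistakes that make iptables-restore fail or quietly weaken the ruleset: an interface flag the chain cannot take (such as -i in POSTROUTING), a jump to a chain the table never declares, a table without COMMIT, and en dashes pasted from a web page where "--" belongs. The sample dump is constructed to mirror the configuration above.

```python
# Added example (not from the tutorial): lint an iptables-save dump for what makes
# iptables-restore fail or silently weakens the ruleset: "-i" in POSTROUTING / "-o" in
# PREROUTING, jumps to undeclared chains, missing COMMIT, en dashes pasted instead of "--".
import shlex
WRONG_IFACE_FLAG = {"POSTROUTING": "-i", "OUTPUT": "-i", "PREROUTING": "-o", "INPUT": "-o"}
TARGETS = {"ACCEPT", "DROP", "REJECT", "RETURN", "LOG", "MASQUERADE", "SNAT", "DNAT", "REDIRECT"}

def lint_iptables_save(text):
    # Returns a list of (table, line_number, message); "*END" is a sentinel closing the last table.
    findings, table, chains, committed = [], None, set(), True
    for no, raw in enumerate(text.splitlines() + ["*END"], 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "\u2013" in line:                                # "–state" pasted instead of "--state"
            findings.append((table, no, "en dash where '--' was expected"))
            line = line.replace("\u2013", "--")
        if line.startswith("*"):                            # "*nat", "*filter": a new table begins
            if not committed:
                findings.append((table, no, "table never reached COMMIT"))
            table, chains, committed = line[1:], set(), False
        elif line == "COMMIT":
            committed = True
        elif line.startswith(":"):                          # ":CHAIN POLICY [pkts:bytes]"
            chains.add(line[1:].split()[0])
        elif line.startswith("-A "):
            argv = shlex.split(line)
            chain = argv[1]
            if chain not in chains:
                findings.append((table, no, f"rule appended to undeclared chain {chain}"))
            if WRONG_IFACE_FLAG.get(chain) in argv:          # kernel rejects -i/-o in these chains
                findings.append((table, no, f"{WRONG_IFACE_FLAG[chain]} is not allowed in {chain}"))
            target = argv[argv.index("-j") + 1] if "-j" in argv else None   # no -j: count-only rule
            if target and target not in TARGETS and target not in chains:
                findings.append((table, no, f"jump to unknown target {target}"))
    return findings

# Constructed sample: the tutorial's layout, with "-i" in POSTROUTING and one pasted en dash
SAMPLE = """*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -i eth1 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:HA-INPUT - [0:0]
-A INPUT -j HA-INPUT
-A HA-INPUT -m state \u2013state ESTABLISHED,RELATED -j ACCEPT
COMMIT
"""
```

Running lint_iptables_save(SAMPLE) reports the POSTROUTING rule on line 3 and the en dash on line 9; run it on a real dump before handing it to iptables-restore.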


Source: http://www.yolinux.com/