http://www.hammx.com/wordpress/?p=137
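#!/bin/sh
#
# Two-interface NAT firewall: EXTIF faces the Internet, INTIF faces the LAN.
# Default policy is DROP on INPUT/OUTPUT/FORWARD; the LAN is fully trusted,
# replies are admitted by connection tracking, and a few services are
# exposed or port-forwarded from the outside.
#
# Usage: <script> start|stop|restart
#   start/restart  flush everything, then install the ruleset
#   stop           accept-all policies, all chains and the nat table emptied
#
# Must run as root with the binaries below present.

iptables="/sbin/iptables"
modprobe="/sbin/modprobe"
depmod="/sbin/depmod"
EXTIF="eth1"   # Internet-facing interface
INTIF="eth2"   # LAN-facing interface
# LAN host that receives the forwarded ssh (22 -> 2302) and web (80) ports.
FWD_HOST="192.168.10.96"

#######################################
# Install the full ruleset.
# Globals:   iptables, modprobe, depmod, EXTIF, INTIF, FWD_HOST (read)
# Outputs:   progress messages on stdout
# Returns:   status of the last iptables call; individual failures are not
#            checked (a missing module or rule does not abort the load)
#######################################
load() {
  "$depmod" -a
  # Connection-tracking / NAT helper modules (legacy ip_* names kept from
  # the original; newer kernels ship nf_* equivalents).
  for mod in ip_tables ip_conntrack ip_conntrack_ftp ip_conntrack_irc \
             iptable_nat ip_nat_ftp ip_conntrack_pptp ip_nat_pptp; do
    "$modprobe" "$mod"
  done

  echo "enable forwarding..."
  echo "1" > /proc/sys/net/ipv4/ip_forward
  echo "enable dynamic addr"
  echo "1" > /proc/sys/net/ipv4/ip_dynaddr

  # Default-deny on every filter chain, then start from empty tables.
  "$iptables" -P INPUT DROP
  "$iptables" -F INPUT
  "$iptables" -P OUTPUT DROP
  "$iptables" -F OUTPUT
  "$iptables" -P FORWARD DROP
  "$iptables" -F FORWARD
  "$iptables" -t nat -F

  echo " opening loopback interface for socket based services."
  "$iptables" -A INPUT -i lo -j ACCEPT
  "$iptables" -A OUTPUT -o lo -j ACCEPT

  echo " allow all connections OUT and ONLY existing related ones IN"
  # The LAN side is trusted unconditionally. Replies to our own and to
  # forwarded connections are matched by conntrack state; that already
  # covers DNS answers, so no stateless "--sport 53" accept is needed
  # (such a rule would admit any inbound UDP that merely claims port 53).
  "$iptables" -A INPUT -i "$INTIF" -j ACCEPT
  "$iptables" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  "$iptables" -A OUTPUT -o "$EXTIF" -j ACCEPT
  "$iptables" -A OUTPUT -o "$INTIF" -j ACCEPT
  "$iptables" -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  "$iptables" -A FORWARD -i "$EXTIF" -o "$INTIF" -m state --state ESTABLISHED,RELATED -j ACCEPT
  "$iptables" -A FORWARD -i "$INTIF" -o "$EXTIF" -j ACCEPT

  echo " enabling SNAT (MASQUERADE) functionality on $EXTIF"
  "$iptables" -t nat -A POSTROUTING -o "$EXTIF" -j MASQUERADE

  echo " Allowing packets with ICMP data (pings)"
  # All ICMP types, on every interface (not only echo-request).
  "$iptables" -A INPUT -p icmp -j ACCEPT
  "$iptables" -A OUTPUT -p icmp -j ACCEPT

  # DHCP requests from the LAN (already covered by the INTIF accept above;
  # kept so it keeps working if that blanket rule is ever tightened).
  "$iptables" -A INPUT -p udp -i "$INTIF" --dport 67 -m state --state NEW -j ACCEPT

  echo " port 137 for netBios"
  "$iptables" -A INPUT -i "$INTIF" -p udp --dport 137 -j ACCEPT
  "$iptables" -A OUTPUT -o "$INTIF" -p udp --dport 137 -j ACCEPT

  #echo " opening port 22 for internal ssh"
  "$iptables" -A INPUT -i "$INTIF" -p tcp --dport 22 -j ACCEPT

  # GRE is the PPTP data channel; 1723/tcp is its control channel.
  "$iptables" -A INPUT -p gre -j ACCEPT
  "$iptables" -A FORWARD -p gre -j ACCEPT
  echo " opening port 1723 for VPN Server"
  "$iptables" -A INPUT -p tcp -i "$EXTIF" --dport 1723 -m state --state NEW -j ACCEPT

  echo " opening port 80 for webserver"
  # NOTE: shadowed while the port-80 DNAT below is active -- PREROUTING
  # rewrites the destination to FWD_HOST before INPUT is consulted, so
  # external web traffic goes through FORWARD, not this rule.
  "$iptables" -A INPUT -p tcp -i "$EXTIF" --dport 80 -m state --state NEW -j ACCEPT

  echo " opening port 21 for FTP Server"
  "$iptables" -A INPUT -p tcp -i "$EXTIF" --dport 21 -m state --state NEW -j ACCEPT

  echo " opening ssh for web on port 2609 for firewig"
  # No -i restriction: 2609/tcp is reachable from both interfaces.
  "$iptables" -A INPUT -p tcp --dport 2609 -j ACCEPT
  "$iptables" -A OUTPUT -p tcp --dport 2609 -j ACCEPT

  echo " opening ssh for web on port 22 for betty"
  "$iptables" -t nat -A PREROUTING -i "$EXTIF" -p tcp --dport 22 -j DNAT --to "$FWD_HOST:2302"
  "$iptables" -A FORWARD -p tcp -m state --state NEW -d "$FWD_HOST" --dport 2302 -j ACCEPT

  #echo " opening Apache webserver for HoH"
  "$iptables" -t nat -A PREROUTING -i "$EXTIF" -p tcp --dport 80 -j DNAT --to "$FWD_HOST:80"
  "$iptables" -A FORWARD -p tcp -m state --state NEW -d "$FWD_HOST" --dport 80 -j ACCEPT

  # Log whatever falls through to the DROP policies. These must be the LAST
  # rules of each chain: LOG is non-terminating, so appending them earlier
  # tags packets as "Dropped" that a later ACCEPT rule then admits.
  for chain in INPUT OUTPUT FORWARD; do
    "$iptables" -A "$chain" -j LOG --log-level 7 --log-prefix "Dropped by firewall: "
  done
}

#######################################
# Remove the firewall entirely.
# Sets accept-all policies and empties every filter chain plus the nat
# table, so neither a DROP policy on OUTPUT nor a stale DNAT survives a
# "stop" (the original left OUTPUT at DROP and the nat rules in place).
# Globals:   iptables (read)
# Outputs:   progress message on stdout
#######################################
flush() {
  echo "flushing rules...."
  for chain in INPUT OUTPUT FORWARD; do
    "$iptables" -P "$chain" ACCEPT
  done
  "$iptables" -F
  "$iptables" -t nat -F
}

# Missing action is a usage error (reported on stderr, exit 1) instead of
# silently succeeding.
case "${1:-}" in
  start|restart)
    flush
    load
    ;;
  stop)
    flush
    ;;
  *)
    echo "usage: start|stop|restart." >&2
    exit 1
    ;;
esac
exit 0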