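#!/bin/bash
# 20060623 iptables_acc_lo hse@ukr.net
# Distributed under the terms of the GNU General Public License v2
#
# Example ip6tables script for a PPP workstation: loopback-only IPv6 policy.
# Despite the file name, this variant drives ip6tables (see $iptables below),
# and no byte-accounting rules are present here — only a default-DROP filter
# table that permits traffic on the loopback interface.
#
# Installation:
#   /etc/init.d/iptables stop      # NOTE: only affects IPv4 iptables
#   ./iptables_acc_lo
#   ip6tables-save > <your distro's ip6tables rules file>
#   (the original note said "/etc/init.d/iptables save"; on most distributions
#    that persists only the IPv4 ruleset, so the IPv6 rules written here would
#    be lost at reboot — verify how your distribution persists ip6tables.)
#
# Runs as root; every ip6tables call is fatal on failure so a partially
# applied ruleset is never silently reported as success.

set -eu

iptables="/sbin/ip6tables"

die() {
  printf '%s: %s\n' "${0##*/}" "$*" >&2
  exit 1
}

# Preconditions: netfilter manipulation requires root, and the binary must exist.
[[ "${EUID}" -eq 0 ]] || die "must be run as root"
[[ -x "${iptables}" ]] || die "${iptables} not found or not executable"

# 0 ******************* VARIABLE setup *****************************
# Before running this script, adjust the network configuration here.
# begin

# Interface setup
LoopInterface="lo"

# IP address setup (IPv6 loopback, host route)
LoopIP="::1/128"

# Kernel modules that may be needed for conntrack/NAT; left disabled on purpose.
# NOTE: the names below are the legacy IPv4 module names; for IPv6 conntrack the
# relevant modules are nf_conntrack / nf_conntrack_ipv6 (kernel-version dependent).
#modprobe iptable_nat
#modprobe ip_nat_ftp
#modprobe ip_conntrack
#modprobe ip_conntrack_ftp
#modprobe ...

# end

# Required proc configuration
#
# NOTE (IPv6 review): the paths in this section were carried over from the IPv4
# script and do not exist under /proc/sys/net/ipv6:
#   - forwarding is /proc/sys/net/ipv6/conf/all/forwarding (there is no ip_forward)
#   - rp_filter is IPv4-only; IPv6 reverse-path checks use "-m rpfilter"
#   - proxy_arp and ip_dynaddr are IPv4-only (IPv6 has proxy_ndp)
# They stay commented out so that enabling them blindly does not fail silently.
#
# Enable forwarding
#echo 1 > /proc/sys/net/ipv6/conf/all/forwarding

# Disable source-routed packets (valid IPv6 sysctl; 0 = reject RH0 / source routes)
#for i in /proc/sys/net/ipv6/conf/*/accept_source_route
#  do
#    echo 0 > "$i"
#  done

# Feel free to change the firewall rules below to suit your setup.

# I ******************* FILTERING TABLE rules ****************************

# (0) Default policies.
# Set DROP *before* flushing so there is no window in which the table is
# empty with an ACCEPT policy.
"${iptables}" -P INPUT DROP
"${iptables}" -P OUTPUT DROP
"${iptables}" -P FORWARD DROP

# Start from a clean filter table. The original script only appended (-A), so
# re-running it — or running it after a different ruleset — accumulated
# duplicate or stale rules; "/etc/init.d/iptables stop" does not flush ip6tables.
"${iptables}" -F
"${iptables}" -X
"${iptables}" -Z

# (1) User-defined chains for ACCEPTed TCP packets from the Internet
# (none in this loopback-only variant)

# (2) INPUT chain rules
# Accept everything arriving on the loopback interface from the loopback address.
"${iptables}" -A INPUT -p ALL -i "${LoopInterface}" -s "${LoopIP}" -j ACCEPT

# TCP rules
# UDP rules
# ICMP rules
# NOTE (IPv6 review): with a DROP policy and no ICMPv6 rules, Neighbor Discovery
# (NS/NA/RS/RA) and Path-MTU discovery are blocked on every non-loopback
# interface, so this host cannot reach anything over IPv6 except ::1. That is
# acceptable for a loopback-only policy; if you open other interfaces, add
# "-p icmpv6" rules for at least types 1-4 and 133-137 first.

# (3) FORWARD chain rules
# ACCEPT packets we want to forward: none.

# (4) OUTPUT chain rules
# Only emit packets from the local loopback address on the loopback interface
# (anti-spoofing on the egress side).
"${iptables}" -A OUTPUT -p ALL -o "${LoopInterface}" -s "${LoopIP}" -j ACCEPT

# II ***************** MANGLE TABLE rules *****************************
# Everything below is disabled; it is kept as a template.

# (0) Default policies
#"${iptables}" -t mangle -P PREROUTING DROP
#"${iptables}" -t mangle -P INPUT DROP
#"${iptables}" -t mangle -P FORWARD DROP
#"${iptables}" -t mangle -P OUTPUT DROP
#"${iptables}" -t mangle -P POSTROUTING DROP

# (1) Mangle user-defined chain rules

# (2) Mangle PREROUTING chain rules
# Rules for incoming packets from the local machine
#"${iptables}" -t mangle -A PREROUTING -p ALL -i "${LoopInterface}" -s "${LoopIP}" -j ACCEPT
# Rules for incoming packets from the Internet

# (3) Mangle INPUT chain rules
#"${iptables}" -t mangle -A INPUT -p ALL -i "${LoopInterface}" -s "${LoopIP}" -j ACCEPT

# (4) Mangle FORWARD chain rules

# (5) Mangle OUTPUT chain rules
#"${iptables}" -t mangle -A OUTPUT -p ALL -o "${LoopInterface}" -s "${LoopIP}" -j ACCEPT

# (6) Mangle POSTROUTING chain rules
# Only output packets from local addresses (no spoofing)
#"${iptables}" -t mangle -A POSTROUTING -p ALL -o "${LoopInterface}" -s "${LoopIP}" -j ACCEPT

# III ***************** NAT TABLE rules (NOT IMPLEMENTED YET) *******************
# NOTE (IPv6 review): the ip6tables "nat" table only exists on kernels >= 3.7;
# on older kernels every line in this section fails with "table does not exist".
# "-s 0/0" is IPv4 notation — use "-s ::/0" (or omit -s) for ip6tables.

# (0) Default policies
#"${iptables}" -t nat -P PREROUTING DROP
#"${iptables}" -t nat -P OUTPUT DROP
#"${iptables}" -t nat -P POSTROUTING DROP

# (1) NAT user-defined chain rules

# (2) PREROUTING chain rules: REDIRECTION and PORT MAPPING
#"${iptables}" -t nat -A PREROUTING -p tcp -i "${LoopInterface}" -d "${LoopIP}" -m state --state NEW,ESTABLISHED,RELATED --dport 21  -j REDIRECT --to-ports 10021
#"${iptables}" -t nat -A PREROUTING -p tcp -i "${LoopInterface}" -d "${LoopIP}" -m state --state NEW,ESTABLISHED,RELATED --dport 22  -j REDIRECT --to-ports 10022
#"${iptables}" -t nat -A PREROUTING -p tcp -i "${LoopInterface}" -d "${LoopIP}" -m state --state NEW,ESTABLISHED,RELATED --dport 80  -j REDIRECT --to-ports 10080
#"${iptables}" -t nat -A PREROUTING -p tcp -i "${LoopInterface}" -d "${LoopIP}" -m state --state NEW,ESTABLISHED,RELATED --dport 443 -j REDIRECT --to-ports 10443

# INPUT
# Rules for incoming packets from the local machine
#"${iptables}" -t nat -A PREROUTING -p ALL -i "${LoopInterface}" -s "${LoopIP}" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# Rules for incoming packets from the Internet

# (3) OUTPUT chain rules
# Only output packets from local addresses (no spoofing)
#"${iptables}" -t nat -A OUTPUT -p ALL -o "${LoopInterface}" -s "${LoopIP}" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# (4) POSTROUTING chain rules: NAT or MASQUERADE
#"${iptables}" -t nat -A POSTROUTING -p ALL -o "${LoopInterface}" -s "${LoopIP}" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

exit 0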