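#!/bin/bash
# /usr/local/sbin/setiptables.bash
#
# Rebuilds this host's iptables rule set from scratch: flushes every chain,
# sets the default policies, masquerades the local network out of the external
# interface, and installs the loopback, anti-spoofing and ICMP rules.
# Must run as root: iptables and the /proc/sys write below require it.
#
# The addresses and interface names in the definitions block are site-specific;
# adjust them before running.
set -eu -o pipefail
trap 'printf "%s: failed at line %d: %s\n" "${0##*/}" "$LINENO" "$BASH_COMMAND" >&2' ERR

# Some definitions
readonly ANYWHERE="any/0"              # Match any address (with a /0 mask iptables ignores the name part)
readonly EX_ETH=eth0                   # External interface
readonly IN_ETH=eth1                   # Local interface
readonly LOCAL_IP=192.168.0.1          # Local host IP
readonly EXTERNAL_IP=202.54.230.14     # Internet IP
readonly LOCAL_NET=192.168.0.0/24      # Local network
readonly LOOPBACK_INTERFACE=lo         # The loopback interface
readonly LOOPBACK_NETWORK=127.0.0.0/8  # Reserved loopback address range
# The following are not referenced by any rule in this file; presumably they
# serve the service rules (proxy, web server) that are added elsewhere.
# shellcheck disable=SC2034
readonly PROXY_IP=192.168.0.225        # Proxy server IP (transparent proxy)
# shellcheck disable=SC2034
readonly PROXY_PORT=8080               # Proxy server port no
# shellcheck disable=SC2034
readonly PRIVPORTS=0:1023              # Well-known privileged port range
# shellcheck disable=SC2034
readonly UNPRIVPORTS=1024:65535        # Unprivileged port range
# shellcheck disable=SC2034
readonly WEBPORT=80                    # Web server port
readonly IP_FORWARD=/proc/sys/net/ipv4/ip_forward

# Everything below needs root; fail early with a clear message instead of a
# cascade of permission errors from iptables.
if (( EUID != 0 )); then
  printf '%s: must be run as root\n' "${0##*/}" >&2
  exit 1
fi

# Disable forwarding while the rule set is rebuilt. Forwarding may still be on
# from a previous run, and the FORWARD policy is ACCEPT, so without this there
# is a window between the flush and the FORWARD rules further down in which
# anything would be forwarded. It is re-enabled at the very end.
echo 0 > "$IP_FORWARD"

# Clear all iptables. The distribution init script may be absent and the
# flush below covers the same ground, so its failure is not fatal.
if [[ -x /etc/init.d/iptables ]]; then
  /etc/init.d/iptables stop || true
fi
# Flush the rule chains
iptables -F
iptables -t nat -F
# Delete custom chains
iptables -X
# Zero counts
iptables -Z

# Set the default policies
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

# Masquerade
iptables -t nat -A POSTROUTING -o "$EX_ETH" -j MASQUERADE
iptables -A OUTPUT -s "$LOCAL_NET" -o "$EX_ETH" -j ACCEPT

# New or invalid connections arriving from the outside are dropped. With the
# INPUT policy already DROP this rule is explicit rather than necessary.
# NOTE(review): nothing in this file accepts ESTABLISHED,RELATED on INPUT, so
# replies to the host's own outbound connections are dropped by policy --
# confirm that is intended or that rules added elsewhere cover it.
iptables -A INPUT -i "$EX_ETH" -m state --state NEW,INVALID -j DROP
# FORWARD chain: only connections initiated from the inside are forwarded.
iptables -A FORWARD -i "$EX_ETH" -m state --state NEW,INVALID -j DROP

# Allow unlimited traffic on the loopback interface
iptables -A INPUT -i "$LOOPBACK_INTERFACE" -j ACCEPT
iptables -A OUTPUT -o "$LOOPBACK_INTERFACE" -j ACCEPT
# Loopback packets should not be handled from the external NIC
iptables -A INPUT -i "$EX_ETH" -s "$LOOPBACK_NETWORK" -j DROP
iptables -A OUTPUT -o "$EX_ETH" -s "$LOOPBACK_NETWORK" -j DROP

# Anti-spoofing: a packet arriving on the external interface cannot
# legitimately carry a local-network source address (the local network sits
# behind IN_ETH and is masqueraded on the way out), so such packets are
# dropped rather than accepted.
iptables -A INPUT -i "$EX_ETH" -s "$LOCAL_NET" -j DROP
iptables -A FORWARD -i "$EX_ETH" -s "$LOCAL_NET" -j DROP

# Refuse bogus broadcasts
iptables -A INPUT -i "$EX_ETH" -s 255.255.255.255 -j DROP
iptables -A INPUT -i "$EX_ETH" -d 0.0.0.0 -j DROP

# ICMP: to/from this host on both interfaces, and forwarded for the local net
iptables -A INPUT -i "$EX_ETH" -p icmp -s "$ANYWHERE" -d "$EXTERNAL_IP" -j ACCEPT
iptables -A OUTPUT -o "$EX_ETH" -p icmp -s "$EXTERNAL_IP" -d "$ANYWHERE" -j ACCEPT
iptables -A INPUT -i "$IN_ETH" -p icmp -s "$LOCAL_NET" -d "$LOCAL_IP" -j ACCEPT
iptables -A OUTPUT -o "$IN_ETH" -p icmp -s "$LOCAL_IP" -d "$LOCAL_NET" -j ACCEPT
iptables -A FORWARD -p icmp -j ACCEPT

# Turn on IP forwarding only now that the FORWARD rules are in place
echo 1 > "$IP_FORWARD"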