NATting SOHO firewall

NATting SOHO firewall is a firewall script for iptables.
NATting SOHO firewall is a firewall script for iptables.

# Model NATting SOHO firewall for SP article
# by Jay Beale (jay@bastille-linux.org)
#
# Warning: you're going to have to hack this for your own purposes.
#

# Assumptions:
# your internal network is 192.168.1.0/24 on eth1
# your internet IP is 10.0.0.1 on eth0
# your internal network IP on eth1 is 192.168.1.1
#
# Additonally:
# you have another internal network, a DMZ: 192.168.2.0/24 on eth2

$INTERNAL_IP = 192.168.1.1
$INTERNAL_NET = 192.168.1.0/24

$INTERNET = 10.0.0.1

$DMZ = 192.168.2.0/24

# Insert the required kernel modules
modprobe iptable_nat
modprobe ip_conntrack
modprobe ip_conntrack_ftp

# Set default policies for packets going through this firewall box

iptables -t nat -P PREROUTING DROP
iptables -t nat -P POSTROUTING DROP
iptables -P FORWARD DROP

# Set default policies for packet entering this box

iptables -P OUTPUT ALLOW
iptables -P INPUT ALLOW

# Kill spoofed packets

for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 > $f
done

# Anything coming from our internal network should have only our addresses!
iptables -A FORWARD -i eth1 -s ! $INTERNAL_NET -j DROP

# Anything coming from the Internet should have a real Internet address
iptables -A FORWARD -i eth0 -s 192.168.0.0/16 -j DROP
iptables -A FORWARD -i eth0 -s 172.16.0.0/12 -j DROP
iptables -A FORWARD -i eth0 -s 10.0.0.0/8 -j DROP

# Note:There are more "reserved" networks, but these are the classical ones.

# Block outgoing network filesharing protocols that aren't designed
# to leave the LAN

# SMB / Windows filesharing
iptables -A FORWARD -p tcp --sport 137:139 -j DROP
iptables -A FORWARD -p udp --sport 137:139 -j DROP
# NFS Mount Service (TCP/UDP 635)
iptables -A FORWARD -p tcp --sport 635 -j DROP
iptables -A FORWARD -p udp --sport 635 -j DROP
# NFS (TCP/UDP 2049)
iptables -A FORWARD -p tcp --sport 2049 -j DROP
iptables -A FORWARD -p udp --sport 2049 -j DROP
# Portmapper (TCP/UDP 111)
iptables -A FORWARD -p tcp --sport 111 -j DROP
iptables -A FORWARD -p udp --sport 111 -j DROP

# Block incoming syslog, lpr, rsh, rexec...
iptables -A FORWARD -i eth0 -p udp --dport syslog -j DROP
iptables -A FORWARD -i eth0 -p tcp --dport 515 -j DROP
iptables -A FORWARD -i eth0 -p tcp --dport 514 -j DROP
iptables -A FORWARD -i eth0 -p tcp --dport 512 -j DROP

###
# Transparently proxy all web-surfing through Squid box

$SQUID = 192.168.1.2:8080
$SQUIDSSL = 192.168.1.2:443
iptables -t nat -A PREROUTING -i eth1 -tcp --dport 80 -j DNAT --to $SQUID
iptables -t nat -A PREROUTING -i eth1 -tcp --dport 443 -j DNAT --to $SQUIDSSL

# Transparently forward all outgoing mail to a relay host

$SMTP = 192.168.1.3
iptables -t nat -A PREROUTING -i eth1 -tcp --dport 25 -j DNAT --to $SMTP

# Transparently redirect web connections from outside to the DMZ web
# server

$DMZ_WEB = 192.168.2.2
iptables -t nat -A PREROUTING -i eth0 -d 192.168.1.1 -dport 80 -j DNAT --to $DMZ_WEB

# Source NAT to get Internet traffic through
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to $INTERNET


# Activate the forwarding!
echo 1 >/proc/sys/net/ipv4/ip_forward

last updated on:
February 13th, 2007, 18:38 GMT
price:
FREE!
homepage:
www.linuxguruz.com
license type:
GPL (GNU General Public License) 
developed by:
Jay Beale
category:
ROOT \ System \ Networking
NATting SOHO firewall
Download Button

In a hurry? Add it to your Download Basket!

user rating

UNRATED
0.0/5
 

0/5

Rate it!

Add your review!

SUBMIT