NATting SOHO firewall

NATting SOHO firewall is a firewall script for iptables.
NATting SOHO firewall is a firewall script for iptables.

# Model NATting SOHO firewall for SP article
# by Jay Beale (
# Warning: you're going to have to hack this for your own purposes.

# Assumptions:
# your internal network is on eth1
# your internet IP is on eth0
# your internal network IP on eth1 is
# Additonally:
# you have another internal network, a DMZ: on eth2



$DMZ =

# Insert the required kernel modules
modprobe iptable_nat
modprobe ip_conntrack
modprobe ip_conntrack_ftp

# Set default policies for packets going through this firewall box

iptables -t nat -P PREROUTING DROP
iptables -t nat -P POSTROUTING DROP
iptables -P FORWARD DROP

# Set default policies for packet entering this box

iptables -P OUTPUT ALLOW
iptables -P INPUT ALLOW

# Kill spoofed packets

for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 > $f

# Anything coming from our internal network should have only our addresses!
iptables -A FORWARD -i eth1 -s ! $INTERNAL_NET -j DROP

# Anything coming from the Internet should have a real Internet address
iptables -A FORWARD -i eth0 -s -j DROP
iptables -A FORWARD -i eth0 -s -j DROP
iptables -A FORWARD -i eth0 -s -j DROP

# Note:There are more "reserved" networks, but these are the classical ones.

# Block outgoing network filesharing protocols that aren't designed
# to leave the LAN

# SMB / Windows filesharing
iptables -A FORWARD -p tcp --sport 137:139 -j DROP
iptables -A FORWARD -p udp --sport 137:139 -j DROP
# NFS Mount Service (TCP/UDP 635)
iptables -A FORWARD -p tcp --sport 635 -j DROP
iptables -A FORWARD -p udp --sport 635 -j DROP
# NFS (TCP/UDP 2049)
iptables -A FORWARD -p tcp --sport 2049 -j DROP
iptables -A FORWARD -p udp --sport 2049 -j DROP
# Portmapper (TCP/UDP 111)
iptables -A FORWARD -p tcp --sport 111 -j DROP
iptables -A FORWARD -p udp --sport 111 -j DROP

# Block incoming syslog, lpr, rsh, rexec...
iptables -A FORWARD -i eth0 -p udp --dport syslog -j DROP
iptables -A FORWARD -i eth0 -p tcp --dport 515 -j DROP
iptables -A FORWARD -i eth0 -p tcp --dport 514 -j DROP
iptables -A FORWARD -i eth0 -p tcp --dport 512 -j DROP

# Transparently proxy all web-surfing through Squid box

iptables -t nat -A PREROUTING -i eth1 -tcp --dport 80 -j DNAT --to $SQUID
iptables -t nat -A PREROUTING -i eth1 -tcp --dport 443 -j DNAT --to $SQUIDSSL

# Transparently forward all outgoing mail to a relay host

iptables -t nat -A PREROUTING -i eth1 -tcp --dport 25 -j DNAT --to $SMTP

# Transparently redirect web connections from outside to the DMZ web
# server

iptables -t nat -A PREROUTING -i eth0 -d -dport 80 -j DNAT --to $DMZ_WEB

# Source NAT to get Internet traffic through
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to $INTERNET

# Activate the forwarding!
echo 1 >/proc/sys/net/ipv4/ip_forward

last updated on:
February 13th, 2007, 18:38 GMT
license type:
GPL (GNU General Public License) 
developed by:
Jay Beale
ROOT \ System \ Networking
NATting SOHO firewall
Download Button

In a hurry? Add it to your Download Basket!

user rating



Rate it!

Add your review!