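# Gateway firewall configuration
#
# This file is loaded by both iptables-restore and ip6tables-restore:
# rules prefixed with "-4" are applied by iptables-restore only (the IPv6
# loader skips them) and rules prefixed with "-6" by ip6tables-restore
# only. Unprefixed rules apply to both address families.
#
# Interfaces: eth0 is the public (untrusted) side, eth1 the private
# network 192.168.33.0/24 (see the FORWARD rules and the nat table).
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

# Trust local loopback
-A INPUT -i lo -j ACCEPT

# Drop packets conntrack cannot classify (malformed or out-of-state TCP)
# before they can reach any ACCEPT rule below.
-A INPUT -m conntrack --ctstate INVALID -j DROP

# Accept replies and related traffic for flows this host already accepted
# or initiated. Protocol-agnostic and early so the common case matches
# first; RELATED also covers ICMP error messages for those flows.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Accept everything on ICMP. ICMPv6 must not be filtered wholesale:
# neighbour discovery and router advertisements are required for IPv6
# to function at all.
# NOTE(review): IPv4 ICMP is accepted without type or rate limit; if this
# host is directly exposed consider limiting it to echo-request and the
# error types.
-4 -A INPUT -p icmp -j ACCEPT
-6 -A INPUT -p ipv6-icmp -j ACCEPT

# Drop DHCP requests silently (so they never reach the LOG rule below)
# but accept answers addressed to this host's own DHCP client.
-4 -A INPUT -p udp -m udp --sport 68 --dport 67 -j DROP
-4 -A INPUT -p udp -m udp --sport 67 --dport 68 -j ACCEPT

# Accept SSH, SMTP on any interface, the public side included.
-A INPUT -p tcp -m multiport --dports 22,25 -j ACCEPT

# Accept DNS, NTP (UDP only) on any interface.
# NOTE(review): if the resolver and NTP daemon are meant to serve only the
# private network, add "-i eth1" here; a recursive resolver or NTP server
# reachable from eth0 can be abused as an amplification reflector. DNS
# over TCP (53/tcp) is not accepted, so answers too large for UDP will fail.
-A INPUT -p udp -m multiport --dports 53,123 -j ACCEPT

# Log and drop everything else. The limit bounds log volume under a
# flood, but --limit-burst 1000 still permits up to 1000 lines at once.
# LOG is non-terminating; the explicit DROP makes the intent self-contained
# instead of relying on the chain policy alone (same effect either way).
-A INPUT -m limit --limit 1/sec --limit-burst 1000 -j LOG --log-prefix "[IN DROP] "
-A INPUT -j DROP

# Forwarding rules between private network (eth1) and public one (eth0)

# As on INPUT: discard what conntrack cannot classify, then let return
# traffic of already accepted flows through in either direction. This is
# what carries replies to the outbound HTTP/HTTPS rule back to eth1.
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Forward pings (both directions, no interface restriction).
# NOTE(review): echo requests arriving on eth0 for 192.168.33.0/24 are
# forwarded too. That is moot while the private prefix is not routable
# from the public side; if it ever is, restrict with "-i eth1 -o eth0".
-4 -A FORWARD -p icmp -j ACCEPT
-6 -A FORWARD -p ipv6-icmp -j ACCEPT

# Forward HTTP, HTTPS initiated from the private network.
# Return packets are accepted by the ESTABLISHED,RELATED rule above. The
# former rule accepting any eth0->eth1 TCP segment with source port 80 or
# 443 was removed: the source port is chosen by the remote peer, so that
# rule let any external host open connections into the private network
# simply by binding its socket to port 80 or 443.
-4 -A FORWARD -i eth1 -o eth0 -s 192.168.33.0/24 -p tcp -m multiport --dports 80,443 -j ACCEPT
# NOTE(review): there is no IPv6 counterpart for HTTP/HTTPS; IPv6 clients
# on eth1 cannot reach the web through this gateway unless one is added.
COMMIT

*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# NAT the external interface when forwarding from the private network.
# The IPv4 rule now carries the source match the comment always implied,
# so only traffic from 192.168.33.0/24 is rewritten. The IPv6 rule keeps
# the previous unrestricted behaviour (an IPv4 "-s" cannot be attached to
# a family-agnostic line, since ip6tables-restore would reject it).
-4 -A POSTROUTING -s 192.168.33.0/24 -o eth0 -j MASQUERADE
-6 -A POSTROUTING -o eth0 -j MASQUERADE
COMMIT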