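# Gateway firewall configuration (iptables-restore / ip6tables-restore format).
# Lines prefixed with -4 or -6 are applied only by the restore tool of that
# address family; unprefixed lines are loaded by both.
*filter
# Default policies: nothing reaches the host or is forwarded unless a rule
# below accepts it; locally originated traffic is unrestricted.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

# Trust local loopback
-A INPUT -i lo -j ACCEPT

# Drop packets that conntrack cannot associate with any known flow
-A INPUT -m conntrack --ctstate INVALID -j DROP

# Accept everything on ICMP. ICMPv6 has to stay open on an IPv6 host: it
# carries neighbour discovery and path-MTU information, not only echo requests.
-4 -A INPUT -p icmp -j ACCEPT
-6 -A INPUT -p ipv6-icmp -j ACCEPT

# Drop DHCP requests but accept answers. The explicit DROP sits before the
# logging rule at the end of the chain, so DHCP discovery broadcasts from the
# LAN are discarded without being logged.
-4 -A INPUT -p udp -m udp --sport 68 --dport 67 -j DROP
-4 -A INPUT -p udp -m udp --sport 67 --dport 68 -j ACCEPT

# Replies to flows the host initiated (TCP also admits RELATED, e.g. ICMP errors)
-A INPUT -p tcp -m tcp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp -m conntrack --ctstate ESTABLISHED -j ACCEPT

# Accept SSH, SMTP
-A INPUT -p tcp -m multiport --dports 22,25 -j ACCEPT

# Accept DNS, NTP
-A INPUT -p udp -m multiport --dports 53,123 -j ACCEPT

# Log what is about to be dropped. LOG is non-terminating; the INPUT DROP
# policy performs the actual drop. The limit keeps a flood from filling the log.
-A INPUT -m limit --limit 1/sec --limit-burst 1000 -j LOG --log-prefix "[IN DROP] "

# Forwarding rules between private network (eth1) and public one (eth0)
# Same conntrack handling as INPUT: discard INVALID, then let replies to
# already-accepted flows through in either direction. Matching return traffic
# by connection state instead of by source port means a packet arriving on the
# public side cannot reach the private network just by using source port 80 or
# 443; it must belong to a flow that was accepted outbound first.
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# Forward pings
-4 -A FORWARD -p icmp -j ACCEPT
-6 -A FORWARD -p ipv6-icmp -j ACCEPT

# Forward HTTP, HTTPS: only new connections from the private network towards
# the public side. The return direction is covered by the ESTABLISHED rule above.
-4 -A FORWARD -i eth1 -o eth0 -s 192.168.33.0/24 -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT

# Log dropped packets (the FORWARD DROP policy does the dropping)
-A FORWARD -m limit --limit 1/sec --limit-burst 1000 -j LOG --log-prefix "[FWD DROP] "
COMMIT

*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# NAT the external interface when forwarding from the private network.
# Limited to the private range so only traffic originating from
# 192.168.33.0/24 is masqueraded, and marked IPv4-only to match the
# forwarding rules above.
-4 -A POSTROUTING -s 192.168.33.0/24 -o eth0 -j MASQUERADE
COMMIT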