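# Gateway firewall configuration
#
# iptables-restore / ip6tables-restore rule set. Lines prefixed with -4 or -6
# apply to that address family only; unprefixed lines apply to both.
# Interfaces (see the FORWARD section below): eth1 = private network,
# eth0 = public network. This is an excerpt: the table headers (*filter /
# *nat), chain policies and COMMIT lines are not part of what is shown here.

# Loopback is always accepted
-A INPUT -i lo -j ACCEPT

# Drop invalid packets
-A INPUT -m conntrack --ctstate INVALID -j DROP

# Accept everything on ICMP (ICMPv6 is needed for neighbour discovery and PMTU)
-4 -A INPUT -p icmp -j ACCEPT
-6 -A INPUT -p ipv6-icmp -j ACCEPT

# Drop DHCP requests but accept answers
-4 -A INPUT -p udp -m udp --sport 68 --dport 67 -j DROP
-4 -A INPUT -p udp -m udp --sport 67 --dport 68 -j ACCEPT

# Reply traffic for connections this host initiated, matched by conntrack state
-A INPUT -p tcp -m tcp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp -m conntrack --ctstate ESTABLISHED -j ACCEPT

# Services offered by the gateway itself: SSH and SMTP
# NOTE(review): no -i match, so these are reachable from eth0 as well as
# eth1 — confirm that is intended.
-A INPUT -p tcp -m multiport --dports 22,25 -j ACCEPT

# DNS and NTP
# NOTE(review): same remark — open on every interface, including the public one.
-A INPUT -p udp -m multiport --dports 53,123 -j ACCEPT

# Log what falls through, rate limited. The DROP / chain policy that follows
# it is not part of this excerpt.
-A INPUT -m limit --limit 1/sec --limit-burst 1000 -j LOG --log-prefix "[IN DROP] "

# Forwarding rules between private network (eth1) and public one (eth0)
-4 -A FORWARD -p icmp -j ACCEPT
-6 -A FORWARD -p ipv6-icmp -j ACCEPT

# Private hosts may open HTTP/HTTPS connections towards the public side ...
-4 -A FORWARD -i eth1 -o eth0 -s 192.168.33.0/24 -p tcp -m multiport --dports 80,443 -j ACCEPT
# ... and the replies are let back in by connection state. The earlier
# version matched replies with --sports 80,443; the source port is chosen by
# the remote peer, so it does not identify reply traffic and would also let
# new inbound TCP flows with those source ports reach the private network.
-4 -A FORWARD -i eth0 -o eth1 -d 192.168.33.0/24 -p tcp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# nat table
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# NAT the external interface when forwarding from the private network
# NOTE(review): there is no -s 192.168.33.0/24 match, so everything routed out
# of eth0 is masqueraded, not only traffic from the private network — confirm.
-A POSTROUTING -o eth0 -j MASQUERADE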