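#!/bin/bash
#
# Firewall / NAT bring-up for a two-interface gateway.
#
# Parameters come from ./config: INTERNALIF, EXTERNALIF, INTERNALIPS,
# EXTERNALIP, DHCPBROADCAST and the parallel arrays SERVER_EXT[] / SERVER_INT[]
# (public address -> LAN server) and SERVER_PORT[] / SERVER_PROTOCOL[] (ports to
# publish on every server).  Both ./config and ./inNAT are addressed relative
# to the current directory, so the script must be started from its own dir.
#
# Bash, not sh: arrays and the C-style loops used here are not provided by
# /bin/sh (dash/ash), so the original shebang did not match the code.
# set -e: a failing iptables command aborts the run BEFORE ip_forward is turned
# on at the bottom, so a half-built rule set fails closed instead of forwarding.
set -e

################################################################################
# Pickup configuration information.
. ./config

# Fail early with a readable message instead of feeding empty match arguments
# to iptables (an empty $INTERNALIPS would otherwise turn "-s $INTERNALIPS"
# into a broken rule deep in the list).
: "${INTERNALIF:?must be set in ./config}"
: "${EXTERNALIF:?must be set in ./config}"
: "${INTERNALIPS:?must be set in ./config}"
: "${EXTERNALIP:?must be set in ./config}"
: "${DHCPBROADCAST:?must be set in ./config}"

BOOTLOG=/var/log/filter
rm -f -- "$BOOTLOG"
touch -- "$BOOTLOG"

# iptables is silent on success and reports a rejected rule on stderr, which
# used to bypass the log entirely; capture both streams.  The helper returns
# the command's status, so set -e still sees failures.
log() {
  "$@" >> "$BOOTLOG" 2>&1
}

################################################################################
# Add the route for dhcp broadcasts to the internal net.
# NOTE(review): "eth0" is hard-coded while every rule below uses $INTERNALIF;
# confirm they are the same device.  Re-running the script makes this fail with
# "File exists", which must not abort the firewall build, so it is logged only.
route add -host dhcp dev eth0 >> "$BOOTLOG" 2>&1 \
  || echo "route add dhcp: failed (route already present?)" >> "$BOOTLOG"

################################################################################
# Flush any existing rules in the tables.
for chain in PREROUTING OUTPUT POSTROUTING; do
  log iptables -t nat -F "$chain"
done
for chain in INPUT OUTPUT FORWARD; do
  log iptables -F "$chain"
done

################################################################################
# DROP any packets not explicitly allowed.
# NOTE(review): all filtering in this script lives in the nat table, which only
# sees the first packet of each connection; the filter table's INPUT/FORWARD
# chains are flushed above but keep whatever default policy they already had
# (ACCEPT on a stock kernel).  Conventional placement would be a DROP policy on
# filter INPUT/FORWARD with the accept rules there -- verify before relying on
# this layout for anything beyond the original deployment.
log iptables -t nat -P PREROUTING DROP

################################################################################
# ACCEPT already established connections.
log iptables -t nat -A PREROUTING -m state --state ESTABLISHED,RELATED -j ACCEPT

################################################################################
# Setup DHCP Behaviour.
# This happens to be rather tricky. These are the conditions we want:
# When a DHCP Broadcast request comes in on 255.255.255.255, if the
# card does not already have an IP address, it uses 0.0.0.0 which is
# not in the set of $INTERNALIPS. However, if the card already has an
# address in the $INTERNALIPS range, then PREROUTING will pick it up and
# redirect it to the world, hardly an elegant or appropriate behaviour.
# So the line below ensures that PREROUTING will accept 0.0.0.0 as a
# source address destined for 255.255.255.255.
# NOTE(review): this accepts ANY protocol sent to the broadcast address from
# the LAN, not just DHCP (udp/67); narrowing it with "-p udp --dport bootps"
# would be tighter if nothing else on the LAN depends on broadcast delivery.
log iptables -t nat -A PREROUTING -i "$INTERNALIF" -d "$DHCPBROADCAST" -j ACCEPT

################################################################################
# Reverse path filtering: ensure packets coming from bad sources are dropped.
# This happens after DHCP above to prevent filtering the 0.0.0.0 source
# address. It also simplifies specifying some information to following
# rules.
# Prevent packets with my IP class from coming in from outside (anti-spoof).
# Prevent packets from inside that aren't internal IPs from leaving.
# "! -s" is the current iptables negation syntax; the older "-s ! ..." form
# has been removed from newer releases.
log iptables -t nat -A PREROUTING -i "$EXTERNALIF" -s "$INTERNALIPS" -j DROP
log iptables -t nat -A PREROUTING -i "$INTERNALIF" ! -s "$INTERNALIPS" -j DROP

################################################################################
# Allow DNS requests from outside to each published server address.
# (No -i restriction: NEW connections to port 53 are accepted from either side,
# as in the original.)  Arrays are walked until the first empty slot;
# ${VAR[A]:-} keeps an unset slot from being an error.  A=$((A + 1)) rather
# than ((A++)): the latter returns non-zero when A is 0 and would trip set -e.
A=0
while [[ -n "${SERVER_EXT[A]:-}" ]]; do
  log iptables -t nat -A PREROUTING -d "${SERVER_EXT[A]}" -p tcp --dport domain -m state --state NEW -j ACCEPT
  log iptables -t nat -A PREROUTING -d "${SERVER_EXT[A]}" -p udp --dport domain -m state --state NEW -j ACCEPT
  A=$((A + 1))
done

################################################################################
# Map external ip ports to LAN server ports.
# inNAT is positional (ext_ip port proto int_ip); an empty SERVER_PROTOCOL[B]
# would shift SERVER_INT into the protocol slot, so a missing protocol for a
# configured port aborts with a message instead.
A=0
while [[ -n "${SERVER_INT[A]:-}" ]]; do
  B=0
  while [[ -n "${SERVER_PORT[B]:-}" ]]; do
    log ./inNAT "${SERVER_EXT[A]}" "${SERVER_PORT[B]}" \
      "${SERVER_PROTOCOL[B]:?SERVER_PROTOCOL[$B] missing in ./config}" \
      "${SERVER_INT[A]}"
    B=$((B + 1))
  done
  A=$((A + 1))
done

################################################################################
# Set up allowing connections from inside the LAN (which we presently assume
# to be non-hostile).
log iptables -t nat -A PREROUTING -s "$INTERNALIPS" -m state --state NEW -j ACCEPT

################################################################################
# Do source NAT, from the internal network to the outside world.
log iptables -t nat -A POSTROUTING -s "$INTERNALIPS" -j SNAT --to "$EXTERNALIP"

################################################################################
# Set up ip forwarding.  Done last, after every rule is in place, so packets
# are never forwarded through an unfiltered gateway; under set -e any failure
# above leaves forwarding off.
echo "1" > /proc/sys/net/ipv4/ip_forward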