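#!/bin/bash
# From: AHK
# To: linux-admin@linux.or.id
#
# Save this file and activate through
#   file_name start
# and de-activate through
#   file_name stop
#
# This firewall-script can be used for workstation, laptop, router
# or server that are not running network service (such as web server, ftp
# server etc).
#
# Scope: only the IPv4 INPUT chain (plus POSTROUTING NAT when ROUTER=yes) is
# configured here.  OUTPUT and FORWARD keep whatever policy the kernel already
# has, and ip6tables is not touched at all -- add IPv6 rules separately if the
# host has an IPv6 address.

set -euo pipefail

# change the parameter UPLINK with Interface device to the Internet.
# In our case WLAN router with NIC eth0 connected to the Internet
# and LAN connection with eth1.
# if you use dial-up modem, you might use ppp0 as your UPLINK
# NOTE(review): the example above names eth0 as the Internet NIC while UPLINK
# is set to eth1 -- confirm which device actually faces the Internet, because
# everything arriving on a non-UPLINK interface is accepted unconditionally.
UPLINK="eth1"

# if you run the gateway as router and forward IP packet between eth devices
# please fill "yes", if not, please fill "no"
ROUTER="no"

# Please change "192.168.120.114" to your static IP address of UPLINK device.
# For those who use dial-up or dynamic IP, please enter "dynamic"
# NAT="192.168.120.114"
NAT="dynamic"

# please list all network interfaces including eth devices
# as well as dial-up interface such as ppp0
INTERFACES="lo eth0 eth1"

readonly IPTABLES=/sbin/iptables

#######################################
# Print a message to stderr and exit with status 1.
# Arguments: $* - message
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Write a value to a /proc/sys knob, skipping (with a warning) knobs the
# running kernel does not expose.
# Arguments: $1 - value to write
#            $2 - absolute path of the knob
# Returns:   0 if written or absent; exits via die() if the write fails
#######################################
set_sysctl() {
  local value=$1 path=$2
  if [[ ! -e "$path" ]]; then
    printf 'warning: %s not present, skipping\n' "$path" >&2
    return 0
  fi
  printf '%s\n' "$value" > "$path" || die "cannot write $value to $path"
}

#######################################
# Install the INPUT rules, harden a few kernel knobs and, for a router,
# enable forwarding plus NAT.
# Globals:   UPLINK, ROUTER, NAT, INTERFACES, IPTABLES (read)
# Outputs:   progress messages on stdout
#######################################
start_firewall() {
  local iface
  printf '%s\n' "Activate Firewall ..... "
  # Default-deny on INPUT first: if a later command fails, set -e aborts the
  # script with the host closed rather than open.
  "$IPTABLES" -P INPUT DROP
  # Trust everything that does not arrive on the Internet-facing device.
  "$IPTABLES" -A INPUT ! -i "${UPLINK}" -j ACCEPT
  # Replies to connections this host initiated.
  "$IPTABLES" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  # Everything else from the uplink is rejected (not dropped) so the peer
  # gets a definite answer instead of a timeout.
  "$IPTABLES" -A INPUT -p tcp -i "${UPLINK}" -j REJECT --reject-with tcp-reset
  "$IPTABLES" -A INPUT -p udp -i "${UPLINK}" -j REJECT --reject-with icmp-port-unreachable

  # turn off ECN function
  # (the original wrote to the misspelt path tcp_en, so ECN was never disabled)
  set_sysctl 0 /proc/sys/net/ipv4/tcp_ecn

  # turn off packet spoofing in all interfaces (reverse-path filter)
  # shellcheck disable=SC2086 -- INTERFACES is a deliberately space-separated list
  for iface in ${INTERFACES}; do
    set_sysctl 1 "/proc/sys/net/ipv4/conf/${iface}/rp_filter"
  done

  if [[ "$ROUTER" == "yes" ]]; then
    # Activate IP forwarding at router
    set_sysctl 1 /proc/sys/net/ipv4/ip_forward
    if [[ "$NAT" == "dynamic" ]]; then
      # Dynamic IP address, activate Masquerading
      printf '%s\n' "Activate Masquerading (Dynamic IP) ...."
      "$IPTABLES" -t nat -A POSTROUTING -o "${UPLINK}" -j MASQUERADE
    elif [[ -n "$NAT" ]]; then
      # Static IP address use source NAT
      printf '%s\n' "Activate SNAT (static IP) ...."
      "$IPTABLES" -t nat -A POSTROUTING -o "${UPLINK}" -j SNAT --to "${NAT}"
    fi
  fi
}

#######################################
# Flush the INPUT chain back to accept-all and drop the NAT rules.
# Globals:   IPTABLES (read)
# Outputs:   progress message on stdout
#######################################
stop_firewall() {
  printf '%s\n' "Deactivate Firewall ..."
  "$IPTABLES" -F INPUT
  "$IPTABLES" -P INPUT ACCEPT
  # Turn off NAT or MASQUERADING
  "$IPTABLES" -t nat -F POSTROUTING
  # ip_forward, rp_filter and tcp_ecn are intentionally left as "start" set
  # them; only the packet-filter state is reverted.
}

#######################################
# Print usage to stderr and exit with status 2.
#######################################
usage() {
  printf 'Usage: %s start|stop\n' "${0##*/}" >&2
  exit 2
}

#######################################
# Entry point: validate the environment and dispatch on the single argument.
# Arguments: $1 - "start" or "stop"
#######################################
main() {
  [[ $# -eq 1 ]] || usage
  (( EUID == 0 )) || die "this script must be run as root"
  [[ -x "$IPTABLES" ]] || die "$IPTABLES not found or not executable"
  case "$1" in
    start) start_firewall ;;
    stop) stop_firewall ;;
    *) usage ;;
  esac
}

main "$@"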