cnl-lab1

firewall.sh

#!/bin/sh

# INIT
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X

# NAT
iptables -t nat -A POSTROUTING -s192.168.100.0/24 -o eth0 -j MASQUERADE
echo "1" > /proc/sys/net/ipv4/ip_forward

# Default
iptables -P FORWARD DROP

# 53 = DNS
iptables -i eth0 -o eth1 -A FORWARD -p udp --sport 53 -j ACCEPT
iptables -i eth0 -o eth1 -A FORWARD -p tcp --sport 53 -j ACCEPT
iptables -i eth1 -o eth0 -A FORWARD -p udp --dport 53 -j ACCEPT
iptables -i eth1 -o eth0 -A FORWARD -p tcp --dport 53 -j ACCEPT

# ICMP
iptables -i eth1 -o eth0 -A FORWARD -p icmp --icmp-type 8 -j ACCEPT
iptables -i eth0 -o eth1 -A FORWARD -p icmp --icmp-type 0 -j ACCEPT

# HTTP, HTTPS
iptables -A FORWARD -i eth0 -o eth1 -p tcp -m multiport --sports 80,443 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -p tcp -m multiport --dports 80,443 -j ACCEPT

# FTP
iptables -A FORWARD -i eth0 -o eth1 -p tcp -m multiport --sports 20,21 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -p tcp -m multiport --dports 20,21 -j ACCEPT

# Telnet
iptables -A FORWARD -i eth0 -o eth1 -p tcp --sport 23 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -p tcp --dport 23 -j ACCEPT

# skype, it can still connect without the below rule.
iptables -A FORWARD -i eth1 -o eth0 -p tcp --sport 54972 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 54972 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -p udp --sport 54972 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -p udp --dport 54972 -j ACCEPT