#!/bin/sh # # rc.firewall - Initial SIMPLE IP Firewall test script for 2.4.x # # Author: David Whitmarsh # (c) 2001, 2002 Sparkle Computer Co ltd. # based on rc.firewall by Oskar Andreasson # parts (c) of BoingWorld.com, use at your own risk, # do whatever you please with # it as long as you don't distribute this without due credits to # BoingWorld.com and Sparkle Computer Co Ltd #
########### # Configuration options; these will help you get this script working # with your own setup.
# # your LAN's IP range and localhost IP. /24 means to only use the first 24 # bits of the 32 bit IP address, the same as netmask 255.255.255.0 # # BR_IP is used to access the firewall across the network # For maximum security don't set one up - but then you must do # everything directly on the firewall.
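#
# Required configuration. These are expected to be assigned in the
# configuration section above (not visible in this excerpt). Abort early if
# one is missing: with IPTABLES unset every rule below would silently fail to
# load while the bridge would still be created and brought up, i.e. the box
# would pass traffic with no filtering at all. BR_IP stays optional.
#
: "${IPTABLES:?IPTABLES (iptables command) must be set}"
: "${BR_IFACE:?BR_IFACE (bridge interface name) must be set}"
: "${INET_IFACE:?INET_IFACE (Internet-side interface) must be set}"
: "${LAN_IFACE:?LAN_IFACE (LAN-side interface) must be set}"
: "${INTERNAL_ADDRESS_RANGE:?INTERNAL_ADDRESS_RANGE (LAN network, CIDR) must be set}"

#
# Reset the tables this script populates. iptables acts on the filter table
# unless "-t" is given, so flushing without "-t mangle" leaves the mangle
# PREROUTING rules from a previous run in place and every re-run would
# append a second copy of them below.
#
"$IPTABLES" -F
"$IPTABLES" -X
"$IPTABLES" -t mangle -F
"$IPTABLES" -t mangle -X

#
# Set default policies for the INPUT, FORWARD and OUTPUT chains.
# These are set before the bridge exists so the box fails closed: if any of
# the later steps fails, nothing is forwarded unfiltered.
#
"$IPTABLES" -P INPUT DROP
"$IPTABLES" -P OUTPUT ACCEPT
"$IPTABLES" -P FORWARD DROP

# Our interfaces don't have IP addresses so we have to start with the mangle
# PREROUTING table
"$IPTABLES" -t mangle -P PREROUTING DROP

# Now we are pretty secure, let's start the bridge
# This will create a new interface
brctl addbr "$BR_IFACE"

# and add the interfaces to it
brctl addif "$BR_IFACE" "$INET_IFACE"
brctl addif "$BR_IFACE" "$LAN_IFACE"

# make us visible to the network again (optional)
if [ -n "$BR_IP" ]; then
  ifconfig "$BR_IFACE" "$BR_IP"
else
  # otherwise we must at least bring the interface up for the bridge to work.
  ifconfig "$BR_IFACE" up
fi

#
# Block obvious spoofs (RFC 1918 source addresses).
# NOTE(review): these rules match on any interface and sit before the LAN
# accept rule below. If INTERNAL_ADDRESS_RANGE is itself a private range,
# LAN traffic is dropped here before it can be accepted; confirm against the
# configuration section and, if so, restrict these to "-i $INET_IFACE".
#
"$IPTABLES" -t mangle -A PREROUTING -s 192.168.0.0/16 -j DROP
"$IPTABLES" -t mangle -A PREROUTING -s 10.0.0.0/8 -j DROP
"$IPTABLES" -t mangle -A PREROUTING -s 172.16.0.0/12 -j DROP

# Accept internal packets on the internal i/f
"$IPTABLES" -t mangle -A PREROUTING -i "$LAN_IFACE" -s "$INTERNAL_ADDRESS_RANGE" -j ACCEPT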