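#!/bin/sh
#
# Sample NAT script
# Public IP - 200.200.200.200
# Private IP range 192.168.17.0/24
#
# Assumes two interfaces: eth0 on the public side (200.200.200.200) and
# eth1 on the private 192.168.17.0/24 side.  Everything arriving on eth1
# is accepted; traffic from eth0 is limited to replies to existing
# connections, rate-limited pings and the ports opened below, and is
# logged (rate-limited) before being dropped.  Writes /proc and calls
# iptables, so it must run as root.

# set a few variables
echo ""
echo " setting global variables"
echo ""
export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
iptables="/sbin/iptables"

# adjust /proc
# Each knob is written only if the kernel exposes it, so a kernel that
# lacks one of them does not abort the script.
echo " applying general security settings to /proc filesystem"
echo ""
if [ -e /proc/sys/net/ipv4/tcp_syncookies ]; then echo 1 > /proc/sys/net/ipv4/tcp_syncookies; fi
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter; fi
# ip_forward is switched on further down, only after the FORWARD policy
# is DROP and the SNAT rule exists.  Enabling it here would forward LAN
# traffic, unmasqueraded, under whatever ruleset happened to be loaded
# (or no ruleset at all) until the NAT section below runs.

# load some modules
# FTP connection-tracking and NAT helpers.  The test expects the module
# as a ".o" file at this exact path; on systems that ship the helpers
# under another name or path the test is simply false and the helpers
# are silently not loaded (no error, active FTP through the NAT then
# fails).
kver=$(uname -r)
if [ -e "/lib/modules/$kver/kernel/net/ipv4/netfilter/ip_conntrack_ftp.o" ]; then modprobe ip_conntrack_ftp; fi
if [ -e "/lib/modules/$kver/kernel/net/ipv4/netfilter/ip_nat_ftp.o" ]; then modprobe ip_nat_ftp; fi

# flush any existing chains and set default policies
# INPUT is closed by default from here on; every ACCEPT below is an
# explicit exception.  OUTPUT from the firewall itself is unrestricted.
$iptables -F INPUT
$iptables -F OUTPUT
$iptables -P INPUT DROP
$iptables -P OUTPUT ACCEPT

# setup NAT
echo " applying NAT rules"
echo ""
$iptables -F FORWARD
$iptables -F -t nat
$iptables -P FORWARD DROP
# The private side (eth1) is fully trusted: anything it sends may be
# forwarded, and anything it sends to the firewall is accepted.
$iptables -A FORWARD -i eth1 -j ACCEPT
$iptables -A INPUT -i eth1 -j ACCEPT
$iptables -A OUTPUT -o eth1 -j ACCEPT
# Return traffic for connections the LAN opened.
$iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Rewrite the source of LAN traffic leaving on eth0 to the public address.
$iptables -t nat -A POSTROUTING -s 192.168.17.0/24 -o eth0 -j SNAT --to-source 200.200.200.200
# Only now is it safe to let the kernel forward packets: the FORWARD
# policy is DROP and the SNAT rule is in place.
if [ -e /proc/sys/net/ipv4/ip_forward ]; then echo 1 > /proc/sys/net/ipv4/ip_forward; fi

# allow all packets on the loopback interface
$iptables -A INPUT -i lo -j ACCEPT
$iptables -A OUTPUT -o lo -j ACCEPT

# allow established and related packets back in
$iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# icmp
echo " applying ICMP rules"
echo ""
$iptables -A OUTPUT -p icmp -m state --state NEW -j ACCEPT
$iptables -A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
# Unsolicited pings from the public side are answered at most once per
# second; anything over the limit falls through to the DROP policy.
$iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -i eth0 -j ACCEPT

# apply icmp type match blocking
# "-I" puts these at the head of INPUT, so they take effect before every
# ACCEPT above -- including the blanket accept for eth1.  These ICMP
# types can alter routing or leak the netmask and are not needed here.
echo " applying icmp type match blocking"
echo ""
$iptables -I INPUT -p icmp --icmp-type redirect -j DROP
$iptables -I INPUT -p icmp --icmp-type router-advertisement -j DROP
$iptables -I INPUT -p icmp --icmp-type router-solicitation -j DROP
$iptables -I INPUT -p icmp --icmp-type address-mask-request -j DROP
$iptables -I INPUT -p icmp --icmp-type address-mask-reply -j DROP

# open ports to the firewall
# No "-i" on these rules, and eth1/lo are already accepted wholesale
# above, so in practice they open SSH (22) and 3128 to the public side
# (eth0).  NOTE(review): if 3128 is a proxy meant for LAN clients only,
# it does not need to be reachable from eth0 at all -- the eth1 ACCEPT
# already covers the LAN -- and this rule could be dropped.
echo " applying the open port(s) to the firewall rules"
echo "Opening Port 22 & 3128"
$iptables -A INPUT -p tcp --dport 22 -j ACCEPT
$iptables -A INPUT -p tcp --dport 3128 -j ACCEPT

# logging
# Whatever from eth0 has not been accepted by now is logged, at most one
# entry per second per protocol, then dropped below.
echo " applying logging rules"
$iptables -A INPUT -i eth0 -p tcp -m limit --limit 1/s --dport 0:65535 -j LOG --log-prefix "tcp connection: "
$iptables -A INPUT -i eth0 -p udp -m limit --limit 1/s --dport 0:65535 -j LOG --log-prefix "udp connection: "

# drop all other packets
# Explicit drops for TCP/UDP from eth0; every other protocol and interface
# not matched above is handled by the INPUT DROP policy set earlier.
echo " applying default drop policies"
echo ""
$iptables -A INPUT -i eth0 -p tcp --dport 0:65535 -j DROP
$iptables -A INPUT -i eth0 -p udp --dport 0:65535 -j DROP

echo "### NAT Firewall is loaded ###"
echo ""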