Description


NAT iptables Firewall Script


The NAT iptables firewall script controls network traffic with iptables. It is designed to run once, each time the system boots; running it a second time may add the same rules twice. To add a new rule while the firewall is running, change the -A option to -I so that the rule is inserted at the top of the chain instead of appended at the end.



Setting Up Interfaces


Here are some definitions for your network interfaces:



  • BAD_IFACE: eth0

  • DMZ_IFACE: eth1

  • GOOD_IFACE: eth2

  • DMZ_ADDR: x.x.x.96/28

  • GOOD_ADDR: 192.168.1.0/24

  • MASQ_SERVER: x.x.x.98

  • FTP_SERVER: x.x.x.100

  • MAIL_SERVER: x.x.x.99 (Internal: 192.168.1.3)



Add Routes and Proxy ARP Settings


You can also delete and add routes for your interfaces like this:




# Interface names from the definitions above
BAD_IFACE=eth0
DMZ_IFACE=eth1
# Deleting routes
ip route del x.x.x.96/28 dev "$BAD_IFACE"
ip route del x.x.x.96/28 dev "$DMZ_IFACE"
# Adding routes
ip route add x.x.x.97 dev "$BAD_IFACE"
ip route add x.x.x.96/28 dev "$DMZ_IFACE"
# Enable proxy ARP for the DMZ network
echo 1 > "/proc/sys/net/ipv4/conf/$BAD_IFACE/proxy_arp"
echo 1 > "/proc/sys/net/ipv4/conf/$DMZ_IFACE/proxy_arp"
# Enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
# Turn on anti-spoofing protection (reverse-path filtering) for all interfaces
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > "$f"; done



Cleansing Existing Rules and Setting Defaults


The next step is to clear out any existing rules so you can start fresh.




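# Flush all rules in the filter table's built-in chains
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
# Deny everything initially. This is set as the chain policy: a DROP rule
# appended with -A to a freshly flushed chain would be rule 1 and would
# match before every rule appended after it.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP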
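
The description warns that a second run can add the same rules twice, and the -A versus -I advice exists because a rule only takes effect if nothing earlier in its chain has already decided the packet. The following added example (not part of the original script) reads iptables-save output and flags both conditions; the sample ruleset is constructed, reusing the interface names and the 192.168.1.0/24 range defined above, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not part of the original script): audit iptables-save output
# for duplicate rules and for rules that can never match.

# Constructed sample of iptables-save output. Interface names and the
# 192.168.1.0/24 range follow the definitions above; the MASQUERADE and
# ACCEPT rules themselves are assumptions made for illustration.
sample_save() {
cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -j DROP
-A INPUT -i lo -j ACCEPT
-A FORWARD -i eth2 -o eth0 -j ACCEPT
COMMIT
EOF
}

# audit_rules: reads iptables-save text on stdin, prints one finding per line.
#   DUPLICATE  the identical rule already exists in the same table
#   SHADOWED   the rule sits after a match-all DROP/REJECT/ACCEPT in its chain
audit_rules() {
    awk '
    /^\*/      { table = substr($0, 2); next }   # "*nat", "*filter", ...
    $1 != "-A" { next }                          # skip policies and COMMIT
    {
        rule = table ": " $0
        chain = table ":" $2
        if (seen[rule]++) print "DUPLICATE " rule
        # "-A CHAIN -j TARGET" has no match criteria, so nothing after it runs.
        if (chain in stop) {
            print "SHADOWED " rule
        } else if ($3 == "-j" && $4 ~ /^(DROP|REJECT|ACCEPT)$/) {
            stop[chain] = 1
        }
    }'
}

# On a live host (as root): iptables-save | audit_rules
sample_save | audit_rules
```

The check does not follow jumps into user-defined chains, so it reports only shadowing within a single chain.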



User Reviews for NAT iptables firewall script FOR LINUX (7)

  • NAT iptables firewall script FOR LINUX is a handy tool for managing iptables rules efficiently. Perfect for Linux servers!
    Alice Johnson
  • This NAT iptables firewall script is fantastic! It's straightforward to implement and incredibly effective.
    Alex
  • I love this app! The detailed rules help me secure my network perfectly. Highly recommend for any admin!
    Jordan
  • A must-have for firewall management. This script simplifies complex tasks and keeps my network safe!
    Taylor
  • Excellent tool! The NAT iptables firewall script is easy to use and provides robust security features.
    Jamie
  • This app has transformed how I manage my firewall settings. Simple yet powerful, I give it five stars!
    Morgan
  • Absolutely love this firewall script! It's efficient, user-friendly, and has made securing my network a breeze.
    Casey
© Copyright 2024, SoftPas, All Rights Reserved.