
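#!/bin/bash
# Stateful NAT/firewall ruleset for a two-interface router:
#   eth0 = WAN (outbound traffic is SNATed to $INETIP)
#   eth1 = LAN ($LOCALNET/24)
# Every chain gets a DROP policy; the rules below are the only traffic
# allowed. Must run as root. Re-running is safe: the filter and nat
# tables are flushed before rules are appended.
#
# Failure mode: once the DROP policies are set, any later iptables
# error aborts the script (set -e) and leaves the box fail-closed.
set -eu

IPTABLES=${IPTABLES:-/usr/sbin/iptables}
# Not used below; kept for scripts that source this file.
IPTABLESSAVE=${IPTABLESSAVE:-/usr/sbin/iptables-save}
INETIP=192.168.1.1
LOCALNET=192.168.7.0
WAN_IF=eth0
LAN_IF=eth1

# LAN hosts permitted to open connections through the router to the WAN.
# NOTE(review): these hosts and INETIP sit in 192.168.1.0/24 while LOCALNET
# is 192.168.7.0/24, so they are NOT covered by the LOCALNET INPUT/OUTPUT
# rules below — confirm which subnet is actually on eth1.
LAN_FORWARD_HOSTS=(
  192.168.1.2
  192.168.1.3
  192.168.1.4
  192.168.1.13
  192.168.1.17
  192.168.1.15
)

# Start from an empty ruleset in both tables.
"$IPTABLES" --flush
"$IPTABLES" -t nat --flush

# Default policies: nothing passes unless a rule below accepts it.
"$IPTABLES" -P INPUT DROP
"$IPTABLES" -P OUTPUT DROP
"$IPTABLES" -P FORWARD DROP

# Unlimited traffic on the loopback interface.
"$IPTABLES" -A INPUT -i lo -j ACCEPT
"$IPTABLES" -A OUTPUT -o lo -j ACCEPT

# Source NAT: everything leaving on the WAN interface appears to come from INETIP.
"$IPTABLES" -t nat -A POSTROUTING -o "$WAN_IF" -j SNAT --to-source "$INETIP"

# Reject LAN access to TCP/3306 on this host. This rule must come BEFORE
# the broad LAN ACCEPT: iptables stops at the first matching rule, so
# appended after the ACCEPT it would never be reached for $LOCALNET sources.
"$IPTABLES" -A INPUT -i "$LAN_IF" -p tcp --dport 3306 -j REJECT

# Management access from the LAN to this host, and the host's replies /
# new connections back to the LAN.
# NOTE(review): the --state lists omit RELATED, so ICMP errors and
# helper-tracked data connections are not matched — confirm this is intended.
"$IPTABLES" -A INPUT -i "$LAN_IF" --source "$LOCALNET/24" --match state --state NEW,ESTABLISHED -j ACCEPT
"$IPTABLES" -A OUTPUT -o "$LAN_IF" --destination "$LOCALNET/24" --match state --state NEW,ESTABLISHED -j ACCEPT

# Forward LAN -> WAN only for the listed hosts.
for host in "${LAN_FORWARD_HOSTS[@]}"; do
  "$IPTABLES" -A FORWARD -i "$LAN_IF" --source "$host" --destination 0.0.0.0/0 \
    --match state --state NEW,ESTABLISHED -j ACCEPT
done

# Forward WAN -> LAN only for connections the LAN already established.
"$IPTABLES" -A FORWARD -i "$WAN_IF" --destination "$LOCALNET/24" --match state --state ESTABLISHED -j ACCEPT

# Note: there is no OUTPUT rule for $WAN_IF, so the router itself cannot
# originate traffic to the WAN; only forwarded LAN traffic leaves on eth0.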