特殊:Badtitle/NS100:Router/Firewall:修订间差异
小 创建新页面为 '{{From|https://help.ubuntu.com/community/Router/Firewall}} {{Languages|UbuntuHelp:Router/Firewall}} == Basic == Install the Uncomplicated Firewall, package name is '''ufw'''. Th...' |
小无编辑摘要 |
(未显示同一用户的1个中间版本) | |||
第2行: | 第2行: | ||
{{Languages|UbuntuHelp:Router/Firewall}} | {{Languages|UbuntuHelp:Router/Firewall}} | ||
== Basic == | == Basic == | ||
Install the Uncomplicated Firewall, package name is '''ufw'''. | Install the Uncomplicated Firewall, package name is '''ufw'''. Uncomplicated firewall just sets up | ||
iptables using a simple syntax, or an extended syntax based on OpenBSD's PF. To use ```ufw``` for | |||
routing, you must know iptables and should edit the files in /etc/ufw/*.rules. | |||
== Advanced == | == Advanced == | ||
The following is a specific example of a firewall script using only iptables. | |||
The following is a specific example of a firewall script. | |||
<pre><nowiki> | <pre><nowiki> | ||
#!/bin/sh | #!/bin/sh | ||
# External (Internet-facing) interface | # External (Internet-facing) interface | ||
第19行: | 第14行: | ||
# External IP address (automatically detected) | # External IP address (automatically detected) | ||
EXTIP=" | EXTIP=$(/sbin/ip addr show dev "$EXTIF" | perl -lne 'if(/inet (\S+)/){print$1;last}'); | ||
# Internal interface | # Internal interface | ||
第44行: | 第39行: | ||
/sbin/iptables-restore <<-EOF; | |||
*filter | |||
:INPUT DROP [0:0] | |||
:FORWARD DROP [0:0] | |||
:OUTPUT DROP [0:0] | |||
# INPUT: Incoming traffic from various interfaces # | # INPUT: Incoming traffic from various interfaces # | ||
# Loopback interface is valid | # Loopback interface is valid | ||
-A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT | |||
# Local interface, local machines, going anywhere is valid | # Local interface, local machines, going anywhere is valid | ||
-A INPUT -i $INTIF -s $INTNET -d $UNIVERSE -j ACCEPT | |||
# Remote interface, claiming to be local machines, IP spoofing, get lost | # Remote interface, claiming to be local machines, IP spoofing, get lost | ||
-A INPUT -i $EXTIF -s $INTNET -d $UNIVERSE -j REJECT | |||
# External interface, from any source, for ICMP traffic is valid | # External interface, from any source, for ICMP traffic is valid | ||
-A INPUT -i $EXTIF -p ICMP -s $UNIVERSE -d $EXTIP -j ACCEPT | |||
# Allow any related traffic coming back to the MASQ server in. | # Allow any related traffic coming back to the MASQ server in. | ||
-A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT | |||
# Internal interface, DHCP traffic accepted | # Internal interface, DHCP traffic accepted | ||
-A INPUT -i $INTIF -p tcp --sport 68 --dport 67 -j ACCEPT | |||
-A INPUT -i $INTIF -p udp --sport 68 --dport 67 -j ACCEPT | |||
# External interface, HTTP/HTTPS traffic allowed | # External interface, HTTP/HTTPS traffic allowed | ||
-A INPUT -i $EXTIF -m conntrack --ctstate NEW,ESTABLISHED,RELATED -p tcp -s $UNIVERSE -d $EXTIP --dport 80 -j ACCEPT | |||
-A INPUT -i $EXTIF -m conntrack --ctstate NEW,ESTABLISHED,RELATED -p tcp -s $UNIVERSE -d $EXTIP --dport 443 -j ACCEPT | |||
# External interface, SSH traffic allowed | # External interface, SSH traffic allowed | ||
-A INPUT -i $EXTIF -m conntrack --ctstate NEW,ESTABLISHED,RELATED -p tcp -s $UNIVERSE -d $EXTIP --dport 22 -j ACCEPT | |||
# Accept port 1234 to be forwarded (this rule needs to correspond with PREROUTING rules in NAT table) | |||
#-A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 1234 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT | |||
# Catch-all rule, reject anything else | # Catch-all rule, reject anything else | ||
-A INPUT -s $UNIVERSE -d $UNIVERSE -j REJECT | |||
第101行: | 第90行: | ||
# Workaround bug in netfilter | # Workaround bug in netfilter | ||
-A OUTPUT -m conntrack -p icmp --ctstate INVALID -j DROP | |||
# Loopback interface is valid. | # Loopback interface is valid. | ||
-A OUTPUT -o lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT | |||
# Local interfaces, any source going to local net is valid | # Local interfaces, any source going to local net is valid | ||
-A OUTPUT -o $INTIF -s $EXTIP -d $INTNET -j ACCEPT | |||
# local interface, MASQ server source going to the local net is valid | # local interface, MASQ server source going to the local net is valid | ||
-A OUTPUT -o $INTIF -s $INTIP -d $INTNET -j ACCEPT | |||
# outgoing to local net on remote interface, stuffed routing, deny | # outgoing to local net on remote interface, stuffed routing, deny | ||
-A OUTPUT -o $EXTIF -s $UNIVERSE -d $INTNET -j REJECT | |||
# anything else outgoing on remote interface is valid | # anything else outgoing on remote interface is valid | ||
-A OUTPUT -o $EXTIF -s $EXTIP -d $UNIVERSE -j ACCEPT | |||
# Internal interface, DHCP traffic accepted | # Internal interface, DHCP traffic accepted | ||
-A OUTPUT -o $INTIF -p tcp -s $INTIP --sport 67 -d 255.255.255.255 --dport 68 -j ACCEPT | |||
-A OUTPUT -o $INTIF -p udp -s $INTIP --sport 67 -d 255.255.255.255 --dport 68 -j ACCEPT | |||
# Catch all rule, all other outgoing is denied and logged. | # Catch all rule, all other outgoing is denied and logged. | ||
-A OUTPUT -s $UNIVERSE -d $UNIVERSE -j REJECT | |||
# Accept solicited tcp packets | |||
-A FORWARD -i $EXTIF -o $INTIF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT | |||
# | # Allow packets across the internal interface | ||
-A FORWARD -i $INTIF -o $INTIF -j ACCEPT | |||
# - | # Forward packets from the internal network to the Internet | ||
-A FORWARD -i $INTIF -o $EXTIF -j ACCEPT | |||
# | # Catch-all REJECT rule | ||
-A FORWARD -j REJECT | |||
COMMIT | |||
# | # Address translations (only; there is no actual forwarding done here) | ||
*nat | |||
:PREROUTING ACCEPT [0:0] | |||
:POSTROUTING ACCEPT [0:0] | |||
:OUTPUT ACCEPT [0:0] | |||
# | # ----- Begin OPTIONAL FORWARD Section ----- | ||
# | #Optionally forward incoming tcp connections on port 1234 to 192.168.0.100 | ||
#-A PREROUTING -p tcp -d $EXTIP --dport 1234 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j DNAT --to 192.168.0.100:1234 | |||
# | # ----- End OPTIONAL FORWARD Section ----- | ||
# IP-Masquerade | # IP-Masquerade | ||
-A POSTROUTING -o $EXTIF -j MASQUERADE | |||
COMMIT | |||
EOF | |||
echo " done." | echo " done." | ||
</nowiki></pre> | </nowiki></pre> | ||
Or use '''[http://firehol.sourceforge.net/ fireHOL]''' | |||
[[category:UbuntuHelp]] | [[category:UbuntuHelp]] |
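Review bot: The new `EXTIP=$(/sbin/ip addr show dev "$EXTIF" | perl -lne 'if(/inet (\S+)/){print$1;last}')` line captures the whole `inet` token, and `ip addr` prints that with its prefix length (`A.B.C.D/NN`), so the `-d $EXTIP` and `-s $EXTIP` matches in the `iptables-restore` heredoc cover the entire external subnet rather than this host. If no address is found, `EXTIP` is empty, those rules become malformed and the whole `*filter` table is rejected, while `ip_forward` has already been enabled on the line above and the script still prints ` done.` because the exit status of `/sbin/iptables-restore` is never checked. Suggest stripping the prefix and failing closed before loading: `EXTIP=${EXTIP%/*}` followed by `[ -n "$EXTIP" ] || { echo "no IPv4 address on $EXTIF" >&2; exit 1; }`, and enabling forwarding only after the restore succeeds. The heredoc's `# Catch all rule, all other outgoing is denied and logged.` comment does not match the `-A OUTPUT -s $UNIVERSE -d $UNIVERSE -j REJECT` rule under it, which has no LOG target; `# Catch all rule, all other outgoing is denied.` would be accurate. The script's variable definitions start outside these hunks.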
2010年5月20日 (四) 00:06的最新版本
文章出处: |
{{#if: | {{{2}}} | https://help.ubuntu.com/community/Router/Firewall }} |
Basic
Install the Uncomplicated Firewall; the package name is ufw. Uncomplicated Firewall just sets up iptables using a simple syntax, or an extended syntax based on OpenBSD's PF. To use ufw for routing, you must know iptables and should edit the files in /etc/ufw/*.rules.
Advanced
The following is a specific example of a firewall script using only iptables.
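#!/bin/sh
# Simple NAT router / firewall.
#
# Loads a complete IPv4 ruleset (filter + nat tables) atomically through
# iptables-restore and only then enables IP forwarding.  Must run as root.
# Adjust EXTIF / INTIF / INTIP / INTNET for the local setup.

# External (Internet-facing) interface
EXTIF="eth0"
# External IP address (automatically detected from the first IPv4 "inet"
# entry on EXTIF).  `ip addr` prints the address together with its prefix
# length (A.B.C.D/NN); the prefix is stripped so that the -s/-d matches in
# the ruleset apply to this host only and not to the whole external subnet.
EXTIP=$(/sbin/ip addr show dev "$EXTIF" | perl -lne 'if(/inet (\S+)/){print$1;last}')
EXTIP=${EXTIP%/*}
# Internal interface
INTIF="br0"
# Internal IP address (in CIDR notation)
INTIP="192.168.0.1/32"
# Internal network address (in CIDR notation)
INTNET="192.168.0.0/24"
# The address of anything/everything (in CIDR notation)
UNIVERSE="0.0.0.0/0"

# Fail closed: with an empty EXTIP the -s/-d matches below would be
# malformed and iptables-restore would reject the whole filter table.
if [ -z "$EXTIP" ]; then
  echo "No IPv4 address found on $EXTIF; rules not loaded." >&2
  exit 1
fi

echo "External: [Interface=$EXTIF] [IP=$EXTIP]"
echo "Internal: [Interface=$INTIF] [IP=$INTIP] [Network:$INTNET]"
echo
# printf instead of `echo -n`: -n is not portable under /bin/sh.
printf '%s' "Loading rules..."

# The ruleset is applied atomically per table: if iptables-restore rejects
# it, the previously active rules stay in place.  Variables in the heredoc
# are expanded by the shell before iptables-restore reads the text.
/sbin/iptables-restore <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# INPUT: Incoming traffic from various interfaces #
# Loopback interface is valid
-A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
# Local interface, local machines, going anywhere is valid
-A INPUT -i $INTIF -s $INTNET -d $UNIVERSE -j ACCEPT
# Remote interface, claiming to be local machines, IP spoofing, get lost
-A INPUT -i $EXTIF -s $INTNET -d $UNIVERSE -j REJECT
# External interface, from any source, for ICMP traffic is valid
-A INPUT -i $EXTIF -p ICMP -s $UNIVERSE -d $EXTIP -j ACCEPT
# Allow any related traffic coming back to the MASQ server in.
-A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Internal interface, DHCP traffic accepted
-A INPUT -i $INTIF -p tcp --sport 68 --dport 67 -j ACCEPT
-A INPUT -i $INTIF -p udp --sport 68 --dport 67 -j ACCEPT
# External interface, HTTP/HTTPS traffic allowed
-A INPUT -i $EXTIF -m conntrack --ctstate NEW,ESTABLISHED,RELATED -p tcp -s $UNIVERSE -d $EXTIP --dport 80 -j ACCEPT
-A INPUT -i $EXTIF -m conntrack --ctstate NEW,ESTABLISHED,RELATED -p tcp -s $UNIVERSE -d $EXTIP --dport 443 -j ACCEPT
# External interface, SSH traffic allowed
-A INPUT -i $EXTIF -m conntrack --ctstate NEW,ESTABLISHED,RELATED -p tcp -s $UNIVERSE -d $EXTIP --dport 22 -j ACCEPT
# Accept port 1234 to be forwarded (this rule needs to correspond with PREROUTING rules in NAT table)
#-A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 1234 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
# Catch-all rule, reject anything else
-A INPUT -s $UNIVERSE -d $UNIVERSE -j REJECT
# OUTPUT: Outgoing traffic from various interfaces #
# Workaround bug in netfilter
-A OUTPUT -m conntrack -p icmp --ctstate INVALID -j DROP
# Loopback interface is valid.
-A OUTPUT -o lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
# Local interfaces, any source going to local net is valid
-A OUTPUT -o $INTIF -s $EXTIP -d $INTNET -j ACCEPT
# local interface, MASQ server source going to the local net is valid
-A OUTPUT -o $INTIF -s $INTIP -d $INTNET -j ACCEPT
# outgoing to local net on remote interface, stuffed routing, deny
-A OUTPUT -o $EXTIF -s $UNIVERSE -d $INTNET -j REJECT
# anything else outgoing on remote interface is valid
-A OUTPUT -o $EXTIF -s $EXTIP -d $UNIVERSE -j ACCEPT
# Internal interface, DHCP traffic accepted
-A OUTPUT -o $INTIF -p tcp -s $INTIP --sport 67 -d 255.255.255.255 --dport 68 -j ACCEPT
-A OUTPUT -o $INTIF -p udp -s $INTIP --sport 67 -d 255.255.255.255 --dport 68 -j ACCEPT
# Catch all rule, all other outgoing is denied (there is no LOG rule here).
-A OUTPUT -s $UNIVERSE -d $UNIVERSE -j REJECT
# Accept reply traffic (any protocol) for connections opened from the internal network
-A FORWARD -i $EXTIF -o $INTIF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Allow packets across the internal interface
-A FORWARD -i $INTIF -o $INTIF -j ACCEPT
# Forward packets from the internal network to the Internet
-A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
# Catch-all REJECT rule
-A FORWARD -j REJECT
COMMIT
# Address translations (only; there is no actual forwarding done here)
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# ----- Begin OPTIONAL FORWARD Section -----
#Optionally forward incoming tcp connections on port 1234 to 192.168.0.100
#-A PREROUTING -p tcp -d $EXTIP --dport 1234 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j DNAT --to 192.168.0.100:1234
# ----- End OPTIONAL FORWARD Section -----
# IP-Masquerade
-A POSTROUTING -o $EXTIF -j MASQUERADE
COMMIT
EOF
rc=$?
if [ "$rc" -ne 0 ]; then
  echo " failed (iptables-restore exit status $rc); forwarding left untouched." >&2
  exit "$rc"
fi

# Enabling IP forwarding -- only after the FORWARD rules are in place, so
# there is no window in which packets are forwarded under the old policy.
echo 1 > /proc/sys/net/ipv4/ip_forward
echo " done."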
Or use fireHOL