# -*- shell-script -*-
#
# Ferm example script
#
# Firewall configuration for a router with a dynamic IP.
#
# Author: Max Kellermann <max@duempel.org>
#
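# Interfaces facing the trusted LAN(s), and the interface facing the internet.
@def $DEV_PRIVATE = (eth0 eth1);
@def $DEV_WORLD = ppp0;
# Address range considered "internal".  It restricts both which sources may
# reach local services and (in the nat table) which sources get masqueraded.
@def $NET_PRIVATE = 192.168.0.0/16;

table filter {
    chain INPUT {
        policy DROP;

        # connection tracking
        mod state state INVALID DROP;
        mod state state (ESTABLISHED RELATED) ACCEPT;

        # allow local connections
        interface lo ACCEPT;

        # respond to ping (replies are covered by ESTABLISHED/RELATED above)
        proto icmp icmp-type echo-request ACCEPT;

        # for IPsec: IKE on udp/500 plus the ESP and AH protocols themselves.
        # NOTE: NAT-T (udp/4500) is not opened here; add it if peers sit behind NAT.
        interface $DEV_WORLD {
            proto udp dport 500 ACCEPT;
            proto (esp ah) ACCEPT;
        }

        # allow SSH connections from the private network and from some
        # well-known internet hosts
        saddr ($NET_PRIVATE 81.209.165.42) proto tcp dport ssh ACCEPT;

        # we provide DNS and SMTP services for the internal net.  Both the
        # inbound interface and the source address are checked, so a packet
        # arriving on a LAN interface with a foreign source is still dropped.
        interface $DEV_PRIVATE saddr $NET_PRIVATE {
            proto (udp tcp) dport domain ACCEPT;
            proto tcp dport smtp ACCEPT;
        }

        # some IRC servers want that: answer ident, and REJECT (rather than
        # silently drop) the usual proxy probe ports so the peer gets a fast answer
        interface $DEV_WORLD {
            proto tcp dport auth ACCEPT;
            proto tcp dport (8080 3128) REJECT;
        }

        # the rest is dropped by the above policy
    }

    # outgoing connections are not limited
    chain OUTPUT policy ACCEPT;

    chain FORWARD {
        policy DROP;

        # connection tracking
        mod state state INVALID DROP;
        mod state state (ESTABLISHED RELATED) ACCEPT;

        # connections from the internal net to the internet or to other
        # internal nets are allowed.  The source address is checked here as
        # well (matching the nat rule below): a packet arriving on a LAN
        # interface with a non-private source would not match the MASQUERADE
        # rule and would otherwise be forwarded out of $DEV_WORLD unmasqueraded.
        interface $DEV_PRIVATE saddr $NET_PRIVATE ACCEPT;

        # the rest is dropped by the above policy
    }
}

table nat {
    chain POSTROUTING {
        # masquerade private IP addresses leaving towards the internet
        saddr $NET_PRIVATE outerface $DEV_WORLD MASQUERADE;
    }
}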