1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
|
# -*- shell-script -*-
#
# Ferm example script
#
# Firewall configuration for a router with a dynamic IP.
#
# Author: Max Kellermann <max@duempel.org>
#
@def $DEV_PRIVATE = (eth0 eth1);
@def $DEV_WORLD = ppp0;
@def $NET_PRIVATE = 192.168.0.0/16;
table filter {
chain INPUT {
policy DROP;
# connection tracking
mod state state INVALID DROP;
mod state state (ESTABLISHED RELATED) ACCEPT;
# allow local connections
interface lo ACCEPT;
# respond to ping
proto icmp icmp-type echo-request ACCEPT;
# for IPsec
interface $DEV_WORLD {
proto udp dport 500 ACCEPT;
proto (esp ah) ACCEPT;
}
# allow SSH connections from the private network and from some
# well-known internet hosts
saddr ($NET_PRIVATE 81.209.165.42) proto tcp dport ssh ACCEPT;
# we provide DNS and SMTP services for the internal net
interface $DEV_PRIVATE saddr $NET_PRIVATE {
proto (udp tcp) dport domain ACCEPT;
proto tcp dport smtp ACCEPT;
}
# some IRC servers want that
interface $DEV_WORLD {
proto tcp dport auth ACCEPT;
proto tcp dport (8080 3128) REJECT;
}
# the rest is dropped by the above policy
}
# outgoing connections are not limited
chain OUTPUT policy ACCEPT;
chain FORWARD {
policy DROP;
# connection tracking
mod state state INVALID DROP;
mod state state (ESTABLISHED RELATED) ACCEPT;
# connections from the internal net to the internet or to other
# internal nets are allowed
interface $DEV_PRIVATE ACCEPT;
# the rest is dropped by the above policy
}
}
table nat {
chain POSTROUTING {
# masquerade private IP addresses
saddr $NET_PRIVATE outerface $DEV_WORLD MASQUERADE;
}
}
|
