1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
|
#!/bin/sh
#
# Firewall script for GGSN
#
# Uses $IFGN (eth0) as the Gn interface (Gn) and
# $IFGI (eth1) as the Gi interface.
#
# SUMMARY
# * All connections originating from GGSN are allowed.
# * Incoming ssh, GTPv0 and GTPv1 is allowed on the Gn interface.
# * Incoming ssh is allowed on the Gi interface.
# * Forwarding is allowed to and from the Gi interface, but disallowed
# to and from the Gn interface.
# * Masquerede on Gi interface.
NFT="nft"
IFGN="eth0"
IFGI="eth1"
$NFT add chain ip filter input '{ policy drop; }'
$NFT add chain ip filter forward '{ policy accept; }'
$NFT add chain ip filter output '{ policy accept; }'
#Allow related and established on all interfaces (input)
$NFT add rule ip filter input ct state related,established counter accept
#Allow releated, established, GTP and ssh on $IFGN. Reject everything else.
$NFT add rule ip filter input iifname $IFGN tcp dport 22 tcp flags syn / fin,syn,rst,ack counter accept
$NFT add rule ip filter input iifname $IFGN udp dport 2123 counter accept
$NFT add rule ip filter input iifname $IFGN udp dport 2152 counter accept
$NFT add rule ip filter input iifname $IFGN udp dport 3386 counter accept
$NFT add rule ip filter input iifname $IFGN counter reject
#Allow related, established and ssh. Drop everything else.
$NFT add rule ip filter input iifname $IFGI tcp dport 22 tcp flags syn / fin,syn,rst,ack counter accept
$NFT add rule ip filter input iifname $IFGI counter drop
# Masquerade everything going out on $IFGI
$NFT add rule ip nat POSTROUTING oifname $IFGI counter masquerade
#Allow everything on loopback interface.
$NFT add rule ip filter input iifname "lo" counter accept
# Drop everything to and from $IFGN (forward)
$NFT add rule ip filter forward iifname $IFGN counter drop
$NFT add rule ip filter forward oifname $IFGN counter drop
|
