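# IP Tables for basic routing and port forwarding
# Generated by iptables.py
#
# Layout: a *nat table (MASQUERADE on the WAN plus DNAT port forwards) and a
# *filter table (INPUT = traffic addressed to the router itself, FORWARD =
# traffic routed between interfaces).  Both INPUT and FORWARD end in an
# explicit DROP, so anything not accepted by an earlier rule is denied.
# Rule order matters: netfilter stops at the first matching rule.
# Chain policies are left at ACCEPT; the trailing DROP rules are the default deny.
#######################################
# Configuration Info
#######################################
# WAN Interface: {{network.wan}}
# LAN Interface: {{network.lan}}
{% if port_forwards %}
# Forwarding these ports:
{% for r in port_forwards %}
# :{{r.src_port}} -> {{r.dst_ip}}:{{r.dst_port}}
{% endfor %}
{% endif %}
{% if open_ports %}
# Open ports on router:
{% for r in open_ports %}
# :{{r.port}}
{% endfor %}
{% endif %}
#######################################
# NAT Rules
#######################################
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Masquerade on {{network.wan}}
#######################################
# Rewrite the source of everything leaving via the WAN to the WAN address
-A POSTROUTING -o {{network.wan}} -j MASQUERADE
{% if port_forwards %}
# Port Forwarding NAT Rules
#######################################
# Only packets arriving on the WAN interface are rewritten; the matching
# FORWARD accept rules live in the *filter table below.
{% for r in port_forwards %}
# {{ r.comment }}
-A PREROUTING -p tcp -i {{network.wan}} --dport {{r.src_port}} -j DNAT --to-destination {{r.dst_ip}}:{{r.dst_port}}
-A PREROUTING -p udp -i {{network.wan}} --dport {{r.src_port}} -j DNAT --to-destination {{r.dst_ip}}:{{r.dst_port}}
{% endfor %}
{% endif %}
COMMIT
#######################################
# Filter Rules
#######################################
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Basic Accept Rules
#######################################
# Accept Loopback Interface.
# Match on the interface only: local processes that talk to the router's own
# LAN/WAN address also arrive on lo with a non-127/8 address, and a rule that
# additionally requires -s/-d 127.0.0.0/8 would let the final DROP eat them.
-A INPUT -i lo -j ACCEPT
# Loopback addresses must never arrive on a real interface (spoofed source)
-A INPUT ! -i lo -s 127.0.0.0/8 -j DROP
# Accept ICMP Packets
-A INPUT -p icmp -j ACCEPT
# Accept Established Connections.
# RELATED is included so ICMP errors and helper-tracked secondary
# connections for flows the router opened are not dropped; uses the
# conntrack match so it agrees with the FORWARD rule below.
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Accept All Connections On LAN
-A INPUT -i {{network.lan}} -j ACCEPT
# Traceroute Rejections (answer the UDP probe range with port-unreachable
# instead of silently dropping, so traceroutes terminate at this hop)
-A INPUT -p udp -m udp --dport 33434:33523 -j REJECT --reject-with icmp-port-unreachable
# Open WAN Ports
#######################################
{% if open_ports %}
# Accept Traffic on WAN from these ports.
# Restricted to the WAN interface to match the stated intent; LAN-side
# access to the same ports is already covered by the LAN accept rule above.
{% for r in open_ports %}
# {{ r.comment }}
-A INPUT -i {{network.wan}} -p tcp --dport {{r.port}} -j ACCEPT
{% endfor %}
{% endif %}
# Drop all other non-specified traffic
-A INPUT -j DROP
# Basic Forwarding Rules
#######################################
# Forward traffic along related,established connections
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Forward from LAN ({{network.lan}}) to WAN ({{network.wan}})
-A FORWARD -i {{network.lan}} -o {{network.wan}} -j ACCEPT
# Port Forwarding Forward Rules
#######################################
{% if port_forwards %}
# FORWARD sees the packet after PREROUTING DNAT, so match on the
# rewritten (LAN-side) destination address and port.
{% for r in port_forwards %}
# {{ r.comment }}
-A FORWARD -p tcp -d {{r.dst_ip}} --dport {{r.dst_port}} -j ACCEPT
-A FORWARD -p udp -d {{r.dst_ip}} --dport {{r.dst_port}} -j ACCEPT
{% endfor %}
{% endif %}
# drop all other forwarded traffic
-A FORWARD -j DROP
COMMIT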