firewall


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24

#!/bin/sh
iptables -t filter --flush
iptables -t nat --flush
iptables -t filter --delete-chain
iptables -t nat --delete-chain

iptables -t filter -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -t filter -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

iptables -t filter -A INPUT -i lo -j ACCEPT
iptables -t filter -A INPUT -i natbr0 -p udp -m udp --sport 67:68 --dport 67:68 -j ACCEPT
iptables -t filter -A INPUT -d 172.16.0.0/16 -i natbr0 -j ACCEPT
iptables -t filter -A INPUT -s 172.16.0.0/16 -i natbr0 -j ACCEPT
iptables -t filter -A FORWARD -i natbr0 -j ACCEPT
iptables -t filter -A FORWARD -o natbr0 -j ACCEPT

iptables -t filter -A INPUT -j DROP
iptables -t filter -A OUTPUT -j ACCEPT
iptables -t filter -A FORWARD -j DROP

# NAT table
iptables -t nat -A POSTROUTING -s 172.16.0.0/16 -j MASQUERADE

sysctl net.ipv4.ip_forward=1