Quick and simple iptables gateway setup

This is just a simple open setup with a block drop on eth0, I am using this as a simple gateway for my vmware "Host-Only" network to get out to the real world, but not allowing traffic back in that wasnt requested for..

First off make sure you turn on forwarding in the /etc/sysctl.conf:

net.ipv4.ip_forward = 1

Then execute a sysctl -p

sysctl -p
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 4294967296

Then here is the ruleset that i am currently using:

/sbin/iptables -F
/sbin/iptables -t nat -F
/sbin/iptables -t mangle -F

/sbin/iptables -P INPUT ACCEPT
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -P FORWARD ACCEPT
/sbin/iptables -t nat -P PREROUTING ACCEPT
/sbin/iptables -t nat -P POSTROUTING ACCEPT
/sbin/iptables -t nat -P OUTPUT ACCEPT
/sbin/iptables -t mangle -P PREROUTING ACCEPT
/sbin/iptables -t mangle -P OUTPUT ACCEPT

/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
/sbin/iptables -A INPUT -i eth0 -p tcp -s 0/0 -d 0/0 –dport 22 -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p tcp -s 0/0 -d 0/0 –dport 1:65535 -j DROP
/sbin/iptables -A INPUT -i eth0 -p udp -s 0/0 -d 0/0 –dport 1:65535 -j DROP

This allows ssh back in on the outside interface but blocks everything else, and still allows internal traffic to freely flow out…

Save the iptables commands into a file and then execute the file and it will apply the rules. If on a redhat base, you can issue a iptables-save > /etc/sysconfig/iptables then you will be able to use the "service iptables start"/"service iptables stop" commands to start and stop the firewall for future use.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.