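#!/bin/sh
# Proxy-ARP router firewall: one box with a private LAN (NATed out) and a small
# block of public IPs living on the same internal segment, both behind ppp0.
#
# Complaints/corrections/death threats to ben@spod.cx
# This script originally provided from http://spod.cx/proxyarp.shtml
#
# Must run as root. Re-running is safe: every chain this script touches is
# flushed first (including mangle PREROUTING, so the TOS rules do not pile up).
# Deliberately no `set -e`: an aborted run would leave the box half-configured,
# which is why the default policies are set to DROP right after the flush.

IPTABLES="/sbin/iptables"

# Internal network interface
INTERNALIF="eth0"

## Internal network range
# You should change this to whatever your private internal network range is
INTERNALNET="192.168.0.0/24"

## External network interface
EXTERNALIF="ppp0"

## External network range
# You should change this to whatever your assigned ADSL IP range is.
# Hosts in this block sit on $INTERNALIF; the router answers ARP for them.
EXTERNALNET="1.2.3.16/29"

## Router IP address
ROUTER="1.2.3.17"

## Flush everything
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
$IPTABLES -t nat -F PREROUTING
$IPTABLES -t nat -F POSTROUTING
# The TOS rules below live in mangle; without this flush they are appended
# again on every run.
$IPTABLES -t mangle -F PREROUTING

## Fail closed while the ruleset is being rebuilt.
# The explicit DROP/REJECT rules at the end of INPUT/FORWARD still apply once
# the script completes; the policies only matter if it stops part way, and
# they are in place before forwarding is switched on below.
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT ACCEPT

echo 1 >/proc/sys/net/ipv4/ip_forward
echo "32768 61000" >/proc/sys/net/ipv4/ip_local_port_range

# Turn on ARP proxying (on the internal interface, where the public block lives)
echo 1 >/proc/sys/net/ipv4/conf/$INTERNALIF/proxy_arp
# Gives the router an address inside the public block on the LAN side.
# On a re-run this reports "File exists", which is harmless.
/bin/ip addr add $ROUTER dev $INTERNALIF

## Optimise packet throughput
$IPTABLES -A PREROUTING -t mangle -p udp --dport 53 -j TOS --set-tos Minimize-Delay
$IPTABLES -A PREROUTING -t mangle -p tcp --sport ssh -j TOS --set-tos Minimize-Delay
$IPTABLES -A PREROUTING -t mangle -p tcp --sport http -j TOS --set-tos Maximize-Throughput

## Kill manky packets
$IPTABLES -A INPUT -m state --state INVALID -j DROP
$IPTABLES -A FORWARD -m state --state INVALID -j DROP

## Allow all connections on the loopback interface
$IPTABLES -A INPUT -i lo -j ACCEPT

## Kill connections to the local interface from the outside world.
$IPTABLES -A INPUT -i $EXTERNALIF -d 127.0.0.0/8 -j REJECT

## Allow unlimited traffic from internal network using legit addresses
$IPTABLES -A INPUT -i $INTERNALIF -s $INTERNALNET -j ACCEPT

## Kill anything from outside claiming to be from internal network
$IPTABLES -A INPUT -i $EXTERNALIF -s $INTERNALNET -j REJECT

## Kill anything from outside claiming to be from our own public block.
# Those hosts are only ever reached via $INTERNALIF, so a packet with one of
# their addresses arriving on $EXTERNALIF is forged; DROP rather than REJECT
# so no reply goes back to the spoofed source.
# NOTE(review): assumes nothing in $EXTERNALNET is legitimately upstream of
# $EXTERNALIF (e.g. the PPP peer address) - confirm for your link.
$IPTABLES -A INPUT -i $EXTERNALIF -s $EXTERNALNET -j DROP

## Ping flood protection
# --limit 2/s with the default burst of 5; anything faster is dropped.
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -m limit --limit 2/s -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -j DROP

## Allow all other icmp
# Every other ICMP type is accepted from any interface.
$IPTABLES -A INPUT -p icmp -j ACCEPT

## Allow established connections
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

## Don't forward SMB related traffic
$IPTABLES -A FORWARD -o $EXTERNALIF -p tcp --dport 137 -j REJECT
$IPTABLES -A FORWARD -o $EXTERNALIF -p tcp --dport 138 -j REJECT
$IPTABLES -A FORWARD -o $EXTERNALIF -p tcp --dport 139 -j REJECT
$IPTABLES -A FORWARD -o $EXTERNALIF -p udp --dport 137 -j REJECT
$IPTABLES -A FORWARD -o $EXTERNALIF -p udp --dport 138 -j REJECT
$IPTABLES -A FORWARD -o $EXTERNALIF -p udp --dport 139 -j REJECT

## Allow ALL other forwarding going out
$IPTABLES -A FORWARD -o $EXTERNALIF -i $INTERNALIF -j ACCEPT

## Allow replies coming in
$IPTABLES -A FORWARD -i $EXTERNALIF -m state --state ESTABLISHED,RELATED -j ACCEPT

## http/ssh services on router
# No -i restriction: both ports are reachable from $EXTERNALIF as well as the
# LAN. Add -i $INTERNALIF here if the router itself should not be exposed.
$IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 80 -j ACCEPT

## Allow connections to "public" machines
# This is where you should allow incoming ports to internal machines
# on real IP addresses. The addresses below are examples inside $EXTERNALNET.
$IPTABLES -A FORWARD -p tcp --dport 22 -d 1.2.3.20 -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 80 -d 1.2.3.20 -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 80 -d 1.2.3.19 -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 22 -d 1.2.3.19 -j ACCEPT

## Reject crap
$IPTABLES -A INPUT -p all -j DROP
$IPTABLES -A FORWARD -p all -j REJECT

## Accept all output
$IPTABLES -A OUTPUT -j ACCEPT

## Masq outgoing connections from internal network (real IPs just get forwarded)
$IPTABLES -A POSTROUTING -t nat -o $EXTERNALIF -s $INTERNALNET -j MASQUERADE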