Diffstat (limited to 'etc/local.d/01-iptables.start')
-rwxr-xr-xetc/local.d/01-iptables.start59
1 files changed, 59 insertions, 0 deletions
diff --git a/etc/local.d/01-iptables.start b/etc/local.d/01-iptables.start
new file mode 100755
index 0000000..0778a15
--- /dev/null
+++ b/etc/local.d/01-iptables.start
@@ -0,0 +1,59 @@
+#!/bin/sh
+. /etc/local.d/vars.sh
+wan_ip="$(ip -4 addr show dev eth0 | awk '/inet/{print $2}' | sed -e's@/.*$@@g')"
+ipt=iptables
+ipt6=ip6tables
+
+
+# Set policies
+for chain in INPUT OUTPUT FORWARD ; do
+ $ipt -F $chain
+ $ipt -P $chain ACCEPT
+ $ipt6 -F $chain
+ $ipt6 -P $chain ACCEPT
+done
+
+$ipt -A INPUT -i lo -j ACCEPT
+$ipt -A INPUT -m conntrack --ctstate related,established -j ACCEPT
+$ipt -A INPUT -p tcp --dport 22 -d $lan_ip -j ACCEPT # SSH internally
+$ipt -A INPUT -p tcp --dport 9100 -j ACCEPT # prometheus node exporter
+$ipt -A INPUT -p tcp --dport 443 -j ACCEPT # HTTPs
+$ipt -A INPUT -i $lan -j ACCEPT
+$ipt -A INPUT -i $lan -p icmp -j ACCEPT
+$ipt -A INPUT -j DROP
+
+$ipt6 -A INPUT -i lo -j ACCEPT
+$ipt6 -A INPUT -m state --state related,established -j ACCEPT
+$ipt6 -A INPUT -p udp --dport 546 -d fe80::/10 -j ACCEPT # Router advertisements
+$ipt6 -A INPUT -p icmpv6 -j ACCEPT
+$ipt6 -A INPUT -j REJECT
+
+$ipt6 -A FORWARD -m state --state related,established -j ACCEPT
+$ipt6 -A FORWARD -i $lan -j ACCEPT
+$ipt6 -A FORWARD -p icmpv6 -j ACCEPT
+$ipt6 -A FORWARD -j REJECT
+
+
+# Policies for NAT
+for chain in INPUT OUTPUT PREROUTING POSTROUTING ; do
+ $ipt -t nat -F $chain
+ $ipt -t nat -P $chain ACCEPT
+done
+
+# Multiple port forwards for 10.0.0.241 with NAT relfection as an example:
+internal_server=10.0.0.241
+for port in 443 9100 9090 ; do
+ $ipt -t nat -A PREROUTING -p tcp --dport $port -d $wan_ip \
+ -j DNAT --to $internal_server
+ # and nat reflection for said server:
+ $ipt -t nat -I PREROUTING -p tcp --dport $port -d $lan_ip -i eth0 \
+ -j DNAT --to $internal_server
+ $ipt -t nat -I POSTROUTING -p tcp --dport $port -d $internal_server \
+ -j SNAT --to $lan_ip
+done
+
+# Where the "magic" happens for IPv4, translate local IPs to that of
+# the $wan interface.
+$ipt -t nat -A POSTROUTING -o $wan -j MASQUERADE
+
+. /etc/local.d/vars_end.sh
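Review bot: The IPv4 FORWARD chain is flushed and left at policy ACCEPT (L26) and never gets a rule, so once MASQUERADE is added at L72 the box forwards whatever reaches it in either direction, while the IPv6 side (L46-L49) is explicitly restricted; the IPv4 filter should get the same FORWARD block, and INPUT/FORWARD should be set to `-P ... DROP` right after the flush loop rather than relying on the trailing `-A INPUT -j DROP` at L38, because the script has no `set -e` and an earlier failed append (e.g. an empty `$lan_ip` from vars.sh) would leave the host open. With a DROP policy the port forwards in L60-L68 need a matching FORWARD accept per port, shown below inside the loop. Separately, L34 accepts 9100 from every interface including the WAN, so if node_exporter is only scraped internally it should carry `-i $lan` like the SSH rule's intent, and L18/L64 hard-code `eth0` where L72 uses `$wan`. The comment on L42 is mislabelled: port 546 is the DHCPv6 client port, router advertisements are ICMPv6 and are already covered by L43, so `# DHCPv6 client replies; RAs are ICMPv6 (next rule)` fits better.
```shell
for chain in INPUT OUTPUT FORWARD ; do
 $ipt -F $chain
 $ipt -P $chain ACCEPT
 $ipt6 -F $chain
 $ipt6 -P $chain ACCEPT
done
# fail closed: a failed append below must not leave the host open
$ipt -P INPUT DROP
$ipt -P FORWARD DROP
# … unchanged: INPUT rules, ip6tables rules, NAT policy loop …
$ipt -A FORWARD -m conntrack --ctstate related,established -j ACCEPT
$ipt -A FORWARD -i $lan -o $wan -j ACCEPT
internal_server=10.0.0.241
for port in 443 9100 9090 ; do
 # … unchanged: DNAT / reflection rules …
 $ipt -A FORWARD -p tcp --dport $port -d $internal_server -j ACCEPT
done
# … unchanged: MASQUERADE, vars_end.sh …
```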