Creating an iptables Firewall/NAT/Router Boot Script for Slackware Linux v10.0

Category: Software and Systems Engineering
Author: Sean O'Donnell
Fri, Sep. 23rd, 2005 @ 3:37:35 (MDT)

This example demonstrates a simple Firewall/NAT/Router configuration using iptables and four Ethernet NICs: eth0 faces the WAN, eth1 through eth3 face the LAN subnets.

The example below was tested on Slackware Linux v10.0 with kernel 2.4.26, and was used in conjunction with my previous example on Configuring a DHCP Server w/ Multiple Subnets on Linux.

/etc/rc.d/rc.iptables

#!/bin/sh
########################################
#
# file: /etc/rc.d/rc.iptables
#
# desc: This firewall configuration is intended to create a
# (semi-stealth) NAT/Router/Firewall for a system w/ multiple NICs:
# eth0 faces the WAN, eth1-eth3 face the LAN subnets.
#
# Example by: Sean O'Donnell http://code.seanodonnell.com
#
########################################
# define the path to the iptables executable
IPTABLES=/usr/sbin/iptables

# FLUSH ALL RULES IN THE FILTER TABLE (INPUT, OUTPUT, FORWARD)
$IPTABLES -F

# FLUSH ALL RULES IN THE NAT TABLE
$IPTABLES -t nat -F

# DELETE ANY USER-DEFINED CHAINS LEFT OVER FROM A PREVIOUS RUN
# (-D deletes a single rule and needs a rule spec; -X removes empty chains)
$IPTABLES -X
$IPTABLES -t nat -X

# ENABLE IP FORWARDING IN THE KERNEL (this is what makes the box a router)
echo 1 > /proc/sys/net/ipv4/ip_forward

# SET FORWARD POLICY TO 'ACCEPT'
# NOTE: this forwards anything the kernel routes, including packets that
# arrive on eth0, unless a later rule drops them.
$IPTABLES -P FORWARD ACCEPT

# CONFIGURE IP MASQUERADING USING NAT: rewrite the source address of
# packets leaving via the WAN interface (eth0) to eth0's own address
$IPTABLES -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# ACCEPT FORWARDING FROM EACH LAN NIC (redundant while the policy is
# ACCEPT, but these rules keep the LAN working if the policy is later
# changed to DROP)
$IPTABLES -A FORWARD -i eth1 -j ACCEPT
$IPTABLES -A FORWARD -i eth2 -j ACCEPT
$IPTABLES -A FORWARD -i eth3 -j ACCEPT

# prevent packets that arrive on the WAN from being routed straight
# back out of the WAN
$IPTABLES -A FORWARD -i eth0 -o eth0 -j DROP

# SET OUTPUT POLICY TO 'ACCEPT' (the router itself may talk to anything)
$IPTABLES -P OUTPUT ACCEPT

# SET INPUT POLICY TO 'ACCEPT'
# Everything not explicitly dropped below is reachable from the WAN.
$IPTABLES -P INPUT ACCEPT

##### DROP UNWANTED INCOMING TCP PACKETS FROM THE WAN (eth0)
# The drop ranges are the gaps between the server ports that must stay
# open; each boundary must sit exactly one port away from an open port.

# drop 1-20, leaving 21 (FTP) and 22 (SSH) open
$IPTABLES -A INPUT -p tcp --destination-port 1:20 -i eth0 -j DROP

# drop 23-24, leaving 25 (SMTP) open
$IPTABLES -A INPUT -p tcp --destination-port 23:24 -i eth0 -j DROP

# drop 26-79, leaving 80 (HTTP) open
$IPTABLES -A INPUT -p tcp --destination-port 26:79 -i eth0 -j DROP

# drop 81-109, leaving 110 (POP3) open
$IPTABLES -A INPUT -p tcp --destination-port 81:109 -i eth0 -j DROP

# drop 111-3305, leaving 3306 (MySQL) open
$IPTABLES -A INPUT -p tcp --destination-port 111:3305 -i eth0 -j DROP

# drop all remaining TCP ports
$IPTABLES -A INPUT -p tcp --destination-port 3307:65535 -i eth0 -j DROP

##### DROP UNWANTED INCOMING UDP PACKETS FROM THE WAN (eth0)

# drop UDP 130-145, which covers the NetBIOS ports 137-139
$IPTABLES -A INPUT -p udp --destination-port 130:145 -i eth0 -j DROP

#
### you will probably want to add your own rules, so use this as a template! =)
#

# list the rules (-n: no DNS lookups, which could stall the boot)
$IPTABLES -L -n

# list the NAT rules
$IPTABLES -t nat -L -n

The configuration above is just an example, and is intended to give full 'output' access to computers on the LAN, typically for a home (or semi-relaxed) networking environment.

It also closes all non-server-related TCP ports, as well as the NetBIOS/SMB UDP ports, from the WAN (eth0). Read it the other way round before you deploy it: because the INPUT policy is ACCEPT and the script drops ranges rather than allowing ports, anything that is not inside a DROP range is reachable from the WAN. As written, that means TCP 21, 22, 25, 80, 110 and 3306 (so the FTP and MySQL daemons are exposed to the Internet unless they are configured to listen only on a LAN address), plus every UDP port outside 130-145. The FORWARD policy of ACCEPT also means a packet arriving on eth0 is forwarded to the LAN if the kernel has a route for it. If you later open another port, remember to split the surrounding DROP range around it, and check the result with 'iptables -L -n'.

You should edit the script according to your own desired firewall rules.
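The script builds its WAN filter by hand: it lists the gaps between the ports it wants open and drops each gap. Doing that arithmetic manually is where mistakes creep in, since a mistyped boundary silently opens or closes a port. The following is an added example, not code from the original page or from its author; it computes the gaps from an allow-list and prints the corresponding iptables commands in the same form the boot script uses. The names IPTABLES, WAN_IF, drop_ranges, emit_rules and TCP_OPEN are chosen here for the example.

```shell
#!/bin/sh
# Added example (not from the original page): generate the DROP-range rules
# that rc.iptables writes by hand, from a list of ports that must stay open.
# IPTABLES, WAN_IF, drop_ranges, emit_rules and TCP_OPEN are names chosen
# for this example.

IPTABLES=/usr/sbin/iptables
WAN_IF=eth0

# drop_ranges "21 22 25" prints the gaps between the allowed ports, one
# "lo:hi" range per line, covering 1-65535 except the listed ports:
#   1:20
#   23:24
#   26:65535
drop_ranges() {
    prev=0
    # sort numerically and de-duplicate so the walk below is monotonic
    for p in $(printf '%s\n' $1 | sort -n -u); do
        # reject anything that is not a valid TCP/UDP port number
        case "$p" in
            ''|*[!0-9]*) echo "drop_ranges: bad port '$p'" >&2; return 1 ;;
        esac
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
            echo "drop_ranges: port out of range '$p'" >&2
            return 1
        fi
        lo=$((prev + 1))
        hi=$((p - 1))
        # adjacent allowed ports (e.g. 22 and 23) leave no gap, so skip it
        if [ "$lo" -le "$hi" ]; then
            echo "$lo:$hi"
        fi
        prev=$p
    done
    # the tail from the last allowed port up to 65535
    if [ "$prev" -lt 65535 ]; then
        echo "$((prev + 1)):65535"
    fi
    return 0
}

# emit_rules tcp "21 22" prints one iptables DROP rule per gap, matching
# only the WAN interface so the LAN NICs are unaffected.
emit_rules() {
    proto=$1
    ranges=$(drop_ranges "$2") || return 1
    for r in $ranges; do
        echo "$IPTABLES -A INPUT -p $proto --destination-port $r -i $WAN_IF -j DROP"
    done
    return 0
}

# Same allow-list as rc.iptables (constructed input for the example).
# Paste the output into the script, or on the router itself, as root:
#   emit_rules tcp "$TCP_OPEN" | sh
TCP_OPEN="21 22 25 80 110 3306"
emit_rules tcp "$TCP_OPEN"
```

Running it with the script's own allow-list reproduces the six TCP DROP rules exactly; changing the list (say, removing 21 and 3306 so that FTP and MySQL are no longer reachable from the WAN) regenerates the ranges without any hand-editing of boundaries.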

Next, make the script executable (as root, since iptables and the rest of the script need root privileges):

# chmod +x /etc/rc.d/rc.iptables

Now you can run it to create your Firewall/NAT/Router:

# /etc/rc.d/rc.iptables

To turn the script above into a boot script, add the following to your '/etc/rc.d/rc.M' file (the multi-user boot script on Slackware Linux; if you're not using Slackware, add it to your distro's boot script instead).

#
# file: /etc/rc.d/rc.M
# os: slackware linux v10.0
#
# execute the rc.iptables script, 
# from within the os bootscript
#
if [ -x /etc/rc.d/rc.iptables ]; then
   /etc/rc.d/rc.iptables
fi

Your system should now execute the rc.iptables script during the boot process.

Copyleft (<) 1998-2019 www.seanodonnell.com