Tuesday, July 24, 2007

Iptables script to open all connections (useful when debugging a gateway firewall)

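#!/bin/bash
# simple script to flush and open all chains for debugging.
#
# Flushes the filter, nat and mangle tables, sets every default policy to
# ACCEPT, and re-adds the loopback rules plus SNAT/forwarding for the
# internal networks. While this is in effect the gateway filters nothing,
# so reload the normal ruleset when debugging is finished.
#
# Environment (all optional; defaults are the values below):
#   EXT_IPADDR   static external IPv4 address used as the SNAT source
#   INT_NETS     space-separated internal networks to SNAT
#   EXT_IFACES   space-separated outbound interfaces accepted in FORWARD
#
# Must run as root. Exits non-zero if EXT_IPADDR is still the placeholder,
# if iptables is missing, or if any iptables command fails (set -e).
set -eu

die() { printf '%s\n' "$*" >&2; exit 1; }

[[ "$EUID" -eq 0 ]] || die "must be run as root"
command -v iptables >/dev/null || die "iptables not found in PATH"

EXT_IPADDR="${EXT_IPADDR:-x.x.x.x}" # static allocated IP for the computer.
INT_NETS="${INT_NETS:-192.168.1.0/24 192.168.0.0/24}"
EXT_IFACES="${EXT_IFACES:-eth0 eth1}"

# An unedited placeholder (or anything that is not a dotted quad) would only
# surface as a failure on the first SNAT rule, after the policies are already
# open; reject it before touching any table.
[[ "$EXT_IPADDR" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]] \
  || die "EXT_IPADDR is '$EXT_IPADDR'; set it to the gateway's external IPv4 address"

# Enable IP forwarding for NAT
echo 1 > /proc/sys/net/ipv4/ip_forward

# Load Modules (best effort: on newer kernels these may be built in or
# renamed, so a failed modprobe is reported but does not abort the script)
for mod in ip_tables ip_conntrack ip_conntrack_ftp ipt_state iptable_nat iptable_filter; do
  modprobe "$mod" || printf 'warning: modprobe %s failed\n' "$mod" >&2
done

# Remove any existing rules from all chains
iptables --flush
iptables -t nat --flush
iptables -t mangle --flush
# Unlimited traffic on the loopback interface
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Set the default policy to open
for chain in INPUT OUTPUT FORWARD; do
  iptables --policy "$chain" ACCEPT
done
for chain in PREROUTING OUTPUT POSTROUTING; do
  iptables -t nat --policy "$chain" ACCEPT
done
for chain in PREROUTING OUTPUT; do
  iptables -t mangle --policy "$chain" ACCEPT
done

# Remove any pre-existing user-defined chains
iptables --delete-chain
iptables -t nat --delete-chain
iptables -t mangle --delete-chain

# Set forwarding and nat for internal networks
# shellcheck disable=SC2086 -- INT_NETS / EXT_IFACES are deliberately space-separated lists
for net in $INT_NETS; do
  iptables -t nat -A POSTROUTING -s "$net" -j SNAT --to-source "$EXT_IPADDR"
done
# shellcheck disable=SC2086
for iface in $EXT_IFACES; do
  iptables -A FORWARD -o "$iface" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
done

#iptables -A FORWARD -i eth0 -o eth1 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#iptables -A FORWARD -i eth0 -o eth2 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT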


