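#!/bin/bash
# Minimal "screening router" packet filter for a two-host lab: a client on
# one subnet, a web server on another, and this box routing between them.
#
# Usage:  <scriptname> start|stop      (must be run as root)
#   start - set DROP as the default policy on INPUT/OUTPUT/FORWARD, flush,
#           then allow only: ICMP on all chains, packets of already tracked
#           connections, connections the router itself initiates (OUTPUT
#           NEW), and forwarded TCP/80 from CLIENT to WEBSRV.
#   stop  - flush everything and fall back to ACCEPT on all chains.
#
# NOTE: only IPv4 is filtered here. If the lab hosts speak IPv6, an
# equivalent ip6tables ruleset is needed, otherwise that traffic bypasses
# this policy completely.

# Stop at the first failing iptables call: continuing would leave a
# half-built ruleset (worst case DROP policies with none of the ACCEPT rules).
set -eu

# Lab addresses — change these to the actual hosts.
readonly CLIENT=192.168.40.10   # the box that may reach the web server
readonly WEBSRV=192.168.45.10   # the web server (TCP/80 only)

# Abort with a message unless running as root (iptables needs CAP_NET_ADMIN).
require_root() {
  (( EUID == 0 )) || { echo "must be run as root" >&2; exit 1; }
}

# Drop every rule and user-defined chain in the filter, nat and mangle
# tables. Chain policies are left alone on purpose: the caller decides
# whether the box is closed (DROP) or open (ACCEPT) while this runs.
flush_all() {
  local table
  for table in filter nat mangle; do
    iptables -t "$table" -F
    iptables -t "$table" -X
  done
}

# Build the restrictive ruleset.
fw_start() {
  echo FW start
  # Close the box first, then flush, so nothing slips through while the
  # ACCEPT rules are being re-added.
  iptables -P INPUT DROP
  iptables -P OUTPUT DROP
  iptables -P FORWARD DROP
  flush_all

  # ICMP of every type is allowed on all chains (ping, traceroute, PMTU
  # errors). Restrict with --icmp-type if the lab should not be pingable.
  iptables -A INPUT   -p icmp -j ACCEPT
  iptables -A OUTPUT  -p icmp -j ACCEPT
  iptables -A FORWARD -p icmp -j ACCEPT

  # Stateful part. ESTABLISHED lets the packets of an already accepted
  # connection (including its replies) pass; RELATED only covers what a
  # conntrack helper ties to an existing flow (ICMP errors, FTP data, ...).
  # Neither opens additional services by itself.
  iptables -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
  # NEW here means the router itself may open outbound connections to
  # anywhere. Remove NEW if the router must not be able to reach out.
  iptables -A OUTPUT  -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
  iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

  # The only NEW traffic that is forwarded: CLIENT -> WEBSRV on TCP/80.
  # Replies ride on the FORWARD ESTABLISHED rule above; everything else
  # between the two subnets hits the DROP policy.
  iptables -A FORWARD -p tcp -s "${CLIENT}/32" -d "${WEBSRV}/32" --dport 80 -j ACCEPT

  # Interface and routing setup, kept disabled so the script only touches
  # the packet filter. Mind the space in `echo 1 >`: `echo 1>file` (no
  # space) redirects stdout and writes an empty line, leaving forwarding off.
  # ifconfig eth0 192.168.40.1 up
  # ifconfig eth0:0 192.168.45.1 up
  # echo 1 > /proc/sys/net/ipv4/ip_forward
}

# Tear the ruleset down and open the box again.
fw_stop() {
  echo FW stop
  # The sysctl file is ip_forward (underscore), not ip-forward.
  # ifconfig eth0:0 down
  # ifconfig eth0 down
  # echo 0 > /proc/sys/net/ipv4/ip_forward
  flush_all
  iptables -P INPUT ACCEPT
  iptables -P OUTPUT ACCEPT
  iptables -P FORWARD ACCEPT
}

# Dispatch on the single positional argument (start|stop).
main() {
  local action=${1:-}
  echo "$action"
  case "$action" in
    start)
      require_root
      fw_start
      ;;
    stop)
      require_root
      fw_stop
      ;;
    *)
      echo wrong entry!
      echo "usage: ${0##*/} start|stop" >&2
      exit 1
      ;;
  esac
}

main "$@"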
Of course the IP addresses need to be changed to the actual ones. With the script you can route the traffic of two boxes (Windows or Linux) through the screening router and so decide which traffic is allowed and which is not. This example is designed for access to a web server: only new TCP/80 connections from the client to the server are forwarded, and all other traffic between the two boxes is dropped. The stateful (ESTABLISHED,RELATED) rules only let the packets and replies of an already accepted connection pass — they do not open access to other services. If you want another service, add an explicit FORWARD rule for it. Note that the OUTPUT chain also accepts NEW, so the router itself may open connections to anywhere, and that IP forwarding must be enabled (see the commented-out ip_forward line) for anything to be routed at all.
When you run `<scriptname> stop` (as root) all firewall rules are deleted again and the policies are reset to ACCEPT, so it is very convenient for experiments and for getting a little deeper into iptables.
enjoy...