FIREWALL: iptables: Create NAT (en)
Make sure the 3G connection is established first. One of the easiest ways to do this is using the Vodafone Mobile Connect Card Driver for Linux.
Afterwards, we can run the Internet Connection Sharing script shown below. To run the script:
# ./script.sh start
To turn it off:
# ./script.sh stop
To have script.sh run automatically when the computer boots, save the script in a folder such as /root and add the following command to /etc/rc.local:
/root/script.sh start
The content of script.sh is shown below. There are three parameters to pay attention to:
- UPLINK
- NAT
- INTERFACES
Make sure you correctly fill in all three.
Internet Connection Sharing Script
#!/bin/bash
# From: AHK <akuhon@kompas.com>
# To: linux-admin@linux.or.id
# Save this file and activate through
#     file_name start
# and de-activate through
#     file_name stop

# This firewall script can be used for a workstation, laptop, router,
# or server that is not running network services (such as a web server,
# ftp server, etc.)

# Change the parameter UPLINK to the interface device connected to the Internet.
# In our case, a WLAN router with NIC wlan0 connected to the Internet
# and the LAN connection on eth0.
# If you use a dial-up modem, you might use ppp0 as your UPLINK.
UPLINK="ppp0"

# If you run the gateway as a router and forward IP packets between eth devices,
# please fill in 'yes'; if not, please fill in 'no'.
ROUTER="yes"

# Please change 192.168.1.100 to the static IP address of the UPLINK device.
# For those who use dial-up or a dynamic IP, please enter 'dynamic'.
# NAT="192.168.1.100"
NAT="dynamic"

# Please list all network interfaces, including eth devices
# as well as dial-up interfaces such as ppp0.
INTERFACES="lo eth0 eth1 eth2 ppp0"

if [ "$1" = "start" ]
then
    echo "Activate Firewall ..... "
    /sbin/iptables -F
    /sbin/iptables -P INPUT DROP
    # Accept everything that does not arrive on the uplink (loopback and LAN)
    /sbin/iptables -A INPUT ! -i ${UPLINK} -j ACCEPT
    # Accept incoming SMTP on the uplink
    /sbin/iptables -A INPUT -i ${UPLINK} -p tcp -s 0/0 --dport 25 -j ACCEPT
    # Accept replies to connections we initiated
    /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Reject everything else arriving on the uplink
    /sbin/iptables -A INPUT -p tcp -i ${UPLINK} -j REJECT --reject-with tcp-reset
    /sbin/iptables -A INPUT -p udp -i ${UPLINK} -j REJECT --reject-with icmp-port-unreachable

    # Turn on reverse-path filtering on all interfaces to drop spoofed packets
    for x in ${INTERFACES}
    do
        # Skip interfaces that are not present (e.g. ppp0 before the modem is up)
        if [ -e /proc/sys/net/ipv4/conf/${x}/rp_filter ]
        then
            echo 1 > /proc/sys/net/ipv4/conf/${x}/rp_filter
        fi
    done

    if [ "$ROUTER" = "yes" ]
    then
        # Activate IP forwarding at the router
        echo 1 > /proc/sys/net/ipv4/ip_forward
        if [ "$NAT" = "dynamic" ]
        then
            # Dynamic IP address, activate Masquerading
            echo "Activate Masquerading (Dynamic IP) ...."
            /sbin/iptables -t nat -A POSTROUTING -o ${UPLINK} -j MASQUERADE
        elif [ "$NAT" != "" ]
        then
            # Static IP address, use source NAT
            echo "Activate SNAT (Static IP) ...."
            /sbin/iptables -t nat -A POSTROUTING -o ${UPLINK} -j SNAT --to ${NAT}
        fi
    fi
elif [ "$1" = "stop" ]
then
    echo "Deactivate Firewall ..."
    /sbin/iptables -F INPUT
    /sbin/iptables -P INPUT ACCEPT
    /sbin/iptables -F FORWARD
    /sbin/iptables -P FORWARD ACCEPT
    /sbin/iptables -F OUTPUT
    /sbin/iptables -P OUTPUT ACCEPT
    # Turn off NAT or MASQUERADING
    /sbin/iptables -t nat -F POSTROUTING
fi
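The script above never touches the FORWARD chain, so once ip_forward is enabled the kernel forwards between all interfaces under the default ACCEPT policy. The following added example (not part of the original page or AHK's script) builds the same POSTROUTING choice as the script (MASQUERADE for NAT="dynamic", SNAT otherwise) and adds a stateful FORWARD policy that only allows LAN-to-uplink traffic and its replies. The function names ipt, postrouting_rule, forward_rules and rule_count, and the DRY_RUN switch, are this example's own inventions: with DRY_RUN=1 (the default) the rules are printed instead of applied, so the logic can be checked on a machine without iptables or root.

```shell
#!/bin/bash
# Added example, not the page's own script. Assumed names: ipt, postrouting_rule,
# forward_rules, rule_count, DRY_RUN.
IPT=${IPT:-/sbin/iptables}
DRY_RUN=${DRY_RUN:-1}   # 1 = print the rules; 0 = apply them with the real iptables

# Run one iptables invocation, or print it when dry-running.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

# postrouting_rule UPLINK NAT
# Same decision as the page's script: 'dynamic' -> MASQUERADE, an address -> SNAT,
# empty -> no NAT rule (returns non-zero).
postrouting_rule() {
    local uplink=$1 nat=$2
    if [ "$nat" = "dynamic" ]; then
        ipt -t nat -A POSTROUTING -o "$uplink" -j MASQUERADE
    elif [ -n "$nat" ]; then
        ipt -t nat -A POSTROUTING -o "$uplink" -j SNAT --to "$nat"
    else
        return 1
    fi
}

# forward_rules UPLINK LAN
# Default-deny forwarding; allow LAN hosts out through the uplink and only
# reply traffic back in. Without this the FORWARD chain stays at ACCEPT.
forward_rules() {
    local uplink=$1 lan=$2
    ipt -P FORWARD DROP
    ipt -A FORWARD -i "$lan" -o "$uplink" -j ACCEPT
    ipt -A FORWARD -i "$uplink" -o "$lan" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# rule_count UPLINK LAN: number of FORWARD commands produced (dry-run only).
rule_count() {
    forward_rules "$1" "$2" | { n=0; while read -r _; do n=$((n+1)); done; echo "$n"; }
}

# Usage: DRY_RUN=1 ./this.sh prints the rule set for a ppp0 uplink and eth0 LAN.
postrouting_rule ppp0 dynamic
forward_rules ppp0 eth0
```

Run it as root with DRY_RUN=0 after the script's "start" to tighten forwarding; the script's "stop" branch already flushes FORWARD and resets its policy to ACCEPT, so no extra cleanup is needed.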