| blob | 743acd05564829d4ee3dca8a6add8a1f573c7eae |
1 # -*- shell-script -*-
2 #
3 # Ferm example script
4 #
5 # Firewall configuration for a router with a dynamic IP.
6 #
7 # Author: Max Kellermann <max@duempel.org>
8 #
10 @def $DEV_PRIVATE = (eth0 eth1);
11 @def $DEV_WORLD = ppp0;
13 @def $NET_PRIVATE = 192.168.0.0/16;
15 table filter {
16 chain INPUT {
17 policy DROP;
19 # connection tracking
20 mod state state INVALID DROP;
21 mod state state (ESTABLISHED RELATED) ACCEPT;
23 # allow local connections
24 interface lo ACCEPT;
26 # respond to ping
27 proto icmp icmp-type echo-request ACCEPT;
29 # for IPsec
30 interface $DEV_WORLD {
31 proto udp dport 500 ACCEPT;
32 proto (esp ah) ACCEPT;
33 }
35 # allow SSH connections from the private network and from some
36 # well-known internet hosts
37 saddr ($NET_PRIVATE 81.209.165.42) proto tcp dport ssh ACCEPT;
39 # we provide DNS and SMTP services for the internal net
40 interface $DEV_PRIVATE saddr $NET_PRIVATE {
41 proto (udp tcp) dport domain ACCEPT;
42 proto tcp dport smtp ACCEPT;
43 }
45 # some IRC servers want that
46 interface $DEV_WORLD {
47 proto tcp dport auth ACCEPT;
48 proto tcp dport (8080 3128) REJECT;
49 }
51 # the rest is dropped by the above policy
52 }
54 # outgoing connections are not limited
55 chain OUTPUT policy ACCEPT;
57 chain FORWARD {
58 policy DROP;
60 # connection tracking
61 mod state state INVALID DROP;
62 mod state state (ESTABLISHED RELATED) ACCEPT;
64 # connections from the internal net to the internet or to other
65 # internal nets are allowed
66 interface $DEV_PRIVATE ACCEPT;
68 # the rest is dropped by the above policy
69 }
70 }
72 table nat {
73 chain POSTROUTING {
74 # masquerade private IP addresses
75 saddr $NET_PRIVATE outerface $DEV_WORLD MASQUERADE;
76 }
77 }