Gitiles
Code Review Sign In
gerrit.osmocom.org / osmo-ggsn / 05f3ef3eb85a36133f1b3db981bf5a4c862953d9 / . / examples / firewall
blob: fce735a81c5076dae9339bffceeacac0515ddbc6 [file] [log] [blame]
jjako2185ba22004-01-15 17:39:10 +0000[diff] [blame]1#!/bin/sh
2#
3# Firewall script for GGSN
4#
5# Uses $IFGN (eth0) as the Gn interface (Gn) and
6# $IFGI (eth1) as the Gi interface.
7#
8# SUMMARY
9# * All connections originating from GGSN are allowed.
10# * Incoming ssh, GTPv0 and GTPv1 is allowed on the Gn interface.
11# * Incoming ssh is allowed on the Gi interface.
12# * Forwarding is allowed to and from the Gi interface, but disallowed
13# to and from the Gn interface.
14# * Masquerede on Gi interface.
15
16IPTABLES="/sbin/iptables"
17IFGN="eth0"
18IFGI="eth1"
19
20$IPTABLES -P INPUT DROP
21$IPTABLES -P FORWARD ACCEPT
22$IPTABLES -P OUTPUT ACCEPT
23
24#Allow related and established on all interfaces (input)
25$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
26
27#Allow releated, established, GTP and ssh on $IFGN. Reject everything else.
28$IPTABLES -A INPUT -i $IFGN -p tcp -m tcp --dport 22 --syn -j ACCEPT
29$IPTABLES -A INPUT -i $IFGN -p udp -m udp --dport 2123 -j ACCEPT
30$IPTABLES -A INPUT -i $IFGN -p udp -m udp --dport 2152 -j ACCEPT
31$IPTABLES -A INPUT -i $IFGN -p udp -m udp --dport 3386 -j ACCEPT
32$IPTABLES -A INPUT -i $IFGN -j REJECT
33
34#Allow related, established and ssh. Drop everything else.
35$IPTABLES -A INPUT -i $IFGI -p tcp -m tcp --dport 22 --syn -j ACCEPT
36$IPTABLES -A INPUT -i $IFGI -j DROP
37
38# Masquerade everything going out on $IFGI
39$IPTABLES -t nat -A POSTROUTING -o $IFGI -j MASQUERADE
40
41#Allow everything on loopback interface.
42$IPTABLES -A INPUT -i lo -j ACCEPT
43
44# Drop everything to and from $IFGN (forward)
45$IPTABLES -A FORWARD -i $IFGN -j DROP
46$IPTABLES -A FORWARD -o $IFGN -j DROP
47
48