jjako | 2185ba2 | 2004-01-15 17:39:10 +0000 | [diff] [blame] | 1 | #!/bin/sh |
| 2 | # |
| 3 | # Firewall script for GGSN |
| 4 | # |
| 5 | # Uses $IFGN (eth0) as the Gn interface (Gn) and |
| 6 | # $IFGI (eth1) as the Gi interface. |
| 7 | # |
| 8 | # SUMMARY |
| 9 | # * All connections originating from GGSN are allowed. |
| 10 | # * Incoming ssh, GTPv0 and GTPv1 is allowed on the Gn interface. |
| 11 | # * Incoming ssh is allowed on the Gi interface. |
| 12 | # * Forwarding is allowed to and from the Gi interface, but disallowed |
| 13 | # to and from the Gn interface. |
| 14 | # * Masquerede on Gi interface. |
| 15 | |
| 16 | IPTABLES="/sbin/iptables" |
| 17 | IFGN="eth0" |
| 18 | IFGI="eth1" |
| 19 | |
| 20 | $IPTABLES -P INPUT DROP |
| 21 | $IPTABLES -P FORWARD ACCEPT |
| 22 | $IPTABLES -P OUTPUT ACCEPT |
| 23 | |
| 24 | #Allow related and established on all interfaces (input) |
| 25 | $IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT |
| 26 | |
| 27 | #Allow releated, established, GTP and ssh on $IFGN. Reject everything else. |
| 28 | $IPTABLES -A INPUT -i $IFGN -p tcp -m tcp --dport 22 --syn -j ACCEPT |
| 29 | $IPTABLES -A INPUT -i $IFGN -p udp -m udp --dport 2123 -j ACCEPT |
| 30 | $IPTABLES -A INPUT -i $IFGN -p udp -m udp --dport 2152 -j ACCEPT |
| 31 | $IPTABLES -A INPUT -i $IFGN -p udp -m udp --dport 3386 -j ACCEPT |
| 32 | $IPTABLES -A INPUT -i $IFGN -j REJECT |
| 33 | |
| 34 | #Allow related, established and ssh. Drop everything else. |
| 35 | $IPTABLES -A INPUT -i $IFGI -p tcp -m tcp --dport 22 --syn -j ACCEPT |
| 36 | $IPTABLES -A INPUT -i $IFGI -j DROP |
| 37 | |
| 38 | # Masquerade everything going out on $IFGI |
| 39 | $IPTABLES -t nat -A POSTROUTING -o $IFGI -j MASQUERADE |
| 40 | |
| 41 | #Allow everything on loopback interface. |
| 42 | $IPTABLES -A INPUT -i lo -j ACCEPT |
| 43 | |
| 44 | # Drop everything to and from $IFGN (forward) |
| 45 | $IPTABLES -A FORWARD -i $IFGN -j DROP |
| 46 | $IPTABLES -A FORWARD -o $IFGN -j DROP |
| 47 | |
| 48 | |