4815l2

Listing 2. rc.iptables.dynamic

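#!/bin/sh
# rc.iptables.dynamic -- stateful masquerading firewall for a small gateway
# with one internal (LAN) and one external (ISP) interface.
#
# Policy: anything the LAN starts is allowed out and masqueraded; from the
# outside only replies to existing connections are let in, everything else is
# logged and dropped.  INPUT and FORWARD default to DROP and are set that way
# *before* the old rules are flushed, so a failure part-way through this
# script leaves the box closed rather than wide open (the original relied on
# the kernel's default ACCEPT policy to catch whatever the rules missed).
#
# Notes for maintainers:
#  - -m state / -j TOS are the classic names; current iptables still accepts
#    them (state is an alias of conntrack --ctstate).
#  - There is no 'set -e' on purpose: with default-deny policies a rule that
#    fails to load only removes access, and the optional mangle rules below
#    must not be able to abort the script before forwarding is re-enabled.
PATH=/sbin:/usr/sbin
export PATH

# Locate iptables.  'command -v' is a shell builtin, so it works with the
# restricted PATH above; the external 'which' lives in /usr/bin and would not
# be found (and the original line also had the backticks in the wrong place,
# leaving $IPT empty).  Refuse to continue rather than run rules through an
# empty $IPT.
IPT=$(command -v iptables) || {
    printf '%s\n' "rc.iptables.dynamic: iptables not found in PATH=$PATH" >&2
    exit 1
}

# define interfaces
# internal interface (kept for local customisation; the rules below treat
# every non-external interface as internal)
IINT=eth0
# external interface (can be ppp+, eth#, ippp+, etc.)
IEXT=eth1
# internal network, as seen on $IINT; also the only range that is masqueraded
INTNET=192.168.0.0/24

# first, turn off forwarding while the ruleset is rebuilt
echo 0 > /proc/sys/net/ipv4/ip_forward

# netfilter core plus the FTP connection-tracking/NAT helpers (needed so
# FTP data connections through the masquerade are matched as RELATED).
# On newer kernels the helpers are named nf_conntrack_ftp / nf_nat_ftp;
# adjust if modprobe complains.
modprobe ip_tables
modprobe ip_nat_ftp
modprobe ip_conntrack_ftp

# Default-deny on the two chains that see traffic from the outside.  Done
# before the flush so there is no window in which the host is open; chain
# policies survive -F/-X.  OUTPUT stays ACCEPT: the gateway's own outbound
# traffic is deliberately not filtered by this script.
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT

# flush all chains and delete user chains in every table
for table in filter nat mangle
do
    $IPT -t "$table" -F
    $IPT -t "$table" -X
done

# if your ISP blocks "fragmentation needed" ICMP packets, i.e.:
# web browsers connect, then hang with no data received
# small e-mail works OK, but large e-mails hang
# ssh works OK, but scp hangs after initial handshake
# uncomment the following (TCPMSS is non-terminating, so it is safe to keep
# it ahead of the jump to tcprules):
# $IPT -t filter -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

# create the user chain shared by INPUT and FORWARD
$IPT -t filter -N tcprules

# packets conntrack cannot place in any connection (bad sequence numbers,
# stray ACKs, malformed headers) are dropped regardless of interface
$IPT -A tcprules -m state --state INVALID -j DROP

# anti-spoofing: nothing arriving on the external interface may carry an
# internal source address; log with its own prefix so it can be told apart
# from ordinary unsolicited traffic
$IPT -A tcprules -i "$IEXT" -s "$INTNET" -j LOG --log-prefix "IPT SPOOF "
$IPT -A tcprules -i "$IEXT" -s "$INTNET" -j DROP

# replies to connections the gateway or the LAN started, on any interface
# (the original accepted these only on $IEXT and let the internal side
# through via the ACCEPT policy, which no longer exists)
$IPT -A tcprules -m state --state ESTABLISHED,RELATED -j ACCEPT

# new connections from anything that is not the external interface
$IPT -A tcprules ! -i "$IEXT" -m state --state NEW -j ACCEPT

# everything else from the outside is logged and dropped.  No state list
# here: whatever was not accepted above is unwanted, and an unlisted state
# would otherwise fall back to the chain policy unlogged.
$IPT -A tcprules -i "$IEXT" -j LOG --log-prefix "IPT DROP "
$IPT -A tcprules -i "$IEXT" -j DROP

# loopback is always trusted; everything else goes through tcprules
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -j tcprules
$IPT -A FORWARD -j tcprules

# now for masquerading: only the internal range, only towards the outside
$IPT -t nat -A POSTROUTING -o "$IEXT" -s "$INTNET" -j MASQUERADE

# a few mangle rules you might or might not want to try out
# (TOS values: 16 = minimise delay, 8 = maximise throughput,
#  4 = maximise reliability, 2 = minimise cost)
# note that ssh does its own TOS, so is not required below
$IPT -t mangle -A PREROUTING -m multiport -p tcp --dport 80,21,22 -j TOS --set-tos 16
$IPT -t mangle -A PREROUTING -m multiport -p tcp --sport 80,21,22 -j TOS --set-tos 16
$IPT -t mangle -A PREROUTING -p tcp --dport ftp-data -j TOS --set-tos 8
$IPT -t mangle -A PREROUTING -p tcp --sport ftp-data -j TOS --set-tos 8
$IPT -t mangle -A PREROUTING -p tcp --dport 25 -j TOS --set-tos 4
$IPT -t mangle -A PREROUTING -p tcp --dport 110 -j TOS --set-tos 2

# if you have a line in your /etc/sysctl.conf like this:
# net.ipv4.ip_forward = 1
# uncomment the following and comment out the echo line below it
#/sbin/sysctl -p > /dev/null
# forwarding comes back on last, once the FORWARD chain is fully populated
echo 1 > /proc/sys/net/ipv4/ip_forward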