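# Firewall configuration for a router with a dynamic IP.
#
# Based on example by Max Kellermann
#

# Interface towards the Internet.
@def $DEV_WORLD = eth0;

# Interfaces towards LAN.
@def $DEV_PRIVATE = (eth1 eth2 eth3);

# Address range for LAN.
@def $NET_PRIVATE = 10.0.0.0/16;

table filter {
    chain INPUT {
        # default-deny: anything not explicitly accepted below is dropped
        policy DROP;

        # connection tracking: drop malformed packets, accept replies to
        # connections this host already has
        mod state state INVALID DROP;
        mod state state (ESTABLISHED RELATED) ACCEPT;

        # allow local connections
        interface lo ACCEPT;

        # respond to ping
        proto icmp icmp-type echo-request ACCEPT;

        # allow SSH connections from the private network and all
        # Internet hosts. We do not want to restrict ssh to only a
        # small number of "well known" hosts, since there's often a
        # need to connect from net cafes and customer sites.
        # NOTE: this exposes sshd to every Internet host, so the
        # remaining defence is sshd's own configuration (key-only
        # authentication, no root login) and review of failed logins.
        proto tcp dport ssh ACCEPT;
    }

    # outgoing connections are not limited
    chain OUTPUT policy ACCEPT;

    chain FORWARD {
        # default-deny for forwarded traffic
        policy DROP;

        # connection tracking
        mod state state INVALID DROP;
        mod state state (ESTABLISHED RELATED) ACCEPT;

        # connections from the internal net to the internet or to other
        # internal nets are allowed; nothing new may be initiated from
        # the Internet side
        interface $DEV_PRIVATE ACCEPT;
    }
}

table nat {
    chain POSTROUTING {
        # masquerade only traffic leaving towards the Internet. An
        # unconditional MASQUERADE would also rewrite the source address
        # of LAN-to-LAN traffic forwarded between the $DEV_PRIVATE
        # interfaces, hiding the real origin of that traffic from the
        # receiving host and from its logs. No saddr match is used so
        # the rule keeps working for LAN hosts outside $NET_PRIVATE.
        outerface $DEV_WORLD MASQUERADE;
    }
}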