Create the file /etc/gateway.rules with the following initial ruleset (the two rulesets that follow assume a PPP link, ppp0, as the external interface and eth0 as the internal one):
/sbin/ipchains -M -S 7200 10 160    # masquerade timeouts: TCP 2h, TCP after FIN 10s, UDP 160s
/sbin/ipchains -P input ACCEPT
/sbin/ipchains -P output ACCEPT
/sbin/ipchains -F input
/sbin/ipchains -F output
/sbin/ipchains -F forward
/sbin/ipchains -P forward DENY
/sbin/ipchains -A forward -i ppp0 -s 192.168.1.0/24 -j MASQ
/sbin/iptables -F
/sbin/iptables -t nat -F
/sbin/iptables -t mangle -F    # ignore if you get an error here
/sbin/iptables -X              # deletes every non-builtin chain in the table
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -m state --state NEW -i ! ppp0 -j ACCEPT    # newer iptables spells this "! -i ppp0"
# only if both of the above rules succeed, use
/sbin/iptables -P INPUT DROP
/sbin/iptables -A FORWARD -i ppp0 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -i eth0 -o ppp0 -j ACCEPT
/sbin/iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
/sbin/iptables -A FORWARD -i ppp0 -o ppp0 -j REJECT
In the Ethernet rulesets below, I am assuming that eth0 refers to the external interface and eth1 refers to the internal interface.
For users connecting to the external network over Ethernet and using ipchains:
/sbin/ipchains -M -S 7200 10 160    # masquerade timeouts: TCP 2h, TCP after FIN 10s, UDP 160s
/sbin/ipchains -P input ACCEPT
/sbin/ipchains -P output ACCEPT
/sbin/ipchains -F input
/sbin/ipchains -F output
/sbin/ipchains -F forward
/sbin/ipchains -P forward REJECT
# use this line if you have a dynamic IP address (on DHCP or BOOTP)
# configured from your ISP
/sbin/ipchains -A input -j ACCEPT -i eth0 -s 0/0 67 -d 0/0 68 -p udp
/sbin/ipchains -P forward DENY
/sbin/ipchains -A forward -i eth0 -s 192.168.1.0/24 -j MASQ
For users connecting to the external network over Ethernet and using iptables:
/sbin/iptables -F
/sbin/iptables -t nat -F
/sbin/iptables -t mangle -F    # ignore if you get an error here
/sbin/iptables -X              # deletes every non-builtin chain in the table
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -m state --state NEW -i ! eth0 -j ACCEPT    # newer iptables spells this "! -i eth0"
# only if both of the above rules succeed, use
/sbin/iptables -P INPUT DROP
/sbin/iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
# use this line if you have a static IP address from your ISP
# replace x.x.x.x with your static IP
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to x.x.x.x
# use this line only if you have a dynamic IP address from your ISP
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
/sbin/iptables -A FORWARD -i eth0 -o eth0 -j REJECT
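The iptables rulesets above (the ppp0 one and the Ethernet one) have a window of exposure: each rule is a separate command, so if "-P INPUT DROP" lands before the ESTABLISHED,RELATED and NEW accepts have succeeded, the box cuts itself off, which is why the text says to set the policy only after both rules succeed. The added example below is not from the original page; it is a POSIX sh function that emits the same Ethernet ruleset in iptables-restore format, which is applied atomically (all rules and policies in one commit, or none of them). It is parameterised on the external and internal interface names and on an optional static address, picking SNAT when an address is given and MASQUERADE otherwise, and it refuses the x.x.x.x placeholder rather than installing it. The FORWARD policy is set to DROP here, carrying over the DENY policy the page's ipchains versions use; the original iptables commands leave it at the default. The function name gen_gateway_rules and the 203.0.113.5 / ppp0 sample values in the usage are constructed for this example.

```shell
#!/bin/sh
# gen_gateway_rules EXT_IF INT_IF [STATIC_IP]
# Prints an iptables-restore ruleset equivalent to the Ethernet gateway rules
# above. Apply it atomically with:  gen_gateway_rules eth0 eth1 | iptables-restore
# (hypothetical helper written for this example, not part of the original page)
gen_gateway_rules() {
    ext_if="$1"; int_if="$2"; static_ip="${3:-}"

    # Refuse to generate anything for missing or identical interface names.
    if [ -z "$ext_if" ] || [ -z "$int_if" ] || [ "$ext_if" = "$int_if" ]; then
        echo "usage: gen_gateway_rules EXT_IF INT_IF [STATIC_IP]" >&2
        return 1
    fi

    case "$static_ip" in
        "")
            # dynamic address from the ISP: masquerade behind whatever it is
            snat_target="-j MASQUERADE" ;;
        x.x.x.x)
            # the placeholder from the HOWTO text was never replaced
            echo "replace the x.x.x.x placeholder with your real static address" >&2
            return 1 ;;
        *)
            # static address: light sanity check for four dotted-decimal octets
            echo "$static_ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' \
                || { echo "not a dotted-quad address: $static_ip" >&2; return 1; }
            snat_target="-j SNAT --to-source $static_ip" ;;
    esac

    # iptables-restore format: one table per *name ... COMMIT block.
    # Policies and rules are loaded together, so INPUT DROP can never be
    # active without the two ACCEPT rules that keep the gateway reachable.
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o $ext_if $snat_target
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT ! -i $ext_if -m state --state NEW -j ACCEPT
-A FORWARD -i $ext_if -o $int_if -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $int_if -o $ext_if -j ACCEPT
-A FORWARD -i $ext_if -o $ext_if -j REJECT
COMMIT
EOF
}

# Usage (sample values are constructed): print the static-address variant.
gen_gateway_rules eth0 eth1 203.0.113.5
```

Review the printed ruleset before piping it into iptables-restore; because the load is atomic, a typo in an interface name fails the whole load instead of leaving a half-applied firewall.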