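#!/usr/bin/env bash
#
# Simple NAT/forwarding firewall: traffic from one or more LAN interfaces is
# forwarded and masqueraded out through ppp0 (the cellular uplink).
#
# Usage: <script> start|stop [lan-interfaces]
#   lan-interfaces: comma-separated list of LAN interface names (default "eth0")
#
# Only IPv4 is managed here (iptables); ip6tables is never touched, so IPv6
# traffic keeps whatever policy the host already has.
# Needs privileges sufficient to run iptables and to write
# /proc/sys/net/ipv4/ip_forward.

set -eu

#######################################
# Print a message to stderr and exit non-zero.
# Arguments: $* - message text
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Print usage to stderr and exit with status 1.
#######################################
usage() {
  printf 'Usage: %s start|stop [lan-interfaces]\n' "${0##*/}" >&2
  printf '  lan-interfaces: comma-separated list of LAN interfaces to forward to cellular\n' >&2
  printf '                  defaults to "eth0"\n' >&2
  exit 1
}

#######################################
# Install the firewall rules and enable IPv4 forwarding.
# Arguments: $1 - comma-separated list of LAN interface names
# Outputs:   progress messages on stdout
# Returns:   0 on success; exits non-zero (set -e) if any iptables call fails
#######################################
do_start() {
  local -a lan_interfaces=()
  local iface

  # Split on commas into an array so interface names are never re-split on
  # whitespace or glob-expanded when handed to iptables.
  IFS=',' read -r -a lan_interfaces <<< "$1"
  (( ${#lan_interfaces[@]} > 0 )) || die "no LAN interfaces given"

  echo "Configuring firewall rules..."

  # Flush all the tables first
  iptables -t filter -F
  iptables -t nat -F
  iptables -t mangle -F

  # Drop all incoming packets by default.  From here on a failing iptables
  # call aborts the script (set -e) and leaves INPUT at DROP: fail-closed,
  # so run this from the console rather than over a remote session.
  iptables -t filter -P INPUT DROP

  # Accept all on local loopback
  iptables -t filter -A INPUT -i lo -j ACCEPT

  # Allow packets in for existing socket connections
  iptables -t filter -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

  # Accept all from LAN interfaces.  eth0 is accepted unconditionally,
  # whether or not it appears in the supplied list.
  iptables -t filter -A INPUT -i eth0 -j ACCEPT
  for iface in "${lan_interfaces[@]}"; do
    [[ -n "$iface" ]] || continue   # tolerate "a,,b" like the original did
    if [[ "$iface" != "eth0" ]]; then
      iptables -t filter -A INPUT -i "$iface" -j ACCEPT
    fi
  done

  # Optional per-service rules, kept for reference (disabled):
  # Accept ssh from the LAN (Wired)
  #iptables -t filter -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
  # Accept http from the LAN (Wired)
  #iptables -t filter -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
  # Accept tftp from the LAN (Wired)
  #iptables -t filter -A INPUT -i eth0 -p udp --dport 69 -j ACCEPT
  # Accept ssh from the WAN (Wireless)
  #iptables -t filter -A INPUT -i ppp0 -p tcp --dport 22 -j ACCEPT
  # Accept http from the WAN (Wireless)
  #iptables -t filter -A INPUT -i ppp0 -p tcp --dport 80 -j ACCEPT

  # Allow packet forwarding from LAN interfaces to ppp0 (cell router) only;
  # everything else that would be forwarded is dropped by policy.
  iptables -t filter -P FORWARD DROP
  iptables -t filter -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
  for iface in "${lan_interfaces[@]}"; do
    [[ -n "$iface" ]] || continue
    iptables -t filter -A FORWARD -i "$iface" -o ppp0 -j ACCEPT
  done

  # Allow all output packets
  iptables -t filter -P OUTPUT ACCEPT

  # Enable NAT for cell router
  iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

  echo "Enabling packet forwarding..."
  # Turn on packet forwarding last, once the FORWARD chain is in place.
  echo 1 > /proc/sys/net/ipv4/ip_forward

  echo "Done"
}

#######################################
# Remove all firewall rules, reset policies to ACCEPT and disable forwarding.
# Outputs:   progress messages on stdout
#######################################
do_stop() {
  echo "Clearing firewall rules..."

  # Clear all tables
  iptables -t filter -F
  iptables -t nat -F
  iptables -t mangle -F

  # Reset policies to ACCEPT (the host is left fully open after stop)
  iptables -t filter -P INPUT ACCEPT
  iptables -t filter -P OUTPUT ACCEPT
  iptables -t filter -P FORWARD ACCEPT

  # Turn off packet forwarding
  echo "Disabling packet forwarding..."
  echo 0 > /proc/sys/net/ipv4/ip_forward

  echo "Done"
}

#######################################
# Entry point: validate the argument count and dispatch on the action.
# Arguments: $1 - "start" or "stop"; $2 - optional LAN interface list
#######################################
main() {
  # Numeric comparison: the original [[ $# < 1 || $# > 2 ]] compared strings.
  if (( $# < 1 || $# > 2 )); then
    usage
  fi

  case "$1" in
    start) do_start "${2:-eth0}" ;;
    stop)  do_stop ;;
    *)     die "unknown action: $1 (expected start|stop)" ;;  # was a silent exit 0
  esac
}

main "$@"
exit 0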