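#!/usr/bin/env bash
#
# Small IPv4 firewall / NAT gateway control script: traffic from the LAN
# interfaces is accepted and forwarded out of ppp0 (the cellular router).
#
# Usage: <script> start|stop [lan-interfaces]
#   lan-interfaces: comma-separated interface names, defaults to "eth0"
#
# Must run as root: it edits iptables and writes /proc/sys/net/ipv4/ip_forward.
#
# -e: stop at the first failing command rather than keep applying rules on
#     top of a failure (a half-applied ruleset is still possible).
# -u: referencing an unset variable is an error; catches typos in the
#     interface handling.
# -o pipefail: a failing stage inside a pipeline is not masked by the last
#     stage succeeding.
set -euo pipefail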
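#######################################
# Bring the IPv4 firewall up.
# Order matters: the tables are flushed, the INPUT and FORWARD policies are
# set to DROP *before* the allow rules are added (so the host is never briefly
# wide open), and IPv4 forwarding is switched on only after the NAT and
# FORWARD rules exist.
# Globals:   none written (the interface list is local)
# Arguments: $1 - comma-separated list of LAN interface names. Everything
#                 arriving on these interfaces is accepted on INPUT and may be
#                 forwarded out of ppp0. eth0 is always accepted on INPUT, so
#                 it is skipped in the per-interface INPUT loop.
# Outputs:   progress messages on stdout
# Returns:   0 on success. Under set -e the script exits on the first failing
#            iptables command, which can leave the tables half-configured
#            (e.g. INPUT at DROP with no allow rules added yet).
# NOTE: IPv4 only. ip6tables is never touched, so whatever IPv6 policy was in
#       place before this ran stays in place.
#######################################
do_start() {
  # Split on commas with builtins instead of `echo | sed`: no subshell, and
  # echo cannot mistake an argument such as "-n" for an option. Default IFS
  # splitting yields the same tokens the unquoted for-loop would have seen
  # (empty fields and surrounding whitespace are dropped).
  local -a lan_interfaces
  read -r -a lan_interfaces <<<"${1//,/ }"
  local i
  echo "Configuring firewall rules..."
  # Flush all the tables first
  iptables -t filter -F
  iptables -t nat -F
  iptables -t mangle -F
  # Drop all incoming packets by default
  iptables -t filter -P INPUT DROP
  # Accept all on local loopback
  iptables -t filter -A INPUT -i lo -j ACCEPT
  # Allow packets in for existing socket connections
  iptables -t filter -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  # Accept all from LAN interfaces (always accept on eth0)
  iptables -t filter -A INPUT -i eth0 -j ACCEPT
  for i in "${lan_interfaces[@]}"; do
    if [[ "$i" != "eth0" ]]; then
      iptables -t filter -A INPUT -i "$i" -j ACCEPT
    fi
  done
  # Per-port rules kept for reference only: the interface-wide ACCEPT rules
  # above already admit these ports from the LAN, and nothing is opened on
  # ppp0 unless one of the WAN lines below is enabled.
  # Accept ssh from the LAN (Wired)
  #iptables -t filter -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
  # Accept http from the LAN (Wired)
  #iptables -t filter -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
  # Accept tftp from the LAN (Wired)
  #iptables -t filter -A INPUT -i eth0 -p udp --dport 69 -j ACCEPT
  # Accept ssh from the WAN (Wireless)
  #iptables -t filter -A INPUT -i ppp0 -p tcp --dport 22 -j ACCEPT
  # Accept http from the WAN (Wireless)
  #iptables -t filter -A INPUT -i ppp0 -p tcp --dport 80 -j ACCEPT
  # Allow packet forwarding from LAN interfaces to ppp0 (cell router);
  # replies coming back in from ppp0 are covered by RELATED,ESTABLISHED.
  iptables -t filter -P FORWARD DROP
  iptables -t filter -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
  for i in "${lan_interfaces[@]}"; do
    iptables -t filter -A FORWARD -i "$i" -o ppp0 -j ACCEPT
  done
  # Allow all output packets
  iptables -t filter -P OUTPUT ACCEPT
  # enable NAT for cell router
  iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
  echo "Enabling packet forwarding..."
  # turn on packet forwarding last, once the FORWARD and NAT rules are in place
  echo 1 > /proc/sys/net/ipv4/ip_forward
  echo "Done"
}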
#######################################
# Tear the firewall down: flush the filter, nat and mangle tables, put every
# built-in filter chain back to ACCEPT, and disable IPv4 forwarding.
# After this the host accepts all inbound traffic.
# Arguments: none
# Outputs:   progress messages on stdout
# Returns:   0; under set -e a failing iptables command exits the script
#######################################
do_stop() {
  local table chain
  echo "Clearing firewall rules..."
  # clear all tables
  for table in filter nat mangle; do
    iptables -t "$table" -F
  done
  # reset policies to ACCEPT
  for chain in INPUT OUTPUT FORWARD; do
    iptables -t filter -P "$chain" ACCEPT
  done
  # turn off packet forwarding
  echo "Disabling packet forwarding..."
  echo 0 > /proc/sys/net/ipv4/ip_forward
  echo "Done"
}
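#######################################
# Print the usage message to stderr and exit 1.
# Globals:   reads $0 for the script name
# Returns:   never returns; exits 1
#######################################
usage() {
  printf 'Usage: %s start|stop [lan-interfaces]\n' "${0##*/}" >&2
  printf ' lan-interfaces: comma-separated list of LAN interfaces to forward to cellular\n' >&2
  printf ' defaults to "eth0"\n' >&2
  exit 1
}

# Exactly one action plus an optional interface list. Compare numerically:
# inside [[ ]] the < and > operators are string comparisons.
if (( $# < 1 || $# > 2 )); then
  usage
fi

case "$1" in
  start)
    do_start "${2:-eth0}"
    ;;
  stop)
    do_stop
    ;;
  *)
    # An unknown action must not exit 0 with the firewall untouched; that
    # would make a typo look like a successful start.
    usage
    ;;
esac
exit 0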