root/etc/firewall.sh

   1 #!/bin/sh
   2
   3 IPT=/usr/sbin/iptables
   4
   5 for T in filter nat mangle ; do
   6   $IPT -t $T -F
   7   $IPT -t $T -X
   8 done
   9
  10 $IPT -t filter -A INPUT -m state --state INVALID -j DROP
  11 $IPT -t filter -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  12 $IPT -t filter -A INPUT -p icmp -j ACCEPT
  13 $IPT -t filter -A INPUT -i vlan1 -p tcp -j REJECT --reject-with tcp-reset
  14 $IPT -t filter -A INPUT -i vlan1 -j REJECT --reject-with icmp-port-unreachable
  15 $IPT -t filter -A FORWARD -m state --state INVALID -j DROP
  16 $IPT -t filter -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
  17 $IPT -t filter -A FORWARD -i vlan1 -m state --state NEW,INVALID -j DROP
  18
  19 $IPT -t nat -A POSTROUTING -o vlan1 -j MASQUERADE
  20
  21 echo "1"   >/proc/sys/net/ipv4/ip_forward
  22 echo "1"   >/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
  23 echo "1"   >/proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
  24 echo "30"  >/proc/sys/net/ipv4/tcp_fin_timeout
  25 echo "120" >/proc/sys/net/ipv4/tcp_keepalive_time
  26 echo "0"   >/proc/sys/net/ipv4/tcp_timestamps