Diffstat (limited to 'doc/examples/firewall')
-rwxr-xr-x | doc/examples/firewall | 48 |
1 files changed, 48 insertions, 0 deletions
diff --git a/doc/examples/firewall b/doc/examples/firewall
new file mode 100755
index 0000000..fce735a
--- /dev/null
+++ b/doc/examples/firewall
@@ -0,0 +1,48 @@
+#!/bin/sh
+#
+# Firewall script for GGSN
+#
+# Uses $IFGN (eth0) as the Gn interface (Gn) and
+# $IFGI (eth1) as the Gi interface.
+#
+# SUMMARY
+# * All connections originating from GGSN are allowed.
+# * Incoming ssh, GTPv0 and GTPv1 is allowed on the Gn interface.
+# * Incoming ssh is allowed on the Gi interface.
+# * Forwarding is allowed to and from the Gi interface, but disallowed
+# to and from the Gn interface.
+# * Masquerede on Gi interface.
+
+IPTABLES="/sbin/iptables"
+IFGN="eth0"
+IFGI="eth1"
+
+$IPTABLES -P INPUT DROP
+$IPTABLES -P FORWARD ACCEPT
+$IPTABLES -P OUTPUT ACCEPT
+
+#Allow related and established on all interfaces (input)
+$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+
+#Allow releated, established, GTP and ssh on $IFGN. Reject everything else.
+$IPTABLES -A INPUT -i $IFGN -p tcp -m tcp --dport 22 --syn -j ACCEPT
+$IPTABLES -A INPUT -i $IFGN -p udp -m udp --dport 2123 -j ACCEPT
+$IPTABLES -A INPUT -i $IFGN -p udp -m udp --dport 2152 -j ACCEPT
+$IPTABLES -A INPUT -i $IFGN -p udp -m udp --dport 3386 -j ACCEPT
+$IPTABLES -A INPUT -i $IFGN -j REJECT
+
+#Allow related, established and ssh. Drop everything else.
+$IPTABLES -A INPUT -i $IFGI -p tcp -m tcp --dport 22 --syn -j ACCEPT
+$IPTABLES -A INPUT -i $IFGI -j DROP
+
+# Masquerade everything going out on $IFGI
+$IPTABLES -t nat -A POSTROUTING -o $IFGI -j MASQUERADE
+
+#Allow everything on loopback interface.
+$IPTABLES -A INPUT -i lo -j ACCEPT
+
+# Drop everything to and from $IFGN (forward)
+$IPTABLES -A FORWARD -i $IFGN -j DROP
+$IPTABLES -A FORWARD -o $IFGN -j DROP
+
+
|
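Review bot: Nothing flushes the existing chains before the `-A` lines, so every re-run of this script appends a second copy of each rule on top of whatever is already loaded, and `$IPTABLES -P INPUT DROP` is applied before any ACCEPT rule with no `set -e`, so if one of the later `-A` lines fails (e.g. a match module that is not available) the host is left with a DROP policy and no ssh ACCEPT. I would add `set -e` after the shebang and `$IPTABLES -F` plus `$IPTABLES -t nat -F` before the policy lines, or move the three `-P` lines after the ACCEPT rules so a partial run cannot lock the operator out. The script also never touches IPv6 or `net.ipv4.ip_forward`, which are presumably handled elsewhere; a one-line comment stating that would help, since the SUMMARY header reads as if this were the complete ruleset. The header comments misspell `releated` and `Masquerede`. The whole file is new and lies inside this hunk.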