Sample iptables NAT script

- If you want to use your Linux server as your gateway for your LAN users to access the internet. Physical connection
- Setup is typically Linux server with 2 network interface; first interface (eth0) connects to the LAN switch and second interface (eth1) to ISP router. The file can be viewed/downloaded on this link.

#!/bin/sh
#
#Sample NAT script
#Public IP - 200.200.200.200
#Private IP range 192.168.17.0/24 

# set a few variables
echo ""
echo " setting global variables"
echo ""
export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
iptables="/sbin/iptables"
 
# adjust /proc
echo " applying general security settings to /proc filesystem"
echo ""
if [ -e /proc/sys/net/ipv4/tcp_syncookies ]; then echo 1 > /proc/sys/net/ipv4/tcp_syncookies; fi
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter; fi
if [ -e /proc/sys/net/ipv4/ip_forward ]; then echo 1 > /proc/sys/net/ipv4/ip_forward; fi
 
# load some modules
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_conntrack_ftp.o ]; then modprobe ip_conntrack_ftp; fi
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_nat_ftp.o ]; then modprobe ip_nat_ftp; fi
 
# flush any existing chains and set default policies
$iptables -F INPUT
$iptables -F OUTPUT
$iptables -P INPUT DROP
$iptables -P OUTPUT ACCEPT
 
# setup NAT
echo " applying NAT rules"
echo ""
$iptables -F FORWARD
$iptables -F -t nat
$iptables -P FORWARD DROP
$iptables -A FORWARD -i eth1 -j ACCEPT
$iptables -A INPUT -i eth1 -j ACCEPT
$iptables -A OUTPUT -o eth1 -j ACCEPT
$iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -t nat -A POSTROUTING -s 192.168.17.0/24 -o eth0 -j SNAT --to-source 200.200.200.200
 
# allow all packets on the loopback interface
$iptables -A INPUT -i lo -j ACCEPT
$iptables -A OUTPUT -o lo -j ACCEPT
 
# allow established and related packets back in
$iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
 
# icmp
echo " applying ICMP rules"
echo ""
$iptables -A OUTPUT -p icmp -m state --state NEW -j ACCEPT
$iptables -A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -i eth0 -j ACCEPT
 
# apply icmp type match blocking
echo " applying icmp type match blocking"
echo ""
$iptables -I INPUT -p icmp --icmp-type redirect -j DROP
$iptables -I INPUT -p icmp --icmp-type router-advertisement -j DROP
$iptables -I INPUT -p icmp --icmp-type router-solicitation -j DROP
$iptables -I INPUT -p icmp --icmp-type address-mask-request -j DROP
$iptables -I INPUT -p icmp --icmp-type address-mask-reply -j DROP
 
# open ports to the firewall
echo " applying the open port(s) to the firewall rules"
echo "Opening Port 22 & 3128"
$iptables -A INPUT -p tcp --dport 22 -j ACCEPT
$iptables -A INPUT -p tcp --dport 3128 -j ACCEPT 


# logging
echo " applying logging rules"
$iptables -A INPUT -i eth0 -p tcp -m limit --limit 1/s --dport 0:65535 -j LOG --log-prefix "tcp connection: "
$iptables -A INPUT -i eth0 -p udp -m limit --limit 1/s --dport 0:65535 -j LOG --log-prefix "udp connection: "
 
# drop all other packets
echo " applying default drop policies"
echo ""
$iptables -A INPUT -i eth0 -p tcp --dport 0:65535 -j DROP
$iptables -A INPUT -i eth0 -p udp --dport 0:65535 -j DROP
 
echo "### NAT Firewall is loaded ###"
echo ""