The following are my firewall rules. eth1
is the WAN interface and all other are LAN interfaces. I want to filter INPUT and FORWARD chains only on eth1
(WAN interface). All other interfces need not be firewalled. My code sample below works fine. But I feel I need not have so many rules just to have filtering enabled on eth1
. So how can I have filtering enabled only on eth1
with just a few number of iptables rules?
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i br0 -j ACCEPT
iptables -A INPUT -i tap0 -j ACCEPT
iptables -A INPUT -i eth5 -j ACCEPT
iptables -A INPUT -i eth5.20 -j ACCEPT
iptables -A INPUT -i eth5.21 -j ACCEPT
iptables -A INPUT -i eth5.22 -j ACCEPT
iptables -A INPUT -i eth5.23 -j ACCEPT
iptables -A INPUT -i eth5.24 -j ACCEPT
iptables -A INPUT -i eth5.25 -j ACCEPT
iptables -A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i lo -j ACCEPT
iptables -A FORWARD -i br0 -j ACCEPT
iptables -A IFORWARD -i tap0 -j ACCEPT
iptables -A FORWARD -i eth5 -j ACCEPT
iptables -A FORWARD -i eth5.20 -j ACCEPT
iptables -A FORWARD -i eth5.21 -j ACCEPT
iptables -A FORWARD -i eth5.22 -j ACCEPT
iptables -A FORWARD -i eth5.23 -j ACCEPT
iptables -A FORWARD -i eth5.24 -j ACCEPT
iptables -A FORWARD -i eth5.25 -j ACCEPT
iptables -A FORWARD -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
# Webserver Ports
iptables -A INPUT -i eth1 -p tcp --match multiport --dports 80,443 -j ACCEPT
# NAT for my local network
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source my.pub.ip.add
# ICMP Protection
iptables -A INPUT -i eth1 -p icmp -m icmp --icmp-type address-mask-request -j DROP
iptables -A INPUT -i eth1 -p icmp -m icmp --icmp-type timestamp-request -j DROP
iptables -A INPUT -i eth1 -p icmp -m icmp -m limit --limit 1/second -j ACCEPT
iptables -A INPUT -i eth1 -j DROP
iptables -A FORWARD -i eth1 -j DROP
You could always do something like this in the top of each built-in chain:
Then whack whatever rules you want into
eth1chain
to allow traffic (you can skip putting the-i eth1
into those chains, too!), and leave the policy on the main chain as ACCEPT.However, I wouldn't recommend this. You really are better off using a default deny policy and specifying only the traffic you really want. Using a decent firewall management tool, rather than writing iptables commands directly, can help significantly with that work.