Development => Dev Stuff => Topic started by: razwall on August 29, 2025, 02:40:32 PM
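#!/usr/bin/env bash
# Baseline firewall / routing script for a gateway with two LAN bridges
# (br0 = primary LAN, br1 = secondary LAN), two WAN uplinks (eth1 = WAN1,
# eth2 = WAN2) and an OpenVPN tunnel (tun0). Must run as root; it REPLACES
# the live ruleset.
#
# Rule order matters: iptables stops at the first ACCEPT/DROP that matches,
# while LOG is non-terminating. Every (commented-out) LOG line therefore sits
# directly ABOVE the rule it mirrors -- a LOG placed after its ACCEPT/DROP,
# as in the original layout, never sees a packet. Uncomment a LOG line to
# enable it; --log-level 4 is syslog "warning".
set -euo pipefail

# =========================
# 0 CONFIG -- fill in before running
# =========================
# Empty values abort the script at first use via "${VAR:?}" instead of leaving
# a literal "<GW1 IP>" in a command line (which the shell parses as a
# redirection, not as an address).
GW1_IP=""      # WAN1 (eth1) next-hop gateway
GW2_IP=""      # WAN2 (eth2) next-hop gateway
WAN_IP_2=""    # additional public address on eth1 (step 16 example)
WAN_IP_3=""    # additional public address on eth1 (step 16 example)

# =========================
# 3 Default Policies
# =========================
# Set BEFORE flushing: on a box whose policies are still ACCEPT (fresh boot),
# flushing first would leave a short window with no rules and an open policy.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# =========================
# 1 Flush existing tables
# =========================
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# =========================
# 4 Allow loopback interface
# =========================
#iptables -A INPUT -i lo -j LOG --log-prefix "ALLOW LOOPBACK IN " --log-level 4
iptables -A INPUT -i lo -j ACCEPT
#iptables -A OUTPUT -o lo -j LOG --log-prefix "ALLOW LOOPBACK OUT " --log-level 4
iptables -A OUTPUT -o lo -j ACCEPT
# =========================
# 13 Hygiene: Drop invalid packets (moved up from the end of the script)
# =========================
# Must precede the interface-wide accepts in step 6: appended at the end, this
# was unreachable for LAN traffic, which "-i br0 -j ACCEPT" had already taken.
#iptables -A INPUT -m state --state INVALID -j LOG --log-prefix "DROP INVALID IN " --log-level 4
iptables -A INPUT -m state --state INVALID -j DROP
#iptables -A FORWARD -m state --state INVALID -j LOG --log-prefix "DROP INVALID FWD " --log-level 4
iptables -A FORWARD -m state --state INVALID -j DROP
# =========================
# 5 Allow established/related
# =========================
#iptables -A INPUT -m state --state ESTABLISHED,RELATED -j LOG --log-prefix "ALLOW EST/REL IN " --log-level 4
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j LOG --log-prefix "ALLOW EST/REL FWD " --log-level 4
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# =========================
# 6 Allow LAN traffic
# =========================
# NOTE: this accepts EVERYTHING br0 sends to the firewall itself, so the
# per-service br0 rules in step 7 are redundant while it is present. Remove
# this line to limit br0 to the services explicitly listed in step 7.
#iptables -A INPUT -i br0 -j LOG --log-prefix "ALLOW LAN1 INPUT " --log-level 4
iptables -A INPUT -i br0 -j ACCEPT
# NOTE: this forwards ALL br0 -> WAN1 traffic, so the optional outbound filter
# in step 11 can never match. Remove this line when enabling step 11.
#iptables -A FORWARD -i br0 -o eth1 -j LOG --log-prefix "ALLOW LAN1->WAN1 " --log-level 4
iptables -A FORWARD -i br0 -o eth1 -j ACCEPT
# 6.5 - OPTIONAL: Allow LAN -> Additional WANs
#iptables -A FORWARD -i br0 -o eth2 -j LOG --log-prefix "ALLOW LAN1->WAN2 " --log-level 4
iptables -A FORWARD -i br0 -o eth2 -j ACCEPT
# =========================
# 7 SYSTEM ACCESS RULES
# =========================
# (Firewall-hosted services: SSH/HTTP/HTTPS/DHCP/DNS/OpenVPN)
# By default: only Primary LAN (br0) has access. br1 gets DHCP only (marked
# OPTIONAL); tun0 clients get nothing here, so they cannot use the firewall's
# own DNS -- add "-i tun0" rules if VPN users need that.
# Management Access
#iptables -A INPUT -i br0 -p tcp --dport 22 -j LOG --log-prefix "ALLOW SSH br0 " --log-level 4
iptables -A INPUT -i br0 -p tcp --dport 22 -j ACCEPT
#iptables -A INPUT -i br0 -p tcp --dport 443 -j LOG --log-prefix "ALLOW HTTPS br0 " --log-level 4
iptables -A INPUT -i br0 -p tcp --dport 443 -j ACCEPT
#iptables -A INPUT -i br0 -p tcp --dport 80 -j LOG --log-prefix "ALLOW HTTP br0 " --log-level 4
iptables -A INPUT -i br0 -p tcp --dport 80 -j ACCEPT
# Infrastructure Services
#iptables -A INPUT -i br0 -p udp --dport 67:68 --sport 67:68 -j LOG --log-prefix "ALLOW DHCP br0 " --log-level 4
iptables -A INPUT -i br0 -p udp --dport 67:68 --sport 67:68 -j ACCEPT
#iptables -A INPUT -i br1 -p udp --dport 67:68 --sport 67:68 -j LOG --log-prefix "ALLOW DHCP br1 " --log-level 4
iptables -A INPUT -i br1 -p udp --dport 67:68 --sport 67:68 -j ACCEPT # OPTIONAL
#iptables -A INPUT -i br0 -p udp --dport 53 -j LOG --log-prefix "ALLOW DNS-UDP br0 " --log-level 4
iptables -A INPUT -i br0 -p udp --dport 53 -j ACCEPT
#iptables -A INPUT -i br0 -p tcp --dport 53 -j LOG --log-prefix "ALLOW DNS-TCP br0 " --log-level 4
iptables -A INPUT -i br0 -p tcp --dport 53 -j ACCEPT
# VPN Access (WAN1 only; add an eth2 rule if clients may arrive via WAN2)
#iptables -A INPUT -i eth1 -p udp --dport 1194 -j LOG --log-prefix "ALLOW OpenVPN WAN " --log-level 4
iptables -A INPUT -i eth1 -p udp --dport 1194 -j ACCEPT
# =========================
# 8 DNAT RULES (Port Forwards)
# =========================
# The FORWARD accepts carry no "-i eth1", so they also admit port 80/443
# traffic to this host from any other forwarded interface (br1, tun0). Add
# "-i eth1" if only the DNAT'd WAN flows should be allowed.
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to-destination 192.168.19.87:80
#iptables -A FORWARD -p tcp -d 192.168.19.87 --dport 80 -j LOG --log-prefix "DNAT HTTP->WebSrv " --log-level 4
iptables -A FORWARD -p tcp -d 192.168.19.87 --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 443 -j DNAT --to-destination 192.168.19.87:443
#iptables -A FORWARD -p tcp -d 192.168.19.87 --dport 443 -j LOG --log-prefix "DNAT HTTPS->WebSrv " --log-level 4
iptables -A FORWARD -p tcp -d 192.168.19.87 --dport 443 -j ACCEPT
# =========================
# 9 ZONE FIREWALL (LAN <-> LAN)
# =========================
# Three variants of the same allow, from broadest to narrowest. The first
# (zone-wide) rule already matches everything the two below it match, so the
# host-specific rules never fire while it is present -- keep only the one you
# actually want.
#iptables -A FORWARD -i br0 -o br1 -p tcp --dport 3389 -j LOG --log-prefix "ALLOW RDP br0->br1 " --log-level 4
iptables -A FORWARD -i br0 -o br1 -p tcp --dport 3389 -j ACCEPT
#iptables -A FORWARD -i br0 -o br1 -p tcp -d 192.168.20.50 --dport 3389 -j LOG --log-prefix "ALLOW RDP br0->host " --log-level 4
iptables -A FORWARD -i br0 -o br1 -p tcp -d 192.168.20.50 --dport 3389 -j ACCEPT
#iptables -A FORWARD -i br0 -s 192.168.10.100 -o br1 -p tcp -d 192.168.20.50 --dport 3389 -j LOG --log-prefix "ALLOW RDP host->host " --log-level 4
iptables -A FORWARD -i br0 -s 192.168.10.100 -o br1 -p tcp -d 192.168.20.50 --dport 3389 -j ACCEPT
# =========================
# 10 VPN FIREWALL (TUN/TAP)
# =========================
# Same pattern as step 9: the zone-wide tun0->br0 RDP rule shadows the
# client->host rule below it. The explicit DROPs at the end of this step are
# what the FORWARD policy would do anyway; they exist so the matching LOG
# lines can be enabled. No tun0 -> eth1/eth2 rule exists, so VPN clients get
# no internet through this gateway (split-tunnel assumption).
#iptables -A FORWARD -i tun0 -o br0 -p tcp --dport 3389 -j LOG --log-prefix "ALLOW VPN->LAN1 RDP " --log-level 4
iptables -A FORWARD -i tun0 -o br0 -p tcp --dport 3389 -j ACCEPT
#iptables -A FORWARD -i tun0 -o br1 -p tcp --dport 445 -j LOG --log-prefix "ALLOW VPN->LAN2 SMB " --log-level 4
iptables -A FORWARD -i tun0 -o br1 -p tcp --dport 445 -j ACCEPT
#iptables -A FORWARD -i tun0 -s 10.8.0.25 -o br0 -p tcp -d 192.168.10.50 --dport 3389 -j LOG --log-prefix "ALLOW VPNclient->LANhost RDP " --log-level 4
iptables -A FORWARD -i tun0 -s 10.8.0.25 -o br0 -p tcp -d 192.168.10.50 --dport 3389 -j ACCEPT
#iptables -A FORWARD -i tun0 -o br0 -j LOG --log-prefix "DROP VPN->LAN1 " --log-level 4
iptables -A FORWARD -i tun0 -o br0 -j DROP
#iptables -A FORWARD -i tun0 -o br1 -j LOG --log-prefix "DROP VPN->LAN2 " --log-level 4
iptables -A FORWARD -i tun0 -o br1 -j DROP
# =========================
# 11 OUTBOUND FIREWALL (Optional)
# =========================
# Disabled by default: with the blanket "-i br0 -o eth1 -j ACCEPT" in step 6
# these rules were dead code (they ran but could never match). To enable,
# remove that step-6 line and uncomment the two rules below.
#iptables -A FORWARD -i br0 -o eth1 -p tcp -m multiport --dports 80,443 -j LOG --log-prefix "ALLOW LAN1->WAN1 WEB " --log-level 4
#iptables -A FORWARD -i br0 -o eth1 -p tcp -m multiport --dports 80,443 -j ACCEPT
#iptables -A FORWARD -i br0 -o eth1 -j LOG --log-prefix "DROP LAN1->WAN1 " --log-level 4
#iptables -A FORWARD -i br0 -o eth1 -j DROP
# =========================
# 12 SNAT RULES (Outbound NAT)
# =========================
# These match on "-o eth1" / "-o eth2" alone, so any more specific SNAT (step
# 16) must be INSERTED ahead of them, not appended after.
#iptables -t nat -A POSTROUTING -o eth1 -j LOG --log-prefix "SNAT LAN1->WAN1 " --log-level 4
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
#iptables -t nat -A POSTROUTING -o eth2 -j LOG --log-prefix "SNAT LAN1->WAN2 " --log-level 4
iptables -t nat -A POSTROUTING -o eth2 -j MASQUERADE
# =========================
# 14 Catch-All Logging (Optional)
# =========================
# Last rules in the filter chains: anything reaching here falls through to the
# DROP policy, so these log exactly what the policy drops.
#iptables -A INPUT -j LOG --log-prefix "DROP INPUT CATCH-ALL " --log-level 4
#iptables -A FORWARD -j LOG --log-prefix "DROP FORWARD CATCH-ALL " --log-level 4
# =========================
# 15 Routing (Default/Failover/Load-Balance) -- pick EXACTLY ONE and uncomment
# =========================
# The three blocks are alternatives; the original listed all of them as live
# commands. "ip route replace" keys on the metric, so (c) creates two routes
# by design, but running (b) and (c) together would leave the multipath route
# from (b) in force as well.
# (a) Single WAN default
#ip route replace default via "${GW1_IP:?set GW1_IP}" dev eth1
# (b) Load balance across 2 WANs (2:1)
#ip route replace default nexthop via "${GW1_IP:?set GW1_IP}" dev eth1 weight 2 nexthop via "${GW2_IP:?set GW2_IP}" dev eth2 weight 1
# (c) Failover: WAN1 preferred; WAN2 is used once the eth1 route is withdrawn
#     (link down). Upstream outages with the link still up are not detected.
#ip route replace default via "${GW1_IP:?set GW1_IP}" dev eth1 metric 100
#ip route replace default via "${GW2_IP:?set GW2_IP}" dev eth2 metric 200
# =========================
# 16 Custom Routes (Per-IP / Multi-WAN) -- examples, uncomment what you need
# =========================
# SNAT rules use -I (insert at the head of POSTROUTING): appended, they would
# sit behind the MASQUERADE rules of step 12, which match first on "-o eth1",
# and would never be reached.
# Example: force traffic to 203.0.113.50 out WAN1 with a specific source IP
# (the original used a mismatched "X.X.X.X" here; the address now matches the
# route below).
#iptables -t nat -I POSTROUTING -o eth1 -d 203.0.113.50 -j SNAT --to-source "${WAN_IP_2:?set WAN_IP_2}"
#ip route add 203.0.113.50 via "${GW1_IP:?set GW1_IP}" dev eth1
# Example: route traffic to a specific subnet via WAN2
#ip route add 198.51.100.0/24 via "${GW2_IP:?set GW2_IP}" dev eth2
# Example: map an internal host to a dedicated WAN IP
#iptables -t nat -I POSTROUTING -s 192.168.19.100 -o eth1 -j SNAT --to-source "${WAN_IP_3:?set WAN_IP_3}"
# =========================
# 2 Enable IP forwarding (done last, once the FORWARD chain is populated)
# =========================
# Not persistent across reboots -- set net.ipv4.ip_forward=1 via sysctl.conf /
# sysctl.d for that.
echo 1 > /proc/sys/net/ipv4/ip_forward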