Simple ruleset for a home router: Difference between revisions
Jump to navigation
Jump to search
(example) |
(update) |
||
| Line 1: | Line 1: | ||
This example shows the configuration of an IPv4-only home router using a ppp interface to go out to the Internet. | |||
<source lang="bash"> | <source lang="bash"> | ||
flush ruleset | flush ruleset | ||
| Line 13: | Line 15: | ||
# This sample accepts them within a certain rate limit: | # This sample accepts them within a certain rate limit: | ||
# | # | ||
# icmp type echo-request limit rate 5/second | # icmp type echo-request limit rate 5/second accept | ||
# allow IPSec | # allow IPSec | ||
| Line 19: | Line 21: | ||
ip protocol { esp, ah } accept | ip protocol { esp, ah } accept | ||
# allow SSH connections | # allow SSH connections from some well-known internet host | ||
ip saddr 81.209.165.42 tcp dport ssh accept | ip saddr 81.209.165.42 tcp dport ssh accept | ||
} | } | ||
chain inbound_private { | chain inbound_private { | ||
# accepting ping (icmp-echo-request) for diagnostic purposes. | |||
icmp type echo-request limit rate 5/second accept | |||
# allow SSH and DNS from the private network | # allow SSH and DNS from the private network | ||
ip protocol . th dport vmap { tcp . 22 : accept, udp . 53 : accept, tcp . 53 : accept } | ip protocol . th dport vmap { tcp . 22 : accept, udp . 53 : accept, tcp . 53 : accept } | ||
} | } | ||
chain | chain inbound { | ||
type filter hook input priority 0; policy drop; | type filter hook input priority 0; policy drop; | ||
Revision as of 07:25, 11 August 2021
This example shows the configuration of an IPv4-only home router using a ppp interface to go out to the Internet.
flush ruleset
define DEV_PRIVATE = eth1
define DEV_WORLD = ppp0
define NET_PRIVATE = 192.168.0.0/16
table ip filter {
chain inbound_world {
# accepting ping (icmp-echo-request) for diagnostic purposes.
# However, it also lets probes discover this host is alive.
# This sample accepts them within a certain rate limit:
#
# icmp type echo-request limit rate 5/second accept
# allow IPSec
udp dport 500 accept
ip protocol { esp, ah } accept
# allow SSH connections from some well-known internet host
ip saddr 81.209.165.42 tcp dport ssh accept
}
chain inbound_private {
# accepting ping (icmp-echo-request) for diagnostic purposes.
icmp type echo-request limit rate 5/second accept
# allow SSH and DNS from the private network
ip protocol . th dport vmap { tcp . 22 : accept, udp . 53 : accept, tcp . 53 : accept }
}
chain inbound {
type filter hook input priority 0; policy drop;
# Allow traffic from established and related packets, drop invalid
ct state vmap { established : accept, related : accept, invalid : drop }
# allow loopback traffic, anything else jump to chain for further evaluation
iifname vmap { lo : accept, $DEV_WORLD : jump inbound_world, $DEV_PRIVATE : jump inbound_private }
# the rest is dropped by the above policy
}
chain forward {
type filter hook forward priority 0; policy drop;
# Allow traffic from established and related packets, drop invalid
ct state vmap { established : accept, related : accept, invalid : drop }
# connections from the internal net to the internet or to other
# internal nets are allowed
iifname $DEV_PRIVATE accept
# the rest is dropped by the above policy
}
chain postrouting {
type nat hook postrouting priority 100; policy accept;
# masquerade private IP addresses
ip saddr $NET_PRIVATE oifname $DEV_WORLD masquerade
}