All scripts in the directory /etc/network/if-up.d are run whenever an interface comes up. Create a new script in this directory to configure the firewall for the WAN interface.

root@voyage:/etc/network/if-up.d# ls

000resolvconf ifenslave mountnfs openssh-server
firewall ip ntpdate wpasupplicant

Create a script to configure the iptables firewall when the WAN interface on eth0 comes up

root@voyage:/etc/network/if-up.d# cat firewall

# Delete all existing rules (start afresh)
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X

# Always accept loopback traffic
iptables -A INPUT -i lo -j ACCEPT

# Allow established connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow outgoing connections
iptables -A OUTPUT -o eth0 -j ACCEPT
iptables -A FORWARD -o eth0 -j ACCEPT

# Allow SSH
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

# Block all other connections from the outside
iptables -A FORWARD -i eth0 -j REJECT
iptables -A INPUT -i eth0 -j REJECT

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# Enable routing
echo 1 > /proc/sys/net/ipv4/ip_forward

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s