# Need Help Improving IPTables Script

## wswartzendruber

So here's my script:

```
#!/bin/bash

IPTABLES='/sbin/iptables'

# Set interface values
EXTIF='venet0'
INTIF='tun0'

# enable ip forwarding in the kernel
/bin/echo 1 > /proc/sys/net/ipv4/ip_forward

# flush rules and delete chains (the nat table must be flushed separately,
# otherwise the SNAT rule below is appended again every time this runs)
$IPTABLES -F
$IPTABLES -X
$IPTABLES -t nat -F
$IPTABLES -t nat -X

# enable masquerading to allow LAN internet access
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j SNAT --to X.X.X.X

# forward LAN traffic from $INTIF to Internet interface $EXTIF
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -m state --state NEW,ESTABLISHED -j ACCEPT

# Allow external access to certain ports.
$IPTABLES -A INPUT --protocol tcp --dport 22 -j ACCEPT
$IPTABLES -A INPUT --protocol tcp --dport 443 -j ACCEPT

# block out all other Internet access on $EXTIF
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,INVALID -j DROP
$IPTABLES -A FORWARD -i $EXTIF -m state --state NEW,INVALID -j DROP
```

And it sucks.  It sucks because I don't know anything about IPTables and I hacked it together to get the job done.  I need:

1. Nothing entering venet0 except on ports TCP 22 and TCP 443.

2. No restrictions on tun0.

3. NAT.

How could this script be improved?

----------
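A ruleset that meets the three requirements in the opening post, written as an added example for this thread (it is neither the original script nor erik258's version, which does not appear on the page). It assumes the same interface names, venet0 and tun0, and emits iptables-restore syntax instead of calling iptables rule by rule, so the filter and nat tables are replaced atomically each time it is loaded; the original script's `-F` only flushes the filter table, so its SNAT rule is appended again on every run. The public address is passed in as an optional parameter: with it the nat rule is SNAT like the original, without it MASQUERADE, which needs the MASQUERADE target in the kernel.

```shell
#!/bin/sh
# Added example, not the thread's script: emit a complete ruleset in
# iptables-restore format for the three requirements in the opening post.
# Loading it with iptables-restore replaces the filter and nat tables
# atomically, so nothing stacks up when it is re-run.
#
# Usage: build_ruleset EXTIF INTIF [PUBLIC_IP]
#   With PUBLIC_IP the nat rule is SNAT --to-source PUBLIC_IP (as in the
#   original script); without it MASQUERADE, which needs the MASQUERADE
#   target in the kernel.

build_ruleset() {
    extif="$1"
    intif="$2"
    pubip="${3:-}"

    if [ -n "$pubip" ]; then
        nat_rule="-A POSTROUTING -o $extif -j SNAT --to-source $pubip"
    else
        nat_rule="-A POSTROUTING -o $extif -j MASQUERADE"
    fi

    # Lines starting with '#' are ignored by iptables-restore.
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback, and replies to connections this host opened
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# requirement 2: no restrictions on the internal interface
-A INPUT -i $intif -j ACCEPT
# requirement 1: only TCP 22 and 443 may open connections from $extif;
# everything else hits the INPUT DROP policy
-A INPUT -i $extif -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i $extif -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
# forwarding: the LAN may go out, only replies come back in
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $intif -o $extif -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# requirement 3: NAT for traffic leaving $extif
$nat_rule
COMMIT
EOF
}

# Enable forwarding, then load the generated ruleset atomically.
apply_ruleset() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    build_ruleset "$@" | iptables-restore
}

# Number of rules the generated ruleset appends to a chain (a quick sanity
# check on the output without touching the live firewall).
count_rules() {
    build_ruleset "$1" "$2" "$3" | grep -c "^-A $4 "
}
```

Run `build_ruleset venet0 tun0 X.X.X.X | iptables-restore --test` first to have the syntax checked without changing anything, then `apply_ruleset venet0 tun0 X.X.X.X` (or leave the address off to use MASQUERADE). The `-m conntrack --ctstate` match is the current name for the `-m state --state` match used in the original script; both work.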

## erik258

I've created an updated version that I think will work here.

The script can be copied and pasted into a shell script file, or even straight into a shell.

----------

## coolsnowmen

Do you know about fwbuilder?

EDIT: I believe you need one of the newest ones to use any forwarding, but it works well. Then you do an iptables-save and use the iptables service to load the saved version at startup.

----------

## wswartzendruber

*erik258 wrote:*

> I've created an updated version that I think will work here.
>
> The script can be copied and pasted into a shell script file, or even straight into a shell.


That one complains about one of the rules.

```
iptables -t nat -I POSTROUTING -o $EXTIF  -j MASQUERADE
```

I don't think I have the MASQUERADE rule on mine.

----------

## erik258

In that case, you may need to add some support into your kernel.

Here's what /proc/config.gz on my router had to say:

```
#
# IP: Netfilter Configuration
#
CONFIG_IP_NF_CONNTRACK=y
# CONFIG_IP_NF_CT_ACCT is not set
CONFIG_IP_NF_CONNTRACK_MARK=y
# CONFIG_IP_NF_CONNTRACK_EVENTS is not set
# CONFIG_IP_NF_CT_PROTO_SCTP is not set
CONFIG_IP_NF_FTP=y
CONFIG_IP_NF_IRC=y
# CONFIG_IP_NF_NETBIOS_NS is not set
# CONFIG_IP_NF_TFTP is not set
# CONFIG_IP_NF_AMANDA is not set
# CONFIG_IP_NF_PPTP is not set
CONFIG_IP_NF_H323=y
CONFIG_IP_NF_SIP=y
# CONFIG_IP_NF_QUEUE is not set
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_MATCH_IPRANGE=y
# CONFIG_IP_NF_MATCH_TOS is not set
# CONFIG_IP_NF_MATCH_RECENT is not set
# CONFIG_IP_NF_MATCH_ECN is not set
# CONFIG_IP_NF_MATCH_AH is not set
# CONFIG_IP_NF_MATCH_TTL is not set
# CONFIG_IP_NF_MATCH_OWNER is not set
# CONFIG_IP_NF_MATCH_ADDRTYPE is not set
# CONFIG_IP_NF_MATCH_HASHLIMIT is not set
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_TARGET_REJECT=y
# CONFIG_IP_NF_TARGET_LOG is not set
# CONFIG_IP_NF_TARGET_ULOG is not set
# CONFIG_IP_NF_TARGET_TCPMSS is not set
CONFIG_IP_NF_NAT=y
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=y    <-- This one is what you need
CONFIG_IP_NF_TARGET_REDIRECT=y
# CONFIG_IP_NF_TARGET_NETMAP is not set
# CONFIG_IP_NF_TARGET_SAME is not set
# CONFIG_IP_NF_NAT_SNMP_BASIC is not set
CONFIG_IP_NF_NAT_IRC=y
CONFIG_IP_NF_NAT_FTP=y
CONFIG_IP_NF_NAT_H323=y
CONFIG_IP_NF_NAT_SIP=y
# CONFIG_IP_NF_MANGLE is not set
# CONFIG_IP_NF_RAW is not set
# CONFIG_IP_NF_ARPTABLES is not set
```

You may need various other options as well.

----------
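To check for the option without reading the whole config by eye, here is an added helper (not from the thread) that searches a kernel config for the MASQUERADE target, under the name shown in the listing above or the newer CONFIG_NETFILTER_XT_TARGET_MASQUERADE that replaced it when the IPv4 and IPv6 masquerade targets were merged. The sample configs embedded in it are constructed for illustration. One caveat for the opening poster: venet0 is an OpenVZ container interface, and inside a container the kernel is the host's, so a missing target is something the hosting provider has to enable rather than something the guest can rebuild; the SNAT rule with a fixed address in the original script does not need this target.

```shell
#!/bin/sh
# Added example, not from the thread: report whether a kernel config has the
# MASQUERADE target, which the failing `-j MASQUERADE` rule depends on.
# The option has had two names: CONFIG_IP_NF_TARGET_MASQUERADE on older
# kernels (as in the listing above) and CONFIG_NETFILTER_XT_TARGET_MASQUERADE
# on newer ones. "=y" (built in) and "=m" (module) both mean it is available.

MASQ_PATTERN='^CONFIG_(IP_NF|NETFILTER_XT)_TARGET_MASQUERADE=(y|m)$'

# masquerade_support [config-file]
#   Reads /proc/config.gz by default; a plain-text config file also works.
#   Returns 0 if the target is available, 1 if not, 2 if the file is unreadable.
masquerade_support() {
    cfg="${1:-/proc/config.gz}"
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 2; }

    case "$cfg" in
        *.gz) reader="gzip -dc" ;;
        *)    reader="cat" ;;
    esac

    $reader "$cfg" | grep -Eq "$MASQ_PATTERN"
}

# Same check on config text held in a variable (handy when the config was
# fetched from somewhere else, or for testing).
masquerade_support_from_text() {
    printf '%s\n' "$1" | grep -Eq "$MASQ_PATTERN"
}

# Constructed sample configs (not real kernel output) showing both outcomes.
SAMPLE_WITH='CONFIG_IP_NF_NAT=y
CONFIG_IP_NF_TARGET_MASQUERADE=y
CONFIG_IP_NF_TARGET_REDIRECT=y'

SAMPLE_WITHOUT='CONFIG_IP_NF_NAT=y
# CONFIG_IP_NF_TARGET_MASQUERADE is not set
CONFIG_IP_NF_TARGET_REDIRECT=y'

SAMPLE_NEW_NAME='CONFIG_NF_NAT=m
CONFIG_NETFILTER_XT_TARGET_MASQUERADE=m'

for sample in "$SAMPLE_WITH" "$SAMPLE_WITHOUT" "$SAMPLE_NEW_NAME"; do
    if masquerade_support_from_text "$sample"; then
        echo "MASQUERADE target available"
    else
        echo "MASQUERADE target missing"
    fi
done
```

On the router itself, `masquerade_support` with no argument reads /proc/config.gz (present only when the kernel was built with CONFIG_IKCONFIG_PROC); if that file is absent, pass the path to the distribution's config file under /boot instead.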

