Internet connection sharing?


hotreca (Technical User, joined Nov 19, 2002, 25 messages, location DE)
Can anyone tell me how to configure Internet connection sharing with the following?

Main PC - running MS XP Pro 192.168.0.1
Second PC - running MS ME 192.168.0.3
Third PC - running Red Hat 9 (Shrike) 192.168.0.2
connected with a hub
the internet connection is a DSL
Red Hat has DHCP switched off as I use it as a testing server (LAMP). My dev tools are on the Main PC; the Internet connection is also run from there. Any help would be appreciated.
 
This is what I use on a RH8, RH9, and a RH7.2.

It's a firewall and router... all has comments in it.
Of course you have to configure the PPPoE for yourself and then this should work... more secure than Windows too. Or go get yourself a LinkSys router for $50 that supports PPPoE.
I have static and no changes are made.


Cut below to the end....
---------------------------------------

#!/bin/sh

# Initial SIMPLE IP Firewall test script for 2.4.x
#
# Author: Oskar Andreasson <blueflux@koffein.net>
# (c) of BoingWorld.com, use at your own risk, do whatever you please with
# it as long as you don't distribute this without due credits to
# BoingWorld.com
#
# Modified by Haim Dimermanas (dudle at linuxroot dot org)
#
# To install under Redhat : chkconfig --add iptables
# To install under Debian : update-rc.d iptables defaults 21

# chkconfig specific parameters follow
# iptables:
# chkconfig: 2345 82 80
# description: starts or stops netfilter rules

###########
# Configuration options, these will speed you up getting this script to
# work with your own setup.
# NOTE : even though I am lucky enough to have a static IP address on my
# interface connected to the Internet, this IP address is never
# mentioned anywhere. This way, if you connect to the Internet
# and receive a dynamic IP, you won't have to change too much stuff.
#
# your LAN's IP range and localhost IP. /24 means to only use the first 24
# bits of the 32 bit IP address. the same as netmask 255.255.255.0
#

LAN_IP_RANGE="192.168.1.0/24"
LAN_IP="192.168.1.111/32"
LAN_BCAST_ADDRESS="192.168.1.255/32"
LOCALHOST_IP="127.0.0.1/32"
INET_IFACE="eth0"
LAN_IFACE="eth1"
IPTABLES="/sbin/iptables"
ANYWHERE="0/0"
# limited broadcast address (all ones), see the INPUT chain comments below
BROADCAST="255.255.255.255/32"

case "$1" in
start)

#
# CRITICAL: Enable IP forwarding since it is disabled by default.
#
echo -n "Enabling IP Forwarding ... "
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "done."

# Dynamic IP users:
#
# If you get your IP address dynamically from SLIP, PPP, or DHCP, enable this
# option. This enables dynamic-ip address hacking in IP MASQ, making the connection
# with Diald and similar programs much easier.
#
#echo -n "Enabling dynamic IP addressing ... "
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr
#echo "done."

#
# The allowed chain for TCP connections (tcp_allowed)
#
# This chain will be utilised if someone tries to connect to an allowed
# port from the internet. If they are opening the connection, or if it's
# already established we ACCEPT the packages, if not we fuck them. This is
# where the state matching is performed also, we allow ESTABLISHED and
# RELATED packets.
echo -n "Creating tcp_allowed chain ... "
$IPTABLES -N tcp_allowed
$IPTABLES -A tcp_allowed -p TCP --syn -j ACCEPT
$IPTABLES -A tcp_allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A tcp_allowed -p TCP -j DROP
echo "done."

#
# Destination Network Address Translation.
# If you don't know what it is, just comment the lines.
#
# 1 - We want all traffic coming to port 4200 to be redirected to an ssh server
# inside our network.
# 2 - We allow this very traffic to pass the FORWARD chain.
#
# Then we use the same technique to redirect port 80 requests to our internal
# web server on port 80.
#
# NOTE : Do not forget to enable the port you want your clients to come into on the firewall
# In this case, it's port number 4200 and 80. Enabling this port is done at the INPUT
# chain level.
# Of course, you can replace 4200 with anything you want. I suggest you use a non
# assigned port though :-)
#
echo -n "Setting up DNAT ... "
# MEDIA_SERVER="192.168.1.222"
# MEDIA_PORT="8080"
# $IPTABLES -A PREROUTING -t nat -p tcp -i $INET_IFACE --dport 63637 -j DNAT --to $MEDIA_SERVER:$MEDIA_PORT
# $IPTABLES -A FORWARD -i $INET_IFACE -o $LAN_IFACE -d $MEDIA_SERVER -p tcp --dport $MEDIA_PORT -j tcp_allowed
#SSH_SERVER="192.168.1.111"
# SSH_PORT="22"
# $IPTABLES -A PREROUTING -t nat -p tcp -i $INET_IFACE --dport 4200 -j DNAT --to $SSH_SERVER:$SSH_PORT
# $IPTABLES -A FORWARD -i $INET_IFACE -o $LAN_IFACE -d $SSH_SERVER -p tcp --dport $SSH_PORT -j tcp_allowed
# (web server variables were lost in the original post; fill in the $ placeholders before uncommenting)
#$IPTABLES -A PREROUTING -t nat -p tcp -i $INET_IFACE --dport 80 -j DNAT --to $
#$IPTABLES -A FORWARD -i $INET_IFACE -o $LAN_IFACE -d $ -p tcp --dport $ -j tcp_allowed
echo "done."


# Enable simple IP FORWARDing and Masquerading
#
# NOTE: The following is an example for an internal LAN, where the lan
# runs on $LAN_IFACE, and the Internet is on $INET_IFACE.
#
# 1 - We masquerade at the 'nat' table, POSTROUTING chain if and only if:
# * It comes from our LAN
# * It goes out through our Internet interface.
# 2 - We ACCEPT to FORWARD if :
# * It goes through our LAN interface ... or ...
# * The connection is in a state ESTABLISHED or RELATED
# 3 - We LOG the rest.
echo -n "Setting up FORWARD chain and MASQUERADE ... "
$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -s $LAN_IP_RANGE -j MASQUERADE
$IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m limit --limit 10/minute --limit-burst 10 -j LOG --log-level DEBUG --log-prefix "FORWARD : "
echo "done."

#
# Set default policies for the INPUT, FORWARD and OUTPUT chains
# Guess what? We DROP everything by default!
echo -n "Setting up default policies ... "
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
echo "done."

#
# Create separate chains for ICMP, TCP and UDP to traverse
#
echo -n "Creating ICMP, TCP and UDP accepting chains ... "
$IPTABLES -N icmp_packets
$IPTABLES -N tcp_packets
$IPTABLES -N udp_packets
echo "done."

#
# ICMP rules
#
# 0 echo-reply, 3 destination-unreachable, 5 redirect, 8 echo-request,
# 11 time-exceeded (needed for path MTU discovery and traceroute to work)
echo -n "Setting up icmp_packets chain ... "
$IPTABLES -A icmp_packets -p ICMP -s $ANYWHERE --icmp-type 0 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s $ANYWHERE --icmp-type 3 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s $ANYWHERE --icmp-type 5 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s $ANYWHERE --icmp-type 8 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s $ANYWHERE --icmp-type 11 -j ACCEPT
echo "done."

#
# TCP rules
#
# Allow ssh and smtp.
# Allow 4200 for forwarding.
#
# We also allow port 113 (auth a.k.a. ident). Even if you don't have
# a ident server, I suggest you leave that port open. It will speed
# things up. For more info, visit
#
# All rules below are commented out, so no TCP port is reachable from the
# Internet until you uncomment the ones you need.
echo -n "Setting up tcp_packets chain ... "
# $IPTABLES -A tcp_packets -p TCP -s $ANYWHERE --dport 22 -j tcp_allowed
#$IPTABLES -A tcp_packets -p TCP -s $ANYWHERE --dport 25 -j tcp_allowed
#$IPTABLES -A tcp_packets -p TCP -s $ANYWHERE --dport 113 -j tcp_allowed
# $IPTABLES -A tcp_packets -p TCP -s $ANYWHERE --dport 63637 -j tcp_allowed
# $IPTABLES -A tcp_packets -p TCP -i $LAN_IFACE --dport 5955 -j tcp_allowed
# $IPTABLES -A tcp_packets -p TCP -i $LAN_IFACE --dport 7100 -j tcp_allowed
echo "done."

#
# UDP ports
#
# Allow DHCP
#
# Uncomment the following 2 lines if you are running a DNS server on your firewall
# $IPTABLES -A udp_packets -p UDP -s $ANYWHERE --source-port 53 -j ACCEPT
# $IPTABLES -A udp_packets -p UDP -s $ANYWHERE --destination-port 53 -j ACCEPT
echo -n "Setting up udp_packets... "
$IPTABLES -A udp_packets -p UDP -s $ANYWHERE --source-port 67 -j ACCEPT
$IPTABLES -A udp_packets -p UDP -s $ANYWHERE --source-port 68 -j ACCEPT
echo "done."

#
# PREROUTING chain.
#
# Do some checks for obviously spoofed IP's coming to our Internet
# interface
#
echo -n "Blocking private networks ... "
$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 192.168.0.0/16 -j DROP
$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 10.0.0.0/8 -j DROP
$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 172.16.0.0/12 -j DROP
echo "done."

#
# INPUT chain
#
# 1 - We associate each protocol to its own chain in the
# following order:
# * ICMP -> icmp_packets
# * TCP -> tcp_packets
# * UDP -> udp_packets
# 2 - We ACCEPT a packet in the following conditions:
# * It's part of a RELATED or ESTABLISHED connection
# * It comes from our LAN interface and goes to our LAN broadcast
# address
# * It comes from our LAN interface and goes to the 255.255.255.255
# broadcast address (useful if you have a DHCP server on your fw)
# * Its destination is our localhost (127.0.0.1)
# * Its destination is our LAN ip address.
echo -n "Associating packet types with their chains ... "
$IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets
$IPTABLES -A INPUT -p TCP -i $INET_IFACE -j tcp_packets
$IPTABLES -A INPUT -p UDP -i $INET_IFACE -j udp_packets
echo "done."

echo -n "Setting up the INPUT chain ... "
$IPTABLES -A INPUT -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_BCAST_ADDRESS -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $BROADCAST -j ACCEPT
$IPTABLES -A INPUT -p ALL -d $LOCALHOST_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -d $LAN_IP -j ACCEPT
$IPTABLES -A INPUT -m limit --limit 10/minute --limit-burst 10 -j LOG --log-level DEBUG --log-prefix "INPUT : "
echo "done."

#
# OUTPUT chain
#
# The idea is to accept everything, even though the default
# policy of the OUTPUT chain is DROP. Basically, if a packet
# doesn't pass the OUTPUT chain, there is something *serious*
# going on.
#
# 1 - ACCEPT all packets coming from localhost
# 2 - ACCEPT all packets coming from our LAN ip address
# 3 - ACCEPT all packets going to localhost
# 4 - ACCEPT all packets going to our LAN ip address
# 5 - ACCEPT all packets going through our Internet interface

echo -n "Setting up OUTPUT chain ... "
$IPTABLES -A OUTPUT -p ALL -s $LOCALHOST_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -d $LOCALHOST_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -d $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -o $INET_IFACE -j ACCEPT
$IPTABLES -A OUTPUT -m limit --limit 10/minute --limit-burst 10 -j LOG --log-level DEBUG --log-prefix "OUTPUT : "
echo "done."
;;
stop)

# Flush all rules and reset every policy to ACCEPT (the box is open afterwards)
echo -n "Flushing all rules ... "
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -X
$IPTABLES -t nat -X
echo "done."
;;
restart)
$0 stop
$0 start
;;
status)
$IPTABLES -nL
;;
*)
echo "usage: $0 {start|stop|restart|status}"
exit 1
esac
exit 0
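Once the script above has been adapted to the asker's 192.168.0.0/24 LAN and started, the thing to verify is that the rules the comments promise are actually loaded: FORWARD defaults to DROP, MASQUERADE is scoped to the LAN range and the DSL interface, private source addresses are dropped on the Internet side, and nothing is forwarded in from the Internet without connection tracking. The audit below is an added example written for this thread, not code from the script's authors; it checks an `iptables-save` dump (file path, interface names eth0/eth1 and the two constructed dumps are assumptions) and reports each property that fails.

```shell
#!/bin/sh
# Added example, not from the thread: audit an iptables-save dump for the
# properties the firewall script above is meant to enforce on the sharing box.
# Live use: iptables-save > /tmp/rules.txt; audit_ruleset /tmp/rules.txt LAN_RANGE INET_IFACE LAN_IFACE
audit_ruleset() {
    dump=$1 lan=$2 inet=$3 lanif=$4 fails=0
    fail() { echo "FAIL: $1"; fails=$((fails + 1)); }
    # 1. Nothing is forwarded unless a rule explicitly allows it.
    grep -q '^:FORWARD DROP' "$dump" || fail "filter FORWARD policy is not DROP"
    # 2. MASQUERADE only for our LAN range leaving via the Internet interface; an unscoped rule relays for anyone.
    masq=$(grep -E '^-A POSTROUTING .*-j MASQUERADE$' "$dump" || true)
    [ -n "$masq" ] || fail "no MASQUERADE rule in nat POSTROUTING"
    printf '%s\n' "$masq" | grep -vF -- "-s $lan " | grep -q MASQUERADE \
        && fail "MASQUERADE not restricted to source $lan"
    printf '%s\n' "$masq" | grep -vF -- "-o $inet " | grep -q MASQUERADE \
        && fail "MASQUERADE not restricted to output interface $inet"
    # 3. Private source addresses arriving from the Internet side are spoofed and must be dropped.
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        grep -qF -- "-s $net -i $inet -j DROP" "$dump" \
            || fail "no anti-spoof DROP for $net on $inet"
    done
    # 4. Every FORWARD ACCEPT must be stateful or enter from the LAN side; anything else exposes LAN hosts.
    grep -E '^-A FORWARD .*-j ACCEPT$' "$dump" | grep -v -- '--state' \
        | grep -vF -- "-i $lanif " | grep -q . \
        && fail "FORWARD accepts traffic that is neither stateful nor from $lanif"
    [ "$fails" -eq 0 ]
}
# Constructed dump, as the script above would produce it for the asker's
# 192.168.0.0/24 LAN on eth1 sharing a DSL link on eth0 (interfaces assumed).
good_ruleset() { cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -s 192.168.0.0/16 -i eth0 -j DROP
-A PREROUTING -s 10.0.0.0/8 -i eth0 -j DROP
-A PREROUTING -s 172.16.0.0/12 -i eth0 -j DROP
-A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}
# Same dump with two weak settings: FORWARD policy ACCEPT and an unscoped MASQUERADE.
bad_ruleset() { good_ruleset | sed -e 's/^:FORWARD DROP/:FORWARD ACCEPT/' \
    -e 's|^-A POSTROUTING -s 192.168.0.0/24 -o eth0|-A POSTROUTING -o eth0|'; }
```

Run `good_ruleset | audit_ruleset /dev/stdin 192.168.0.0/24 eth0 eth1` to see the clean case pass, and the same with `bad_ruleset` to see the two FAIL lines for the weakened configuration.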
 