Hello,

Please be so kind dear reader check if my firewall script is correct, and make suggestions in case something is wrong.

eth0 and eth1 is internal network both should be able to communicate with each other without restrictions.
eth0 and eth1 should be able to communicate with ISP lan via eth3 unrestricted via the OUTPUT rules.

eth3 should only be able to access FTP server on this firewall, the ftp server itself is running on THIS firewall.

All users of my network should be able to access computers of this ISP network 10.0.0.0/255.255.255.0 accessible
via $EXTIF or $EXTIP .

If everything is okay than this is what the following script does. The routing information is exchanged between my Linux routers
via Quagga / RIP v2 . ip_forwarding is set to 1 .

Sincerely
Robert B

#!/bin/sh
################################################################################
##
# GLOBAL VARIABLES
################################################################################
##

IFCONFIG=/sbin/ifconfig
AWK=/bin/awk

INTIF="eth0"
INTIF2="eth1"
EXTIF="eth2"
echo " External Interface: $EXTIF"
echo " Internal Interface 1: $INTIF"
echo " Internal Interface 2: $INTIF2"
echo " ---"

EXTIP="`$IFCONFIG $EXTIF | $AWK \
/$EXTIF/'{next}//{split($0,a,":");split(a[2],a," ");print a[1];exit}'`"
echo " External IP: $EXTIP"
echo " ---"


iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

################################################################################
##
# FORWARD RULES
################################################################################
##

iptables -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT # eth0 -> eth2
iptables -A FORWARD -i $INTIF2 -o $EXTIF -j ACCEPT # eth1 -> eth2
iptables -A FORWARD -i $INTIF -o $INTIF -j ACCEPT # eth0 -> eth0
iptables -A FORWARD -i $INTIF2 -o $INTIF2 -j ACCEPT # eth1 -> eth1
iptables -A FORWARD -i $INTIF -o $INTIF2 -j ACCEPT # eth0 -> eth1
iptables -A FORWARD -i $INTIF2 -o $INTIF -j ACCEPT # eth1 -> eth0
iptables -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT # eth3 -> eth0
iptables -A FORWARD -i $EXTIF -o $INTIF2 -m state --state ESTABLISHED,RELATED -j ACCEPT # eth3 -> eth1

################################################################################
##
# INPUT RULES
################################################################################
##

iptables -A INPUT -s 127.0.0.1 -j ACCEPT # lo
iptables -A INPUT -i $INTIF -j ACCEPT # eth0
iptables -A INPUT -i $INTIF2 -j ACCEPT # eth1
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT # eth3 + any other interface not specified just in case

# ECHO ICMP PING ALLOW
iptables -A INPUT -p icmp -m state --state NEW,ESTABLISHED,RELATED --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

################################################################################
##
# vsFTP Server on the Firewall
################################################################################
##

iptables -A INPUT -i $EXTIF -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT

# ACTIVE
iptables -A INPUT -i $EXTIF -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT

# PASSIVE
iptables -A INPUT -i $EXTIF -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT


################################################################################
##
# OUTPUT RULES
################################################################################
##

iptables -A OUTPUT -s 127.0.0.1 -j ACCEPT # lo
iptables -A OUTPUT -s 192.168.1.253 -j ACCEPT # eth0
iptables -A OUTPUT -s 192.168.6.250 -j ACCEPT # eth1
iptables -A OUTPUT -s $EXTIP -j ACCEPT # eth2

################################################################################
##
# POSTROUTING
################################################################################
##

iptables -t nat -A POSTROUTING -s 192.168.0.0/255.255.255.0 -o $EXTIF -j SNAT --to-source $EXTIP
iptables -t nat -A POSTROUTING -s 192.168.1.0/255.255.255.0 -o $EXTIF -j SNAT --to-source $EXTIP
iptables -t nat -A POSTROUTING -s 192.168.2.0/255.255.255.0 -o $EXTIF -j SNAT --to-source $EXTIP
iptables -t nat -A POSTROUTING -s 192.168.3.0/255.255.255.0 -o $EXTIF -j SNAT --to-source $EXTIP
iptables -t nat -A POSTROUTING -s 192.168.4.0/255.255.255.0 -o $EXTIF -j SNAT --to-source $EXTIP
iptables -t nat -A POSTROUTING -s 192.168.5.0/255.255.255.0 -o $EXTIF -j SNAT --to-source $EXTIP
iptables -t nat -A POSTROUTING -s 192.168.6.0/255.255.255.0 -o $EXTIF -j SNAT --to-source $EXTIP
iptables -t nat -A POSTROUTING -s 192.168.10.0/255.255.255.0 -o $EXTIF -j SNAT --to-source $EXTIP
iptables -t nat -A POSTROUTING -s 192.168.11.0/255.255.255.0 -o $EXTIF -j SNAT --to-source $EXTIP
iptables -t nat -A POSTROUTING -s 192.168.56.0/255.255.255.0 -o $EXTIF -j SNAT --to-source $EXTIP
iptables -t nat -A POSTROUTING -s 192.168.57.0/255.255.255.0 -o $EXTIF -j SNAT --to-source $EXTIP