
#!/bin/sh
#
# egress_filtering_netfilter.sh
#
# Sample Ingress/Egress filters with iptables on a
# machine that also acts as a forwarding gateway.
#
# Change IP networks, salt to taste.
#
# Copyright 2002, Bri Hatch
#
# Released under the GPL.  See COPYING file
# for more information.

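# Fail closed: if any iptables call fails, stop here rather than carry on
# with a half-built (and therefore half-open) rule set.
set -e

IPT=/sbin/iptables

# Internal network is assumed to be eth0
internal_net=192.168.5.0/24

# External network is assumed to be eth1; this is the gateway's own
# address on that interface.
my_ip_addr=192.168.4.2/32

# Start from a clean filter table so re-running the script does not append
# duplicate rules, and set the default policy to DROP: the ACCEPT rules
# below only mean "allow only" if everything they do not match is refused.
# Run this from the console -- a DROP policy plus a typo in an ACCEPT rule
# locks out every remote session.
for chain in INPUT OUTPUT FORWARD; do
	"$IPT" -F "$chain"
	"$IPT" -P "$chain" DROP
done

# Loopback must stay open or local services break under the DROP policy.
"$IPT" -A INPUT  -i lo -j ACCEPT
"$IPT" -A OUTPUT -o lo -j ACCEPT

# Anti-spoofing, placed BEFORE any ACCEPT so a forged source address can
# never match one: our internal network and our own external address can
# not legitimately arrive on the external interface.  (The kernel can do
# the same check via net.ipv4.conf.*.rp_filter; the explicit rules keep
# the policy visible in one place.)
for chain in INPUT FORWARD; do
	"$IPT" -A "$chain" -i eth1 -s "$internal_net" -j DROP
	"$IPT" -A "$chain" -i eth1 -s "$my_ip_addr"  -j DROP
done

# Egress filters: only this host's own external address leaves eth1 from
# the host itself (OUTPUT), and only the internal net is routed out of eth1
# (FORWARD).  Routed packets traverse the FORWARD chain only -- never
# INPUT/OUTPUT -- so a gateway that filters just INPUT/OUTPUT leaves all
# forwarded traffic unfiltered.  Internal (private) source addresses are
# deliberately not allowed out of eth1 from this host: leaking them is
# exactly what egress filtering exists to stop.
"$IPT" -A OUTPUT  -o eth1 -s "$my_ip_addr" -j ACCEPT
"$IPT" -A FORWARD -i eth0 -o eth1 -s "$internal_net" -j ACCEPT

# Ingress filters: inbound on eth1 only to our own address (INPUT) or
# routed on to the internal net (FORWARD).
"$IPT" -A INPUT   -i eth1 -d "$my_ip_addr" -j ACCEPT
"$IPT" -A FORWARD -i eth1 -o eth0 -d "$internal_net" -j ACCEPT

# eth0: only the internal net talks to this host, or through it.
"$IPT" -A OUTPUT -o eth0 -d "$internal_net" -j ACCEPT
"$IPT" -A INPUT  -i eth0 -s "$internal_net" -j ACCEPT

# Block clearly-spoofed packets: reserved/private source networks must not
# traverse this gateway on either interface, in any chain.  NOTE: the sample
# addresses above are themselves inside 192.168.0.0/16, so this list is
# appended after the ACCEPT rules; once real public addresses are in use,
# move this loop ahead of them so the bogon check wins.
for badnet in 0.0.0.0/8 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 \
              169.254.0.0/16 192.168.0.0/16 224.0.0.0/4 240.0.0.0/4
do
	for chain in INPUT FORWARD; do
		"$IPT" -A "$chain" -i eth0 -s "$badnet" -j DROP
		"$IPT" -A "$chain" -i eth1 -s "$badnet" -j DROP
	done
	"$IPT" -A OUTPUT -o eth0 -s "$badnet" -j DROP
	"$IPT" -A OUTPUT -o eth1 -s "$badnet" -j DROP
done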