Variable Substitution

I have run into a wall with my iptables firewall scripting.
I am blocking all of the private side IP addresses on the
WAN interface on systems running NAT. However, if the
system is not running NAT and needs to allow access to
the local LAN on the WAN interface, I need to block all
but one of the private side addresses. These private
side addresses are listed in the variable $RULES.

What I'd like to be able to do is put in a conditional
statement so that if NAT is not running, it will strip
that address range from the $RULES variable so that
the LAN will have access to the system. Something
like this:

LAN=192.168.0.0/16

if [ "$NAT" = OFF ]; then
(strip range $LAN from the $RULES variable here)
fi

Here is the process that denies the private side addresses:

RULES="127.0.0.0/8 169.254.0.0/16 192.0.2.0/24 248.0.0.0/5 \
10.0.0.0/8 172.16.0.0/16 192.168.0.0/16 224.0.0.0/4 240.0.0.0/5"

for LIST in $RULES; do
    $IPT -A INPUT -i eth0 -s "$LIST" -j DROP
done

I've looked through a number of Bash scripting websites
and haven't found a way to do this yet. I think I must
be looking in the wrong sections or something. Any ideas?

Thanks.

As the Perl folks tend to say, TIMTOWTDI.
Here's one way you could strip $LAN from your $RULES.

STRIPPED_RULES=$(echo "$RULES" | tr '\040' '\012' | grep -vxF "$LAN")

Of course if LAN contains more than one entry you would also have to
split those entries in situ.
Should your shell script not be using a POSIX compatible shell
then you would have to replace the $(...) command substitution
by `...` backtick delimiters.

Another way is to use sed...

RULES=$(echo "$RULES"|sed "s:$LAN::")
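Putting the question's deny loop together with the first reply's caveat about LAN holding more than one entry, here is an added worked script; it is not the original poster's code nor either reply's. It assumes the iptables path is in IPT (it defaults to "echo iptables" here so the script runs without root or a live firewall; export IPT=iptables to apply the rules) and that NAT is set to ON or OFF by the surrounding script. strip_ranges and deny_private_ranges are names made up for this example. Unlike grep -v or a sed substitution, strip_ranges compares whole entries, so a range that is merely a textual prefix of another is never removed by accident, and it accepts any number of space-separated ranges to exclude.

```sh
#!/bin/sh
# Added example, not the original poster's script. Assumes the iptables
# path in $IPT (defaults to "echo iptables" so nothing is applied unless
# you export IPT=iptables) and NAT set to ON or OFF by the caller.

RULES="127.0.0.0/8 169.254.0.0/16 192.0.2.0/24 248.0.0.0/5 \
10.0.0.0/8 172.16.0.0/16 192.168.0.0/16 224.0.0.0/4 240.0.0.0/5"
LAN="192.168.0.0/16"          # may hold several space-separated ranges
NAT="${NAT:-OFF}"
IPT="${IPT:-echo iptables}"

# strip_ranges RULES EXCLUDE
# Print the entries of RULES that do not appear in EXCLUDE, both given as
# space-separated lists. Whole entries are compared, so excluding
# "10.0.0.0/8" does not also remove "10.0.0.0/24", and every entry in
# EXCLUDE is honoured.
strip_ranges() {
    _keep=""
    for _r in $1; do
        _drop=0
        for _x in $2; do
            if [ "$_r" = "$_x" ]; then _drop=1; fi
        done
        if [ "$_drop" -eq 0 ]; then _keep="$_keep $_r"; fi
    done
    printf '%s\n' "${_keep# }"
}

# deny_private_ranges IFACE RULES
# Append one DROP rule on the INPUT chain for each range in RULES.
deny_private_ranges() {
    for _list in $2; do
        $IPT -A INPUT -i "$1" -s "$_list" -j DROP
    done
}

# Without NAT the LAN must still reach this host on the WAN interface,
# so its range(s) are left out of the deny list.
if [ "$NAT" = OFF ]; then
    ACTIVE_RULES=$(strip_ranges "$RULES" "$LAN")
else
    ACTIVE_RULES=$RULES
fi
deny_private_ranges eth0 "$ACTIVE_RULES"
```

Run it as-is to see the iptables commands that would be issued; with NAT=ON exported, the 192.168.0.0/16 DROP rule reappears in the output.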