The most important responsibility of the gateway is to firewall our three separate network segments. We will again use the Netfilter functionality that was introduced in Section 5.3.1. See that section for a basic introduction to the functioning of Netfilter.

The rc.firewall script for the gateway is significantly more complex that the one laid out for use on the clients. It has to protect not only the gateway itself, but also ensure separation between the networks while allowing vital services on the gateway to be accessed by local users. This script is also much more aggressive in preventing abusive behavior since it will be the frontline against often hazardous Internet traffic.

This script is quite long; we will examine it section by section. To build the completed script, concatenate each of the example sections that follow into /etc/init.d/rc.firewall.

First, we establish several variables that will be used throughout the rest of the script. By placing these values into variables, we can easily update the script if these values change in the future. Here we define the three network interfaces that will be used for the upstream, wired, and wireless connections, respectively. Change these to match the configuration of your machine.

#!/bin/sh
# rc.firewall for gateway

# --- SETUP ---

# Variables (for easier changes)
IPTABLES=/sbin/iptables

INT_GW="eth0"
INT_WIRED="eth1"
INT_WIRELESS="eth2"
INT_ALL="$INT_GW $INT_WIRED $INT_WIRELESS lo"

The IP_ variables ...