1 | #!/bin/sh
|
2 | #
|
3 | # rc.firewall - UTIN Firewall script for Linux 2.4.x and iptables
|
4 | #
|
5 | # Copyright (C) 2001 Oskar Andreasson <bluefluxATkoffeinDOTnet>
|
6 | #
|
7 | # This program is free software; you can redistribute it and/or modify
|
8 | # it under the terms of the GNU General Public License as published by
|
9 | # the Free Software Foundation; version 2 of the License.
|
10 | #
|
11 | # This program is distributed in the hope that it will be useful,
|
12 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
|
13 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
14 | # GNU General Public License for more details.
|
15 | #
|
16 | # You should have received a copy of the GNU General Public License
|
17 | # along with this program or from the site that you downloaded it
|
18 | # from; if not, write to the Free Software Foundation, Inc., 59 Temple
|
19 | # Place, Suite 330, Boston, MA 02111-1307 USA
|
20 | #
|
21 |
|
22 | ###########################################################################
|
23 | #
|
24 | # 1. Configuration options.
|
25 | #
|
26 |
|
27 | #
|
28 | # 1.1 Internet Configuration.
|
29 | #
|
30 |
|
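# The firewall's public (Internet-facing) address, interface and directed
# broadcast.  These are site-specific example values: replace them before
# use.  INET_BROADCAST is only referenced by the optional broadcast-drop
# rule in 4.1.3.
INET_IP="194.236.50.155"
INET_IFACE="eth0"
INET_BROADCAST="194.236.50.255"

#
# 1.1.1 DHCP
#

#
# 1.1.2 PPPoE
#

#
# 1.2 Local Area Network configuration.
#
# The firewall's LAN-side address, the address range of the LAN, and the
# LAN interface.  The prefix length says how many leading bits of the
# address are fixed: /16 (netmask 255.255.0.0) covers 192.168.0.0 through
# 192.168.255.255.  Tighten it to the subnet actually in use (for a single
# 192.168.0.x network that is /24, netmask 255.255.255.0) so that any rule
# matching on it admits no more source addresses than necessary.
#

LAN_IP="192.168.0.2"
LAN_IP_RANGE="192.168.0.0/16"
LAN_IFACE="eth1"

#
# 1.3 DMZ Configuration.
#

#
# 1.4 Localhost Configuration.
#
# Loopback interface and address; used by the INPUT/OUTPUT rules in 4.1.
#

LO_IFACE="lo"
LO_IP="127.0.0.1"

#
# 1.5 IPTables Configuration.
#
# Absolute path to the iptables binary; every rule below goes through it.
#

IPTABLES="/usr/sbin/iptables"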
|
70 |
|
71 | #
|
72 | # 1.6 Other Configuration.
|
73 | #
|
74 |
|
75 | ###########################################################################
|
76 | #
|
77 | # 2. Module loading.
|
78 | #
|
79 |
|
80 | #
|
81 | # Needed to initially load modules
|
82 | #
|
83 |
|
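# Refresh module dependency information so the modprobes below resolve.
# On a kernel with netfilter compiled in these commands print errors and
# do nothing; the script never aborts on them.
/sbin/depmod -a

#
# 2.1 Required modules
#
# Everything section 4 relies on: the three tables this script touches
# (filter, mangle, nat), connection tracking for the -m state matches,
# LOG and limit for the rate-limited log rules, and REJECT for the
# tcp-reset answer in bad_tcp_packets.  ipt_REJECT used to be listed as
# optional under 2.2 although the script unconditionally uses -j REJECT;
# it is loaded here for the same reason ipt_LOG and ipt_state are (module
# autoloading would normally pull it in, but be explicit).
#

/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state
/sbin/modprobe ipt_REJECT

#
# 2.2 Non-Required modules
#
# ip_conntrack_ftp / ip_nat_ftp: section 4 opens FTP (port 21) both to the
# firewall itself and for forwarding from the LAN.  Without these helpers
# the FTP data connections are not recognised as RELATED and, in the
# forwarded case, are not NATed -- uncomment them if FTP has to work.
# ipt_MASQUERADE: only needed if the SNAT rule in 4.2.5 is replaced by
# MASQUERADE for a dynamic INET_IP.
#

#/sbin/modprobe ipt_owner
#/sbin/modprobe ipt_MASQUERADE
#/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc
#/sbin/modprobe ip_nat_ftp
#/sbin/modprobe ip_nat_irc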
|
110 |
|
111 | ###########################################################################
|
112 | #
|
113 | # 3. /proc set up.
|
114 | #
|
115 |
|
116 | #
|
117 | # 3.1 Required proc configuration
|
118 | #
|
119 |
|
#
# Turn on IPv4 forwarding between interfaces; without it the FORWARD chain
# and the SNAT rule in 4.2.5 never see any traffic.  There is deliberately
# no error check: if /proc is unavailable the write fails and the box
# simply does not route, which is the safe direction.
#

printf '1\n' > /proc/sys/net/ipv4/ip_forward

#
# 3.2 Non-Required proc configuration
#
# rp_filter: reverse-path filtering -- the kernel drops packets whose
# source address would not be routed back out the interface they came in
# on.  NOTE(review): on a two-interface NAT gateway this is the usual
# kernel-side anti-spoofing control; consider enabling it unless routing
# is asymmetric.
# proxy_arp / ip_dynaddr: only for proxy-ARP setups and for dynamic
# (dial-up / PPPoE) addresses respectively.
#

#echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
#echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr
|
129 |
|
130 | ###########################################################################
|
131 | #
|
132 | # 4. rules set up.
|
133 | #
|
134 |
|
135 | ######
|
136 | # 4.1 Filter table
|
137 | #
|
138 |
|
139 | #
|
140 | # 4.1.1 Set policies
|
141 | #
|
142 |
|
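# Fail closed: anything not explicitly accepted below is dropped.  The
# policies are set before the chains are emptied so a re-run never leaves
# a window in which the box is wide open.
"$IPTABLES" -P INPUT DROP
"$IPTABLES" -P OUTPUT DROP
"$IPTABLES" -P FORWARD DROP

# Start from a clean slate.  Without this the script only ever appends:
# running it a second time duplicates every rule and the -N calls in 4.1.2
# fail because the chains already exist.  Flush all three tables this
# script populates or loads (filter, nat, mangle) and delete their user
# chains.
"$IPTABLES" -F
"$IPTABLES" -X
"$IPTABLES" -t nat -F
"$IPTABLES" -t nat -X
"$IPTABLES" -t mangle -F
"$IPTABLES" -t mangle -X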
|
146 |
|
147 | #
|
# 4.1.2 Create user-specified chains
|
149 | #
|
150 |
|
151 | #
|
152 | # Create chain for bad tcp packets
|
153 | #
|
154 |
|
# User chains that INPUT/FORWARD/OUTPUT dispatch into.  They have to exist
# before 4.1.3 fills them:
#   bad_tcp_packets - TCP sanity checks shared by all three built-in chains
#   allowed         - per-port TCP acceptance logic
#   tcp_packets / udp_packets / icmp_packets - per-protocol port lists
for user_chain in bad_tcp_packets allowed tcp_packets udp_packets icmp_packets; do
    "$IPTABLES" -N "$user_chain"
done
|
165 |
|
166 | #
|
# 4.1.3 Create content in user-specified chains
|
168 | #
|
169 |
|
170 | #
|
171 | # bad_tcp_packets chain
|
172 | #
|
173 |
|
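# An unsolicited SYN/ACK (conntrack state NEW) is typically what a host
# receives when its address was spoofed in a SYN sent to someone else.
# Answer it with a RST so the peer tears its half-open connection down.
# This rule must come first, otherwise the packet would be logged and
# dropped as "New not syn" below.
"$IPTABLES" -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK \
    -m state --state NEW -j REJECT --reject-with tcp-reset
# Any other NEW packet that is not a SYN (stray ACK/FIN after a conntrack
# timeout, or a scan).  Log it, rate-limited like the other LOG rules in
# this file -- an unlimited LOG here lets any remote host fill the syslog
# at line rate -- and then drop it.
"$IPTABLES" -A bad_tcp_packets -p tcp ! --syn -m state --state NEW \
    -m limit --limit 3/minute --limit-burst 3 -j LOG \
    --log-prefix "New not syn:"
"$IPTABLES" -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP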
|
179 |
|
180 | #
|
181 | # allowed chain
|
182 | #
|
183 |
|
# "allowed" is reached from tcp_packets for a permitted destination port.
# Let through the connection opener (a pure SYN) and anything conntrack
# already knows about; everything else -- a NEW packet without SYN that
# bad_tcp_packets did not already catch -- is dropped here.
"$IPTABLES" -A allowed -p TCP --syn -j ACCEPT
"$IPTABLES" -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
"$IPTABLES" -A allowed -p TCP -j DROP
|
187 |
|
188 | #
|
189 | # TCP rules
|
190 | #
|
191 |
|
# Services this host offers.  Each port hands off to "allowed", which only
# passes the SYN and conntrack-known packets.  There is no -i or -s
# restriction, so all four ports are reachable from the Internet as well as
# the LAN.  NOTE(review): ssh (22) in particular is usually worth limiting
# to known source addresses or to LAN_IFACE.  ftp (21): passive-mode data
# connections only qualify as RELATED in "allowed" if ip_conntrack_ftp
# (commented out in 2.2) is loaded -- confirm before relying on it.
# 80 is http, 113 is ident/auth.
for svc_port in 21 22 80 113; do
    "$IPTABLES" -A tcp_packets -p TCP -s 0/0 --dport "$svc_port" -j allowed
done
|
196 |
|
197 | #
|
198 | # UDP ports
|
199 | #
|
200 |
|
# Every rule in this chain matches on the SOURCE port only: a datagram
# whose source port is 2074 or 4000 is accepted whatever its destination
# port.  The sender picks its own source port, so this is effectively a
# bypass of the DROP policy for every UDP service running on the firewall.
# Replies to the host's own queries are already covered by the
# ESTABLISHED,RELATED rule in INPUT; keep these only for applications that
# genuinely need unsolicited inbound UDP.  NOTE(review): add --dport and/or
# -s restrictions if the application allows it.  The DNS (53) and NTP (123)
# variants below are disabled; the same caveat applies if enabled.
#$IPTABLES -A udp_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT
#$IPTABLES -A udp_packets -p UDP -s 0/0 --source-port 123 -j ACCEPT
for udp_sport in 2074 4000; do
    "$IPTABLES" -A udp_packets -p UDP -s 0/0 --source-port "$udp_sport" -j ACCEPT
done

#
# In Microsoft Networks you will be swamped by broadcasts. These lines
# will prevent them from showing up in the logs (they would otherwise fall
# through to the rate-limited LOG rule in INPUT and the DROP policy).
#

#$IPTABLES -A udp_packets -p UDP -i $INET_IFACE -d $INET_BROADCAST \
#--destination-port 135:139 -j DROP

#
# If we get DHCP requests from the outside of our network, our logs will
# be swamped as well. This rule keeps them from being logged.
#

#$IPTABLES -A udp_packets -p UDP -i $INET_IFACE -d 255.255.255.255 \
#--destination-port 67:68 -j DROP
|
221 |
|
222 | #
|
223 | # ICMP rules
|
224 | #
|
225 |
|
# ICMP the host answers: type 8 = echo request (anyone may ping the
# firewall; note there is no rate limit on this), type 11 = time exceeded
# (TTL-expiry notices, e.g. from traceroute).
for icmp_type in 8 11; do
    "$IPTABLES" -A icmp_packets -p ICMP -s 0/0 --icmp-type "$icmp_type" -j ACCEPT
done
|
228 |
|
229 | #
|
230 | # 4.1.4 INPUT chain
|
231 | #
|
232 |
|
233 | #
|
234 | # Bad TCP packets we don't want.
|
235 | #
|
236 |
|
# Sanity-check every TCP packet first (see bad_tcp_packets above).
"$IPTABLES" -A INPUT -p tcp -j bad_tcp_packets

#
# Rules for special networks not part of the Internet
#
# Loopback: accept whatever arrives on lo carrying one of this host's own
# addresses (localhost, the LAN-side address, the Internet-side address).
#

for local_src in "$LO_IP" "$LAN_IP" "$INET_IP"; do
    "$IPTABLES" -A INPUT -p ALL -i "$LO_IFACE" -s "$local_src" -j ACCEPT
done

#
# Rules for incoming packets from anywhere.
#
# Replies to connections this host opened are accepted wholesale, but only
# when addressed to INET_IP; traffic to LAN_IP has to qualify through the
# per-protocol chains instead (for TCP, "allowed" carries its own
# ESTABLISHED,RELATED match).  The per-protocol chains are not restricted
# by interface, so the ports they open are reachable from the Internet and
# the LAN alike.
#

"$IPTABLES" -A INPUT -p ALL -d "$INET_IP" -m state --state ESTABLISHED,RELATED \
    -j ACCEPT
for proto_chain in TCP:tcp_packets UDP:udp_packets ICMP:icmp_packets; do
    "$IPTABLES" -A INPUT -p "${proto_chain%%:*}" -j "${proto_chain#*:}"
done

#
# If you have a Microsoft Network on the outside of your firewall, you may
# also get flooded by Multicasts. We drop them so we do not get flooded by
# logs.  (224.0.0.0/8 is only the first slice of the multicast range;
# 224.0.0.0/4 covers all of it.)
#

#$IPTABLES -A INPUT -i $INET_IFACE -d 224.0.0.0/8 -j DROP

#
# Log weird packets that don't match the above.  Rate-limited so a flood
# of unwanted packets cannot exhaust the log; whatever is not logged still
# hits the DROP policy.
#

"$IPTABLES" -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
    --log-level DEBUG --log-prefix "IPT INPUT packet died: "
|
271 |
|
272 | #
|
273 | # 4.1.5 FORWARD chain
|
274 | #
|
275 |
|
276 | #
|
277 | # Bad TCP packets we don't want
|
278 | #
|
279 |
|
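# Sanity-check every forwarded TCP packet first.
"$IPTABLES" -A FORWARD -p tcp -j bad_tcp_packets

#
# Accept the packets we actually want to forward
#
# Only connections opened from the LAN side, only to FTP (21), HTTP (80)
# and POP3 (110), and only from a source address inside LAN_IP_RANGE.  The
# interface match on its own forwards anything injected on LAN_IFACE with
# a spoofed source; LAN_IP_RANGE is configured in section 1.2 for exactly
# this purpose.  FTP through NAT additionally needs the ip_conntrack_ftp /
# ip_nat_ftp helpers from 2.2 for the data connection to be tracked as
# RELATED -- confirm before relying on it.
#

for fwd_port in 21 80 110; do
    "$IPTABLES" -A FORWARD -p tcp -s "$LAN_IP_RANGE" -i "$LAN_IFACE" \
        --dport "$fwd_port" -j ACCEPT
done
# Both directions of connections conntrack already knows about.
"$IPTABLES" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

#
# Log weird packets that don't match the above (rate-limited; the DROP
# policy takes care of the packet itself).
#

"$IPTABLES" -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \
    --log-level DEBUG --log-prefix "IPT FORWARD packet died: "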
|
297 |
|
298 | #
|
299 | # 4.1.6 OUTPUT chain
|
300 | #
|
301 |
|
302 | #
|
303 | # Bad TCP packets we don't want.
|
304 | #
|
305 |
|
# Sanity-check locally generated TCP as well.
"$IPTABLES" -A OUTPUT -p tcp -j bad_tcp_packets

#
# Special OUTPUT rules to decide which IP's to allow.
#
# Anything this host sends from one of its own addresses may leave; a
# locally generated packet with any other source address falls through to
# the log rule and the DROP policy.
#

for own_addr in "$LO_IP" "$LAN_IP" "$INET_IP"; do
    "$IPTABLES" -A OUTPUT -p ALL -s "$own_addr" -j ACCEPT
done

#
# Log weird packets that don't match the above (rate-limited).
#

"$IPTABLES" -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
    --log-level DEBUG --log-prefix "IPT OUTPUT packet died: "
|
322 |
|
323 | ######
|
324 | # 4.2 nat table
|
325 | #
|
326 |
|
327 | #
|
328 | # 4.2.1 Set policies
|
329 | #
|
330 |
|
331 | #
|
332 | # 4.2.2 Create user specified chains
|
333 | #
|
334 |
|
335 | #
|
336 | # 4.2.3 Create content in user specified chains
|
337 | #
|
338 |
|
339 | #
|
340 | # 4.2.4 PREROUTING chain
|
341 | #
|
342 |
|
343 | #
|
344 | # 4.2.5 POSTROUTING chain
|
345 | #
|
346 |
|
347 | #
|
348 | # Enable simple IP Forwarding and Network Address Translation
|
349 | #
|
350 |
|
# Rewrite the source address of everything leaving on INET_IFACE to
# INET_IP: forwarded LAN traffic admitted by FORWARD, plus anything the box
# itself sends out that interface from another of its addresses.  SNAT is
# right for a fixed address; with a dynamic one (DHCP/PPPoE, 1.1.1/1.1.2)
# use MASQUERADE instead and load ipt_MASQUERADE from 2.2.
"$IPTABLES" -t nat -A POSTROUTING -o "$INET_IFACE" -j SNAT --to-source "$INET_IP"
|
352 |
|
353 | #
|
354 | # 4.2.6 OUTPUT chain
|
355 | #
|
356 |
|
357 | ######
|
358 | # 4.3 mangle table
|
359 | #
|
360 |
|
361 | #
|
362 | # 4.3.1 Set policies
|
363 | #
|
364 |
|
365 | #
|
366 | # 4.3.2 Create user specified chains
|
367 | #
|
368 |
|
369 | #
|
370 | # 4.3.3 Create content in user specified chains
|
371 | #
|
372 |
|
373 | #
|
374 | # 4.3.4 PREROUTING chain
|
375 | #
|
376 |
|
377 | #
|
378 | # 4.3.5 INPUT chain
|
379 | #
|
380 |
|
381 | #
|
382 | # 4.3.6 FORWARD chain
|
383 | #
|
384 |
|
385 | #
|
386 | # 4.3.7 OUTPUT chain
|
387 | #
|
388 |
|
389 | #
|
390 | # 4.3.8 POSTROUTING chain
|
391 | #
|