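#!/bin/sh
#
# rc.firewall - Initial SIMPLE IP Firewall script for Linux 2.4.x and iptables
#
# Copyright (C) 2001  Oskar Andreasson <bluefluxATkoffeinDOTnet>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; version 2 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program or from the site that you downloaded it
# from; if not, write to the Free Software Foundation, Inc., 59 Temple
# Place, Suite 330, Boston, MA  02111-1307   USA
#
# Usage: run as root at boot, or re-run after editing section 1.
# The script is safe to re-run: it sets DROP policies first, flushes the
# previous rule set, rebuilds it, and only switches IP forwarding on once
# the FORWARD rules are in place (fail closed while the rules are rebuilt).
#

###########################################################################
#
# 1. Configuration options.
#

#
# 1.1 Internet Configuration.
#

INET_IP="194.236.50.155"
INET_IFACE="eth0"
INET_BROADCAST="194.236.50.255"

#
# 1.1.1 DHCP
#

#
# 1.1.2 PPPoE
#

#
# 1.2 Local Area Network configuration.
#
# your LAN's IP range and localhost IP. /16 means to only use the first 16
# bits of the 32 bit IP address, the same as netmask 255.255.0.0. Use /24
# (netmask 255.255.255.0) if your LAN is a single class-C sized network.
#

LAN_IP="192.168.0.2"
LAN_IP_RANGE="192.168.0.0/16"
LAN_IFACE="eth1"

#
# 1.3 DMZ Configuration.
#

#
# 1.4 Localhost Configuration.
#

LO_IFACE="lo"
LO_IP="127.0.0.1"

#
# 1.5 IPTables Configuration.
#

IPTABLES="/usr/sbin/iptables"

# Without a working iptables binary nothing below would take effect and the
# host would be left unprotected; stop loudly instead.
if [ ! -x "$IPTABLES" ]; then
  printf 'rc.firewall: %s is not executable\n' "$IPTABLES" >&2
  exit 1
fi

#
# 1.6 Other Configuration.
#

###########################################################################
#
# 2. Module loading.
#

#
# Needed to initially load modules
#

/sbin/depmod -a

#
# 2.1 Required modules
#
# A failing modprobe is not fatal here: on kernels where these are built in
# the module simply does not exist, and iptables still works.
#

/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state
# The bad_tcp_packets chain below uses "-j REJECT --reject-with tcp-reset",
# so the REJECT target is required, not optional.
/sbin/modprobe ipt_REJECT

#
# 2.2 Non-Required modules
#

#/sbin/modprobe ipt_owner
#/sbin/modprobe ipt_MASQUERADE
#/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc
#/sbin/modprobe ip_nat_ftp
#/sbin/modprobe ip_nat_irc

###########################################################################
#
# 3. /proc set up.
#

#
# 3.1 Required proc configuration
#
# Forwarding is switched OFF while the rule set is (re)built so that no
# packet can be routed through the box before the FORWARD chain is in
# place. It is switched on again in section 5, after all rules are loaded.
#

echo "0" > /proc/sys/net/ipv4/ip_forward

#
# 3.2 Non-Required proc configuration
#

#echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
#echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr

###########################################################################
#
# 4. rules set up.
#

######
# 4.1 Filter table
#

#
# 4.1.1 Set policies
#
# Policies go in BEFORE the old rules are flushed, so that the box drops
# everything (fail closed) during the short window between flush and rebuild.
#

"$IPTABLES" -P INPUT DROP
"$IPTABLES" -P OUTPUT DROP
"$IPTABLES" -P FORWARD DROP

#
# 4.1.1b Flush the previous rule set
#
# Without this, re-running the script fails on "-N" (chain already exists)
# and appends every rule a second time.
#

"$IPTABLES" -F
"$IPTABLES" -X
"$IPTABLES" -t nat -F
"$IPTABLES" -t nat -X
"$IPTABLES" -t mangle -F
"$IPTABLES" -t mangle -X

#
# 4.1.2 Create userspecified chains
#

#
# Create chain for bad tcp packets
#

"$IPTABLES" -N bad_tcp_packets

#
# Create separate chains for ICMP, TCP and UDP to traverse
#

"$IPTABLES" -N allowed
"$IPTABLES" -N tcp_packets
"$IPTABLES" -N udp_packets
"$IPTABLES" -N icmp_packets

#
# 4.1.3 Create content in userspecified chains
#

#
# bad_tcp_packets chain
#
# A NEW connection that is not a plain SYN is either a scan or a leftover
# of a connection the conntrack table no longer knows about.
#

"$IPTABLES" -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK \
  -m state --state NEW -j REJECT --reject-with tcp-reset
"$IPTABLES" -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
  --log-prefix "New not syn:"
"$IPTABLES" -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

#
# allowed chain
#

"$IPTABLES" -A allowed -p TCP --syn -j ACCEPT
"$IPTABLES" -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
"$IPTABLES" -A allowed -p TCP -j DROP

#
# TCP rules
#
# Services reachable from the Internet: 21 FTP control, 22 SSH, 80 HTTP,
# 113 ident. Remove the ones this host does not run.
#

"$IPTABLES" -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed
"$IPTABLES" -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed
"$IPTABLES" -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
"$IPTABLES" -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed

#
# UDP ports
#
# 2074 and 4000 are kept from the original configuration; adjust to the
# UDP services this host actually offers.
#

#"$IPTABLES" -A udp_packets -p UDP -s 0/0 --destination-port 53 -j ACCEPT
#"$IPTABLES" -A udp_packets -p UDP -s 0/0 --destination-port 123 -j ACCEPT
"$IPTABLES" -A udp_packets -p UDP -s 0/0 --destination-port 2074 -j ACCEPT
"$IPTABLES" -A udp_packets -p UDP -s 0/0 --destination-port 4000 -j ACCEPT

#
# In Microsoft Networks you will be swamped by broadcasts. These lines
# will prevent them from showing up in the logs.
#

#"$IPTABLES" -A udp_packets -p UDP -i "$INET_IFACE" -d "$INET_BROADCAST" \
#  --destination-port 135:139 -j DROP

#
# If we get DHCP requests from the Outside of our network, our logs will
# be swamped as well. This rule will block them from getting logged.
#

#"$IPTABLES" -A udp_packets -p UDP -i "$INET_IFACE" -d 255.255.255.255 \
#  --destination-port 67:68 -j DROP

#
# ICMP rules
#
# Type 8 = echo request (ping), type 11 = time exceeded (traceroute
# replies and path problems).
#

"$IPTABLES" -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
"$IPTABLES" -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

#
# 4.1.4 INPUT chain
#

#
# Bad TCP packets we don't want.
#

"$IPTABLES" -A INPUT -p tcp -j bad_tcp_packets

#
# Rules for special networks not part of the Internet
#

"$IPTABLES" -A INPUT -p ALL -i "$LAN_IFACE" -s "$LAN_IP_RANGE" -j ACCEPT
"$IPTABLES" -A INPUT -p ALL -i "$LO_IFACE" -s "$LO_IP" -j ACCEPT
"$IPTABLES" -A INPUT -p ALL -i "$LO_IFACE" -s "$LAN_IP" -j ACCEPT
"$IPTABLES" -A INPUT -p ALL -i "$LO_IFACE" -s "$INET_IP" -j ACCEPT

#
# Special rule for DHCP requests from LAN, which are not caught properly
# otherwise.
#

"$IPTABLES" -A INPUT -p UDP -i "$LAN_IFACE" --dport 67 --sport 68 -j ACCEPT

#
# Rules for incoming packets from the internet.
#

"$IPTABLES" -A INPUT -p ALL -d "$INET_IP" -m state --state ESTABLISHED,RELATED \
  -j ACCEPT
"$IPTABLES" -A INPUT -p TCP -i "$INET_IFACE" -j tcp_packets
"$IPTABLES" -A INPUT -p UDP -i "$INET_IFACE" -j udp_packets
"$IPTABLES" -A INPUT -p ICMP -i "$INET_IFACE" -j icmp_packets

#
# If you have a Microsoft Network on the outside of your firewall, you may
# also get flooded by Multicasts. We drop them so we do not get flooded by
# logs
#

#"$IPTABLES" -A INPUT -i "$INET_IFACE" -d 224.0.0.0/8 -j DROP

#
# Log weird packets that don't match the above.
#

"$IPTABLES" -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
  --log-level DEBUG --log-prefix "IPT INPUT packet died: "

#
# 4.1.5 FORWARD chain
#

#
# Bad TCP packets we don't want
#

"$IPTABLES" -A FORWARD -p tcp -j bad_tcp_packets

#
# Accept the packets we actually want to forward
#
# The LAN rule checks the source address as well as the interface, the same
# way the INPUT rule for the LAN does, so a host on the LAN cannot forward
# packets with a forged (non-LAN) source through the box.
#

"$IPTABLES" -A FORWARD -i "$LAN_IFACE" -s "$LAN_IP_RANGE" -j ACCEPT
"$IPTABLES" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

#
# Log weird packets that don't match the above.
#

"$IPTABLES" -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \
  --log-level DEBUG --log-prefix "IPT FORWARD packet died: "

#
# 4.1.6 OUTPUT chain
#

#
# Bad TCP packets we don't want.
#

"$IPTABLES" -A OUTPUT -p tcp -j bad_tcp_packets

#
# Special OUTPUT rules to decide which IP's to allow.
#

"$IPTABLES" -A OUTPUT -p ALL -s "$LO_IP" -j ACCEPT
"$IPTABLES" -A OUTPUT -p ALL -s "$LAN_IP" -j ACCEPT
"$IPTABLES" -A OUTPUT -p ALL -s "$INET_IP" -j ACCEPT

#
# Log weird packets that don't match the above.
#

"$IPTABLES" -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
  --log-level DEBUG --log-prefix "IPT OUTPUT packet died: "

######
# 4.2 nat table
#

#
# 4.2.1 Set policies
#

#
# 4.2.2 Create user specified chains
#

#
# 4.2.3 Create content in user specified chains
#

#
# 4.2.4 PREROUTING chain
#

#
# 4.2.5 POSTROUTING chain
#

#
# Enable simple IP Forwarding and Network Address Translation
#

"$IPTABLES" -t nat -A POSTROUTING -o "$INET_IFACE" -j SNAT --to-source "$INET_IP"

#
# 4.2.6 OUTPUT chain
#

######
# 4.3 mangle table
#

#
# 4.3.1 Set policies
#

#
# 4.3.2 Create user specified chains
#

#
# 4.3.3 Create content in user specified chains
#

#
# 4.3.4 PREROUTING chain
#

#
# 4.3.5 INPUT chain
#

#
# 4.3.6 FORWARD chain
#

#
# 4.3.7 OUTPUT chain
#

#
# 4.3.8 POSTROUTING chain
#

###########################################################################
#
# 5. Enable forwarding.
#
# Done last, after the FORWARD policy and rules above are loaded.
#

echo "1" > /proc/sys/net/ipv4/ip_forward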