rc.DHCP.firewall.txt

rc.DHCP.firewall.txt - via SergeniuS, 05/01/2011 06:17 am


 
1
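#!/bin/sh
#
# rc.firewall - DHCP IP Firewall script for Linux 2.4.x and iptables
#
# Copyright (C) 2001  Oskar Andreasson <bluefluxATkoffeinDOTnet>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; version 2 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program or from the site that you downloaded it
# from; if not, write to the Free Software Foundation, Inc., 59 Temple
# Place, Suite 330, Boston, MA  02111-1307   USA
#
# Review notes - what differs from the tutorial original, and why:
#
#  * Existing rules and user chains are flushed right after the DROP
#    policies are set, so the script can be re-run: previously a second run
#    failed on "-N" (chains already exist) and appended duplicate rules.
#  * ip_forward is enabled LAST (section 5).  The original switched
#    forwarding on before the FORWARD policy was set to DROP, leaving a
#    window in which a fresh table's default ACCEPT policy forwarded
#    everything.
#  * The "accept any UDP packet whose source port is 53/2074/4000" rules
#    are disabled.  INPUT accepts ESTABLISHED,RELATED traffic before
#    udp_packets is reached, so legitimate replies get in anyway; those
#    rules only ever matched unsolicited packets from a sender who chose
#    the source port himself, i.e. they exposed every UDP service.
#  * FORWARD from LAN_IFACE is restricted to LAN_IP_RANGE, matching the
#    INPUT rule, so a LAN host cannot route packets with a foreign source
#    address through the box.
#  * ipt_REJECT is loaded unconditionally: bad_tcp_packets uses
#    "-j REJECT --reject-with tcp-reset" and that rule fails to load when
#    module autoloading is unavailable.
#  * POSIX "[ ... = ... ]" with quoted variables instead of the bash-only
#    "==" under #!/bin/sh.
#
# NOTE(review): "-m state" is the 2.4-era match; on current kernels use
# "-m conntrack --ctstate" and the nf_* module names.  Not changed here to
# keep the script usable on the kernels it was written for.

###########################################################################
#
# 1. Configuration options.
#

#
# 1.1 Internet Configuration.
#

INET_IFACE="eth0"

#
# 1.1.1 DHCP
#

#
# Information pertaining to DHCP over the Internet, if needed.
#
# Set DHCP to "no" if you do not get your IP from DHCP.  If you get DHCP
# over the Internet set it to "yes" and put your ISP's DHCP server in
# DHCP_SERVER: only packets from exactly that address (sport 67 -> dport 68)
# are let in.  The address below is a placeholder inherited from the
# tutorial and must be replaced with your provider's server.
#

DHCP="no"
DHCP_SERVER="195.22.90.65"

#
# 1.1.2 PPPoE
#

# Configuration options pertaining to PPPoE.
#
# If you have problem with your PPPoE connection, such as large mails not
# getting through while small mail get through properly etc, you may set
# this option to "yes" which may fix the problem. This option will set a
# rule in the PREROUTING chain of the mangle table which will clamp
# (resize) all routed packets to PMTU (Path Maximum Transmit Unit).
#
# Note that it is better to set this up in the PPPoE package itself, since
# the PPPoE configuration option will give less overhead.
#

PPPOE_PMTU="no"

#
# 1.2 Local Area Network configuration.
#
# LAN_IP is this box's own address on the LAN side; LAN_IP_RANGE is the
# prefix accepted on LAN_IFACE.  The suffix is the number of leading bits
# that must match: /24 equals netmask 255.255.255.0, /16 equals
# 255.255.0.0.  The default /16 admits all of 192.168.0.0-192.168.255.255;
# narrow it to the prefix you actually use (e.g. 192.168.0.0/24) so that
# fewer spoofed source addresses are accepted on the inside interface.
#

LAN_IP="192.168.0.2"
LAN_IP_RANGE="192.168.0.0/16"
LAN_IFACE="eth1"

#
# 1.3 DMZ Configuration.
#

#
# 1.4 Localhost Configuration.
#

LO_IFACE="lo"
LO_IP="127.0.0.1"

#
# 1.5 IPTables Configuration.
#

IPTABLES="/usr/sbin/iptables"

#
# 1.6 Other Configuration.
#

###########################################################################
#
# 2. Module loading.
#

#
# Needed to initially load modules
#

/sbin/depmod -a

#
# 2.1 Required modules
#
# Modern kernels autoload most of these on first use and some have been
# renamed (ip_conntrack -> nf_conntrack), so a failed modprobe is not
# fatal here; but if a rule below errors with "No chain/target/match",
# a module really is missing.
#

/sbin/modprobe ip_conntrack
/sbin/modprobe ip_tables
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_MASQUERADE
# bad_tcp_packets uses "-j REJECT --reject-with tcp-reset"; without this
# module that rule does not load and the chain silently lacks it.
/sbin/modprobe ipt_REJECT

#
# 2.2 Non-Required modules
#

#/sbin/modprobe ipt_owner
#/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc
#/sbin/modprobe ip_nat_ftp
#/sbin/modprobe ip_nat_irc

###########################################################################
#
# 3. /proc set up.
#

#
# 3.1 Required proc configuration
#
# ip_forward is deliberately NOT enabled here.  It is switched on at the
# very end (section 5), once the FORWARD policy is DROP and the rules are
# loaded, so there is no window in which the kernel forwards unfiltered.
#

#
# 3.2 Non-Required proc configuration
#
# rp_filter discards packets whose source address would not be routed back
# out of the interface they arrived on (basic anti-spoofing).  Worth
# enabling unless you depend on asymmetric routing.
#

#echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
#echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr

###########################################################################
#
# 4. rules set up.
#

######
# 4.1 Filter table
#

#
# 4.1.1 Set policies
#
# Policies go to DROP first so the flush below never leaves the box open,
# then every table is emptied so that a re-run starts from a clean slate
# ("-X" only deletes user chains that are empty, hence "-F" first).
#

"$IPTABLES" -P INPUT DROP
"$IPTABLES" -P OUTPUT DROP
"$IPTABLES" -P FORWARD DROP

"$IPTABLES" -F
"$IPTABLES" -X
"$IPTABLES" -t nat -F
"$IPTABLES" -t nat -X
"$IPTABLES" -t mangle -F
"$IPTABLES" -t mangle -X

#
# 4.1.2 Create userspecified chains
#

#
# Create chain for bad tcp packets
#

"$IPTABLES" -N bad_tcp_packets

#
# Create separate chains for ICMP, TCP and UDP to traverse
#

"$IPTABLES" -N allowed
"$IPTABLES" -N tcp_packets
"$IPTABLES" -N udp_packets
"$IPTABLES" -N icmp_packets

#
# 4.1.3 Create content in userspecified chains
#

#
# bad_tcp_packets chain
#
# A SYN,ACK that conntrack considers NEW belongs to no connection of ours
# (typically the tail of a spoofed scan); answering with a RST avoids the
# other end retrying.  Any other NEW packet without SYN is logged and
# dropped.
#

"$IPTABLES" -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK \
  -m state --state NEW -j REJECT --reject-with tcp-reset
"$IPTABLES" -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
  --log-prefix "New not syn:"
"$IPTABLES" -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

#
# allowed chain
#
# Reached only for the ports listed in tcp_packets: a SYN opens the
# connection, tracked packets continue, everything else is dropped.
#

"$IPTABLES" -A allowed -p TCP --syn -j ACCEPT
"$IPTABLES" -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
"$IPTABLES" -A allowed -p TCP -j DROP

#
# TCP rules
#
# Services reachable from the Internet.  These are the tutorial's examples;
# remove every port you do not actually serve (21/FTP in particular is a
# cleartext protocol, and active FTP also needs ip_conntrack_ftp from 2.2).
#

"$IPTABLES" -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed
"$IPTABLES" -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed
"$IPTABLES" -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
"$IPTABLES" -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed

#
# UDP ports
#
# Replies to our own DNS/NTP/... queries are accepted by the
# ESTABLISHED,RELATED rule in INPUT before this chain is reached.  A rule
# like "-s 0/0 --source-port N -j ACCEPT" therefore only ever matches
# *unsolicited* packets - i.e. a remote sender who picked source port N to
# reach any UDP service on this box.  Such rules are disabled; if you really
# need one, pin it to the remote server's address AND the local port.
#
# DHCP replies are the exception: the initial offer is not part of a
# tracked flow, so it is accepted explicitly, and only from DHCP_SERVER.
#

if [ "$DHCP" = "yes" ] ; then
  "$IPTABLES" -A udp_packets -p UDP -s "$DHCP_SERVER" --sport 67 \
    --dport 68 -j ACCEPT
fi

#"$IPTABLES" -A udp_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT
#"$IPTABLES" -A udp_packets -p UDP -s 0/0 --source-port 123 -j ACCEPT
#"$IPTABLES" -A udp_packets -p UDP -s 0/0 --source-port 2074 -j ACCEPT
#"$IPTABLES" -A udp_packets -p UDP -s 0/0 --source-port 4000 -j ACCEPT

#
# In Microsoft Networks you will be swamped by broadcasts. These lines
# will prevent them from showing up in the logs.
#

#"$IPTABLES" -A udp_packets -p UDP -i "$INET_IFACE" \
#  --destination-port 135:139 -j DROP

#
# If we get DHCP requests from the Outside of our network, our logs will
# be swamped as well. This rule will block them from getting logged.
#

#"$IPTABLES" -A udp_packets -p UDP -i "$INET_IFACE" -d 255.255.255.255 \
#  --destination-port 67:68 -j DROP

#
# ICMP rules
#
# Echo request (8) and time exceeded (11) are accepted from anywhere.
# Destination-unreachable (3) for our own flows arrives as RELATED and is
# already accepted in INPUT, so it needs no rule here.  Add "-m limit" to
# the echo rule if you want to cap ping floods.
#

"$IPTABLES" -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
"$IPTABLES" -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

#
# 4.1.4 INPUT chain
#

#
# Bad TCP packets we don't want.
#

"$IPTABLES" -A INPUT -p tcp -j bad_tcp_packets

#
# Rules for special networks not part of the Internet
#

"$IPTABLES" -A INPUT -p ALL -i "$LAN_IFACE" -s "$LAN_IP_RANGE" -j ACCEPT
"$IPTABLES" -A INPUT -p ALL -i "$LO_IFACE" -j ACCEPT

#
# Special rule for DHCP requests from LAN, which are not caught properly
# otherwise (a DISCOVER is sent from source 0.0.0.0, which is outside
# LAN_IP_RANGE).
#

"$IPTABLES" -A INPUT -p UDP -i "$LAN_IFACE" --dport 67 --sport 68 -j ACCEPT

#
# Rules for incoming packets from the internet.
#
# Tracked traffic first, then NEW packets are dispatched per protocol.
#

"$IPTABLES" -A INPUT -p ALL -i "$INET_IFACE" -m state --state ESTABLISHED,RELATED \
  -j ACCEPT
"$IPTABLES" -A INPUT -p TCP -i "$INET_IFACE" -j tcp_packets
"$IPTABLES" -A INPUT -p UDP -i "$INET_IFACE" -j udp_packets
"$IPTABLES" -A INPUT -p ICMP -i "$INET_IFACE" -j icmp_packets

#
# If you have a Microsoft Network on the outside of your firewall, you may
# also get flooded by Multicasts. We drop them so we do not get flooded by
# logs
#

#"$IPTABLES" -A INPUT -i "$INET_IFACE" -d 224.0.0.0/8 -j DROP

#
# Log weird packets that don't match the above (rate-limited so a flood
# cannot fill the log); the DROP policy then discards them.
#

"$IPTABLES" -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
  --log-level DEBUG --log-prefix "IPT INPUT packet died: "

#
# 4.1.5 FORWARD chain
#

#
# Bad TCP packets we don't want
#

"$IPTABLES" -A FORWARD -p tcp -j bad_tcp_packets

#
# Accept the packets we actually want to forward
#
# Only packets that really carry a LAN source address are routed out; the
# interface match alone would let a LAN host forward spoofed packets.
#

"$IPTABLES" -A FORWARD -i "$LAN_IFACE" -s "$LAN_IP_RANGE" -j ACCEPT
"$IPTABLES" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

#
# Log weird packets that don't match the above.
#

"$IPTABLES" -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \
  --log-level DEBUG --log-prefix "IPT FORWARD packet died: "

#
# 4.1.6 OUTPUT chain
#

#
# Bad TCP packets we don't want.
#

"$IPTABLES" -A OUTPUT -p tcp -j bad_tcp_packets

#
# Special OUTPUT rules to decide which IP's to allow.
#

"$IPTABLES" -A OUTPUT -p ALL -s "$LO_IP" -j ACCEPT
"$IPTABLES" -A OUTPUT -p ALL -s "$LAN_IP" -j ACCEPT
"$IPTABLES" -A OUTPUT -p ALL -o "$INET_IFACE" -j ACCEPT

#
# Log weird packets that don't match the above.
#

"$IPTABLES" -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
  --log-level DEBUG --log-prefix "IPT OUTPUT packet died: "

######
# 4.2 nat table
#

#
# 4.2.1 Set policies
#

#
# 4.2.2 Create user specified chains
#

#
# 4.2.3 Create content in user specified chains
#

#
# 4.2.4 PREROUTING chain
#

#
# 4.2.5 POSTROUTING chain
#

if [ "$PPPOE_PMTU" = "yes" ] ; then
  "$IPTABLES" -t nat -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN \
    -j TCPMSS --clamp-mss-to-pmtu
fi
"$IPTABLES" -t nat -A POSTROUTING -o "$INET_IFACE" -j MASQUERADE

#
# 4.2.6 OUTPUT chain
#

######
# 4.3 mangle table
#

#
# 4.3.1 Set policies
#

#
# 4.3.2 Create user specified chains
#

#
# 4.3.3 Create content in user specified chains
#

#
# 4.3.4 PREROUTING chain
#

#
# 4.3.5 INPUT chain
#

#
# 4.3.6 FORWARD chain
#

#
# 4.3.7 OUTPUT chain
#

#
# 4.3.8 POSTROUTING chain
#

###########################################################################
#
# 5. Enable forwarding.
#
# Done last, once the FORWARD policy is DROP and all rules are in place
# (see 3.1 for why this is not done earlier).
#

echo "1" > /proc/sys/net/ipv4/ip_forward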