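#!/bin/sh
#
# rc.DMZ.firewall - DMZ IP Firewall script for Linux 2.4.x and iptables
#
# Copyright (C) 2001  Oskar Andreasson <bluefluxATkoffeinDOTnet>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; version 2 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program or from the site that you downloaded it
# from; if not, write to the Free Software Foundation, Inc., 59 Temple
# Place, Suite 330, Boston, MA  02111-1307   USA
#
# Usage: run as root (e.g. from the init scripts). The script is safe to
# re-run: the default policies are set to DROP first, then every existing
# rule and user chain is flushed before the rule set is rebuilt, so a second
# run neither duplicates rules nor fails on chains that already exist.
#
# Topology the rules below assume:
#   INET_IFACE - public side; the firewall itself answers on INET_IP, and
#                HTTP_IP / DNS_IP are DNATed to the corresponding DMZ hosts
#   LAN_IFACE  - trusted LAN; firewall address LAN_IP
#   DMZ_IFACE  - DMZ; firewall address DMZ_IP, hosting DMZ_HTTP_IP and
#                DMZ_DNS_IP
#

# A reference to an unset variable is a configuration error; abort instead
# of silently expanding it to nothing and building a rule that was never
# intended.
set -u

###########################################################################
#
# 1. Configuration options.
#

#
# 1.1 Internet Configuration.
#

INET_IP="194.236.50.152"
HTTP_IP="194.236.50.153"
DNS_IP="194.236.50.154"
INET_IFACE="eth0"

#
# 1.1.1 DHCP
#

#
# 1.1.2 PPPoE
#

#
# 1.2 Local Area Network configuration.
#
# your LAN's IP range and localhost IP. /24 means to only use the first 24
# bits of the 32 bit IP address. the same as netmask 255.255.255.0
#

LAN_IP="192.168.0.1"
LAN_IFACE="eth1"

#
# 1.3 DMZ Configuration.
#

DMZ_HTTP_IP="192.168.1.2"
DMZ_DNS_IP="192.168.1.3"
DMZ_IP="192.168.1.1"
DMZ_IFACE="eth2"

#
# 1.4 Localhost Configuration.
#

LO_IFACE="lo"
LO_IP="127.0.0.1"

#
# 1.5 IPTables Configuration.
#

IPTABLES="/usr/sbin/iptables"

# Without this check every rule below would fail one by one with an
# unhelpful "not found" and the box would be left without any filtering.
if [ ! -x "$IPTABLES" ]; then
  echo "rc.DMZ.firewall: $IPTABLES is missing or not executable" >&2
  exit 1
fi

#
# 1.6 Other Configuration.
#

###########################################################################
#
# 2. Module loading.
#

#
# Needed to initially load modules
#
/sbin/depmod -a

#
# 2.1 Required modules
#
# A failing modprobe is deliberately not fatal: on a kernel where the
# feature is built in rather than modular the module does not exist, yet
# the rules below still work.
#

/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state

#
# 2.2 Non-Required modules
#

#/sbin/modprobe ipt_owner
#/sbin/modprobe ipt_REJECT
#/sbin/modprobe ipt_MASQUERADE
#/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc
#/sbin/modprobe ip_nat_ftp
#/sbin/modprobe ip_nat_irc

###########################################################################
#
# 3. /proc set up.
#

#
# 3.1 Required proc configuration
#
# Routing between the three interfaces is what this box is for.
#

echo "1" > /proc/sys/net/ipv4/ip_forward

#
# 3.2 Non-Required proc configuration
#
# rp_filter drops packets whose source address would not be routed back
# out the interface they arrived on (a cheap anti-spoofing check); leave it
# off only if you have asymmetric routes.
#

#echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
#echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr

###########################################################################
#
# 4. rules set up.
#

######
# 4.1 Filter table
#

#
# 4.1.1 Set policies
#
# Default-deny on every built-in chain; anything not explicitly accepted
# below is logged (rate limited) and dropped.
#

"$IPTABLES" -P INPUT DROP
"$IPTABLES" -P OUTPUT DROP
"$IPTABLES" -P FORWARD DROP

#
# 4.1.2 Flush any previous rule set
#
# Done only after the DROP policies are in place so that there is never a
# window in which the box accepts or forwards everything while the rules
# are being rebuilt. -X removes only empty user chains, hence -F first.
#

for table in filter nat mangle; do
  "$IPTABLES" -t "$table" -F
  "$IPTABLES" -t "$table" -X
done

#
# 4.1.3 Create userspecified chains
#

#
# Create chain for bad tcp packets
#

"$IPTABLES" -N bad_tcp_packets

#
# Create separate chains for ICMP, TCP and UDP to traverse
#

"$IPTABLES" -N allowed
"$IPTABLES" -N icmp_packets

#
# 4.1.4 Create content in userspecified chains
#

#
# bad_tcp_packets chain
#
# A SYN,ACK that conntrack has never seen the SYN for is answered with a
# reset (so the peer tears its half-open state down); any other non-SYN
# packet that would open a NEW connection is logged and dropped.
#

"$IPTABLES" -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK \
  -m state --state NEW -j REJECT --reject-with tcp-reset
"$IPTABLES" -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
  --log-prefix "New not syn:"
"$IPTABLES" -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

#
# allowed chain
#
# Jumped to for TCP services that are opened on purpose: accept the opening
# SYN and everything belonging to an existing connection, drop the rest.
#

"$IPTABLES" -A allowed -p TCP --syn -j ACCEPT
"$IPTABLES" -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
"$IPTABLES" -A allowed -p TCP -j DROP

#
# ICMP rules
#
# Only echo request (8) and time exceeded (11) are accepted; every other
# ICMP type falls back into the calling chain and ends up logged/dropped.
#

"$IPTABLES" -A icmp_packets -p ICMP --icmp-type 8 -j ACCEPT
"$IPTABLES" -A icmp_packets -p ICMP --icmp-type 11 -j ACCEPT

#
# 4.1.5 INPUT chain
#

#
# Bad TCP packets we don't want
#

"$IPTABLES" -A INPUT -p tcp -j bad_tcp_packets

#
# Packets from the Internet to this box
#
# Note that this lets anyone on the Internet ping the firewall itself.
#

"$IPTABLES" -A INPUT -p ICMP -i "$INET_IFACE" -j icmp_packets

#
# Packets from LAN, DMZ or LOCALHOST
#

#
# From DMZ Interface to DMZ firewall IP
#

"$IPTABLES" -A INPUT -p ALL -i "$DMZ_IFACE" -d "$DMZ_IP" -j ACCEPT

#
# From LAN Interface to LAN firewall IP
#

"$IPTABLES" -A INPUT -p ALL -i "$LAN_IFACE" -d "$LAN_IP" -j ACCEPT

#
# From Localhost interface to Localhost IP's
#

"$IPTABLES" -A INPUT -p ALL -i "$LO_IFACE" -s "$LO_IP" -j ACCEPT
"$IPTABLES" -A INPUT -p ALL -i "$LO_IFACE" -s "$LAN_IP" -j ACCEPT
"$IPTABLES" -A INPUT -p ALL -i "$LO_IFACE" -s "$INET_IP" -j ACCEPT

#
# Special rule for DHCP requests from LAN, which are not caught properly
# otherwise.
#

"$IPTABLES" -A INPUT -p UDP -i "$LAN_IFACE" --dport 67 --sport 68 -j ACCEPT

#
# All established and related packets incoming from the internet to the
# firewall
#

"$IPTABLES" -A INPUT -p ALL -d "$INET_IP" -m state --state ESTABLISHED,RELATED \
  -j ACCEPT

#
# In Microsoft Networks you will be swamped by broadcasts. These lines
# will prevent them from showing up in the logs.
#

#"$IPTABLES" -A INPUT -p UDP -i "$INET_IFACE" -d "$INET_BROADCAST" \
#  --destination-port 135:139 -j DROP

#
# If we get DHCP requests from the Outside of our network, our logs will
# be swamped as well. This rule will block them from getting logged.
#

#"$IPTABLES" -A INPUT -p UDP -i "$INET_IFACE" -d 255.255.255.255 \
#  --destination-port 67:68 -j DROP

#
# If you have a Microsoft Network on the outside of your firewall, you may
# also get flooded by Multicasts. We drop them so we do not get flooded by
# logs
#

#"$IPTABLES" -A INPUT -i "$INET_IFACE" -d 224.0.0.0/8 -j DROP

#
# Log weird packets that don't match the above.
#
# Rate limited so that a flood cannot fill the logs; the DROP policy then
# takes care of the packet.
#

"$IPTABLES" -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
  --log-level DEBUG --log-prefix "IPT INPUT packet died: "

#
# 4.1.6 FORWARD chain
#

#
# Bad TCP packets we don't want
#

"$IPTABLES" -A FORWARD -p tcp -j bad_tcp_packets

#
# DMZ section
#
# General rules
#
# DMZ hosts may open connections towards the Internet without restriction,
# which is also the path a compromised DMZ host would use to reach out;
# narrow this to the ports the DMZ services actually need once known.
# Towards the LAN the DMZ only gets replies to connections the LAN opened.
#

"$IPTABLES" -A FORWARD -i "$DMZ_IFACE" -o "$INET_IFACE" -j ACCEPT
"$IPTABLES" -A FORWARD -i "$INET_IFACE" -o "$DMZ_IFACE" -m state \
  --state ESTABLISHED,RELATED -j ACCEPT
"$IPTABLES" -A FORWARD -i "$LAN_IFACE" -o "$DMZ_IFACE" -j ACCEPT
"$IPTABLES" -A FORWARD -i "$DMZ_IFACE" -o "$LAN_IFACE" -m state \
  --state ESTABLISHED,RELATED -j ACCEPT

#
# HTTP server
#
# The DNAT in 4.2.4 has already rewritten HTTP_IP to DMZ_HTTP_IP by the
# time the packet reaches FORWARD, so the DMZ address is matched here.
#

"$IPTABLES" -A FORWARD -p TCP -i "$INET_IFACE" -o "$DMZ_IFACE" -d "$DMZ_HTTP_IP" \
  --dport 80 -j allowed
"$IPTABLES" -A FORWARD -p ICMP -i "$INET_IFACE" -o "$DMZ_IFACE" -d "$DMZ_HTTP_IP" \
  -j icmp_packets

#
# DNS server
#

"$IPTABLES" -A FORWARD -p TCP -i "$INET_IFACE" -o "$DMZ_IFACE" -d "$DMZ_DNS_IP" \
  --dport 53 -j allowed
"$IPTABLES" -A FORWARD -p UDP -i "$INET_IFACE" -o "$DMZ_IFACE" -d "$DMZ_DNS_IP" \
  --dport 53 -j ACCEPT
"$IPTABLES" -A FORWARD -p ICMP -i "$INET_IFACE" -o "$DMZ_IFACE" -d "$DMZ_DNS_IP" \
  -j icmp_packets

#
# LAN section
#
# The LAN is trusted: anything it originates is forwarded anywhere.
#

"$IPTABLES" -A FORWARD -i "$LAN_IFACE" -j ACCEPT
"$IPTABLES" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

#
# Log weird packets that don't match the above.
#

"$IPTABLES" -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \
  --log-level DEBUG --log-prefix "IPT FORWARD packet died: "

#
# 4.1.7 OUTPUT chain
#

#
# Bad TCP packets we don't want.
#

"$IPTABLES" -A OUTPUT -p tcp -j bad_tcp_packets

#
# Special OUTPUT rules to decide which IP's to allow.
#

"$IPTABLES" -A OUTPUT -p ALL -s "$LO_IP" -j ACCEPT
"$IPTABLES" -A OUTPUT -p ALL -s "$LAN_IP" -j ACCEPT
"$IPTABLES" -A OUTPUT -p ALL -s "$INET_IP" -j ACCEPT

#
# Log weird packets that don't match the above.
#

"$IPTABLES" -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
  --log-level DEBUG --log-prefix "IPT OUTPUT packet died: "

######
# 4.2 nat table
#

#
# 4.2.1 Set policies
#

#
# 4.2.2 Create user specified chains
#

#
# 4.2.3 Create content in user specified chains
#

#
# 4.2.4 PREROUTING chain
#
# Publish the DMZ HTTP and DNS servers on their public addresses. Only the
# service ports are translated; everything else to HTTP_IP / DNS_IP still
# hits the DROP policies.
#

"$IPTABLES" -t nat -A PREROUTING -p TCP -i "$INET_IFACE" -d "$HTTP_IP" --dport 80 \
  -j DNAT --to-destination "$DMZ_HTTP_IP"
"$IPTABLES" -t nat -A PREROUTING -p TCP -i "$INET_IFACE" -d "$DNS_IP" --dport 53 \
  -j DNAT --to-destination "$DMZ_DNS_IP"
"$IPTABLES" -t nat -A PREROUTING -p UDP -i "$INET_IFACE" -d "$DNS_IP" --dport 53 \
  -j DNAT --to-destination "$DMZ_DNS_IP"

#
# 4.2.5 POSTROUTING chain
#

#
# Enable simple IP Forwarding and Network Address Translation
#
# Everything leaving on the public interface (LAN and DMZ originated
# connections alike) is rewritten to come from INET_IP.
#

"$IPTABLES" -t nat -A POSTROUTING -o "$INET_IFACE" -j SNAT --to-source "$INET_IP"

#
# 4.2.6 OUTPUT chain
#

######
# 4.3 mangle table
#

#
# 4.3.1 Set policies
#

#
# 4.3.2 Create user specified chains
#

#
# 4.3.3 Create content in user specified chains
#

#
# 4.3.4 PREROUTING chain
#

#
# 4.3.5 INPUT chain
#

#
# 4.3.6 FORWARD chain
#

#
# 4.3.7 OUTPUT chain
#

#
# 4.3.8 POSTROUTING chain
#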