#!/bin/sh
#
# rc.DMZ.firewall - DMZ IP Firewall script for Linux 2.4.x and iptables
#
# Copyright (C) 2001 Oskar Andreasson <bluefluxATkoffeinDOTnet>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; version 2 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program or from the site that you downloaded it
# from; if not, write to the Free Software Foundation, Inc., 59 Temple
# Place, Suite 330, Boston, MA 02111-1307 USA
#
# Topology this script assumes (see section 1): a three-legged firewall with
# the Internet on $INET_IFACE, the LAN on $LAN_IFACE and a DMZ on $DMZ_IFACE
# holding a public HTTP server and a public DNS server.  The servers are
# reached from the Internet through DNAT of two extra public addresses
# (section 4.2); LAN and DMZ clients leave through SNAT to $INET_IP.
# All three filter policies are DROP, so an error part-way through leaves the
# box closed rather than open.

###########################################################################
#
# 1. Configuration options.
#

#
# 1.1 Internet Configuration.
#

|
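INET_IP="194.236.50.152"
HTTP_IP="194.236.50.153"
DNS_IP="194.236.50.154"
INET_IFACE="eth0"
# Directed broadcast address of the Internet-side subnet.  The NetBIOS
# broadcast drop rule in 4.1.4 references $INET_BROADCAST but the original
# script never defined it.  The value below assumes a /24 on $INET_IFACE --
# confirm against the real netmask before enabling that rule.
INET_BROADCAST="194.236.50.255"

#
# 1.1.1 DHCP
#

#
# 1.1.2 PPPoE
#

#
# 1.2 Local Area Network configuration.
#
# your LAN's IP range and localhost IP. /24 means to only use the first 24
# bits of the 32 bit IP address. the same as netmask 255.255.255.0
#

LAN_IP="192.168.0.1"
LAN_IFACE="eth1"

#
# 1.3 DMZ Configuration.
#
# $DMZ_IP is the firewall's own address on the DMZ leg; the two *_HTTP_IP /
# *_DNS_IP pairs map a public address (1.1) to the private server it is
# DNATed to (4.2.4).
#

DMZ_HTTP_IP="192.168.1.2"
DMZ_DNS_IP="192.168.1.3"
DMZ_IP="192.168.1.1"
DMZ_IFACE="eth2"

#
# 1.4 Localhost Configuration.
#

LO_IFACE="lo"
LO_IP="127.0.0.1"

#
# 1.5 IPTables Configuration.
#
# Absolute path on purpose: this runs as root at boot with a minimal PATH.
#

IPTABLES="/usr/sbin/iptables"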
|

#
# 1.6 Other Configuration.
#

###########################################################################
#
# 2. Module loading.
#

#
# Needed to initially load modules
#
|
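/sbin/depmod -a

#
# 2.1 Required modules
#
# Everything the rules in section 4 actually use.  Missing modules do not
# abort the script (no set -e); an iptables rule that needs an absent match
# or target simply fails to load, so check the output of a first run.
#

/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state
# The bad_tcp_packets chain (4.1.3) uses "-j REJECT --reject-with tcp-reset",
# so the REJECT target is required, not optional.  Load it explicitly instead
# of relying on the kernel auto-loading it at rule insertion time.
/sbin/modprobe ipt_REJECT

#
# 2.2 Non-Required modules
#
# The conntrack/nat helpers widen what "RELATED" matches (they open the data
# connections negotiated inside FTP/IRC), so only load the ones you need.
#

#/sbin/modprobe ipt_owner
#/sbin/modprobe ipt_MASQUERADE
#/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc
#/sbin/modprobe ip_nat_ftp
#/sbin/modprobe ip_nat_irc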
|

###########################################################################
#
# 3. /proc set up.
#

#
# 3.1 Required proc configuration
#

|
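# Refuse to go on -- and in particular refuse to enable forwarding -- if the
# iptables binary configured in 1.5 is missing: with ip_forward=1 and no
# rules installed the box would become an open router.
if [ ! -x "$IPTABLES" ]; then
  echo "rc.DMZ.firewall: $IPTABLES not found or not executable, aborting" >&2
  exit 1
fi

# Make the FORWARD policy DROP *before* forwarding is switched on.  On a
# fresh boot the kernel default policy is ACCEPT, so enabling ip_forward
# first would forward unfiltered traffic between all three interfaces until
# section 4.1.1 runs.  (4.1.1 sets the same policy again; that is harmless.)
$IPTABLES -P FORWARD DROP
echo "1" > /proc/sys/net/ipv4/ip_forward

#
# 3.2 Non-Required proc configuration
#

# Reverse-path filtering drops packets whose source address would not be
# routed back out of the interface they arrived on -- the cheapest
# anti-spoofing control for a three-legged firewall with symmetric routes.
# Every per-interface flag is set, not just "all": on 2.4 the effective
# value combines the "all" flag with the interface's own flag.  Disable this
# again if you ever add asymmetric routes.
for rpf in /proc/sys/net/ipv4/conf/*/rp_filter; do
  echo "1" > "$rpf"
done
# Ignore source-routed packets and ICMP redirects on every interface.
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
# Do not answer echo requests sent to a broadcast address (smurf amplifier).
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# SYN cookies keep the firewall's own listeners reachable under a SYN flood.
echo "1" > /proc/sys/net/ipv4/tcp_syncookies

#echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr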
|

###########################################################################
#
# 4. rules set up.
#

######
# 4.1 Filter table
#

#
# 4.1.1 Set policies
#

|
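# Default-deny on all three chains.  Policies are set before the flush below
# so that a re-run of the script never passes through a permissive state.
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

# Start from an empty filter table.  Without this, re-running the script
# appends a second copy of every rule (rules deleted from the script keep
# matching in the kernel) and the "-N" calls below fail because the chains
# already exist.
$IPTABLES -F
$IPTABLES -X

#
# 4.1.2 Create userspecified chains
#

#
# Create chain for bad tcp packets
#

$IPTABLES -N bad_tcp_packets

#
# Create separate chains for ICMP, TCP and UDP to traverse
#

$IPTABLES -N allowed
$IPTABLES -N icmp_packets

#
# 4.1.3 Create content in userspecified chains
#

#
# bad_tcp_packets chain
#
# A NEW-state packet carrying SYN/ACK is an unsolicited reply -- typically the
# backscatter of a SYN flood spoofed with one of our addresses.  Answer with a
# RST so the peer drops its half-open entry (needs the REJECT target).
# Any other NEW packet without SYN is a stray or a stealth-scan probe: log it
# and drop it.  The LOG is rate-limited with the same limits as the
# "packet died" rules at the end of each chain so a scan cannot fill the log.
#

$IPTABLES -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK \
-m state --state NEW -j REJECT --reject-with tcp-reset
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW \
-m limit --limit 3/minute --limit-burst 3 -j LOG --log-prefix "New not syn:"
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

#
# allowed chain
#
# TCP that is either a fresh SYN or part of a tracked connection is accepted;
# anything else is dropped here rather than falling back to the caller.
#

$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP

#
# ICMP rules
#
# Only echo request (8) and time exceeded (11) are accepted unsolicited.
# Other types fall through back to the calling chain, where ICMP errors that
# belong to a tracked connection are still accepted as RELATED by the state
# rules.
#

$IPTABLES -A icmp_packets -p ICMP --icmp-type 8 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP --icmp-type 11 -j ACCEPT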
|

#
# 4.1.4 INPUT chain
#

#
# Bad TCP packets we don't want
#

|
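$IPTABLES -A INPUT -p tcp -j bad_tcp_packets

#
# Packets from the Internet to this box
#
# Only the ICMP types allowed by icmp_packets are accepted unsolicited;
# everything else from the Internet must belong to a connection the
# firewall itself opened (state rule further down).
#

$IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets

#
# Packets from LAN, DMZ or LOCALHOST
#

#
# From DMZ Interface to DMZ firewall IP
#
# NOTE(review): this admits every protocol and port from the DMZ to the
# firewall itself, so a compromised DMZ server can reach any service the
# firewall listens on.  Narrow it to the services the DMZ really needs
# (e.g. -p UDP --dport 53, or ssh from one admin host) once those are known.
#

$IPTABLES -A INPUT -p ALL -i $DMZ_IFACE -d $DMZ_IP -j ACCEPT

#
# From LAN Interface to LAN firewall IP
#

$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_IP -j ACCEPT

#
# From Localhost interface to Localhost IP's
#
# Locally generated traffic may carry any of the firewall's own addresses as
# source.  The original listed every address except $DMZ_IP; it is added so
# the loopback rules match the set of addresses accepted in 4.1.6.
#

$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $DMZ_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT

#
# Special rule for DHCP requests from LAN, which are not caught properly
# otherwise (they are broadcast, so the -d $LAN_IP rule above never matches).
#

$IPTABLES -A INPUT -p UDP -i $LAN_IFACE --dport 67 --sport 68 -j ACCEPT

#
# All established and related packets incoming from the internet to the
# firewall
#

$IPTABLES -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED,RELATED \
-j ACCEPT

#
# In Microsoft Networks you will be swamped by broadcasts. These lines
# will prevent them from showing up in the logs.  $INET_BROADCAST must be
# defined in section 1.1 before enabling this rule.
#

#$IPTABLES -A INPUT -p UDP -i $INET_IFACE -d $INET_BROADCAST \
#--destination-port 135:139 -j DROP

#
# If we get DHCP requests from the Outside of our network, our logs will
# be swamped as well. This rule will block them from getting logged.
#

#$IPTABLES -A INPUT -p UDP -i $INET_IFACE -d 255.255.255.255 \
#--destination-port 67:68 -j DROP

#
# If you have a Microsoft Network on the outside of your firewall, you may
# also get flooded by Multicasts. We drop them so we do not get flooded by
# logs.  (224.0.0.0/4 is the whole multicast range; the original /8 only
# covered 224.x.x.x.)
#

#$IPTABLES -A INPUT -i $INET_IFACE -d 224.0.0.0/4 -j DROP

#
# Log weird packets that don't match the above (rate-limited); the chain
# policy then drops them.
#

$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT INPUT packet died: "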
|

#
# 4.1.5 FORWARD chain
#

#
# Bad TCP packets we don't want
#

|
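$IPTABLES -A FORWARD -p tcp -j bad_tcp_packets

#
# DMZ section
#
# General rules
#
# DMZ hosts may open connections to the Internet; the Internet side only
# gets replies (ESTABLISHED,RELATED) back in, plus the explicit per-server
# rules below.
# NOTE(review): unrestricted DMZ egress means a compromised DMZ server can
# freely call out (reverse shells, exfiltration, scanning third parties).
# Tighten the first rule to the ports the servers need (e.g. 53/udp for the
# resolver, NTP, the package mirror) once the environment is known.
#

$IPTABLES -A FORWARD -i $DMZ_IFACE -o $INET_IFACE -j ACCEPT
$IPTABLES -A FORWARD -i $INET_IFACE -o $DMZ_IFACE -m state \
--state ESTABLISHED,RELATED -j ACCEPT

#
# The LAN may open connections into the DMZ; the DMZ may only answer.  This
# pair is what keeps a compromised DMZ host from pivoting into the LAN, so
# do not loosen it without a specific reason.  Note that RELATED also admits
# helper-negotiated data connections if ip_conntrack_ftp/irc (2.2) are loaded.
#

$IPTABLES -A FORWARD -i $LAN_IFACE -o $DMZ_IFACE -j ACCEPT
$IPTABLES -A FORWARD -i $DMZ_IFACE -o $LAN_IFACE -m state \
--state ESTABLISHED,RELATED -j ACCEPT

#
# HTTP server
#
# Reachable from the Internet on port 80 only (the packet has already been
# DNATed from $HTTP_IP in 4.2.4) plus the ICMP types icmp_packets permits.
#

$IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_HTTP_IP \
--dport 80 -j allowed
$IPTABLES -A FORWARD -p ICMP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_HTTP_IP \
-j icmp_packets

#
# DNS server
#
# 53/tcp and 53/udp (DNATed from $DNS_IP) plus the permitted ICMP types.
#

$IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_DNS_IP \
--dport 53 -j allowed
$IPTABLES -A FORWARD -p UDP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_DNS_IP \
--dport 53 -j ACCEPT
$IPTABLES -A FORWARD -p ICMP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_DNS_IP \
-j icmp_packets

#
# LAN section
#
# The LAN may go anywhere (Internet and DMZ); the final state rule lets the
# replies back in on any interface.
#

$IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

#
# Log weird packets that don't match the above (rate-limited); the chain
# policy then drops them.
#

$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT FORWARD packet died: "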
|

#
# 4.1.6 OUTPUT chain
#

#
# Bad TCP packets we don't want.
#

|
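$IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets

#
# Special OUTPUT rules to decide which IP's to allow.
#
# The firewall may send from any of its own addresses.  $DMZ_IP was missing
# from the original list, which contradicted the INPUT rule that accepts DMZ
# hosts talking to $DMZ_IP: their requests got in, but the firewall's answers
# (sourced from $DMZ_IP) were dropped and logged by the OUTPUT policy.
#

$IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $DMZ_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT

#
# Log weird packets that don't match the above (rate-limited); the chain
# policy then drops them.
#

$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT OUTPUT packet died: "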
|

######
# 4.2 nat table
#

#
# 4.2.1 Set policies
#

#
# 4.2.2 Create user specified chains
#

#
# 4.2.3 Create content in user specified chains
#

|
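#
# Empty the nat table first so that a re-run of the script does not stack a
# second copy of every DNAT/SNAT rule (the filter table is flushed in 4.1.1).
#

$IPTABLES -t nat -F
$IPTABLES -t nat -X

#
# 4.2.4 PREROUTING chain
#
# Publish the DMZ servers: Internet-side traffic to the public $HTTP_IP /
# $DNS_IP on the service ports only is rewritten to the private DMZ
# addresses.  The FORWARD rules in 4.1.5 still have to permit the rewritten
# packet.  Only $INET_IFACE is matched, so LAN clients cannot reach the
# servers through their public addresses (no hairpin NAT) -- point them at
# the DMZ addresses, e.g. with split DNS.
#

$IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $HTTP_IP --dport 80 \
-j DNAT --to-destination $DMZ_HTTP_IP
$IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $DNS_IP --dport 53 \
-j DNAT --to-destination $DMZ_DNS_IP
$IPTABLES -t nat -A PREROUTING -p UDP -i $INET_IFACE -d $DNS_IP --dport 53 \
-j DNAT --to-destination $DMZ_DNS_IP

#
# 4.2.5 POSTROUTING chain
#

#
# Enable simple IP Forwarding and Network Address Translation
#
# Everything leaving on the Internet interface -- LAN and DMZ alike -- is
# rewritten to $INET_IP.  Outbound connections from the DMZ servers therefore
# appear to come from $INET_IP rather than $HTTP_IP / $DNS_IP; add
# "-s $DMZ_HTTP_IP" / "-s $DMZ_DNS_IP" SNAT rules ahead of this one if the
# public addresses must be used (e.g. for the DNS server's own queries).
#

$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP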
|

#
# 4.2.6 OUTPUT chain
#

######
# 4.3 mangle table
#
# Nothing is done in the mangle table; the section headings are kept as a
# template for packet-marking or TOS rules if they are ever needed.
#

#
# 4.3.1 Set policies
#

#
# 4.3.2 Create user specified chains
#

#
# 4.3.3 Create content in user specified chains
#

#
# 4.3.4 PREROUTING chain
#

#
# 4.3.5 INPUT chain
#

#
# 4.3.6 FORWARD chain
#

#
# 4.3.7 OUTPUT chain
#

#
# 4.3.8 POSTROUTING chain
#