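#!/bin/sh
#
#DONT TOUCH THIS MANUALLY. RUN THE SCRIPT ONCE
#ALL CHANGES SHOULD BE DONE IN /etc/firewall/firewall.conf
clear
##########################################################################
#                                                                        #
# Copyright (c) 2001 Patrik Hildingsson ph@kurd.nu                       #
#                    Marc Schoechlin schoechlin@linetics.de              #
#                    (enhanced & securitychecked)                        #
#                                                                        #
##########################################################################
# NOTE:
# Because of some problems with the ip_conntrack* modules
# I decided to deactivate some features.
# Please search for that changes and enable them if you like.
# (you can find them with the "BUG" keyword)
##########################################################################
#### REVIEW BELOW SETTINGS ONLY IF YOU KNOW WHAT YOU'RE DOING. #####
##########################################################################
if [ -f /etc/redhat-release ]; then
  . /etc/rc.d/init.d/functions
fi

## The configuration file. It is parsed with grep/cut (see fw_conf_get),
## never sourced, so nothing written into it is executed by this
## root-run script.
FW_CONF=/etc/firewall/firewall.conf

#######################################
# Print an error and abort with a non-zero status.
# The original PATH is restored first (loadconfig replaces it). The
# non-zero status is what lets init/rc notice that the firewall did NOT
# come up; the old code exited with 0 on every configuration error.
# Arguments: $* - message, written to stderr
#######################################
fw_die() {
  echo "$*" >&2
  export PATH="${ORIGPATH:-$PATH}"
  exit 1
}

#######################################
# Read one setting from $FW_CONF.
# Returns the text between the first pair of double quotes on the first
# line that starts with NAME=. Only the first match is used so that a
# duplicated setting cannot turn into a multi-line value (which would be
# word-split into several iptables arguments later on). A line without
# quotes is returned whole, as the original cut(1) parsing did.
# Arguments: $1 - setting name
# Outputs:   the value on stdout (empty if absent)
#######################################
fw_conf_get() {
  grep -E -h "^$1=" "$FW_CONF" | head -n 1 | cut -d '"' -f 2
}

#######################################
# Read a comma-separated setting from $FW_CONF as a space-separated list,
# ready for `for X in $LIST`.
# Arguments: $1 - setting name
# Outputs:   the list on stdout
#######################################
fw_conf_list() {
  fw_conf_get "$1" | sed 's/,/ /g'
}

#######################################
# Print the first IPv4 address configured on an interface, or nothing.
# Prefers iproute2, falls back to ifconfig. The output is a bare address:
# the "/prefix" of ip(8) and the "addr:" of old ifconfig are stripped,
# because EXT_IP is later used in iptables rules where "a.b.c.d/24" would
# match the whole subnet instead of this host. "inet " (with the space)
# skips the inet6 lines the old `tail -1` could pick up.
# Arguments: $1 - interface name
# Outputs:   the address on stdout (empty if none found)
#######################################
fw_detect_ip() {
  if [ -x /sbin/ip ]; then
    /sbin/ip -4 addr show dev "$1" 2>/dev/null \
      | awk '/inet /{ sub("/.*", "", $2); print $2; exit }'
  elif [ -x /sbin/ifconfig ]; then
    /sbin/ifconfig "$1" 2>/dev/null \
      | awk '/inet /{ v = $2; sub("^addr:", "", v); print v; exit }'
  else
    echo "Can't find ifconfig or ip in /sbin. You should be worried" >&2
  fi
}

#######################################
# Write one example host/MAC file (used by CHECK_MAC and SNAT rules).
# Never overwrites: the advice for an old firewall.conf is "backup &
# remove it", and regenerating the defaults must not wipe host files the
# administrator already edited. Created with umask 077 (mode 0600).
# Arguments: $1 - file path, $2 - IPv4 address, $3 - MAC address
#######################################
fw_write_example_host() {
  if [ -e "$1" ]; then
    echo "Keeping existing $1"
    return 0
  fi
  ( umask 077 && printf '%s ## Host that will be SNAT/Masqueraded/Redirected\n%s ## MAC address of %s\n' \
      "$2" "$3" "$2" > "$1" ) || fw_die "Cannot write $1"
}

#######################################
# Load all firewall settings from $FW_CONF into global variables.
# On first run creates /etc/firewall (0700), a default firewall.conf
# (0600) and example host files. VERSION and READY are validated before
# any other setting is used, so an old or unreviewed config never gets
# as far as touching the network.
# Globals:   sets ORIGPATH, IP_MAC and every setting named in the config
# Returns:   only on success; aborts via fw_die (exit 1) otherwise
#######################################
loadconfig () {
  echo "Loading the Configuration ..."
  ORIGPATH="$PATH"
  export PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin"

  ##########################################################################
  ## Config directory. Created 0700 because it holds the host/MAC files
  ## that CHECK_MAC and the SNAT/redirection rules are built from.
  IP_MAC=/etc/firewall
  if [ ! -d "$IP_MAC" ]; then
    mkdir -m 0700 "$IP_MAC" || fw_die "Cannot create $IP_MAC"
  fi

  if [ ! -f "$FW_CONF" ]; then
    echo "Creating $FW_CONF with default settings"
    ## umask 077 makes the file 0600 from the moment it exists. The quoted
    ## heredoc is written literally, so the template needs no escaping
    ## (the old echo "..." silently lost the quotes around "auto").
    ( umask 077 && cat > "$FW_CONF" <<'EOF'
##########################################################################
## Variables
IPTABLES="/sbin/iptables" ## Location of iptables binary
SERIAL="sl+" ## Leave field empty if diald is not in use
INTERNAL="eth0" ## Internal Interface
EXTERNAL="ppp0" ## External Interface
LOOPBACK="lo" ## Loopback Interface
DMZ_IF="eth1" ## DMZ Interface
IRC="n" ## y/n, Enable for DCC connection-track
EGG="n" ## y/n, Enable for Eggdrop HUB-bot on your net
DMZ="n" ## y/n, Enable to use DMZ
MASQ_TYPE="" ## Use "STAT" if static IP is used on EXTERNAL,
## use "STAT-NOCHECK" if static IP without MAC-CHECKING
## else just leave blank
CHECK_MAC="n" ## y/n, Enable to check macadress on internal hosts
##########################################################################
DMZ_NET="192.168.0.128/25" ## DMZ NET
INTERNAL_NET="192.168.0.0/25,192.168.2.0/24" ## Internal Net/s. Separate with comma
INT_IP="192.168.0.1" ## IP address of the Internal Interface
DMZ_IP="192.168.0.129" ## IP address of the DMZ interface
EXT_IP="194.17.248.156" ## IP address of the External Interface. Set
## "auto" for automatic setup
## Only needed if MASQ_TYPE is set to STAT and
## REDIR2PROXY is set to dnat
IPLIMIT_SSH="0" ## Limit inbound ssh_connections/ip/net. Disable with 0
SNAT_MASQ_REDIRECT="y" ## Optional SNAT/Masquerading and Redirection
## Former known as "MASQ_REDIRECT_HOST"
TRUST_EXT="194.17.248.0/24" ## External Hosts that we trust for
## (ICMP Echo Request AND ssh)
##########################################################################
## DNAT - REDIRECTION OF SERVERAL PROTOCOLS TO MACHINES BEHIND THE
## FIREWALL
## SSH REDIRECT
SSH_REDIR="y" ##
REDIR_SSH_EXT_PORT="10000" ## SSH-Port on External Interface
REDIR_SSH_INT="10.0.1.250:22" ## Destination-Host IP and Port
## HTTP REDIRECT
HTTP_REDIR="y"
REDIR_HTTP_EXT_PORT="10001" ## SSH-Port on External Interface
REDIR_HTTP_INT="10.0.1.250:80" ## Destination-Host IP and Port
##########################################################################
INTERNAL_TCP_PORTS="20,21,22,23,25,53,80,443,110,113,119,389,993,1024:"
INTERNAL_UDP_PORTS="53,1024:"
EXTERNAL_TCP_PORTS="20,21,25,53,80,110,113,119,389,443,993" ## TCP-ports that we want to open up on the EXTERNAL interface
EXTERNAL_UDP_PORTS="53,389" ## UDP-ports that we want to open up on the EXTERNAL interface
NETBIOS="y" ## Set to "y" for allowing Local NETBIOS access
REDIR2PROXY="n" ## Options are "n,local,dnat". Use local if
## proxy is localhost, dnat if other box, n if
## to disable proxying of 80/tcp and 443/tcp
FOREIGN_PROXY="194.17.248.139" ## If "dnat" is set in REDIR2PROXY we'll need a box to send our packets to
PROXY_PORT="8080" ## Optional Proxyport
DMZ_TCP_PORTS="20,21,25,53,110,113,119,389,443,993" ## TCP-ports that we want to open up on the DMZ interface
## and the internal Interface
DMZ_TCP_MACHINEPORTS="129.69.93.5p80,129.69.93.5p2000" ## TCP-ports that we want to open up on the DMZ interface
## and the internal Interface for certain machines with certain tcp-ports
## seperate IP-Adress and Ports with a p-char
DMZ_UDP_PORTS="53,389" ## UDP-ports that we want to open up on the DMZ interface
DMZ_UDP_MACHINEPORTS="129.69.93.5p80,129.69.93.5p2000" ## TCP-ports that we want to open up on the DMZ interface
## and the internal Interface dor certain machines with certain udp-ports
## seperate IP-Adress and Ports with a p-char
USE_FXP="0" ## Enables FXP for FTPclients
IRCTRACK="6665,6666,6667,6668,6669,7000" ## Track these ports on IRC.
## (MAX 8 by default) Thanks Patrick Bauer
FTP_PORT="21" ## FTP port/s (MAX 8 by default) that we want to track
## Separate with a comma. F.e. "21,6921,2121"
## Requires ip_conntrack_ftp.o Leave empty if
## patch-o-matic ftp haven't been applied
GATEWAY="62.66.2.6" ## Our Gateway
LOGLEVEL="debug" ## Choose which level messages should be logged as
## Loglevels can be found in 'man 2 syslog'
LIMITLEVEL="5/minute" ## Set your limitrate here. Check iptables
## manpage for more info
VERSION="1.0"
READY="n" ## Set to "y" to enable the script. This is for your own safety
EOF
    ) || fw_die "Cannot write $FW_CONF"

    ####################################################################################################
    ## Example host/MAC files. Existing ones are kept (see fw_write_example_host).
    echo "Creating examplefiles in $IP_MAC."
    echo "These will be used when masquerade/SNATing,"
    echo "and for proxy-redirection"
    echo
    fw_write_example_host "$IP_MAC/host1" 192.168.0.21 00:90:27:77:e5:60
    fw_write_example_host "$IP_MAC/host2" 192.168.0.22 00:90:27:64:4b:54
    fw_write_example_host "$IP_MAC/host3" 192.168.0.23 00:e0:18:90:51:37
    ## Sets mode to 0700 to $IP_MAC recursive
    chmod 0700 "$IP_MAC"
    chmod 0600 "$IP_MAC"/*
  fi

  ###############################################################################
  ## Check & load new strings from /etc/firewall/firewall.conf
  if [ ! -f "$FW_CONF" ]; then
    fw_die "$FW_CONF does NOT exists! Something is wrong. Exiting"
  fi

  ## Validate before reading anything else (the old code did this last,
  ## after auto-detecting the external IP).
  VERSION=$(fw_conf_get VERSION)
  READY=$(fw_conf_get READY)
  if [ "$VERSION" != "1.0" ]; then
    fw_die "Old version of $FW_CONF found. Please backup & remove it."
  fi
  if [ "$READY" != "y" ]; then
    fw_die "Oops! Check your settings in $FW_CONF"
  fi

  ## Single-valued settings
  IPTABLES=$(fw_conf_get IPTABLES)
  INTERNAL=$(fw_conf_get INTERNAL)
  EXTERNAL=$(fw_conf_get EXTERNAL)
  SERIAL=$(fw_conf_get SERIAL)
  LOOPBACK=$(fw_conf_get LOOPBACK)
  DMZ_IF=$(fw_conf_get DMZ_IF)
  IRC=$(fw_conf_get IRC)
  EGG=$(fw_conf_get EGG)
  DMZ=$(fw_conf_get DMZ)
  MASQ_TYPE=$(fw_conf_get MASQ_TYPE)
  CHECK_MAC=$(fw_conf_get CHECK_MAC)
  INT_IP=$(fw_conf_get INT_IP)
  DMZ_IP=$(fw_conf_get DMZ_IP)
  EXT_IP=$(fw_conf_get EXT_IP)
  SNAT_MASQ_REDIRECT=$(fw_conf_get SNAT_MASQ_REDIRECT)
  SSH_REDIR=$(fw_conf_get SSH_REDIR)
  REDIR_SSH_EXT_PORT=$(fw_conf_get REDIR_SSH_EXT_PORT)
  REDIR_SSH_INT=$(fw_conf_get REDIR_SSH_INT)
  HTTP_REDIR=$(fw_conf_get HTTP_REDIR)
  REDIR_HTTP_EXT_PORT=$(fw_conf_get REDIR_HTTP_EXT_PORT)
  REDIR_HTTP_INT=$(fw_conf_get REDIR_HTTP_INT)
  PROXY_PORT=$(fw_conf_get PROXY_PORT)
  REDIR2PROXY=$(fw_conf_get REDIR2PROXY)
  ## FOREIGN_PROXY is documented in the config (needed for REDIR2PROXY=dnat)
  ## but was never loaded by the old code; loaded here so it is defined.
  FOREIGN_PROXY=$(fw_conf_get FOREIGN_PROXY)
  USE_FXP=$(fw_conf_get USE_FXP)
  NETBIOS=$(fw_conf_get NETBIOS)
  ## FTP_PORT and IRCTRACK keep their commas: they are passed to modprobe
  ## as ports=a,b,c, not iterated.
  FTP_PORT=$(fw_conf_get FTP_PORT)
  LOGLEVEL=$(fw_conf_get LOGLEVEL)
  LIMITLEVEL=$(fw_conf_get LIMITLEVEL)
  GATEWAY=$(fw_conf_get GATEWAY)
  IPLIMIT_SSH=$(fw_conf_get IPLIMIT_SSH)

  ## Comma-separated settings, turned into space-separated lists
  DMZ_NET=$(fw_conf_list DMZ_NET)
  INTERNAL_NET=$(fw_conf_list INTERNAL_NET)
  MASQ_REDIRECT_HOST=$(fw_conf_list MASQ_REDIRECT_HOST)
  TRUST_EXT=$(fw_conf_list TRUST_EXT)
  INTERNAL_UDP_PORTS=$(fw_conf_list INTERNAL_UDP_PORTS)
  EXTERNAL_TCP_PORTS=$(fw_conf_list EXTERNAL_TCP_PORTS)
  EXTERNAL_UDP_PORTS=$(fw_conf_list EXTERNAL_UDP_PORTS)
  DMZ_TCP_PORTS=$(fw_conf_list DMZ_TCP_PORTS)
  DMZ_TCP_MACHINEPORTS=$(fw_conf_list DMZ_TCP_MACHINEPORTS)
  DMZ_UDP_PORTS=$(fw_conf_list DMZ_UDP_PORTS)
  DMZ_UDP_MACHINEPORTS=$(fw_conf_list DMZ_UDP_MACHINEPORTS)

  ## External IP: "auto" means detect it from the interface. An empty
  ## EXT_IP is fatal: used unquoted in a later -s/-d match it would simply
  ## vanish from the rule, which then matches every address.
  if [ "$EXT_IP" = "auto" ]; then
    EXT_IP=$(fw_detect_ip "$EXTERNAL")
    if [ -z "$EXT_IP" ]; then
      fw_die "Could not determine the IP address of $EXTERNAL (EXT_IP=\"auto\"). Refusing to start with an empty EXT_IP."
    fi
  fi
  echo "External-IP is: $EXT_IP"

  ## Port lists derived from INTERNAL_TCP_PORTS. MASQ_TCP_PORTS gets the
  ## IRC range appended when DCC tracking is on; INTERNAL_TCP_PORTS gets
  ## the proxy port appended (built with plain string concatenation, so a
  ## PROXY_PORT value is no longer interpolated into a sed program).
  INTERNAL_TCP_PORTS=$(fw_conf_list INTERNAL_TCP_PORTS)
  if [ "$IRC" = "y" ]; then
    IRCTRACK=$(fw_conf_get IRCTRACK)
    MASQ_TCP_PORTS="$INTERNAL_TCP_PORTS 6667:7000"
  else
    MASQ_TCP_PORTS="$INTERNAL_TCP_PORTS"
  fi
  INTERNAL_TCP_PORTS="$INTERNAL_TCP_PORTS $PROXY_PORT"
}
####################################################################################################
####################################################################################################
####################################################################################################
fw_start () {
## LOAD THE CONFIGURATION
loadconfig
####################################################################################################
####################################################################################################
echo "Starting Firewall version $VERSION"
echo "This will take some time ... (depends on your machine-speed:-)"
## Make sure we are root
if [ ! "`id 2>&1 | egrep 'uid=0' | cut -d '(' -f1`" = "uid=0" ]; then
echo "This script needs to be run as root"
export PATH="$ORIGPATH"
exit ## Exits the script
fi
####################################################################################################
## Check if iptables and filter/nat/mangle-tables are compiled as module
## or direct into kernel. If module, then we load it.
if [ -f /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_tables.o ]; then
/sbin/modprobe ip_tables
else
echo "Assuming IPTables compiled into kernel"
fi
####################################################################################################
## Check ip_conntrack exists
if [ -f /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_conntrack.o ]; then
if [ !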
"`lsmod 2>&1 | egrep 'ip_conntrack' | awk ' {print $1}' | egrep -x "ip_conntrack"`" = "ip_conntrack" ]; then echo "Loading connection-tracking" #BUG /sbin/modprobe ip_conntrack hashsize=256 /sbin/modprobe ip_conntrack fi fi #################################################################################################### ## Check ip_conntrack_ftp exists if [ -f /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_conntrack_ftp.o -a /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_nat_ftp.o ]; then if [ "`lsmod 2>&1 | egrep 'ip_conntrack_ftp' | awk ' {print $1}' | egrep -x "ip_conntrack_ftp"`" = "ip_conntrack_ftp" -a -n "$FTP_PORT" ]; then /sbin/rmmod ip_nat_ftp 2>&1 /sbin/rmmod ip_conntrack_ftp 2>&1 if [ "$USE_FXP" = "1" -a -n "$FTP_PORT" ]; then echo "Reloading FTP connection-track with FXP support on port/s $FTP_PORT" #BUG/sbin/modprobe ip_conntrack_ftp ports=$FTP_PORT fxp=1 2>&1 /sbin/modprobe ip_conntrack_ftp 2>&1 /sbin/modprobe ip_nat_ftp 2>&1 elif [ -n "$FTP_PORT" ]; then echo "Reloading FTP connection-track on port/s $FTP_PORT" #BUG /sbin/modprobe ip_conntrack_ftp ports=$FTP_PORT 2>&1 /sbin/modprobe ip_conntrack_ftp 2>&1 /sbin/modprobe ip_nat_ftp 2>&1 fi else if [ "$USE_FXP" = "1" -a -n "$FTP_PORT" ]; then echo "Loading FTP connection-track with FXP support on port/s $FTP_PORT" #BUG/sbin/modprobe ip_conntrack_ftp ports=$FTP_PORT fxp=1 2>&1 /sbin/modprobe ip_conntrack_ftp 2>&1 /sbin/modprobe ip_nat_ftp 2>&1 elif [ -n "$FTP_PORT" ]; then echo "Loading FTP connection-track on port/s $FTP_PORT" #/sbin/modprobe ip_conntrack_ftp ports=$FTP_PORT 2>&1 /sbin/modprobe ip_conntrack_ftp 2>&1 /sbin/modprobe ip_nat_ftp 2>&1 fi fi if [ "`lsmod 2>&1 | egrep 'ip_conntrack_ftp' | awk ' {print $1}' | egrep -x "ip_conntrack_ftp"`" = "ip_conntrack_ftp" -a -z "$FTP_PORT" ]; then /sbin/rmmod ip_nat_ftp 2>&1 /sbin/rmmod ip_conntrack_ftp 2>&1 echo "Reloading FTP connection-track" /sbin/modprobe ip_conntrack_ftp 2>&1 /sbin/modprobe ip_nat_ftp 2>&1 elif [ -z "$FTP_PORT" ]; then 
echo "Loading FTP connection-track" /sbin/modprobe ip_conntrack_ftp 2>&1 /sbin/modprobe ip_nat_ftp 2>&1 fi else echo "we're dead, No FTP Connection Track will be done" fi #################################################################################################### ## Check ip_conntrack_irc exists if [ "$IRC" = "y" ]; then if [ -f /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_conntrack_irc.o -a /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_nat_irc.o ]; then if [ "`lsmod 2>&1 | egrep 'ip_conntrack_irc' | awk ' {print $1}' | egrep -x "ip_conntrack_irc"`" = "ip_conntrack_irc" ]; then echo "Reloading IRC connection-track on ports $IRCTRACK" /sbin/rmmod ip_nat_irc 2>&1 /sbin/rmmod ip_conntrack_irc 2>&1 /sbin/modprobe ip_conntrack_irc ports=$IRCTRACK 2>&1 /sbin/modprobe ip_nat_irc ports=$IRCTRACK 2>&1 else echo "Loading IRC connection-track on ports $IRCTRACK" /sbin/modprobe ip_conntrack_irc ports=$IRCTRACK 2>&1 /sbin/modprobe ip_nat_irc ports=$IRCTRACK 2>&1 fi else echo "Please compile ip_conntrack_irc as module for IRC DCC connection-track!" sleep 3 fi else /sbin/rmmod ip_conntrack_irc 1>/dev/null 2>/dev/null /sbin/rmmod ip_nat_irc 1>/dev/null 2>/dev/null #just to make sure there are no modules left fi #################################################################################################### ## Check ip_conntrack_egg exists if [ "$EGG" = "y" ]; then if [ -f /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_conntrack_egg.o ]; then if [ "`lsmod 2>&1 | egrep 'ip_conntrack_egg' | awk ' {print $1}' | egrep -x "ip_conntrack_egg"`" = "ip_conntrack_egg" ]; then echo "Reloading Eggdrop HUB-bot connection-track" /sbin/rmmod ip_conntrack_egg /sbin/modprobe ip_conntrack_egg 2>&1 else echo "Loading Eggdrop HUB-bot connection-track" /sbin/modprobe ip_conntrack_egg 2>&1 fi else echo "Please compile ip_conntrack_egg as module for Eggdrop HUB-bot connection-track!" 
sleep 3 fi else /sbin/rmmod ip_conntrack_egg 1>/dev/null 2>/dev/null #just to make sure there's no module left fi export PATH="$ORIGPATH" #################################################################################################### ## Check iptables compatible with kernel ## if [ ! "`$IPTABLES --version | egrep 'iptables v1.2'`" = "iptables v1.2" ]; then echo "IPtables v1.2 required OR kernel not configured for iptables. Aborting!" echo "Get IPtables 1.2 from http://netfilter.kernelnotes.org/ and Linux Kernel 2.4.x from http://ftp.kernel.org/" exit fi #################################################################################################### ## Attempt to Flush All Rules in Filter Table $IPTABLES -F ## Flush Built-in Rules $IPTABLES -F INPUT $IPTABLES -F OUTPUT $IPTABLES -F FORWARD ## Flush Rules/Delete User Chains in Mangle Table $IPTABLES -F -t mangle $IPTABLES -t mangle -X ## Delete all user-defined chains, reduces dumb warnings if you run ## this script more than once. $IPTABLES -X ## Set Default Policies $IPTABLES -P INPUT DROP ## Highly Recommended $IPTABLES -P OUTPUT DROP $IPTABLES -P FORWARD DROP ## Other Reserved Addresses ## ## Refuse addresses defined as reserved by the IANA RESERVED_NET=" 0.0.0.0/8 \ 1.0.0.0/8 \ 2.0.0.0/8 \ 5.0.0.0/8 \ 7.0.0.0/8 \ 23.0.0.0/8 \ 27.0.0.0/8 \ 31.0.0.0/8 \ 36.0.0.0/8 \ 37.0.0.0/8 \ 39.0.0.0/8 \ 41.0.0.0/8 \ 42.0.0.0/8 \ 49.0.0.0/8 \ 50.0.0.0/8 \ 58.0.0.0/7 \ 60.0.0.0/8 \ 67.0.0.0/8 \ 68.0.0.0/6 \ 72.0.0.0/5 \ 80.0.0.0/4 \ 96.0.0.0/3 \ 127.0.0.0/8 \ 169.254.0.0/16 \ 192.0.2.0/24 \ 197.0.0.0/8 \ 218.0.0.0/7 \ 220.0.0.0/6" ############################################################################### ## Special Chains ############################################################################### ############################################################################### ## Special chain KEEP_STATE to handle incoming, outgoing, and ## established connections. 
$IPTABLES -N KEEP_STATE $IPTABLES -F KEEP_STATE ##------------------------------------------------------------------------## ## DROP packets associated with an "INVALID" connection. $IPTABLES -A KEEP_STATE -m state --state INVALID -m limit \ --limit $LIMITLEVEL -j LOG --log-level $LOGLEVEL --log-prefix "INVALID STATE:" $IPTABLES -A KEEP_STATE -m state --state INVALID -j DROP ##------------------------------------------------------------------------## ##------------------------------------------------------------------------## ## UNCLEAN match target # $IPTABLES -A KEEP_STATE -m unclean -m limit \ --limit $LIMITLEVEL -j LOG --log-level $LOGLEVEL --log-prefix "UNCLEAN MATCH:" $IPTABLES -A KEEP_STATE -m unclean -j DROP ##------------------------------------------------------------------------## ##------------------------------------------------------------------------## ## ACCEPT certain packets which are starting a new connection or are ## related to an established connection. $IPTABLES -A KEEP_STATE -m state --state RELATED,ESTABLISHED -j ACCEPT ##------------------------------------------------------------------------## ############################################################################### ## Special chain CHECK_FLAGS that will DROP and log TCP packets with certain ## TCP flags set. 
$IPTABLES -N CHECK_FLAGS $IPTABLES -F CHECK_FLAGS ##------------------------------------------------------------------------## ## NMAP FIN/URG/PSH $IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL FIN,URG,PSH -m limit \ --limit $LIMITLEVEL -j LOG --log-level $LOGLEVEL --log-prefix "NMAP-XMAS:" $IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP ##------------------------------------------------------------------------## ##------------------------------------------------------------------------## ## SYN/RST $IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags SYN,RST SYN,RST -m limit \ --limit $LIMITLEVEL -j LOG --log-level $LOGLEVEL --log-prefix "SYN/RST:" $IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags SYN,RST SYN,RST -j DROP ##------------------------------------------------------------------------## ##------------------------------------------------------------------------## ## SYN/FIN -- Scan(possibly) $IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit \ --limit $LIMITLEVEL -j LOG --log-level $LOGLEVEL --log-prefix "SYN/FIN:" $IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP ##------------------------------------------------------------------------## ##------------------------------------------------------------------------## ## TCP Option Check $IPTABLES -A CHECK_FLAGS -p tcp --tcp-option 64 -m limit \ --limit $LIMITLEVEL -j LOG --log-level $LOGLEVEL --log-prefix \ "Bogus TCP FLAG 64" $IPTABLES -A CHECK_FLAGS -p tcp --tcp-option 64 -j DROP $IPTABLES -A CHECK_FLAGS -p tcp --tcp-option 128 -m limit \ --limit $LIMITLEVEL -j LOG --log-level $LOGLEVEL --log-prefix \ "Bogus TCP FLAG 128" $IPTABLES -A CHECK_FLAGS -p tcp --tcp-option 128 -j DROP ##------------------------------------------------------------------------## ## Following three lines may be used to DoS you. Think twice before uncommenting these! 
# $IPTABLES -A CHECK_FLAGS -m limit --limit 1/second -p tcp --tcp-flags ALL RST -j ACCEPT # $IPTABLES -A CHECK_FLAGS -m limit --limit 1/second -p tcp --tcp-flags ALL FIN -j ACCEPT # $IPTABLES -A CHECK_FLAGS -m limit --limit 1/second -p tcp --tcp-flags ALL SYN -j ACCEPT ############################################################################### ## Special Chain DENY_PORTS ## This chain will REJECT and LOG packets based on port number (thx Godot) $IPTABLES -N DENY_PORTS $IPTABLES -F DENY_PORTS ##------------------------------------------------------------------------## ## NFS, X, SMB $IPTABLES -A DENY_PORTS -p tcp -i ! $INTERNAL --dport 137:139 -m limit --limit $LIMITLEVEL \ -j LOG --log-level $LOGLEVEL --log-prefix "Netbios SRC:" $IPTABLES -A DENY_PORTS -p tcp -o ! $INTERNAL --sport 137:139 -m limit --limit $LIMITLEVEL \ -j LOG --log-level $LOGLEVEL --log-prefix "Netbios DST:" $IPTABLES -A DENY_PORTS -p tcp -i ! $INTERNAL --dport 137:139 -j REJECT --reject-with tcp-reset $IPTABLES -A DENY_PORTS -p tcp -o ! 
$INTERNAL --sport 137:139 -j REJECT --reject-with tcp-reset ##------------------------------------------------------------------------## $IPTABLES -A DENY_PORTS -p tcp --dport 1433 -j REJECT --reject-with tcp-reset $IPTABLES -A DENY_PORTS -p tcp --sport 1433 -j REJECT --reject-with tcp-reset $IPTABLES -A DENY_PORTS -p tcp --dport 2049 -j REJECT --reject-with tcp-reset $IPTABLES -A DENY_PORTS -p tcp --sport 2049 -j REJECT --reject-with tcp-reset $IPTABLES -A DENY_PORTS -p tcp --dport 5432 -j REJECT --reject-with tcp-reset $IPTABLES -A DENY_PORTS -p tcp --sport 5432 -j REJECT --reject-with tcp-reset $IPTABLES -A DENY_PORTS -p tcp --dport 5999:6063 -j REJECT --reject-with tcp-reset $IPTABLES -A DENY_PORTS -p tcp --sport 5999:6063 -j REJECT --reject-with tcp-reset ##------------------------------------------------------------------------## ## Possible rpc.statd exploit shell $IPTABLES -A DENY_PORTS -p tcp --dport 9704 -m limit --limit $LIMITLEVEL \ -j LOG --log-level $LOGLEVEL --log-prefix "rpc.statd(9704) Shell:" $IPTABLES -A DENY_PORTS -p tcp --sport 9704 -m limit --limit $LIMITLEVEL \ -j LOG --log-level $LOGLEVEL --log-prefix "rpc.statd(9704) Shell:" $IPTABLES -A DENY_PORTS -p tcp --dport 9704 -j REJECT --reject-with tcp-reset $IPTABLES -A DENY_PORTS -p tcp --sport 9704 -j REJECT --reject-with tcp-reset ##------------------------------------------------------------------------## ##------------------------------------------------------------------------## ## NetBus and NetBus Pro $IPTABLES -A DENY_PORTS -p tcp --dport 20034 -m limit --limit $LIMITLEVEL \ -j LOG --log-level $LOGLEVEL --log-prefix "NetBus Pro:" $IPTABLES -A DENY_PORTS -p tcp --dport 12345:12346 -m limit --limit $LIMITLEVEL \ -j LOG --log-level $LOGLEVEL --log-prefix "NetBus:" $IPTABLES -A DENY_PORTS -p tcp --dport 20034 -j REJECT --reject-with tcp-reset $IPTABLES -A DENY_PORTS -p tcp --dport 12345:12346 -j REJECT --reject-with tcp-reset 
##------------------------------------------------------------------------## ##------------------------------------------------------------------------## ## Trinoo $IPTABLES -A DENY_PORTS -p tcp --sport 27665 -m limit --limit $LIMITLEVEL \ -j LOG --log-level $LOGLEVEL --log-prefix "Trinoo:" $IPTABLES -A DENY_PORTS -p tcp --dport 27665 -m limit --limit $LIMITLEVEL \ -j LOG --log-level $LOGLEVEL --log-prefix "Trinoo:" $IPTABLES -A DENY_PORTS -p tcp --sport 27665 -j REJECT --reject-with tcp-reset $IPTABLES -A DENY_PORTS -p tcp --dport 27665 -j REJECT --reject-with tcp-reset $IPTABLES -A DENY_PORTS -p udp --sport 27444 -m limit --limit $LIMITLEVEL \ -j LOG --log-level $LOGLEVEL --log-prefix "Trinoo:" $IPTABLES -A DENY_PORTS -p udp --dport 27444 -m limit --limit $LIMITLEVEL \ -j LOG --log-level $LOGLEVEL --log-prefix "Trinoo:" $IPTABLES -A DENY_PORTS -p udp --sport 27444 -j DROP $IPTABLES -A DENY_PORTS -p udp --dport 27444 -j DROP $IPTABLES -A DENY_PORTS -p udp --sport 31335 -m limit --limit $LIMITLEVEL \ -j LOG --log-level $LOGLEVEL --log-prefix "Trinoo:" $IPTABLES -A DENY_PORTS -p udp --dport 31335 -m limit --limit $LIMITLEVEL \ -j LOG --log-level $LOGLEVEL --log-prefix "Trinoo:" $IPTABLES -A DENY_PORTS -p udp --sport 31335 -j DROP $IPTABLES -A DENY_PORTS -p udp --dport 31335 -j DROP ##------------------------------------------------------------------------## ##------------------------------------------------------------------------## ## Back Orifice $IPTABLES -A DENY_PORTS -p tcp --dport 31337 -m limit --limit $LIMITLEVEL \ -j LOG --log-level $LOGLEVEL --log-prefix "BackOrifice-TCP:" $IPTABLES -A DENY_PORTS -p udp --dport 31337 -m limit --limit $LIMITLEVEL \ -j LOG --log-level $LOGLEVEL --log-prefix "BackOrifice-UDP:" $IPTABLES -A DENY_PORTS -p tcp --sport 31337 -m limit --limit $LIMITLEVEL \ -j LOG --log-level $LOGLEVEL --log-prefix "BackOrifice-TCP:" $IPTABLES -A DENY_PORTS -p udp --sport 31337 -m limit --limit $LIMITLEVEL \ -j LOG --log-level $LOGLEVEL 
--log-prefix "BackOrifice-UDP:" $IPTABLES -A DENY_PORTS -p tcp --dport 31337 -j REJECT --reject-with tcp-reset $IPTABLES -A DENY_PORTS -p udp --dport 31337 -j DROP $IPTABLES -A DENY_PORTS -p tcp --sport 31337 -j REJECT --reject-with tcp-reset $IPTABLES -A DENY_PORTS -p udp --sport 31337 -j DROP ##------------------------------------------------------------------------## ############################################################################### ## Special Chain ALLOW_NETBIOS ## Rules to allow packets destined for the external interface based on port ## number. $IPTABLES -N ALLOW_NETBIOS $IPTABLES -F ALLOW_NETBIOS ##------------------------------------------------------------------------## ## ALLOW machines to access netbios service. $IPTABLES -A ALLOW_NETBIOS -p tcp --sport 445 -j ACCEPT $IPTABLES -A ALLOW_NETBIOS -p tcp --dport 445 -j ACCEPT $IPTABLES -A ALLOW_NETBIOS -p tcp --sport 137:139 -j ACCEPT $IPTABLES -A ALLOW_NETBIOS -p tcp --dport 137:139 -j ACCEPT $IPTABLES -A ALLOW_NETBIOS -p udp --sport 137:139 -j ACCEPT $IPTABLES -A ALLOW_NETBIOS -p udp --dport 137:139 -j ACCEPT ##------------------------------------------------------------------------## ############################################################################### ## Special Chain ALLOW_PORTS-EXTERNAL ## Rules to allow packets destined for the external interface based on port ## number. $IPTABLES -N ALLOW_PORTS-EXTERNAL $IPTABLES -F ALLOW_PORTS-EXTERNAL ##------------------------------------------------------------------------## ## ALLOW foreign machines to access certain services. ## SSH from trusted hosts (could be set to 0/0) ## If iplimit_ssh set to 0, just allow ssh inbound, if not, apply the ## iplimit match. 
##------------------------------------------------------------------------## if [ "$IPLIMIT_SSH" = "0" ];then ## Non-limiting Sessions for TRUST_EXT_SSH in $TRUST_EXT; do $IPTABLES -A ALLOW_PORTS-EXTERNAL -i $EXTERNAL -m state --state NEW -p tcp \ -s $TRUST_EXT_SSH -m multiport --dport 22,23 -j ACCEPT done else ##------------------------------------------------------------------------## ## Limit Sessions for TRUST_EXT_SSH in $TRUST_EXT; do $IPTABLES -A ALLOW_PORTS-EXTERNAL -i $EXTERNAL -m state --state NEW -p tcp \ -s $TRUST_EXT_SSH -m multiport --dport 22,23 \ -m iplimit ! --iplimit-above $IPLIMIT_SSH -j ACCEPT done fi ##------------------------------------------------------------------------## ##------------------------------------------------------------------------## ## MULTIPORTS if [ -n "$EXTERNAL_TCP_PORTS" ]; then for PORTS in $EXTERNAL_TCP_PORTS; do $IPTABLES -A ALLOW_PORTS-EXTERNAL -i $EXTERNAL -m state --state NEW -p tcp \ --dport $PORTS -j ACCEPT done fi ##------------------------------------------------------------------------## ##------------------------------------------------------------------------## if [ -n "$EXTERNAL_UDP_PORTS" ]; then for PORTS in $EXTERNAL_UDP_PORTS; do $IPTABLES -A ALLOW_PORTS-EXTERNAL -i $EXTERNAL -m state --state NEW -p udp \ --dport $PORTS -j ACCEPT done fi ##------------------------------------------------------------------------## ############################################################################### ## Special Chain ALLOW_PORTS-INTERNAL ## Rules to allow packets destined for the internal interface based on port ## number. 
$IPTABLES -N ALLOW_PORTS-INTERNAL $IPTABLES -F ALLOW_PORTS-INTERNAL ##------------------------------------------------------------------------## ## ALLOW foreign machines to access certain services.(Examples) ##------------------------------------------------------------------------## ## MULTIPORTS if [ -n "$INTERNAL_TCP_PORTS" ]; then for PORTS in $INTERNAL_TCP_PORTS; do $IPTABLES -A ALLOW_PORTS-INTERNAL -i $INTERNAL -m state --state NEW -p tcp \ --dport $PORTS -j ACCEPT done fi ##------------------------------------------------------------------------## ##------------------------------------------------------------------------## if [ -n "$INTERNAL_UDP_PORTS" ]; then for PORTS in $INTERNAL_UDP_PORTS; do $IPTABLES -A ALLOW_PORTS-INTERNAL -i $INTERNAL -m state --state NEW -p udp \ --dport $PORTS -j ACCEPT done fi ##------------------------------------------------------------------------## ############################################################################### ## Special Chain ALLOW_ICMP ## This chain contains rules to allow/drop specific types of ICMP datagrams. 
$IPTABLES -N ALLOW_ICMP $IPTABLES -F ALLOW_ICMP ##------------------------------------------------------------------------## ## Echo Reply (pong) $IPTABLES -A ALLOW_ICMP -p icmp --icmp-type 0 -j ACCEPT ##------------------------------------------------------------------------## ##------------------------------------------------------------------------## ## Destination Unreachable $IPTABLES -A ALLOW_ICMP -p icmp --icmp-type 3 -j ACCEPT ##------------------------------------------------------------------------## ##------------------------------------------------------------------------## ## Accept Pings at the rate of one per second from external hosts ## $IPTABLES -A ALLOW_ICMP -i $INTERNAL -p icmp --icmp-type 8 -m limit \ --limit 1/second -j ACCEPT ##------------------------------------------------------------------------## ##------------------------------------------------------------------------## if [ -n "$TRUST_EXT" ]; then ## Accept Pings at the rate of one per second from external hosts ## for TRUST_EXT_PING in $TRUST_EXT; do $IPTABLES -A ALLOW_ICMP -i ! $INTERNAL -s $TRUST_EXT_PING -p icmp --icmp-type 8 -m limit \ --limit 1/second -j ACCEPT done fi ##------------------------------------------------------------------------## ##------------------------------------------------------------------------## ## TTL Exceeded (traceroute) $IPTABLES -A ALLOW_ICMP -p icmp --icmp-type 11 -j ACCEPT ##------------------------------------------------------------------------## ############################################################################### ## Special Chain CHECK_MAC ## Rules to Provide Egress Filtering Based on MAC Hardware Address. 
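## Chains CHECK_MAC / CHECK_MAC_NAT.
## One file per host under $IP_MAC/host*: a line that starts with the MAC
## address (xx:xx:...) and a line that starts with the IPv4 address; text
## after '#' on a line is a comment. A packet whose MAC (CHECK_MAC) or
## MAC+source IP (CHECK_MAC_NAT) matches a host RETURNs to the caller,
## everything else is logged (rate-limited by LIMITLEVEL) and dropped.
## NOTE: a MAC check catches misconfigured or unexpected hosts on the
## internal segment; it is not authentication and should not be the only
## control in front of a service.
##
## CHECK_US is kept for compatibility with the rest of the script: the
## list of host files, built from the glob instead of parsing `ls`.
CHECK_US=
for I in "$IP_MAC"/host*; do
  ## an unmatched glob leaves the literal pattern behind - skip it
  [ -e "$I" ] && CHECK_US="$CHECK_US $I"
done
if [ "$CHECK_MAC" = "y" ] && [ -d "$IP_MAC" ]; then
  $IPTABLES -N CHECK_MAC
  $IPTABLES -F CHECK_MAC
  $IPTABLES -N CHECK_MAC_NAT
  $IPTABLES -F CHECK_MAC_NAT
  ##------------------------------------------------------------------------##
  ## Allow known MAC addresses / known MAC+IP pairs.
  ## $CHECK_US is word-split, so host file names must not contain whitespace.
  for I in $CHECK_US; do
    ## first matching line only, comment stripped, all whitespace removed so
    ## the value is exactly one iptables argument
    HOST_MAC=$(grep -Ei '^[a-z0-9]+:[a-z0-9]' "$I" | head -n 1 | cut -d '#' -f1 | tr -d '[:space:]')
    HOST_IP=$(grep -Ei '^[a-z0-9]+\.' "$I" | head -n 1 | cut -d '#' -f1 | tr -d '[:space:]')
    if [ -z "$HOST_MAC" ]; then
      ## previously an empty --mac-source made iptables fail with a usage
      ## error and the host was silently left out of the chain
      echo "CHECK_MAC: no MAC address line in $I, host skipped" >&2
      continue
    fi
    $IPTABLES -A CHECK_MAC -m mac --mac-source "$HOST_MAC" -j RETURN
    if [ -n "$HOST_IP" ]; then
      $IPTABLES -A CHECK_MAC_NAT -m mac --mac-source "$HOST_MAC" -s "$HOST_IP" -j RETURN
    else
      echo "CHECK_MAC: no IP address line in $I, host left out of CHECK_MAC_NAT" >&2
    fi
  done
  ##------------------------------------------------------------------------##
  ## Drop the rest (rate-limited LOG first, so a flood cannot fill syslog)
  $IPTABLES -A CHECK_MAC -m limit --limit $LIMITLEVEL \
    -j LOG --log-level $LOGLEVEL --log-prefix "WRONG_MAC:"
  $IPTABLES -A CHECK_MAC -j DROP
  $IPTABLES -A CHECK_MAC_NAT -m limit --limit $LIMITLEVEL \
    -j LOG --log-level $LOGLEVEL --log-prefix "WRONG_MAC_NAT:"
  $IPTABLES -A CHECK_MAC_NAT -j DROP
  ##------------------------------------------------------------------------##
fi
###############################################################################
## Special Chain SRC_EGRESS
## Rules to provide egress filtering based on source IP address.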
## Chain SRC_EGRESS: drop packets whose SOURCE is a private/reserved range
## (bogon filtering). Each of the well-known ranges gets a rate-limited LOG
## followed by a DROP; the user-supplied RESERVED_NET list is dropped
## silently. 224.0.0.0/3 already spans 224-255, so the 240.0.0.0/5 rules
## can never match - they are kept for parity with the original rule set.
${IPTABLES} -N SRC_EGRESS
${IPTABLES} -F SRC_EGRESS
##------------------------------------------------------------------------##
for NET in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 224.0.0.0/3 240.0.0.0/5; do
  ${IPTABLES} -A SRC_EGRESS -s ${NET} -m limit --limit ${LIMITLEVEL} \
    -j LOG --log-level ${LOGLEVEL} --log-prefix "SRC_EGRESS:"
  ${IPTABLES} -A SRC_EGRESS -s ${NET} -j DROP
done
for NET in ${RESERVED_NET}; do
  ${IPTABLES} -A SRC_EGRESS -s ${NET} -j DROP
done
##------------------------------------------------------------------------##
###############################################################################
## Chain DST_EGRESS: same ranges, matched on the DESTINATION address.
${IPTABLES} -N DST_EGRESS
${IPTABLES} -F DST_EGRESS
##------------------------------------------------------------------------##
## (disabled) let the upstream gateway send IGMP to the all-hosts group:
## ${IPTABLES} -A DST_EGRESS -i ${EXTERNAL} -p igmp -s ${GATEWAY} -d 224.0.0.1 -j ACCEPT
##------------------------------------------------------------------------##
for NET in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 224.0.0.0/3 240.0.0.0/5; do
  ${IPTABLES} -A DST_EGRESS -d ${NET} -m limit --limit ${LIMITLEVEL} \
    -j LOG --log-level ${LOGLEVEL} --log-prefix "DST_EGRESS:"
  ${IPTABLES} -A DST_EGRESS -d ${NET} -j DROP
done
for NET in ${RESERVED_NET}; do
  ${IPTABLES} -A DST_EGRESS -d ${NET} -j DROP
done
##------------------------------------------------------------------------##
###############################################################################
## Chain MANGLE_OUTPUT (mangle table): set the TOS byte on outbound traffic.
## TOS values (see: iptables -m tos -h)
##   Minimize-Delay        16 (0x10)
##   Maximize-Throughput    8 (0x08)
##   Maximize-Reliability   4 (0x04)
##   Minimize-Cost          2 (0x02)
##   Normal-Service         0 (0x00)
${IPTABLES} -t mangle -N MANGLE_OUTPUT
${IPTABLES} -t mangle -F MANGLE_OUTPUT
##------------------------------------------------------------------------##
## ftp-data: throughput; interactive/control protocols and DNS: low delay
${IPTABLES} -t mangle -A MANGLE_OUTPUT -p tcp --dport 20 -j TOS --set-tos 8
${IPTABLES} -t mangle -A MANGLE_OUTPUT -p tcp --dport 21 -j TOS --set-tos 16
${IPTABLES} -t mangle -A MANGLE_OUTPUT -p tcp --dport 22 -j TOS --set-tos 16
${IPTABLES} -t mangle -A MANGLE_OUTPUT -p tcp --dport 23 -j TOS --set-tos 16
${IPTABLES} -t mangle -A MANGLE_OUTPUT -p tcp --dport 25 -j TOS --set-tos 16
${IPTABLES} -t mangle -A MANGLE_OUTPUT -p tcp --dport 53 -j TOS --set-tos 16
${IPTABLES} -t mangle -A MANGLE_OUTPUT -p udp --dport 53 -j TOS --set-tos 16
${IPTABLES} -t mangle -A MANGLE_OUTPUT -p tcp --dport 80 -j TOS --set-tos 8
##------------------------------------------------------------------------##
###############################################################################
## Chain MANGLE_PREROUTING (mangle table): the same TOS marking applied to
## traffic entering from the internal/DMZ side.
${IPTABLES} -t mangle -N MANGLE_PREROUTING
${IPTABLES} -t mangle -F MANGLE_PREROUTING
##------------------------------------------------------------------------##
${IPTABLES} -t mangle -A MANGLE_PREROUTING -p tcp --dport 20 -j TOS --set-tos 8
${IPTABLES} -t mangle -A MANGLE_PREROUTING -p tcp --dport 21 -j TOS --set-tos 16
${IPTABLES} -t mangle -A MANGLE_PREROUTING -p tcp --dport 22 -j TOS --set-tos 16
${IPTABLES} -t mangle -A MANGLE_PREROUTING -p tcp --dport 23 -j TOS --set-tos 16
${IPTABLES} -t mangle -A MANGLE_PREROUTING -p tcp --dport 25 -j TOS --set-tos 16
${IPTABLES} -t mangle -A MANGLE_PREROUTING -p tcp --dport 53 -j TOS --set-tos 16
${IPTABLES} -t mangle -A MANGLE_PREROUTING -p udp --dport 53 -j TOS --set-tos 16
${IPTABLES} -t mangle -A MANGLE_PREROUTING -p tcp --dport 80 -j TOS --set-tos 8
##------------------------------------------------------------------------##
###############################################################################
## Special Chain ALLOW_PORTS-DMZ
## Rules to allow packets destined for the DMZ interface based on port
## number.
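## Chain ALLOW_PORTS-DMZ (only when DMZ=y): NEW connections accepted into
## the DMZ. Four lists drive it:
##   DMZ_TCP_PORTS / DMZ_UDP_PORTS           - ports open on every DMZ host
##   DMZ_TCP_MACHINEPORTS / DMZ_UDP_MACHINEPORTS
##         - "IPpPORT" words, e.g. 192.168.0.130p80; the 'p' is rewritten
##           to " --dport " so each word becomes "-d IP --dport PORT".
##           Nothing else in the word may contain a 'p'.
## Plus TCP 22/23 from every host in TRUST_EXT.
if [ "$DMZ" = "y" ]; then
  $IPTABLES -N ALLOW_PORTS-DMZ
  $IPTABLES -F ALLOW_PORTS-DMZ
  ##------------------------------------------------------------------------##
  ## Services open on any DMZ host
  if [ -n "$DMZ_TCP_PORTS" ]; then
    for PORTS in $DMZ_TCP_PORTS; do
      $IPTABLES -A ALLOW_PORTS-DMZ -m state --state NEW -p tcp \
        --dport $PORTS -j ACCEPT
    done
  fi
  ##------------------------------------------------------------------------##
  ## Services open on one specific DMZ host (the substitution result is
  ## deliberately unquoted: it must expand to two arguments)
  if [ -n "$DMZ_TCP_MACHINEPORTS" ]; then
    for MACHINEPORTS in $DMZ_TCP_MACHINEPORTS; do
      echo "Opening TCP for DMZ :: $(printf '%s\n' "$MACHINEPORTS" | sed 's/p/ TCP-Port(s): /g')"
      $IPTABLES -A ALLOW_PORTS-DMZ -m state --state NEW -p tcp \
        -d $(printf '%s\n' "$MACHINEPORTS" | sed 's/p/ --dport /g') -j ACCEPT
    done
  fi
  ##------------------------------------------------------------------------##
  if [ -n "$DMZ_UDP_PORTS" ]; then
    for PORTS in $DMZ_UDP_PORTS; do
      $IPTABLES -A ALLOW_PORTS-DMZ -m state --state NEW -p udp \
        --dport $PORTS -j ACCEPT
    done
  fi
  ##------------------------------------------------------------------------##
  if [ -n "$DMZ_UDP_MACHINEPORTS" ]; then
    for MACHINEPORTS in $DMZ_UDP_MACHINEPORTS; do
      echo "Opening UDP for DMZ :: $(printf '%s\n' "$MACHINEPORTS" | sed 's/p/ UDP-PORTS: /g')"
      $IPTABLES -A ALLOW_PORTS-DMZ -m state --state NEW -p udp \
        -d $(printf '%s\n' "$MACHINEPORTS" | sed 's/p/ --dport /g') -j ACCEPT
    done
  fi
  ##------------------------------------------------------------------------##
  ## SSH/telnet from trusted hosts (TRUST_EXT could be set to 0/0, which
  ## would open both ports to the whole Internet - keep it to real hosts)
  for TRUST_EXT_SSH in $TRUST_EXT; do
    $IPTABLES -A ALLOW_PORTS-DMZ \
      -s $TRUST_EXT_SSH -p tcp -m multiport --dport 22,23 -j ACCEPT
  done
  ##------------------------------------------------------------------------##
fi
###############################################################################
## Firewall Input Chains
## Every per-interface chain below is a filter pass: it sanity-checks TCP
## flags (CHECK_FLAGS) and hands non-ICMP traffic to DENY_PORTS; it does
## not ACCEPT, so control returns to the caller for the state/port rules.
## All negations use the extrapositioned form ("! -p icmp") - the
## intrapositioned "-p ! icmp" is deprecated in iptables.
###############################################################################
## Input on the external interface
$IPTABLES -N EXTERNAL-input
$IPTABLES -F EXTERNAL-input
##------------------------------------------------------------------------##
## Check TCP packets coming in on the external interface for weird flags
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p tcp -j CHECK_FLAGS
##------------------------------------------------------------------------##
## Filter incoming packets based on port number.
$IPTABLES -A EXTERNAL-input -i $EXTERNAL ! -p icmp -j DENY_PORTS
##------------------------------------------------------------------------##
###############################################################################
## Input on the internal interface
$IPTABLES -N INTERNAL-input
$IPTABLES -F INTERNAL-input
##------------------------------------------------------------------------##
## ACCEPT internal DHCP traffic (client 68 -> server 67, broadcast)
$IPTABLES -A INTERNAL-input -i $INTERNAL -p udp --sport 68 --dport 67 \
  -s 0/0 -d 255.255.255.255 -j ACCEPT
##------------------------------------------------------------------------##
## Accept NetBIOS datagram broadcasts (138/udp) early so DENY_PORTS does
## not log them on every browse election.
$IPTABLES -A INTERNAL-input -i $INTERNAL -p udp --sport 138 --dport 138 \
  -j ACCEPT
##------------------------------------------------------------------------##
## Check TCP packets coming in on the internal interface for weird flags
$IPTABLES -A INTERNAL-input -i $INTERNAL -p tcp -j CHECK_FLAGS
##------------------------------------------------------------------------##
## DROP/LOG packets based on port number.
$IPTABLES -A INTERNAL-input -i $INTERNAL ! -p icmp -j DENY_PORTS
##------------------------------------------------------------------------##
###############################################################################
## Input on the DMZ interface
if [ "$DMZ" = "y" ]; then
  $IPTABLES -N DMZ-input
  $IPTABLES -F DMZ-input
  ##------------------------------------------------------------------------##
  ## DROP anything not coming from the DMZ network (anti-spoofing)
  $IPTABLES -A DMZ-input -i $DMZ_IF ! -s $DMZ_NET -m limit \
    --limit $LIMITLEVEL -j LOG --log-level $LOGLEVEL --log-prefix "NOT FROM DMZ:"
  $IPTABLES -A DMZ-input -i $DMZ_IF ! -s $DMZ_NET -j DROP
  ##------------------------------------------------------------------------##
  ## Check TCP packets coming in on the DMZ interface for weird flags.
  $IPTABLES -A DMZ-input -i $DMZ_IF -p tcp -j CHECK_FLAGS
  ##------------------------------------------------------------------------##
  ## DROP/LOG packets based on port number.
  $IPTABLES -A DMZ-input -i $DMZ_IF ! -p icmp -j DENY_PORTS
  ##------------------------------------------------------------------------##
fi
###############################################################################
## Input on the loopback interface: accept everything
$IPTABLES -N LO-input
$IPTABLES -F LO-input
##------------------------------------------------------------------------##
$IPTABLES -A LO-input -i $LOOPBACK -j ACCEPT
##------------------------------------------------------------------------##
###############################################################################
## Firewall Output Chains
###############################################################################
## Output on the external interface
$IPTABLES -N EXTERNAL-output
$IPTABLES -F EXTERNAL-output
##------------------------------------------------------------------------##
## Check TCP packets going out on the external interface for weird flags.
$IPTABLES -A EXTERNAL-output -o $EXTERNAL -p tcp -j CHECK_FLAGS
##------------------------------------------------------------------------##
## Filter outgoing packets based on port number.
$IPTABLES -A EXTERNAL-output -o $EXTERNAL ! -p icmp -j DENY_PORTS
##------------------------------------------------------------------------##
###############################################################################
## Output on the internal interface
$IPTABLES -N INTERNAL-output
$IPTABLES -F INTERNAL-output
##------------------------------------------------------------------------##
## Filter outgoing packets based on port number.
$IPTABLES -A INTERNAL-output -o $INTERNAL ! -p icmp -j DENY_PORTS
##------------------------------------------------------------------------##
## Check TCP packets going out on the internal interface for weird flags.
$IPTABLES -A INTERNAL-output -o $INTERNAL -p tcp -j CHECK_FLAGS
##------------------------------------------------------------------------##
## DROP packets not destined for the internal network.
## The per-net "LOG/DROP -d ! net" form was wrong for more than one
## INTERNAL_NET entry: the first iteration's DROP fired before the second
## net's RETURN was ever reached. RETURN for every known net first, then
## log and drop whatever is left. With an empty INTERNAL_NET no rule is
## added at all, as before.
for ALV in $INTERNAL_NET; do
  $IPTABLES -A INTERNAL-output -o $INTERNAL -d $ALV -j RETURN
done
if [ -n "$INTERNAL_NET" ]; then
  $IPTABLES -A INTERNAL-output -o $INTERNAL -m limit \
    --limit $LIMITLEVEL -j LOG --log-level $LOGLEVEL --log-prefix "NOT TO INTERNAL:"
  $IPTABLES -A INTERNAL-output -o $INTERNAL -j DROP
fi
##------------------------------------------------------------------------##
###############################################################################
## Output on the DMZ interface
if [ "$DMZ" = "y" ]; then
  $IPTABLES -N DMZ-output
  $IPTABLES -F DMZ-output
  ##------------------------------------------------------------------------##
  ## DROP packets not destined for the DMZ_NET.
  $IPTABLES -A DMZ-output -o $DMZ_IF ! -d $DMZ_NET -m limit \
    --limit $LIMITLEVEL -j LOG --log-level $LOGLEVEL --log-prefix "NOT TO DMZ:"
  $IPTABLES -A DMZ-output -o $DMZ_IF ! -d $DMZ_NET -j DROP
  ##------------------------------------------------------------------------##
  ## Filter outgoing packets based on port number.
  $IPTABLES -A DMZ-output -o $DMZ_IF ! -p icmp -j DENY_PORTS
  ##------------------------------------------------------------------------##
  ## Check TCP packets going out on the DMZ interface for weird flags.
  $IPTABLES -A DMZ-output -o $DMZ_IF -p tcp -j CHECK_FLAGS
  ##------------------------------------------------------------------------##
fi
###############################################################################
## Output on the loopback device: accept everything
$IPTABLES -N LO-output
$IPTABLES -F LO-output
##------------------------------------------------------------------------##
$IPTABLES -A LO-output -o $LOOPBACK -j ACCEPT
##------------------------------------------------------------------------##
###############################################################################
## Main
###############################################################################
##========================================================================##
## Jump to the mangle table rules (TOS marking).
$IPTABLES -t mangle -A OUTPUT -o $EXTERNAL -j MANGLE_OUTPUT
if [ "$DMZ" = "y" ]; then
  $IPTABLES -t mangle -A PREROUTING -i $DMZ_IF -j MANGLE_PREROUTING
fi
$IPTABLES -t mangle -A PREROUTING -i $INTERNAL -j MANGLE_PREROUTING
##========================================================================##
##========================================================================##
## Possible NULL scan (TCP segment with no flags set).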
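## NULL-scan packets are matched in mangle/PREROUTING so they are caught
## before the filter table, on every interface: rate-limited LOG with TCP
## and IP options recorded, then DROP.
$IPTABLES -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE \
  -m limit --limit $LIMITLEVEL -j LOG --log-level $LOGLEVEL \
  --log-prefix "NULL SCAN:" --log-tcp-options --log-ip-options
$IPTABLES -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP
##========================================================================##
##========================================================================##
## INPUT chain: one dispatch sequence per interface. Negations use the
## extrapositioned form ("! -d"); "-d !" is deprecated in iptables.
##===================================================================##
## INPUT on the loopback interface -> LO-input.
$IPTABLES -A INPUT -i $LOOPBACK -j LO-input
##===================================================================##
##===================================================================##
## INPUT on the internal interface.
## DROP packets not addressed to the firewall's own internal IP. If the
## internal interface carries several addresses only INT_IP is accepted
## here; the others would be logged as WRONG DEST.
$IPTABLES -A INPUT -i $INTERNAL ! -d $INT_IP -m limit \
  --limit $LIMITLEVEL -j LOG --log-level $LOGLEVEL --log-prefix "WRONG DEST:"
$IPTABLES -A INPUT -i $INTERNAL ! -d $INT_IP -j DROP
##------------------------------------------------------------------------##
## Sanity filtering (flags, port deny list) - returns for the rest.
$IPTABLES -A INPUT -i $INTERNAL -j INTERNAL-input
##------------------------------------------------------------------------##
## DROP/ACCEPT packets based on the state of the connection.
$IPTABLES -A INPUT -i $INTERNAL -j KEEP_STATE
##------------------------------------------------------------------------##
## MAC check: known hardware addresses RETURN, unknown ones are dropped
## inside CHECK_MAC (this rule does not ACCEPT anything by itself).
if [ "$CHECK_MAC" = "y" ]; then
  $IPTABLES -A INPUT -i $INTERNAL -j CHECK_MAC
fi
##------------------------------------------------------------------------##
## ACCEPT NetBIOS packets.
if [ "$NETBIOS" = "y" ]; then
  $IPTABLES -A INPUT -i $INTERNAL -j ALLOW_NETBIOS
fi
##------------------------------------------------------------------------##
## ACCEPT packets based on port number, only from the internal nets to
## the firewall's internal address.
for ALV in $INTERNAL_NET; do
  $IPTABLES -A INPUT -i $INTERNAL -s $ALV -d $INT_IP \
    ! -p icmp -j ALLOW_PORTS-INTERNAL
done
##------------------------------------------------------------------------##
## ICMP policy for the internal side.
$IPTABLES -A INPUT -i $INTERNAL -p icmp -j ALLOW_ICMP
##===================================================================##
##===================================================================##
## INPUT on the external interface.
## Bogon filtering on source, then on destination.
$IPTABLES -A INPUT -i $EXTERNAL -j SRC_EGRESS
$IPTABLES -A INPUT -i $EXTERNAL -j DST_EGRESS
##------------------------------------------------------------------------##
## Sanity filtering -> EXTERNAL-input.
$IPTABLES -A INPUT -i $EXTERNAL -j EXTERNAL-input
##------------------------------------------------------------------------##
## DROP/ACCEPT packets based on the state of the connection.
$IPTABLES -A INPUT -i $EXTERNAL -j KEEP_STATE
##------------------------------------------------------------------------##
## Allow packets on certain external ports.
$IPTABLES -A INPUT -i $EXTERNAL ! -p icmp -j ALLOW_PORTS-EXTERNAL
##------------------------------------------------------------------------##
## ICMP policy for the external side.
$IPTABLES -A INPUT -i $EXTERNAL -p icmp -j ALLOW_ICMP
##===================================================================##
##===================================================================##
## INPUT on the DMZ interface.
if [ "$DMZ" = "y" ]; then
  ##------------------------------------------------------------------------##
  ## DROP packets not addressed to the firewall's DMZ IP.
  $IPTABLES -A INPUT -i $DMZ_IF ! -d $DMZ_IP -m limit \
    --limit $LIMITLEVEL -j LOG --log-level $LOGLEVEL --log-prefix "NOT TO DMZ_IP:"
  $IPTABLES -A INPUT -i $DMZ_IF ! -d $DMZ_IP -j DROP
  ##------------------------------------------------------------------------##
  ## Sanity filtering -> DMZ-input (not EXTERNAL-input, as the old comment said).
  $IPTABLES -A INPUT -i $DMZ_IF -j DMZ-input
  ##------------------------------------------------------------------------##
  ## DROP/ACCEPT packets based on the state of the connection.
  $IPTABLES -A INPUT -i $DMZ_IF -j KEEP_STATE
  ##------------------------------------------------------------------------##
  ## ACCEPT packets based on port number, DMZ net -> firewall DMZ IP only.
  $IPTABLES -A INPUT -i $DMZ_IF ! -p icmp -s $DMZ_NET \
    -d $DMZ_IP -j ALLOW_PORTS-DMZ
  ##------------------------------------------------------------------------##
  ## ICMP policy for the DMZ side.
  $IPTABLES -A INPUT -i $DMZ_IF -p icmp -j ALLOW_ICMP
  ##------------------------------------------------------------------------##
fi
##===================================================================##
## End INPUT Chain Rules ##
##========================================================================##
####################################################################################################
##========================================================================##
## OUTPUT chain: traffic generated by the firewall itself.
##------------------------------------------------------------------------##
## OUTPUT on the loopback interface -> LO-output.
$IPTABLES -A OUTPUT -o $LOOPBACK -j LO-output
##------------------------------------------------------------------------##
##------------------------------------------------------------------------##
## OUTPUT on the internal interface.
## Sanity filtering -> INTERNAL-output.
$IPTABLES -A OUTPUT -o $INTERNAL -j INTERNAL-output
##------------------------------------------------------------------------##
## DROP anything not sourced from the firewall's internal IP.
$IPTABLES -A OUTPUT -o $INTERNAL ! -s $INT_IP -m limit \
  --limit $LIMITLEVEL -j LOG --log-level $LOGLEVEL --log-prefix "NOT FROM FW:"
$IPTABLES -A OUTPUT -o $INTERNAL ! -s $INT_IP -j DROP
##------------------------------------------------------------------------##
## Generic state-based filtering.
$IPTABLES -A OUTPUT -o $INTERNAL -j KEEP_STATE
##------------------------------------------------------------------------##
## ACCEPT NetBIOS packets.
if [ "$NETBIOS" = "y" ]; then
  $IPTABLES -A OUTPUT -o $INTERNAL -j ALLOW_NETBIOS
fi
##------------------------------------------------------------------------##
## ACCEPT NEW connections from the firewall to the internal network.
for ALV in $INTERNAL_NET; do
  $IPTABLES -A OUTPUT -o $INTERNAL -s $INT_IP \
    -d $ALV -m state --state NEW -j ACCEPT
done
##------------------------------------------------------------------------##
##------------------------------------------------------------------------##
## OUTPUT on the external interface.
## Bogon filtering on source, then on destination.
$IPTABLES -A OUTPUT -o $EXTERNAL -j SRC_EGRESS
$IPTABLES -A OUTPUT -o $EXTERNAL -j DST_EGRESS
##------------------------------------------------------------------------##
## Jump to our EXTERNAL-output Chain.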
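## Sanity filtering -> EXTERNAL-output.
$IPTABLES -A OUTPUT -o $EXTERNAL -j EXTERNAL-output
##------------------------------------------------------------------------##
## Generic state-based filtering.
$IPTABLES -A OUTPUT -o $EXTERNAL -j KEEP_STATE
##------------------------------------------------------------------------##
## The firewall itself may open any NEW connection to the outside
## (DENY_PORTS in EXTERNAL-output has already had its say).
$IPTABLES -A OUTPUT -o $EXTERNAL -m state --state NEW -j ACCEPT
##------------------------------------------------------------------------##
## Same for the dial-on-demand interface, if one is configured (SERIAL,
## e.g. "sl+").
if [ -n "$SERIAL" ]; then
  $IPTABLES -A OUTPUT -o $SERIAL -m state --state NEW -j ACCEPT
fi
##------------------------------------------------------------------------##
##------------------------------------------------------------------------##
## OUTPUT on the DMZ interface. Negations use the extrapositioned form
## ("! -s"); "-s !" is deprecated in iptables.
if [ "$DMZ" = "y" ]; then
  ##------------------------------------------------------------------------##
  ## Sanity filtering -> DMZ-output.
  $IPTABLES -A OUTPUT -o $DMZ_IF -j DMZ-output
  ##------------------------------------------------------------------------##
  ## DROP anything not sourced from the firewall's DMZ IP.
  $IPTABLES -A OUTPUT -o $DMZ_IF ! -s $DMZ_IP -m limit \
    --limit $LIMITLEVEL -j LOG --log-level $LOGLEVEL --log-prefix "NOT FROM FW->DMZ:"
  $IPTABLES -A OUTPUT -o $DMZ_IF ! -s $DMZ_IP -j DROP
  ##------------------------------------------------------------------------##
  ## Generic state-based filtering.
  $IPTABLES -A OUTPUT -o $DMZ_IF -j KEEP_STATE
  ##------------------------------------------------------------------------##
  ## ICMP policy towards the DMZ net.
  $IPTABLES -A OUTPUT -o $DMZ_IF -d $DMZ_NET -p icmp -j ALLOW_ICMP
  ##------------------------------------------------------------------------##
  ## ACCEPT NEW connections from the firewall to the DMZ network.
  $IPTABLES -A OUTPUT -o $DMZ_IF -s $DMZ_IP -d $DMZ_NET \
    -m state --state NEW -j ACCEPT
  ##------------------------------------------------------------------------##
fi
##------------------------------------------------------------------------##
## End OUTPUT Chain Rules ##
##------------------------------------------------------------------------##
##------------------------------------------------------------------------##
## FORWARD chain: traffic routed between interfaces.
##------------------------------------------------------------------------##
## First pass: the per-interface sanity chains, keyed on -i then on -o.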
##------------------------------------------------------------------------##
## Inbound side: what came in, and on which interface.
${IPTABLES} -A FORWARD -i ${EXTERNAL} -j EXTERNAL-input
## Internal hosts must present a known MAC+IP pair before being forwarded;
## CHECK_MAC_NAT RETURNs on a match and DROPs otherwise.
if [ "${CHECK_MAC}" = "y" ]; then
  ${IPTABLES} -A FORWARD -i ${INTERNAL} -j CHECK_MAC_NAT
fi
${IPTABLES} -A FORWARD -i ${INTERNAL} -j INTERNAL-input
if [ "${DMZ}" = "y" ]; then
  ${IPTABLES} -A FORWARD -i ${DMZ_IF} -j DMZ-input
fi
##------------------------------------------------------------------------##
## Outbound side: where it is going.
${IPTABLES} -A FORWARD -o ${EXTERNAL} -j EXTERNAL-output
${IPTABLES} -A FORWARD -o ${INTERNAL} -j INTERNAL-output
if [ "${DMZ}" = "y" ]; then
  ${IPTABLES} -A FORWARD -o ${DMZ_IF} -j DMZ-output
fi
##------------------------------------------------------------------------##
## Explicit DROPs: no NEW connections may be initiated towards the
## internal network from any other side.
## NEW connections from the Internet towards any internal net: log (rate
## limited) and drop.
for ALV in ${INTERNAL_NET}; do
  ${IPTABLES} -A FORWARD -i ${EXTERNAL} -d ${ALV} -m state --state NEW \
    -m limit --limit ${LIMITLEVEL} -j LOG --log-level ${LOGLEVEL} --log-prefix "EXTERNAL->INTERNAL:"
  ${IPTABLES} -A FORWARD -i ${EXTERNAL} -d ${ALV} -m state --state NEW -j DROP
done
##----------------------------------------------------------------##
## Same for NEW connections originating in the DMZ: a compromised DMZ
## host must not be able to reach inward.
if [ "${DMZ}" = "y" ]; then
  for ALV in ${INTERNAL_NET}; do
    ${IPTABLES} -A FORWARD -i ${DMZ_IF} -d ${ALV} -m state --state NEW \
      -m limit --limit ${LIMITLEVEL} -j LOG --log-level ${LOGLEVEL} --log-prefix "DMZ->INTERNAL:"
    ${IPTABLES} -A FORWARD -i ${DMZ_IF} -d ${ALV} -m state --state NEW -j DROP
  done
fi
##----------------------------------------------------------------##
## Catch-all on the output side: any forwarded NEW connection leaving via
## the internal interface, whatever it came in on. (The log prefix says
## "FW->INTERNAL" but FORWARD never carries the firewall's own traffic;
## the two loops above already cover the external and DMZ cases, so in
## practice this only logs NEW connections that arrived some other way.)
for ALV in ${INTERNAL_NET}; do
  ${IPTABLES} -A FORWARD -o ${INTERNAL} -d ${ALV} -m state --state NEW \
    -m limit --limit ${LIMITLEVEL} -j LOG --log-level ${LOGLEVEL} --log-prefix "FW->INTERNAL:"
  ${IPTABLES} -A FORWARD -o ${INTERNAL} -d ${ALV} -m state --state NEW -j DROP
done
##----------------------------------------------------------------##
##----------------------------------------------------------------##
## DROP echo REQUESTS (ICMP type 8) being forwarded into the internal net.
$IPTABLES -A FORWARD -o $INTERNAL -p icmp --icmp-type 8 \ -m limit --limit $LIMITLEVEL -j LOG \ --log-level $LOGLEVEL --log-prefix "PING:" $IPTABLES -A FORWARD -o $INTERNAL -p icmp --icmp-type 8 \ -j DROP ##----------------------------------------------------------------## ##===================================================================## #################################################################################################### ##------------------------------------------------------------------------## ## Egress Stuff ##----------------------------------------------------------------## ## Filter out Reserved/Private IP addresses based on Source IP. $IPTABLES -A FORWARD -i $EXTERNAL -j SRC_EGRESS ## Allow connections if they are bound toward the INTERNAL_NET or ## the DMZ_NET. if [ "$DMZ" = "y" ]; then $IPTABLES -A FORWARD -i $EXTERNAL -d $DMZ_NET -j KEEP_STATE $IPTABLES -A FORWARD -o $EXTERNAL -s $DMZ_NET -j KEEP_STATE fi for ALV in $INTERNAL_NET; do $IPTABLES -A FORWARD -i $EXTERNAL -d $ALV -j KEEP_STATE $IPTABLES -A FORWARD -o $EXTERNAL -s $ALV -j KEEP_STATE done # BUGGY # if [ "$DMZ" = "y" ]; then # $IPTABLES -A FORWARD -i $EXTERNAL -d $DMZ_NET -j ACCEPT # $IPTABLES -A FORWARD -o $EXTERNAL -s $DMZ_NET -j ACCEPT # fi # TEST FOR DMZ-NET if [ "$DMZ" = "y" ]; then ## Transfer EXTERNAL <-> DMZ $IPTABLES -A FORWARD -i $EXTERNAL -d $DMZ_NET -j ALLOW_PORTS-DMZ $IPTABLES -A FORWARD -o $EXTERNAL -s $DMZ_NET -j ALLOW_PORTS-DMZ ## Transfer INTERNAL <-> DMZ $IPTABLES -A FORWARD -i $INTERNAL -d $DMZ_NET -j ALLOW_PORTS-DMZ $IPTABLES -A FORWARD -o $INTERNAL -s $DMZ_NET -j ALLOW_PORTS-DMZ fi for ALV in $INTERNAL_NET; do $IPTABLES -A FORWARD -i $EXTERNAL -d $ALV -j ACCEPT $IPTABLES -A FORWARD -o $EXTERNAL -s $ALV -j ACCEPT done ## Filter out Reserved/Private IP addresses based on destination IP. 
$IPTABLES -A FORWARD -i $EXTERNAL -j DST_EGRESS $IPTABLES -A FORWARD -o $EXTERNAL -j DST_EGRESS $IPTABLES -A FORWARD -o $EXTERNAL -j SRC_EGRESS ##----------------------------------------------------------------## ##----------------------------------------------------------------## ## Filter out Reserved/Private IP addresses based on Destination IP. if [ "$DMZ" = "y" ]; then $IPTABLES -A FORWARD -i $INTERNAL -d ! $DMZ_NET -j DST_EGRESS $IPTABLES -A FORWARD -o $INTERNAL -s ! $DMZ_NET -j SRC_EGRESS fi ##----------------------------------------------------------------## ##----------------------------------------------------------------## ## ACCEPT DMZ to DMZ traffic. if [ "$DMZ" = "y" ]; then $IPTABLES -A FORWARD -i $DMZ_IF -s $DMZ_NET -d $DMZ_NET -j KEEP_STATE $IPTABLES -A FORWARD -o $DMZ_IF -s $DMZ_NET -d $DMZ_NET -j KEEP_STATE $IPTABLES -A FORWARD -i $DMZ_IF -s $DMZ_NET -d $DMZ_NET -j ACCEPT $IPTABLES -A FORWARD -o $DMZ_IF -s $DMZ_NET -d $DMZ_NET -j ACCEPT ## Filter out Reserved/Private IP addresses based on Destination IP address. for ALV in $INTERNAL_NET; do $IPTABLES -A FORWARD -i $DMZ_IF -d ! $ALV -j DST_EGRESS $IPTABLES -A FORWARD -o $DMZ_IF -s ! $ALV -j SRC_EGRESS done fi ##-------------------------------------------------------------------## ## End Egress Stuff ## ##-------------------------------------------------------------------## ##-------------------------------------------------------------------## ## ACCEPT some stuff. ## Basic State Based Rules. ## $IPTABLES -A FORWARD -j KEEP_STATE ## Accept outgoing packets establishing a NEW connection. ## $IPTABLES -A FORWARD -o $EXTERNAL -m state --state NEW -j ACCEPT ## Jump to ALLOW_ICMP for general rules relating to the ICMP protocol. 
## $IPTABLES -A FORWARD -p icmp -j ALLOW_ICMP ##-------------------------------------------------------------------## ## End FORWARD Chain Rules ## ##------------------------------------------------------------------------## ##------------------------------------------------------------------------## ## Allow us to LOG packets that are DROPed ## $IPTABLES -A INPUT -m limit --limit $LIMITLEVEL -j LOG --log-level \ $LOGLEVEL --log-prefix "UNDEFINED INPUT:" $IPTABLES -A FORWARD -m limit --limit $LIMITLEVEL -j LOG --log-level \ $LOGLEVEL --log-prefix "UNDEFINED FORWARD:" $IPTABLES -A OUTPUT -m limit --limit $LIMITLEVEL -j LOG --log-level \ $LOGLEVEL --log-prefix "UNDEFINED OUTPUT:" ##------------------------------------------------------------------------## ### END FIREWALL RULES ### ############################################################################### ## IPTABLES Network Address Translation(NAT) Rules ############################################################################### ## Flush the NAT table. $IPTABLES -F -t nat ##------------------------------------------------------------------------## ## NAT ##------------------------------------------------------------------------## ## "Redirect" packets headed for certain ports on our external interface to other ## machines on the network. if [ -n "$EXT_IP" ]; then echo "Current External IP is $EXT_IP" $IPTABLES -t nat -A PREROUTING -i $INTERNAL -d $EXT_IP -j DNAT \ --to $INT_IP ## SourceNAT packets destined to the localnet from the external ip $IPTABLES -t nat -A POSTROUTING -s $EXT_IP -o $INTERNAL -j SNAT \ --to $INT_IP fi ## "Redirect" packets headed for certain ports on our external interface to other ## machines on the network. 
## SSH if [ "$SSH_REDIR" = "y" ]; then $IPTABLES -t nat -A PREROUTING -i $EXTERNAL -p tcp -d $EXT_IP --dport $REDIR_SSH_EXT_PORT \ -j DNAT --to-destination $REDIR_SSH_INT fi ## WWW if [ "$HTTP_REDIR" = "y" ]; then $IPTABLES -t nat -A PREROUTING -i $EXTERNAL -p tcp -d $EXT_IP --dport $REDIR_HTTP_EXT_PORT \ -j DNAT --to-destination $REDIR_HTTP_INT fi #################################################################################################### ##------------------------------------------------------------------------## ## Redirecting ##------------------------------------------------------------------------## ## Force packets set in IP_MAC through proxy. if [ "$SNAT_MASQ_REDIRECT" = "y" -a -e "$IP_MAC" ]; then if [ -z "$REDIR2PROXY" ]; then echo "please set proxyoption. Options are n/local/dnat" exit ## exit due to errors fi #################################################################################################### #HTTP LOCAL if [ "$REDIR2PROXY" = "local" ]; then for HOST in $CHECK_US; do for ALV in $INTERNAL_NET; do $IPTABLES -i $INTERNAL -t nat -A PREROUTING -p tcp -s `egrep -i '^[a-z|0-9]+\.' $HOST | cut -d '#' -f1` \ -d ! $ALV --dport 80 -j REDIRECT --to-ports $PROXY_PORT done done #################################################################################################### #HTTP-SSL LOCAL for HOST in $CHECK_US; do for ALV in $INTERNAL_NET; do $IPTABLES -i $INTERNAL -t nat -A PREROUTING -p tcp -s `egrep -i '^[a-z|0-9]+\.' $HOST | cut -d '#' -f1` \ -d ! $ALV --dport 443 \ -j REDIRECT --to-ports $PROXY_PORT done done #################################################################################################### #HTTP DNAT elif [ "$REDIR2PROXY" = "dnat" ]; then for HOST in $CHECK_US; do for ALV in $INTERNAL_NET; do $IPTABLES -i $INTERNAL -t nat -A PREROUTING -p tcp -s `egrep -i '^[a-z|0-9]+\.' $HOST | cut -d '#' -f1` \ -d ! 
$ALV --dport 80 \ -j DNAT --to $FOREIGN_PROXY:$PROXY_PORT done done #################################################################################################### #HTTP-SSL DNAT for HOST in $CHECK_US; do for ALV in $INTERNAL_NET; do $IPTABLES -i $INTERNAL -t nat -A PREROUTING -p tcp -s `egrep -i '^[a-z|0-9]+\.' $HOST | cut -d '#' -f1` \ -d ! $ALV --dport 443 \ -j DNAT --to $FOREIGN_PROXY:$PROXY_PORT done done fi #################################################################################################### ##------------------------------------------------------------------------## ## Source NAT -- (SNAT/Masquerading) ##------------------------------------------------------------------------## ## Source NAT allows us to "masquerade" our internal machines behind our ## firewall. if [ "$MASQ_TYPE" = "STAT" ]; then #################################################################################################### ## Static IP address ## for HOST in $CHECK_US; do if [ -n "$INTERNAL_TCP_PORTS" ]; then for PORTS in $MASQ_TCP_PORTS; do $IPTABLES -t nat -A POSTROUTING -o $EXTERNAL -p tcp -s `egrep -i '^[a-z|0-9]+\.' $HOST | cut -d '#' -f1` \ --dport $PORTS -j SNAT --to $EXT_IP done fi if [ -n "$INTERNAL_UDP_PORTS" ]; then for PORTS in $INTERNAL_UDP_PORTS; do $IPTABLES -t nat -A POSTROUTING -o $EXTERNAL -p udp -s `egrep -i '^[a-z|0-9]+\.' $HOST | cut -d '#' -f1` \ --dport $PORTS -j SNAT --to $EXT_IP done fi $IPTABLES -t nat -A POSTROUTING -o $EXTERNAL -p icmp -s `egrep -i '^[a-z|0-9]+\.' 
$HOST | cut -d '#' -f1` \ -j SNAT --to $EXT_IP done elif [ "$MASQ_TYPE" = "STAT-NOCHECK" ]; then if [ -n "$INTERNAL_TCP_PORTS" ]; then for PORTS in $MASQ_TCP_PORTS; do $IPTABLES -t nat -A POSTROUTING -o $EXTERNAL -p tcp -s $INTERNAL_NET \ --dport $PORTS -j SNAT --to $EXT_IP done fi if [ -n "$INTERNAL_UDP_PORTS" ]; then for PORTS in $INTERNAL_UDP_PORTS; do $IPTABLES -t nat -A POSTROUTING -o $EXTERNAL -p udp -s $INTERNAL_NET \ --dport $PORTS -j SNAT --to $EXT_IP done fi $IPTABLES -t nat -A POSTROUTING -o $EXTERNAL -p icmp -s $INTERNAL_NET \ -j SNAT --to $EXT_IP else #################################################################################################### ## Dynamic IP address ## for HOST in $CHECK_US; do if [ -n "$INTERNAL_TCP_PORTS" ]; then for PORTS in $MASQ_TCP_PORTS; do $IPTABLES -t nat -A POSTROUTING -o $EXTERNAL -p tcp -s `egrep -i '^[a-z|0-9]+\.' $HOST | cut -d '#' -f1` \ --dport $PORTS -j MASQUERADE done fi if [ -n "$INTERNAL_UDP_PORTS" ]; then for PORTS in $INTERNAL_UDP_PORTS; do $IPTABLES -t nat -A POSTROUTING -o $EXTERNAL -p udp -s `egrep -i '^[a-z|0-9]+\.' $HOST | cut -d '#' -f1` \ --dport $PORTS -j MASQUERADE done fi $IPTABLES -t nat -A POSTROUTING -o $EXTERNAL -p icmp -s `egrep -i '^[a-z|0-9]+\.' $HOST | cut -d '#' -f1` \ -j MASQUERADE done fi fi ### END NAT RULES ### #################################################################################################### ############################################################################### ## Additional Kernel Configuration ############################################################################### ## Adjust for your requirements/preferences. ## Please make sure you understand what these things are doing before you ## uncomment them. A good place to start would be some of the resources ## listed at the top of this script as well as the documentation that comes ## with the linux kernel source. 
## For Example: linux/Documentation/filesystems/proc.txt ## linux/Documentation/networking/ip-sysctl.txt ## - Disable source routing of packets if [ -f /proc/sys/net/ipv4/conf/all/accept_source_route ]; then for i in /proc/sys/net/ipv4/conf/*/accept_source_route; do echo 0 > $i; done fi ## - Enable rp_filter if [ -f /proc/sys/net/ipv4/conf/all/rp_filter ]; then for i in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > $i; done fi ## - Ignore any broadcast icmp echo requests if [ -f /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts ]; then echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts fi ## - Ignore all icmp echo requests on all interfaces if [ -f /proc/sys/net/ipv4/icmp_echo_ignore_all ]; then echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all fi ## - Local port range for TCP/UDP connections if [ -f /proc/sys/net/ipv4/ip_local_port_range ]; then echo -e "32768\t61000" > /proc/sys/net/ipv4/ip_local_port_range fi ## - Log packets with impossible addresses to kernel log. if [ -f /proc/sys/net/ipv4/conf/all/log_martians ]; then echo 0 > /proc/sys/net/ipv4/conf/all/log_martians fi ## - Don't send ICMP redirects - needed for transparent proxy if [ -f /proc/sys/net/ipv4/conf/all/send_redirects ]; then echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects fi ## - Don't accept ICMP redirects if [ -f /proc/sys/net/ipv4/conf/all/accept_redirects ]; then echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects fi ## - Don't accept ICMP redirects ## (You may only want to disable on the external interface) if [ -f /proc/sys/net/ipv4/conf/$EXTERNAL/accept_redirects ]; then echo 0 > /proc/sys/net/ipv4/conf/$EXTERNAL/accept_redirects fi ## Drop the ECN flag in tcp-packets if [ -f /proc/sys/net/ipv4/tcp_ecn ];then echo 0 > /proc/sys/net/ipv4/tcp_ecn fi ## Additional options for dialup connections with a dynamic ip address ## See: linux/Documentation/networking/ip_dynaddr.txt if [ -f /proc/sys/net/ipv4/ip_dynaddr -a "$MASQ_TYPE" = "STAT" ]; then echo 0 > /proc/sys/net/ipv4/ip_dynaddr 
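elif [ -f /proc/sys/net/ipv4/ip_dynaddr ]; then
  echo 1 > /proc/sys/net/ipv4/ip_dynaddr
fi

## - Enable IP Forwarding
if [ -f /proc/sys/net/ipv4/ip_forward ]; then
  echo 1 > /proc/sys/net/ipv4/ip_forward
else
  echo "Uh oh: /proc/sys/net/ipv4/ip_forward doesn't exist"
fi

## - Increase maximum limit of ip_conntrack
if [ -f /proc/sys/net/ipv4/ip_conntrack_max ]; then
  echo 16376 > /proc/sys/net/ipv4/ip_conntrack_max
fi

echo "Please report bugs to info@linetics.de"
}

####################################################################################################
#######################################
# Locate the iptables binary and store its path in IPTABLES.
# The IPTABLES= line of /etc/firewall/firewall.conf wins; when it is
# absent or empty the usual install locations are probed.  Exits with
# status 1 when nothing is found, because every caller would otherwise
# run an empty command word (the original exited 0 here, which hid the
# failure from init).
# Globals:   IPTABLES (written)
# Returns:   0 when IPTABLES is set; exits 1 otherwise
#######################################
find_iptables () {
  if [ -f /etc/firewall/firewall.conf ]; then
    IPTABLES=$(grep -E -h -- '^IPTABLES=' /etc/firewall/firewall.conf | cut -d '"' -f 2)
  fi
  if [ -z "$IPTABLES" ]; then
    if [ -f /usr/local/sbin/iptables ]; then
      IPTABLES="/usr/local/sbin/iptables"
    elif [ -f /usr/local/bin/iptables ]; then
      IPTABLES="/usr/local/bin/iptables"
    elif [ -f /sbin/iptables ]; then
      IPTABLES="/sbin/iptables"
    fi
  fi
  if [ -z "$IPTABLES" ]; then
    echo "iptables binary not found!
Exiting" >&2
    exit 1
  fi
}

#######################################
# Print the address(es) recorded in one host file named by CHECK_US:
# the part before any '#' comment of every line that starts with
# "alnum." (the original egrep pattern is kept unchanged).
# Arguments: $1 - path of the host file
# Outputs:   the address text on stdout (trailing blanks included)
#######################################
host_addr () {
  grep -E -i -- '^[a-z|0-9]+\.' "$1" | cut -d '#' -f1
}

#######################################
# Append the POSTROUTING source-NAT rules for one source address:
# one TCP rule per port in MASQ_TCP_PORTS, one UDP rule per port in
# INTERNAL_UDP_PORTS, plus one ICMP rule.  The NAT target is passed as
# the remaining arguments so the static (SNAT) and dynamic (MASQUERADE)
# variants share one body.
# Globals:   IPTABLES, EXTERNAL, INTERNAL_TCP_PORTS, MASQ_TCP_PORTS,
#            INTERNAL_UDP_PORTS (read)
# Arguments: $1 - source address/net for -s; $2.. - target, e.g. -j MASQUERADE
#######################################
snat_src_rules () {
  snat_src=$1
  shift
  # NOTE(review): as in the original, the TCP gate tests INTERNAL_TCP_PORTS
  # but the loop walks MASQ_TCP_PORTS, while UDP uses one variable for
  # both; confirm against firewall.conf which is intended.
  # $snat_src is deliberately unquoted below: the host files are cut at
  # '#', and word-splitting is what trims the blanks left behind.
  if [ -n "$INTERNAL_TCP_PORTS" ]; then
    for PORTS in $MASQ_TCP_PORTS; do
      # shellcheck disable=SC2086
      $IPTABLES -t nat -A POSTROUTING -o "$EXTERNAL" -p tcp -s $snat_src \
        --dport "$PORTS" "$@"
    done
  fi
  if [ -n "$INTERNAL_UDP_PORTS" ]; then
    for PORTS in $INTERNAL_UDP_PORTS; do
      # shellcheck disable=SC2086
      $IPTABLES -t nat -A POSTROUTING -o "$EXTERNAL" -p udp -s $snat_src \
        --dport "$PORTS" "$@"
    done
  fi
  # shellcheck disable=SC2086
  $IPTABLES -t nat -A POSTROUTING -o "$EXTERNAL" -p icmp -s $snat_src "$@"
}

####################################################################################################
#######################################
# Stop the firewall: ACCEPT policy on the filter chains, flush and delete
# every chain in filter/nat/mangle, then unload the netfilter modules.
# ip_conntrack is kept loaded while diald is running.  After this the
# host is completely unfiltered.
# Globals:   IPTABLES (written), IPT, IPNAT, IPCONNMOD, IPTABLE, ipct,
#            iptables (module lists, written)
# Outputs:   progress messages on stdout
#######################################
fw_stop () {
  loadconfig
  ## Stop the firewall
  find_iptables

  $IPTABLES -P INPUT ACCEPT
  $IPTABLES -P FORWARD ACCEPT
  $IPTABLES -P OUTPUT ACCEPT
  # Flush all tables first, then delete user chains, same order as before.
  for TABLE in filter nat mangle; do
    $IPTABLES -t "$TABLE" -F
  done
  for TABLE in filter nat mangle; do
    $IPTABLES -t "$TABLE" -X
  done

  IPT=$(lsmod | grep -E -- '^ipt_' | cut -d ' ' -f1)
  IPNAT=$(lsmod | grep -E -- '^ip_nat_' | cut -d ' ' -f1)
  IPCONNMOD=$(lsmod | grep -E -- '^ip_conntrack_' | cut -d ' ' -f1)
  IPTABLE=$(lsmod | grep -E -- '^iptable_' | cut -d ' ' -f1)
  ipct=$(lsmod | grep -E -- '^ip_conntrack' | cut -d ' ' -f1)
  iptables=$(lsmod | grep -E -- '^ip_tables' | cut -d ' ' -f1)

  # Match/target modules first, then NAT and conntrack helpers, then the
  # per-table modules; the core modules below depend on these being gone.
  for MOD in $IPT $IPNAT $IPCONNMOD $IPTABLE; do
    rmmod "$MOD"
  done

  # The original grepped 'diald$' out of ps; pgrep -x asks for the same
  # process name without parsing ps output.
  if pgrep -x diald >/dev/null 2>&1; then
    echo "Connection track NOT unloaded due to diald-tracking"
  elif [ -n "$ipct" ]; then
    rmmod ip_conntrack
  fi
  if [ -n "$iptables" ]; then
    rmmod ip_tables
  fi

  echo "Done!"
}

####################################################################################################
#######################################
# List the nat table (numeric output).
# Globals:   IPTABLES (written by find_iptables)
#######################################
fw_list_nat () {
  ## List nat-rules
  find_iptables
  $IPTABLES -t nat -L -n
}

####################################################################################################
#######################################
# List the mangle table (numeric output).
# Globals:   IPTABLES (written by find_iptables)
#######################################
fw_list_mangle () {
  ## List mangle-rules
  find_iptables
  $IPTABLES -t mangle -L -n
}

####################################################################################################
#######################################
# List the filter table (numeric output).
# Globals:   IPTABLES (written by find_iptables)
#######################################
fw_list_filter () {
  ## List rules
  find_iptables
  $IPTABLES -L -n
}

####################################################################################################
#######################################
# BLOCK EVERYTHING: flush the filter table and set DROP as the default
# policy on INPUT, FORWARD and OUTPUT.  The nat and mangle tables are
# left untouched (as before); with these policies nothing passes them
# anyway.  This also cuts the host's own outbound traffic, so remote
# sessions to the box are lost.
# Globals:   IPTABLES (written by find_iptables)
#######################################
fw_totalblock () {
  ## BLOCK EVERTHING
  find_iptables
  $IPTABLES -F
  $IPTABLES -X
  $IPTABLES -P FORWARD DROP
  $IPTABLES -P INPUT DROP
  $IPTABLES -P OUTPUT DROP
}

####################################################################################################
#######################################
# OPEN EVERYTHING: ACCEPT policy on all filter chains with no rules at
# all, while the DNAT port redirections and the source NAT are still
# installed.  Nothing is filtered after this; debugging use only.
# Globals:   IPTABLES, EXTERNAL, EXT_IP, SSH_REDIR, HTTP_REDIR,
#            REDIR_SSH_EXT_PORT, REDIR_SSH_INT, REDIR_HTTP_EXT_PORT,
#            REDIR_HTTP_INT, MASQ_TYPE, CHECK_US, INTERNAL_NET (read)
# Outputs:   progress messages on stdout
#######################################
fw_open () {
  ## OPEN EVERTHING
  # LOAD THE CONFIGURATION
  loadconfig

  $IPTABLES -F
  $IPTABLES -X
  # The original only flushed the filter table, so every "open" appended
  # another copy of the NAT rules below.
  $IPTABLES -F -t nat
  $IPTABLES -P FORWARD ACCEPT
  $IPTABLES -P INPUT ACCEPT
  $IPTABLES -P OUTPUT ACCEPT

  ##------------------------------------------------------------------------##
  ## Destination NAT -- (DNAT)
  ##------------------------------------------------------------------------##
  echo "Starting DNAT"
  ## "Redirect" packets headed for certain ports on our external interface to other
  ## machines on the network.
  ## SSH
  if [ "$SSH_REDIR" = "y" ]; then
    $IPTABLES -t nat -A PREROUTING -i "$EXTERNAL" -p tcp -d "$EXT_IP" \
      --dport "$REDIR_SSH_EXT_PORT" -j DNAT --to "$REDIR_SSH_INT"
  fi
  ## WWW
  if [ "$HTTP_REDIR" = "y" ]; then
    $IPTABLES -t nat -A PREROUTING -i "$EXTERNAL" -p tcp -d "$EXT_IP" \
      --dport "$REDIR_HTTP_EXT_PORT" -j DNAT --to "$REDIR_HTTP_INT"
  fi

  ##------------------------------------------------------------------------##
  ## Source NAT -- (SNAT/Masquerading)
  ##------------------------------------------------------------------------##
  echo "Starting SNAT/Masquerading"
  ## Source NAT allows us to "masquerade" our internal machines behind our
  ## firewall.
  if [ "$MASQ_TYPE" = "STAT" ]; then
    ## Static IP address, one host file per machine ##
    for HOST in $CHECK_US; do
      snat_src_rules "$(host_addr "$HOST")" -j SNAT --to "$EXT_IP"
    done
  elif [ "$MASQ_TYPE" = "STAT-NOCHECK" ]; then
    ## Static IP address, whole internal net(s), no per-host files.
    ## fw_start has this branch; fw_open previously fell through to
    ## MASQUERADE for STAT-NOCHECK.
    for ALV in $INTERNAL_NET; do
      snat_src_rules "$ALV" -j SNAT --to "$EXT_IP"
    done
  else
    ## Dynamic IP address ##
    for HOST in $CHECK_US; do
      snat_src_rules "$(host_addr "$HOST")" -j MASQUERADE
    done
  fi
  ### END NAT RULES ###
  ####################################################################################################
}

####################################################################################################
####################################################################################################
####################################################################################################
case "$1" in
  ### START ###
  start) fw_start ;;
  ### STOP ###
  stop) fw_stop ;;
  ### RESTART ###
  restart) fw_stop && fw_start ;;
  ### List NAT ###
  listnat) fw_list_nat ;;
  ### List mangle ###
  listmangle) fw_list_mangle ;;
  ### List filter ###
  listfilter) fw_list_filter ;;
  ### TOTALBLOCK - DROP EVERYTHING###
  totalblock) fw_totalblock ;;
  ### OPEN EVERYTHING - DANGEROUS ###
  open) fw_open ;;
  ### Default ###
  *)
    # Usage goes to stderr and returns non-zero so init/cron notice it.
    printf 'Usage: %s {start|stop|restart|listnat|listmangle|listfilter|totalblock|open}\n' \
      "$(basename "$0")" >&2
    exit 1
    ;;
esac
###############################################################################
# EOF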