So far so good, but you can be using --sport too to only allow connections from priveleged ports, and I olso played with something like this /sbin/iptables -I INPUT -i eth0 -p tcp --tcp-flags ACK ACK --dport 80 \ -m string --string 'cmd.exe' -j REJECT --reject-with tcp-reset and add it permanent for a few days as well as for root.exe, but it looks good so far!!!
Regards, Lavinius Romio Petru Network Administrator www.rom-tech.net [EMAIL PROTECTED] -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Douglas J Hunley Sent: Saturday, 12 January 2002 5:49 AM To: [EMAIL PROTECTED] Subject: opinions on this iptables script just wondering if all the gurus could comment on this script (below) before we move it into production. seems to work nicely on test box. thanks. *-*-*-*-* #!/bin/bash # set to location of iptables IPTABLES="/sbin/iptables" # TCP ports to allow TCP_ALLOW="22 25 53 79 80 113 119 617 873" # UDP ports to allow (ports 6112, 6119, and 4000?) UDP_ALLOW="53 68 79 113 617 873" # Internet interface INET_IFACE="eth0" # LAN interface LAN_IFACE="eth1" # LAN Addresses INTERNAL_LAN="192.168.1.0/24" # Addresses to be MASQ'd (overridden by MAC_MASQ) MASQ_LAN="192.168.1.0/24" # Addresses that need static NAT SNAT_LAN="" # Default action of packets we don't want # DROP # REJECT # TREJECT (Reject with tcp-reset for TCP) # LDROP (log and drop) # LREJECT (log and reject) # LTREJECT (log and reject with tcp-reset) # ULDROP (ULOG and DROP) DROP="TREJECT" # Internet hosts that should be completely denied (inbound) DENY_ALL="" # Host/Port to deny TCP (format is IP>PORT) DENY_HOSTWISE_TCP="" # Host/Port to deny UDP (format is IP>PORT) DENY_HOSTWISE_UDP="" # People you dont want *any* communiction with (in or out) BLACKHOLE="" # What to do for the blackholed people BLACKHOLE_DROP="DROP" # Internet hosts that should have full access (inbound) ALLOW_ALL="" # Host/Port to allow TCP (format it IP>PORT) ALLOW_HOSTWISE_TCP="192.168.1.11>110" # Host/Port to allow UDP (format is IP/PORT) ALLOW_HOSTWISE_UDP="" # TCP ports to forward (format is SPORT:DPORT>IP) TCP_FW="" # UDP ports to forward (format is SPORT:DPORT>IP) UDP_FW="" # TOS optimizations on or off MANGLE_TOS_OPTIMIZE="TRUE" # Enable the firewall ? (Y/N) ENABLE="Y" # Flooding control # Logging limit LOG_FLOOD="2/s" # Global SYN packet limit SYN_FLOOD="20/s" # Global ICMP echo-reply limit PING_FLOOD="1/s" # Flooding control end # LAN hosts to be forwarded out on TCP ALLOW_OUT_TCP="" # Below here is experimental # Mac addresses of those permitted to do MASQ (blank turns off) MAC_MASQ="" # Mac addresses of those permitted to do SNAT (format MAC:external IP) MAC_SNAT="" # number of hops on LAN (needs netfilter patch) TTL_SAFE="" # Use TCP Syncookies USE_SYNCOOKIES="TRUE" # Use rp_filter on interfaces RP_FILTER="TRUE" # Use source-routing ACCEPT_SOURCE_ROUTE="FALSE" # Proxy address (format host:port) PROXY="" # Running a DHCP server for LAN? (if so, needs LAN_IFACE) DHCP_SERVER="TRUE" # ICMP message types to disallow from Internet BAD_ICMP="5 9 10 15 16 17 18" # ALPHA code .. don't use DMZ_IFACE="" # ----------------------------------------------------------------------| # These control basic script behavior, there should be no need to | # change any of these settings for normal use. | # ----------------------------------------------------------------------| FILTER_CHAINS="INETIN INETOUT DMZIN DMZOUT TCPACCEPT UDPACCEPT LDROP LREJECT TREJECT LTREJECT" UL_FILTER_CHAINS="ULDROP ULREJECT ULTREJECT" LOOP_IFACE="lo" # ----------------------------------------------------------------------| # Main Script Starts | # ----------------------------------------------------------------------| case $1 in start) # Let's load it! echo "Loading iptables firewall:" # Configuration Sanity Checks echo -n "Checking configuration..." # It's hard to run an iptables script without iptables... if ! [ -x $IPTABLES ] ; then echo echo "ERROR IN CONFIGURATION: ${IPTABLES} doesn't exist or isn't executable!" exit 1 fi # Basic interface sanity if [ "$DMZ_IFACE" = "$LAN_IFACE" ] && [ "$LAN_IFACE" != "" ]; then echo echo "ERROR IN CONFIGURATION: DMZ_IFACE and LAN_IFACE can't be the same!" exit 1 fi # Create a test chain to work with for system ablilities testing ${IPTABLES} -N SYSTEST # Check for ULOG support ${IPTABLES} -A SYSTEST -j ULOG > /dev/null 2>&1 if [ "$?" = "0" ] ; then HAVE_ULOG="true" else HAVE_ULOG="false" fi # Check for stateful matching ${IPTABLES} -A SYSTEST -m state --state ESTABLISHED -j ACCEPT > /dev/null 2>&1 if [ "$?" != "0" ] ; then echo echo "Your kernel lacks stateful matching, this would break this script. Aborting." exit 3 fi # Check DROP sanity if [ "$DROP" = "" ] ; then echo echo "There needs to be a DROP policy (try TREJECT)!" exit 1 fi if [ "$DROP" = "ACCEPT" ] ; then echo echo "The DROP policy is set to ACCEPT; there is no point in loading the firewall as there wouldn't be one." exit 2 fi if [ "$DROP" = "ULDROP" ] || [ "$DROP" = "ULREJECT" ] || [ "$DROP" = "ULTREJECT" ] ; then if [ "$HAVE_ULOG" != "true" ] ; then echo echo "You have selected a ULOG policy, but your system lacks ULOG support." echo "Please choose a policy that your system has support for." exit 3 fi fi # Problems with blackholes? if [ "$BLACKHOLE" != "" ] && [ "$BLACKHOLE_DROP" = "" ] ; then echo echo "You can't use blackholes and not have a policy for them!" exit 1 fi # Has it been configured? if ! [ "$ENABLE" = "Y" ] ; then echo echo "You need to edit your configuration and set ENABLE to Y!" exit 99 fi # Flush and remove the chain SYSTEST ${IPTABLES} -F SYSTEST ${IPTABLES} -X SYSTEST # Seems ok... echo "passed" # =============================================== # -------Set some Kernel stuff via SysCTL-------- # =============================================== # Turn on IP forwarding if [ "$INTERNAL_LAN" != "" ] ; then echo -n "Checking IP Forwarding..." if [ -e /proc/sys/net/ipv4/ip_forward ] ; then echo 1 > /proc/sys/net/ipv4/ip_forward echo "enabled." else echo "support not found! This will cause problems if you need to do any routing." fi fi # Enable TCP Syncookies echo -n "Checking IP SynCookies..." if [ -e /proc/sys/net/ipv4/tcp_syncookies ] ; then if [ "$USE_SYNCOOKIES" = "TRUE" ] ; then echo 1 > /proc/sys/net/ipv4/tcp_syncookies echo "enabled." else echo 0 > /proc/sys/net/ipv4/tcp_syncookies echo "disabled." fi else echo "support not found, but that's OK." fi # Enable Route Verification to prevent martians and other such crud that # seems to be commonplace on the internet today echo -n "Checking Route Verification..." if [ "$INET_IFACE" != "" ] ; then if [ -e /proc/sys/net/ipv4/conf/$INET_IFACE/rp_filter ] ; then if [ "$RP_FILTER" = "TRUE" ] ; then echo 1 > /proc/sys/net/ipv4/conf/$INET_IFACE/rp_filter echo -n "activated:${INET_IFACE} " else echo 0 > /proc/sys/net/ipv4/conf/$INET_IFACE/rp_filter echo -n "disabled:${INET_IFACE} " fi else echo "not found:${INET_IFACE} " fi fi if [ "$LAN_IFACE" != "" ] ; then if [ -e /proc/sys/net/ipv4/conf/$LAN_IFACE/rp_filter ] ; then if [ "$RP_FILTER" = "TRUE" ] ; then echo 1 > /proc/sys/net/ipv4/conf/$LAN_IFACE/rp_filter echo -n "activated:${LAN_IFACE} " else echo 0 > /proc/sys/net/ipv4/conf/$LAN_IFACE/rp_filter echo -n "disabled:${LAN_IFACE} " fi else echo "not found:${LAN_IFACE} " fi fi if [ "$DMZ_IFACE" != "" ] ; then if [ -e /proc/sys/net/ipv4/conf/$DMZ_IFACE/rp_filter ] ; then if [ "$RP_FILTER" = "TRUE" ] ; then echo 1 > /proc/sys/net/ipv4/conf/$DMZ_IFACE/rp_filter echo -n "activated:${DMZ_IFACE} " else echo 0 > /proc/sys/net/ipv4/conf/$DMZ_IFACE/rp_filter echo -n "disabled:${DMZ_IFACE} " fi else echo "not found:${DMZ_IFACE} " fi fi echo # Tell the Kernel to Ignore Source Routed Packets echo -n "Refusing SSR Packets via SysCtl..." if [ "$INET_IFACE" != "" ] ; then if [ -e /proc/sys/net/ipv4/conf/$INET_IFACE/accept_source_route ] ; then if [ "$ACCEPT_SOURCE_ROUTE" = "TRUE" ] ; then echo "1" > /proc/sys/net/ipv4/conf/$INET_IFACE/accept_source_route echo -n "disabled:${INET_IFACE} " else echo "0" > /proc/sys/net/ipv4/conf/$INET_IFACE/accept_source_route echo -n "activated:${INET_IFACE} " fi else echo "not found:${INET_IFACE} " fi fi if [ "$LAN_IFACE" != "" ] ; then if [ -e /proc/sys/net/ipv4/conf/$LAN_IFACE/accept_source_route ] ; then if [ "$ACCEPT_SOURCE_ROUTE" = "TRUE" ] ; then echo "1" > /proc/sys/net/ipv4/conf/$LAN_IFACE/accept_source_route echo -n "disabled:${LAN_IFACE} " else echo "0" > /proc/sys/net/ipv4/conf/$LAN_IFACE/accept_source_route echo -n "activated:${LAN_IFACE} " fi else echo "not found:${LAN_IFACE} " fi fi if [ "$DMZ_IFACE" != "" ] ; then if [ -e /proc/sys/net/ipv4/conf/$DMZ_IFACE/accept_source_route ] ; then if [ "$ACCEPT_SOURCE_ROUTE" = "TRUE" ] ; then echo "1" > /proc/sys/net/ipv4/conf/$DMZ_IFACE/accept_source_route echo -n "disabled:${DMZ_IFACE} " else echo "0" > /proc/sys/net/ipv4/conf/$DMZ_IFACE/accept_source_route echo -n "activated:${DMZ_IFACE} " fi else echo "not found:${DMZ_IFACE} " fi fi echo # =============================================== # --------Actual NetFilter Stuff Follows--------- # =============================================== # Flush everything # If you need compatability, you can comment some or all of these out, # but remember, if you re-run it, it'll just add the new rules in, it # won't remove the old ones for you then, this is how it removes them. echo -n "Flush: " ${IPTABLES} -t filter -F INPUT echo -n "INPUT " ${IPTABLES} -t filter -F OUTPUT echo -n "OUTPUT1 " ${IPTABLES} -t filter -F FORWARD echo -n "FORWARD " ${IPTABLES} -t nat -F PREROUTING echo -n "PREROUTING1 " ${IPTABLES} -t nat -F OUTPUT echo -n "OUTPUT2 " ${IPTABLES} -t nat -F POSTROUTING echo -n "POSTROUTING " ${IPTABLES} -t mangle -F PREROUTING echo -n "PREROUTING2 " ${IPTABLES} -t mangle -F OUTPUT echo -n "OUTPUT3" echo # Create new chains # Output to /dev/null in case they don't exist from a previous invocation echo -n "Creating chains: " for chain in ${FILTER_CHAINS} ; do ${IPTABLES} -t filter -F ${chain} > /dev/null 2>&1 ${IPTABLES} -t filter -X ${chain} > /dev/null 2>&1 ${IPTABLES} -t filter -N ${chain} echo -n "${chain} " done if [ ${HAVE_ULOG} = "true" ] ; then for chain in ${UL_FILTER_CHAINS} ; do ${IPTABLES} -t filter -F ${chain} > /dev/null 2>&1 ${IPTABLES} -t filter -X ${chain} > /dev/null 2>&1 ${IPTABLES} -t filter -N ${chain} echo -n "${chain} " done fi echo # Default Policies # INPUT policy is drop # Policy can't be reject because of kernel limitations echo -n "Default Policies: " ${IPTABLES} -t filter -P INPUT DROP echo -n "INPUT:DROP " ${IPTABLES} -t filter -P OUTPUT ACCEPT echo -n "OUTPUT:ACCEPT " ${IPTABLES} -t filter -P FORWARD DROP echo -n "FORWARD:DROP " echo # =============================================== # -------Chain setup before jumping to them------ # =============================================== #These logging chains are valid to specify in DROP= above #Set up LDROP echo -n "Setting up drop chains chains: " ${IPTABLES} -t filter -A LDROP -p tcp -m limit --limit ${LOG_FLOOD} -j LOG --log-level 6 --log-prefix "TCP Dropped " ${IPTABLES} -t filter -A LDROP -p udp -m limit --limit ${LOG_FLOOD} -j LOG --log-level 6 --log-prefix "UDP Dropped " ${IPTABLES} -t filter -A LDROP -p icmp -m limit --limit ${LOG_FLOOD} -j LOG --log-level 6 --log-prefix "ICMP Dropped " ${IPTABLES} -t filter -A LDROP -f -m limit --limit ${LOG_FLOOD} -j LOG --log-level 4 --log-prefix "FRAGMENT Dropped " ${IPTABLES} -t filter -A LDROP -j DROP echo -n "LDROP " #And LREJECT too ${IPTABLES} -t filter -A LREJECT -p tcp -m limit --limit ${LOG_FLOOD} -j LOG --log-level 6 --log-prefix "TCP Rejected " ${IPTABLES} -t filter -A LREJECT -p udp -m limit --limit ${LOG_FLOOD} -j LOG --log-level 6 --log-prefix "UDP Rejected " ${IPTABLES} -t filter -A LREJECT -p icmp -m limit --limit ${LOG_FLOOD} -j LOG --log-level 6 --log-prefix "ICMP Rejected " ${IPTABLES} -t filter -A LREJECT -f -m limit --limit ${LOG_FLOOD} -j LOG --log-level 4 --log-prefix "FRAGMENT Rejected " ${IPTABLES} -t filter -A LREJECT -j REJECT echo -n "LREJECT " #Don't forget TREJECT ${IPTABLES} -t filter -A TREJECT -p tcp -j REJECT --reject-with tcp-reset ${IPTABLES} -t filter -A TREJECT -p udp -j REJECT --reject-with icmp-port-unreachable ${IPTABLES} -t filter -A TREJECT -p icmp -j DROP ${IPTABLES} -t filter -A TREJECT -j REJECT echo -n "TREJECT " #And LTREJECT ${IPTABLES} -t filter -A LTREJECT -p tcp -m limit --limit ${LOG_FLOOD} -j LOG --log-level 6 --log-prefix "TCP Rejected " ${IPTABLES} -t filter -A LTREJECT -p udp -m limit --limit ${LOG_FLOOD} -j LOG --log-level 6 --log-prefix "UDP Rejected " ${IPTABLES} -t filter -A LTREJECT -p icmp -m limit --limit ${LOG_FLOOD} -j LOG --log-level 6 --log-prefix "ICMP Rejected " ${IPTABLES} -t filter -A LTREJECT -f -m limit --limit ${LOG_FLOOD} -j LOG --log-level 4 --log-prefix "FRAGMENT Rejected " ${IPTABLES} -t filter -A LTREJECT -p tcp -j REJECT --reject-with tcp-reset ${IPTABLES} -t filter -A LTREJECT -p udp -j REJECT --reject-with icmp-port-unreachable ${IPTABLES} -t filter -A LTREJECT -p icmp -j DROP ${IPTABLES} -t filter -A LTREJECT -j REJECT echo -n "LTREJECT " #And ULOG stuff, same as above but ULOG instead of LOG if [ ${HAVE_ULOG} = "true" ] ; then ${IPTABLES} -t filter -A ULDROP -p tcp -m limit --limit ${LOG_FLOOD} -j ULOG --ulog-nlgroup 1 --ulog-prefix LDROP_TCP ${IPTABLES} -t filter -A ULDROP -p udp -m limit --limit ${LOG_FLOOD} -j ULOG --ulog-nlgroup 1 --ulog-prefix LDROP_UDP ${IPTABLES} -t filter -A ULDROP -p icmp -m limit --limit ${LOG_FLOOD} -j ULOG --ulog-nlgroup 1 --ulog-prefix LDROP_ICMP ${IPTABLES} -t filter -A ULDROP -f -m limit --limit ${LOG_FLOOD} -j ULOG --ulog-nlgroup 1 --ulog-prefix LDROP_FRAG ${IPTABLES} -t filter -A ULDROP -j DROP echo -n "ULDROP " ${IPTABLES} -t filter -A ULREJECT -p tcp -m limit --limit ${LOG_FLOOD} -j ULOG --ulog-nlgroup 1 --ulog-prefix LREJECT_TCP ${IPTABLES} -t filter -A ULREJECT -p udp -m limit --limit ${LOG_FLOOD} -j ULOG --ulog-nlgroup 1 --ulog-prefix LREJECT_UDP ${IPTABLES} -t filter -A ULREJECT -p icmp -m limit --limit ${LOG_FLOOD} -j ULOG --ulog-nlgroup 1 --ulog-prefix LREJECT_UDP ${IPTABLES} -t filter -A ULREJECT -f -m limit --limit ${LOG_FLOOD} -j ULOG --ulog-nlgroup 1 --ulog-prefix LREJECT_FRAG ${IPTABLES} -t filter -A ULREJECT -j REJECT echo -n "LREJECT " ${IPTABLES} -t filter -A ULTREJECT -p tcp -m limit --limit ${LOG_FLOOD} -j ULOG --ulog-nlgroup 1 --ulog-prefix LTREJECT_TCP ${IPTABLES} -t filter -A ULTREJECT -p udp -m limit --limit ${LOG_FLOOD} -j ULOG --ulog-nlgroup 1 --ulog-prefix LTREJECT_UDP ${IPTABLES} -t filter -A ULTREJECT -p icmp -m limit --limit ${LOG_FLOOD} -j ULOG --ulog-nlgroup 1 --ulog-prefix LTREJECT_ICMP ${IPTABLES} -t filter -A ULTREJECT -f -m limit --limit ${LOG_FLOOD} -j ULOG --ulog-nlgroup 1 --ulog-prefix LTREJECT_FRAG ${IPTABLES} -t filter -A ULTREJECT -p tcp -j REJECT --reject-with tcp-reset ${IPTABLES} -t filter -A ULTREJECT -p udp -j REJECT --reject-with icmp-port-unreachable ${IPTABLES} -t filter -A ULTREJECT -p icmp -j DROP ${IPTABLES} -t filter -A ULTREJECT -j REJECT echo -n "ULTREJECT " fi #newline echo # Set up the per-proto ACCEPT chains echo -n "Setting up per-proto ACCEPT: " # TCPACCEPT # SYN Flood "Protection" ${IPTABLES} -t filter -A TCPACCEPT -p tcp --syn -m limit --limit ${SYN_FLOOD} -j ACCEPT ${IPTABLES} -t filter -A TCPACCEPT -p tcp --syn -m limit --limit ${LOG_FLOOD} -j LOG --log-prefix "Possible SynFlood " ${IPTABLES} -t filter -A TCPACCEPT -p tcp --syn -j ${DROP} ${IPTABLES} -t filter -A TCPACCEPT -p tcp ! --syn -j ACCEPT # Log anything that hasn't matched yet and ${DROP} it since it isn't TCP and shouldn't be here ${IPTABLES} -t filter -A TCPACCEPT -m limit --limit ${LOG_FLOOD} -j LOG --log-prefix "Mismatch in TCPACCEPT " ${IPTABLES} -t filter -A TCPACCEPT -j ${DROP} echo -n "TCPACCEPT " #UDPACCEPT ${IPTABLES} -t filter -A UDPACCEPT -p udp -j ACCEPT # Log anything not UDP and ${DROP} it since it's not supposed to be here ${IPTABLES} -t filter -A UDPACCEPT -m limit --limit ${LOG_FLOOD} -j LOG --log-prefix "Mismatch on UDPACCEPT " ${IPTABLES} -t filter -A UDPACCEPT -j ${DROP} echo -n "UDPACCEPT " #Done echo # ================================================= # ----------------Explicit Denies------------------ # ================================================= #Blackholes will not be overridden by hostwise allows if [ "$BLACKHOLE" != "" ] ; then echo -n "Blackholes: " for host in ${BLACKHOLE} ; do ${IPTABLES} -t filter -A INPUT -s ${host} -j ${BLACKHOLE_DROP} ${IPTABLES} -t filter -A OUTPUT -d ${host} -j ${BLACKHOLE_DROP} ${IPTABLES} -t filter -A FORWARD -s ${host} -j ${BLACKHOLE_DROP} ${IPTABLES} -t filter -A FORWARD -d ${host} -j ${BLACKHOLE_DROP} echo -n "${host} " done echo fi if [ "$DENY_ALL" != "" ] ; then echo -n "Denying hosts: " for host in ${DENY_ALL} ; do ${IPTABLES} -t filter -A INPUT -s ${host} -j ${DROP} ${IPTABLES} -t filter -A FORWARD -s ${host} -j ${DROP} echo -n "${host}:${DROP}" done echo fi if [ "$DENY_HOSTWISE_TCP" != "" ] ; then echo -n "Hostwise TCP Denies: " for rule in ${DENY_HOSTWISE_TCP} ; do echo "$rule" | { IFS='>' read host port ${IPTABLES} -t filter -A INPUT -p tcp -s ${host} --dport ${port} -j ${DROP} ${IPTABLES} -t filter -A FORWARD -p tcp -s ${host} --dport ${port} -j ${DROP} echo -n "${rule} " } done echo fi if [ "$DENY_HOSTWISE_UDP" != "" ] ; then echo -n "Hostwise UDP Denies: " for rule in ${DENY_HOSTWISE_UDP} ; do echo "$rule" | { IFS='>' read host port ${IPTABLES} -t filter -A INPUT -p udp -s ${host} --dport ${port} -j ${DROP} ${IPTABLES} -t filter -A FORWARD -p udp -s ${host} --dport ${port} -j ${DROP} echo -n "${rule} " } done echo fi #Invalid packets are always annoying echo -n "${DROP}ing invalid packets..." ${IPTABLES} -t filter -A INETIN -m state --state INVALID -j ${DROP} echo "done" # ------------------------------------------------------------------------ # Internet jumps to INET chains and DMZ # Set up INET chains echo -n "Setting up INET chains: " ${IPTABLES} -t filter -A INPUT -i ${INET_IFACE} -j INETIN ${IPTABLES} -t filter -A FORWARD -i ${INET_IFACE} -o ${LAN_IFACE} -j INETIN echo -n "INETIN " ${IPTABLES} -t filter -A OUTPUT -o ${INET_IFACE} -j INETOUT ${IPTABLES} -t filter -A FORWARD -o ${INET_IFACE} -i ${LAN_IFACE} -j INETOUT echo -n "INETOUT " echo # For now we'll subject the DMZ to the same rules as the internet when going onto the trusted LAN # And we'll let it go anywhere on the internet if [ "$DMZ_IFACE" != "" ] ; then echo -n "Setting up DMZ Chains: " ${IPTABLES} -A OUTPUT -o ${DMZ_IFACE} -j DMZOUT ${IPTABLES} -A FORWARD -i ${LAN_IFACE} -o ${DMZ_IFACE} -j DMZOUT ${IPTABLES} -A FORWARD -i ${INET_IFACE} -o ${DMZ_IFACE} -j ACCEPT echo -n "DMZOUT " echo -n "DMZ for Internet Forwarding to INETOUT..." ${IPTABLES} -A DMZOUT -j INETOUT ${IPTABLES} -A INPUT -i ${DMZ_IFACE} -j DMZIN ${IPTABLES} -A FORWARD -i ${DMZ_IFACE} -o ${LAN_IFACE} -j DMZIN ${IPTABLES} -A FORWARD -i ${DMZ_IFACE} -o ${INET_IFACE} -j ACCEPT echo -n "DMZIN " echo echo -n "DMZ for LAN and localhost Forwarding to INETIN..." ${IPTABLES} -A DMZIN -j INETIN echo "done" echo -n "done" fi # ------------------------------------------------------------------------ # Local traffic to internet or crossing subnets # This should cover what we need if we don't use masquerading # Unfortunately, MAC address matching isn't bidirectional (for # obvious reasons), so IP based matching is done here echo -n "Local Traffic Rules: " if [ "$INTERNAL_LAN" != "" ] ; then for subnet in ${INTERNAL_LAN} ; do ${IPTABLES} -t filter -A INPUT -s ${subnet} -j ACCEPT echo -n "${subnet}:ACCEPT " done fi # 127.0.0.0/8 used to need an entry in INTERNAL_LAN, but routing of that isn't needed # so an allow is placed on INPUT so that the computer can talk to itself :) ${IPTABLES} -t filter -A INPUT -i ${LOOP_IFACE} -j ACCEPT echo -n "loopback:ACCEPT " # DHCP server magic # Allow broadcasts from LAN to UDP port 67 (DHCP server) if [ "$DHCP_SERVER" = "TRUE" ] ; then ${IPTABLES} -t filter -A INPUT -i ${LAN_IFACE} -p udp --dport 67 -j ACCEPT echo -n "dhcp:ACCEPT" fi echo if [ "$PROXY" != "" ] ; then echo -n "Setting up Transparent Proxy to ${PROXY}: " for subnet in ${INTERNAL_LAN} ; do echo "$PROXY" | { IFS=':' read host port if [ "$host" = "localhost" ] || [ "$host" = "127.0.0.1" ] ; then ${IPTABLES} -t nat -A PREROUTING -s ${subnet} -p tcp --dport 80 -j REDIRECT --to-port ${port} echo -n "${subnet}:PROXY " else ${IPTABLES} -t nat -A PREROUTING -s ${subnet} -p tcp --dport 80 -j DNAT --to ${host}:${port} echo -n "${subnet}:PROXY " fi } done echo fi if [ "$ALLOW_OUT_TCP" != "" ] ; then echo -n "Internet censorship TCP allows: " for rule in ${ALLOW_OUT_TCP} ; do echo "$rule" | { IFS=':' read intip destip dport ${IPTABLES} -t filter -A FORWARD -s ${intip} -d ${destip} --dport ${dport} -o ${INET_IFACE} -j ACCEPT ${IPTABLES} -t filter -A FORWARD -d ${intip} -s ${destip} -i ${INET_IFACE} -j ACCEPT echo -n "${intip}:${destip} " } done echo fi # Set up basic NAT if the user wants it if [ "$MASQ_LAN" != "" ] ; then echo -n "Setting up masquerading: " if [ "$MAC_MASQ" = "" ] ; then for subnet in ${MASQ_LAN} ; do ${IPTABLES} -t nat -A POSTROUTING -s ${subnet} -o ${INET_IFACE} -j MASQUERADE echo -n "${subnet}:MASQUERADE " done else for address in ${MAC_MASQ} ; do ${IPTABLES} -t nat -A POSTROUTING -m mac --mac-source ${address} -o ${INET_IFACE} -j MASQUERADE echo -n "${address}:MASQUERADE " done fi echo fi if [ "$SNAT_LAN" != "" ] ; then #Static NAT used echo -n "Setting up static NAT: " if [ "$MAC_SNAT" = "" ] ; then for rule in ${SNAT_LAN} ; do echo "$rule" | { IFS=':' read host destip ${IPTABLES} -t nat -A POSTROUTING -s ${host} -o ${INET_IFACE} -j SNAT --to-source ${destip} echo -n "${subnet}:SNAT " } done else for rule in ${MAC_SNAT} ; do echo "$rule" | { IFS=':' read address destip ${IPTABLES} -t nat -A POSTROUTING -m mac --mac-source ${address} -o ${INET_IFACE} -j SNAT --to-source ${destip} echo -n "${address}:SNAT " } done fi echo fi #TCP Port-Forwards if [ "$TCP_FW" != "" ] ; then echo -n "TCP Port Forwards: " for rule in ${TCP_FW} ; do echo "$rule" | { IFS=':>' read srcport destport host echo "$srcport" | { IFS='-' read fsp lsp if [ "$lsp" != "" ] ; then echo "$destport" | { IFS='-' read fdp ldp ${IPTABLES} -t nat -A PREROUTING -p tcp -i ${INET_IFACE} --dport ${fsp}:${lsp} -j DNAT --to-destination ${host}:${destport} ${IPTABLES} -t filter -A FORWARD -p tcp -d ${host} --dport ${fdp}:${ldp} -j ACCEPT } else ${IPTABLES} -t nat -A PREROUTING -p tcp -i ${INET_IFACE} --dport ${srcport} -j DNAT --to-destination ${host}:${destport} ${IPTABLES} -t filter -A FORWARD -p tcp -d ${host} --dport ${destport} -j ACCEPT fi echo -n "${rule} " } } done echo fi #UDP Port Forwards if [ "$UDP_FW" != "" ] ; then echo -n "UDP Port Forwards: " for rule in ${UDP_FW} ; do echo "$rule" | { IFS=':>' read srcport destport host echo "$srcport" | { IFS='-' read fsp lsp if [ "$lsp" != "" ] ; then echo "$destport" | { IFS='-' read fdp ldp ${IPTABLES} -t nat -A PREROUTING -p udp -i ${INET_IFACE} --dport ${fsp}:${lsp} -j DNAT --to-destination ${host}:${destport} ${IPTABLES} -t filter -A FORWARD -p udp -d ${host} --dport ${fdp}:${ldp} -j ACCEPT } else ${IPTABLES} -t nat -A PREROUTING -p udp -i ${INET_IFACE} --dport ${srcport} -j DNAT --to-destination ${host}:${destport} ${IPTABLES} -t filter -A FORWARD -p udp -d ${host} --dport ${destport} -j ACCEPT fi echo -n "${rule} " } } done echo fi # ================================================================ # ------------Allow stuff we have chosen to allow in-------------- # ================================================================ # Hostwise allows if [ "$ALLOW_ALL" != "" ] ; then echo -n "Hostwise Input Allow: " for host in ${ALLOW_ALL} ; do ${IPTABLES} -t filter -A INETIN -s ${host} -j ACCEPT echo -n "${host} " done echo fi if [ "$ALLOW_HOSTWISE_TCP" != "" ] ; then echo -n "Hostwise TCP Allows: " for rule in ${ALLOW_HOSTWISE_TCP} ; do echo "$rule" | { IFS='>' read host port ${IPTABLES} -t filter -A INETIN -p tcp -s ${host} --dport ${port} -j ACCEPT echo -n "${rule} " } done echo fi if [ "$ALLOW_HOSTWISE_UDP" != "" ] ; then echo -n "Hostwise UDP Allows: " for rule in ${ALLOW_HOSTWISE_UDP} ; do echo "$rule" | { IFS='>' read host port ${IPTABLES} -t filter -A INETIN -p udp -s ${host} --dport ${port} -j ACCEPT echo -n "${rule} " } done echo fi # Flood "security" # You'll still respond to these if they comply with the limits (set in config) # There is a more elegant way to set this using sysctl, however this has the # advantage that the kernel ICMP stack never has to process it, lessening # the chance of a very serious flood overloading your kernel. # This is just a packet limit, you still get the packets on the interface and # still may experience lag if the flood is heavy enough echo -n "Flood limiting: " # Ping Floods (ICMP echo-request) ${IPTABLES} -t filter -A INETIN -p icmp --icmp-type echo-request -m limit --limit ${PING_FLOOD} -j ACCEPT ${IPTABLES} -t filter -A INETIN -p icmp --icmp-type echo-request -j ${DROP} echo -n "ICMP-PING " echo if [ "$BAD_ICMP" != "" ] ; then echo -n "Dropping ICMP messages specified in BAD_ICMP..." for message in ${BAD_ICMP} ; do ${IPTABLES} -t filter -A INETIN -p icmp --icmp-type ${message} -j ${DROP} echo -n "${message} " done echo fi echo -n "Allowing the rest of the ICMP messages in..." ${IPTABLES} -t filter -A INETIN -p icmp --icmp-type ! echo-request -j ACCEPT echo "done" if [ "$TCP_ALLOW" != "" ] ; then echo -n "TCP Input Allow: " for port in ${TCP_ALLOW} ; do ${IPTABLES} -t filter -A INETIN -p tcp --dport ${port} -j TCPACCEPT echo -n "${port} " done echo fi if [ "$UDP_ALLOW" != "" ] ; then echo -n "UDP Input Allow: " for port in ${UDP_ALLOW} ; do ${IPTABLES} -t filter -A INETIN -p udp --dport ${port} -j UDPACCEPT echo -n "${port} " done echo fi echo -n "Allowing established outbound connections back in..." ${IPTABLES} -t filter -A INETIN -m state --state ESTABLISHED -j ACCEPT echo "done" # RELATED on high ports only for security echo -n "Allowing related inbound connections..." ${IPTABLES} -t filter -A INETIN -p tcp --dport 1024:65535 -m state --state RELATED -j TCPACCEPT ${IPTABLES} -t filter -A INETIN -p udp --dport 1024:65535 -m state --state RELATED -j UDPACCEPT echo "done" # ================================================= # ----------------Packet Mangling------------------ # ================================================= # TTL mangling # This is probably just for the paranoid, but hey, isn't that what # all security guys are? :) if [ "$TTL_SAFE" != "" ] ; then ${IPTABLES} -t mangle -A PREROUTING -i ${INET_IFACE} -j TTL --ttl-set ${TTL_SAFE} fi # Type of Service mangle optimizations (the ACTIVE FTP one will only work for uploads) if [ "$MANGLE_TOS_OPTIMIZE" = "TRUE" ] ; then echo -n "Optimizing traffic: " ${IPTABLES} -t mangle -A OUTPUT -p tcp --dport 22 -j TOS --set-tos Minimize-Delay echo -n "ssh " echo fi # What to do on those INET chains when we hit the end echo -n "Setting up INET policies: " # Drop if we cant find a valid inbound rule. ${IPTABLES} -t filter -A INETIN -j ${DROP} echo -n "INETIN:${DROP} " # We can send what we want to the internet ${IPTABLES} -t filter -A INETOUT -j ACCEPT echo -n "INETOUT:ACCEPT " echo # All done! echo "Done loading the firewall!" ;; stop) echo -n "Flush: " ${IPTABLES} -t filter -F INPUT echo -n "INPUT " ${IPTABLES} -t filter -F OUTPUT echo -n "OUTPUT1 " ${IPTABLES} -t filter -F FORWARD echo -n "FORWARD " ${IPTABLES} -t nat -F PREROUTING echo -n "PREROUTING1 " ${IPTABLES} -t nat -F OUTPUT echo -n "OUTPUT2 " ${IPTABLES} -t nat -F POSTROUTING echo -n "POSTROUTING " ${IPTABLES} -t mangle -F PREROUTING echo -n "PREROUTING2 " ${IPTABLES} -t mangle -F OUTPUT echo -n "OUTPUT3" echo ;; esac -- Douglas J Hunley (doug at hunley.homeip.net) - Linux User #174778 Admin: Linux StepByStep - http://linux.nf Alliance, n.: In international politics, the union of two thieves who have their hands so deeply inserted in each other's pocket that they cannot separately plunder a third. -- Ambrose Bierce, "The Devil's Dictionary"
smime.p7s
Description: application/pkcs7-signature
