After upgrading my gateway to the latest cooker (destroying my uptime so I
can test the RPMs :-) I had to redo my firewall to be iptables based.
We knocked it about a bit on IRC and this is its current status:

It works(ish) by doing the following:
        Forwarding connections from the inet to various internal servers
        Allowing internal clients to surf with impunity (via SNAT)
        Logging some suspicious activity to syslog

I've managed to re-break the ability to surf my homepage from within my
LAN (that's what:
/sbin/iptables -t nat -A POSTROUTING -d $ZHEER -s $INTNET -p tcp --dport 80 -j SNAT --to $ZHEER
was meant to sort out).

Anyway available for your comments

--     

[EMAIL PROTECTED]
http://www.bennee.com/~alex/

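#!/bin/bash
#
# My iptables firewall including a bunch of hacks from Ryan Edwards'
# ipchains based iridium firewall to grok IP addresses etc.
#
# Bash is required: the script uses the `function` keyword, `echo -e` and
# ANSI escape strings, none of which a POSIX /bin/sh guarantees.

# Banner / identification strings, printed before the command is dispatched.
FWVER="0.1"
FWDATE="20-March-2002"
FWNAME="Hacked up firewall"
FWCOPY="Copyright (C) Alex Bennee (portions (c)2000-2001 Ryan Edwards)"
FWWP="http://www.bennee.com/~alex/firewall/"
FWEMAIL="[EMAIL PROTECTED]"
readonly FWVER FWDATE FWNAME FWCOPY FWWP FWEMAIL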

# --------------------------------------------------------------------------- #
# Path: Set up a new PATH so that we can safely run in the ip-up environment.
#
# Remember the caller's PATH so it can be restored on every exit path,
# then pin PATH to the system directories for the duration of the script.
ORIGPATH="$PATH"
PATH="/sbin:/bin:/usr/bin"
export PATH

# --------------------------------------------------------------------------- #
# Interfaces: Define the internal and external interfaces. The firewall
# will automatically determine the TCP settings for each interface.
#
# Internal (LAN) and external (Internet) interface names; the address,
# mask and network of each are discovered at start-up, not configured here.
INTIF=eth0
EXTIF=ppp0

# --------------------------------------------------------------------------- #
# IP Port Forwarded Addresses
# The servers I run
# LAN hosts that receive forwarded ports: ZHEER takes SMTP/HTTP/HTTPS and
# the ssh-over-http tunnel, TRENT takes Gnutella and is the only LAN host
# allowed to ssh to the gateway itself.
ZHEER=192.168.1.110
TRENT=192.168.1.1



# --------------------------------------------------------------------------- #
# Addresses: Cool. He said "grok".
#
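#######################################
# Report whether an interface is up.
# Arguments: $1 - interface name
# Outputs:   "1" if ifconfig shows the UP flag for $1, otherwise "0"
#            (including when the interface does not exist)
#######################################
function grok_interface()
{
    # grep -q replaces the `[ ! -z "`...`" ]` dance; $1 is quoted so an
    # empty or odd argument cannot turn into extra ifconfig options.
    if ifconfig "$1" 2>/dev/null | grep -q UP; then
        echo "1"
    else
        echo "0"
    fi
}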

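#######################################
# Print the netmask of an interface.
# Arguments: $1 - interface name
# Outputs:   the dotted netmask from ifconfig's "Mask:" field, or nothing
#            if the interface is unknown
#######################################
function grok_mask()
{
    local mask
    mask=$(ifconfig "$1" 2>/dev/null | grep Mask | cut -d : -f 4)
    echo "$mask"
}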

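#######################################
# Print the IP address of an interface.
# Arguments: $1 - interface name
# Outputs:   the address following "inet addr:" in ifconfig output, or
#            nothing if the interface is unknown
#######################################
function grok_address()
{
    local ip
    # Second ":"-field is "a.b.c.d  Bcast"; the first space-field of that
    # is the address itself.
    ip=$(ifconfig "$1" 2>/dev/null | grep inet | cut -d : -f 2 | cut -d ' ' -f 1)
    echo "$ip"
}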

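#######################################
# Print the network address routed via an interface.
# Arguments: $1 - interface name
#            $2 - netmask, as printed by grok_mask
# Outputs:   the destination column of the "U" (up, non-gateway) route
#            whose line mentions both $1 and $2, or nothing
#######################################
function grok_net()
{
    local net
    # -F: the mask is a literal dotted string, not a regex; "--" keeps a
    # stray leading "-" from being read as a grep option.
    net=$(route -n 2>/dev/null | grep -F -- "$1" | grep -F -- "$2" | grep -w "U" | cut -d ' ' -f 1)
    echo "$net"
}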

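#######################################
# Print the broadcast address of an interface.
# Arguments: $1 - interface name
# Outputs:   the value after "Bcast:" on ifconfig's "inet addr" line, or
#            nothing if the interface is unknown
#######################################
function grok_broadcast()
{
    local broad
    # $3 of the "inet addr" line is "Bcast:a.b.c.d"; strip up to the colon.
    broad=$(ifconfig "$1" 2>/dev/null | awk '/inet addr/ { gsub(".*:", "", $3); print $3 }')
    echo "$broad"
}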

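#######################################
# Print the gateway of the default (UG) route on an interface.
# Arguments: $1 - interface name
# Outputs:   the Gateway column of the first route whose Flags contain UG
#            and whose Iface is $1, or nothing
#######################################
function grok_gateway()
{
    local gw
    # In "route -n" output column 4 is Flags and the last column is Iface.
    # The old `grep -A 4 UG | awk '{print $2}'` also printed column 2 of
    # the four lines after the match, so EXTGW could end up multi-line,
    # and it ignored the interface argument entirely.
    gw=$(/sbin/route -n 2>/dev/null \
         | awk -v iface="$1" '$4 ~ /UG/ && $NF == iface { print $2; exit }')
    echo "$gw"
}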

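#######################################
# Verify both interfaces are up and collect their addressing.
# Globals:   EXTIF, INTIF, ORIGPATH (read)
#            EXTMASK EXTNET EXTIP EXTIP2 EXTGW EXTBROAD
#            INTMASK INTNET INTIP INTBROAD (written)
# Outputs:   progress and the discovered addresses on stdout
# Returns:   exits 1 (after restoring PATH) if either interface is down
#######################################
function check_interfaces()
{
    echo -n "  Checking External Interface ($EXTIF)... "

    if [ "$(grok_interface "$EXTIF")" != "1" ]; then
        echo -e "\033[01;31munavailable!\033[00m Aborting."
        export PATH="$ORIGPATH"
        # A bare "exit" would return the status of the echo above (0) and
        # report success to whoever ran us; this is a failure.
        exit 1
    fi

    EXTMASK=$(grok_mask "$EXTIF")
    EXTNET="$(grok_net "$EXTIF" "$EXTMASK")/$EXTMASK"
    EXTIP="$(grok_address "$EXTIF")/$EXTMASK"
    EXTIP2=$(grok_address "$EXTIF")          # bare address, for host matches
    EXTGW=$(grok_gateway "$EXTIF")
    EXTBROAD=$(grok_broadcast "$EXTIF")

    echo "found."
    echo "  External Interface Data:"
    echo "    Address: $EXTIP"
    echo "    Network: $EXTNET"
    echo "    Broadcast: $EXTBROAD"
    echo "    Gateway: $EXTGW"

    echo -n "  Checking Internal Interface ($INTIF)... "

    if [ "$(grok_interface "$INTIF")" != "1" ]; then
        echo -e "\033[01;31munavailable!\033[00m Aborting."
        export PATH="$ORIGPATH"
        exit 1
    fi

    INTMASK=$(grok_mask "$INTIF")
    INTNET="$(grok_net "$INTIF" "$INTMASK")/$INTMASK"
    INTIP="$(grok_address "$INTIF")/$INTMASK"
    INTBROAD=$(grok_broadcast "$INTIF")

    echo "found."
    echo "  Internal Interface Data:"
    echo "    Address: $INTIP"
    echo "    Network: $INTNET"
    echo "    Broadcast: $INTBROAD"
}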



# ------------------------------------------------------------------------------------------ #
# Locks down the firewall for maintenance on the server. Use the start option to get
# the firewall going again.
#
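#######################################
# Close the box completely: no rules, every default policy DROP.
# Globals:   none
# Outputs:   none
# Returns:   status of the last iptables call
#######################################
function lockdown_firewall()
{
    # Set the default policies first so there is no window between
    # flushing the rules and closing the door. iptables has no DENY
    # target - that was the ipchains name and iptables rejects it - so
    # the old "-P ... DENY" calls failed and left the policies as they were.
    /sbin/iptables -P INPUT DROP
    /sbin/iptables -P OUTPUT DROP
    /sbin/iptables -P FORWARD DROP

    # Then flush the filter and nat tables; the policies above are all
    # that remains, which is the point of a lockdown.
    /sbin/iptables --flush
    /sbin/iptables -t nat --flush
}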


# ------------------------------------------------------------------------------------------- #
# This is the big one: Set up the firewall.
#
# The firewall separates everything into a few chains:
#    from-inet : packets from the big wide world
#    from-lan  : packets from the local lan
#
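#######################################
# Build the complete ruleset: kernel sysctls, NAT, port forwards, and the
# INPUT/FORWARD filter chains.
# Globals:   EXTIF INTIF ZHEER TRENT (read)
#            EXTIP2 INTIP INTNET - set by check_interfaces, which must run first
# Outputs:   progress on stdout
# Returns:   status of the last iptables call; under "set -e" any failing
#            iptables/modprobe call aborts the script
#######################################
function setup_firewall()
{
    local file
    local gwlan

    # Ensure that various ICMP sanity settings are there
    echo "  Enabling ICMP sanity settings:"

    # Ignore ICMP echo requests sent to a broadcast address (smurf protection)
    echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

    # Enable bad error message protection
    echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

    # Disable ICMP Re-directs
    for file in /proc/sys/net/ipv4/conf/*/accept_redirects; do
        echo "0" > "$file"
    done

    # Ensure that source-routed packets are dropped
    echo "    Dropping source-routed packets."
    for file in /proc/sys/net/ipv4/conf/*/accept_source_route; do
        echo "0" > "$file"
    done

    # Log spoofed, source-routed, and redirect packets
    echo "    Logging spoofed, source-routed, and redirected packets."
    for file in /proc/sys/net/ipv4/conf/*/log_martians; do
        echo "1" > "$file"
    done

    # Turn on IP Forwarding in the Linux kernel.
    #
    # Note: This should only be active if it is not flagged in the
    # /etc/network/options file.
    echo "  Enabling IP forwarding."
    echo "1" > /proc/sys/net/ipv4/ip_forward

    echo "Setting up Outgoing NAT"
    modprobe iptable_nat
    # First flush all the old rules and user-defined chains
    /sbin/iptables -t nat --flush
    /sbin/iptables -t filter --flush
    /sbin/iptables -X

    # Setup NAT (Masquerading, special case for dynamic IP's)
    /sbin/iptables -t nat -A POSTROUTING -o "$EXTIF" -j MASQUERADE

    # Remap LAN->server web connections to come from the gateway (so I can
    # access bennee.com from the LAN). The SNAT source has to be the
    # gateway's own LAN address: with "--to $ZHEER" the server saw packets
    # from itself and replied to itself, which is why hairpin surfing broke.
    gwlan="${INTIP%/*}"
    /sbin/iptables -t nat -A POSTROUTING -d "$ZHEER" -s "$INTNET" -p tcp --dport 80 -j SNAT --to-source "$gwlan"
    /sbin/iptables -t nat -A POSTROUTING -d "$ZHEER" -s "$INTNET" -p tcp --dport 443 -j SNAT --to-source "$gwlan"

    echo "Setting up Port Forwarding"

    # Setup incoming port forwarding for our public services
    # SMTP
    /sbin/iptables -t nat -A PREROUTING -i "$EXTIF" -p tcp --dport 25 -j DNAT --to-destination "$ZHEER:25"
    # Web (http and https)
    /sbin/iptables -t nat -A PREROUTING -i "$EXTIF" -p tcp --dport 80 -j DNAT --to-destination "$ZHEER:80"
    /sbin/iptables -t nat -A PREROUTING -i "$EXTIF" -p tcp --dport 443 -j DNAT --to-destination "$ZHEER:443"
    # Allow internal boxes to get mapped to these ports too. Match the
    # bare external address (EXTIP2): EXTIP carries "/mask", which on a
    # non-/32 link would match the whole external network, not this host.
    /sbin/iptables -t nat -A PREROUTING -d "$EXTIP2" -i "$INTIF" -p tcp --dport 80 -j DNAT --to-destination "$ZHEER:80"
    /sbin/iptables -t nat -A PREROUTING -d "$EXTIP2" -i "$INTIF" -p tcp --dport 443 -j DNAT --to-destination "$ZHEER:443"

    # Secure Shell (over http tunnel)
    /sbin/iptables -t nat -A PREROUTING -i "$EXTIF" -p tcp --dport 8890 -j DNAT --to-destination "$ZHEER:8890"
    #/sbin/iptables -t nat -A PREROUTING -i "$EXTIF" -p tcp --dport 22 -j DNAT --to-destination "$ZHEER:22"

    # Gnutella and other file shares
    /sbin/iptables -t nat -A PREROUTING -i "$EXTIF" -p tcp --dport 6346 -j DNAT --to-destination "$TRENT:6346"

    #########################################################################
    # Policies: set initial policies on the default rulesets. Basically if
    # we run out of rules to follow we do the basic reject.

    # All our processing is on the INPUT chain so OUTPUT is currently lax
    /sbin/iptables -P INPUT DROP
    /sbin/iptables -P OUTPUT ACCEPT
    # FORWARD is used for NAT stuff - careful not to kill it
    /sbin/iptables -P FORWARD ACCEPT

    # create our from-inet, from-lan rulesets
    /sbin/iptables -N from-inet
    /sbin/iptables -N from-lan

    # Lets deal with incoming connections first
    /sbin/iptables -A INPUT -i "$EXTIF" -j from-inet
    /sbin/iptables -A INPUT -i "$INTIF" -j from-lan

    # Filters for things coming in from the Internet to the gateway itself.
    # Port-forwarded traffic is DNAT'd in PREROUTING and routed on, so it
    # traverses FORWARD and never reaches this chain.
    # Nothing new is accepted from the Internet; only replies to connections
    # the gateway itself started (DNS lookups, its own downloads). Without
    # this rule the INPUT policy of DROP ate every such reply.
    /sbin/iptables -A from-inet -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Accept ICMP ping replies
    /sbin/iptables -A from-inet -p icmp --icmp-type echo-reply -j ACCEPT
    # Log packets (but limit the rate)
    /sbin/iptables -A from-inet -m limit -j LOG --log-prefix "[Dropped from-inet]"

    # And lose everything
    /sbin/iptables -A from-inet -j DROP

    # from-lan - this is not forwarded traffic but direct connections to the
    # gateway, limit it
    /sbin/iptables -A from-lan -m state --state ESTABLISHED,RELATED -j ACCEPT
    # allow $TRENT to ssh to the box
    /sbin/iptables -A from-lan -s "$TRENT" -p tcp --dport 22 -j ACCEPT
    /sbin/iptables -A from-lan -m limit -j LOG --log-prefix "[Dropped from-lan]"
    /sbin/iptables -A from-lan -j DROP

    # Anti-spoofing: packets arriving on the external interface that claim
    # a LAN source address are forged. Log a rate-limited sample, then
    # drop them - with a FORWARD policy of ACCEPT the old log-only rule
    # let them straight through.
    /sbin/iptables -A FORWARD -i "$EXTIF" -s "$INTNET" -m limit -j LOG --log-prefix "[Spoofed packets from $EXTIF]"
    /sbin/iptables -A FORWARD -i "$EXTIF" -s "$INTNET" -j DROP
}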


# ----------------------------------------------------------------------------------------- #
# Dismantle the firewall: this flushes all rulesets, and sets the
# machine to be open to anything.
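#######################################
# Remove every rule and open the default policies.
# Globals:   none
# Outputs:   progress on stdout
# Returns:   status of the last iptables call
#######################################
function dismantle_firewall()
{
    # The rules are iptables rules, so they must be flushed with iptables.
    # The previous ipchains calls fail on a box without ipchains (and under
    # "set -e" that aborted "restart" before setup_firewall ever ran), and
    # the flush_rulesets helper it called was never defined in this script.
    echo -n "  Flushing all chains..."
    /sbin/iptables -t filter --flush
    /sbin/iptables -t nat --flush
    /sbin/iptables -t filter -X
    /sbin/iptables -t nat -X
    echo " done."

    echo -n "  Resetting all chains..."
    /sbin/iptables -P INPUT ACCEPT
    /sbin/iptables -P OUTPUT ACCEPT
    /sbin/iptables -P FORWARD ACCEPT
    echo " done."
}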


# ---------------------------------------------------------------------------------------------------------- #
# Main Case structure to handle command line inputs.
#

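# Banner: identification and license notice, printed for every invocation.
echo
echo "$FWNAME v$FWVER ($FWDATE)"
echo "$FWCOPY <$FWEMAIL>"
echo "$FWWP"
echo
echo "$FWNAME and all related scripts come with ABSOLUTELY NO WARRANTY;"
echo "for details see the included 'License' file. This is free software,"
echo "and you are welcome to redistribute it under certain conditions."
echo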

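set -e

# Neither of these is set anywhere yet, so default them. With an empty
# $STEALTHMODE the old unquoted test became "[ = 1 ]", a test(1) syntax
# error that only reached the REJECT branch by accident.
STEALTHMODE="${STEALTHMODE:-0}"
VERBOSELOGGING="${VERBOSELOGGING:-0}"

# Dispatch on the command line verb; restore the caller's PATH on the way
# out (check_interfaces does the same on its own failure exits).
case "$1" in
  start)
        if [ "$STEALTHMODE" = "1" ]; then
         echo -e "Assembling in \033[01;32mSTEALTH\033[00m mode:"
        else
         echo -e "Assembling in \033[01;34mREJECT\033[00m mode:"
        fi
        check_interfaces
        setup_firewall
        ;;
  stop)
        echo "Dismantling:"
        dismantle_firewall
        ;;
  lockdown)
        echo "Locking down... "
        lockdown_firewall
        ;;
  status)
        echo -e "\r"
        echo "Firewall statistics:"
        echo "   Operating in STEALTH mode: $STEALTHMODE"
        echo "   Verbose logging: $VERBOSELOGGING"
        echo -e "\r"
        ;;
  restart|force-reload)
        if [ "$STEALTHMODE" = "1" ]; then
         echo -e "Restarting in \033[01;32mSTEALTH\033[00m mode:"
        else
         echo -e "Restarting in \033[01;34mREJECT\033[00m mode:"
        fi
        dismantle_firewall
        check_interfaces
        setup_firewall
        ;;
  *)
        echo -e "\r"
        echo "Usage: $0 { start | stop | lockdown | restart | status }" >&2
        echo -e "\r"
        echo "   start:    Starts the firewall from a clean system. The firewall must NOT"
        echo "             be running beforehand, or there will be problems like duplicate"
        echo "             IPCHAINS."
        echo -e "\r"
        echo "   stop:     Stops the firewall if it is already running. This won't hurt if"
        echo "             it's not already loaded, but you may recieve errors."
        echo -e "\r"
        echo "   lockdown: Puts the system into a state of complete dictatorship rule. All"
        echo "             rulesets are flushed and the default states are set to REJECT all"
        echo "             incoming and outgoing packets. A true firewall."
        echo -e "\r"
        echo "   restart:  Performs the same action as if you were to STOP and START the"
        echo "             firewall. It is useful when the firewall settings have been changed"
        echo "             and it must be restarted for them to take effect. This will save you"
        echo "             a reboot."
        echo -e "\r"
        echo "   status:   Gives a short summary of firewall information (not really useful yet)."
        echo -e "\r"
        export PATH="$ORIGPATH"
        exit 1
        ;;
esac

echo
export PATH="$ORIGPATH"
exit 0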


