Firewall rc-script for redhat or lfs systems
#!/bin/sh # # apu netfilter config script # (C) and written by BeF <dr.bef@gmx.net> & Fry #
# include functions from lfs . /etc/init.d/functions
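### programs ###
# Make sure the admin binaries are found even when the script is run from a
# minimal boot environment.
PATH=$PATH:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin

SED="sed"
IFCONFIG="ifconfig"
GREP="grep"
LSMOD="lsmod"
IPTABLES_CMD="iptables"
# Every rule is issued through IPTABLES_FUNC, which records failures in CHECK.
IPTABLES=IPTABLES_FUNC
# Stays "true" as long as no iptables call has failed; handed to loadproc for
# the OK/FAILED status line.
CHECK=true

### ips ###
EXT_NET="192.168.100.0/24"   # network of external device
EXT_DEV=eth0                 # external device name
EXT_GW="192.168.100.1"       # IP of next gateway on external device (not used below)

INT_NET="192.168.23.0/24"    # network of internal device
INT_DEV=eth1                 # internal device name

# Determine the IPs of the internal and external interface by parsing the
# "inet addr:A.B.C.D  Bcast:..." line of ifconfig's output.
# The result is empty when the interface is down or unconfigured; the NAT rules
# use "-d $EXT_IP", so an empty value makes them fail to load (CHECK -> false).
EXT_IP=$($IFCONFIG "$EXT_DEV" | $GREP "inet addr" | $SED -e "s/.*inet addr://" -e "s/\\s*Bcast.*//")
INT_IP=$($IFCONFIG "$INT_DEV" | $GREP "inet addr" | $SED -e "s/.*inet addr://" -e "s/\\s*Bcast.*//")
[ -n "$EXT_IP" ] || echo "warning: could not determine the IP of $EXT_DEV" >&2
[ -n "$INT_IP" ] || echo "warning: could not determine the IP of $INT_DEV" >&2

# some important IPs for NAT
WEBSERVER_IP=192.168.23.35
SSHSERVER_IP=192.168.23.34
SSHSERVER2_IP=192.168.23.10
BEFS_RECHNER=192.168.23.98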
### functions ###
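# Wrapper around the real iptables binary.
# Arguments: the iptables arguments, passed through unchanged.
# Globals:   IPTABLES_CMD (read); CHECK is set to "false" when the call fails,
#            so the status line at the end of start/stop reflects every rule.
# Returns:   0 (a failed call is recorded in CHECK, not propagated).
IPTABLES_FUNC() {
    # "$@" hands every argument over intact; the former $* was re-split on
    # whitespace, so an argument containing a space would have been mangled.
    if ! $IPTABLES_CMD "$@"; then
        CHECK="false"
    fi
}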
# rule functions # called by # rule_xxx <tcp|udp> <port> [afected network]
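# Allow an outbound service from the firewall host itself.
# Arguments: $1 protocol (tcp|udp), $2 destination port, $3 optional network
#            the replies may come from (-s on the INPUT rule).
# Globals:   IPTABLES (read)
# The reply rule is limited to ESTABLISHED/RELATED packets: an unconditional
# "--sport $2 ACCEPT" let anyone reach every local port simply by sending from
# source port 80/53/21/... (the INPUT policy is DROP, so that was the only gate).
# Conntrack is required for the state match; the stateful rules below load it.
rule_out() {
    $IPTABLES -A OUTPUT -p "$1" --dport "$2" -j ACCEPT
    # ${3:+-s "$3"} expands to "-s NET" only when a network was given
    $IPTABLES -A INPUT -p "$1" --sport "$2" ${3:+-s "$3"} \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Allow an inbound service offered by the firewall host itself.
# Arguments: $1 protocol (tcp|udp), $2 local port, $3 optional network the
#            clients must come from (-s on the INPUT rule).
# Globals:   IPTABLES (read)
# The OUTPUT reply rule stays unconditional on purpose: the box may answer
# DHCP (udp 67) with broadcasts that conntrack does not tie to the request.
rule_in() {
    $IPTABLES -A OUTPUT -p "$1" --sport "$2" -j ACCEPT
    $IPTABLES -A INPUT -p "$1" --dport "$2" ${3:+-s "$3"} -j ACCEPT
}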
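### rc code ###
# start: load the complete rule set, then enable forwarding.
# stop:  disable forwarding, then open everything (all policies ACCEPT).
case "$1" in
start)
    ###############

    ### ipchains/tables modules ###
    # ipchains and iptables cannot be loaded at the same time; get rid of the
    # legacy module if it is still around.
    $LSMOD | $GREP -q ipchains && rmmod ipchains

    ### basic rule configuration ###

    # policies first, then flush: the host fails closed while the rules are
    # reloaded instead of sitting on empty chains with ACCEPT policies
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD ACCEPT
    $IPTABLES -P OUTPUT DROP

    # flush
    $IPTABLES -F
    $IPTABLES -F -t nat

    ### MASQ ###
    # masquerade outbound: from apu to the internet -> source address is always apu
    #$IPTABLES -t nat -A POSTROUTING -o $EXT_DEV -j MASQUERADE
    # masquerade inbound: from apu to 192.168.23.0/24 -> source address apu,
    # but not when the destination host is the sun!
    # (uses the legacy "-d !" inversion; recent iptables versions want "! -d")
    #$IPTABLES -t nat -A POSTROUTING -o $INT_DEV -d ! $SSHSERVER_IP -j MASQUERADE

    ### specific rule configuration for INPUT/OUTPUT ###

    # ping in
    #$IPTABLES -A INPUT -p icmp --icmp-type echo-request -s $INT_NET -j ACCEPT
    #$IPTABLES -A OUTPUT -p icmp --icmp-type echo-reply -d $INT_NET -j ACCEPT
    #$IPTABLES -A INPUT -p icmp --icmp-type echo-request -s $EXT_NET -j ACCEPT
    #$IPTABLES -A OUTPUT -p icmp --icmp-type echo-reply -d $EXT_NET -j ACCEPT
    # let ping from road warriors and from world to bitsnbugs.myip.org
    $IPTABLES -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    $IPTABLES -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT

    # ping out
    $IPTABLES -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
    $IPTABLES -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

    # ssh
    #rule_in tcp 22 $INT_NET
    # for vpn !!!
    # No source restriction: the firewall's own sshd is reachable on every
    # interface. Port 22 arriving on $EXT_DEV is DNATed to $SSHSERVER_IP in the
    # NAT section, so from outside this should only matter for IPsec traffic.
    rule_in tcp 22
    rule_out tcp 22

    # mail
    rule_out tcp 25
    rule_in tcp 25

    # dns
    rule_out udp 53
    rule_in udp 53

    # www out
    rule_out tcp 80

    # ftp out
    rule_out tcp 21

    # telnet out
    rule_out tcp 23

    # dhcp
    rule_in udp 67

    # proxy
    #rule_in tcp 8889

    ### IPSEC SECTION ###

    # isakmp/ike
    rule_in udp 500
    rule_out udp 500

    # esp (IP protocol 50)
    $IPTABLES -A INPUT -p 50 -j ACCEPT
    $IPTABLES -A OUTPUT -p 50 -j ACCEPT

    # icmp
    $IPTABLES -A OUTPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
    $IPTABLES -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
    $IPTABLES -A FORWARD -p icmp --icmp-type destination-unreachable -j ACCEPT

    # fragments
    # NOTE(review): "-f" matches second and later fragments, which carry no port
    # header, so these accept them in all three chains regardless of the
    # port-based rules above. Once ip_conntrack is loaded (the -m state rules
    # below do that) packets are normally reassembled before filtering and
    # these rules should rarely match; consider dropping them.
    $IPTABLES -I FORWARD -f -j ACCEPT
    $IPTABLES -A INPUT -f -j ACCEPT
    $IPTABLES -A OUTPUT -f -j ACCEPT

    ### specific rule configuration for FORWARD ###

    ### stateful firewall ###
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # unsolicited connections from the outside are not forwarded; the DNAT
    # exceptions below are inserted (-I) in front of this rule
    $IPTABLES -A FORWARD -m state --state NEW -i $EXT_DEV -j DROP

    ### allow incoming active ftp-traffic
    # NOTE(review): this accepts ANY new connection coming in on $EXT_DEV whose
    # source port is 20, to any internal host and port -- the sender picks the
    # source port. With the ip_conntrack_ftp helper loaded, active-FTP data
    # connections are RELATED and pass the stateful rule above, making this
    # rule unnecessary; keep it only if that helper is not available.
    $IPTABLES -I FORWARD -i $EXT_DEV -p tcp --sport 20 -j ACCEPT

    ### disable irc for michi :-) ###
    # $IPTABLES -A FORWARD -p tcp -s $INT_NET --dport 6667 -j DROP

    ### NAT SECTION ###
    # Each DNAT is paired with a FORWARD accept; the FORWARD rule has to match
    # the destination port AFTER translation, not the public port.

    # www
    $IPTABLES -t nat -A PREROUTING -i $EXT_DEV -p tcp -d $EXT_IP --dport 80 -j DNAT --to $WEBSERVER_IP:80
    $IPTABLES -I FORWARD -i $EXT_DEV -p tcp -d $WEBSERVER_IP --dport 80 -j ACCEPT

    # www to bef's box on port 768
    #$IPTABLES -t nat -A PREROUTING -i $EXT_DEV -p tcp -d $EXT_IP --dport 768 -j DNAT --to $BEFS_RECHNER:80
    #$IPTABLES -I FORWARD -i $EXT_DEV -p tcp -d $BEFS_RECHNER --dport 80 -j ACCEPT

    # ssh
    $IPTABLES -t nat -A PREROUTING -i $EXT_DEV -p tcp -d $EXT_IP --dport 22 -j DNAT --to $SSHSERVER_IP:22
    $IPTABLES -I FORWARD -i $EXT_DEV -p tcp -d $SSHSERVER_IP --dport 22 -j ACCEPT

    # telnet
    $IPTABLES -t nat -A PREROUTING -i $EXT_DEV -p tcp -d $EXT_IP --dport 767 -j DNAT --to $SSHSERVER_IP:767
    $IPTABLES -I FORWARD -i $EXT_DEV -p tcp -d $SSHSERVER_IP --dport 767 -j ACCEPT

    # ssh to the bsd box
    # public port 766 is translated to 22, so the FORWARD rule must match 22;
    # matching 766 here never fired and the connection hit the "NEW" DROP above
    $IPTABLES -t nat -A PREROUTING -i $EXT_DEV -p tcp -d $EXT_IP --dport 766 -j DNAT --to $SSHSERVER2_IP:22
    $IPTABLES -I FORWARD -i $EXT_DEV -p tcp -d $SSHSERVER2_IP --dport 22 -j ACCEPT

    ### forwarding ###
    # Enabled only now: with the FORWARD policy at ACCEPT, switching it on
    # before the chain is populated forwards anything that arrives meanwhile.
    echo 1 >/proc/sys/net/ipv4/ip_forward

    ### loadproc prints the OK/FAILED status line (evaluated after the NAT
    ### rules so a failed DNAT is reflected in $CHECK as well)
    echo -n "starting firewall"; loadproc $CHECK;

    ############
    ;;
stop)
    ############

    # disable forwarding before the chains are opened up
    echo 0 >/proc/sys/net/ipv4/ip_forward

    # flush
    $IPTABLES -F
    $IPTABLES -F -t nat

    # policies
    # NOTE: after stop the host itself is completely open (ACCEPT everywhere);
    # only routing between the interfaces is switched off.
    $IPTABLES -P INPUT ACCEPT
    $IPTABLES -P FORWARD ACCEPT
    $IPTABLES -P OUTPUT ACCEPT

    echo -n "shutting down firewall"; loadproc $CHECK;

    ##################
    ;;
restart)
    $0 stop
    $0 start
    ;;
*)
    echo "USAGE: $0 {start|stop|restart}"
    exit 1
    ;;
esac

####################### END #########################
exit 0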