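#!/bin/sh
#
# Stateful NAT firewall for a two-interface gateway, built with iptables.
#
# Usage:
#   firewall on  <INET_IP> <INET_IFACE>   load the ruleset (default policy DROP)
#   firewall off                          flush everything, reset policies to ACCEPT
#
# The LAN side is configured statically in section 1.2; the internet side
# (address and interface) is taken from the command line.
#
# -e: stop at the first failing iptables call instead of silently leaving a
#     half-built ruleset behind. The DROP policies are installed before any
#     ACCEPT rule, so an aborted "on" fails closed rather than open.
# -u: a misspelled variable is an error instead of an empty argument; the
#     previous revision lost several rules to typos such as LAN_IFAC/LO_IF.
set -eu

#
# 1. Configuration options
#

#
# 1.1 Internet Configuration (from the command line; checked in fw_on)
#
INET_IP=${2-}
INET_IFACE=${3-}

#
# 1.2 Local Area Network configuration
#
LAN_IP="192.168.0.1"
LAN_IP_RANGE="192.168.0.0/16"
LAN_BCAST_ADDRESS="192.168.255.255"
LAN_IFACE="eth0"

#
# 1.3 Localhost Configuration
#
LO_IFACE="lo"
LO_IP="127.0.0.1"

#
# 1.4 Iptables configuration
#
IPTABLES=/sbin/iptables

# Syslog level for the LOG target. iptables accepts 0-7 or the symbolic
# names; the previous value "9" is out of range and is rejected.
LOG_LEVEL=debug

#
# 1.5 Other configurations or variable
#
WINMXCLIENT="192.168.0.10"
FTPCLIENT="192.168.0.10"

########################################################################

# Print a message on stderr and exit non-zero.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Print the command-line contract and exit with status 2.
usage() {
  printf 'Usage: %s on <INET_IP> <INET_IFACE> | off\n' "${0##*/}" >&2
  exit 2
}

# Everything below shells out to $IPTABLES; fail early if it is missing.
check_iptables() {
  [ -x "$IPTABLES" ] || die "iptables not found or not executable: $IPTABLES"
}

#######################################
# Load the complete ruleset.
# Globals:  INET_IP, INET_IFACE (read; must be non-empty), all 1.x settings
# Returns:  0 on success; any failing iptables call aborts the script (set -e)
#######################################
fw_on() {
  # The internet side comes from argv; without it the SNAT/INPUT rules
  # would be built with empty arguments.
  [ -n "$INET_IP" ] && [ -n "$INET_IFACE" ] || usage
  printf 'Starting firewall on %s (%s)\n' "$INET_IFACE" "$INET_IP"

  #
  # 2. rules set up
  #

  ###
  # 2.1 Filter table
  #

  #
  # 2.1.1 Set policies
  #

  # Start from an empty filter table: flush all rules, delete user chains.
  "$IPTABLES" -F
  "$IPTABLES" -X

  # Default: every packet that matches no rule is dropped.
  "$IPTABLES" -P INPUT DROP
  "$IPTABLES" -P OUTPUT DROP
  "$IPTABLES" -P FORWARD DROP

  #
  # 2.1.2 Create user specified chains
  #
  # Chain names must match exactly what the -A/-j rules below use;
  # iptables rejects a reference to a chain that does not exist.

  # Chain for bad tcp packets
  "$IPTABLES" -N bad_tcp_packets

  # Separate chains for ICMP, TCP and UDP to traverse
  "$IPTABLES" -N allowed
  "$IPTABLES" -N icmp_packets
  "$IPTABLES" -N tcp_packets
  "$IPTABLES" -N udpincoming_packets

  #
  # 2.1.3 Create content in user specified chains
  #

  #
  # bad_tcp_packets: TCP that conntrack sees as NEW but that carries no SYN
  # (e.g. a stray ACK after a timed-out connection) is logged and dropped.
  #
  "$IPTABLES" -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
      --log-prefix "New not syn" --log-level "$LOG_LEVEL"
  "$IPTABLES" -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

  #
  # allowed chain: accept connection attempts (SYN) and everything that
  # belongs to a known connection; drop the rest.
  #
  "$IPTABLES" -A allowed -p TCP --syn -j ACCEPT
  "$IPTABLES" -A allowed -m state --state ESTABLISHED,RELATED -j ACCEPT
  "$IPTABLES" -A allowed -j DROP

  #
  # TCP rules
  #
  # NOTE(review): tcp_packets is only entered for traffic arriving on
  # $INET_IFACE (see 2.1.4), so the two "-i $LAN_IFACE" rules below can
  # never match; ports 21 and 6699 from the internet are handled by the
  # DNAT rules in 3.2.4 instead. Kept as written pending confirmation of
  # the intended interface.

  # FTP
  "$IPTABLES" -A tcp_packets -p TCP -i "$LAN_IFACE" --dport 21 -j allowed
  # WINMX
  "$IPTABLES" -A tcp_packets -p TCP -i "$LAN_IFACE" --dport 6699 -j allowed
  # DNS
  "$IPTABLES" -A tcp_packets -p TCP -s "$LAN_IP_RANGE" --dport 53 -j allowed
  # SAMBA
  "$IPTABLES" -A tcp_packets -p TCP -s "$LAN_IP_RANGE" --dport 137 -j allowed
  "$IPTABLES" -A tcp_packets -p TCP -s "$LAN_IP_RANGE" --dport 138 -j allowed
  "$IPTABLES" -A tcp_packets -p TCP -s "$LAN_IP_RANGE" --dport 139 -j allowed

  #
  # UDP
  #

  # WINMX
  "$IPTABLES" -A udpincoming_packets -p UDP -i "$INET_IFACE" --dport 6257 -j ACCEPT

  #
  # ICMP rules: echo request (8) and time exceeded (11) from the LAN only
  #
  "$IPTABLES" -A icmp_packets -p ICMP -i "$LAN_IFACE" -s "$LAN_IP_RANGE" --icmp-type 8 -j ACCEPT
  "$IPTABLES" -A icmp_packets -p ICMP -i "$LAN_IFACE" -s "$LAN_IP_RANGE" --icmp-type 11 -j ACCEPT

  #
  # 2.1.4 INPUT chain
  #

  # Bad TCP packets we dont want
  "$IPTABLES" -A INPUT -p tcp -j bad_tcp_packets

  # Rules for special networks not part of internet
  "$IPTABLES" -A INPUT -p ALL -i "$LAN_IFACE" -s "$LAN_IP_RANGE" -j ACCEPT
  "$IPTABLES" -A INPUT -p ALL -i "$LO_IFACE" -s "$LO_IP" -j ACCEPT
  "$IPTABLES" -A INPUT -p ALL -i "$LO_IFACE" -s "$LAN_IP" -j ACCEPT
  "$IPTABLES" -A INPUT -p ALL -i "$LO_IFACE" -s "$INET_IP" -j ACCEPT
  "$IPTABLES" -A INPUT -p ALL -i "$LAN_IFACE" -d "$LAN_BCAST_ADDRESS" -j ACCEPT

  # Rules for incoming packets from the internet
  "$IPTABLES" -A INPUT -p ALL -d "$INET_IP" -m state --state ESTABLISHED,RELATED -j ACCEPT
  "$IPTABLES" -A INPUT -p TCP -i "$INET_IFACE" -j tcp_packets
  "$IPTABLES" -A INPUT -p UDP -i "$INET_IFACE" -j udpincoming_packets
  "$IPTABLES" -A INPUT -p ICMP -i "$INET_IFACE" -j icmp_packets

  # Log (rate-limited) packets that dont match the above; the DROP policy
  # then discards them.
  "$IPTABLES" -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
      --log-level "$LOG_LEVEL" --log-prefix "IPT INPUT packet died: "

  #
  # 2.1.5 FORWARD chain
  #

  # Bad packets we dont want
  "$IPTABLES" -A FORWARD -p tcp -j bad_tcp_packets

  # Accept the packets we actually want to forward
  "$IPTABLES" -A FORWARD -i "$LAN_IFACE" -s "$LAN_IP_RANGE" -j ACCEPT
  "$IPTABLES" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  # WINMX (matches the DNAT targets in 3.2.4)
  "$IPTABLES" -A FORWARD -i "$INET_IFACE" -p tcp -d "$WINMXCLIENT" --dport 6699 -j ACCEPT
  "$IPTABLES" -A FORWARD -i "$INET_IFACE" -p udp -d "$WINMXCLIENT" --dport 6257 -j ACCEPT
  "$IPTABLES" -A FORWARD -i "$LAN_IFACE" -p udp -s "$WINMXCLIENT" --sport 6257 -j ACCEPT

  # Log weird packets that dont match the above
  "$IPTABLES" -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \
      --log-level "$LOG_LEVEL" --log-prefix "IPT FORWARD packet died: "

  #
  # 2.1.6 OUTPUT chain
  #

  # Bad packets we dont want
  "$IPTABLES" -A OUTPUT -p tcp -j bad_tcp_packets

  # Special OUTPUT rules to decide which source IPs are allowed out
  "$IPTABLES" -A OUTPUT -p ALL -s "$LO_IP" -j ACCEPT
  "$IPTABLES" -A OUTPUT -p ALL -s "$LAN_IP" -j ACCEPT
  "$IPTABLES" -A OUTPUT -p ALL -s "$INET_IP" -j ACCEPT

  # Log weird packets that dont match the above
  "$IPTABLES" -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
      --log-level "$LOG_LEVEL" --log-prefix "IPT OUTPUT packet died: "

  ######
  # 3.2 nat table
  #

  #
  # 3.2.1 Set policies (nat chains keep their default ACCEPT policy)
  #
  "$IPTABLES" -t nat -F

  #
  # 3.2.4 PREROUTING chain: port-forward services running on LAN clients
  #

  # WINMX
  "$IPTABLES" -t nat -A PREROUTING -p tcp --dport 6699 -i "$INET_IFACE" -j DNAT \
      --to-destination "$WINMXCLIENT:6699"
  "$IPTABLES" -t nat -A PREROUTING -p udp --dport 6257 -i "$INET_IFACE" -j DNAT \
      --to-destination "$WINMXCLIENT:6257"
  # FTP
  "$IPTABLES" -t nat -A PREROUTING -p tcp --dport 21 -i "$INET_IFACE" -j DNAT \
      --to-destination "$FTPCLIENT:21"

  #
  # 3.2.5 POSTROUTING chain
  #

  # Rewrite the source of everything leaving on the internet interface to
  # the (static) internet address.
  "$IPTABLES" -t nat -A POSTROUTING -o "$INET_IFACE" -j SNAT --to-source "$INET_IP"

  ######
  # 3.3 mangle table: nothing configured
  #
}

#######################################
# Remove the ruleset: reset policies to ACCEPT, then flush and delete
# all chains in the filter, nat and mangle tables.
# Globals:  IPTABLES (read)
#######################################
fw_off() {
  printf '%s\n' "Shutting down firewall"

  # reset the default policies in the filter table
  "$IPTABLES" -P INPUT ACCEPT
  "$IPTABLES" -P OUTPUT ACCEPT
  "$IPTABLES" -P FORWARD ACCEPT

  # reset the default policies in the nat table
  "$IPTABLES" -t nat -P PREROUTING ACCEPT
  "$IPTABLES" -t nat -P POSTROUTING ACCEPT
  "$IPTABLES" -t nat -P OUTPUT ACCEPT

  # reset the default policies in the mangle table
  "$IPTABLES" -t mangle -P PREROUTING ACCEPT
  "$IPTABLES" -t mangle -P OUTPUT ACCEPT

  # flush all rules in the filter, nat and mangle tables
  "$IPTABLES" -F
  "$IPTABLES" -t nat -F
  "$IPTABLES" -t mangle -F

  # erase all user chains in the filter, nat and mangle tables
  "$IPTABLES" -X
  "$IPTABLES" -t nat -X
  "$IPTABLES" -t mangle -X
}

########################################################################
case "${1-}" in
  on)
    check_iptables
    fw_on
    ;;
  off)
    check_iptables
    fw_off
    ;;
  *)
    usage
    ;;
esac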

 