> Does anyone have any simple rules out there to enable the following:
>
> eth0 local
> eth1 dmz
> eth2 internet
>
> all local can see dmz and internet
> all dmz can see only internet
Have a look at ipcop's tables - these are from my box - been messed by
addons
Maurice
****************************
/etc/rc.d/rc.firewall
****************************
#!/bin/sh
#
# $Id: rc.firewall,v 1.7.2.24 2007/11/17 08:12:29 owes Exp $
#
eval $(/usr/local/bin/readhash /var/ipcop/ppp/settings)
eval $(/usr/local/bin/readhash /var/ipcop/ethernet/settings)
if [ -f /var/ipcop/red/iface ]; then
IFACE=`/bin/cat /var/ipcop/red/iface 2> /dev/null | /usr/bin/tr -d
'\012'`
fi
if [ -f /var/ipcop/red/device ]; then
DEVICE=`/bin/cat /var/ipcop/red/device 2> /dev/null | /usr/bin/tr -d
'\012'`
fi
iptables_init() {
# Flush all rules and delete all custom chains
/sbin/iptables -F
/sbin/iptables -t nat -F
/sbin/iptables -t mangle -F
/sbin/iptables -X
/sbin/iptables -t nat -X
/sbin/iptables -t mangle -X
# Set up policies
/sbin/iptables -P INPUT DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -P OUTPUT ACCEPT
# Empty LOG_DROP and LOG_REJECT chains
/sbin/iptables -N LOG_DROP
/sbin/iptables -A LOG_DROP -m limit --limit 10/minute -j LOG
/sbin/iptables -A LOG_DROP -j DROP
/sbin/iptables -N LOG_REJECT
/sbin/iptables -A LOG_REJECT -m limit --limit 10/minute -j LOG
/sbin/iptables -A LOG_REJECT -j REJECT
# This chain will log, then DROPs packets with certain bad
combinations
# of flags might indicate a port-scan attempt (xmas, null, etc)
/sbin/iptables -N PSCAN
/sbin/iptables -A PSCAN -p tcp -m limit --limit 10/minute -j LOG
--log-prefix "TCP Scan? "
/sbin/iptables -A PSCAN -p udp -m limit --limit 10/minute -j LOG
--log-prefix "UDP Scan? "
/sbin/iptables -A PSCAN -p icmp -m limit --limit 10/minute -j LOG
--log-prefix "ICMP Scan? "
/sbin/iptables -A PSCAN -f -m limit --limit 10/minute -j LOG
--log-prefix "FRAG Scan? "
/sbin/iptables -A PSCAN -j DROP
# New tcp packets without SYN set - could well be an obscure type of
port scan
# that's not covered above, may just be a broken windows machine
/sbin/iptables -N NEWNOTSYN
/sbin/iptables -A NEWNOTSYN -m limit --limit 10/minute -j LOG
--log-prefix "NEW not SYN? "
/sbin/iptables -A NEWNOTSYN -j DROP
# Chain to contain all the rules relating to bad TCP flags
/sbin/iptables -N BADTCP
# Disallow packets frequently used by port-scanners
# nmap xmas
/sbin/iptables -A BADTCP -p tcp --tcp-flags ALL FIN,URG,PSH -j
PSCAN
# Null
/sbin/iptables -A BADTCP -p tcp --tcp-flags ALL NONE -j PSCAN
# FIN
/sbin/iptables -A BADTCP -p tcp --tcp-flags ALL FIN -j PSCAN
# SYN/RST (also catches xmas variants that set SYN+RST+...)
/sbin/iptables -A BADTCP -p tcp --tcp-flags SYN,RST SYN,RST -j PSCAN
# SYN/FIN (QueSO or nmap OS probe)
/sbin/iptables -A BADTCP -p tcp --tcp-flags SYN,FIN SYN,FIN -j PSCAN
# NEW TCP without SYN
/sbin/iptables -A BADTCP -p tcp ! --syn -m state --state NEW -j
NEWNOTSYN
/sbin/iptables -A INPUT -j BADTCP
/sbin/iptables -A FORWARD -j BADTCP
}
iptables_red() {
/sbin/iptables -F REDINPUT
/sbin/iptables -F REDFORWARD
/sbin/iptables -t nat -F REDNAT
# PPPoE / PPTP Device
if [ "$IFACE" != "" ]; then
# PPPoE / PPTP
if [ "$DEVICE" != "" ]; then
/sbin/iptables -A REDINPUT -i $DEVICE -j ACCEPT
fi
if [ "$RED_TYPE" == "PPTP" -o "$RED_TYPE" == "PPPOE" ]; then
if [ "$RED_DEV" != "" ]; then
/sbin/iptables -A REDINPUT -i $RED_DEV -j
ACCEPT
fi
fi
fi
# PPTP over DHCP
if [ "$DEVICE" != "" -a "$TYPE" == "PPTP" -a "$METHOD" == "DHCP" ];
then
/sbin/iptables -A REDINPUT -p tcp --source-port 67
--destination-port 68 -i $DEVICE -j ACCEPT
/sbin/iptables -A REDINPUT -p udp --source-port 67
--destination-port 68 -i $DEVICE -j ACCEPT
fi
# Orange pinholes
if [ "$ORANGE_DEV" != "" ]; then
# This rule enables a host on ORANGE network to connect to
the outside
# (only if we have a red connection)
if [ "$IFACE" != "" ]; then
/sbin/iptables -A REDFORWARD -i $ORANGE_DEV -p tcp
-o $IFACE -j ACCEPT
/sbin/iptables -A REDFORWARD -i $ORANGE_DEV -p udp
-o $IFACE -j ACCEPT
fi
fi
if [ "$IFACE" != "" -a -f /var/ipcop/red/active ]; then
# DHCP
if [ "$RED_DEV" != "" -a "$RED_TYPE" == "DHCP" ]; then
/sbin/iptables -A REDINPUT -p tcp --source-port 67
--destination-port 68 -i $IFACE -j ACCEPT
/sbin/iptables -A REDINPUT -p udp --source-port 67
--destination-port 68 -i $IFACE -j ACCEPT
fi
if [ "$METHOD" == "DHCP" -a "$PROTOCOL" == "RFC1483" ];
then
/sbin/iptables -A REDINPUT -p tcp --source-port 67
--destination-port 68 -i $IFACE -j ACCEPT
/sbin/iptables -A REDINPUT -p udp --source-port 67
--destination-port 68 -i $IFACE -j ACCEPT
fi
# Outgoing masquerading
/sbin/iptables -t nat -A REDNAT -o $IFACE -j MASQUERADE
fi
}
# See how we were called.
case "$1" in
start)
iptables_init
# Limit Packets- helps reduce dos/syn attacks
# original do nothing line
#/sbin/iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN
-m limit --limit 10/sec
# the correct one, but the negative '!' do nothing...
#/sbin/iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN
-m limit ! --limit 10/sec -j DROP
# Fix for braindead ISP's
/sbin/iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS
--clamp-mss-to-pmtu
# CUSTOM chains, can be used by the users themselves
/sbin/iptables -N CUSTOMINPUT
/sbin/iptables -A INPUT -j CUSTOMINPUT
/sbin/iptables -N CUSTOMFORWARD
/sbin/iptables -A FORWARD -j CUSTOMFORWARD
/sbin/iptables -N CUSTOMOUTPUT
/sbin/iptables -A OUTPUT -j CUSTOMOUTPUT
/sbin/iptables -t nat -N CUSTOMPREROUTING
/sbin/iptables -t nat -A PREROUTING -j CUSTOMPREROUTING
/sbin/iptables -t nat -N CUSTOMPOSTROUTING
/sbin/iptables -t nat -A POSTROUTING -j CUSTOMPOSTROUTING
# filtering from GUI
/sbin/iptables -N GUIINPUT
/sbin/iptables -A INPUT -j GUIINPUT
# Accept everything connected
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j
ACCEPT
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j
ACCEPT
# traffic from ipsecX/tun/tap interfaces, before "-i GREEN_DEV"
accept everything
/sbin/iptables -N IPSECVIRTUAL
/sbin/iptables -N OPENSSLVIRTUAL
/sbin/iptables -A INPUT -j IPSECVIRTUAL
/sbin/iptables -A INPUT -j OPENSSLVIRTUAL
/sbin/iptables -A FORWARD -j IPSECVIRTUAL
/sbin/iptables -A FORWARD -j OPENSSLVIRTUAL
# localhost and ethernet.
/sbin/iptables -A INPUT -i lo -m state --state NEW -j
ACCEPT
/sbin/iptables -A INPUT -s 127.0.0.0/8 -m state --state NEW -j
DROP # Loopback not on lo
/sbin/iptables -A INPUT -d 127.0.0.0/8 -m state --state NEW -j
DROP
/sbin/iptables -A FORWARD -i lo -m state --state NEW -j
ACCEPT
/sbin/iptables -A FORWARD -s 127.0.0.0/8 -m state --state NEW -j
DROP
/sbin/iptables -A FORWARD -d 127.0.0.0/8 -m state --state NEW -j
DROP
/sbin/iptables -A INPUT -i $GREEN_DEV -m state --state NEW -j
ACCEPT -p ! icmp
/sbin/iptables -A FORWARD -i $GREEN_DEV -m state --state NEW -j
ACCEPT
# If a host on orange tries to initiate a connection to IPCop's red
IP and
# the connection gets DNATed back through a port forward to a server
on orange
# we end up with orange -> orange traffic passing through IPCop
[ "$ORANGE_DEV" != "" ] && /sbin/iptables -A FORWARD -i $ORANGE_DEV
-o $ORANGE_DEV -m state --state NEW -j ACCEPT
# allow DHCP on BLUE to be turned on/off
/sbin/iptables -N DHCPBLUEINPUT
/sbin/iptables -A INPUT -j DHCPBLUEINPUT
# IPsec
/sbin/iptables -N IPSECPHYSICAL
/sbin/iptables -A INPUT -j IPSECPHYSICAL
# OpenSSL
/sbin/iptables -N OPENSSLPHYSICAL
/sbin/iptables -A INPUT -j OPENSSLPHYSICAL
# WIRELESS chains
/sbin/iptables -N WIRELESSINPUT
/sbin/iptables -A INPUT -m state --state NEW -j WIRELESSINPUT
/sbin/iptables -N WIRELESSFORWARD
/sbin/iptables -A FORWARD -m state --state NEW -j WIRELESSFORWARD
# RED chain, used for the red interface
/sbin/iptables -N REDINPUT
/sbin/iptables -A INPUT -j REDINPUT
/sbin/iptables -N REDFORWARD
/sbin/iptables -A FORWARD -j REDFORWARD
/sbin/iptables -t nat -N REDNAT
/sbin/iptables -t nat -A POSTROUTING -j REDNAT
iptables_red
# DMZ pinhole chain. setdmzholes setuid prog adds rules here to
allow
# ORANGE to talk to GREEN / BLUE.
/sbin/iptables -N DMZHOLES
if [ "$ORANGE_DEV" != "" ]; then
/sbin/iptables -A FORWARD -i $ORANGE_DEV -m state --state
NEW -j DMZHOLES
fi
# XTACCESS chain, used for external access
/sbin/iptables -N XTACCESS
/sbin/iptables -A INPUT -m state --state NEW -j XTACCESS
# PORTFWACCESS chain, used for portforwarding
/sbin/iptables -N PORTFWACCESS
/sbin/iptables -A FORWARD -m state --state NEW -j PORTFWACCESS
# Custom prerouting chains (for transparent proxy and port
forwarding)
/sbin/iptables -t nat -N SQUID
/sbin/iptables -t nat -A PREROUTING -j SQUID
/sbin/iptables -t nat -N PORTFW
/sbin/iptables -t nat -A PREROUTING -j PORTFW
# Custom mangle chain (for port fowarding)
/sbin/iptables -t mangle -N PORTFWMANGLE
/sbin/iptables -t mangle -A PREROUTING -j PORTFWMANGLE
# Postrouting rules (for port forwarding)
/sbin/iptables -t nat -A POSTROUTING -m mark --mark 1 -j SNAT \
--to-source $GREEN_ADDRESS
if [ "$BLUE_DEV" != "" ]; then
/sbin/iptables -t nat -A POSTROUTING -m mark --mark 2 -j
SNAT --to-source $BLUE_ADDRESS
fi
if [ "$ORANGE_DEV" != "" ]; then
/sbin/iptables -t nat -A POSTROUTING -m mark --mark 3 -j
SNAT --to-source $ORANGE_ADDRESS
fi
# run local firewall configuration, if present
if [ -x /etc/rc.d/rc.firewall.local ]; then
/etc/rc.d/rc.firewall.local start
fi
# last rule in input and forward chain is for logging.
/sbin/iptables -A INPUT -m limit --limit 10/minute -j LOG
--log-prefix "INPUT "
/sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG
--log-prefix "OUTPUT "
;;
stop)
iptables_init
# Accept everyting connected
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j
ACCEPT
# localhost and ethernet.
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -i $GREEN_DEV -m state --state NEW -j ACCEPT
if [ "$RED_DEV" != "" -a "$RED_TYPE" == "DHCP" -a "$IFACE" != "" ];
then
/sbin/iptables -A INPUT -p tcp --source-port 67
--destination-port 68 -i $IFACE -j ACCEPT
/sbin/iptables -A INPUT -p udp --source-port 67
--destination-port 68 -i $IFACE -j ACCEPT
fi
if [ "$PROTOCOL" == "RFC1483" -a "$METHOD" == "DHCP" -a "$IFACE" !=
"" ]; then
/sbin/iptables -A INPUT -p tcp --source-port 67
--destination-port 68 -i $IFACE -j ACCEPT
/sbin/iptables -A INPUT -p udp --source-port 67
--destination-port 68 -i $IFACE -j ACCEPT
fi
# run local firewall configuration, if present
if [ -x /etc/rc.d/rc.firewall.local ]; then
/etc/rc.d/rc.firewall.local stop
fi
/sbin/iptables -A INPUT -m limit --limit 10/minute -j LOG
--log-prefix "INPUT "
/sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG
--log-prefix "OUTPUT "
;;
reload)
iptables_red
# run local firewall configuration, if present
if [ -x /etc/rc.d/rc.firewall.local ]; then
/etc/rc.d/rc.firewall.local reload
fi
;;
restart)
$0 stop
$0 start
;;
*)
echo "Usage: $0 {start|stop|reload|restart}"
exit 1
;;
esac
exit 0
****************************
/var/ipcop/ethernet/settings
****************************
CONFIG_TYPE=2
GREEN_DRIVER=8139too
GREEN_DRIVER_OPTIONS=
GREEN_DEV=eth0
GREEN_DISPLAYDRIVER=8139too
GREEN_ADDRESS=192.168.0.1
GREEN_NETMASK=255.255.255.0
GREEN_NETADDRESS=192.168.0.0
GREEN_BROADCAST=192.168.0.255
ORANGE_DEV=
BLUE_DEV=
RED_DEV=eth1
RED_DRIVER=
RED_DRIVER_OPTIONS=
RED_DISPLAYDRIVER=8139too
RED_DHCP_HOSTNAME=gateway
RED_ADDRESS=192.168.1.2
RED_NETMASK=255.255.255.0
RED_TYPE=STATIC
RED_NETADDRESS=192.168.1.0
RED_BROADCAST=192.168.1.255
DNS1=192.168.1.1
DNS2=
DEFAULT_GATEWAY=192.168.1.1
