| allend |
12-09-2008 07:30 PM |
This is a firewall script that I use on a Linux server acting as a gateway to Windows machines on two separate interfaces. ( I have masked some IP addresses ). This server is successfully forwarding VNC traffic.
It is modified from a much earlier script that I downloaded long ago from the net. Hope this offers some ideas.
Code:
#!/bin/sh
#
# rc.firewall-2.4-stronger
#
FWVER=0.80s
# An example of a stronger IPTABLES firewall with IP Masquerade
# support for 2.4.x kernels.
#
# Log:
#
# 0.80s - Added a DISABLED ip_nat_irc kernel module section, changed the
# default of the ip_conntrack_irc to NOT load by default, and
# added additional kernel module comments
# 0.79s - ruleset now uses modprobe instead of insmod
# 0.78s - REJECT is not a legal policy yet; back to DROP
# 0.77s - Changed the default block behavior to REJECT not DROP
# 0.76s - Added a comment about the OPTIONAL WWW ruleset and a comment
# where to put optional PORTFW commands
# 0.75s - Added clarification that PPPoE users need to use
# "ppp0" instead of "eth0" for their external interface
# 0.74s - Changed the EXTIP command to work on NON-English distros
# 0.73s - Added comments in the output section that DHCPd is optional
# and changed the default settings to disabled
# 0.72s - Changed the filter from the INTNET to the INTIP to be
# stateful; moved the command VARs to the top and made the
# rest of the script to use them
# 0.70s - Added a disabled examples for allowing internal DHCP
# and external WWW access to the server
# 0.63s - Added support for the IRC module
# 0.62s - Initial version based upon the basic 2.4.x rc.firewall
echo -e "\nLoading STRONGER rc.firewall - version $FWVER..\n"
# The location of various iptables and other shell programs
#
# If your Linux distribution came with a copy of iptables, most
# likely it is located in /sbin. If you manually compiled
# iptables, the default location is in /usr/local/sbin
#
# ** Please use the "whereis iptables" command to figure out
# ** where your copy is and change the path below to reflect
# ** your setup
#
#IPTABLES=/sbin/iptables
IPTABLES=/usr/sbin/iptables
#
LSMOD=/sbin/lsmod
DEPMOD=/sbin/depmod
MODPROBE=/sbin/modprobe
GREP=/bin/grep
AWK=/bin/awk
SED=/bin/sed
IFCONFIG=/sbin/ifconfig
#Setting the EXTERNAL and INTERNAL interfaces for the network
#
# Each IP Masquerade network needs to have at least one
# external and one internal network. The external network
# is where the natting will occur and the internal network
# should preferably be addressed with a RFC1918 private address
# scheme.
#
# For this example, "eth0" is external and "eth1" is internal"
#
# NOTE: If this doesnt EXACTLY fit your configuration, you must
# change the EXTIF or INTIF variables above. For example:
#
# If you are a PPPoE or analog modem user:
#
# EXTIF="ppp0"
#
EXTIF="eth0"
INTIF="eth2"
INTIF1="eth1"
echo " External Interface: $EXTIF"
echo " Internal Interface: $INTIF"
echo " Internal Interface: $INTIF1"
echo " ---"
# Specify your Static IP address here or let the script take care of it
# for you.
#
# If you prefer to use STATIC addresses in your firewalls, un-# out the
# static example below and # out the dynamic line. If you don't care,
# just leave this section alone.
#
# If you have a DYNAMIC IP address, the ruleset already takes care of
# this for you. Please note that the different single and double quote
# characters and the script MATTER.
#
#
# DHCP users:
# -----------
# If you get your TCP/IP address via DHCP, **you will need ** to enable the
# #ed out command below underneath the PPP section AND replace the word
# "eth0" with the name of your EXTERNAL Internet connection (ppp0, ippp0,
# etc) on the lines for "ppp-ip" and "extip". You should also note that the
# DHCP server can and will change IP addresses on you. To deal with this,
# users should configure their DHCP client to re-run the rc.firewall ruleset
# everytime the DHCP lease is renewed.
#
# NOTE #1: Some DHCP clients like the original "pump" (the newer
# versions have been fixed) did NOT have the ability to run
# scripts after a lease-renew. Because of this, you need to
# replace it with something like "dhcpcd" or "dhclient".
#
# NOTE #2: The syntax for "dhcpcd" has changed in recent versions.
#
# Older versions used syntax like:
# dhcpcd -c /etc/rc.d/rc.firewall eth0
#
# Newer versions execute a file called /etc/dhcpc/dhcpcd-eth0.exe
#
# NOTE #3: For Pump users, put the following line in /etc/pump.conf:
#
# script /etc/rc.d/rc.firewall
#
# PPP users:
# ----------
# If you aren't already aware, the /etc/ppp/ip-up script is always run when
# a PPP connection comes up. Because of this, we can make the ruleset go and
# get the new PPP IP address and update the strong firewall ruleset.
#
# If the /etc/ppp/ip-up file already exists, you should edit it and add a line
# containing "/etc/rc.d/rc.firewall" near the end of the file.
#
# If you don't already have a /etc/ppp/ip-up sccript, you need to create the
# following link to run the /etc/rc.d/rc.firewall script.
#
# ln -s /etc/rc.d/rc.firewall /etc/ppp/ip-up
#
# * You then want to enable the #ed out shell command below *
#
#
# Determine the external IP automatically:
# ----------------------------------------
#
# The following line will determine your external IP address. This
# line is somewhat complex and confusing but it will also work for
# all NON-English Linux distributions:
#
EXTIP="`$IFCONFIG $EXTIF | $AWK \
/$EXTIF/'{next}//{split($0,a,":");split(a[2],a," ");print a[1];exit}'`"
# For users who wish to use STATIC IP addresses:
#
# # out the EXTIP line above and un-# out the EXTIP line below
#
#EXTIP="your.static.PPP.address"
echo " External IP: $EXTIP"
echo " ---"
# Assign the internal TCP/IP network and IP address
INTNET="192.168.1.0/24"
INTIP="192.168.1.1/24"
echo " Internal Network1: $INTNET"
echo " Internal IP: $INTIP"
INTNET1="192.168.2.0/24"
INTIP1="192.168.2.1/24"
echo " Internal Network2: $INTNET1"
echo " Internal IP: $INTIP1"
echo " ---"
# External network addresses allowed privileged access
EXTNET1="aaa.bbb.ccc.0/24"
EXTNET2="aaa.bbb.ddd.0/24"
# External server addresses allowed privileged access
ADELIE02="aaa.bbb.ccc.yyy"
ADELIE03="aaa.bbb.ccc.zzz"
# Internal host addresses with VNC access
LTQ10541="192.168.2.2"
M540500="192.168.2.4"
# Setting a few other local variables
#
UNIVERSE="0.0.0.0/0"
#======================================================================
#== No editing beyond this line is required for initial MASQ testing ==
#CRITICAL: Enable IP forwarding since it is disabled by default since
#
# Redhat Users: you may try changing the options in
# /etc/sysconfig/network from:
#
# FORWARD_IPV4=false
# to
# FORWARD_IPV4=true
#
echo " Enabling forwarding.."
echo "1" > /proc/sys/net/ipv4/ip_forward
# Dynamic IP users:
#
# If you get your IP address dynamically from SLIP, PPP, or DHCP,
# enable the following option. This enables dynamic-address hacking
# which makes the life with Diald and similar programs much easier.
#
#echo " Enabling DynamicAddr.."
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr
echo " ---"
#############################################################################
#
# Enable Stronger IP forwarding and Masquerading
#
# NOTE: In IPTABLES speak, IP Masquerading is a form of SourceNAT or SNAT.
#
# NOTE #2: The following is an example for an internal LAN address in the
# 192.168.1.x network with a 255.255.255.0 or a "24" bit subnet
# mask connecting to the Internet on external interface "eth0".
# This example will MASQ internal traffic out to the Internet
# but not allow non-initiated traffic into your internal network.
#
#
# ** Please change the above network numbers, subnet mask, and your
# *** Internet connection interface name to match your setup
#
#Clearing any previous configuration
#
# Unless specified, the defaults for INPUT, OUTPUT, and FORWARD to DROP
#
# You CANNOT change this to REJECT as it isn't a vaild policy setting.
# If you want REJECT, you must explictly REJECT at the end of a giving
# INPUT, OUTPUT, or FORWARD chain
#
echo " Clearing any existing rules and setting default policy to DROP.."
$IPTABLES -P INPUT DROP
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT DROP
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -F -t nat
#Not needed and it will only load the unneeded kernel module
#$IPTABLES -F -t mangle
#
# Flush the user chain.. if it exists
if [ -n "`$IPTABLES -L | $GREP drop-and-log-it`" ]; then
$IPTABLES -F drop-and-log-it
fi
#
# Delete all User-specified chains
$IPTABLES -X
#
# Reset all IPTABLES counters
$IPTABLES -Z
#Configuring specific CHAINS for later use in the ruleset
#
# NOTE: Some users prefer to have their firewall silently
# "DROP" packets while others prefer to use "REJECT"
# to send ICMP error messages back to the remote
# machine. The default is "REJECT" but feel free to
# change this below.
#
# NOTE: Without the --log-level set to "info", every single
# firewall hit will goto ALL vtys. This is a very big
# pain.
#
echo " Creating a DROP chain.."
$IPTABLES -N drop-and-log-it
$IPTABLES -A drop-and-log-it -j LOG --log-level info
$IPTABLES -A drop-and-log-it -j REJECT
echo -e "\n - Loading INPUT rulesets"
#######################################################################
# INPUT: Incoming traffic from various interfaces. All rulesets are
# already flushed and set to a default policy of DROP.
#
# loopback interfaces are valid.
#
$IPTABLES -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
# local interface, local machines, going anywhere is valid
#
$IPTABLES -A INPUT -i $INTIF -s $INTNET -d $UNIVERSE -j ACCEPT
$IPTABLES -A INPUT -i $INTIF1 -s $INTNET1 -d $UNIVERSE -j ACCEPT
# remote interface, claiming to be local machines, IP spoofing, get lost
#
$IPTABLES -A INPUT -i $EXTIF -s $INTNET -d $UNIVERSE -j drop-and-log-it
$IPTABLES -A INPUT -i $EXTIF -s $INTNET1 -d $UNIVERSE -j drop-and-log-it
# external interface, from any source, for ICMP traffic is valid
#
# If you would like your machine to "ping" from the Internet,
# enable this next line
#
$IPTABLES -A INPUT -i $EXTIF -p ICMP -s $UNIVERSE -d $EXTIP -j ACCEPT
# remote interface, any source, going to permanent PPP address is valid
#
#$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -j ACCEPT
# Allow any related traffic coming back to the MASQ server in
#
$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state \
ESTABLISHED,RELATED -j ACCEPT
# ----- Begin OPTIONAL INPUT Section -----
#
# DHCPd - Enable the following lines if you run an INTERNAL DHCPd server
#
#$IPTABLES -A INPUT -i $INTIF -p tcp --sport 68 --dport 67 -j ACCEPT
#$IPTABLES -A INPUT -i $INTIF -p udp --sport 68 --dport 67 -j ACCEPT
# SSH - Secure shell uses port 22
#
$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 22 -j ACCEPT
# HTTPd - Enable the following lines if you run an EXTERNAL WWW server
#
# NOTE: This is NOT needed for simply enabling PORTFW. This is ONLY
# for users that plan on running Apache on the MASQ server itself
#
#echo -e " - Allowing EXTERNAL access to the WWW server"
#$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED \
# -p tcp -s $UNIVERSE -d $EXTIP --dport 80 -j ACCEPT
# Samba uses UDP on ports 137 & 138 for nmbd and
# Samba uses TCP on ports 139 & 445 for smbd
$IPTABLES -A INPUT -i $EXTIF -p udp -s $EXTNET1 --dport 137 -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -p udp -s $EXTNET1 --dport 138 -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -p tcp -s $EXTNET1 --dport 139 -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -p tcp -s $EXTNET1 --dport 445 -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -p udp -s $EXTNET2 --dport 137 -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -p udp -s $EXTNET2 --dport 138 -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -p tcp -s $EXTNET2 --dport 139 -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -p tcp -s $EXTNET2 --dport 445 -j ACCEPT
# CUPS uses TCP and UDP on port 631 for printing. Accept from Adelie02 and Adelie03
$IPTABLES -A INPUT -i $EXTIF -p tcp -s $ADELIE02 --dport 631 -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -p udp -s $ADELIE02 --dport 631 -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -p tcp -s $ADELIE03 --dport 631 -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -p udp -s $ADELIE03 --dport 631 -j ACCEPT
# ntpd (Network Time Protocol daemon) uses UDP on port 123
$IPTABLES -A INPUT -i $EXTIF -p udp --sport 123 --dport 123 -j ACCEPT
# Accept TCP on port 80 for http
#$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 80 -j ACCEPT
## Open ports for RealVNC
# Accept TCP on port 5801 for VNC java viewer for LTQ10541
$IPTABLES -A INPUT -i $EXTIF -p tcp -s $EXTNET1 --dport 5801 -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -p tcp -s $EXTNET2 --dport 5801 -j ACCEPT
# Accept TCP on port 5901 for VNC viewer for LTQ10541
$IPTABLES -A INPUT -i $EXTIF -p tcp -s $EXTNET1 --dport 5901 -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -p tcp -s $EXTNET2 --dport 5901 -j ACCEPT
# Accept TCP on port 5802 for VNC java viewer for M540500
$IPTABLES -A INPUT -i $EXTIF -p tcp -s $EXTNET1 --dport 5802 -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -p tcp -s $EXTNET2 --dport 5802 -j ACCEPT
# Accept TCP on port 5902 for VNC viewer for M540500
$IPTABLES -A INPUT -i $EXTIF -p tcp -s $EXTNET1 --dport 5902 -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -p tcp -s $EXTNET2 --dport 5902 -j ACCEPT
# ----- End OPTIONAL INPUT Section -----
# Catch all rule, all other incoming is denied and logged.
#
$IPTABLES -A INPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it
echo -e " - Loading OUTPUT rulesets"
#######################################################################
# OUTPUT: Outgoing traffic from various interfaces. All rulesets are
# already flushed and set to a default policy of DROP.
#
# loopback interface is valid.
#
$IPTABLES -A OUTPUT -o lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
# local interfaces, any source going to local net is valid
#
$IPTABLES -A OUTPUT -o $INTIF -s $EXTIP -d $INTNET -j ACCEPT
$IPTABLES -A OUTPUT -o $INTIF1 -s $EXTIP -d $INTNET1 -j ACCEPT
# local interface, any source going to local net is valid
#
$IPTABLES -A OUTPUT -o $INTIF -s $INTIP -d $INTNET -j ACCEPT
$IPTABLES -A OUTPUT -o $INTIF1 -s $INTIP1 -d $INTNET1 -j ACCEPT
# outgoing to local net on remote interface, stuffed routing, deny
#
$IPTABLES -A OUTPUT -o $EXTIF -s $UNIVERSE -d $INTNET -j drop-and-log-it
$IPTABLES -A OUTPUT -o $EXTIF -s $UNIVERSE -d $INTNET1 -j drop-and-log-it
# anything else outgoing on remote interface is valid
#
$IPTABLES -A OUTPUT -o $EXTIF -s $EXTIP -d $UNIVERSE -j ACCEPT
# ----- Begin OPTIONAL OUTPUT Section -----
#
# DHCPd - Enable the following lines if you run an INTERNAL DHCPd server
# - Remove BOTH #s all the #s if you need this functionality.
#
#$IPTABLES -A OUTPUT -o $INTIF -p tcp -s $INTIP --sport 67 \
# -d 255.255.255.255 --dport 68 -j ACCEPT
#$IPTABLES -A OUTPUT -o $INTIF -p udp -s $INTIP --sport 67 \
# -d 255.255.255.255 --dport 68 -j ACCEPT
#
# ----- End OPTIONAL OUTPUT Section -----
# Catch all rule, all other outgoing is denied and logged.
#
$IPTABLES -A OUTPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it
echo -e " - Loading FORWARD rulesets"
#######################################################################
# FORWARD: Enable Forwarding and thus IPMASQ
#
# ----- Begin OPTIONAL FORWARD Section -----
#
# Initialise the forward chain
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p udp -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF1 -p udp -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF1 -p tcp -j ACCEPT
# Port forwarding for RealVNC
# Port forward external port 5801 to LTQ10541 port 5800
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 5801 -j DNAT \
--to-destination $LTQ10541:5800
# Port forward external port 5901 to LTQ10541 port 5900
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 5901 -j DNAT \
--to-destination $LTQ10541:5900
# Port forward external port 5802 to M540500 port 5800
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 5802 -j DNAT \
--to-destination $M540500:5800
# Port forward external port 5902 to M540500 port 5900
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 5902 -j DNAT \
--to-destination $M540500:5900
#
# ----- End OPTIONAL FORWARD Section -----
echo " - FWD: Allow all connections OUT and only existing/related IN"
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED \
-j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF1 -m state --state ESTABLISHED,RELATED \
-j ACCEPT
$IPTABLES -A FORWARD -i $INTIF1 -o $EXTIF -j ACCEPT
# Catch all rule, all other forwarding is denied and logged.
#
$IPTABLES -A FORWARD -j drop-and-log-it
echo " - NAT: Enabling SNAT (MASQUERADE) functionality on $EXTIF"
#
#More liberal form
#$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
#
#Stricter form
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j SNAT --to $EXTIP
#######################################################################
echo -e "\nDone.\n"
|
