#!/bin/sh
#
# Local Settings
#
# Path to sysctl. Leave it EMPTY ("") to make the kernel-parameter section
# fall back to writing the /proc/sys files directly.
SYSCTL="/sbin/sysctl -w"
# iptables binaries. Non-standard prefix — possibly a locally built iptables
# (the mangle section relies on the out-of-tree layer7 match); confirm.
IPT="/usr/local/sbin/iptables"
IPTS="/usr/local/sbin/iptables-save"
IPTR="/usr/local/sbin/iptables-restore"
# Internet Interface
# INET_ADDRESS is the SNAT source for everything leaving INET_IFACE. It is an
# RFC 1918 address, so this uplink presumably sits behind another NAT device.
INET_IFACE="eth1"
INET_ADDRESS="192.168.251.3"
# Local Interface Information
# LOCAL_NET is the directly attached LAN. Further subnets routed behind
# LOCAL_IFACE that may reach the gateway are listed one by one in the INPUT
# section.
LOCAL_IFACE="eth2"
LOCAL_IP="192.168.252.1"
LOCAL_NET="192.168.252.0/24"
LOCAL_BCAST="192.168.252.255"
# Static IP - Terminal Server Interface (second uplink)
# TS_IP is a PLACEHOLDER. It is the SNAT source for TS_IFACE; iptables rejects
# the SNAT rule until a real address is filled in, and because this script
# does not stop on errors the result is traffic leaving eth0 un-translated.
TS_IFACE="eth0"
TS_IP="xxx.xxx.xxx.xxx"
# Localhost Interface
LO_IFACE="lo"
LO_IP="127.0.0.1"
# Save and Restore arguments handled here
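# Save and Restore arguments handled here.
#   save    - dump the live ruleset to RULES_FILE and exit
#   restore - load RULES_FILE into the kernel and exit
# Both paths leave before any rule below is touched.
# Fixes: the restore branch ran iptables-restore twice; both branches printed
# "done" even when the iptables tool failed; "echo -n" is not portable under
# #!/bin/sh, so printf is used for the unterminated status line.
RULES_FILE="/etc/sysconfig/iptables"
if [ "$1" = "save" ]
then
    printf 'Saving firewall to %s ... ' "$RULES_FILE"
    # The dump describes the network layout and every accepted port;
    # create it readable by root only.
    umask 077
    if $IPTS > "$RULES_FILE"
    then
        echo "done"
        exit 0
    fi
    echo "FAILED" >&2
    exit 1
elif [ "$1" = "restore" ]
then
    printf 'Restoring firewall from %s ... ' "$RULES_FILE"
    # Report a failed restore instead of claiming success; the caller's
    # exit status reflects it as well.
    if $IPTR < "$RULES_FILE"
    then
        echo "done"
        exit 0
    fi
    echo "FAILED" >&2
    exit 1
fi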
###############################################################################
#
# Load Modules
#
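echo "Loading kernel modules ..."
###############################################################################
#
# Kernel Parameter Configuration
#
# set_sysctl KEY VALUE
#   Sets one kernel parameter. Uses $SYSCTL when it is configured; when it is
#   empty, writes VALUE to the matching /proc/sys path (dots in KEY become
#   slashes). Replaces eight copies of the same if/else.
set_sysctl() {
    if [ "$SYSCTL" = "" ]
    then
        echo "$2" > "/proc/sys/$(echo "$1" | tr . /)"
    else
        $SYSCTL "$1=$2"
    fi
}
# This host routes between its interfaces.
set_sysctl net.ipv4.ip_forward 1
# Resist SYN floods against the gateway's own listeners.
set_sysctl net.ipv4.tcp_syncookies 1
# Reverse-path filtering is OFF. With two uplinks (eth0, eth1) this may be
# deliberate — strict rp_filter breaks asymmetric routing — but it also means
# the kernel keeps packets whose source address arrives on the "wrong"
# interface. NOTE(review): confirm this is intended; loose mode (2) is a
# middle ground on kernels that support it.
set_sysctl net.ipv4.conf.all.rp_filter 0
# Never honour source-routed packets.
set_sysctl net.ipv4.conf.all.accept_source_route 0
# Only accept ICMP redirects from gateways listed in the routing table ...
set_sysctl net.ipv4.conf.all.secure_redirects 1
# ... and, being a router, better not accept redirects at all. This is the
# kernel's own default once forwarding is on; made explicit here.
set_sysctl net.ipv4.conf.all.accept_redirects 0
# Do not answer echo requests sent to a broadcast address (smurf amplifier).
set_sysctl net.ipv4.icmp_echo_ignore_broadcasts 1
# Martian logging is OFF: packets with impossible source addresses are
# discarded silently. Set to 1 while investigating spoofing; it is noisy.
set_sysctl net.ipv4.conf.all.log_martians 0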
###############################################################################
#
# Flush Any Existing Rules or Chains
#
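echo "Flushing Tables ..."
# flush_tables
#   Delete every rule and every user-defined chain in the filter, nat and
#   mangle tables. Policies are not touched; the caller sets them first.
flush_tables() {
    for table in filter nat mangle
    do
        $IPT -t "$table" -F
        $IPT -t "$table" -X
    done
}
# set_filter_policy TARGET
#   Apply TARGET (ACCEPT or DROP) as default policy of the three built-in
#   filter chains.
set_filter_policy() {
    for chain in INPUT FORWARD OUTPUT
    do
        $IPT -P "$chain" "$1"
    done
}
# reset_nat_mangle_policies
#   nat and mangle never carry a restrictive policy in this script.
reset_nat_mangle_policies() {
    for chain in PREROUTING POSTROUTING OUTPUT
    do
        $IPT -t nat -P "$chain" ACCEPT
    done
    $IPT -t mangle -P PREROUTING ACCEPT
    $IPT -t mangle -P OUTPUT ACCEPT
}
if [ "$1" = "stop" ]
then
    # Tear-down requested: open the filter table, then remove everything.
    set_filter_policy ACCEPT
    reset_nat_mangle_policies
    flush_tables
    echo "Firewall completely flushed! Now running with no firewall."
    exit 0
fi
# Refuse to (re)build the ruleset with an unfilled address (TS_IP ships as
# "xxx.xxx.xxx.xxx"). iptables would reject that interface's SNAT rule and,
# since this script does not stop on errors, it would carry on with traffic
# leaving that interface un-translated. Checked BEFORE the flush so a bad
# configuration leaves the existing ruleset in place.
for addr in "$INET_ADDRESS" "$TS_IP"
do
    case "$addr" in
        ""|*[!0-9.]*)
            echo "ERROR: INET_ADDRESS and TS_IP must be real dotted-quad addresses (got '$addr')" >&2
            exit 1
            ;;
    esac
done
# Close the filter table BEFORE flushing. The previous order (policies
# ACCEPT, flush, then DROP) left the gateway fully open for the moment
# between the flush and the new policies; with DROP first a reload can only
# fail closed. Existing connections keep their conntrack entries and resume
# once the ESTABLISHED,RELATED rules are re-added below.
set_filter_policy DROP
reset_nat_mangle_policies
flush_tables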
###############################################################################
#
# Rules Configuration
#
###############################################################################
#
# Filter Table
#
###############################################################################
# Set Policies
# Set Policies: anything not explicitly accepted below is dropped.
for chain in INPUT OUTPUT FORWARD
do
    $IPT -P "$chain" DROP
done
###############################################################################
#
# User-Specified Chains
#
# Create the user chains that INPUT and FORWARD dispatch into, so a packet
# only traverses the rules relevant to its protocol and direction.
echo "Create and populate custom rule chains ..."
for chain in bad_packets bad_tcp_packets icmp_packets \
             udp_inbound udp_outbound tcp_inbound tcp_outbound
do
    $IPT -N "$chain"
done
###############################################################################
#
# Populate User Chains
#
# bad_packets chain
#
# Drop INVALID packets immediately
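# Drop INVALID packets (conntrack cannot associate them with any flow).
# The LOG is rate-limited like the catch-all logs further down: INPUT and
# FORWARD send every packet through this chain, so an unthrottled log rule
# lets anyone on the Internet flood syslog at wire speed.
$IPT -A bad_packets -p ALL -m state --state INVALID \
    -m limit --limit 3/minute --limit-burst 3 -j LOG \
    --log-prefix "IPT - Invalid packet: "
$IPT -A bad_packets -p ALL -m state --state INVALID -j DROP
# Then check the tcp packets for additional problems
$IPT -A bad_packets -p tcp -j bad_tcp_packets
# All good, so return
$IPT -A bad_packets -p ALL -j RETURN
# bad_tcp_packets chain
#
# TCP arriving on the LAN interface skips the NEW-without-SYN check. The
# intent is not documented (possibly to spare trusted hosts after a conntrack
# reset); the consequence is that stray LAN-side segments are never logged.
$IPT -A bad_tcp_packets -p tcp -i $LOCAL_IFACE -j RETURN
# A NEW TCP packet that is not a SYN is a stealth scan or a leftover from a
# connection conntrack no longer knows about: log (throttled) and drop.
# The original had the DROP rule twice; one copy is enough.
$IPT -A bad_tcp_packets -p tcp ! --syn -m state --state NEW \
    -m limit --limit 3/minute --limit-burst 3 -j LOG \
    --log-prefix "IPT - New not syn: "
$IPT -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
# All good, so return
$IPT -A bad_tcp_packets -p tcp -j RETURN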
# Ping from outside: the echo-request rule below decides whether the gateway answers pings from its uplinks (DROP = no).
# icmp_packets chain
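# icmp_packets chain
#
# Fragmented ICMP has no legitimate use here; log (throttled — this chain
# sees unsolicited Internet traffic) and drop.
$IPT -A icmp_packets --fragment -p ICMP \
    -m limit --limit 3/minute --limit-burst 3 -j LOG \
    --log-prefix "IPT - ICMP Fragment: "
$IPT -A icmp_packets --fragment -p ICMP -j DROP
# Echo request (type 8): the gateway does not answer pings from its uplinks.
# Change DROP to ACCEPT to make it pingable.
$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j DROP
# Time Exceeded (type 11) is dropped silently. Anything still in this chain
# is unsolicited: ICMP errors RELATED to our own flows (e.g. type 3,
# fragmentation-needed for PMTU discovery) were already accepted by the
# ESTABLISHED,RELATED rule in INPUT, which precedes the jump here.
$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j DROP
# Not matched, so return so it will be logged
$IPT -A icmp_packets -p ICMP -j RETURN
# TCP & UDP
# Identify ports at:
#   http://www.chebucto.ns.ca/~rakerman/port-table.html
#   http://www.iana.org/assignments/port-numbers
# (Both URLs were bare lines without a leading '#', so the shell tried to
#  execute them as commands on every run.)
# udp_inbound chain
#
# NetBIOS name (137) and datagram (138) service: dropped without logging so
# Windows broadcast chatter does not clutter the log.
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 137 -j DROP
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 138 -j DROP
# Not matched, so return for logging
$IPT -A udp_inbound -p UDP -j RETURN
# udp_outbound chain
#
# Applied to FORWARD traffic from the LAN. Nothing is filtered today; insert
# DROP rules above the ACCEPT to block specific outbound UDP ports.
$IPT -A udp_outbound -p UDP -s 0/0 -j ACCEPT
# tcp_inbound chain
#
# No service on the gateway is reachable from either uplink: every new TCP
# connection returns from here and is logged and dropped by INPUT.
# Uncomment to allow remote ssh (consider narrowing -s to admin addresses):
#$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 22 -j ACCEPT
# Not matched, so return so it will be logged
$IPT -A tcp_inbound -p TCP -j RETURN
# tcp_outbound chain
#
# This chain is used with a private network to prevent forwarding for
# requests on specific protocols. Applied to the FORWARD rule from
# the internal network. Ends with an ACCEPT.
# No match, so ACCEPT
$IPT -A tcp_outbound -p TCP -s 0/0 -j ACCEPT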
###############################################################################
#
# INPUT Chain
#
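echo "Process INPUT chain ..."
# Allow all on localhost interface
$IPT -A INPUT -p ALL -i $LO_IFACE -j ACCEPT
# Drop bad packets FIRST. Previously the per-subnet ACCEPTs below came ahead
# of this jump, so INVALID packets from the LAN side reached the gateway's
# own stack unchecked.
$IPT -A INPUT -p ALL -j bad_packets
# Some DOCSIS cable modems send IGMP multicasts to 224.0.0.1 to discover
# attached PCs. Dropped here without logging to keep the log clean; swap the
# DROP for the commented ACCEPT if they are wanted. Use '-p 2' instead of
# '-p ALL' to affect IGMP only.
$IPT -A INPUT -p ALL -d 224.0.0.1 -j DROP
# $IPT -A INPUT -p ALL -d 224.0.0.1 -j ACCEPT
# RULE TO BLOCK P2P FILE SHARING
#$IPT -A INPUT -p udp -i $LOCAL_IFACE -j QUEUE
# Rules for the private network (accessing gateway system itself)
$IPT -A INPUT -p ALL -i $LOCAL_IFACE -s $LOCAL_NET -j ACCEPT
$IPT -A INPUT -p ALL -i $LOCAL_IFACE -d $LOCAL_BCAST -j ACCEPT
# CUSTOM: further networks routed behind the LAN interface that may reach the
# gateway itself (any protocol, any port). Duplicates removed: 10.8.0.0/24 was
# listed twice and 192.168.252.0/24 is $LOCAL_NET, accepted just above.
# NOTE(review): 192.0.0.0/24 is the IETF protocol-assignments block, not
# private space (192.168.0.0/24 is also listed — typo?), and 192.102.72.0/24
# is publicly routable; confirm both really live behind eth2.
for src in 192.0.0.0/24 192.168.40.0/24 192.168.30.0/24 192.102.72.0/24 \
           10.0.0.0/24 192.168.0.0/24 10.99.0.1 10.99.0.3 10.99.0.5 \
           10.8.0.0/24 192.168.60.0/24 192.168.61.0/24 192.168.62.0/24 \
           192.168.63.0/24 10.89.0.0/24 10.10.0.0/24
do
    $IPT -A INPUT -p ALL -i $LOCAL_IFACE -s "$src" -d $LOCAL_IP -j ACCEPT
done
# Inbound Internet Packet Rules
# The two uplinks (Internet and terminal-server link) are treated alike:
# replies to the gateway's own connections are accepted, everything new is
# dispatched to the per-protocol chains, which either DROP or RETURN into
# the log-and-drop at the end of this chain.
for wan in $INET_IFACE $TS_IFACE
do
    $IPT -A INPUT -p ALL -i "$wan" -m state --state ESTABLISHED,RELATED \
        -j ACCEPT
done
for wan in $INET_IFACE $TS_IFACE
do
    $IPT -A INPUT -p TCP -i "$wan" -j tcp_inbound
    $IPT -A INPUT -p UDP -i "$wan" -j udp_inbound
    $IPT -A INPUT -p ICMP -i "$wan" -j icmp_packets
done
# Drop without logging broadcasts that get this far (cuts log clutter).
# Comment this line if testing new rules that impact broadcast protocols.
#$IPT -A INPUT -p ALL -d 255.255.255.255 -j DROP
# Log a throttled sample of what is about to hit the DROP policy.
$IPT -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
    --log-prefix "IPT - INPUT packet died: "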
###############################################################################
#
# FORWARD Chain
#
echo "Process FORWARD chain ..."
# Used if forwarding for a private network
#$IPT -A FORWARD -p udp --source-port ! 53 -j DROP
# Port Forward SSH Connections
# Port forward httpd
# Sanity-check every forwarded packet first.
$IPT -A FORWARD -p ALL -j bad_packets
# Traffic entering on the LAN interface: TCP and UDP pass through their
# outbound filter chains (both currently end in ACCEPT), every other
# protocol is accepted outright. There is no -s match on these rules, so
# any source address presented on $LOCAL_IFACE is forwarded — intended,
# since several routed subnets sit behind it, but worth knowing with
# rp_filter disabled.
$IPT -A FORWARD -p tcp -i $LOCAL_IFACE -j tcp_outbound
# RULE TO BLOCK P2P FILE SHARING
#$IPT -A FORWARD -p udp -i $LOCAL_IFACE -j QUEUE
$IPT -A FORWARD -p udp -i $LOCAL_IFACE -j udp_outbound
$IPT -A FORWARD -p ALL -i $LOCAL_IFACE -j ACCEPT
# From either uplink only replies to existing flows are forwarded; no new
# inbound connection ever reaches the LAN (and the nat table defines no DNAT).
for wan in $INET_IFACE $TS_IFACE
do
    $IPT -A FORWARD -i "$wan" -m state --state ESTABLISHED,RELATED -j ACCEPT
done
# Everything else falls to the DROP policy; log a throttled sample first.
$IPT -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \
    --log-prefix "IPT - FORWARD packet died: "
###############################################################################
# OUTPUT Chain
#
echo "Process OUTPUT chain ..."
# Traffic generated by the gateway itself is trusted, with one exception:
# ICMP that conntrack classes as INVALID is discarded before it leaves (the
# original author notes this closes a possible exploit).
$IPT -A OUTPUT -m state -p icmp --state INVALID -j DROP
# accept_out MATCH...
#   Append an unconditional ACCEPT for the given match to OUTPUT.
accept_out() {
    $IPT -A OUTPUT -p ALL "$@" -j ACCEPT
}
# Localhost, the LAN and both uplinks. The -s rules overlap the -o rules for
# the same interface and are kept for parity with the original.
accept_out -s $LO_IP
accept_out -o $LO_IFACE
accept_out -s $LOCAL_IP
accept_out -o $LOCAL_IFACE
accept_out -o $INET_IFACE
accept_out -o $TS_IFACE
# Nothing should reach this point; log a throttled sample if it does.
$IPT -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
    --log-prefix "IPT - OUTPUT packet died: "
###############################################################################
#
# nat table
#
###############################################################################
# The nat table is where network address translation occurs if there
# is a private network. If the gateway is connected to the Internet
# with a static IP, snat is used. If the gateway has a dynamic address,
# masquerade must be used instead. There is more overhead associated
# with masquerade, so snat is better when it can be used.
# The nat table has a builtin chain, PREROUTING, for dnat and redirects.
# Another, POSTROUTING, handles snat and masquerade.
echo "Load rules for nat table ..."
###############################################################################
#
# PREROUTING chain
#
# Transparent proxying: TCP/80 arriving from the LAN side is redirected to a
# proxy on the gateway's port 3128 (squid's default; the proxy must be running
# and INPUT already admits LAN traffic to the gateway on any port). Only
# plain HTTP is intercepted — 443 and everything else pass straight through.
$IPT -t nat -A PREROUTING -i $LOCAL_IFACE -p tcp --dport 80 -j REDIRECT --to-port 3128
#
# POSTROUTING chain
#
# snat_out IFACE ADDR
#   Rewrite the source address of connections leaving IFACE to ADDR. There is
#   no -s match, so the attached LAN and every routed subnet behind it are
#   translated alike. SNAT is used because both uplinks have static addresses.
snat_out() {
    $IPT -t nat -A POSTROUTING -o "$1" -j SNAT --to-source "$2"
}
snat_out "$INET_IFACE" "$INET_ADDRESS"
snat_out "$TS_IFACE" "$TS_IP"
###############################################################################
#
# mangle table
#
###############################################################################
# The mangle table is used to alter packets. It can alter or mangle them in
# several ways. For the purposes of this generator, we only use its ability
# to alter the TTL in packets. However, it can be used to set netfilter
# mark values on specific packets. Those marks could then be used in another
# table like filter, to limit activities associated with a specific host, for
# instance. The TOS target can be used to set the Type of Service field in
# the IP header. Note that the TTL target might not be included in the
# distribution on your system. If it is not and you require it, you will
# have to add it. That may require that you build from source.
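echo "Load rules for mangle table ..."
# Connection marks: restore the mark saved from earlier packets of the flow,
# stop processing this chain for connections that already carry a mark, and
# save the (still zero) mark for the rest. NOTE(review): nothing in this
# script sets a non-zero mark, so these three rules are inert as shipped and
# only matter if a marking rule is added elsewhere.
$IPT -t mangle -A PREROUTING -j CONNMARK --restore-mark
$IPT -t mangle -A PREROUTING -m mark ! --mark 0 -j ACCEPT
$IPT -t mangle -A PREROUTING -j CONNMARK --save-mark
# Application-layer blocking of P2P and streaming protocols.
# This needs the out-of-tree l7-filter match (kernel patch plus userspace
# extension). The original just issued the rules; when the match is missing
# every one of them fails and, since this script does not stop on errors,
# the firewall comes up looking complete with none of these protocols
# blocked. Probe for the userspace extension and warn instead (a missing
# kernel module still shows up as a per-rule iptables error).
# Rules sit in POSTROUTING, so they also affect the gateway's own traffic.
L7_BLOCKED="rtsp ares edonkey gnutella imesh fasttrack bittorrent napster audiogalaxy http-rtsp httpvideo"
# Opt-in candidates that were commented out in the original (duplicate
# commented rtsp/shoutcast entries collapsed): msnmessenger shoutcast flash
# httpaudio — append to L7_BLOCKED to activate.
if $IPT -m layer7 --help >/dev/null 2>&1
then
    for proto in $L7_BLOCKED
    do
        $IPT -t mangle -A POSTROUTING -m layer7 --l7proto "$proto" -j DROP
    done
else
    echo "WARNING: iptables layer7 match not available - P2P/streaming blocks NOT applied" >&2
fi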