That's strange that you can ping everything on the Linux box but nothing on the Windows box. This indicates that masq or NAT isn't working properly.
|------------------|
| windows box |-------I'm a packet-------> Linux firewall/routing script |<------- note that this needs to be in the same
|------------------| to yahoo.com should forward this out to the internet | thing no separation of firewall/nat
Here is firegate's script from my server
NOTE I HAVE NOT REMOVED ANYTHING HERE SO CHECK IT BEFORE USING TO MAKE SURE IT'S CORRECT
---------------------------------------------------------------------------------------------------------------------------------------
#!/bin/bash
# Program Name = FIRE|GATE
# Intended Use = An IPtables firewall ruleset and NAT gateway
# Revision Lvl = 0.79
# Created File = 20 Jan 2002
# Last Updated = 01 Sep 2003
# Download URL = http://firegate.lunarfox.com
# Copyright 2002-2003 Jeff Bonner (firegate@lunarfox.com)
# OSI Certified Open Source Software
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation, Version 2.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public
# License along with this program; if not, write to the Free
# Software Foundation, Inc., 59 Temple Place, Suite 330, Boston,
# MA 02111-1307 USA
# CAUTION: THIS SCRIPT IS IN DEVELOPMENT AND MAY NOT BE SUITABLE
# FOR USE IN A PRODUCTION ENVIRONMENT. Concerns and questions are
# prefixed with "FIXME" to denote they need to be addressed. You
# should review the code thoroughly to ensure it is appropriate for
# your location and situation.
### SET NECESSARY VARIABLES --------------------------------------------------
#
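### Configuration. Everything below the "END OF USER VARIABLES" marker only
# consumes these values; adjust them here, not in the rule sections.
VER="v0.79"
IPT="/usr/sbin/iptables" # Location of your IPtables
EXT="eth0" # External interface name
INT="eth1" # Internal interface name
# MASQ must cover the subnet your LAN clients actually use: the POSTROUTING
# MASQUERADE rule below rewrites only sources inside this range, while the
# FORWARD path accepts NEW traffic from any non-$EXT interface. A client
# outside MASQ is forwarded unrewritten, with its private source address.
MASQ="10.10.10.0/24" # LAN IP range to masquerade; see
# http://dmdl.uvm.edu/subnet.shtml
# Null "" allows ANY traffic in: with DHCP="" the firewall accepts udp/68
# from any source using source port 67, and with DNS="" it accepts any TCP
# packet with source port 53 -- list your real servers whenever you can.
DHCP="192.168.0.1 192.168.0.11" # DHCP server(s) to allow inbound
DNS="209.244.0.3 209.244.0.4" # DNS server(s) to allow inbound
IDENT="0" # Use Ident/Auth? 0=REJECT 1=ACCEPT
SSH="1" # SSH in from Internet? 0=NO 1=YES
PING="1" # Allow PINGs inbound? 0=NO 1=YES
QUIET="1" # Ignore common scans? 0=NO 1=YES
# DROPEXT="0" (default) means "firegate stop" leaves $EXT wide open
# (ACCEPT on INPUT and OUTPUT); set to "1" to fail closed instead.
DROPEXT="0" # Drop all external traffic when you
# stop the firewall? 0=NO 1=YES
WEBPORT="80" # If ISP blocks port 80, change here
HTTP="" # Forward HTTP > LAN IP; "" disables
SMTP="" # Forward SMTP > LAN IP; "" disables
AIM="" # Port(s) forwarded to internal LAN
ICQ="" # machines using IP masq; null value
MSN="1863" # "" disables that one. For a range
P2P="" # (eg ICQ) use colon between ports.
CAM="" # Forward port number to internal IP;
CAMIP="" # a null value "" for both disables
COLOR="1" # Use ANSI color msgs? 0=NO 1=YES
# $COLOR is quoted so an empty/unset value compares as "not 1" instead of
# producing a test(1) syntax error; the colour names are always assigned
# (empty when colours are off) so the echo lines later never expand an
# unset variable.
if [ "$COLOR" = "1" ]
then
NORM="\\033[0;39m" # You may adjust these as desired to
GREEN="\\033[1;32m" # use other colors, insert different
RED="\\033[1;31m" # sequences (non-ANSI), sound your
WHITE="\\033[1;29m" # terminal bell CTRL-G, et cetera
else
NORM=""
GREEN=""
RED=""
WHITE=""
fi
### BLACKLISTED IPs ----------------------------------------------------------
#
# This section can be used against nefarious sites you want to prevent.
# Space-separated list; the rule loops below rely on word-splitting it.
EVIL="219.96.228.226 150.108.236.20 210.80.207.147 200.222.3.3 24.148.22.92 216.127.74.43"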
# ***** END OF USER VARIABLES; EXERCISE CAUTION EDITING BELOW THIS LINE *****
# [START] ====================================================================
#
# Dispatch on the single command-line argument; anything other than
# start|stop|status|restart|reload falls through to the usage text.
case "$1" in
start)
echo -e "\n"$NORM"FIRE|GATE $VER$GREEN starting"$NORM"..."
### SYSCTL: PERFORMANCE TUNING, DoS, ETC -------------------------------------
#
# FIXME(review): the URL on the next line has lost its leading "#" in this
# copy, so bash tries to run it as a command ("command not found"). There is
# no "set -e", so it is only noise, but rejoin it to the comment above. The
# same applies to the bare URLs in the reserved-IP, trojan, ICMP and sNAT
# sections further down.
http://www.tldp.org/HOWTO/Adv-Routin...l.obscure.html
#
echo -e "\n - SYSCTL, performance tuning"
echo 1 > /proc/sys/net/ipv4/ip_forward # Enable IP masq
echo 1 > /proc/sys/net/ipv4/ip_dynaddr # Rewrite new address
echo 1 > /proc/sys/net/ipv4/tcp_syncookies # TCP SYN overload
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts # Smurf amplify off
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians # Spoof/route/redir
echo 0 > /proc/sys/net/ipv4/tcp_timestamps # Uptime/GB Ethernet
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects # ICMP redirects off
# (Repeats the icmp_echo_ignore_broadcasts line above; harmless.)
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts # No bcast response
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route # No return path mod
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses # No bad msgs
for r in /proc/sys/net/ipv4/conf/*/rp_filter; do # Reverse path filter
echo 1 > $r # (default for Debian
done # installations)
### ERASE PREVIOUS RULES, DEFINE DEFAULT POLICY ------------------------------
#
# Policies are set to DROP before any ACCEPT rule exists, so the host is
# briefly unreachable (including over SSH) while the rest of "start" runs.
echo " - Flush; default policy DENY"
$IPT -F # Flush built-in rules
$IPT -X # Erase custom rules
$IPT -Z # Zero all counters
$IPT -t nat -F # Flush pre/postroute
$IPT -t mangle -F # Flush packet mangle
$IPT -P INPUT DROP #
$IPT -P OUTPUT DROP # Default policy
$IPT -P FORWARD DROP #
$IPT -A INPUT -i lo -j ACCEPT # Allow traffic on
$IPT -A OUTPUT -o lo -j ACCEPT # loopback interface
# You should never see legitimate traffic originating from any of these
# addresses to the external interface, but a misconfigured router or hack
# attempt could produce this behavior. Comcast sends broadcast messages
# from 10.0.0.0/8 to bootpc for whatever reason (check it yourself with
# "iptables -L -n -v"), but it does not appear to matter if we drop them.
# See
# FIXME(review): bare URL on the next line, see the note in the SYSCTL section.
http://again.net/cidr for a list of these addresses plus tables of
# subnets, ICMP codes, and more. Toss any packets to external interface
# claiming to be:
echo " - No reserved IPs coming from" $EXT
$IPT -A INPUT -i $EXT -s 10.0.0.0/8 -j DROP #
$IPT -A INPUT -i $EXT -s 172.16.0.0/12 -j DROP # RFC1918 Private
$IPT -A INPUT -i $EXT -s 192.168.0.0/16 -j DROP #
$IPT -A INPUT -i $EXT -s 0.0.0.0/8 -j DROP # Broadcast
$IPT -A INPUT -i $EXT -s 127.0.0.0/8 -j DROP # Loopback
$IPT -A INPUT -i $EXT -s 192.0.2.0/24 -j DROP # TEST-NET
$IPT -A INPUT -i $EXT -s 169.254.0.0/16 -j DROP # Unconfigured DHCP
$IPT -A INPUT -i $EXT -s 224.0.0.0/4 -j DROP # Class D / Multicast
$IPT -A INPUT -i $EXT -s 240.0.0.0/5 -j DROP # Class E / Reserved
$IPT -A INPUT -i $EXT -s 255.255.255.255 -j DROP # Broadcast
### DROP BLACKLIST SITES (SCANS, WORMS, ETC) ---------------------------------
#
# $EVIL is a space-separated list; the unquoted expansion in each "for" is
# what splits it into one address per rule.
if [ "$EVIL" ]
then
echo " - Drop traffic for blacklisted IP(s)"
for v in $EVIL; do
$IPT -A INPUT -s $v -j DROP # Drop blacklist traffic to firewall
done
for v in $EVIL; do
$IPT -A OUTPUT -d $v -j DROP # Don't send to any blacklist sites
done
for v in $EVIL; do
$IPT -A FORWARD -s $v -j DROP # Don't forward any blacklist traffic
done
fi
### IGNORE COMMONLY PROBED PORTS (SSH/SMTP/HTTP HANDLED LATER) ---------------
#
# FIRE|GATE assumes a default INPUT policy of DROP, so this section is just
# to cut down on nuisance logs. However, if you analyze your firewall logs
# for hack attempts (fwlogwatch, DShield, etc), you should set QUIET variable
# to "1"; otherwise, activity aimed at these ports will not be recorded. If
# you host any of these services for the Internet, you should comment out the
# appropriate ports (notably FTP).
#
# FIXME(review): the comment above reads backwards -- with QUIET="1" these
# ports are silently dropped and NOT logged; set QUIET="0" if you want the
# catch-all "**PACKET DROP**" log line to record probes to them.
if [ "$QUIET" = "1" ]
then
echo " - Ignore commonly probed ports"
$IPT -A INPUT -p tcp -i $EXT --dport 0:19 -j DROP # ... Diagnostics
$IPT -A INPUT -p udp -i $EXT --dport 0:19 -j DROP # ... Diagnostics
$IPT -A INPUT -p tcp -i $EXT --dport 21 -j DROP # ... FTPd
$IPT -A INPUT -p tcp -i $EXT --dport 23 -j DROP # ... Telnet
$IPT -A INPUT -p tcp -i $EXT --dport 111 -j DROP # ... RPC/Portmap
$IPT -A INPUT -p tcp -i $EXT --dport 135 -j DROP # ... Microsoft RPC
$IPT -A INPUT -p udp -i $EXT --dport 135 -j DROP # ... Microsoft RPC
# FIXME(review): the two SMB lines below match on --sport (source port),
# unlike every other rule in this block, which matches --dport. Confirm
# that is intended; a probe to local 137-139 would not be caught by them.
$IPT -A INPUT -p udp -i $EXT --sport 137:138 -j DROP # ... SMB w/NetBIOS
$IPT -A INPUT -p tcp -i $EXT --sport 139 -j DROP # ... SMB w/NetBIOS
$IPT -A INPUT -p tcp -i $EXT --dport 443 -j DROP # ... HTTP w/SSL
$IPT -A INPUT -p tcp -i $EXT --dport 445 -j DROP # ... SMB w/o NetBIOS
$IPT -A INPUT -p tcp -i $EXT --dport 515 -j DROP # ... LPR/Printer
$IPT -A INPUT -p tcp -i $EXT --dport 1080 -j DROP # ... SOCKS Proxy
$IPT -A INPUT -p tcp -i $EXT --dport 27374 -j DROP # ... SubSeven
$IPT -A INPUT -p tcp -i $EXT --dport 31337 -j DROP # ... BackOrifice etc
$IPT -A INPUT -p udp -i $EXT --dport 31337 -j DROP # ... BackOrifice etc
# $IPT -A INPUT -p tcp -i $EXT --dport 1214 -j DROP # ... KaZaA
# $IPT -A INPUT -p tcp -i $EXT --dport 6346 -j DROP # ... Gnutella
fi
### DETECT & LOG SUSPECTED PORT SCANS ----------------------------------------
#
# FIXME: These need to be confirmed for correctness; 3rd rule may cause
# some false alarms during certain FTP sessions (including apt-get)
#
# The SCAN chain is terminal (rate-limited LOG, then DROP), so a packet
# jumped here never reaches the FLAGS rules below.
echo " - PortScan, Fragment, Hostile Flags"
$IPT -N SCAN
$IPT -A INPUT -p tcp -i $EXT --tcp-flags ALL ALL -j SCAN # `Xmas' scan
$IPT -A INPUT -p tcp -i $EXT --tcp-flags ALL NONE -j SCAN # `Null' scan
$IPT -A INPUT -p tcp -i $EXT --tcp-flags SYN,ACK,FIN,RST RST -j SCAN # Type?
$IPT -A SCAN -m limit --limit 2/s -j LOG --log-level info \
--log-prefix "**PORTSCAN** "
$IPT -A SCAN -j DROP
### FRAGMENTED PACKETS -------------------------------------------------------
#
# FIXME: Necessary w/NAT? Mostly hostile (need to be logged)?
#
# "-f" matches every non-first fragment, so legitimate fragmented traffic
# to the firewall itself is dropped here too.
$IPT -A INPUT -i $EXT -f -j LOG -m limit --limit 1/s \
--log-level info --log-prefix "**FRAGMENT** "
$IPT -A INPUT -i $EXT -f -j DROP
### HOSTILE TCP FLAGS --------------------------------------------------------
#
# FIXME: These need to be confirmed for correctness
#
$IPT -N FLAGS
$IPT -A INPUT -p tcp -i $EXT --tcp-flags ALL FIN,URG,PSH -j FLAGS
# (The next two repeat the ALL ALL / ALL NONE tests already sent to SCAN
# above, so they can never match here; harmless.)
$IPT -A INPUT -p tcp -i $EXT --tcp-flags ALL ALL -j FLAGS
$IPT -A INPUT -p tcp -i $EXT --tcp-flags ALL NONE -j FLAGS
$IPT -A INPUT -p tcp -i $EXT --tcp-flags SYN,RST SYN,RST -j FLAGS
$IPT -A INPUT -p tcp -i $EXT --tcp-flags SYN,FIN SYN,FIN -j FLAGS #QueSO
$IPT -A INPUT -p tcp -i $EXT --tcp-flags ALL SYN,RST,ACK,FIN,URG -j FLAGS
$IPT -A FLAGS -m limit --limit 2/s -j LOG --log-level info \
--log-prefix "**BADFLAGS** "
$IPT -A FLAGS -j DROP
### ALLOW DHCP LEASE & RENEWAL -----------------------------------------------
#
# If running a DHCP server internally, you may need different/additional
# rules here.
#
# FIXME(review): the "else" branch (DHCP="") accepts udp/68 from ANY source
# that uses source port 67, on every interface. Prefer listing your real
# server(s) in DHCP so only they are admitted.
if [ "$DHCP" ]
then
echo " - Allow only authorized DHCP servers"
for d in $DHCP; do
$IPT -A INPUT -p udp -s $d --sport 67 -d 0/0 --dport 68 -j ACCEPT
done
else
$IPT -A INPUT -p udp --sport 67 --dport 68 -j ACCEPT
fi
### ALLOW REPLIES ONLY FROM AUTHORIZED DNS SERVERS ---------------------------
#
# UDP = Short DNS answers; TCP = Long/retry DNS answers, zones
#
# FIXME(review): these rules accept any packet whose SOURCE port is 53,
# whether or not a query was ever sent; a remote host can pick that source
# port freely. Real replies are already admitted by the ESTABLISHED,RELATED
# rule in the TRAFFIC chain below, so these mostly widen exposure. Note
# also that the "else" branch claims "ALL incoming DNS replies" but adds
# only the TCP rule.
if [ "$DNS" ]
then
echo " - Allow only authorized DNS replies"
for u in $DNS; do
$IPT -A INPUT -p udp -s $u --sport 53 -d 0/0 -j ACCEPT
done
for t in $DNS; do
$IPT -A INPUT -p tcp -s $t --sport 53 -d 0/0 -j ACCEPT
done
else
echo " - Allow ALL incoming DNS replies"
$IPT -A INPUT -p tcp --sport 53 -j ACCEPT
fi
### HANDLE IDENTD (with DAEMON, or REJECT) -----------------------------------
#
# If you ARE NOT running an ident daemon, set IDENT as "0"; this bounces
# auth gracefully so you don't wait for a timeout, as may happen if you
# just block the port. If you DO need the real thing, set IDENT as "1".
# Debian package "harden-servers" will conflict with many common identd's
# for security reasons, but nullidentd or perhaps slidentd are acceptable.
$IPT -A INPUT -p tcp -i $INT --dport 113 -j ACCEPT # Always accept internal
if [ "$IDENT" = "1" ]
then
echo " - Allow external IDENT/auth"
$IPT -A INPUT -p tcp -i $EXT --dport 113 -j ACCEPT
else
echo " - Reject IDENT with tcp-reset"
$IPT -A INPUT -p tcp -i $EXT --dport 113 -j REJECT --reject-with tcp-reset
fi
### BLOCK OUTBOUND TROJANS & INSECURE PORTS ----------------------------------
#
# The ports listed below are not exhaustive, and blocking a particular one
# is not always effective (most new trojans can use any high port). These
# could also intentionally prevent your LAN users from using some outbound
# applications (with the same caveat as above). A well-documented list of
# trojans is available at
# FIXME(review): bare URL on the next line, see the note in the SYSCTL section.
http://www.simovits.com/trojans/.
#
# These rules sit on OUTPUT only, i.e. they govern traffic originating on
# the firewall host itself; LAN traffic through FORWARD is not checked here.
echo " - Drop, log outbound trojan ports"
$IPT -N STOPOUT
$IPT -A OUTPUT -p udp --dport 137:138 -j STOPOUT # SMB w/NetBIOS
$IPT -A OUTPUT -p tcp --dport 139 -j STOPOUT # SMB w/NetBIOS
$IPT -A OUTPUT -p tcp --dport 445 -j STOPOUT # SMB w/o NetBIOS
$IPT -A OUTPUT -p tcp --dport 4444 -j STOPOUT # W32.Blaster worm
$IPT -A OUTPUT -p tcp --dport 10008 -j STOPOUT # Lion worm
$IPT -A OUTPUT -p tcp --dport 65535 -j STOPOUT # Ramen worm
$IPT -A OUTPUT -p tcp --dport 12345 -j STOPOUT # Various trojans
$IPT -A OUTPUT -p tcp --dport 27374 -j STOPOUT # "
$IPT -A OUTPUT -p tcp --dport 31335:31337 -j STOPOUT # "
$IPT -A OUTPUT -p udp --dport 31335:31337 -j STOPOUT # "
$IPT -A STOPOUT -m limit --limit 1/s -j LOG \
--log-level info --log-prefix "**TROJAN?** " # Log these attempts
$IPT -A STOPOUT -j DROP # then drop packets
### CONTROL ICMP MESSAGES ----------------------------------------------------
#
# Certain types should be allowed for more friendly/compliant servers, but
# some must be restricted as well. Set PING to "0" if you do not want to
# respond to those, but be warned that just blocking ping at the firewall
# won't keep connection from being saturated in a Denial of Service attack
# ("ping flood"); you'd need your upstream (ISP) to filter these instead.
#
# These ICMPs are suggested by "Linux Firewalls 2nd Edition" by R Ziegler:
#
# 0 = Echo Reply, what gets sent back after a Type 8 is received here
# 3 = Destination Unreachable (inbound) or Fragmentation Needed (out)
# 4 = Source Quench tells sending IP to slow down its rate to destination
# 8 = Echo Request used for pinging hosts, but see the caution above
# 11 = Time Exceeded used for traceroute (TTL) or sometimes frag packets
# 12 = Parameter Problem is some error or weirdness detected in header
#
# See also
# FIXME(review): bare URL on the next line, see the note in the SYSCTL section.
http://www.iana.org/assignments/icmp-parameters or RFC792
#
# FIXME: This may break traceroute from the firewall itself, but it works
# from NAT'd machines behind it.
echo -e -n " - Control ICMP messages"
$IPT -A INPUT -p icmp -i $EXT --fragment -j LOG -m limit --limit 1/s \
--log-level info --log-prefix "**ICMP FRAG** " # Log and drop any
$IPT -A INPUT -p icmp -i $EXT --fragment -j DROP # frag'd ICMPs (bad)
# No outgoing destination-unreachable; can be spoofed & sent to other hosts
$IPT -A OUTPUT -p icmp --icmp-type destination-unreachable -o $EXT -j DROP
# Specifically allow these types (just in case ESTABLISHED/RELATED doesn't)
$IPT -A INPUT -p icmp --icmp-type destination-unreachable -i $EXT -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type source-quench -i $EXT -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type time-exceeded -i $EXT -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type parameter-problem -i $EXT -j ACCEPT
# Inbound echo-request is not rate-limited when PING="1"; the ACCEPT is
# unconditional (see the DoS caveat above).
if [ "$PING" = "1" ]
then
echo -e -n "; PING on\n"
$IPT -A INPUT -p icmp --icmp-type echo-request -i $EXT -j ACCEPT
$IPT -A OUTPUT -p icmp --icmp-type echo-reply -o $INT -j ACCEPT
else
echo -e -n "; PING off\n"
$IPT -A INPUT -p icmp --icmp-type echo-request -i $EXT -j DROP
$IPT -A OUTPUT -p icmp --icmp-type echo-reply -o $INT -j DROP
fi
$IPT -A INPUT -p icmp -i $INT -j ACCEPT # Accept all from LAN
$IPT -A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -p icmp -j LOG -m limit --limit 1/s \
--log-level info --log-prefix "**ICMP DROP** " # Log anything else
$IPT -A INPUT -p icmp -j DROP # denied, then drop
### ALLOW SSH INTO FIREWALL FROM INTERNET ------------------------------------
#
# Blocked by default and not logged, but internal LAN use & outbound SSH
# always allowed. To permit external access FROM internet, set SSH as "1";
# be sure you also specify the proper interface for your listening address
# (i.e., in /etc/ssh/sshd_config).
# FIXME(review): the shipped default is SSH="1", so tcp/22 is open to the
# Internet with no source restriction or rate limit; the comment above says
# "blocked by default" but the variable block does not.
$IPT -A INPUT -p tcp -i $INT --dport 22 -j ACCEPT # Allow SSH from LAN
if [ "$SSH" = "1" ]
then
echo " - Inbound SSH from Internet"
$IPT -A INPUT -p tcp -i $EXT --dport 22 -j ACCEPT # SSH from internet
elif [ "$QUIET" = "1" ]
then
echo " - No inbound SSH from Internet"
$IPT -A INPUT -p tcp -i $EXT --dport 22 -j DROP # No SSH & don't log
fi
### REDIRECT INBOUND TRAFFIC TO SERVER(S) ------------------------------------
#
# To permit access to your internal servers from those outside the LAN
# (on the internet), define all the appropriate IP(s) at top of script.
# Otherwise, this traffic will be dropped; set QUIET to 1 to not log
# these attempts either.
# Each forward is two rules: a FORWARD ACCEPT for the port (placed before
# the TRAFFIC catch-all so EXT-originated NEW connections are allowed) and
# the nat PREROUTING DNAT that rewrites the destination to the LAN host.
echo -e -n " - Redirect inbound: "
if [ "$CAM" ] && [ "$CAMIP" ]
then
echo -e -n "+CAM "
$IPT -A FORWARD -i $EXT -o $INT -p tcp --dport $CAM -m state \
--state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -A PREROUTING -t nat -i $EXT -p tcp \
--dport $CAM -j DNAT --to $CAMIP:$CAM # Forward webcam
elif [ "$QUIET" = "1" ] && [ "$CAM" ]
then
$IPT -A INPUT -p tcp -i $EXT --dport $CAM -j DROP # No cam & don't log
fi
# FIXME(review): $WEBPORT is unquoted in this test, unlike every other
# test in the script; write [ "$WEBPORT" ] for consistency. Note the quiet
# DROP in the else branch is hard-wired to port 80, not $WEBPORT.
if [ "$HTTP" ] && [ $WEBPORT ]
then
echo -e -n "+HTTP "
$IPT -A FORWARD -i $EXT -o $INT -p tcp --dport $WEBPORT -m state \
--state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -A PREROUTING -t nat -i $EXT -p tcp \
--dport $WEBPORT -j DNAT --to $HTTP:$WEBPORT # Forward HTTP
elif [ "$QUIET" = "1" ]
then
$IPT -A INPUT -p tcp -i $EXT --dport 80 -j DROP # No HTTP & don't log
fi
if [ "$SMTP" ]
then
echo -e -n "+SMTP "
$IPT -A FORWARD -i $EXT -o $INT -p tcp --dport 25 -m state \
--state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -A PREROUTING -t nat -i $EXT -p tcp \
--dport 25 -j DNAT --to $SMTP:25 # Forward SMTP
elif [ "$QUIET" = "1" ]
then
$IPT -A INPUT -p tcp -i $EXT --dport 25 -j DROP # No SMTP & don't log
fi
### PREROUTE CLIENT PORTS FOR IM DIRECT CONNECT/FILE XFER --------------------
#
# FIXME: At this time, the following implementation results in...
#
# AIM - Allows in/outbound file xfers, direct connect
# ICQ - Allows outgoing file transfers only
# MSN - Allows incoming file transfers, no voice chat
# IRC (DCC) - Untested, but supposedly built-in to IPtables
# P2P - Believed to work but recently added; let me know
# H.323 - aka Netmeeting: see below, and read included FAQ
# Yahoo - "View My Webcam" works, but file xfers untested
#
# REDIRECT sends these ports to the firewall host itself (not a LAN
# machine); with MSN="1863" as shipped, tcp/1863 arriving on $EXT is
# redirected locally, and INPUT to it is still subject to the TRAFFIC
# chain below (NEW from $EXT is dropped there unless a listener is allowed).
if [ "$AIM" ]
then
echo -e -n "+AIM "
$IPT -A PREROUTING -t nat -i $EXT -p tcp \
--dport $AIM -j REDIRECT --to-ports $AIM # Allow AIM file xfer
fi
if [ "$ICQ" ]
then
echo -e -n "+ICQ "
$IPT -A PREROUTING -t nat -i $EXT -p tcp \
--dport $ICQ -j REDIRECT --to-ports $ICQ # Allow ICQ file xfer
fi
if [ "$MSN" ]
then
echo -e -n "+MSN "
$IPT -A PREROUTING -t nat -i $EXT -p tcp \
--dport $MSN -j REDIRECT --to-ports $MSN # Allow MSN file xfer
fi
if [ "$P2P" ]
then
echo -e -n "+P2P "
$IPT -A PREROUTING -t nat -i $EXT -p tcp \
--dport $P2P -j REDIRECT --to-ports $P2P # Allow P2P file share
fi
### MAIN RULESET FOR AUTHORIZED (LAN) TRAFFIC
#
# TRAFFIC is the shared catch-all for INPUT, OUTPUT and FORWARD: accept
# anything conntrack knows, accept NEW connections that did not arrive on
# $EXT (LAN and the firewall's own outbound), log and DROP the rest. It
# always terminates, so nothing appended to INPUT/OUTPUT/FORWARD after the
# three "-j TRAFFIC" jumps is ever evaluated.
echo -e "\n - Allow authorized LAN traffic"
$IPT -N TRAFFIC
$IPT -A TRAFFIC -m state --state ESTABLISHED,RELATED -j ACCEPT
# "-i ! $EXT" (negation after the option) is deprecated in newer iptables
# releases, which print a warning; the current spelling is "! -i $EXT".
$IPT -A TRAFFIC -m state --state NEW -i ! $EXT -j ACCEPT
$IPT -A TRAFFIC -j LOG -m limit --limit 1/s \
--log-level info --log-prefix "**PACKET DROP** " # Log anything denied
$IPT -A TRAFFIC -j DROP # and drop the packets
$IPT -A INPUT -j TRAFFIC # Send INPUT to above
$IPT -A OUTPUT -j TRAFFIC # Send OUTPUT to above
$IPT -A FORWARD -j TRAFFIC # Send FORWARD above
### ENABLE sNAT/MASQUERADE #
# FIXME(review): the five FORWARD rules below are unreachable -- FORWARD
# already jumped to TRAFFIC, which ends in DROP. LAN->Internet forwarding
# actually works via TRAFFIC's "NEW -i ! $EXT" rule, and the
# "**FORWARD DROP**" log prefix will never appear. Move these above the
# "-A FORWARD -j TRAFFIC" line if they are meant to take effect.
echo " - Enable sNAT/Masquerade"
$IPT -A FORWARD -i $EXT -o $INT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i $INT -o $EXT -j ACCEPT
$IPT -A FORWARD -j LOG -m limit --limit 1/s \
--log-level info --log-prefix "**FORWARD DROP** " # Log anything denied
$IPT -A FORWARD -j DROP # and drop the packets
# Only sources inside $MASQ are rewritten. A LAN host outside that range is
# still forwarded (TRAFFIC accepts NEW from !$EXT) but leaves $EXT with its
# private source address, so it will not get usable replies -- check MASQ
# first if LAN clients cannot reach the Internet while the firewall can.
$IPT -A POSTROUTING -t nat -s $MASQ -o $EXT -j MASQUERADE
# NOTE: The last line above is intended for dynamic IPs (PPP, DHCP etc); see
# info at
# FIXME(review): bare URL on the next line, see the note in the SYSCTL section.
http://www.netfilter.org/documentati...T-HOWTO-6.html for
# important differences between sNAT and MASQUERADE. If your IP address is
# truly static, you should use this format instead:
#
# $IPT -t nat -A POSTROUTING -o $EXT -j SNAT --to <YourIP>
#
# Of course, then you have to grep the IP or specify it manually. Since this
# is contrary to the original design of this script, it won't be accommodated
# herein (but you are free to make that modification yourself if needed).
echo -e "\n"$WHITE"FINISHED!"$NORM"\n"
# Marker read by "status"; it only records that start ran, not that the
# rules are still loaded.
touch /var/lock/firegate
;;
# [STATUS] ===================================================================
#
# Reports only on the lock file, not on the live ruleset.
status)
if [ -f /var/lock/firegate ]; then
echo -e "\nFIRE|GATE $VER is "$GREEN"running$NORM.\n"
else
echo -e "\nFIRE|GATE $VER is "$RED"NOT running$NORM.\n"
fi
exit 0
;;
# [RESTART/RELOAD] ===========================================================
#
# Re-invokes this script, so there is a window between "stop" and "start"
# in which the permissive "stop" rules are active.
restart|reload)
$0 stop
$0 start
;;
# [STOP] =====================================================================
#
stop)
echo -e "\n"$NORM"FIRE|GATE $VER$RED stopping"$NORM"..."
echo -e "\n - IP forwarding off"
echo 0 > /proc/sys/net/ipv4/ip_forward # IP forwarding off
echo -e " - Address rewrite off"
echo 0 > /proc/sys/net/ipv4/ip_dynaddr # Address rewrite off
for r in /proc/sys/net/ipv4/conf/*/rp_filter; do # Reverse path filter
echo 1 > $r # (default for Debian
done # installations)
echo -e " - Flush built-in/custom/NAT/mangle"
$IPT -F # Flush built-in rules
$IPT -X # Erase custom rules
$IPT -Z # Zero all counters
$IPT -t nat -F # Flush pre/postroute
$IPT -t mangle -F # Flush packet mangle
# FIXME(review): INPUT/OUTPUT policies are not reset here; they stay DROP
# if "start" ran, and the host stays reachable only through the interface
# ACCEPT rules below. With DROPEXT="0" (the shipped default) those rules
# leave the firewall host fully open on $EXT -- no state matching at all --
# so "stop" means "unprotected", not "neutral".
if [ "$DROPEXT" = "1" ]
then
echo -e " - Drop all traffic on $EXT"
$IPT -A INPUT -i $EXT -j DROP # ALL external access
$IPT -A OUTPUT -o $EXT -j DROP # & forwarding disabled
else
echo -e " - Allow traffic on $EXT"
$IPT -A INPUT -i $EXT -j ACCEPT # Remote SSH works even
$IPT -A OUTPUT -o $EXT -j ACCEPT # after ./firegate stop
fi
echo -e " - Allow in/output on $INT"
$IPT -A INPUT -i $INT -j ACCEPT # Leave internal alone
$IPT -A OUTPUT -o $INT -j ACCEPT # (prevents a local SSH
$IPT -P FORWARD DROP # session lockout)
$IPT -A INPUT -i lo -j ACCEPT # Allow traffic on the
$IPT -A OUTPUT -o lo -j ACCEPT # loopback interface
rm -f /var/lock/firegate # Remove status file
echo -e "\n"$WHITE"FINISHED!"$NORM"\n"
;;
#
*)
echo -e "\nFIRE|GATE $VER usage:"
echo -e " "$WHITE"firegate {start|stop|status|restart|reload}$NORM\n"
;;
esac
exit 0