#!/bin/sh # # BCA's Initial SIMPLE IP Firewall test script for 2.4.x # # Brian R. Aust (baust at nc dot rr dot com) 2001-Nov-04 # # chkconfig specific parameters follow # iptables: # chkconfig: 2345 82 80 # description: starts or stops netfilter rules LAN_IP_RANGE="10.1.1.0/24" LAN_IP="10.1.1.1/32" LAN_BCAST_ADRESS="10.1.1.255/32" LOCALHOST_IP="127.0.0.1/32" INET_IFACE="eth0" LAN_IFACE="eth1" IPTABLES="/sbin/iptables" ANYWHERE="0/0" BROADCAST="255.255.255.255/32" case "$1" in start) # # CRITICAL: Enable IP forwarding since it is disabled by default. # echo -n "Enabling IP Forwarding ... " echo "1" > /proc/sys/net/ipv4/ip_forward echo "done." # Dynamic IP users: # # If you get your IP address dynamically from SLIP, PPP, or DHCP, enable this # option. This enables dynamic-ip address hacking in IP MASQ, making the connection # with Diald and similar programs much easier. # echo -n "Enabling dynamic IP addressing ... " echo "1" > /proc/sys/net/ipv4/ip_dynaddr echo "done." # # The allowed chain for TCP connections (tcp_allowed) # # This chain will be utilised if someone tries to connect to an allowed # port from the internet. If they are opening the connection, or if it's # already established we ACCEPT the packages, if not we fuck them. This is # where the state matching is performed also, we allow ESTABLISHED and # RELATED packets. echo -n "Creating tcp_allowed chain ... " $IPTABLES -N tcp_allowed $IPTABLES -A tcp_allowed -p TCP --syn -j ACCEPT $IPTABLES -A tcp_allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A tcp_allowed -p TCP -j DROP echo "done." # # Enable simple IP FORWARDing and Masquerading # echo -n "Setting up FORWARD chain and MASQUERADE ... " $IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -s $LAN_IP_RANGE -j MASQUERADE # ACCEPT all LAN traffic $IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT # ACCEPT all packets RELATED to and establised session from the LAN back in $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # LOG anything else that doesn't match a LAN request or response back to the LAN $IPTABLES -A FORWARD -m limit --limit 10/minute --limit-burst 10 -j LOG \ --log-level DEBUG --log-prefix "FORWARD : " echo "done." # # Set default policies for the INPUT, FORWARD and OUTPUT chains # Guess what? We DROP everything by default! echo -n "Setting up default policies ... " $IPTABLES -P INPUT DROP $IPTABLES -P OUTPUT DROP $IPTABLES -P FORWARD DROP echo "done." # # Create separate chains for ICMP, TCP and UDP to traverse # echo -n "Creating ICMP, TCP and UDP accepting chains ... " $IPTABLES -N icmp_packets $IPTABLES -N tcp_packets $IPTABLES -N udp_packets echo "done." # # ICMP rules # echo -n "Setting up icmp_packets chain ... " $IPTABLES -A icmp_packets -p ICMP -s $ANYWHERE --icmp-type 0 -j ACCEPT $IPTABLES -A icmp_packets -p ICMP -s $ANYWHERE --icmp-type 3 -j ACCEPT $IPTABLES -A icmp_packets -p ICMP -s $ANYWHERE --icmp-type 5 -j ACCEPT $IPTABLES -A icmp_packets -p ICMP -s $ANYWHERE --icmp-type 8 -j ACCEPT $IPTABLES -A icmp_packets -p ICMP -s $ANYWHERE --icmp-type 11 -j ACCEPT echo "done." # # TCP rules # # Allow ssh and smtp. # echo -n "Setting up tcp_packets chain ... " $IPTABLES -A tcp_packets -p TCP -s $ANYWHERE --dport 21 -j tcp_allowed $IPTABLES -A tcp_packets -p TCP -s $ANYWHERE --dport 22 -j tcp_allowed $IPTABLES -A tcp_packets -p TCP -s $ANYWHERE --dport 25 -j tcp_allowed $IPTABLES -A tcp_packets -p TCP -s $ANYWHERE --dport 113 -j tcp_allowed $IPTABLES -A tcp_packets -p TCP -s $ANYWHERE --dport 80 -j tcp_allowed echo "done." # # UDP ports # # Allow DHCP # $IPTABLES -A udp_packets -p UDP -s $ANYWHERE --source-port 53 -j ACCEPT $IPTABLES -A udp_packets -p UDP -s $ANYWHERE --destination-port 53 -j ACCEPT echo -n "Setting up udp_packets... " $IPTABLES -A udp_packets -p UDP -s $ANYWHERE --source-port 67 -j ACCEPT $IPTABLES -A udp_packets -p UDP -s $ANYWHERE --source-port 68 -j ACCEPT echo "done." # # PREROUTING chain. # # Do some checks for obviously spoofed IP's coming to our Internet # interface # echo -n "Blocking private networks ... " $IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 192.168.0.0/16 -j DROP $IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 10.0.0.0/8 -j DROP $IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 172.16.0.0/12 -j DROP echo "done." # # INPUT chain # echo -n "Associating packet types with their chains ... " $IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets $IPTABLES -A INPUT -p TCP -i $INET_IFACE -j tcp_packets $IPTABLES -A INPUT -p UDP -i $INET_IFACE -j udp_packets echo "done." echo -n "Setting up the INPUT chain ... " $IPTABLES -A INPUT -p all -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_BCAST_ADRESS -j ACCEPT $IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $BROADCAST -j ACCEPT $IPTABLES -A INPUT -p ALL -d $LOCALHOST_IP -j ACCEPT $IPTABLES -A INPUT -p ALL -d $LAN_IP -j ACCEPT # $IPTABLES -A INPUT -m limit --limit 10/minute --limit-burst 10 -j LOG \ # --log-level DEBUG --log-prefix "INPUT : " echo "done." echo -n "Setting up OUTPUT chain ... " $IPTABLES -A OUTPUT -p ALL -s $LOCALHOST_IP -j ACCEPT $IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT $IPTABLES -A OUTPUT -p ALL -d $LOCALHOST_IP -j ACCEPT $IPTABLES -A OUTPUT -p ALL -d $LAN_IP -j ACCEPT $IPTABLES -A OUTPUT -p ALL -o $INET_IFACE -j ACCEPT # $IPTABLES -A OUTPUT -m limit --limit 10/minute --limit-burst 10 -j LOG \ # --log-level DEBUG --log-prefix "OUTPUT : " echo "done." ;; stop) # Flush all rules echo -n "Flushing all rules ... " $IPTABLES -P INPUT ACCEPT $IPTABLES -P FORWARD ACCEPT $IPTABLES -P OUTPUT ACCEPT $IPTABLES -t nat -P PREROUTING ACCEPT $IPTABLES -t nat -P POSTROUTING ACCEPT $IPTABLES -t nat -P OUTPUT ACCEPT $IPTABLES -F $IPTABLES -t nat -F $IPTABLES -X $IPTABLES -t nat -X echo "done." ;; restart) $0 stop $0 start ;; status) $IPTABLES -nL ;; *) echo "usage: $0 {start|stop|restart|status}" exit 1 esac exit 0