1 | #!/bin/sh
|
2 | #
|
3 | # rc.firewall - DHCP IP Firewall script for Linux 2.4.x and iptables
|
4 | #
|
5 | # Copyright (C) 2001 Oskar Andreasson <bluefluxATkoffeinDOTnet>
|
6 | #
|
7 | # This program is free software; you can redistribute it and/or modify
|
8 | # it under the terms of the GNU General Public License as published by
|
9 | # the Free Software Foundation; version 2 of the License.
|
10 | #
|
11 | # This program is distributed in the hope that it will be useful,
|
12 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
|
13 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
14 | # GNU General Public License for more details.
|
15 | #
|
16 | # You should have received a copy of the GNU General Public License
|
17 | # along with this program or from the site that you downloaded it
|
18 | # from; if not, write to the Free Software Foundation, Inc., 59 Temple
|
19 | # Place, Suite 330, Boston, MA 02111-1307 USA
|
20 | #
|
21 |
|
22 | ###########################################################################
|
23 | #
|
24 | # 1. Configuration options.
|
25 | #
|
26 |
|
27 | #
|
28 | # 1.1 Internet Configuration.
|
29 | #
|
30 |
|
# Interface facing the Internet (the untrusted side). Every whitelist rule
# in section 4 keys on this name, so it must be correct for the box.
INET_IFACE='eth0'

#
# 1.1.1 DHCP
#
# Set DHCP to "yes" only when the Internet-side address is obtained from a
# DHCP server, and put that server's address in DHCP_SERVER. With DHCP set
# to "yes" the udp_packets chain accepts DHCP replies (server port 67 ->
# client port 68) from DHCP_SERVER and from nobody else, so a wrong value
# simply means no lease, whereas a wildcard would let any host on the
# outside hand this box an address. The address below is the original
# author's example; replace it with your ISP's server.
#
DHCP='no'
DHCP_SERVER='195.22.90.65'

#
# 1.1.2 PPPoE
#
# If large transfers stall over a PPPoE link while small ones get through,
# set PPPOE_PMTU to "yes": section 4.2.5 then adds a TCPMSS rule that
# clamps the MSS of TCP SYN packets leaving the box to the path MTU (PMTU,
# Path Maximum Transmission Unit), so the peer never sends segments that
# are too large for the link. Doing this in the PPPoE software itself is
# preferable and cheaper than doing it in netfilter.
#
PPPOE_PMTU='no'
|
65 |
|
66 | #
|
67 | # 1.2 Local Area Network configuration.
|
68 | #
|
# Your LAN's IP range and the firewall's own LAN address. The "/N" suffix
# is the number of leading bits of the 32-bit address that must match:
# /16 (used below) is netmask 255.255.0.0, /24 is netmask 255.255.255.0.
|
71 | #
|
72 |
|
# The firewall's own LAN address, the LAN interface, and the address block
# treated as "the LAN". LAN_IP_RANGE is the whole 192.168.0.0/16 block
# (netmask 255.255.0.0); the INPUT chain trusts any packet that arrives on
# LAN_IFACE with a source inside this range, so narrow it to the subnet you
# actually use (e.g. 192.168.0.0/24) to keep the trusted set small.
LAN_IP='192.168.0.2'
LAN_IP_RANGE='192.168.0.0/16'
LAN_IFACE='eth1'

#
# 1.3 DMZ Configuration.
#
# (This variant of the script has no DMZ.)
#

#
# 1.4 Localhost Configuration.
#
LO_IFACE='lo'
LO_IP='127.0.0.1'

#
# 1.5 IPTables Configuration.
#
# Absolute path so the script does not depend on $PATH when started from
# an init script.
IPTABLES='/usr/sbin/iptables'
|
93 |
|
94 | #
|
95 | # 1.6 Other Configuration.
|
96 | #
|
97 |
|
98 | ###########################################################################
|
99 | #
|
100 | # 2. Module loading.
|
101 | #
|
102 |
|
103 | #
|
104 | # Needed to initially load modules
|
105 | #
|
106 |
|
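# Refresh the module dependency table before loading anything.
/sbin/depmod -a

#
# 2.1 Required modules
#
# Everything here is used unconditionally by the rules in section 4:
#   ip_conntrack + ipt_state : "-m state --state ..." in every chain
#   ip_tables, iptable_*     : the filter, mangle and nat tables
#   ipt_LOG, ipt_limit       : the rate-limited LOG rules
#   ipt_MASQUERADE           : the nat POSTROUTING masquerade rule
#   ipt_REJECT               : "-j REJECT --reject-with tcp-reset" in the
#                              bad_tcp_packets chain. It used to be listed
#                              as optional, but that chain is always built.
#

/sbin/modprobe ip_conntrack
/sbin/modprobe ip_tables
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_state
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_MASQUERADE
/sbin/modprobe ipt_REJECT

#
# ipt_TCPMSS is only needed when the optional PPPoE MSS-clamping rule in
# section 4.2.5 is enabled.
#
if [ "$PPPOE_PMTU" = "yes" ] ; then
    /sbin/modprobe ipt_TCPMSS
fi

#
# 2.2 Non-Required modules
#
# ip_conntrack_ftp / ip_nat_ftp are needed for FTP data connections to be
# tracked as RELATED (port 21 is opened in tcp_packets below); enable them
# if this box or a masqueraded host uses FTP. The irc helpers likewise for
# IRC DCC, ipt_owner for per-uid OUTPUT rules.
#

#/sbin/modprobe ipt_owner
#/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc
#/sbin/modprobe ip_nat_ftp
#/sbin/modprobe ip_nat_irc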
|
132 |
|
133 | ###########################################################################
|
134 | #
|
135 | # 3. /proc set up.
|
136 | #
|
137 |
|
138 | #
|
139 | # 3.1 Required proc configuration
|
140 | #
|
141 |
|
# Turn on IPv4 forwarding: the box routes between $LAN_IFACE and
# $INET_IFACE, and the FORWARD chain and MASQUERADE rule below depend on it.
printf '1\n' > /proc/sys/net/ipv4/ip_forward

#
# 3.2 Non-Required proc configuration
#
# rp_filter makes the kernel discard packets whose source address would not
# be routed back out the interface they arrived on (basic anti-spoofing);
# worth enabling unless the box has asymmetric routes. proxy_arp and
# ip_dynaddr are situational and left off.
#

#printf '1\n' > /proc/sys/net/ipv4/conf/all/rp_filter
#printf '1\n' > /proc/sys/net/ipv4/conf/all/proxy_arp
#printf '1\n' > /proc/sys/net/ipv4/ip_dynaddr
|
151 |
|
152 | ###########################################################################
|
153 | #
|
154 | # 4. rules set up.
|
155 | #
|
156 |
|
157 | ######
|
158 | # 4.1 Filter table
|
159 | #
|
160 |
|
161 | #
|
162 | # 4.1.1 Set policies
|
163 | #
|
164 |
|
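#
# Default-deny on all three built-in chains; everything that follows is a
# whitelist. Policies are set BEFORE the tables are flushed so there is no
# window in which the old rules are gone and the box is wide open.
#

$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

#
# Start from a clean slate so the script can be re-run safely. Without
# this, every run appended a second copy of each rule and the "-N" calls
# below failed because the user chains already existed.
#

$IPTABLES -F
$IPTABLES -X
$IPTABLES -Z
$IPTABLES -t nat -F
$IPTABLES -t nat -X
$IPTABLES -t mangle -F
$IPTABLES -t mangle -X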
|
168 |
|
169 | #
|
170 | # 4.1.2 Create userspecified chains
|
171 | #
|
172 |
|
173 | #
|
174 | # Create chain for bad tcp packets
|
175 | #
|
176 |
|
# User-defined chains. bad_tcp_packets is a sanity filter run from every
# built-in chain; tcp_packets / udp_packets / icmp_packets hold the
# per-protocol whitelists for traffic arriving on $INET_IFACE; "allowed" is
# the accept policy tcp_packets jumps to for an open port.
for user_chain in bad_tcp_packets allowed tcp_packets udp_packets icmp_packets; do
    $IPTABLES -N "$user_chain"
done
|
187 |
|
188 | #
|
189 | # 4.1.3 Create content in userspecified chains
|
190 | #
|
191 |
|
192 | #
|
193 | # bad_tcp_packets chain
|
194 | #
|
195 |
|
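#
# bad_tcp_packets: sanity checks applied to every TCP packet on every
# built-in chain before any accept rule is consulted.
#
# 1. A packet conntrack classes as NEW but that carries SYN+ACK is the
#    second half of a handshake this box knows nothing about (for instance
#    one begun before conntrack was loaded). Answer with a RST so the peer
#    presumably tears the attempt down instead of retrying.
# 2./3. Any other NEW packet without SYN is not a valid connection start:
#    log it, then drop it. The LOG rule is rate-limited like every other
#    LOG rule in this script, so a stray-packet flood cannot fill syslog.
#

$IPTABLES -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK \
    -m state --state NEW -j REJECT --reject-with tcp-reset
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW \
    -m limit --limit 3/minute --limit-burst 3 -j LOG \
    --log-prefix "New not syn:"
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP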
|
201 |
|
202 | #
|
203 | # allowed chain
|
204 | #
|
205 |
|
#
# allowed: what happens to a TCP packet whose destination port is open.
# A SYN (new connection) is accepted, packets of a tracked connection are
# accepted, and anything else is dropped.
#

$IPTABLES --append allowed --protocol tcp --syn --jump ACCEPT
$IPTABLES --append allowed --protocol tcp --match state \
    --state ESTABLISHED,RELATED --jump ACCEPT
$IPTABLES --append allowed --protocol tcp --jump DROP

#
# TCP services reachable from the whole Internet ("--source 0/0"):
#   21  ftp   - data connections are only tracked as RELATED if the FTP
#               conntrack helper (section 2.2, off by default) is loaded
#   22  ssh   - consider restricting the source if your clients have
#               fixed addresses
#   80  http
#   113 ident
#

for tcp_port in 21 22 80 113; do
    $IPTABLES --append tcp_packets --protocol tcp --source 0/0 \
        --destination-port "$tcp_port" --jump allowed
done
|
218 |
|
219 | #
|
220 | # UDP ports
|
221 | #
|
222 |
|
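#
# udp_packets is only reached from INPUT for UDP arriving on $INET_IFACE
# that the preceding ESTABLISHED,RELATED rule did not already accept, i.e.
# for unsolicited packets from the Internet. A rule here should therefore
# match on the *destination* port of a service this box really offers.
#
# The original script accepted any packet whose *source* port was 53, 2074
# or 4000, with no destination-port or state restriction. The source port
# is chosen by the sender, so that let any remote host reach every UDP
# service on the firewall simply by sending from port 53 (the classic
# "-g 53" scan trick). Those accepts are disabled below: replies to this
# host's own DNS/NTP/etc. queries are already let in by the
# ESTABLISHED,RELATED rule in INPUT. If a reply really is not tracked,
# re-enable the line but pin it to the server and to unprivileged
# destination ports, e.g.  -s <dns-server> --sport 53 --dport 1024:65535
#

#$IPTABLES -A udp_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT
#$IPTABLES -A udp_packets -p UDP -s 0/0 --source-port 123 -j ACCEPT
#$IPTABLES -A udp_packets -p UDP -s 0/0 --source-port 2074 -j ACCEPT
#$IPTABLES -A udp_packets -p UDP -s 0/0 --source-port 4000 -j ACCEPT

#
# DHCP on the Internet side: accept lease replies (server port 67 -> client
# port 68), but only from the configured server. Written for /bin/sh
# ("=" rather than the bash-only "==") with $DHCP quoted, so an empty or
# unset value cannot break the test.
#

if [ "$DHCP" = "yes" ] ; then
    $IPTABLES -A udp_packets -p UDP -s "$DHCP_SERVER" --sport 67 \
        --dport 68 -j ACCEPT
fi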
|
233 |
|
234 | #
|
235 | # In Microsoft Networks you will be swamped by broadcasts. These lines
|
236 | # will prevent them from showing up in the logs.
|
237 | #
|
238 |
|
239 | #$IPTABLES -A udp_packets -p UDP -i $INET_IFACE \
|
240 | #--destination-port 135:139 -j DROP
|
241 |
|
242 | #
|
243 | # If we get DHCP requests from the Outside of our network, our logs will
|
244 | # be swamped as well. This rule will block them from getting logged.
|
245 | #
|
246 |
|
247 | #$IPTABLES -A udp_packets -p UDP -i $INET_IFACE -d 255.255.255.255 \
|
248 | #--destination-port 67:68 -j DROP
|
249 |
|
250 | #
|
251 | # ICMP rules
|
252 | #
|
253 |
|
# ICMP accepted from anywhere on the Internet side: type 8 (echo request)
# and type 11 (time exceeded, which traceroute relies on). Echo requests
# are not rate-limited here; add "--match limit" if ping floods are a
# concern. Replies to this box's own pings are matched as ESTABLISHED by
# conntrack and accepted in INPUT before it ever jumps here.
for icmp_type in 8 11; do
    $IPTABLES --append icmp_packets --protocol icmp --source 0/0 \
        --icmp-type "$icmp_type" --jump ACCEPT
done
|
256 |
|
257 | #
|
258 | # 4.1.4 INPUT chain
|
259 | #
|
260 |
|
261 | #
|
262 | # Bad TCP packets we don't want.
|
263 | #
|
264 |
|
# Sanity-check every TCP packet first (see bad_tcp_packets above).
$IPTABLES --append INPUT --protocol tcp --jump bad_tcp_packets

#
# Trusted networks: anything arriving on the LAN interface *with* a LAN
# source address, and everything on loopback. The source check matters: a
# packet on $LAN_IFACE claiming an Internet address is not trusted.
#

$IPTABLES --append INPUT --protocol all --in-interface "$LAN_IFACE" \
    --source "$LAN_IP_RANGE" --jump ACCEPT
$IPTABLES --append INPUT --protocol all --in-interface "$LO_IFACE" --jump ACCEPT

#
# DHCP requests from LAN clients (client port 68 -> server port 67). These
# are not caught by the rule above, presumably because the client has no
# address yet and so is outside $LAN_IP_RANGE; they get their own rule.
#

$IPTABLES --append INPUT --protocol udp --in-interface "$LAN_IFACE" \
    --destination-port 67 --source-port 68 --jump ACCEPT

#
# Internet side: replies to connections this host opened are accepted
# first; anything NEW is handed to the per-protocol chains, which whitelist
# specific ports and ICMP types.
#

$IPTABLES --append INPUT --protocol all --in-interface "$INET_IFACE" \
    --match state --state ESTABLISHED,RELATED --jump ACCEPT
$IPTABLES --append INPUT --protocol tcp --in-interface "$INET_IFACE" \
    --jump tcp_packets
$IPTABLES --append INPUT --protocol udp --in-interface "$INET_IFACE" \
    --jump udp_packets
$IPTABLES --append INPUT --protocol icmp --in-interface "$INET_IFACE" \
    --jump icmp_packets

#
# Optional: silence multicast noise from a Microsoft network outside the
# firewall so it does not flood the log. (The full multicast block is
# 224.0.0.0/4; /8 only covers 224.x.x.x.)
#

#$IPTABLES --append INPUT --in-interface "$INET_IFACE" --destination 224.0.0.0/8 --jump DROP

#
# Everything else is logged (rate-limited so a flood cannot fill syslog)
# and then dropped by the chain policy.
#

$IPTABLES --append INPUT --match limit --limit 3/minute --limit-burst 3 \
    --jump LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: "
|
305 |
|
306 | #
|
307 | # 4.1.5 FORWARD chain
|
308 | #
|
309 |
|
310 | #
|
311 | # Bad TCP packets we don't want
|
312 | #
|
313 |
|
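# Sanity-check every forwarded TCP packet first (see bad_tcp_packets).
$IPTABLES -A FORWARD -p tcp -j bad_tcp_packets

#
# Accept the packets we actually want to forward.
#
# Traffic from the LAN is allowed through, but only when it carries a LAN
# source address -- the same check the INPUT chain applies. The original
# rule matched on the interface alone, so a LAN host could push packets
# with an arbitrary source address through the router (MASQUERADE rewrites
# the source on $INET_IFACE, but nothing else checked it, and rp_filter in
# section 3.2 is off by default). Replies to forwarded connections come
# back as ESTABLISHED,RELATED.
#

$IPTABLES -A FORWARD -i "$LAN_IFACE" -s "$LAN_IP_RANGE" -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

#
# Log whatever did not match (rate-limited); the chain policy drops it.
#

$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \
    --log-level DEBUG --log-prefix "IPT FORWARD packet died: "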
|
329 |
|
330 | #
|
331 | # 4.1.6 OUTPUT chain
|
332 | #
|
333 |
|
334 | #
|
335 | # Bad TCP packets we don't want.
|
336 | #
|
337 |
|
# Sanity-check every locally generated TCP packet (see bad_tcp_packets).
$IPTABLES --append OUTPUT --protocol tcp --jump bad_tcp_packets

#
# Locally generated traffic is accepted when it carries one of the box's
# own addresses (loopback or the LAN address) or when it leaves via the
# Internet interface. Note that the last rule keys on the interface, not
# the address, so it keeps working when the external address comes from
# DHCP/PPPoE and is not known to this script.
#

$IPTABLES --append OUTPUT --protocol all --source "$LO_IP" --jump ACCEPT
$IPTABLES --append OUTPUT --protocol all --source "$LAN_IP" --jump ACCEPT
$IPTABLES --append OUTPUT --protocol all --out-interface "$INET_IFACE" \
    --jump ACCEPT

#
# Anything else is logged (rate-limited) and dropped by the chain policy.
#

$IPTABLES --append OUTPUT --match limit --limit 3/minute --limit-burst 3 \
    --jump LOG --log-level DEBUG --log-prefix "IPT OUTPUT packet died: "
|
354 |
|
355 | ######
|
356 | # 4.2 nat table
|
357 | #
|
358 |
|
359 | #
|
360 | # 4.2.1 Set policies
|
361 | #
|
362 |
|
363 | #
|
364 | # 4.2.2 Create user specified chains
|
365 | #
|
366 |
|
367 | #
|
368 | # 4.2.3 Create content in user specified chains
|
369 | #
|
370 |
|
371 | #
|
372 | # 4.2.4 PREROUTING chain
|
373 | #
|
374 |
|
375 | #
|
376 | # 4.2.5 POSTROUTING chain
|
377 | #
|
378 |
|
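#
# Optional MSS clamping for PPPoE links (see 1.1.2). Only TCP SYNs are
# touched (SYN set, RST clear). The rule is kept in the nat table as in the
# original; newer (2.6+) kernels restrict TCPMSS to the mangle table, so if
# iptables rejects this rule use
#   $IPTABLES -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
#       -j TCPMSS --clamp-mss-to-pmtu
# instead. The test is written for /bin/sh: "=" rather than the bash-only
# "==", and $PPPOE_PMTU quoted so an empty value cannot break it.
#

if [ "$PPPOE_PMTU" = "yes" ] ; then
    $IPTABLES -t nat -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN \
        -j TCPMSS --clamp-mss-to-pmtu
fi

#
# Masquerade everything leaving via the Internet interface, so LAN traffic
# goes out with the firewall's external address. MASQUERADE rather than
# SNAT because that address may change (DHCP / PPPoE).
#

$IPTABLES -t nat -A POSTROUTING -o "$INET_IFACE" -j MASQUERADE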
|
384 |
|
385 | #
|
386 | # 4.2.6 OUTPUT chain
|
387 | #
|
388 |
|
389 | ######
|
390 | # 4.3 mangle table
|
391 | #
|
392 |
|
393 | #
|
394 | # 4.3.1 Set policies
|
395 | #
|
396 |
|
397 | #
|
398 | # 4.3.2 Create user specified chains
|
399 | #
|
400 |
|
401 | #
|
402 | # 4.3.3 Create content in user specified chains
|
403 | #
|
404 |
|
405 | #
|
406 | # 4.3.4 PREROUTING chain
|
407 | #
|
408 |
|
409 | #
|
410 | # 4.3.5 INPUT chain
|
411 | #
|
412 |
|
413 | #
|
414 | # 4.3.6 FORWARD chain
|
415 | #
|
416 |
|
417 | #
|
418 | # 4.3.7 OUTPUT chain
|
419 | #
|
420 |
|
421 | #
|
422 | # 4.3.8 POSTROUTING chain
|
423 | #
|