Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- #!/bin/bash
- # ----------------------------------------------------------------------|
- # This is it...MonMotha's Firewall 2.3.8-pre9! |
- # I wrote a firewall and all I got was this cheesy tagline |
- # ----------------------------------------------------------------------|
- # 2.3 RELEASE NOTES: This is the 2.2 series with some extra stuff, |
- # including MAC address matching, stateful matching, port forwarding, |
- # per-proto accept behavior, and some other stuff that I might think |
- # about adding later. |
- # ----------------------------------------------------------------------|
- # COMMENTS from MonMotha: |
- # |
- # Please do not email me directly with usage questions. I don't have |
- # the time or resources to keep up. Check the configuration help at |
- # the URL posted below then post to the users list if you have any |
- # further questions. |
- # --MonMotha |
- # |
- # When emailing me or the mailing lists, keep in mind that HTML email |
- # may be silently rejected as an anti-spam measure. Configure your UA |
- # to use plain text for mail. |
- # --MonMotha |
- # |
- # A list of known bugs can be found at: |
- # http://www.mplug.org/phpwiki/index.php?MonMothaKnownBugs |
- # please check this list before reporting bugs. Bugs can be reported |
- # directly to me or to the devel mailing list. Please ask to be CCed |
- # if you mail the devel list and are not a member. |
- # --MonMotha |
- # |
- # Mailing lists are now available. See the distribution website at |
- # <http://monmotha.mplug.org> for more info. |
- # --MonMotha |
- # |
- # Note another change of my email address. New address is: |
- # <[email protected]>. Hopefully I can keep this one for a while. |
- # --MonMotha |
- # |
- # I will be entering "feature freeze" when 2.3.8 goes final. Please |
- # make sure to have any patches or feature requests in by then. |
- # I expect 2.3.7 to be closing in on deserving the "stable" marking. |
- # --MonMotha |
- # |
- # Please note the change of my e-mail address. The new address is: |
- # [email protected]. The old address ([email protected]) will be |
- # discontinued as of July 31, 2001. |
- # --MonMotha |
- # |
- # When e-mailing to report a bug, please check first that it has not |
- # already been fixed in the next prerelease (which can be found at the |
- # distribution site). |
- # --MonMotha |
- # |
- # Before e-mailing me, please check the distribution site (which can be |
- # found at http://freshmeat.net/projects/mothafirewall as it changes |
- # sometimes) for a new version. |
- # --MonMotha |
- # |
- # Please...PLEASE give me feedback on your experiences with this script |
- # I would really like to know what everyone wants, what works, and |
- # about the inevitable bugs present in anything. |
- # |
- # Direct all feedback to: [email protected] |
- # --MonMotha |
- # |
- # When e-mailing with problems, please include firewall script version, |
- # iptables version, kernel version, and GNU BASH version. If you think |
- # your problem might be related to kernel configuration, please attach |
- # the .config file for your kernel. |
- # --MonMotha |
- # |
- # ----------------------------------------------------------------------|
- # SYSTEM REQUIREMENTS: You must have either compiled the appropriate |
- # iptables support into your 2.4 kernel or have loaded all the |
- # applicable modules BEFORE you run this script. This script will not |
- # load modules for you. |
- # |
- # You will need (at least) the following kernel options to use |
- # this firewall: CONFIG_NETFILTER, CONFIG_IP_NF_IPTABLES, |
- # CONFIG_IP_NF_FILTER, CONFIG_IP_NF_MATCH_STATE and |
- # CONFIG_IP_NF_TARGET_REJECT. |
- # To use the masquerading you will also need (at least): |
- # CONFIG_IP_NF_CONNTRACK, CONFIG_IP_NF_NAT, CONFIG_IP_NF_NAT_NEEDED |
- # and CONFIG_IP_NF_TARGET_MASQUERADE. |
- # Additional options may be needed to use other features. |
- # |
- # You need iptables. Get it at "http://netfilter.filewatcher.org". |
- # Some of the features will need patches only present in the CVS |
- # |
- # This script was written (and partially tested) with iptables CVS |
- # and kernel 2.4.x (non testing) in mind. |
- # |
- # Also, this is a BASH shell script...any 2.x version of GNU BASH |
- # should work. |
- # ----------------------------------------------------------------------|
- # |
- # ALL USERS, READ THE FOLLOWING: |
- # |
- # This is distributed under the BSD liscense sans advertising clause: |
- # |
- # Redistribution and use in source and binary forms, with or without |
- # modification, are permitted provided that the following conditions |
- # are met: |
- # |
- # 1.Redistributions of source code must retain the above copyright |
- # notice, this list of conditions and the following disclaimer. |
- # 2.Redistributions in binary form must reproduce the above |
- # copyright notice, this list of conditions and the following |
- # disclaimer in the documentation and/or other materials provided |
- # with the distribution. |
- # 3.The name of the author may not be used to endorse or promote |
- # products derived from this software without specific prior |
- # written permission. |
- # |
- # THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR |
- # IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED |
- # WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE |
- # ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY |
- # DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL |
- # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE |
- # GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS |
- # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER |
- # IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR |
- # OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN |
- # IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE |
- # |
- # While this may be used freely for commercial use, I do REQUEST that |
- # any commercial users please tell me via e-mail at |
- # [email protected] that they are using it, why they chose it, |
- # how well it works, etc. |
- # |
- # ----------------------------------------------------------------------|
- # IMPORTANT: This firewall is currently in beta! It may be too |
- # restrictive or insecure. |
- # ----------------------------------------------------------------------|
- # CHANGELOG: (Since 2.3.0-pre1a only) |
- # version 2.3.8-pre9: Correct typo in config help wiki |
- # Re-order FILTER_CHAINS for TREJECT change |
- # rp_filter support multiple INET interfaces |
- # version 2.3.8-pre8: Fix typo in ULREJECT chain creation status |
- # Remove one-liner config help - use wiki |
- # version 2.3.8-pre8b: Show liscense on unconfigured run |
- # Experimental multiple internet devices |
- # -Breakage of DMZ guaranteed |
- # version 2.3.8-pre8a: LTREJECT jump to TREJECT after logging |
- # Fix transparent proxy when on masqed LAN; |
- # See discussion list archives for Jun |
- # 2002 for more info |
- # Clarify source route messages |
- # version 2.3.8-pre7: Fix syntax error in ALLOW_HOSTWISE_PROTO |
- # version 2.3.8-pre7b: More sanity checking |
- # LOCIP option for DENY_HOSTWISE options |
- # LOCIP option for DENY_ALL |
- # version 2.3.8-pre7a: Clarify liscense |
- # Alias TCP_ALLOW and UDP_ALLOW to |
- # ALLOW_HOSTWISE_xxx as they contain |
- # redundant code |
- # Move BAD_ICMP to non-experimental options |
- # Changed exit status; review your scripts |
- # Additional sanity checking |
- # Add ALLOW_HOSTWISE_PROTO option |
- # version 2.3.8-pre6: Fix comment errors |
- # Fix a bug in config checks |
- # Add BRAINDEAD_ISP option |
- # version 2.3.8-pre5: More fixes for multiple LAN interfaces |
- # Fix a syntax error in ALLOW_HOSTWISE_TCP |
- # version 2.3.8-pre5d: Intersubnet Routing should work again |
- # TOS Mangles default to off |
- # version 2.3.8-pre5c: Port forwards apply to all interfaces only |
- # when LOCIP is used |
- # Multiple LAN Interfaces (breaks DMZ) |
- # version 2.3.8-pre5b: Fix missing fi near line 1160 |
- # version 2.3.8-pre5a: Fix BAD_ICMP and echo-request |
- # Fix port forwards |
- # Add checks for limit and REJECT |
- # Local IP options for TCP/UDP allows (and |
- # hostwise allows) |
- # Port forwards now apply to all interfaces |
- # Remove redundant disclaimer |
- # version 2.3.8-pre4: Fix typo in SUPER_EXEMPT |
- # Fix reversal of DMZIN/OUT |
- # Fix reversed logic in port forwards |
- # version 2.3.8-pre3: Fix DHCP server syntax error |
- # Replace ALLOW_ALL with SUPER_EXEMPT |
- # Fix ALLOW_OUT_TCP |
- # Fix SNAT status reporting |
- # Removed some obsoleted code |
- # Move DHCP server to stable options |
- # Add local IP to port forwards |
- # version 2.3.8-pre2: Don't create ULDROP unless used in case |
- # system doesn't have ULOG support |
- # ALLOW_OUT_TCP now allows a destination port |
- # Additional sanity checks |
- # Add ULREJECT and ULTREJECT targets |
- # BLACKHOLEs should now work |
- # Fix status reporting in local traffic rules |
- # DMZ Fixes (Hans Bieshaar) |
- # Flush and delete SYSTEST (Hans) |
- # Syncookies set off if not on (Hans) |
- # Fix REJECT messages for ICMP (Hans) |
- # Explicit denies are now global (Hans) |
- # Remove FORWARD -d $INTERNAL_LAN; it is not |
- # needed for internet and can pose a |
- # security risk (this may break things) |
- # (Hans) |
- # SYNCOOKIES default to off (Hans) |
- # We had a debate on this one, feel free |
- # to email me regarding it. |
- # Config directives for RP_FILTER and |
- # accept strict source routed (Hans) |
- # Add BAD_ICMP directive |
- # version 2.3.8-pre1: Add ULDROP (ULOG and DROP) target |
- # Restructuring to allow the following: |
- # BLACKHOLEs are now global (not just inet) |
- # All explicit denies override TCP/UDP |
- # forwards. |
- # All explicit denies ovrride ALLOW_HOSTWISE |
- # BLACKHOLEs should now work for computers |
- # behind the firewall as well as the |
- # firewall itself. |
- # Fix for iptables 1.2.3 log level info |
- # version 2.3.7: No changes from pre8 |
- # version 2.3.7-pre8: Change email address on liscense |
- # Revert to pre6 behavior of dropping ICMP |
- # echo-request (take global DROP= policy) |
- # Allow everything from interface lo |
- # Correct pre7 changelog |
- # Special rules for DHCP servers |
- # version 2.3.7-pre7: Fix version number in changelog entry below |
- # Fix 127.0.0.1 INPUT handling. |
- # Only enable IP forwarding if it's needed |
- # (INTERNAL_LAN defined) |
- # Tweak flood parameters |
- # Hostwise allows now override explicit, |
- # denies but not blackholes |
- # ICMP echo-request will no longer take the |
- # specified drop policy when it doesn't |
- # comply with limits, straight DROP will |
- # be used instead |
- # Fix REJECT handling in TREJECT and LTREJECT |
- # Add transparent proxy support (Joshua Link) |
- # version 2.3.7-pre6: Fix status reporting on SSR SysCtl loop |
- # Fix the SSR SysCtl loop |
- # Remove stateful match from forward chain |
- # version 2.3.7-pre5: Make the default policy actually be DROP |
- # instead of just saying it is |
- # Add stateful matching to forward chain to |
- # prevent people from routing onto your |
- # internal network (please tell me if |
- # breaks anything). Thanks to Martin |
- # Mosny for noticing this |
- # Block Source Routed Packets to help with |
- # the above problem |
- # Add option for TCP SynCookies on or off |
- # Fix BLACKHOLE directive (was being applied |
- # to INPUT/OUTPUT after the jump for |
- # INETIN/INETOUT so didn't apply for |
- # the internet). Thanks to Gerry Doris |
- # for noticing this |
- # Add DHCP client to default UDP port allows |
- # Note email address change |
- # Changed emphesis in comments |
- # Forwarding of port ranges (Vinny and Eddie) |
- # version 2.3.7-pre4: Line 414, missing subnet match caused all |
- # packets from anywhere to be allowed. |
- # Fixed. |
- # version 2.3.7-pre3: Fix missing fi (fatal syntax error) |
- # Fix logging in TCPACCEPT chain |
- # version 2.3.7-pre2: Add route verification (thanks to Jeremy |
- # Frank) |
- # Add blackhole directive |
- # Updated configuration sanity checks |
- # Ripped out SSH Stuff as it isn't needed |
- # True default DROP on INPUT |
- # Don't run the INTERNAL_LAN loop if no nets |
- # Upped the default SYN limit as large |
- # numbers of small FTP transfers would |
- # overload it quickly |
- # Form cleanups |
- # version 2.3.7-pre1: Maybe the FTP will work now (fixes for the |
- # RELATED state) |
- # Now works with both LAN and DMZ iface null |
- # Moved static NAT to stable options |
- # Change parser to /bin/bash not /bin/sh |
- # version 2.3.6: Add TTL mangling |
- # Added some more EFNet servers to the list |
- # Fix in the DMZOUT chain |
- # Fix FTP stuff |
- # version 2.3.5: Fixes to make port forwarding work again |
- # version 2.3.4: USE_MASQ has been changed to MASQ_LAN in port fw |
- # Fix syntax error in TCP port forwards |
- # General cleanup |
- # Fixes in port forwarding |
- # It's LTREJECT, not TLREJECT |
- # More TOS mangling |
- # version 2.3.3: Fatal syntax error in IP forward detect fix |
- # Don't bail on no IP forward for no LAN |
- # version 2.3.3-pre1: Reject with tcp-reset for TCP option |
- # Removed the huge list of censorship |
- # Moved the port forwards to stable options |
- # Moved the TOS mangling to stable options |
- # Check before enabling IP Forwarding and |
- # IP SynCookies |
- # Don't run censorship loop if no rules |
- # Request low latency TOS on UDP packets for |
- # games on ports 4000-7000 (Diablo II) |
- # Fix bad syntax in the port forwarding loops |
- # Reversed DMZIN and DMZOUT fixed |
- # Various syntax fixes |
- # Stateful inspection on forward chain |
- # Other stateful matching changes |
- # version 2.3.2: Fixed bad syntax in DMZ_IFACE loop |
- # version 2.3.2-pre2: Put a real liscense on it (BSD liscense) |
- # Changed format of ALLOW_HOSTWISE and |
- # DENY_HOSTWISE to be less confusing |
- # (the ":" was changed to ">") |
- # Added LOG_FLOOD option to tweak log limit |
- # Added SYN_FLOOD option to tweak SYN limit |
- # Added PING_FLOOD option to tweak PING limit |
- # version 2.3.2-pre1: Stateful matching on active FTP and SSH |
- # rules (thanks to Len Padilla) |
- # Fixed a minor bug in chain creation order |
- # (thanks to Peter Lindman) |
- # TOS Optimizations (thanks to vesa alatalo) |
- # Begin DMZ Support |
- # Proofread comments and correct |
- # Use BASH builtins instead of sed |
- # (thanks to Craig Ludington) |
- # Fixed "USE_SNAT" bug in port forwarding |
- # (has been changed to "SNAT_LAN") |
- # (thanks to Frédéric Marchand) |
- # Tuned down default TCP allows (remove POP3) |
- # version 2.3.1: Option for 1:1 or subnet:1 static NAT |
- # Internet censorship options |
- # version 2.3.1-pre2: Added option to deny specific ports from |
- # specific hosts |
- # Added limiting to logging chains to prevent |
- # log DoSing |
- # Spiffed up comments |
- # Changed the "AUTH_ALLOW" and "DNS" options |
- # to be more generic and flexible |
- # version 2.3.1-pre1: Updated comments for new kernel version |
- # Removed double drop setting |
- # Updated for iptables-1.2 |
- # Began a kernel option list |
- # version 2.3.0: No changes from pre1g |
- # version 2.3.0-pre1g: Tuned down default TCP allows |
- # Restructure to SSH loop |
- # Status Reporting Fixes (newlines, etc.) |
- # Fix log prefix length on accept loops |
- # version 2.3.0-pre1f: Moved the ICMP echo-request limit to where |
- # it should have been |
- # Allows the rest of the ICMP like it should |
- # Remove the interface matching from ICMP |
- # echo-request (not needed) |
- # version 2.3.0-pre1e: Fixed an issue in the invalid matching |
- # version 2.3.0-pre1d: Spiffed up comments |
- # Port Forwarding |
- # Moved the deny setting to normal options |
- # version 2.3.0-pre1c: Minor fixes that don't (currently) affect |
- # functionality |
- # version 2.3.0-pre1b: Security fix documented in 2.1.13 |
- # Slight logic change in TCP_ALLOW loop |
- # Don't print allow messages if nothign is |
- # allowed by that loop |
- # Changed IPTables download URL |
- # version 2.3.0-pre1a: Initial branch from 2.1.12 |
- # Add stuff in release notes except port fw |
- # ----------------------------------------------------------------------|
- # You NEED to set this! |
- # Configuration follows: |
- # |
- # Main configuration, modify to suit your setup. Help can be found at:
- # -------------------------------------------------------------------------
- # |!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!|
- # |!*********************************************************************!|
- # |!*** http://www.mplug.org/phpwiki/index.php?MonMothaReferenceGuide ***!|
- # |!*********************************************************************!|
- # |!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!|
- # -------------------------------------------------------------------------
- # --------------------------READ THE URL ABOVE!----------------------------
- # -------------------------------------------------------------------------
- # Main Options
- IPTABLES="/sbin/iptables"
- TCP_ALLOW="53 67 68 80 6000 6001 6002 6003 49200 22 113 139 445 8080 20666 20668 49152"
- UDP_ALLOW="53 67 68 177 68 6112 6119 4000 137 138 20667"
- INET_IFACE="ppp0"
- LAN_IFACE="wlan0"
- INTERNAL_LAN="192.168.2.0/24 192.168.43.0/24"
- MASQ_LAN="192.168.2.0/24 192.168.43.0/24"
- SNAT_LAN=""
- DROP="TREJECT"
- DENY_ALL=""
- DENY_HOSTWISE_TCP=""
- DENY_HOSTWISE_UDP=""
- BLACKHOLE=""
- BLACKHOLE_DROP="DROP"
- ALLOW_HOSTWISE_TCP=""
- ALLOW_HOSTWISE_UDP=""
- TCP_FW=""
- UDP_FW=""
- MANGLE_TOS_OPTIMIZE="FALSE"
- DHCP_SERVER="TRUE"
- BAD_ICMP="5 9 10 15 16 17 18"
- ENABLE="Y"
- # Flood Params
- LOG_FLOOD="2/s"
- SYN_FLOOD="20/s"
- PING_FLOOD="1/s"
- # Outbound filters
- # FIXME: Update config help wiki then remove one-liner help
- ALLOW_OUT_TCP="" # Internal hosts allowed to be forwarded out on TCP (do not put this/these host/s in INTERNAL_LAN, but do define their method of access [snat, masq] if not a public ip)
- PROXY="" # Redirect for Squid or other TRANSPARENT proxy. Syntax to specify the proxy is "host:port".
- MY_IP="" # Set to the internal IP of this box (with the firewall), only needed for PROXY=
- # Below here is experimental (please report your successes/failures)
- MAC_MASQ="" # Currently Broken
- MAC_SNAT="" # Ditto...
- TTL_SAFE=""
- USE_SYNCOOKIES="FALSE"
- RP_FILTER="TRUE"
- ACCEPT_SOURCE_ROUTE="FALSE"
- SUPER_EXEMPT=""
- BRAINDEAD_ISP="FALSE"
- ALLOW_HOSTWISE_PROTO=""
- # Only touch these if you're daring (PREALPHA stuff, as in basically non-functional)
- DMZ_IFACE="" # Interface your DMZ is on (leave blank if you don't have one) - Obsolete: Will be removed before 2.4.0
- # ----------------------------------------------------------------------|
- # These control basic script behavior; there should be no need to |
- # change any of these settings for normal use. |
- # ----------------------------------------------------------------------|
- FILTER_CHAINS="INETIN INETOUT DMZIN DMZOUT TCPACCEPT UDPACCEPT LDROP LREJECT LTREJECT TREJECT"
- UL_FILTER_CHAINS="ULDROP ULREJECT ULTREJECT"
- LOOP_IFACE="lo"
- # Colors
- NORMAL="\033[0m"
- GREEN=$'\e[32;01m'
- YELLOW=$'\e[33;01m'
- RED=$'\e[31;01m'
- NORMAL=$'\e[0m'
- # Undocumented Features
- OVERRIDE_NO_FORWARD="FALSE"
- OVERRIDE_SANITY_CHECKS="FALSE"
- # ----------------------------------------------------------------------|
- # You shouldn't need to modify anything below here |
- # Main Script Starts |
- # ----------------------------------------------------------------------|
- # Let's load it!
- echo "Loading iptables firewall:"
- # Configuration Sanity Checks
- echo -n "Checking configuration..."
- if [ "$OVERRIDE_SANITY_CHECKS" = "TRUE" ] ; then
- echo "skipped! If it breaks, don't complain!"
- echo "If there's a reason you needed to do this, please report to the developers list!"
- echo
- echo -n "Wait 5 seconds..."
- sleep 5
- echo "continuing"
- echo
- echo
- else
- # Has it been configured?
- if ! [ "$ENABLE" = "Y" ] ; then
- echo
- echo "${RED}You need to *EDIT YOUR CONFIGURATION* and set ENABLE to Y!"
- echo "${YELLOW}End User Liscense Agreement:${NORMAL}"
- echo -n "$GREEN"
- cat << EOF
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions
- are met:
- 1.Redistributions of source code must retain the above copyright
- notice, this list of conditions and the following disclaimer.
- 2.Redistributions in binary form must reproduce the above
- copyright notice, this list of conditions and the following
- disclaimer in the documentation and/or other materials provided
- with the distribution.
- 3.The name of the author may not be used to endorse or promote
- products derived from this software without specific prior
- written permission.
- THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
- WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
- DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
- GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER
- IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
- OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
- IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE
- EOF
- echo "${RED}You need to *EDIT YOUR CONFIGURATION* and set ENABLE to Y!${NORMAL}"
- exit 99
- fi
- # It's hard to run an iptables script without iptables...
- if ! [ -x $IPTABLES ] ; then
- echo
- echo "ERROR IN CONFIGURATION: ${IPTABLES} doesn't exist or isn't executable!"
- exit 4
- fi
- # Basic interface sanity
- for dev in ${LAN_IFACE} ; do
- if [ "$dev" = "${DMZ_IFACE}" ] && [ "$dev" != "" ]; then
- echo
- echo "ERROR IN CONFIGURATION: DMZ_IFACE and LAN_IFACE can't have a duplicate interface!"
- exit 1
- fi
- done
- # Create a test chain to work with for system ablilities testing
- ${IPTABLES} -N SYSTEST
- if [ "$?" != "0" ] ; then
- echo
- echo "IPTABLES can't create new chains or the script was interrupted previously!"
- echo "Flush IPTABLES rulesets and chains and try again."
- exit 4
- fi
- # Check for ULOG support
- ${IPTABLES} -A SYSTEST -j ULOG > /dev/null 2>&1
- if [ "$?" = "0" ] ; then
- HAVE_ULOG="true"
- else
- HAVE_ULOG="false"
- fi
- # Check for LOG support
- ${IPTABLES} -A SYSTEST -j LOG > /dev/null 2>&1
- if [ "$?" != "0" ] ; then
- echo
- echo "Your kernel lacks LOG support reqiored by this script. Aborting."
- exit 3
- fi
- # Check for stateful matching
- ${IPTABLES} -A SYSTEST -m state --state ESTABLISHED -j ACCEPT > /dev/null 2>&1
- if [ "$?" != "0" ] ; then
- echo
- echo "Your kernel lacks stateful matching, this would break this script. Aborting."
- exit 3
- fi
- # Check for the limit match
- ${IPTABLES} -A SYSTEST -m limit -j ACCEPT > /dev/null 2>&1
- if [ "$?" != "0" ] ; then
- echo
- echo "Support not found for limiting needed by this script. Aborting."
- exit 3
- fi
- # Check for REJECT
- ${IPTABLES} -A SYSTEST -j REJECT > /dev/null 2>&1
- if [ "$?" != "0" ] ; then
- echo
- echo "Support not found for the REJECT target needed by this script. Aborting."
- exit 3
- fi
- # Check DROP sanity
- if [ "$DROP" = "" ] ; then
- echo
- echo "There needs to be a DROP policy (try TREJECT)!"
- exit 1
- fi
- if [ "$DROP" = "ACCEPT" ] ; then
- echo
- echo "The DROP policy is set to ACCEPT; there is no point in loading the firewall as there wouldn't be one."
- exit 2
- fi
- if [ "$DROP" = "ULDROP" ] || [ "$DROP" = "ULREJECT" ] || [ "$DROP" = "ULTREJECT" ] ; then
- if [ "$HAVE_ULOG" != "true" ] ; then
- echo
- echo "You have selected a ULOG policy, but your system lacks ULOG support."
- echo "Please choose a policy that your system has support for."
- exit 5
- fi
- fi
- # Problems with blackholes?
- if [ "$BLACKHOLE" != "" ] && [ "$BLACKHOLE_DROP" = "" ] ; then
- echo
- echo "You can't use blackholes and not have a policy for them!"
- exit 1
- fi
- # Flush and remove the chain SYSTEST
- ${IPTABLES} -F SYSTEST
- ${IPTABLES} -X SYSTEST
- # Seems ok...
- echo "passed"
- fi #from override option
- # ===============================================
- # ----------------Preprocessing------------------
- # ===============================================
- # Turn TCP_ALLOW and UDP_ALLOW into ALLOW_HOSTWISE
- echo -n "Performing TCP_ALLOW and UDP_ALLOW alias preprocessing..."
- if [ "$TCP_ALLOW" != "" ] ; then
- for rule in ${TCP_ALLOW} ; do
- ALLOW_HOSTWISE_TCP="${ALLOW_HOSTWISE_TCP} 0/0>$rule"
- done
- fi
- if [ "$UDP_ALLOW" != "" ] ; then
- for rule in ${UDP_ALLOW} ; do
- ALLOW_HOSTWISE_UDP="${ALLOW_HOSTWISE_UDP} 0/0>$rule"
- done
- fi
- echo "done"
- # ===============================================
- # -------Set some Kernel stuff via SysCTL--------
- # ===============================================
- # Turn on IP forwarding
- if [ "$INTERNAL_LAN" != "" ] && [ "$OVERRIDE_NO_FORWARD" != "TRUE" ] ; then
- echo -n "Checking IP Forwarding..."
- if [ -e /proc/sys/net/ipv4/ip_forward ] ; then
- echo 1 > /proc/sys/net/ipv4/ip_forward
- echo "enabled."
- else
- echo "support not found! This will cause problems if you need to do any routing."
- fi
- fi
- # Enable TCP Syncookies
- echo -n "Checking IP SynCookies..."
- if [ -e /proc/sys/net/ipv4/tcp_syncookies ] ; then
- if [ "$USE_SYNCOOKIES" = "TRUE" ] ; then
- echo 1 > /proc/sys/net/ipv4/tcp_syncookies
- echo "enabled."
- else
- echo 0 > /proc/sys/net/ipv4/tcp_syncookies
- echo "disabled."
- fi
- else
- echo "support not found, but that's OK."
- fi
- # Enable Route Verification to prevent martians and other such crud that
- # seems to be commonplace on the internet today
- echo -n "Checking Route Verification..."
- if [ "$INET_IFACE" != "" ] ; then
- for dev in ${INET_IFACE} ; do
- if [ -e /proc/sys/net/ipv4/conf/$dev/rp_filter ] ; then
- if [ "$RP_FILTER" = "TRUE" ] ; then
- echo 1 > /proc/sys/net/ipv4/conf/$dev/rp_filter
- echo -n "activated:$dev "
- else
- echo 0 > /proc/sys/net/ipv4/conf/$dev/rp_filter
- echo -n "disabled:$dev "
- fi
- else
- echo "not found:$dev "
- fi
- done
- fi
- if [ "$LAN_IFACE" != "" ] ; then
- for dev in ${LAN_IFACE} ; do
- if [ -e /proc/sys/net/ipv4/conf/$dev/rp_filter ] ; then
- if [ "$RP_FILTER" = "TRUE" ] ; then
- echo 1 > /proc/sys/net/ipv4/conf/$dev/rp_filter
- echo -n "activated:$dev "
- else
- echo 0 > /proc/sys/net/ipv4/conf/$dev/rp_filter
- echo -n "disabled:$dev "
- fi
- else
- echo "not found:$dev "
- fi
- done
- fi
- if [ "$DMZ_IFACE" != "" ] ; then
- if [ -e /proc/sys/net/ipv4/conf/$DMZ_IFACE/rp_filter ] ; then
- if [ "$RP_FILTER" = "TRUE" ] ; then
- echo 1 > /proc/sys/net/ipv4/conf/$DMZ_IFACE/rp_filter
- echo -n "activated:${DMZ_IFACE} "
- else
- echo 0 > /proc/sys/net/ipv4/conf/$DMZ_IFACE/rp_filter
- echo -n "disabled:${DMZ_IFACE} "
- fi
- else
- echo "not found:${DMZ_IFACE} "
- fi
- fi
- echo
- # Tell the Kernel to Ignore Source Routed Packets
- echo -n "Refusing Source Routed Packets via SysCtl..."
- if [ "$INET_IFACE" != "" ] ; then
- for dev in ${INET_IFACE} ; do
- if [ -e /proc/sys/net/ipv4/conf/$dev/accept_source_route ] ; then
- if [ "$ACCEPT_SOURCE_ROUTE" = "TRUE" ] ; then
- echo "1" > /proc/sys/net/ipv4/conf/$dev/accept_source_route
- echo -n "disabled:$dev "
- else
- echo "0" > /proc/sys/net/ipv4/conf/$dev/accept_source_route
- echo -n "activated:$dev "
- fi
- else
- echo "not found:$dev "
- fi
- done
- fi
- if [ "$LAN_IFACE" != "" ] ; then
- for dev in ${LAN_IFACE} ; do
- if [ -e /proc/sys/net/ipv4/conf/$dev/accept_source_route ] ; then
- if [ "$ACCEPT_SOURCE_ROUTE" = "TRUE" ] ; then
- echo "1" > /proc/sys/net/ipv4/conf/$dev/accept_source_route
- echo -n "disabled:$dev "
- else
- echo "0" > /proc/sys/net/ipv4/conf/$dev/accept_source_route
- echo -n "activated:$dev "
- fi
- else
- echo "not found:$dev "
- fi
- done
- fi
- if [ "$DMZ_IFACE" != "" ] ; then
- if [ -e /proc/sys/net/ipv4/conf/$DMZ_IFACE/accept_source_route ] ; then
- if [ "$ACCEPT_SOURCE_ROUTE" = "TRUE" ] ; then
- echo "1" > /proc/sys/net/ipv4/conf/$DMZ_IFACE/accept_source_route
- echo -n "disabled:${DMZ_IFACE} "
- else
- echo "0" > /proc/sys/net/ipv4/conf/$DMZ_IFACE/accept_source_route
- echo -n "activated:${DMZ_IFACE} "
- fi
- else
- echo "not found:${DMZ_IFACE} "
- fi
- fi
- echo
- # ===============================================
- # --------Actual NetFilter Stuff Follows---------
- # ===============================================
- # Flush everything
- # If you need compatability, you can comment some or all of these out,
- # but remember, if you re-run it, it'll just add the new rules in, it
- # won't remove the old ones for you then, this is how it removes them.
- echo -n "Flush: "
- ${IPTABLES} -t filter -F INPUT
- echo -n "INPUT "
- ${IPTABLES} -t filter -F OUTPUT
- echo -n "OUTPUT1 "
- ${IPTABLES} -t filter -F FORWARD
- echo -n "FORWARD "
- ${IPTABLES} -t nat -F PREROUTING
- echo -n "PREROUTING1 "
- ${IPTABLES} -t nat -F OUTPUT
- echo -n "OUTPUT2 "
- ${IPTABLES} -t nat -F POSTROUTING
- echo -n "POSTROUTING "
- ${IPTABLES} -t mangle -F PREROUTING
- echo -n "PREROUTING2 "
- ${IPTABLES} -t mangle -F OUTPUT
- echo -n "OUTPUT3"
- echo
- # Create new chains
- # Output to /dev/null in case they don't exist from a previous invocation
- echo -n "Creating chains: "
- for chain in ${FILTER_CHAINS} ; do
- ${IPTABLES} -t filter -F ${chain} > /dev/null 2>&1
- ${IPTABLES} -t filter -X ${chain} > /dev/null 2>&1
- ${IPTABLES} -t filter -N ${chain}
- echo -n "${chain} "
- done
- if [ ${HAVE_ULOG} = "true" ] || [ ${HAVE_ULOG} = "" ] ; then
- for chain in ${UL_FILTER_CHAINS} ; do
- ${IPTABLES} -t filter -F ${chain} > /dev/null 2>&1
- ${IPTABLES} -t filter -X ${chain} > /dev/null 2>&1
- ${IPTABLES} -t filter -N ${chain}
- echo -n "${chain} "
- done
- fi
- echo
- # Default Policies
- # INPUT policy is drop as of 2.3.7-pre5
- # Policy can't be reject because of kernel limitations
- echo -n "Default Policies: "
- ${IPTABLES} -t filter -P INPUT DROP
- echo -n "INPUT:DROP "
- ${IPTABLES} -t filter -P OUTPUT ACCEPT
- echo -n "OUTPUT:ACCEPT "
- ${IPTABLES} -t filter -P FORWARD DROP
- echo -n "FORWARD:DROP "
- echo
- # ===============================================
- # -------Chain setup before jumping to them------
- # ===============================================
- #These logging chains are valid to specify in DROP= above
- #Set up LDROP
- echo -n "Setting up drop chains chains: "
- ${IPTABLES} -t filter -A LDROP -p tcp -m limit --limit ${LOG_FLOOD} -j LOG --log-level 6 --log-prefix "TCP Dropped "
- ${IPTABLES} -t filter -A LDROP -p udp -m limit --limit ${LOG_FLOOD} -j LOG --log-level 6 --log-prefix "UDP Dropped "
- ${IPTABLES} -t filter -A LDROP -p icmp -m limit --limit ${LOG_FLOOD} -j LOG --log-level 6 --log-prefix "ICMP Dropped "
- ${IPTABLES} -t filter -A LDROP -f -m limit --limit ${LOG_FLOOD} -j LOG --log-level 4 --log-prefix "FRAGMENT Dropped "
- ${IPTABLES} -t filter -A LDROP -j DROP
- echo -n "LDROP "
- #And LREJECT too
- ${IPTABLES} -t filter -A LREJECT -p tcp -m limit --limit ${LOG_FLOOD} -j LOG --log-level 6 --log-prefix "TCP Rejected "
- ${IPTABLES} -t filter -A LREJECT -p udp -m limit --limit ${LOG_FLOOD} -j LOG --log-level 6 --log-prefix "UDP Rejected "
- ${IPTABLES} -t filter -A LREJECT -p icmp -m limit --limit ${LOG_FLOOD} -j LOG --log-level 6 --log-prefix "ICMP Rejected "
- ${IPTABLES} -t filter -A LREJECT -f -m limit --limit ${LOG_FLOOD} -j LOG --log-level 4 --log-prefix "FRAGMENT Rejected "
- ${IPTABLES} -t filter -A LREJECT -j REJECT
- echo -n "LREJECT "
- #Don't forget TREJECT
- ${IPTABLES} -t filter -A TREJECT -p tcp -j REJECT --reject-with tcp-reset
- ${IPTABLES} -t filter -A TREJECT -p udp -j REJECT --reject-with icmp-port-unreachable
- ${IPTABLES} -t filter -A TREJECT -p icmp -j DROP
- ${IPTABLES} -t filter -A TREJECT -j REJECT
- echo -n "TREJECT "
- #And LTREJECT
- ${IPTABLES} -t filter -A LTREJECT -p tcp -m limit --limit ${LOG_FLOOD} -j LOG --log-level 6 --log-prefix "TCP Rejected "
- ${IPTABLES} -t filter -A LTREJECT -p udp -m limit --limit ${LOG_FLOOD} -j LOG --log-level 6 --log-prefix "UDP Rejected "
- ${IPTABLES} -t filter -A LTREJECT -p icmp -m limit --limit ${LOG_FLOOD} -j LOG --log-level 6 --log-prefix "ICMP Rejected "
- ${IPTABLES} -t filter -A LTREJECT -f -m limit --limit ${LOG_FLOOD} -j LOG --log-level 4 --log-prefix "FRAGMENT Rejected "
- ${IPTABLES} -t filter -A LTREJECT -j TREJECT
- echo -n "LTREJECT "
- #And ULOG stuff, same as above but ULOG instead of LOG
- if [ ${HAVE_ULOG} = "true" ] || [ ${HAVE_ULOG} = "" ] ; then
- ${IPTABLES} -t filter -A ULDROP -p tcp -m limit --limit ${LOG_FLOOD} -j ULOG --ulog-nlgroup 1 --ulog-prefix LDROP_TCP
- ${IPTABLES} -t filter -A ULDROP -p udp -m limit --limit ${LOG_FLOOD} -j ULOG --ulog-nlgroup 1 --ulog-prefix LDROP_UDP
- ${IPTABLES} -t filter -A ULDROP -p icmp -m limit --limit ${LOG_FLOOD} -j ULOG --ulog-nlgroup 1 --ulog-prefix LDROP_ICMP
- ${IPTABLES} -t filter -A ULDROP -f -m limit --limit ${LOG_FLOOD} -j ULOG --ulog-nlgroup 1 --ulog-prefix LDROP_FRAG
- ${IPTABLES} -t filter -A ULDROP -j DROP
- echo -n "ULDROP "
- ${IPTABLES} -t filter -A ULREJECT -p tcp -m limit --limit ${LOG_FLOOD} -j ULOG --ulog-nlgroup 1 --ulog-prefix LREJECT_TCP
- ${IPTABLES} -t filter -A ULREJECT -p udp -m limit --limit ${LOG_FLOOD} -j ULOG --ulog-nlgroup 1 --ulog-prefix LREJECT_UDP
- ${IPTABLES} -t filter -A ULREJECT -p icmp -m limit --limit ${LOG_FLOOD} -j ULOG --ulog-nlgroup 1 --ulog-prefix LREJECT_UDP
- ${IPTABLES} -t filter -A ULREJECT -f -m limit --limit ${LOG_FLOOD} -j ULOG --ulog-nlgroup 1 --ulog-prefix LREJECT_FRAG
- ${IPTABLES} -t filter -A ULREJECT -j REJECT
- echo -n "ULREJECT "
- ${IPTABLES} -t filter -A ULTREJECT -p tcp -m limit --limit ${LOG_FLOOD} -j ULOG --ulog-nlgroup 1 --ulog-prefix LTREJECT_TCP
- ${IPTABLES} -t filter -A ULTREJECT -p udp -m limit --limit ${LOG_FLOOD} -j ULOG --ulog-nlgroup 1 --ulog-prefix LTREJECT_UDP
- ${IPTABLES} -t filter -A ULTREJECT -p icmp -m limit --limit ${LOG_FLOOD} -j ULOG --ulog-nlgroup 1 --ulog-prefix LTREJECT_ICMP
- ${IPTABLES} -t filter -A ULTREJECT -f -m limit --limit ${LOG_FLOOD} -j ULOG --ulog-nlgroup 1 --ulog-prefix LTREJECT_FRAG
- ${IPTABLES} -t filter -A ULTREJECT -p tcp -j REJECT --reject-with tcp-reset
- ${IPTABLES} -t filter -A ULTREJECT -p udp -j REJECT --reject-with icmp-port-unreachable
- ${IPTABLES} -t filter -A ULTREJECT -p icmp -j DROP
- ${IPTABLES} -t filter -A ULTREJECT -j REJECT
- echo -n "ULTREJECT "
- fi
- #newline
- echo
- # Set up the per-proto ACCEPT chains
- echo -n "Setting up per-proto ACCEPT: "
- # TCPACCEPT
- # SYN Flood "Protection"
- ${IPTABLES} -t filter -A TCPACCEPT -p tcp --syn -m limit --limit ${SYN_FLOOD} -j ACCEPT
- ${IPTABLES} -t filter -A TCPACCEPT -p tcp --syn -m limit --limit ${LOG_FLOOD} -j LOG --log-prefix "Possible SynFlood "
- ${IPTABLES} -t filter -A TCPACCEPT -p tcp --syn -j ${DROP}
- ${IPTABLES} -t filter -A TCPACCEPT -p tcp ! --syn -j ACCEPT
- # Log anything that hasn't matched yet and ${DROP} it since it isn't TCP and shouldn't be here
- ${IPTABLES} -t filter -A TCPACCEPT -m limit --limit ${LOG_FLOOD} -j LOG --log-prefix "Mismatch in TCPACCEPT "
- ${IPTABLES} -t filter -A TCPACCEPT -j ${DROP}
- echo -n "TCPACCEPT "
- #UDPACCEPT
- ${IPTABLES} -t filter -A UDPACCEPT -p udp -j ACCEPT
- # Log anything not UDP and ${DROP} it since it's not supposed to be here
- ${IPTABLES} -t filter -A UDPACCEPT -m limit --limit ${LOG_FLOOD} -j LOG --log-prefix "Mismatch on UDPACCEPT "
- ${IPTABLES} -t filter -A UDPACCEPT -j ${DROP}
- echo -n "UDPACCEPT "
- #Done
- echo
- # =================================================
- # -------------------Exemptions--------------------
- # =================================================
- if [ "$SUPER_EXEMPT" != "" ] ; then
- echo -n "Super Exemptions: "
- for host in ${SUPER_EXEMPT} ; do
- ${IPTABLES} -t filter -A INPUT -s ${host} -j ACCEPT
- ${IPTABLES} -t filter -A OUTPUT -d ${host} -j ACCEPT
- ${IPTABLES} -t filter -A FORWARD -s ${host} -j ACCEPT
- ${IPTABLES} -t filter -A FORWARD -d ${host} -j ACCEPT
- echo -n "${host} "
- done
- echo
- fi
- # =================================================
- # ----------------Explicit Denies------------------
- # =================================================
- #Blackholes will not be overridden by hostwise allows
- if [ "$BLACKHOLE" != "" ] ; then
- echo -n "Blackholes: "
- for host in ${BLACKHOLE} ; do
- ${IPTABLES} -t filter -A INPUT -s ${host} -j ${BLACKHOLE_DROP}
- ${IPTABLES} -t filter -A OUTPUT -d ${host} -j ${BLACKHOLE_DROP}
- ${IPTABLES} -t filter -A FORWARD -s ${host} -j ${BLACKHOLE_DROP}
- ${IPTABLES} -t filter -A FORWARD -d ${host} -j ${BLACKHOLE_DROP}
- echo -n "${host} "
- done
- echo
- fi
- if [ "$DENY_ALL" != "" ] ; then
- echo -n "Denying hosts: "
- for rule in ${DENY_ALL} ; do
- echo "$rule" | {
- IFS='<' read shost dhost
- if [ "$dhost" == "" ] ; then
- ${IPTABLES} -t filter -A INPUT -s ${shost} -j ${DROP}
- ${IPTABLES} -t filter -A FORWARD -s ${shost} -j ${DROP}
- else
- ${IPTABLES} -t filter -A INPUT -s ${shost} -d ${dhost} -j ${DROP}
- ${IPTABLES} -t filter -A FORWARD -s ${shost} -d ${dhost} -j ${DROP}
- fi
- }
- echo -n "${rule} "
- done
- echo
- fi
- if [ "$DENY_HOSTWISE_TCP" != "" ] ; then
- echo -n "Hostwise TCP Denies: "
- for rule in ${DENY_HOSTWISE_TCP} ; do
- echo "$rule" | {
- IFS='><' read shost port dhost
- echo "$port" | {
- IFS='-' read fsp lsp
- if [ "$dhost" == "" ] ; then
- if [ "$lsp" != "" ] ; then
- ${IPTABLES} -t filter -A INPUT -p tcp -s ${shost} --dport ${fsp}:${lsp} -j ${DROP}
- ${IPTABLES} -t filter -A FORWARD -p tcp -s ${shost} --dport ${fsp}:${lsp} -j ${DROP}
- else
- ${IPTABLES} -t filter -A INPUT -p tcp -s ${shost} --dport ${port} -j ${DROP}
- ${IPTABLES} -t filter -A FORWARD -p tcp -s ${shost} --dport ${port} -j ${DROP}
- fi
- else
- if [ "$lsp" != "" ] ; then
- ${IPTABLES} -t filter -A INPUT -p tcp -s ${shost} -d ${dhost} --dport ${fsp}:${lsp} -j ${DROP}
- ${IPTABLES} -t filter -A FORWARD -p tcp -s ${shost} -d ${dhost} --dport ${fsp}:${lsp} -j ${DROP}
- else
- ${IPTABLES} -t filter -A INPUT -p tcp -s ${shost} -d ${dhost} --dport ${port} -j ${DROP}
- ${IPTABLES} -t filter -A FORWARD -p tcp -s ${shost} -d ${dhost} --dport ${port} -j ${DROP}
- fi
- fi
- echo -n "${rule} "
- }
- }
- done
- echo
- fi
- if [ "$DENY_HOSTWISE_UDP" != "" ] ; then
- echo -n "Hostwise UDP Denies: "
- for rule in ${DENY_HOSTWISE_UDP} ; do
- echo "$rule" | {
- IFS='><' read shost port dhost
- echo "$port" | {
- IFS='-' read fsp lsp
- if [ "$dhost" == "" ] ; then
- if [ "$lsp" != "" ] ; then
- ${IPTABLES} -t filter -A INPUT -p udp -s ${shost} --dport ${fsp}:${lsp} -j ${DROP}
- ${IPTABLES} -t filter -A FORWARD -p udp -s ${shost} --dport ${fsp}:${lsp} -j ${DROP}
- else
- ${IPTABLES} -t filter -A INPUT -p udp -s ${shost} --dport ${port} -j ${DROP}
- ${IPTABLES} -t filter -A FORWARD -p udp -s ${shost} --dport ${port} -j ${DROP}
- fi
- else
- if [ "$lsp" != "" ] ; then
- ${IPTABLES} -t filter -A INPUT -p udp -s ${shost} -d ${dhost} --dport ${fsp}:${lsp} -j ${DROP}
- ${IPTABLES} -t filter -A FORWARD -p udp -s ${shost} -d ${dhost} --dport ${fsp}:${lsp} -j ${DROP}
- else
- ${IPTABLES} -t filter -A INPUT -p udp -s ${shost} -d ${dhost} --dport ${port} -j ${DROP}
- ${IPTABLES} -t filter -A FORWARD -p udp -s ${shost} -d ${dhost} --dport ${port} -j ${DROP}
- fi
- fi
- echo -n "${rule} "
- }
- }
- done
- echo
- fi
- #Invalid packets are always annoying
- echo -n "${DROP}ing invalid packets..."
- ${IPTABLES} -t filter -A INETIN -m state --state INVALID -j ${DROP}
- echo "done"
- # ------------------------------------------------------------------------
- # Internet jumps to INET chains and DMZ
- # Set up INET chains
- echo -n "Setting up INET chains: "
- for inetdev in ${INET_IFACE} ; do
- ${IPTABLES} -t filter -A INPUT -i $inetdev -j INETIN
- for landev in ${LAN_IFACE} ; do
- ${IPTABLES} -t filter -A FORWARD -i $inetdev -o $landev -j INETIN
- done
- echo -n "INETIN "
- ${IPTABLES} -t filter -A OUTPUT -o $inetdev -j INETOUT
- for landev in ${LAN_IFACE} ; do
- ${IPTABLES} -t filter -A FORWARD -o $inetdev -i $landev -j INETOUT
- done
- echo -n "INETOUT "
- echo
- done
- if [ "$BRAINDEAD_ISP" = "TRUE" ] ; then
- ${IPTABLES} -t filter -A INETOUT -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
- fi
- # For now we'll subject the DMZ to the same rules as the internet when going onto the trusted LAN
- # And we'll let it go anywhere on the internet
- if [ "$DMZ_IFACE" != "" ] ; then
- echo -n "Setting up DMZ Chains: "
- ${IPTABLES} -A OUTPUT -o ${DMZ_IFACE} -j DMZOUT
- ${IPTABLES} -A FORWARD -i ${LAN_IFACE} -o ${DMZ_IFACE} -j DMZOUT
- ${IPTABLES} -A FORWARD -i ${INET_IFACE} -o ${DMZ_IFACE} -j ACCEPT
- echo -n "DMZOUT "
- echo -n "DMZ for Internet Forwarding to INETOUT..."
- ${IPTABLES} -A DMZOUT -j INETOUT
- ${IPTABLES} -A INPUT -i ${DMZ_IFACE} -j DMZIN
- echo -n "DMZIN "
- echo
- echo -n "DMZ for LAN and localhost Forwarding to INETIN..."
- ${IPTABLES} -A FORWARD -i ${DMZ_IFACE} -o ${LAN_IFACE} -j DMZOUT
- ${IPTABLES} -A FORWARD -i ${DMZ_IFACE} -o ${INET_IFACE} -j ACCEPT
- ${IPTABLES} -A DMZOUT -o ${LAN_IFACE} -j INETIN
- echo "done"
- echo -n "done"
- fi
- # ------------------------------------------------------------------------
- # Local traffic to internet or crossing subnets
- # This should cover what we need if we don't use masquerading
- # Unfortunately, MAC address matching isn't bidirectional (for
- # obvious reasons), so IP based matching is done here
- echo -n "Local Traffic Rules: "
- if [ "$INTERNAL_LAN" != "" ] ; then
- for subnet in ${INTERNAL_LAN} ; do
- ${IPTABLES} -t filter -A INPUT -s ${subnet} -j ACCEPT
- ${IPTABLES} -t filter -A FORWARD -s ${subnet} -o ${INET_IFACE} -i ${INET_IFACE} -j ACCEPT
- echo -n "${subnet}:ACCEPT "
- done
- fi
- # 127.0.0.0/8 used to need an entry in INTERNAL_LAN, but routing of that isn't needed
- # so an allow is placed on INPUT so that the computer can talk to itself :)
- ${IPTABLES} -t filter -A INPUT -i ${LOOP_IFACE} -j ACCEPT
- echo -n "loopback:ACCEPT "
- # DHCP server magic
- # Allow broadcasts from LAN to UDP port 67 (DHCP server)
- if [ "$DHCP_SERVER" = "TRUE" ] ; then
- for dev in ${LAN_IFACE} ; do
- ${IPTABLES} -t filter -A INPUT -i $dev -p udp --dport 67 -j ACCEPT
- done
- echo -n "dhcp:ACCEPT"
- fi
- echo #newline from local traffic rules
- if [ "$PROXY" != "" ] ; then
- echo -n "Setting up Transparent Proxy to ${PROXY}: "
- for subnet in ${INTERNAL_LAN} ; do
- echo "$PROXY" | {
- IFS=':' read host port
- if [ "$host" = "localhost" ] || [ "$host" = "127.0.0.1" ] ; then
- ${IPTABLES} -t nat -A PREROUTING -s ${subnet} -p tcp --dport 80 -j REDIRECT --to-port ${port}
- echo -n "${subnet}:PROXY "
- else
- ${IPTABLES} -t nat -A PREROUTING -s ! ${host} -p tcp --dport 80 -j DNAT --to-destination ${host}:${port}
- ${IPTABLES} -t nat -A POSTROUTING -s ${subnet} -d ${host} -j SNAT --to-source ${MY_IP} #Destination changed in PREROUTING
- echo -n "${subnet}:PROXY "
- fi
- }
- done
- echo
- fi
- if [ "$ALLOW_OUT_TCP" != "" ] ; then
- echo -n "Internet censorship TCP allows: "
- for rule in ${ALLOW_OUT_TCP} ; do
- echo "$rule" | {
- IFS=':' read intip destip dport
- ${IPTABLES} -t filter -A FORWARD -s ${intip} -d ${destip} -p tcp --dport ${dport} -o ${INET_IFACE} -j ACCEPT
- echo -n "${intip}:${destip} "
- }
- done
- echo
- fi
- # Set up basic NAT if the user wants it
- if [ "$MASQ_LAN" != "" ] ; then
- echo -n "Setting up masquerading: "
- if [ "$MAC_MASQ" = "" ] ; then
- for subnet in ${MASQ_LAN} ; do
- ${IPTABLES} -t nat -A POSTROUTING -s ${subnet} -o ${INET_IFACE} -j MASQUERADE
- echo -n "${subnet}:MASQUERADE "
- done
- else
- for address in ${MAC_MASQ} ; do
- ${IPTABLES} -t nat -A POSTROUTING -m mac --mac-source ${address} -o ${INET_IFACE} -j MASQUERADE
- echo -n "${address}:MASQUERADE "
- done
- fi
- echo
- fi
- if [ "$SNAT_LAN" != "" ] ; then #Static NAT used
- echo -n "Setting up static NAT: "
- if [ "$MAC_SNAT" = "" ] ; then
- for rule in ${SNAT_LAN} ; do
- echo "$rule" | {
- IFS=':' read host destip
- ${IPTABLES} -t nat -A POSTROUTING -s ${host} -o ${INET_IFACE} -j SNAT --to-source ${destip}
- echo -n "${host}:SNAT "
- }
- done
- else
- for rule in ${MAC_SNAT} ; do
- echo "$rule" | {
- IFS=':' read address destip
- ${IPTABLES} -t nat -A POSTROUTING -m mac --mac-source ${address} -o ${INET_IFACE} -j SNAT --to-source ${destip}
- echo -n "${address}:SNAT "
- }
- done
- fi
- echo
- fi
- #TCP Port-Forwards
- if [ "$TCP_FW" != "" ] ; then
- echo -n "TCP Port Forwards: "
- for rule in ${TCP_FW} ; do
- echo "$rule" | {
- IFS=':><' read srcport destport host shost
- echo "$srcport" | {
- IFS='-' read fsp lsp
- if [ "$shost" = "" ] ; then
- if [ "$lsp" != "" ] ; then
- echo "$destport" | {
- IFS='-' read fdp ldp
- ${IPTABLES} -t nat -A PREROUTING -i ${INET_IFACE} -p tcp --dport ${fsp}:${lsp} -j DNAT --to-destination ${host}:${destport}
- }
- else
- ${IPTABLES} -t nat -A PREROUTING -i ${INET_IFACE} -p tcp --dport ${srcport} -j DNAT --to-destination ${host}:${destport}
- fi
- else
- if [ "$lsp" != "" ] ; then
- echo "$destport" | {
- IFS='-' read fdp ldp
- ${IPTABLES} -t nat -A PREROUTING -p tcp -d ${shost} --dport ${fsp}:${lsp} -j DNAT --to-destination ${host}:${destport}
- }
- else
- ${IPTABLES} -t nat -A PREROUTING -p tcp -d ${shost} --dport ${srcport} -j DNAT --to-destination ${host}:${destport}
- fi
- fi
- echo -n "${rule} "
- }
- }
- done
- echo
- fi
- #UDP Port Forwards
- if [ "$UDP_FW" != "" ] ; then
- echo -n "UDP Port Forwards: "
- for rule in ${UDP_FW} ; do
- echo "$rule" | {
- IFS=':><' read srcport destport host shost
- echo "$srcport" | {
- IFS='-' read fsp lsp
- if [ "$shost" = "" ] ; then
- if [ "$lsp" != "" ] ; then
- echo "$destport" | {
- IFS='-' read fdp ldp
- ${IPTABLES} -t nat -A PREROUTING -i ${INET_IFACE} -p udp --dport ${fsp}:${lsp} -j DNAT --to-destination ${host}:${destport}
- }
- else
- ${IPTABLES} -t nat -A PREROUTING -i ${INET_IFACE} -p udp --dport ${srcport} -j DNAT --to-destination ${host}:${destport}
- fi
- else
- if [ "$lsp" != "" ] ; then
- echo "$destport" | {
- IFS='-' read fdp ldp
- ${IPTABLES} -t nat -A PREROUTING -p udp -d ${shost} --dport ${fsp}:${lsp} -j DNAT --to-destination ${host}:${destport}
- }
- else
- ${IPTABLES} -t nat -A PREROUTING -p udp -d ${shost} --dport ${srcport} -j DNAT --to-destination ${host}:${destport}
- fi
- fi
- echo -n "${rule} "
- }
- }
- done
- echo
- fi
- # =================================================
- # -------------------ICMP rules--------------------
- # =================================================
- if [ "$BAD_ICMP" != "" ] ; then
- echo -n "${DROP}ing ICMP messages specified in BAD_ICMP..."
- for message in ${BAD_ICMP} ; do
- ${IPTABLES} -t filter -A INETIN -p icmp --icmp-type ${message} -j ${DROP}
- echo -n "${message} "
- done
- echo
- fi
- # Flood "security"
- # You'll still respond to these if they comply with the limits (set in config)
- # There is a more elegant way to set this using sysctl, however this has the
- # advantage that the kernel ICMP stack never has to process it, lessening
- # the chance of a very serious flood overloading your kernel.
- # This is just a packet limit, you still get the packets on the interface and
- # still may experience lag if the flood is heavy enough
- echo -n "Flood limiting: "
- # Ping Floods (ICMP echo-request)
- ${IPTABLES} -t filter -A INETIN -p icmp --icmp-type echo-request -m limit --limit ${PING_FLOOD} -j ACCEPT
- ${IPTABLES} -t filter -A INETIN -p icmp --icmp-type echo-request -j ${DROP}
- echo -n "ICMP-PING "
- echo
- echo -n "Allowing the rest of the ICMP messages in..."
- ${IPTABLES} -t filter -A INETIN -p icmp --icmp-type echo-request -j ACCEPT
- echo "done"
- # ================================================================
- # ------------Allow stuff we have chosen to allow in--------------
- # ================================================================
- # Hostwise allows
- if [ "$ALLOW_HOSTWISE_TCP" != "" ] ; then
- echo -n "Hostwise TCP Allows: "
- for rule in ${ALLOW_HOSTWISE_TCP} ; do
- echo "$rule" | {
- IFS='><' read shost port dhost
- echo "$port" | {
- IFS='-' read fsp lsp
- if [ "$dhost" == "" ] ; then
- if [ "$lsp" != "" ] ; then
- ${IPTABLES} -t filter -A INETIN -p tcp -s ${shost} --dport ${fsp}:${lsp} -j TCPACCEPT
- else
- ${IPTABLES} -t filter -A INETIN -p tcp -s ${shost} --dport ${port} -j TCPACCEPT
- fi
- else
- if [ "$lsp" != "" ] ; then
- ${IPTABLES} -t filter -A INETIN -p tcp -s ${shost} -d ${dhost} --dport ${fsp}:${lsp} -j TCPACCEPT
- else
- ${IPTABLES} -t filter -A INETIN -p tcp -s ${shost} -d ${dhost} --dport ${port} -j TCPACCEPT
- fi
- fi
- echo -n "${rule} "
- }
- }
- done
- echo
- fi
- if [ "$ALLOW_HOSTWISE_UDP" != "" ] ; then
- echo -n "Hostwise UDP Allows: "
- for rule in ${ALLOW_HOSTWISE_UDP} ; do
- echo "$rule" | {
- IFS='><' read shost port dhost
- echo "$port" | {
- IFS='-' read fsp lsp
- if [ "$dhost" == "" ] ; then
- if [ "$lsp" != "" ] ; then
- ${IPTABLES} -t filter -A INETIN -p udp -s ${shost} --dport ${fsp}:${lsp} -j UDPACCEPT
- else
- ${IPTABLES} -t filter -A INETIN -p udp -s ${shost} --dport ${port} -j UDPACCEPT
- fi
- else
- if [ "$lsp" != "" ] ; then
- ${IPTABLES} -t filter -A INETIN -p udp -s ${shost} -d ${dhost} --dport ${fsp}:${lsp} -j UDPACCEPT
- else
- ${IPTABLES} -t filter -A INETIN -p udp -s ${shost} -d ${dhost} --dport ${port} -j UDPACCEPT
- fi
- fi
- echo -n "${rule} "
- }
- }
- done
- echo
- fi
- if [ "$ALLOW_HOSTWISE_PROTO" != "" ] ; then
- echo -n "Hostwise IP Protocol Allows: "
- for rule in ${ALLOW_HOSTWISE_PROTO} ; do
- echo "$rule" | {
- IFS='><' read shost proto dhost
- if [ "$dhost" == "" ] ; then
- ${IPTABLES} -t filter -A INETIN -p ${proto} -s ${shost} -j ACCEPT
- else
- ${IPTABLES} -t filter -A INETIN -p ${proto} -s ${shost} -d ${dhost} -j ACCEPT
- fi
- echo -n "${rule} "
- }
- done
- echo
- fi
- echo -n "Allowing established outbound connections back in..."
- ${IPTABLES} -t filter -A INETIN -m state --state ESTABLISHED -j ACCEPT
- echo "done"
- # RELATED on high ports only for security
- echo -n "Allowing related inbound connections..."
- ${IPTABLES} -t filter -A INETIN -p tcp --dport 1024:65535 -m state --state RELATED -j TCPACCEPT
- ${IPTABLES} -t filter -A INETIN -p udp --dport 1024:65535 -m state --state RELATED -j UDPACCEPT
- echo "done"
- # =================================================
- # ----------------Packet Mangling------------------
- # =================================================
- # TTL mangling
- # This is probably just for the paranoid, but hey, isn't that what
- # all security guys are? :)
- if [ "$TTL_SAFE" != "" ] ; then
- ${IPTABLES} -t mangle -A PREROUTING -i ${INET_IFACE} -j TTL --ttl-set ${TTL_SAFE}
- fi
- # Type of Service mangle optimizations (the ACTIVE FTP one will only work for uploads)
- # Most routers tend to ignore these, it's probably better to use
- # QoS. A packet scheduler like HTB is much more efficient
- # at assuring bandwidth availability at the local end than
- # ToS is.
- if [ "$MANGLE_TOS_OPTIMIZE" = "TRUE" ] ; then
- echo -n "Optimizing traffic: "
- ${IPTABLES} -t mangle -A OUTPUT -p tcp --dport 23 -j TOS --set-tos Minimize-Delay
- echo -n "telnet "
- ${IPTABLES} -t mangle -A OUTPUT -p tcp --dport 22 -j TOS --set-tos Minimize-Delay
- echo -n "ssh "
- ${IPTABLES} -t mangle -A OUTPUT -p tcp --dport 20 -j TOS --set-tos Minimize-Cost
- echo -n "ftp-data "
- ${IPTABLES} -t mangle -A OUTPUT -p tcp --dport 21 -j TOS --set-tos Minimize-Delay
- echo -n "ftp-control "
- ${IPTABLES} -t mangle -A OUTPUT -p udp --dport 4000:7000 -j TOS --set-tos Minimize-Delay
- echo -n "diablo2 "
- echo
- fi
- # What to do on those INET chains when we hit the end
- echo -n "Setting up INET policies: "
- # Drop if we cant find a valid inbound rule.
- ${IPTABLES} -t filter -A INETIN -j ${DROP}
- echo -n "INETIN:${DROP} "
- # We can send what we want to the internet
- ${IPTABLES} -t filter -A INETOUT -j ACCEPT
- echo -n "INETOUT:ACCEPT "
- echo
- # All done!
- echo -e "\033[44;32;1m Done Loading Firewall !\033[0m"
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement