  1. #!/bin/bash
  2. #
  3. # This file contains the Firewall rules
  4. # and the functions to be called by the init script.
  5. # DO NOT RUN THIS FILE DIRECTLY
  6. #
  7. ########################
  8. ###                  ###
  9. ### GLOBAL VARIABLES ###
  10. ###                  ###
  11. ########################
  12. #
  13. DEFAULT_POLICY='ACCEPT'
  14. GATEWAYINT='eth0'
  15. LOG_FILE='/var/log/firewall/firewall.log'
  16. DEFAULT_CHAINS='INPUT OUTPUT FORWARD'
  17. CUSTOM_CHAINS='WORKSTATIONS WINSERVERS DMZNETWORK DEVNETWORK'
  18. #
  19. #########################
  20. ###                   ###
  21. ### NETWORK VARIABLES ###
  22. ###                   ###
  23. #########################
  24. #
  25. ### WORKSTATIONS ###
  26. #
  27. WSINTERFACE='eth1'
  28. WSNETWORK='10.123.0.0/18'
  29. WSMERCHANDISE='10.123.1.0/24'
  30. WSCOMPLIANCE='10.123.2.0/24'
  31. WSCUSTSUPPORT='10.123.3.0/24'
  32. WSDEVDESIGN='10.123.4.0/24'
  33. WSFULFILLMENT='10.123.5.0/24'
  34. WSIT='10.123.6.0/24'
  35. WSBIZDEV='10.123.7.0/24'
  36. WSLEGAL_HR_PR='10.123.9.0/24'
  37. WSMARKETING='10.123.11.0/24'
  38. WSACCOUNTING='10.123.12.0/24'
  39. #
  40. ### WINSERVERS ###
  41. #
  42. WININTERFACE='eth2'
  43. WINNETWORK='10.123.64.0/18'
  44. VPN_AUTH='10.123.70.0/24'
  45. VPN_GENERAL='10.123.71.0/24'
  46. #
  47. ### DMZNETWORK ###
  48. #
  49. DMZINTERFACE='eth3'
  50. DMZNETWORK='10.123.128.0/18'
  51. #
  52. ### DEVNETWORK ###
  53. #
  54. DEVINTERFACE='eth4'
  55. DEVNETWORK='10.123.192.0/18'
  56. ICINGA='10.123.203.2'
  57. CACTI='10.123.203.4'
  58. #
  59. ### ATLNETWORK ###
  60. #
  61. ATLNETWORK='10.13.0.0/16'
  62. ATLNETWORK_VPN='10.14.0.0/24'
  63. #
  64. ######################
  65. ###                ###
  66. ### IPTABLES RULES ###
  67. ###                ###
  68. ######################
  69. #
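### INITIALIZE ALL CHAINS ###
#
# Load the complete rule set: create and fill the four user chains, then fill
# the built-in chains.
#
# The user chains MUST exist before forward() runs: forward() appends
# `-j WORKSTATIONS` etc. to FORWARD, and iptables rejects a jump to a chain
# that does not exist yet ("No chain/target/match by that name"). The previous
# order (built-in chains first) therefore left FORWARD without any of its
# dispatch rules. Re-running this on a populated table appends duplicates;
# the init script is assumed to flush first -- verify.
all() {
    workstations
    winservers
    devnetwork
    dmznetwork
    input
    output
    forward
}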
  81. #
### INPUT CHAIN ###
#
# Rules for traffic addressed to the firewall host itself.
# Reads: WSIT, DEFAULT_POLICY.
#
# Note that with DEFAULT_POLICY=ACCEPT the allow rules below only exempt their
# traffic from the LOG rule; nothing reaching this chain is refused. The SSH
# rule matches on source address only (no -i), so it relies on anti-spoofing
# happening elsewhere. The LOG rule has no `-m limit`, so a remote sender can
# flood the kernel log.
input() {
    local chain='INPUT'
    local -a established=(-m state --state ESTABLISHED,RELATED)

    # Loopback traffic is never logged or filtered.
    iptables -A "$chain" -p all -i lo -j ACCEPT -m comment --comment "ALLOW LOCALHOST"
    # Replies to connections this host opened.
    iptables -A "$chain" -p all "${established[@]}" -j ACCEPT -m comment --comment "ALLOW ESTABLISHED and RELATED"
    # Management SSH from the IT workstation subnet only.
    iptables -A "$chain" -p tcp -s "$WSIT" --dport 22 -m state --state NEW -j ACCEPT -m comment --comment "ALLOW IT to SSH"
    # Everything else is logged, then handed to the configured default.
    iptables -A "$chain" -p all -j LOG --log-level warning --log-prefix "${chain}: "
    iptables -A "$chain" -p all -j "$DEFAULT_POLICY"
}
  91. #
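### OUTPUT CHAIN ###
#
# Rules for traffic originating from the firewall host: log it, then apply
# the default. Reads: DEFAULT_POLICY.
#
# Was defined as `ouput()` (typo), so both all() and the `output)` dispatcher
# case hit "command not found" and the OUTPUT chain was never populated.
# There is no ESTABLISHED,RELATED or loopback exemption here; with a DROP
# default every outbound packet from the host would be logged and dropped,
# so add those before tightening DEFAULT_POLICY.
output() {
    local chain='OUTPUT'
    iptables -A "$chain" -p all -j LOG --log-level warning --log-prefix "OUTPUT: "
    iptables -A "$chain" -p all -j "$DEFAULT_POLICY"
}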
  98. #
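### FORWARD CHAIN ###
#
# Rules for routed traffic. Dispatches on the *egress* interface, i.e. the
# segment a packet is heading into, to the per-segment user chain; anything
# not leaving via one of the four internal interfaces (e.g. out via the
# gateway interface) skips the user chains and goes straight to LOG/default.
# Reads: WSINTERFACE, WININTERFACE, DMZINTERFACE, DEVINTERFACE, DEFAULT_POLICY.
#
# The four `-j <CHAIN>` rules fail unless those chains already exist, so the
# workstations/winservers/dmznetwork/devnetwork functions must run first.
forward() {
    local chain='FORWARD'

    # Return traffic for flows already accepted in either direction.
    iptables -A "$chain" -p all -m state --state ESTABLISHED,RELATED -j ACCEPT -m comment --comment "ALLOW ESTABLISHED and RELATED"
    iptables -A "$chain" -o "$WSINTERFACE"  -j WORKSTATIONS -m comment --comment "Forward TO:WORKSTATIONS"
    iptables -A "$chain" -o "$WININTERFACE" -j WINSERVERS   -m comment --comment "Forward TO:WINSERVERS"
    iptables -A "$chain" -o "$DMZINTERFACE" -j DMZNETWORK   -m comment --comment "Forward TO:DMZNETWORK"
    iptables -A "$chain" -o "$DEVINTERFACE" -j DEVNETWORK   -m comment --comment "Forward TO:DEVNETOWRK"
    # Was `-A forward`: chain names are case-sensitive, so iptables rejected the
    # original LOG rule and forwarded traffic reaching this point was never logged.
    # No `-m limit` here either, so this can flood the kernel log.
    iptables -A "$chain" -p all -j LOG --log-level warning --log-prefix "FORWARD: "
    iptables -A "$chain" -p all -j "$DEFAULT_POLICY"
}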
  110. #
### WORKSTATIONS CHAIN ###
#
# Create the WORKSTATIONS user chain (traffic routed into the workstation
# segment). There are no per-host rules yet: everything is logged and then
# handed to the default. Reads: DEFAULT_POLICY.
# `iptables -N` fails if the chain already exists (e.g. a reload without a
# flush); the appends still go through, duplicating the rules.
workstations() {
    local chain='WORKSTATIONS'
    iptables -N "$chain"

    iptables -A "$chain" -p all -j LOG --log-level warning --log-prefix "${chain}: "
    iptables -A "$chain" -p all -j "$DEFAULT_POLICY"
}
  119. #
### WINSERVERS CHAIN ###
#
# Create the WINSERVERS user chain (traffic routed into the Windows server
# segment). No allow rules have been written yet, so this chain only logs and
# applies the default. Reads: DEFAULT_POLICY.
winservers() {
    local chain='WINSERVERS'
    local log_prefix="${chain}: "

    iptables -N "$chain"
    iptables -A "$chain" -p all -j LOG --log-level warning --log-prefix "$log_prefix"
    iptables -A "$chain" -p all -j "$DEFAULT_POLICY"
}
  128. #
### DEVNETWORK CHAIN ###
#
# Create the DEVNETWORK user chain (traffic routed into the dev segment).
# Reads: ATLNETWORK, DEFAULT_POLICY.
#
# What is explicitly allowed in: any ICMP, anything at all from the remote
# ATLNETWORK site (matched on source address only), and new TCP 80/443 and
# UDP 53 connections from *any* source -- there is no -s on those two rules,
# so the dev web/DNS services are reachable from every segment. Everything
# else is logged and handed to the default.
devnetwork() {
    local chain='DEVNETWORK'
    local -a new_conn=(-m state --state NEW)

    iptables -N "$chain"
    iptables -A "$chain" -p icmp "${new_conn[@]}" -j ACCEPT -m comment --comment "ALLOW ICMP"
    iptables -A "$chain" -p all -s "$ATLNETWORK" "${new_conn[@]}" -j ACCEPT -m comment --comment "ALLOW ATLNETWORK"
    iptables -A "$chain" -p tcp -m multiport --dports 80,443 "${new_conn[@]}" -j ACCEPT -m comment --comment "ALLOW HTTP/HTTPS"
    iptables -A "$chain" -p udp -m multiport --dports 53 "${new_conn[@]}" -j ACCEPT -m comment --comment "ALLOW DNS"
    iptables -A "$chain" -p all -j LOG --log-level warning --log-prefix "${chain}: "
    iptables -A "$chain" -p all -j "$DEFAULT_POLICY"
}
  141. #
### DMZNETWORK CHAIN ###
#
# Create the DMZNETWORK user chain (traffic routed into the DMZ).
# Reads: ICINGA, CACTI, DEFAULT_POLICY.
#
# The two monitoring hosts may open connections to anything in the DMZ (all
# protocols, all ports) -- matched on source address only. Everything else is
# logged and handed to the default.
dmznetwork() {
    local chain='DMZNETWORK'
    local -a new_conn=(-m state --state NEW)

    iptables -N "$chain"
    iptables -A "$chain" -p all -s "$ICINGA" "${new_conn[@]}" -j ACCEPT -m comment --comment "ALLOW ICINGA"
    iptables -A "$chain" -p all -s "$CACTI"  "${new_conn[@]}" -j ACCEPT -m comment --comment "ALLOW CACTI"
    iptables -A "$chain" -p all -j LOG --log-level warning --log-prefix "${chain}: "
    iptables -A "$chain" -p all -j "$DEFAULT_POLICY"
}
  151. #
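### Main Logic ###
#
# Dispatch on the single argument supplied by the init script.
#
# Changes from the original dispatcher:
#  - An unknown or missing argument used to print an empty line and exit 0,
#    i.e. a typo in the init script silently "succeeded" with no rules loaded.
#    It now prints a usage line to stderr and exits 1.
#  - The script exited 0 unconditionally. It now exits with the status of the
#    dispatched function, which is that of its last iptables call -- so a run
#    that cannot load rules at all (not root, iptables missing) is reported as
#    a failure instead of a fail-open success.
# NOTE(review): an iptables failure earlier in a function is still masked by
# later successful calls; failing closed reliably needs `set -e` at the top
# of the file or a check on every rule.
# NOTE(review): `exit` terminates the *calling* shell if this file is sourced
# instead of executed. The init script is assumed to execute it with one
# argument -- verify.
case "$1" in
    all)          all ;;
    input)        input ;;
    output)       output ;;
    forward)      forward ;;
    workstations) workstations ;;
    winservers)   winservers ;;
    devnetwork)   devnetwork ;;
    dmznetwork)   dmznetwork ;;
    *)
        printf 'Usage: %s {all|input|output|forward|workstations|winservers|devnetwork|dmznetwork}\n' "${0##*/}" >&2
        exit 1
        ;;
esac
exit "$?"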