Pastebin launched a little side project called VERYVIRAL.com, check it out ;-) Want more features on Pastebin? Sign Up, it's FREE!
Guest

Firewall_rules

By: a guest on Mar 6th, 2013  |  syntax: Bash  |  size: 4.75 KB  |  views: 69  |  expires: Never
download  |  raw  |  embed  |  report abuse  |  print
Text below is selected. Please press Ctrl+C to copy to your clipboard. (⌘+C on Mac)
  1. #!/bin/bash
  2. #
  3. # This file contains the Firewall rules
  4. # and the functions to be called by the init script.
  5. # DO NOT RUN THIS FILE DIRECTLY
  6. #
  7. ########################
  8. ###                                      ###
  9. ### GLOBAL VARIABLES ###
  10. ###                                      ###
  11. ########################
  12. #
  13. DEFAULT_POLICY='ACCEPT'
  14. GATEWAYINT='eth0'
  15. LOG_FILE='/var/log/firewall/firewall.log'
  16. DEFAULT_CHAINS='INPUT OUTPUT FORWARD'
  17. CUSTOM_CHAINS='WORKSTATIONS WINSERVERS DMZNETWORK DEVNETWORK'
  18. #
  19. #########################
  20. ###                                       ###
  21. ### NETWORK VARIABLES ###
  22. ###                                       ###
  23. #########################
  24. #
  25. ### WORKSTATIONS ###
  26. #
  27. WSINTERFACE='eth1'
  28. WSNETWORK='10.123.0.0/18'
  29. WSMERCHANDISE='10.123.1.0/24'
  30. WSCOMPLIANCE='10.123.2.0/24'
  31. WSCUSTSUPPORT='10.123.3.0/24'
  32. WSDEVDESIGN='10.123.4.0/24'
  33. WSFULFILLMENT='10.123.5.0/24'
  34. WSIT='10.123.6.0/24'
  35. WSBIZDEV='10.123.7.0/24'
  36. WSLEGAL_HR_PR='10.123.9.0/24'
  37. WSMARKETING='10.123.11.0/24'
  38. WSACCOUNTING='10.123.12.0/24'
  39. #
  40. ### WINSERVERS ###
  41. #
  42. WININTERFACE='eth2'
  43. WINNETWORK='10.123.64.0/18'
  44. VPN_AUTH='10.123.70.0/24'
  45. VPN_GENERAL='10.123.71.0/24'
  46. #
  47. ### DMZNETWORK ###
  48. #
  49. DMZINTERFACE='eth3'
  50. DMZNETWORK='10.123.128.0/18'
  51. #
  52. ### DEVNETWORK ###
  53. #
  54. DEVINTERFACE='eth4'
  55. DEVNETWORK='10.123.192.0/18'
  56. ICINGA='10.123.203.2'
  57. CACTI='10.123.203.4'
  58. #
  59. ### ATLNETWORK ###
  60. #
  61. ATLNETWORK='10.13.0.0/16'
  62. ATLNETWORK_VPN='10.14.0.0/24'
  63. #
  64. ######################
  65. ###                                ###
  66. ### IPTABLES RULES ###
  67. ###                                ###
  68. ######################
  69. #
  70. ### INITIALIZE ALL CHAINS ###
  71. #
  72. all() {
  73. input
  74. output
  75. forward
  76. workstations
  77. winservers
  78. devnetwork
  79. dmznetwork
  80. }
  81. #
  82. ### INPUT CHAIN ###
  83. #
  84. input() {
  85. iptables -A INPUT -p all -i lo -j ACCEPT -m comment --comment "ALLOW LOCALHOST"
  86. iptables -A INPUT -p all -m state --state ESTABLISHED,RELATED -j ACCEPT -m comment --comment "ALLOW ESTABLISHED and RELATED"
  87. iptables -A INPUT -p tcp -s $WSIT --dport 22 -m state --state NEW -j ACCEPT -m comment --comment "ALLOW IT to SSH"
  88. iptables -A INPUT -p all -j LOG --log-level warning --log-prefix "INPUT: "
  89. iptables -A INPUT -p all -j $DEFAULT_POLICY
  90. }
  91. #
  92. ### OUTPUT CHAIN ###
  93. #
  94. ouput() {
  95. iptables -A OUTPUT -p all -j LOG --log-level warning --log-prefix "OUTPUT: "
  96. iptables -A OUTPUT -p all -j $DEFAULT_POLICY
  97. }
  98. #
  99. ### FORWARD CHAIN ###
  100. #
  101. forward() {
  102. iptables -A FORWARD -p all -m state --state ESTABLISHED,RELATED -j ACCEPT -m comment --comment "ALLOW ESTABLISHED and RELATED"
  103. iptables -A FORWARD -o $WSINTERFACE -j WORKSTATIONS -m comment --comment "Forward TO:WORKSTATIONS"
  104. iptables -A FORWARD -o $WININTERFACE -j WINSERVERS -m comment --comment "Forward TO:WINSERVERS"
  105. iptables -A FORWARD -o $DMZINTERFACE -j DMZNETWORK -m comment --comment "Forward TO:DMZNETWORK"
  106. iptables -A FORWARD -o $DEVINTERFACE -j DEVNETWORK -m comment --comment "Forward TO:DEVNETOWRK"
  107. iptables -A forward -p all -j LOG --log-level warning --log-prefix "FORWARD: "
  108. iptables -A FORWARD -p all -j $DEFAULT_POLICY
  109. }
  110. #
  111. ### WORKSTAIONS CHAIN ###
  112. #
  113. workstations() {
  114. iptables -N WORKSTATIONS
  115.  
  116. iptables -A WORKSTATIONS -p all -j LOG --log-level warning --log-prefix "WORKSTATIONS: "
  117. iptables -A WORKSTATIONS -p all -j $DEFAULT_POLICY
  118. }
  119. #
  120. ### WINSERVERS CHAIN ###
  121. #
  122. winservers() {
  123. iptables -N WINSERVERS
  124.  
  125. iptables -A WINSERVERS -p all -j LOG --log-level warning --log-prefix "WINSERVERS: "
  126. iptables -A WINSERVERS -p all -j $DEFAULT_POLICY
  127. }
  128. #
  129. ### DEVNETWORK CHAIN ###
  130. #
  131. devnetwork() {
  132. iptables -N DEVNETWORK
  133.  
  134. iptables -A DEVNETWORK -p icmp -m state --state NEW -j ACCEPT -m comment --comment "ALLOW ICMP"
  135. iptables -A DEVNETWORK -p all -s $ATLNETWORK -m state --state NEW -j ACCEPT -m comment --comment "ALLOW ATLNETWORK"
  136. iptables -A DEVNETWORK -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT -m comment --comment "ALLOW HTTP/HTTPS"
  137. iptables -A DEVNETWORK -p udp -m multiport --dports 53 -m state --state NEW -j ACCEPT -m comment --comment "ALLOW DNS"
  138. iptables -A DEVNETWORK -p all -j LOG --log-level warning --log-prefix "DEVNETWORK: "
  139. iptables -A DEVNETWORK -p all -j $DEFAULT_POLICY
  140. }
  141. #
  142. ### DMZNETWORK CHAIN ###
  143. #
  144. dmznetwork() {
  145. iptables -N DMZNETWORK
  146. iptables -A DMZNETWORK -p all -s $ICINGA -m  state --state NEW -j ACCEPT -m comment --comment "ALLOW ICINGA"
  147. iptables -A DMZNETWORK -p all -s $CACTI -m  state --state NEW -j ACCEPT -m comment --comment "ALLOW CACTI"
  148. iptables -A DMZNETWORK -p all -j LOG --log-level warning --log-prefix "DMZNETWORK: "
  149. iptables -A DMZNETWORK -p all -j $DEFAULT_POLICY
  150. }
  151. #
  152. ### Main Logic ###
  153. #
  154. case "$1" in
  155.         all)
  156.         all
  157.         ;;
  158.         input)
  159.         input
  160.         ;;
  161.     output)
  162.         output
  163.         ;;
  164.         forward)
  165.         forward
  166.         ;;
  167.         workstations)
  168.         workstations
  169.         ;;
  170.         winservers)
  171.         winservers
  172.         ;;
  173.         devnetwork)
  174.         devnetwork
  175.         ;;
  176.         dmznetwork)
  177.         dmznetwork
  178.         ;;
  179.         *)
  180.                 echo
  181.                 ;;
  182. esac
  183. exit 0