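#!/bin/sh
#
# rc.firewall - routing and packet-filter setup for an office router.
#
# Interfaces as configured below:
#   eth0  LAN side; the router has an address in each of two subnets
#         (192.168.1.0/24 and 192.168.2.0/24)
#   eth1  "inet" link with a static address (192.168.100.1)
#   ppp0  PPP uplink with a dynamic address; LAN traffic is NATed through it
#   lo    loopback
#
# Install: rename the script to rc.firewall, give it mode 755 and run it as
# root at boot and after every change to the address lists in $IPLIST_DIR.
#
# Policy summary:
#   - INPUT, OUTPUT and FORWARD default to DROP.
#   - Only LAN hosts listed in the ipset white lists (ip+mac pairs, or plain
#     ips) are forwarded; anything else from the LAN is dropped and logged
#     (rate limited).
#   - Traffic arriving on the uplinks (eth1, ppp0) is accepted only when it
#     belongs to a connection the router or the LAN initiated, plus the ICMP
#     types listed in icmp_packets.  Services that must be reachable from
#     outside are opened explicitly in tcp_packets / udpincoming_packets.
#
set -u

IP=$(command -v ip) || IP=/sbin/ip
IPTABLES=/usr/sbin/iptables
IPSET=/usr/sbin/ipset
# Directory with the white lists (one entry per line, '#' starts a comment).
IPLIST_DIR=/home/scripts/iplist

# ---- Site configuration: adjust the following to your networks ------------
LAN_IFACE=eth0
LAN_IP=192.168.1.22
LAN_IP_RANGE=192.168.1.0/24
# Broadcast addresses are single hosts.  The previous value 192.168.1.255/24
# was the whole /24, which made every rule using it match any address of the
# subnet - on the ppp0 INPUT rule that meant "anything from the Internet to
# the router's LAN address".
LAN_BCAST_ADRESS=192.168.1.255
LAN2_IP=192.168.2.22
LAN2_IP_RANGE=192.168.2.0/24
LAN2_BCAST_ADRESS=192.168.2.255
INET_IFACE=eth1
STATIC_IP=192.168.100.1
LO_IFACE=lo
LOCALHOST_IP=127.0.0.1
PPP0_IFACE=ppp0
#PPP1_IFACE=ppp1
#PPP1_IP=0.0.0.0

# Current address of ppp0 - printed for the operator only.  The rules below
# match on the interface name rather than on this address, so they are
# installed correctly even when ppp0 is not up yet (normal at boot, before
# pppd connects) and keep working after a reconnect changes the address.
# The previous version built SNAT/INPUT/OUTPUT rules from this variable;
# with ppp0 down it was empty and those iptables calls failed, silently
# leaving the uplink rules out.
PPP0_IP=$("$IP" -4 -o addr show dev "$PPP0_IFACE" 2>/dev/null \
          | awk '{print $4}' | cut -d/ -f1)
printf 'rc.firewall: %s address: %s\n' "$PPP0_IFACE" "${PPP0_IP:-(interface down)}"

# ---- Kernel modules ---------------------------------------------------------
# Module names differ between kernel generations (ip_conntrack vs
# nf_conntrack, ipt_LOG vs xt_LOG, ...) and the kernel autoloads most of
# them on first use, so a name that does not exist on this kernel is not an
# error.  Both the legacy and the current names are tried.
for mod in ip_tables iptable_filter iptable_mangle iptable_nat \
           ip_conntrack nf_conntrack ipt_state xt_state xt_conntrack \
           ipt_LOG xt_LOG ipt_limit xt_limit ipt_REJECT xt_REJECT \
           ipt_owner xt_owner ipt_MASQUERADE xt_MASQUERADE \
           xt_tcpudp xt_multiport xt_connlimit xt_set \
           ip_conntrack_ftp nf_conntrack_ftp ip_conntrack_irc nf_conntrack_irc \
           ip_nat_ftp nf_nat_ftp ip_nat_irc nf_nat_irc; do
    /sbin/modprobe -q "$mod" 2>/dev/null
done

# load_set SETNAME FILE
# Adds every entry of FILE to the ipset SETNAME.  '#' starts a comment, blank
# lines are skipped, and a line may hold several whitespace-separated entries
# (as the previous for/cat loop allowed).  Entries are passed to ipset as-is:
# "ip,mac" for the bitmap:ip,mac sets, a plain ip for the hash:ip set.
# Returns 1 when FILE is unreadable; a rejected entry is reported on stderr
# and the remaining entries are still loaded.
load_set() {
    set_name=$1
    list_file=$2
    if [ ! -r "$list_file" ]; then
        printf 'rc.firewall: cannot read %s, set %s stays empty\n' \
            "$list_file" "$set_name" >&2
        return 1
    fi
    while IFS= read -r line || [ -n "$line" ]; do
        # Drop the comment part; the remainder is word-split on purpose.
        for entry in ${line%%#*}; do
            "$IPSET" add "$set_name" "$entry" \
                || printf 'rc.firewall: could not add "%s" to set %s\n' \
                       "$entry" "$set_name" >&2
        done
    done < "$list_file"
    return 0
}

# ---- Reset ------------------------------------------------------------------
# Default-deny first, so there is no window during the rebuild in which the
# chains are empty and an older (possibly ACCEPT) policy applies.
"$IPTABLES" -P INPUT DROP
"$IPTABLES" -P OUTPUT DROP
"$IPTABLES" -P FORWARD DROP

# Flush and delete user chains in every table we touch (the previous version
# left the mangle table alone).
for table in filter nat mangle; do
    "$IPTABLES" -t "$table" -F
    "$IPTABLES" -t "$table" -X
done
# A set can only be destroyed once no rule references it, hence after the
# flush above.
"$IPSET" destroy

# ---- IP sets ----------------------------------------------------------------
# whitelist / whitelistd: LAN hosts identified by ip+mac pair.
# ipwhite:                LAN hosts identified by ip only.
"$IPSET" create whitelist  bitmap:ip,mac range "$LAN_IP_RANGE"
"$IPSET" create whitelistd bitmap:ip,mac range "$LAN_IP_RANGE"
"$IPSET" create ipwhite    hash:ip

load_set whitelist  "$IPLIST_DIR/ipmac.lst"
load_set whitelistd "$IPLIST_DIR/ipmac_dubles.lst"
load_set ipwhite    "$IPLIST_DIR/ip.lst"

# ---- User chains --------------------------------------------------------------
"$IPTABLES" -N bad_tcp_packets
"$IPTABLES" -N allowed
"$IPTABLES" -N icmp_packets
"$IPTABLES" -N tcp_packets
"$IPTABLES" -N udpincoming_packets
"$IPTABLES" -N fw_allow

# bad_tcp_packets: a packet that conntrack sees as NEW but is not a plain SYN.
# SYN/ACK without a tracked connection gets a reset (the peer is probably
# replying to a spoofed SYN); anything else is logged and dropped.
"$IPTABLES" -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK \
    -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset
"$IPTABLES" -A bad_tcp_packets -p tcp ! --syn -m conntrack --ctstate NEW \
    -j LOG --log-prefix "Bad TCP packet: "
"$IPTABLES" -A bad_tcp_packets -p tcp ! --syn -m conntrack --ctstate NEW -j DROP

# allowed: accept a new connection (SYN) and its follow-up packets; used by
# tcp_packets for the ports opened to the outside.
"$IPTABLES" -A allowed -p tcp --syn -j ACCEPT
"$IPTABLES" -A allowed -p tcp -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
"$IPTABLES" -A allowed -p tcp -j DROP

# icmp_packets: echo reply, destination unreachable, redirect, echo request,
# time exceeded.  Everything else returns to the caller and is dropped.
for icmp_type in 0 3 5 8 11; do
    "$IPTABLES" -A icmp_packets -p icmp --icmp-type "$icmp_type" -j ACCEPT
done

# tcp_packets: TCP ports reachable from the uplinks.  None are open; uncomment
# or add lines of this form to publish a service:
#"$IPTABLES" -A tcp_packets -p tcp --dport 21 -j allowed
#"$IPTABLES" -A tcp_packets -p tcp --dport 25 -j allowed
#"$IPTABLES" -A tcp_packets -p tcp --dport 53 -j allowed
#"$IPTABLES" -A tcp_packets -p tcp --dport 80 -j allowed
#"$IPTABLES" -A tcp_packets -p tcp --dport 110 -j allowed
#"$IPTABLES" -A tcp_packets -p tcp --dport 3690 -j allowed

# udpincoming_packets: UDP reachable from the uplinks.  None open; example:
#"$IPTABLES" -A udpincoming_packets -p udp --source-port 53 -j ACCEPT

# fw_allow: per-source connection cap for white-listed LAN hosts, then
# accept.  The cap has to come before the ACCEPT - the previous order put
# the unconditional ACCEPT first, so the connlimit rule was never reached.
"$IPTABLES" -A fw_allow -m connlimit --connlimit-above 15 -j DROP
"$IPTABLES" -A fw_allow -j ACCEPT

# ---- NAT: PREROUTING ---------------------------------------------------------
# No port forwards or transparent-proxy redirects are active.  Examples kept
# from the original configuration:
#"$IPTABLES" -t nat -A PREROUTING -p tcp -s 83.237.192.219 --dport 3389 -j DNAT --to 10.0.0.4
#"$IPTABLES" -t nat -A PREROUTING -p tcp --dport 3389 -j DNAT --to 192.168.1.12
# Redirect LAN web traffic to a local Squid on port 3129:
#"$IPTABLES" -t nat -A PREROUTING -i "$LAN_IFACE" ! -d "$LAN_IP" -m set --match-set whitelist src,src -p tcp -m multiport --dport 80,2080,2082,8080 -j REDIRECT --to-port 3129
#"$IPTABLES" -t nat -A PREROUTING -i "$LAN_IFACE" ! -d "$LAN_IP" -m set --match-set whitelistd src,src -p tcp -m multiport --dport 80,2080,2082,8080 -j REDIRECT --to-port 3129
#"$IPTABLES" -t mangle -A PREROUTING -i "$LAN_IFACE" -p tcp -m multiport --dport 21,25,80,110,443,563,1025,5190,2080,2082,8080,10000 -j TPROXY --on-port 3129

# ---- NAT: POSTROUTING --------------------------------------------------------
# MASQUERADE rather than SNAT: ppp0's address is dynamic, and MASQUERADE
# always uses the interface's current address (SNAT --to-source with a
# stale or empty address broke after a reconnect / when ppp0 was down).
# Only LAN_IP_RANGE is NATed, as in the original; add a second rule if
# LAN2_IP_RANGE hosts need Internet access.
"$IPTABLES" -t nat -A POSTROUTING -o "$PPP0_IFACE" -s "$LAN_IP_RANGE" -j MASQUERADE
# Static uplink variant, unused:
#"$IPTABLES" -t nat -A POSTROUTING -o "$INET_IFACE" -s "$LAN_IP_RANGE" -j SNAT --to-source "$STATIC_IP"

# ---- FORWARD ------------------------------------------------------------------
"$IPTABLES" -A FORWARD -p tcp -j bad_tcp_packets
"$IPTABLES" -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Never forward DHCP between segments (keeps rogue DHCP servers local).
"$IPTABLES" -A FORWARD -p udp -i "$LAN_IFACE" --dport 67 -j DROP
"$IPTABLES" -A FORWARD -p udp -i "$LAN_IFACE" --dport 68 -j DROP
# Only white-listed LAN hosts may open new connections through the router.
"$IPTABLES" -A FORWARD -i "$LAN_IFACE" -m set --match-set whitelist src,src -j fw_allow
"$IPTABLES" -A FORWARD -i "$LAN_IFACE" -m set --match-set whitelistd src,src -j fw_allow
"$IPTABLES" -A FORWARD -i "$LAN_IFACE" -m set --match-set ipwhite src -j fw_allow
# Optional: log LAN hosts that are not white-listed.
#"$IPTABLES" -A FORWARD -i "$LAN_IFACE" -m set ! --match-set whitelist src,src -j LOG --log-level notice --log-prefix "IPT not WHITELIST request: "
#"$IPTABLES" -A FORWARD -i "$LAN_IFACE" -m set ! --match-set ipwhite src -j LOG --log-level notice --log-prefix "IPT not IPWHITE request: "
# New inbound connections from the uplinks are not forwarded (port forwards
# would be DNATed in PREROUTING and accepted here explicitly).
"$IPTABLES" -A FORWARD -m limit --limit 1/hour --limit-burst 5 \
    -j LOG --log-level notice --log-prefix "IPT FORWARD packet died: "

# ---- INPUT --------------------------------------------------------------------
"$IPTABLES" -A INPUT -p tcp -j bad_tcp_packets
# Uplinks: dispatch to the per-protocol chains (which ACCEPT only what is
# explicitly listed there), then replies to connections the router opened.
# Anything else from outside falls through to the DROP policy.  The previous
# version accepted *all* traffic arriving on ppp0 for the router's address,
# exposing every listening service to the Internet.
for uplink in "$INET_IFACE" "$PPP0_IFACE"; do
    "$IPTABLES" -A INPUT -p icmp -i "$uplink" -j icmp_packets
    "$IPTABLES" -A INPUT -p tcp  -i "$uplink" -j tcp_packets
    "$IPTABLES" -A INPUT -p udp  -i "$uplink" -j udpincoming_packets
    "$IPTABLES" -A INPUT -i "$uplink" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
done
# LAN side: the router trusts its LAN segment (DHCP/broadcasts and both of
# its LAN addresses).
"$IPTABLES" -A INPUT -i "$LAN_IFACE" -d 255.255.255.255 -j ACCEPT
"$IPTABLES" -A INPUT -i "$LAN_IFACE" -d "$LAN_BCAST_ADRESS" -j ACCEPT
"$IPTABLES" -A INPUT -i "$LAN_IFACE" -d "$LAN_IP" -j ACCEPT
"$IPTABLES" -A INPUT -i "$LAN_IFACE" -d "$LAN2_BCAST_ADRESS" -j ACCEPT
"$IPTABLES" -A INPUT -i "$LAN_IFACE" -d "$LAN2_IP" -j ACCEPT
"$IPTABLES" -A INPUT -i "$LAN_IFACE" -d "$STATIC_IP" -j ACCEPT
# Optional stricter variant: only white-listed LAN hosts may talk to the router.
#"$IPTABLES" -A INPUT -i "$LAN_IFACE" -m set --match-set whitelist src,src -d "$LAN_IP" -j ACCEPT
#"$IPTABLES" -A INPUT -i "$LAN_IFACE" -m set ! --match-set whitelist src,src -d "$LAN_IP" -j DROP
# Loopback.
"$IPTABLES" -A INPUT -i "$LO_IFACE" -d "$LOCALHOST_IP" -j ACCEPT
"$IPTABLES" -A INPUT -i "$LO_IFACE" -d "$LAN_IP" -j ACCEPT
"$IPTABLES" -A INPUT -i "$LO_IFACE" -d "$LAN2_IP" -j ACCEPT
"$IPTABLES" -A INPUT -i "$LO_IFACE" -d "$STATIC_IP" -j ACCEPT
# (The previous rule accepting ppp0 traffic addressed to the LAN broadcast
# address is gone: directed broadcasts from the Internet have no business
# reaching the router.)
#"$IPTABLES" -A INPUT -i "$PPP1_IFACE" -d "$PPP1_IP" -j ACCEPT
"$IPTABLES" -A INPUT -m limit --limit 1/hour --limit-burst 5 \
    -j LOG --log-level notice --log-prefix "IPT INPUT packet died: "

# ---- OUTPUT -------------------------------------------------------------------
"$IPTABLES" -A OUTPUT -p tcp -j bad_tcp_packets
"$IPTABLES" -A OUTPUT -s "$LOCALHOST_IP" -j ACCEPT
"$IPTABLES" -A OUTPUT -s "$LAN_IP" -j ACCEPT
"$IPTABLES" -A OUTPUT -s "$LAN2_IP" -j ACCEPT
"$IPTABLES" -A OUTPUT -s "$STATIC_IP" -j ACCEPT
# Match the ppp uplink by interface, not by its (dynamic) source address.
"$IPTABLES" -A OUTPUT -o "$PPP0_IFACE" -j ACCEPT
#"$IPTABLES" -A OUTPUT -o "$PPP1_IFACE" -j ACCEPT
"$IPTABLES" -A OUTPUT -m limit --limit 1/hour --limit-burst 5 \
    -j LOG --log-level notice --log-prefix "IPT OUTPUT packet died: "

# ---- Routing sysctls ------------------------------------------------------------
# Enabled only now that the filter is in place, so nothing is forwarded
# under an empty rule set.
echo 1 > /proc/sys/net/ipv4/ip_forward
# proxy_arp on the static uplink was part of the original configuration; it
# makes the router answer ARP for routed addresses on that segment and is
# only needed for some provider setups - confirm it is required in yours.
# NOTE(review): consider also enabling rp_filter on the uplinks
# (/proc/sys/net/ipv4/conf/*/rp_filter) to reject source-spoofed packets;
# it is left off here because it is not safe with asymmetric routing.
echo 1 > "/proc/sys/net/ipv4/conf/$INET_IFACE/proxy_arp"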