rc.firewall

a guest
Jan 12th, 2014
297
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Bash 8.67 KB | None | 0 0
  1. # cat /etc/rc.d/rc.firewall
  2. #!/bin/sh
  3.  
  4. # Сценарий предназначен для настройки маршрутизации и
  5. # межсетевого экрана на маршрутизаторе офисной сети.
  6. # Для запуска переименуйте сценарий в rc.firewall
  7. # и дайте права доступа 755
  8.  
  9. # LAN/INET Configuration
  10. # Приведите в соответствие с настройками ваших сетей
  11. # следующие семь параметров!
  12. LAN_IFACE=eth0
  13. LAN_IP=192.168.1.44
  14. LAN_IP_RANGE=192.168.1.0/24
  15. LAN_BCAST_ADRESS=192.168.1.255/24
  16. LAN2_IP=192.168.2.44
  17. LAN2_IP_RANGE=192.168.2.0/24
  18. LAN2_BCAST_ADRESS=192.168.2.255/24
  19.  
  20. INET_IFACE=eth1
  21. /sbin/dhclient $INET_IFACE
  22. STATIC_IP=$(ifconfig $INET_IFACE | grep inet | cut -f2 -d ':' | cut -f10 -d ' ')
  23. STATIC_BCAST_ADRESS=$(ifconfig $INET_IFACE | grep inet | cut -f2 -d ':' | cut -f16 -d ' ')
  24. #STATIC_IP=172.26.34.226  #  tmp for 22
  25. #STATIC_BCAST_ADRESS=172.26.34.224
  26.  
  27. LO_IFACE=lo
  28. LOCALHOST_IP=127.0.0.1
  29.  
  30. #PPP0_IP=0.0.0.0
  31. #PPP0_IFACE=ppp0
  32. #PPP1_IP=0.0.0.0
  33. #PPP1_IFACE=ppp1
  34.  
  35. # IPTables Configuration.
  36. IPTABLES="/usr/sbin/iptables"
  37. IPSET="/usr/sbin/ipset"
  38.  
  39. # Required modules
  40. /sbin/modprobe ip_tables
  41. /sbin/modprobe ip_conntrack
  42. /sbin/modprobe iptable_filter
  43. /sbin/modprobe iptable_mangle
  44. /sbin/modprobe iptable_nat
  45. /sbin/modprobe ipt_LOG
  46. /sbin/modprobe ipt_ULOG
  47. /sbin/modprobe ipt_NFLOG
  48. /sbin/modprobe ipt_limit
  49. /sbin/modprobe ipt_state
  50. #/sbin/modprobe nf_tproxy_core
  51.  
  52. # Non-Required modules
  53. /sbin/modprobe ipt_owner
  54. /sbin/modprobe ipt_REJECT
  55. /sbin/modprobe ipt_MASQUERADE
  56. /sbin/modprobe ip_conntrack_ftp
  57. /sbin/modprobe ip_conntrack_irc
  58. /sbin/modprobe ip_nat_ftp
  59. /sbin/modprobe ip_nat_irc
  60.  
  61. echo 1 > /proc/sys/net/ipv4/ip_forward
  62. echo 1 > /proc/sys/net/ipv4/conf/$INET_IFACE/proxy_arp
  63.  
  64. # Clear ALL rules
  65. $IPTABLES -F
  66. $IPTABLES -X
  67. $IPTABLES -t nat -F
  68. $IPSET -X
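#----------------------------------------------------------------------------------------------------------
## Create new ip sets
# bitmap:ip,mac stores address/MAC pairs within the LAN range; iphash is
# the legacy name for a plain address set.
$IPSET -N whitelist bitmap:ip,mac range $LAN_IP_RANGE
$IPSET -N whitelistd bitmap:ip,mac range $LAN_IP_RANGE
#$IPSET -N whitelist macipmap --network $LAN_IP_RANGE
$IPSET -N ipwhite iphash

# Prints the entries of a list file, one per line.  Everything after a
# '#' on a line is a comment and dropped, blank lines are skipped, and a
# line holding several whitespace-separated entries yields one per line
# (the same splitting the old "for i in $(cat ... | cut ...)" applied).
# Arguments: $1 - path to the list file
list_entries() {
  while IFS= read -r line || [ -n "$line" ]; do
    # Intentional word-splitting: a line may carry more than one entry.
    for entry in ${line%%#*}; do
      printf '%s\n' "$entry"
    done
  done < "$1"
}

# Adds every entry of a list file to a set.  A missing or unreadable
# file leaves the set empty, which fails closed: the FORWARD rules only
# pass LAN traffic whose source is in one of the sets.
# The old loops used "[ ... == ... ]", which is not POSIX and is rejected
# by /bin/sh on systems where that is dash.
# Arguments: $1 - set name, $2 - path to the list file
# Returns:   1 when the list file cannot be read
load_set() {
  if [ ! -r "$2" ]; then
    printf 'rc.firewall: %s not readable, set %s left empty\n' "$2" "$1" >&2
    return 1
  fi
  list_entries "$2" | while IFS= read -r entry; do
    $IPSET add "$1" "$entry"
  done
}

## Set ip sets
# Whitelist
load_set whitelist /home/scripts/iplist/ipmac.lst
load_set ipwhite /home/scripts/iplist/ip.lst
# Whitelist
load_set whitelistd /home/scripts/iplist/ipmac_dubles.lst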
  97.  
  98.  
  99. # Set default policies for the INPUT, FORWARD and OUTPUT chains
  100. $IPTABLES -P INPUT DROP
  101. $IPTABLES -P OUTPUT DROP
  102. $IPTABLES -P FORWARD DROP
  103.  
  104. # Create chain for bad tcp packets
  105. $IPTABLES -N bad_tcp_packets
  106.  
  107. # Create separate chains for ICMP, TCP and UDP to traverse
  108. $IPTABLES -N allowed
  109. $IPTABLES -N icmp_packets
  110. $IPTABLES -N tcp_packets
  111. $IPTABLES -N udpincoming_packets
  112. #$IPTABLES -N fwtraf
  113. # Create chain for allowed FORWARD packets
  114. $IPTABLES -N fw_allow
  115.  
  116. # bad_tcp_packets chain
  117. $IPTABLES -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset
  118. $IPTABLES -A bad_tcp_packets -p tcp ! --syn -m conntrack --ctstate NEW -j LOG --log-prefix "IPT: bad TCP packet: "
  119. $IPTABLES -A bad_tcp_packets -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
  120.  
  121. # TCP sync rules
  122. $IPTABLES -A allowed -p TCP --syn -j ACCEPT
  123. $IPTABLES -A allowed -p TCP -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  124. $IPTABLES -A allowed -p TCP -j DROP
  125.  
  126. # ICMP rules
  127. $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 0 -j ACCEPT
  128. $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 3 -j ACCEPT
  129. $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 5 -j ACCEPT
  130. $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
  131. $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
  132.  
  133. # TCP rules
  134. #$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed
  135. #$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 25 -j allowed
  136. #$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 53 -j allowed
  137. #$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
  138. #$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 110 -j allowed
  139. #$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 3690 -j allowed
  140. $IPTABLES -A fw_allow -j NFLOG --nflog-threshold 30 --nflog-group 1 --nflog-prefix "ALLOWED"
  141. $IPTABLES -A fw_allow -j ACCEPT
  142.  
  143. # UDP ports
  144. $IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT
  145.  
  146. #----------------------------------------------------------------------------------------------------------
  147.  
  148. # PREROUTING chain
  149. #$IPTABLES -t nat -A PREROUTING -p tcp -s 83.237.192.219 --dport 3389 -j DNAT --to 10.0.0.4
  150. #$IPTABLES -t nat -A PREROUTING -p tcp --dport 3389 -j DNAT --to  192.168.1.12
  151. #$IPTABLES -t nat -A PREROUTING -p tcp -j DNAT --to-destination  10.0.0.69
  152.  
  153. # ********* Redirect to SQUID **********
  154.  
  155. #$IPTABLES -t nat -A PREROUTING  -i $LAN_IFACE ! -d 192.168.1.44 -p tcp -m multiport --dport 80,2080,2082,8080 -j REDIRECT --to-port 3129
  156.  
  157.  
  158.  
  159. # POSTROUTING chain
  160. $IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -s $LAN_IP_RANGE -j SNAT --to-source $STATIC_IP
  161.  
  162. # FORWARD chain
  163. #$IPTABLES -A FORWARD -j LOG --log-level debug --log-prefix "IPT FORWARD packet died: "
  164. #$IPTABLES -A FORWARD -p tcp ! --syn -m conntrack --ctstate NEW -j LOG --log-level notice --log-prefix "New not syn:"
  165. #$IPTABLES -A FORWARD -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
  166. $IPTABLES -A FORWARD -p tcp -j bad_tcp_packets
  167. $IPTABLES -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  168.  
  169. # Block outside DHCP
  170. $IPTABLES -A FORWARD -p udp -i $LAN_IFACE --dport 67 -j DROP
  171. $IPTABLES -A FORWARD -p udp -i $LAN_IFACE --dport 68 -j DROP
  172. # Accept only for white listed adresses
  173. $IPTABLES -A FORWARD -p ALL -i $LAN_IFACE -m set --match-set whitelist src,src -j fw_allow
  174. $IPTABLES -A FORWARD -p ALL -i $LAN_IFACE -m set --match-set whitelistd src,src -j fw_allow
  175. $IPTABLES -A FORWARD -p ALL -i $LAN_IFACE -m set --match-set ipwhite src -j fw_allow
  176.  
  177.  
  178. #$IPTABLES -A FORWARD -i $INET_IFACE -j ACCEPT
  179. #$IPTABLES -A FORWARD -i $PPP0_IFACE -j ACCEPT
  180. #$IPTABLES -A FORWARD -i $PPP1_IFACE -j ACCEPT
  181. $IPTABLES -A FORWARD -m limit --limit 1/hour --limit-burst 5 -j LOG --log-level notice --log-prefix "IPT FORWARD packet died: "
  182.  
  183. # INPUT chain
  184. #$IPTABLES -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j LOG --log-level notice --log-prefix "New not syn:"
  185. #$IPTABLES -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
  186. $IPTABLES -A INPUT -p tcp -j bad_tcp_packets
  187. $IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets
  188. $IPTABLES -A INPUT -p TCP -i $INET_IFACE -j tcp_packets
  189. $IPTABLES -A INPUT -p UDP -i $INET_IFACE -j udpincoming_packets
  190. $IPTABLES -A INPUT -p ALL -d $STATIC_IP -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  191. $IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d 255.255.255.255 -j ACCEPT
  192. $IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_BCAST_ADRESS -j ACCEPT
  193. $IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_IP -j ACCEPT
  194. $IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN2_BCAST_ADRESS -j ACCEPT
  195. $IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN2_IP -j ACCEPT
  196. $IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $STATIC_IP -j ACCEPT
  197. $IPTABLES -A INPUT -p ALL -i $LO_IFACE -d $LOCALHOST_IP -j ACCEPT
  198. $IPTABLES -A INPUT -p ALL -i $LO_IFACE -d $LAN_IP -j ACCEPT
  199. $IPTABLES -A INPUT -p ALL -i $LO_IFACE -d $LAN2_IP -j ACCEPT
  200. $IPTABLES -A INPUT -p ALL -i $LO_IFACE -d $STATIC_IP -j ACCEPT
  201. #$IPTABLES -A INPUT -p ALL -i $PPP0_IFACE -d $PPP0_IP -j ACCEPT
  202. #$IPTABLES -A INPUT -p ALL -i $PPP0_IFACE -d $LAN_BCAST_ADRESS -j ACCEPT
  203. #$IPTABLES -A INPUT -p ALL -i $PPP1_IFACE -d $PPP1_IP -j ACCEPT
  204. #$IPTABLES -A INPUT -p ALL -i $PPP1_IFACE -d $LAN_BCAST_ADRESS -j ACCEPT
  205. $IPTABLES -A INPUT -m limit --limit 1/hour --limit-burst 5 -j LOG --log-level notice --log-prefix "IPT INPUT packet died: "
  206.  
  207. # OUTPUT chain
  208. $IPTABLES -A OUTPUT -p tcp ! --syn -m conntrack --ctstate NEW -j LOG --log-level notice --log-prefix "New not syn:"
  209. $IPTABLES -A OUTPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
  210. $IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets
  211. $IPTABLES -A OUTPUT -p ALL -s $LOCALHOST_IP -j ACCEPT
  212. $IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
  213. $IPTABLES -A OUTPUT -p ALL -s $LAN2_IP -j ACCEPT
  214. $IPTABLES -A OUTPUT -p ALL -s $STATIC_IP -j ACCEPT
  215. #$IPTABLES -A OUTPUT -p ALL -s $PPP0_IP -j ACCEPT
  216. #$IPTABLES -A OUTPUT -p ALL -s $PPP1_IP -j ACCEPT
  217. $IPTABLES -A OUTPUT -m limit --limit 1/hour --limit-burst 5 -j LOG --log-level notice --log-prefix "IPT OUTPUT packet died: "