#!/bin/bash
#
# This file contains the Firewall rules
# and the functions to be called by the init script.
# DO NOT RUN THIS FILE DIRECTLY
#
########################
### ###
### GLOBAL VARIABLES ###
### ###
########################
#
# Target every chain in this file jumps to after its LOG rule (see the
# final rule of input/ouput/forward and of each custom chain). With 'ACCEPT'
# the chains log unmatched traffic but never block it; set to 'DROP' for a
# default-deny firewall.
DEFAULT_POLICY='ACCEPT'
# Not referenced in this file — presumably consumed by the init script; verify.
GATEWAYINT='eth0'
# Not referenced in this file — presumably consumed by the init script; verify.
LOG_FILE='/var/log/firewall/firewall.log'
# Built-in chains (ASCII list, space separated). Not referenced in this file.
DEFAULT_CHAINS='INPUT OUTPUT FORWARD'
# User-defined chains created with `iptables -N` by the functions below.
# Not referenced in this file — presumably used by the init script to flush
# or delete them; verify.
CUSTOM_CHAINS='WORKSTATIONS WINSERVERS DMZNETWORK DEVNETWORK'
#
#########################
### ###
### NETWORK VARIABLES ###
### ###
#########################
#
### WORKSTATIONS ###
#
# Interface the FORWARD chain matches with -o to route traffic into WORKSTATIONS.
WSINTERFACE='eth1'
WSNETWORK='10.123.0.0/18'
# Per-department workstation subnets. Only WSIT is referenced by the rules in
# this file (SSH to the firewall in input()); the others are kept for the
# init script or future rules.
WSMERCHANDISE='10.123.1.0/24'
WSCOMPLIANCE='10.123.2.0/24'
WSCUSTSUPPORT='10.123.3.0/24'
WSDEVDESIGN='10.123.4.0/24'
WSFULFILLMENT='10.123.5.0/24'
WSIT='10.123.6.0/24'
WSBIZDEV='10.123.7.0/24'
WSLEGAL_HR_PR='10.123.9.0/24'
WSMARKETING='10.123.11.0/24'
WSACCOUNTING='10.123.12.0/24'
#
### WINSERVERS ###
#
# Interface the FORWARD chain matches with -o to route traffic into WINSERVERS.
WININTERFACE='eth2'
WINNETWORK='10.123.64.0/18'
# VPN subnets; not referenced by any rule in this file.
VPN_AUTH='10.123.70.0/24'
VPN_GENERAL='10.123.71.0/24'
#
### DMZNETWORK ###
#
# Interface the FORWARD chain matches with -o to route traffic into DMZNETWORK.
DMZINTERFACE='eth3'
DMZNETWORK='10.123.128.0/18'
#
### DEVNETWORK ###
#
# Interface the FORWARD chain matches with -o to route traffic into DEVNETWORK.
DEVINTERFACE='eth4'
DEVNETWORK='10.123.192.0/18'
# Monitoring hosts allowed as sources into the DMZ (see dmznetwork()).
ICINGA='10.123.203.2'
CACTI='10.123.203.4'
#
### ATLNETWORK ###
#
# Remote site; allowed as a source into the dev network (see devnetwork()).
ATLNETWORK='10.13.0.0/16'
# Not referenced by any rule in this file.
ATLNETWORK_VPN='10.14.0.0/24'
#
######################
### ###
### IPTABLES RULES ###
### ###
######################
#
### INITIALIZE ALL CHAINS ###
#
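#######################################
# Install every chain defined in this file.
# The custom chains are created first: forward() appends jump rules to
# WORKSTATIONS, WINSERVERS, DMZNETWORK and DEVNETWORK, and iptables rejects
# a -j to a chain that does not exist yet, so the original order (forward
# before the custom chains) left the FORWARD chain without those jumps.
# Globals:  none read directly (see the called functions)
# Outputs:  appends rules via iptables
#######################################
all() {
  workstations
  winservers
  devnetwork
  dmznetwork
  input
  output
  forward
}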
#
### INPUT CHAIN ###
#
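#######################################
# INPUT chain: traffic addressed to the firewall host itself.
# Globals:  WSIT (read), DEFAULT_POLICY (read)
# Outputs:  appends rules to the INPUT chain via iptables
#######################################
input() {
  iptables -A INPUT -p all -i lo -j ACCEPT -m comment --comment "ALLOW LOCALHOST"
  iptables -A INPUT -p all -m state --state ESTABLISHED,RELATED -j ACCEPT -m comment --comment "ALLOW ESTABLISHED and RELATED"
  # Only the IT workstation subnet may open new SSH sessions to the firewall.
  iptables -A INPUT -p tcp -s "$WSIT" --dport 22 -m state --state NEW -j ACCEPT -m comment --comment "ALLOW IT to SSH"
  # Anything not matched above is logged, then handed to DEFAULT_POLICY;
  # with DEFAULT_POLICY='ACCEPT' this chain only logs, it does not block.
  iptables -A INPUT -p all -j LOG --log-level warning --log-prefix "INPUT: "
  iptables -A INPUT -p all -j "$DEFAULT_POLICY"
}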
#
### OUTPUT CHAIN ###
#
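#######################################
# OUTPUT chain: traffic originated by the firewall host.
# Defined as output(): the callers in all() and in the dispatcher below call
# "output", but the function was originally declared as "ouput", so the
# OUTPUT chain was never populated.
# Globals:  DEFAULT_POLICY (read)
# Outputs:  appends rules to the OUTPUT chain via iptables
#######################################
output() {
  # Every outbound packet is logged, then handed to DEFAULT_POLICY.
  iptables -A OUTPUT -p all -j LOG --log-level warning --log-prefix "OUTPUT: "
  iptables -A OUTPUT -p all -j "$DEFAULT_POLICY"
}

# Backward-compatible alias for the misspelled original name.
ouput() {
  output "$@"
}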
#
### FORWARD CHAIN ###
#
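#######################################
# FORWARD chain: traffic routed through the firewall. Dispatches by egress
# interface into the per-segment custom chains, which must already exist.
# Globals:  WSINTERFACE, WININTERFACE, DMZINTERFACE, DEVINTERFACE,
#           DEFAULT_POLICY (all read)
# Outputs:  appends rules to the FORWARD chain via iptables
#######################################
forward() {
  iptables -A FORWARD -p all -m state --state ESTABLISHED,RELATED -j ACCEPT -m comment --comment "ALLOW ESTABLISHED and RELATED"
  iptables -A FORWARD -o "$WSINTERFACE" -j WORKSTATIONS -m comment --comment "Forward TO:WORKSTATIONS"
  iptables -A FORWARD -o "$WININTERFACE" -j WINSERVERS -m comment --comment "Forward TO:WINSERVERS"
  iptables -A FORWARD -o "$DMZINTERFACE" -j DMZNETWORK -m comment --comment "Forward TO:DMZNETWORK"
  iptables -A FORWARD -o "$DEVINTERFACE" -j DEVNETWORK -m comment --comment "Forward TO:DEVNETOWRK"
  # Chain names are case-sensitive; this rule used "-A forward" and therefore
  # failed, so forwarded traffic that returned from a custom chain was never
  # logged before reaching DEFAULT_POLICY.
  iptables -A FORWARD -p all -j LOG --log-level warning --log-prefix "FORWARD: "
  iptables -A FORWARD -p all -j "$DEFAULT_POLICY"
}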
#
### WORKSTATIONS CHAIN ###
#
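#######################################
# WORKSTATIONS chain: forwarded traffic leaving via WSINTERFACE.
# Creates the chain (iptables -N fails if it already exists, e.g. on a second
# run, and the rules below are then appended to the existing chain).
# Globals:  DEFAULT_POLICY (read)
# Outputs:  creates and populates the WORKSTATIONS chain via iptables
#######################################
workstations() {
  iptables -N WORKSTATIONS
  # No filtering rules: everything is logged, then handed to DEFAULT_POLICY.
  iptables -A WORKSTATIONS -p all -j LOG --log-level warning --log-prefix "WORKSTATIONS: "
  iptables -A WORKSTATIONS -p all -j "$DEFAULT_POLICY"
}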
#
### WINSERVERS CHAIN ###
#
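#######################################
# WINSERVERS chain: forwarded traffic leaving via WININTERFACE.
# Creates the chain (iptables -N fails if it already exists, e.g. on a second
# run, and the rules below are then appended to the existing chain).
# Globals:  DEFAULT_POLICY (read)
# Outputs:  creates and populates the WINSERVERS chain via iptables
#######################################
winservers() {
  iptables -N WINSERVERS
  # No filtering rules: everything is logged, then handed to DEFAULT_POLICY.
  iptables -A WINSERVERS -p all -j LOG --log-level warning --log-prefix "WINSERVERS: "
  iptables -A WINSERVERS -p all -j "$DEFAULT_POLICY"
}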
#
### DEVNETWORK CHAIN ###
#
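#######################################
# DEVNETWORK chain: forwarded traffic leaving via DEVINTERFACE.
# Creates the chain (iptables -N fails if it already exists, e.g. on a second
# run, and the rules below are then appended to the existing chain).
# Globals:  ATLNETWORK (read), DEFAULT_POLICY (read)
# Outputs:  creates and populates the DEVNETWORK chain via iptables
#######################################
devnetwork() {
  iptables -N DEVNETWORK
  iptables -A DEVNETWORK -p icmp -m state --state NEW -j ACCEPT -m comment --comment "ALLOW ICMP"
  # Any new connection sourced from the remote ATL site is accepted.
  iptables -A DEVNETWORK -p all -s "$ATLNETWORK" -m state --state NEW -j ACCEPT -m comment --comment "ALLOW ATLNETWORK"
  iptables -A DEVNETWORK -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT -m comment --comment "ALLOW HTTP/HTTPS"
  iptables -A DEVNETWORK -p udp -m multiport --dports 53 -m state --state NEW -j ACCEPT -m comment --comment "ALLOW DNS"
  # Anything else is logged, then handed to DEFAULT_POLICY; the explicit
  # accepts above only restrict traffic when DEFAULT_POLICY is not ACCEPT.
  iptables -A DEVNETWORK -p all -j LOG --log-level warning --log-prefix "DEVNETWORK: "
  iptables -A DEVNETWORK -p all -j "$DEFAULT_POLICY"
}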
#
### DMZNETWORK CHAIN ###
#
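#######################################
# DMZNETWORK chain: forwarded traffic leaving via DMZINTERFACE.
# Creates the chain (iptables -N fails if it already exists, e.g. on a second
# run, and the rules below are then appended to the existing chain).
# Globals:  ICINGA, CACTI, DEFAULT_POLICY (all read)
# Outputs:  creates and populates the DMZNETWORK chain via iptables
#######################################
dmznetwork() {
  iptables -N DMZNETWORK
  # The two monitoring hosts may open new connections into the DMZ.
  iptables -A DMZNETWORK -p all -s "$ICINGA" -m state --state NEW -j ACCEPT -m comment --comment "ALLOW ICINGA"
  iptables -A DMZNETWORK -p all -s "$CACTI" -m state --state NEW -j ACCEPT -m comment --comment "ALLOW CACTI"
  # Anything else is logged, then handed to DEFAULT_POLICY.
  iptables -A DMZNETWORK -p all -j LOG --log-level warning --log-prefix "DMZNETWORK: "
  iptables -A DMZNETWORK -p all -j "$DEFAULT_POLICY"
}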
#
### Main Logic ###
#
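# Dispatch on the first argument to the matching chain function.
# An unknown or missing argument used to print a blank line and exit 0,
# which let a typo in the init script look like a successful run; it now
# prints the accepted keywords to stderr and exits non-zero.
case "${1:-}" in
  all) all ;;
  input) input ;;
  output) output ;;
  forward) forward ;;
  workstations) workstations ;;
  winservers) winservers ;;
  devnetwork) devnetwork ;;
  dmznetwork) dmznetwork ;;
  *)
    printf 'Usage: %s {all|input|output|forward|workstations|winservers|devnetwork|dmznetwork}\n' "${0##*/}" >&2
    exit 2
    ;;
esac
exit 0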