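#!/bin/bash
#
# This file contains the Firewall rules
# and the functions to be called by the init script.
#
# Invocation (by the init script only):
#   <this file> {all|input|output|forward|workstations|winservers|devnetwork|dmznetwork}
#
# DO NOT RUN THIS FILE DIRECTLY
#
# NOTE: DEFAULT_POLICY is 'ACCEPT' and every chain below ends in
# "-j $DEFAULT_POLICY", so the explicit ACCEPT rules only bypass the
# preceding LOG rule; nothing is actually dropped by these chains.
# For a default-deny posture set DEFAULT_POLICY='DROP' and keep the
# explicit ACCEPT rules that are genuinely needed.
#
# NOTE: the functions do not check iptables exit codes and the script
# always exits 0, so a partially loaded rule set is not reported to
# the init script. The custom chains are created with "iptables -N",
# which fails if the chain already exists; the init script is expected
# to flush/delete chains before calling "all" (not verified here).
#

# Abort on a reference to an unset variable: a misspelled network
# variable would otherwise silently expand to "" inside an iptables rule.
set -u

########################
###                  ###
### GLOBAL VARIABLES ###
###                  ###
########################
#
DEFAULT_POLICY='ACCEPT'
GATEWAYINT='eth0'
LOG_FILE='/var/log/firewall/firewall.log'
DEFAULT_CHAINS='INPUT OUTPUT FORWARD'
CUSTOM_CHAINS='WORKSTATIONS WINSERVERS DMZNETWORK DEVNETWORK'
#
#########################
###                   ###
### NETWORK VARIABLES ###
###                   ###
#########################
#
### WORKSTATIONS ###
#
WSINTERFACE='eth1'
WSNETWORK='10.123.0.0/18'
WSMERCHANDISE='10.123.1.0/24'
WSCOMPLIANCE='10.123.2.0/24'
WSCUSTSUPPORT='10.123.3.0/24'
WSDEVDESIGN='10.123.4.0/24'
WSFULFILLMENT='10.123.5.0/24'
WSIT='10.123.6.0/24'
WSBIZDEV='10.123.7.0/24'
WSLEGAL_HR_PR='10.123.9.0/24'
WSMARKETING='10.123.11.0/24'
WSACCOUNTING='10.123.12.0/24'
#
### WINSERVERS ###
#
WININTERFACE='eth2'
WINNETWORK='10.123.64.0/18'
VPN_AUTH='10.123.70.0/24'
VPN_GENERAL='10.123.71.0/24'
#
### DMZNETWORK ###
#
DMZINTERFACE='eth3'
DMZNETWORK='10.123.128.0/18'
#
### DEVNETWORK ###
#
DEVINTERFACE='eth4'
DEVNETWORK='10.123.192.0/18'
ICINGA='10.123.203.2'
CACTI='10.123.203.4'
#
### ATLNETWORK ###
#
ATLNETWORK='10.13.0.0/16'
ATLNETWORK_VPN='10.14.0.0/24'
#
######################
###                ###
### IPTABLES RULES ###
###                ###
######################
#
### INITIALIZE ALL CHAINS ###
#
#######################################
# Load every chain. The custom chains are created BEFORE forward() runs:
# forward() jumps to WORKSTATIONS/WINSERVERS/DMZNETWORK/DEVNETWORK by
# name, and iptables rejects a jump to a chain that does not exist yet.
#######################################
all() {
  workstations
  winservers
  devnetwork
  dmznetwork
  input
  output
  forward
}
#
### INPUT CHAIN ###
#
#######################################
# Populate INPUT: loopback, established/related, SSH from the IT
# workstation subnet; everything else is logged and then hits
# DEFAULT_POLICY.
#######################################
input() {
  iptables -A INPUT -p all -i lo -j ACCEPT -m comment --comment "ALLOW LOCALHOST"
  iptables -A INPUT -p all -m state --state ESTABLISHED,RELATED -j ACCEPT -m comment --comment "ALLOW ESTABLISHED and RELATED"
  iptables -A INPUT -p tcp -s "$WSIT" --dport 22 -m state --state NEW -j ACCEPT -m comment --comment "ALLOW IT to SSH"
  iptables -A INPUT -p all -j LOG --log-level warning --log-prefix "INPUT: "
  iptables -A INPUT -p all -j "$DEFAULT_POLICY"
}
#
### OUTPUT CHAIN ###
#
#######################################
# Populate OUTPUT: log everything, then DEFAULT_POLICY.
# (Function was previously misspelled "ouput", so both all() and the
# "output" dispatch arm failed with "command not found".)
#######################################
output() {
  iptables -A OUTPUT -p all -j LOG --log-level warning --log-prefix "OUTPUT: "
  iptables -A OUTPUT -p all -j "$DEFAULT_POLICY"
}
#
### FORWARD CHAIN ###
#
#######################################
# Populate FORWARD: established/related first, then hand traffic to the
# per-segment custom chain selected by the OUTPUT interface. Requires the
# custom chains to exist already (see all()).
#######################################
forward() {
  iptables -A FORWARD -p all -m state --state ESTABLISHED,RELATED -j ACCEPT -m comment --comment "ALLOW ESTABLISHED and RELATED"
  iptables -A FORWARD -o "$WSINTERFACE" -j WORKSTATIONS -m comment --comment "Forward TO:WORKSTATIONS"
  iptables -A FORWARD -o "$WININTERFACE" -j WINSERVERS -m comment --comment "Forward TO:WINSERVERS"
  iptables -A FORWARD -o "$DMZINTERFACE" -j DMZNETWORK -m comment --comment "Forward TO:DMZNETWORK"
  iptables -A FORWARD -o "$DEVINTERFACE" -j DEVNETWORK -m comment --comment "Forward TO:DEVNETOWRK"
  # Chain names are case-sensitive; this line used "-A forward" before,
  # which iptables rejects, so forwarded traffic was never logged.
  iptables -A FORWARD -p all -j LOG --log-level warning --log-prefix "FORWARD: "
  iptables -A FORWARD -p all -j "$DEFAULT_POLICY"
}
#
### WORKSTATIONS CHAIN ###
#
#######################################
# Create and populate WORKSTATIONS: log, then DEFAULT_POLICY.
#######################################
workstations() {
  iptables -N WORKSTATIONS
  iptables -A WORKSTATIONS -p all -j LOG --log-level warning --log-prefix "WORKSTATIONS: "
  iptables -A WORKSTATIONS -p all -j "$DEFAULT_POLICY"
}
#
### WINSERVERS CHAIN ###
#
#######################################
# Create and populate WINSERVERS: log, then DEFAULT_POLICY.
#######################################
winservers() {
  iptables -N WINSERVERS
  iptables -A WINSERVERS -p all -j LOG --log-level warning --log-prefix "WINSERVERS: "
  iptables -A WINSERVERS -p all -j "$DEFAULT_POLICY"
}
#
### DEVNETWORK CHAIN ###
#
#######################################
# Create and populate DEVNETWORK: ICMP, anything from ATLNETWORK,
# HTTP/HTTPS and DNS are accepted; the rest is logged, then DEFAULT_POLICY.
#######################################
devnetwork() {
  iptables -N DEVNETWORK
  iptables -A DEVNETWORK -p icmp -m state --state NEW -j ACCEPT -m comment --comment "ALLOW ICMP"
  iptables -A DEVNETWORK -p all -s "$ATLNETWORK" -m state --state NEW -j ACCEPT -m comment --comment "ALLOW ATLNETWORK"
  iptables -A DEVNETWORK -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT -m comment --comment "ALLOW HTTP/HTTPS"
  iptables -A DEVNETWORK -p udp -m multiport --dports 53 -m state --state NEW -j ACCEPT -m comment --comment "ALLOW DNS"
  iptables -A DEVNETWORK -p all -j LOG --log-level warning --log-prefix "DEVNETWORK: "
  iptables -A DEVNETWORK -p all -j "$DEFAULT_POLICY"
}
#
### DMZNETWORK CHAIN ###
#
#######################################
# Create and populate DMZNETWORK: the monitoring hosts (Icinga, Cacti)
# are accepted; the rest is logged, then DEFAULT_POLICY.
#######################################
dmznetwork() {
  iptables -N DMZNETWORK
  iptables -A DMZNETWORK -p all -s "$ICINGA" -m state --state NEW -j ACCEPT -m comment --comment "ALLOW ICINGA"
  iptables -A DMZNETWORK -p all -s "$CACTI" -m state --state NEW -j ACCEPT -m comment --comment "ALLOW CACTI"
  iptables -A DMZNETWORK -p all -j LOG --log-level warning --log-prefix "DMZNETWORK: "
  iptables -A DMZNETWORK -p all -j "$DEFAULT_POLICY"
}
#
### Main Logic ###
#
#######################################
# Print the accepted sub-commands to stderr and exit 2. Replaces the old
# "*) echo ;;" arm, which treated an unknown argument as success.
#######################################
usage() {
  printf 'Usage: %s {all|input|output|forward|workstations|winservers|devnetwork|dmznetwork}\n' "${0##*/}" >&2
  exit 2
}

# "${1:-}" keeps set -u from aborting when no argument is given.
case "${1:-}" in
  all) all ;;
  input) input ;;
  output) output ;;
  forward) forward ;;
  workstations) workstations ;;
  winservers) winservers ;;
  devnetwork) devnetwork ;;
  dmznetwork) dmznetwork ;;
  *) usage ;;
esac
exit 0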