  1. #!/bin/sh
  2.  
  3. ### BEGIN INIT INFO
  4. # Provides: firewall
  5. # Required-Start: $remote_fs $syslog
  6. # Required-Stop: $remote_fs $syslog
  7. # Default-Start: 2 3 4 5
  8. # Default-Stop: 0 1 6
  9. # Short-Description: firewall for armitage vpn container
  10. ### END INIT INFO
  11.  
  12. # firewall Start iptables firewall
  13. # chkconfig: 2345 08 92
  14. # description: Starts, stops and saves iptables firewall
  15.  
  16. IPT="/sbin/iptables"
  17.  
  18. VPN_IF="tun+"
  19. VPN_NET="10.10.5.0/24"
  20.  
  21. LAN_IF="eth0"
  22. LAN_NET="10.10.0.0/24"
  23. LAN_GW="10.10.0.1"
  24.  
  25. AVA_LAN="10.10.0.51"
  26.  
  27. THIS_HOST="10.10.0.53"
  28.  
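# Print the success marker without a trailing newline; the caller ends the
# line. printf is used because "echo -n" is not portable under #!/bin/sh
# (some sh implementations print the "-n" literally).
success() {
  printf '%s' "...success"
}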
  32.  
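# Print the failure marker without a trailing newline; the caller ends the
# line. printf is used because "echo -n" is not portable under #!/bin/sh
# (some sh implementations print the "-n" literally).
failure() {
  printf '%s' "...failure"
}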
  36.  
  37.  
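#######################################
# Harden the kernel's IPv4 stack through /proc/sys.
# Globals:   fw_rv (written); calls success/failure for the status line
# Outputs:   one status line on stdout; shell redirection errors on stderr
# Returns:   0 when every knob was written, 1 otherwise
#######################################
ipv4_settings() {
  printf '%s' "Firewall: Setting valid settings for ipv4 in kernel"
  # Every write is checked: a knob missing from this kernel, or a read-only
  # /proc/sys inside the container, must show up as "...failure" instead of
  # being hidden behind an unconditional success marker.
  fw_rv=0

  # Drop ICMP echo-request messages sent to broadcast or multicast addresses
  echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts || fw_rv=1

  # Drop source routed packets
  echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route || fw_rv=1

  # Enable TCP SYN cookie protection from SYN floods
  echo 1 > /proc/sys/net/ipv4/tcp_syncookies || fw_rv=1

  # Don't accept ICMP redirect messages
  echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects || fw_rv=1

  # Don't send ICMP redirect messages
  echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects || fw_rv=1

  # Enable source address spoofing protection (reverse-path filtering)
  echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter || fw_rv=1

  # Log packets with impossible source addresses
  echo 1 > /proc/sys/net/ipv4/conf/all/log_martians || fw_rv=1

  # Don't log bogus ICMP error responses to broadcast frames
  echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses || fw_rv=1

  # NOTE(review): setup() forwards and MASQUERADEs VPN traffic, but
  # net.ipv4.ip_forward is not enabled anywhere in this script -- confirm the
  # container or the VPN daemon configuration turns it on.

  if [ "$fw_rv" -eq 0 ]; then
    success
  else
    failure
  fi
  echo
  return "$fw_rv"
}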
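#######################################
# Reset the firewall to accept-everything: open the policies, then flush the
# filter and nat tables. Used by "stop" and before every "start".
# Globals:   IPT (read), fw_rv (written)
# Outputs:   one status line on stdout
# Returns:   0 when every iptables command succeeded, 1 otherwise
#######################################
purge() {
  printf '%s' "Firewall: Purging and allowing all traffic"
  # Each command is checked so that e.g. running without CAP_NET_ADMIN is
  # reported as "...failure" rather than as a success.
  fw_rv=0
  # Policies are reset before the flush, so there is no moment where a DROP
  # policy is still in force with the accept rules already gone.
  "$IPT" -P OUTPUT ACCEPT || fw_rv=1
  "$IPT" -P FORWARD ACCEPT || fw_rv=1
  "$IPT" -P INPUT ACCEPT || fw_rv=1
  "$IPT" -F || fw_rv=1
  "$IPT" -t nat -F || fw_rv=1
  if [ "$fw_rv" -eq 0 ]; then
    success
  else
    failure
  fi
  echo
  return "$fw_rv"
}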
  75.  
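#######################################
# Run one iptables command on behalf of setup(), recording any failure in
# fw_rv so the status line reflects it instead of always printing success.
# Globals:   IPT (read), fw_rv (written)
# Arguments: the iptables arguments (everything after "$IPT")
#######################################
fw_rule() {
  "$IPT" "$@" || fw_rv=1
}

#######################################
# Load the firewall policy: default DROP on INPUT and FORWARD, this host's own
# services, and VPN -> LAN/Internet forwarding with NAT.
# Rule order matters: "-I" inserts at the top of a chain, so the LAST "-I" in
# this function ends up FIRST in its chain, while "-A" appends to the end.
# Globals:   IPT, VPN_IF, VPN_NET, LAN_IF, LAN_NET, LAN_GW, AVA_LAN, THIS_HOST
#            (read); VPN_PORT and SSH_PORT override the accepted ports when
#            set, defaulting to 11942 and 22; fw_rv (written)
# Outputs:   status lines on stdout
# Returns:   0 when every command succeeded, 1 otherwise
#######################################
setup() {
  # The kernel knobs are independent of the rules; doing them first keeps
  # their status line from being spliced into the middle of the line below.
  ipv4_settings

  printf '%s' "Firewall: Setting default policies to DROP, ACCEPT on ESTABLISHED, RELATED"
  fw_rv=0
  fw_rule -P INPUT DROP
  fw_rule -P FORWARD DROP
  fw_rule -I INPUT -i lo -j ACCEPT
  # Replies to connections this host opened itself arrive on INPUT; without
  # this rule the DROP policy discards them, contrary to the message above,
  # which previously only held for the FORWARD chain.
  fw_rule -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

  # incoming vpn
  fw_rule -A INPUT -p udp --destination-port "${VPN_PORT:-11942}" -d "$THIS_HOST" -j ACCEPT
  # incoming ssh
  fw_rule -A INPUT -p tcp --destination-port "${SSH_PORT:-22}" -d "$THIS_HOST" -j ACCEPT

  # incoming established from Internet/LAN to VPN
  fw_rule -A FORWARD -i "$LAN_IF" -o "$VPN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT

  # forward from VPN to Internet/LAN
  fw_rule -A FORWARD -s "$VPN_NET" -o "$LAN_IF" -j ACCEPT

  # NAT outgoing VPN to LAN/Internet
  fw_rule -t nat -A POSTROUTING -s "$VPN_NET" -o "$LAN_IF" -j MASQUERADE

  # reject new requests FORWARD from lan/Internet to VPN
  fw_rule -I FORWARD -i "$LAN_IF" -o "$VPN_IF" -m state --state NEW -j REJECT

  # reject VPN to LAN; the DNS and SSH exceptions are inserted above it below
  fw_rule -I FORWARD -i "$VPN_IF" -o "$LAN_IF" -d "$LAN_NET" -m state --state NEW -j REJECT
  fw_rule -I OUTPUT -o "$VPN_IF" -d "$LAN_NET" -m state --state NEW -j REJECT

  # allow DNS from VPN to GW
  fw_rule -I FORWARD -p udp --destination-port 53 -i "$VPN_IF" -o "$LAN_IF" -d "$LAN_GW" -m state --state NEW -j ACCEPT

  # allow SSH from VPN to Ava
  fw_rule -I FORWARD -p tcp --destination-port 22 -i "$VPN_IF" -o "$LAN_IF" -d "$AVA_LAN" -m state --state NEW -j ACCEPT

  if [ "$fw_rv" -eq 0 ]; then success; else failure; fi
  echo

  # fw_rv is deliberately not reset here: the second status line reports
  # the cumulative result of the whole function.
  printf '%s' "Inserting (in the top) check on SYN, XMAS, NULL, DROP invalid packets"
  # Make sure NEW incoming tcp connections are SYN packets; otherwise drop them:
  fw_rule -I INPUT -p tcp ! --syn -m state --state NEW -j DROP
  fw_rule -I FORWARD -p tcp ! --syn -m state --state NEW -j DROP

  # Incoming malformed XMAS packets (all flags set): drop them
  fw_rule -I INPUT -p tcp --tcp-flags ALL ALL -j DROP
  fw_rule -I FORWARD -p tcp --tcp-flags ALL ALL -j DROP

  # Incoming malformed NULL packets (no flags set): drop them
  fw_rule -I INPUT -p tcp --tcp-flags ALL NONE -j DROP
  fw_rule -I FORWARD -p tcp --tcp-flags ALL NONE -j DROP

  # DROP INVALID (inserted last, so it is evaluated first in both chains)
  fw_rule -I INPUT -m state --state INVALID -j DROP
  fw_rule -I FORWARD -m state --state INVALID -j DROP

  if [ "$fw_rv" -eq 0 ]; then success; else failure; fi
  echo
  return "$fw_rv"
}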
  131.  
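# Print the usage line to stderr and exit with the LSB status for an
# invalid argument (2), so "service"/init wrappers see the error instead of
# a silent exit 0.
usage() {
  printf 'Usage: %s <start|stop|restart|status>\n' "$0" >&2
  exit 2
}

# Abort with LSB status 5 ("program is not installed") when the iptables
# binary is missing, instead of letting every rule fail one by one.
require_ipt() {
  if [ ! -x "$IPT" ]; then
    printf '%s: %s not found or not executable\n' "$0" "$IPT" >&2
    exit 5
  fi
}

#######################################
# Init-script entry point.
# Arguments: $1 - start | stop | restart | status
# Returns:   exit status of the chosen action; 2 on a bad argument
#######################################
main() {
  case "$1" in
    start)
      require_ipt
      echo "Starting firewall..."
      purge
      setup
      ;;
    stop)
      require_ipt
      echo "Stopping firewall..."
      purge
      ;;
    restart)
      # Re-invoke this script for each step; "$0" is quoted so a script path
      # containing spaces cannot be split into several words.
      "$0" stop
      "$0" start
      ;;
    status)
      require_ipt
      # Show the filter table and the nat table (the MASQUERADE rule lives
      # in the latter), with packet/byte counters.
      "$IPT" -n -v -L
      "$IPT" -t nat -n -v -L
      ;;
    *)
      usage
      ;;
  esac
}

main "$@"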