#!/bin/sh
### BEGIN INIT INFO
# Provides: firewall
# Required-Start: $remote_fs $syslog
# Required-Stop: $remote_fs $syslog
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: firewall for armitage vpn container
### END INIT INFO
# firewall Start iptables firewall
# chkconfig: 2345 08 92
# description: Starts, stops and saves iptables firewall
#
# Site configuration.  Every value below is passed to iptables by setup();
# change the addresses here, not inside the rules.
# Absolute path of the iptables binary (no PATH lookup).
IPT="/sbin/iptables"
# "tun+" is the iptables interface wildcard: matches any interface named tun*.
VPN_IF="tun+"
# Subnet of the VPN clients; used as the source (-s) of forwarded and NAT'd traffic.
VPN_NET="10.10.5.0/24"
# Interface towards LAN/Internet, and the LAN subnet that VPN clients must
# NOT reach (except for the two hosts/ports below).
LAN_IF="eth0"
LAN_NET="10.10.0.0/24"
# LAN gateway: the only LAN destination VPN clients may reach, and only for DNS (udp/53).
LAN_GW="10.10.0.1"
# "Ava": the only LAN destination VPN clients may reach over SSH (tcp/22).
AVA_LAN="10.10.0.51"
# This container's own LAN address, i.e. where the VPN (udp/11942) and SSH listeners are accepted.
THIS_HOST="10.10.0.53"
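#######################################
# Append the "...success" marker to the current progress line.
# Outputs:   "...success" on stdout, without a trailing newline (the caller
#            emits it).  printf is used because `echo -n` is not portable
#            under #!/bin/sh.
# Returns:   0
#######################################
success() {
  printf '%s' "...success"
}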
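#######################################
# Append the "...failure" marker to the current progress line.
# Outputs:   "...failure" on stdout, without a trailing newline (the caller
#            emits it).  printf is used because `echo -n` is not portable
#            under #!/bin/sh.
# Returns:   0
#######################################
failure() {
  printf '%s' "...failure"
}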
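#######################################
# Write one net.ipv4 sysctl through /proc and report a failed write
# instead of silently continuing.
# Arguments: $1 - key relative to /proc/sys/net/ipv4 (e.g. conf/all/rp_filter)
#            $2 - value to write
# Outputs:   a diagnostic on stderr when the write fails
# Returns:   0 on success, 1 if the write failed
#######################################
ipv4_sysctl() {
  if printf '%s\n' "$2" > "/proc/sys/net/ipv4/$1"; then
    return 0
  fi
  printf '\nFirewall: cannot set net.ipv4.%s=%s\n' "$1" "$2" >&2
  return 1
}

#######################################
# Apply the kernel ipv4 hardening settings.  Each write is checked; the
# progress line ends in "...failure" (and the function returns 1) if any
# setting could not be applied, rather than always claiming success.
# Globals:   ipv4_rc (written)
# Outputs:   one progress line on stdout
# Returns:   0 when every setting applied, 1 otherwise
#######################################
ipv4_settings() {
  printf '%s' "Firewall: Setting valid settings for ipv4 in kernel"
  ipv4_rc=0
  # Drop ICMP echo-request messages sent to broadcast or multicast addresses
  ipv4_sysctl icmp_echo_ignore_broadcasts 1 || ipv4_rc=1
  # Drop source routed packets
  ipv4_sysctl conf/all/accept_source_route 0 || ipv4_rc=1
  # Enable TCP SYN cookie protection from SYN floods
  ipv4_sysctl tcp_syncookies 1 || ipv4_rc=1
  # Don't accept ICMP redirect messages
  ipv4_sysctl conf/all/accept_redirects 0 || ipv4_rc=1
  # Don't send ICMP redirect messages
  ipv4_sysctl conf/all/send_redirects 0 || ipv4_rc=1
  # Enable source address spoofing protection
  ipv4_sysctl conf/all/rp_filter 1 || ipv4_rc=1
  # Log packets with impossible source addresses
  ipv4_sysctl conf/all/log_martians 1 || ipv4_rc=1
  # Disable logging of bogus responses to broadcast frames
  ipv4_sysctl icmp_ignore_bogus_error_responses 1 || ipv4_rc=1
  if [ "$ipv4_rc" -eq 0 ]; then success; else failure; fi
  echo
  return "$ipv4_rc"
}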
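#######################################
# Open the filter policies (OUTPUT, FORWARD, INPUT -> ACCEPT) and flush the
# filter and nat tables.  Every iptables call is checked so the progress
# line reports "...failure" (and the function returns 1) when a command
# fails, instead of always printing success.
# Globals:   IPT (read), purge_rc (written)
# Outputs:   one progress line on stdout; iptables diagnostics on stderr
# Returns:   0 when every command succeeded, 1 otherwise
#######################################
purge() {
  printf '%s' "Firewall: Purging and allowing all traffic"
  purge_rc=0
  # Same order as before: policies first, then the flushes.
  for purge_chain in OUTPUT FORWARD INPUT; do
    "$IPT" -P "$purge_chain" ACCEPT || purge_rc=1
  done
  "$IPT" -F || purge_rc=1
  "$IPT" -t nat -F || purge_rc=1
  if [ "$purge_rc" -eq 0 ]; then success; else failure; fi
  echo
  return "$purge_rc"
}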
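#######################################
# Issue one iptables command and record (instead of ignoring) a failure.
# Globals:   IPT (read), fw_rc (set to 1 on failure)
# Arguments: the iptables arguments, passed through unchanged
# Outputs:   a diagnostic on stderr when the command fails
# Returns:   0 on success, 1 on failure
#######################################
fw_rule() {
  if "$IPT" "$@"; then
    return 0
  fi
  printf '\nFirewall: iptables %s failed\n' "$*" >&2
  fw_rc=1
  return 1
}

#######################################
# Build the ruleset: DROP policies on INPUT/FORWARD, loopback and the
# VPN/SSH services on this host, VPN -> LAN/Internet forwarding with NAT
# (LAN reachable only for DNS to the gateway and SSH to Ava), then the
# SYN/XMAS/NULL/INVALID sanity checks inserted at the top of INPUT/FORWARD.
# Globals:   IPT, VPN_IF, VPN_NET, LAN_IF, LAN_NET, LAN_GW, AVA_LAN,
#            THIS_HOST (read); fw_rc (written)
# Outputs:   progress lines on stdout; iptables diagnostics on stderr
# Returns:   0 when every command succeeded, 1 if any failed
#######################################
setup() {
  fw_rc=0
  printf '%s' "Firewall: Setting default policies to DROP, ACCEPT on ESTABLISHED, RELATED"
  fw_rule -P INPUT DROP
  fw_rule -P FORWARD DROP
  fw_rule -I INPUT -j ACCEPT -i lo
  # Replies to connections this host opened itself (DNS, updates, ...).
  # Without this rule the INPUT DROP policy discards them, contrary to the
  # message printed above.
  fw_rule -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  ipv4_settings || fw_rc=1
  # incoming vpn
  fw_rule -A INPUT -p udp --destination-port 11942 -d "$THIS_HOST" -j ACCEPT
  # incoming ssh
  fw_rule -A INPUT -p tcp --destination-port 22 -d "$THIS_HOST" -j ACCEPT
  # incoming established from Internet/LAN to VPN
  fw_rule -A FORWARD -i "$LAN_IF" -o "$VPN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
  # forward from VPN to Internet/LAN
  fw_rule -A FORWARD -s "$VPN_NET" -o "$LAN_IF" -j ACCEPT
  # NAT outgoing VPN to LAN/Internet
  fw_rule -t nat -A POSTROUTING -s "$VPN_NET" -o "$LAN_IF" -j MASQUERADE
  # Everything from here on is inserted (-I), so each rule lands above the
  # ones before it: the last inserted is evaluated first.
  # reject new requests FORWARD from lan/Internet to VPN
  fw_rule -I FORWARD -i "$LAN_IF" -o "$VPN_IF" -m state --state NEW -j REJECT
  # reject VPN to LAN except for the DNS and SSH exceptions inserted below
  fw_rule -I FORWARD -i "$VPN_IF" -o "$LAN_IF" -d "$LAN_NET" -m state --state NEW -j REJECT
  fw_rule -I OUTPUT -o "$VPN_IF" -d "$LAN_NET" -m state --state NEW -j REJECT
  # allow DNS from VPN to GW
  fw_rule -I FORWARD -p udp --destination-port 53 -i "$VPN_IF" -o "$LAN_IF" -d "$LAN_GW" -m state --state NEW -j ACCEPT
  # allow SSH from VPN to Ava
  fw_rule -I FORWARD -p tcp --destination-port 22 -i "$VPN_IF" -o "$LAN_IF" -d "$AVA_LAN" -m state --state NEW -j ACCEPT
  if [ "$fw_rc" -eq 0 ]; then success; else failure; fi
  echo
  printf '%s' "Inserting (in the top) check on SYN, XMAS, NULL, DROP invalid packets"
  # Make sure NEW incoming tcp connections are SYN packets; otherwise we need to drop them:
  fw_rule -I INPUT -p tcp ! --syn -m state --state NEW -j DROP
  fw_rule -I FORWARD -p tcp ! --syn -m state --state NEW -j DROP
  # Incoming malformed XMAS packets drop them:
  fw_rule -I INPUT -p tcp --tcp-flags ALL ALL -j DROP
  fw_rule -I FORWARD -p tcp --tcp-flags ALL ALL -j DROP
  # Incoming malformed NULL packets:
  fw_rule -I INPUT -p tcp --tcp-flags ALL NONE -j DROP
  fw_rule -I FORWARD -p tcp --tcp-flags ALL NONE -j DROP
  # DROP INVALID
  fw_rule -I INPUT -m state --state INVALID -j DROP
  fw_rule -I FORWARD -m state --state INVALID -j DROP
  # fw_rc is cumulative, so this reflects the whole ruleset.
  if [ "$fw_rc" -eq 0 ]; then success; else failure; fi
  echo
  return "$fw_rc"
}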
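# Init-style dispatch.  $0 is quoted so a script path containing blanks
# still re-invokes itself for "restart"; an unknown action prints usage on
# stderr and exits 2 (invalid argument) instead of exiting 0.  For "start"
# the script's exit status is that of setup (the last command run).
case "$1" in
  start)
    echo "Starting firewall..."
    purge
    setup
    ;;
  stop)
    echo "Stopping firewall..."
    purge
    ;;
  restart)
    "$0" stop
    "$0" start
    ;;
  status)
    "$IPT" -n -L
    ;;
  *)
    printf 'Usage: %s <start|stop|restart|status>\n' "$0" >&2
    exit 2
    ;;
esac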