  1. #!/bin/bash -e
  2. # chkconfig: 345 90 10
  3. # description: Starts and Stops Firewall for a NAT Router
  4. #
  5.  
  6. #Variablen
  7. LAN_INTERFACE="eth1"
  8. WAN_INTERFACE="ppp0"
  9. LAN_IP="192.168.100.254"
  10. LAN_RANGE="192.168.100.0/24"
  11. LAN_BCAST="192.168.100.255"
  12. MODEM_IP="192.168.200.1"
  13. IPTABLES="/sbin/iptables"
  14. iMODPROBE="/sbin/modprobe"
  15.  
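#######################################
# Install the firewall rule set.  All tables are first reset to an open
# state, then the filter table gets DROP policies with explicit exceptions
# for loopback, the LAN, outbound WAN traffic, reply traffic, and LAN->WAN
# forwarding with masquerading.
# Globals:  IPTABLES, LAN_INTERFACE, WAN_INTERFACE, LAN_RANGE, MODEM_IP (read)
# Reads:    /etc/resolv.conf ("nameserver" entries)
# Outputs:  progress message on stdout
# Returns:  0; a failing iptables call aborts the script because it runs in
#           errexit (-e) mode
# NOTE(review): only IPv4 is filtered; ip6tables is never touched by this
# script, so any IPv6 connectivity on the host stays unfiltered.
#######################################
start() {
  local dns
  echo -n $"Starting firewall ..."

  # Reset default policies to ACCEPT before flushing (the tables stay open
  # until the DROP policies below are set).
  "$IPTABLES" -P INPUT ACCEPT
  "$IPTABLES" -P FORWARD ACCEPT
  "$IPTABLES" -P OUTPUT ACCEPT
  "$IPTABLES" -t nat -P PREROUTING ACCEPT
  "$IPTABLES" -t nat -P POSTROUTING ACCEPT
  "$IPTABLES" -t nat -P OUTPUT ACCEPT
  "$IPTABLES" -t mangle -P PREROUTING ACCEPT
  "$IPTABLES" -t mangle -P OUTPUT ACCEPT

  # Flush all rules
  "$IPTABLES" -F
  "$IPTABLES" -t nat -F
  "$IPTABLES" -t mangle -F

  # Erase all non-default chains
  "$IPTABLES" -X
  "$IPTABLES" -t nat -X
  "$IPTABLES" -t mangle -X

  # Filter table: default-deny on all three chains; every rule below is an
  # explicit exception to that.
  "$IPTABLES" -P INPUT DROP
  "$IPTABLES" -P FORWARD DROP
  "$IPTABLES" -P OUTPUT DROP

  # Allow all on localhost interface "lo"
  "$IPTABLES" -A INPUT -p ALL -i lo -j ACCEPT
  "$IPTABLES" -A OUTPUT -p ALL -o lo -j ACCEPT

  # Allow from localnet.  Inbound requires both the LAN interface and a LAN
  # source address, so packets with a foreign source on that interface fall
  # through to the DROP policy.
  "$IPTABLES" -A INPUT -p ALL -i "$LAN_INTERFACE" -s "$LAN_RANGE" -j ACCEPT
  "$IPTABLES" -A OUTPUT -p ALL -o "$LAN_INTERFACE" -j ACCEPT

  # Output to internet
  "$IPTABLES" -A OUTPUT -p ALL -o "$WAN_INTERFACE" -j ACCEPT

  # Input from internet: the configured resolvers.
  # Only "nameserver" lines are used.  The previous "cut -d ' ' -f 2" on
  # every line also handed the values of "search"/"domain"/"options" lines
  # to iptables, which either failed (aborting the script under -e with the
  # DROP policies already in place and no rules loaded) or made iptables try
  # to resolve the value as a hostname.
  # NOTE(review): this rule accepts *all* traffic from the resolver
  # addresses, not just DNS replies; the ESTABLISHED,RELATED rule below
  # already lets replies to this host's own queries through, so the rule
  # could be restricted to port 53 or dropped.
  if [[ -r /etc/resolv.conf ]]; then
    while IFS= read -r dns; do
      [[ -n "$dns" ]] || continue
      "$IPTABLES" -A INPUT -i "$WAN_INTERFACE" -s "$dns" -j ACCEPT
    done < <(awk '$1 == "nameserver" { print $2 }' /etc/resolv.conf)
  fi

  # Accept replies to connections this host initiated
  "$IPTABLES" -A INPUT -p ALL -i "$WAN_INTERFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT

  # Routing: new connections only from the LAN (with a LAN source address)
  # toward the WAN, replies in both directions, masquerade behind the WAN
  # address.
  "$IPTABLES" -A FORWARD -o "$WAN_INTERFACE" -i "$LAN_INTERFACE" -s "$LAN_RANGE" -m conntrack --ctstate NEW -j ACCEPT
  "$IPTABLES" -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  "$IPTABLES" -t nat -A POSTROUTING -o "$WAN_INTERFACE" -j MASQUERADE

  # Drop the modem's (Fritzbox) chatter silently so it does not fill the log
  "$IPTABLES" -A INPUT -s "$MODEM_IP" -j DROP
  # Log everything else before the DROP policy discards it.
  # NOTE(review): there is no "-m limit" on this rule, so a flood of
  # unsolicited packets produces one log line each.
  "$IPTABLES" -A INPUT -j LOG --log-level 6 --log-prefix "FIREWALL:input"

  echo -n $"... done"
  # return rather than exit: the dispatcher at the end of the script exits 0
  # anyway, and a sourced or tested copy of this function must not kill the
  # calling shell.
  return 0
}
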
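#######################################
# Tear the firewall down: every policy back to ACCEPT, every rule flushed,
# every user-defined chain removed, in the filter, nat and mangle tables.
# NOTE(review): afterwards the host and all forwarded traffic are completely
# unfiltered (ACCEPT policies, no rules) until start() runs again.  The
# mangle INPUT/FORWARD/POSTROUTING policies are not reset; this script never
# sets them, so they keep whatever value they already have.
# Globals:  IPTABLES (read)
# Outputs:  progress message on stdout
# Returns:  0; a failing iptables call aborts the script because it runs in
#           errexit (-e) mode
#######################################
stop() {
  local chain
  echo -n $"Stoping firewall ..."

  # Reset default policies
  for chain in INPUT FORWARD OUTPUT; do
    "$IPTABLES" -P "$chain" ACCEPT
  done
  for chain in PREROUTING POSTROUTING OUTPUT; do
    "$IPTABLES" -t nat -P "$chain" ACCEPT
  done
  for chain in PREROUTING OUTPUT; do
    "$IPTABLES" -t mangle -P "$chain" ACCEPT
  done

  # Flush all rules
  "$IPTABLES" -F
  "$IPTABLES" -t nat -F
  "$IPTABLES" -t mangle -F

  # Erase all non-default chains
  "$IPTABLES" -X
  "$IPTABLES" -t nat -X
  "$IPTABLES" -t mangle -X

  echo -n $"... done"
  # return rather than exit: the dispatcher at the end of the script exits 0
  # anyway, and a sourced or tested copy of this function must not kill the
  # calling shell.
  return 0
}
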
#######################################
# Restart: run this script again as "stop" and then as "start".
# Each action is a separate child invocation of $0, so an exit inside
# stop()/start() ends only that child.  Because the script runs in -e mode,
# a failing stop step aborts before start is attempted.
# NOTE(review): start() already resets and flushes every table itself, so
# the stop step adds nothing but its message; between the two invocations
# all policies are ACCEPT with no rules loaded.
# Globals:  none
# Returns:  status of the last child invocation
#######################################
restart() {
  local action
  for action in stop start; do
    "$0" "$action"
  done
}

#######################################
# Print a short usage text to stdout.
# Returns:  exits the script with status 0
#######################################
help() {
  # Quoted delimiter: the text contains no expansions and is printed verbatim.
  cat <<'HELP'

This Script starts/stops an Iptables-Based Firewall

Usage: firewall {start|stop|restart|help}
Example: ./firewall restart

check the Firewall-Rules with
iptables --list

HELP
  exit 0
}

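# Dispatch on the first argument.  A missing or unknown action prints the
# usage line to stderr and exits 2 (LSB "invalid argument") instead of
# exiting 0, so a service manager or operator notices the mistake.
case "$1" in
  start) start ;;
  stop) stop ;;
  restart) restart ;;
  help) help ;;
  *)
    echo $"Usage : $0 {start|stop|restart|help}" >&2
    exit 2
    ;;
esac
exit 0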