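#!/bin/bash
# chkconfig: 345 90 10
# description: Starts and Stops Firewall for a NAT Router
#
# Abort on the first failing command. Set here instead of in the shebang so it
# also applies when the script is run as "bash firewall ..." (a shebang option
# is lost in that case).
set -e

# Configuration (site-specific; adjust to the local network layout).
readonly LAN_INTERFACE="eth1"
readonly WAN_INTERFACE="ppp0"
readonly LAN_IP="192.168.100.254"
readonly LAN_RANGE="192.168.100.0/24"
readonly LAN_BCAST="192.168.100.255"
readonly MODEM_IP="192.168.200.1"
readonly IPTABLES="/sbin/iptables"
# Kept for compatibility; not referenced anywhere in this script.
readonly iMODPROBE="/sbin/modprobe"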
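#######################################
# Put every table back into its empty, all-ACCEPT state: default policies
# reset, all rules flushed, all user-defined chains deleted. Shared by start()
# and stop(). After it returns nothing is filtered, so start() installs its
# rules right away.
# Globals:  IPTABLES (read)
# Returns:  0; a failing iptables call aborts the script under "set -e"
#######################################
reset_tables() {
  local table
  # Policies first, so the flush below cannot leave a DROP policy with no rules.
  "$IPTABLES" -P INPUT ACCEPT
  "$IPTABLES" -P FORWARD ACCEPT
  "$IPTABLES" -P OUTPUT ACCEPT
  "$IPTABLES" -t nat -P PREROUTING ACCEPT
  "$IPTABLES" -t nat -P POSTROUTING ACCEPT
  "$IPTABLES" -t nat -P OUTPUT ACCEPT
  "$IPTABLES" -t mangle -P PREROUTING ACCEPT
  "$IPTABLES" -t mangle -P OUTPUT ACCEPT
  # Flush all rules, then delete the (now empty) non-default chains, per table.
  for table in filter nat mangle; do
    "$IPTABLES" -t "$table" -F
    "$IPTABLES" -t "$table" -X
  done
}

#######################################
# Install the NAT-router rule set: deny-by-default filter policies, loopback
# and LAN allowed, WAN input limited to replies and nameserver answers, LAN
# traffic forwarded and masqueraded out of the WAN interface.
# Globals:  IPTABLES, LAN_INTERFACE, WAN_INTERFACE, LAN_RANGE, MODEM_IP (read)
#           RESOLV_CONF (read, optional) - resolver file the nameservers are
#           taken from; defaults to /etc/resolv.conf
# Outputs:  progress message on stdout
# Returns:  0 on success. Under "set -e" a failing iptables call aborts the
#           script with the DROP policies already in place (fail closed).
#######################################
start() {
  local resolv_conf="${RESOLV_CONF:-/etc/resolv.conf}"
  local dns
  printf 'Starting firewall ...'
  reset_tables

  # Filter table: deny by default. Policies are set before the rules so that
  # an aborted run fails closed rather than open.
  "$IPTABLES" -P INPUT DROP
  "$IPTABLES" -P FORWARD DROP
  "$IPTABLES" -P OUTPUT DROP

  # Loopback is unrestricted.
  "$IPTABLES" -A INPUT -p ALL -i lo -j ACCEPT
  "$IPTABLES" -A OUTPUT -p ALL -o lo -j ACCEPT

  # LAN: accept anything from the local range, answer freely.
  "$IPTABLES" -A INPUT -p ALL -i "$LAN_INTERFACE" -s "$LAN_RANGE" -j ACCEPT
  "$IPTABLES" -A OUTPUT -p ALL -o "$LAN_INTERFACE" -j ACCEPT

  # Outbound to the internet.
  "$IPTABLES" -A OUTPUT -p ALL -o "$WAN_INTERFACE" -j ACCEPT

  # Inbound from the internet, part 1: answers from the configured nameservers.
  # Only "nameserver" lines are used - "search", "domain" and "options" lines
  # would otherwise end up as bogus -s arguments and abort the script - and
  # only port 53 is accepted from those addresses, not all of their traffic.
  if [[ -r "$resolv_conf" ]]; then
    while IFS= read -r dns; do
      [[ -n "$dns" ]] || continue
      "$IPTABLES" -A INPUT -p udp -i "$WAN_INTERFACE" -s "$dns" --sport 53 -j ACCEPT
      "$IPTABLES" -A INPUT -p tcp -i "$WAN_INTERFACE" -s "$dns" --sport 53 -j ACCEPT
    done < <(awk '$1 == "nameserver" { print $2 }' "$resolv_conf")
  fi

  # Inbound from the internet, part 2: replies to connections we initiated.
  "$IPTABLES" -A INPUT -p ALL -i "$WAN_INTERFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT

  # Routing: new connections LAN -> WAN, replies in both directions, and the
  # LAN masqueraded behind the WAN address.
  # NOTE(review): net.ipv4.ip_forward is assumed to be enabled elsewhere.
  "$IPTABLES" -A FORWARD -o "$WAN_INTERFACE" -i "$LAN_INTERFACE" -s "$LAN_RANGE" -m conntrack --ctstate NEW -j ACCEPT
  "$IPTABLES" -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  "$IPTABLES" -t nat -A POSTROUTING -s "$LAN_RANGE" -o "$WAN_INTERFACE" -j MASQUERADE

  # Drop the modem's (FRITZ!Box) chatter silently so it does not fill the log.
  "$IPTABLES" -A INPUT -s "$MODEM_IP" -j DROP
  # Log everything else before the DROP policy takes it; rate-limited so a
  # flood from the WAN cannot fill the disk with log lines.
  "$IPTABLES" -A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-level 6 --log-prefix "FIREWALL:input"

  printf '... done\n'
  return 0
}

#######################################
# Tear the firewall down: every table flushed, all policies ACCEPT.
# NOTE: after stop() the host and the LAN behind it are completely unfiltered
# and no NAT is performed; use only when that is intended.
# Globals:  IPTABLES (read)
# Outputs:  progress message on stdout
# Returns:  0
#######################################
stop() {
  printf 'Stopping firewall ...'
  reset_tables
  printf '... done\n'
  return 0
}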
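#######################################
# Restart: run "stop" and then "start" as fresh invocations of this script, so
# each phase runs in its own process. $0 is quoted so an install path with
# spaces still works.
# Globals:  none (re-executes $0)
# Returns:  status of the "start" invocation; because the script runs with
#           "set -e", a failing "stop" aborts before "start" is attempted
#######################################
restart() {
  "$0" stop
  "$0" start
}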
#######################################
# Print the short usage text to stdout and exit 0.
# Outputs:  five lines of help text
#######################################
help() {
  printf '%s\n' \
    'This Script starts/stops an Iptables-Based Firewall' \
    'Usage: firewall {start|stop|restart|help}' \
    'Example: ./firewall restart' \
    'check the Firewall-Rules with' \
    'iptables --list'
  exit 0
}
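#######################################
# Entry point: dispatch on the first argument.
# Arguments: $1 - one of start|stop|restart|help
# Outputs:   usage line on stderr for a missing or unknown argument
# Returns:   exits 0 after a known action; exits 2 (the LSB status for an
#            invalid argument) on a missing or unknown one, instead of the
#            silent 0 that init tooling would read as success
#######################################
main() {
  case "${1:-}" in
    start)   start ;;
    stop)    stop ;;
    restart) restart ;;
    help)    help ;;
    *)
      printf 'Usage : %s {start|stop|restart|help}\n' "$0" >&2
      exit 2
      ;;
  esac
  exit 0
}
main "$@"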