iptable script

#!/bin/bash
### BEGIN INIT INFO
# Provides:       rc.firewall
# Required-Start: $syslog
# Required-Stop:  $syslog
# Default-Start:  2 3 4 5
# Default-Stop:   0 1 6
### END INIT INFO
#::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
# [---::NOM - VERSION - DATE::---]
# rc.firewall.sh - 0.2 - 25/09/2012
# JoShua Sign_

# [---::DESCRIPTIF::---]
# Script de configuration automatique de firewall
# Ce script est destine à mettre en place un firewall de base

# [---::PARAMETRES::---]
# Ce script prend en parametres :
# start
# stop
# restart
# status
#

# [---::RETOUR::---]
# Ce script ne renvoit aucune valeur
#

# [---::AMELIORATIONS::---]
# plein ^^


# PARAMETTRES :
#
# Nom des cartes :
# Laisser vide si une carte n'est pas utilisee
#
# Cote LAN:
LAN=eth1
#
# Cote WAN:
WAN=eth0


#
# - Ouverture des ports
#
# Specifiez le port à ouvrir (tcp par defaut)
# Facultativement vous pouvez specifier un protocole :
# par exemple : 80 ou 53/tcp ou 53/udp
#
LAN_PORTS='22 443 80 3306 123/udp 137/udp 138/udp 139 445 8022 10000'
WAN_PORTS='22 123/udp 4000'

#
# La redirection des ports WAN
#
# Un connection entrant du WAN sur le port 6060 peut en fait etre
# rediriger vers le LAN sur le poste 192.168.0.10 port 80
# On defini donc : WAN_PORT/LAN_PC:LOCAL_PORT
LAN_REDIRECT='8022/172.16.254.3:22'
#WAN_REDIRECT='20/129.10.0.6:20 21/129.10.0.6:21 80/129.10.0.6:80 443/129.10.0.9:443 25/129.10.0.9:25 993/129.10.0.9:993 90/129.10.0.6:90 100/129.10.1.1:80'
WAN_REDIRECT='4000/10.0.0.35:22'

# Nating spécifique :
#NATING_LAN2WAN='10.0.0.30#172.16.254.0/24 10.0.0.20#172.16.254.0/24 10.0.0.10#172.16.254.0/24 10.0.0.22#172.16.254.0/24'
#NATING_WAN2LAN='172.16.254.0/24#10.0.0.30 172.16.254.0/24#10.0.0.20 172.16.254.0/24#10.0.0.10 172.16.254.0/24#10.0.0.22'
NATING_LAN2WAN='10.0.0.0/23#172.16.254.0/24'
NATING_WAN2LAN='172.16.254.0/24#10.0.0.0/23'

#
# Sous reseaux locaux auquels il faut repondre
#
# Indiquer sous la forme suivante
#ROUTES="192.168.1.0/255.255.255.0/129.10.0.254 129.10.0.0/255.255.0.0/192.168.1.254"
#           reseau/masque/routeur
# ainsi le forwarding est active entre le reseau local et les autres sous-reseaux
# les routes sont crees vers les bon routeurs
#ROUTES="192.168.1.0/255.255.255.0/129.10.200.254 192.168.2.0/255.255.255.0/129.10.200.254"

# Activation du forwarding (si il y a des route c'est implicite)
FORWARDING="1"

#
# Activation du masquerading pour utiliser comme passerelle
# attention le FROWARDING est du coup automatiquement active
#
#LAN_MASQUERADE="1"

#
# 1 = Activer les regles pour proxy transparent
# 0 = Pas de proxy Tansparent
#
#
#PROXY_HTTP="1"

#
# Precisez le port du proxy
#
# PROXY_PORT="8080"

#
# DNS Serveurs
#
#OPEN_DNS="194.2.0.20 194.2.0.50"

#
# Reponse au ping depuis le LAN oui / non
#
ICMP_RESPONSE_CARDS="$LAN $WAN"

#
# Conserver les connexions existantes
#
KEEP_ACTIVES_CONN="1"

#
# ====================
#  FIN DES PARAMETRES
# ====================
GRIS="\033[40m\033[1;30m"
ROUG="\033[40m\033[1;31m"
VERT="\033[40m\033[1;32m"
JAUN="\033[40m\033[1;33m"
BLEU="\033[40m\033[1;34m"
FUSH="\033[40m\033[1;35m"
CIAN="\033[40m\033[1;36m"
BLAN="\033[40m\033[1;37m"
FIN="\033[0m"


## Liste des interface disponibles, sans la boucle locale:
all_interfaces=$(ip a | grep -E "^[0-9]" | cut -d: -f2 | tr -d ' ' | grep -v "^lo$")
for interface in $all_interfaces
do
        ifconf=$(ifconfig $interface | grep -i -E "inet ad+r:")

        if [ "$ifconf" != "" ]; then

        address=$(ifconfig $interface | grep -i -E "inet ad+r:" | cut -d: -f2 | cut -d" " -f1)
        broadcast=$(ifconfig $interface | grep -i -E "inet ad+r:" | cut -d: -f3 | cut -d" " -f1)
        netmask=$(ifconfig $interface | grep -i -E "inet ad+r:" | cut -d: -f4 | cut -d" " -f1)
        gateway=$(netstat -rn | grep $interface | grep UG | awk '{print $2}')
        network=$(netstat -rn | grep $interface | grep -F "$netmask" | awk '{print $1}')

                if [ "$interface" == "$LAN" ]; then
                        LAN=$interface
                        LAN_ADDRESS=$address
                        LAN_NETMASK=$netmask
                        LAN_GATEWAY=$gateway
                        LAN_NETWORK=$network
                        LAN_BRDCAST=$broadcast
                elif [ "$interface" == "$WAN" ]; then
                        WAN=$interface
                        WAN_ADDRESS=$address
                        WAN_NETMASK=$netmask
                        WAN_GATEWAY=$gateway
                        WAN_NETWORK=$network
                        WAN_BRDCAST=$broadcast
                fi
        fi
done


bandeau_start()
{
echo ""
echo -e " $BLEU-------------------------------------------$FIN "
echo -e " $VERT------->  Firewall script by JoSh_ <-------$FIN "
echo -e " $BLEU-------------------------------------------$FIN "
echo ""
}

init_variables()
{
  # Creation des variables locales !
  echo -e "\033[40m\033[1;33m -> Variables :$FIN"

  if [ "$LAN" != "" ]
  then
    echo "  - Carte LAN        : $LAN"
    echo "          IP         : $LAN_ADDRESS"
    echo "          Masque     : $LAN_NETMASK"
    echo "          Reseau     : $LAN_NETWORK"
    echo "          Broadcast  : $LAN_BRDCAST"
    echo "          Passerelle : $LAN_GATEWAY"
  fi

  if [ "$WAN" != "" ]
  then
    echo " "
    echo "  - Carte WAN        : $WAN"
    echo "          IP         : $WAN_ADDRESS"
    echo "          NetMask    : $WAN_NETMASK"
    echo "          Reseau     : $WAN_NETWORK"
    echo "          Broadcast  : $WAN_BRDCAST"
    echo "          Passerelle : $WAN_GATEWAY"
  fi
echo " "
}

init_modules()
{
modprobe=/sbin/modprobe
modules_liste="ipt_state ipt_LOG ip_conntrack ip_conntrack_ftp ip_nat_ftp"
for module in $modules_liste
do
  $modprobe $module || echo -e "$ROUGE -> Impossible de charger le module : $FIN $JAUN$module$FIN"
done
}

init_rules()
{
if [ "$1" == "ACCEPT" ]
then
COLOR=$VERT
else
COLOR=$ROUG
fi
echo -e "$JAUN -> Init des regles par default : $FIN $COLOR$1$FIN"
iptables -F INPUT
iptables -F FORWARD
iptables -F OUTPUT
iptables -t filter -F
iptables -t filter -X
iptables -t filter -P INPUT   $1
iptables -t filter -P FORWARD ACCEPT
iptables -t filter -P OUTPUT  ACCEPT
iptables -t nat -F
iptables -t nat -X
iptables -t nat -P PREROUTING  ACCEPT
iptables -t nat -P OUTPUT      ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t mangle -F
iptables -t mangle -X
iptables -t mangle -P PREROUTING  ACCEPT
iptables -t mangle -P INPUT       ACCEPT
iptables -t mangle -P FORWARD     ACCEPT
iptables -t mangle -P OUTPUT      ACCEPT
iptables -t mangle -P POSTROUTING ACCEPT
echo -e "$JAUN -> Boucle Locale lo :$FIN$VERT ACCEPT$FIN"
iptables -A INPUT  -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A FORWARD -i lo -j ACCEPT
iptables -A FORWARD -o lo -j ACCEPT
# permet de substituer SPARE par BDDAPP (si spare HS il faut activer cela, ça evite de changer tous les tableaux requeteurs)
iptables -A PREROUTING  -t nat -p tcp -i $LAN -s 0.0.0.0/0 -d 172.16.254.5 --dport 3306 -j DNAT --to 172.16.254.4
}

open_ports()
{
if [ "$LAN" != "" ]; then
echo -n -e "$JAUN -> Ouverture des ports pour : $FIN$ROUG $LAN$FIN  :"
#
# OUVERTURE DES PORTS POUR LE LAN
    for portproto in $LAN_PORTS
    do
      port=`echo "$portproto" | cut -d "/" -f1`
      proto=`echo "$portproto" | cut -d "/" -f2 -s`
        if [ "$proto" = "" ]
        then
          proto="tcp"
        fi
      echo -n -e "$BLEU $port/$proto$FIN"
      iptables -A INPUT  -i $LAN -p $proto --dport $port -j ACCEPT
      iptables -A OUTPUT -o $LAN -p $proto --sport $port -j ACCEPT
    done
  echo ""
fi

if [ "$WAN" != "" ]; then
echo -n -e "$JAUN -> Ouverture des ports pour : $FIN$ROUG $WAN$FIN  :"
  for portproto in $WAN_PORTS
  do
    port=`echo "$portproto" | cut -d "/" -f1`
    proto=`echo "$portproto" | cut -d "/" -f2 -s`
      if [ "$proto" = "" ]
      then
        proto="tcp"
      fi
    echo -n -e "$BLEU $port/$proto$FIN"
    iptables -A INPUT  -i $WAN -p $proto --dport $port -j ACCEPT
    iptables -A OUTPUT -o $WAN -p $proto --sport $port -j ACCEPT
  done
echo ""
fi
}

fw_main()
{

#
# DNS Communication
#
if [ "$OPEN_DNS" != "" -a "$WAN" != "" ]
then
  for srvdns in $OPEN_DNS
  do
    echo -e "$JAUN -> Activation du DNS sur WAN : $FIN$VERT$srvdns $FIN"
    iptables -A INPUT  -i $WAN -p udp -s $srvdns --sport 53 -j ACCEPT
    iptables -A OUTPUT -o $WAN -p udp -d $srvdns --dport 53 -j ACCEPT
  done
fi

if [ "$ROUTES" != "" ]
then
  echo -e "$JAUN -> Activation du routage $FIN"
  for reseaux in $ROUTES
  do
    rezo=`echo "$reseaux" | cut -d "/" -f1`
    mask=`echo "$reseaux" | cut -d "/" -f2`
    gw=`echo "$reseaux" | cut -d "/" -f3 -s`
    echo -e "    $VERT $LAN_NETWORK/$LAN_NETMASK $FIN$BLEU<- $gw  ->$FIN$FUSH $rezo/$mask $FIN"
    route add -net $rezo netmask $mask gw $gw
  done
FORWARDING="1"
fi

# ACTIVATION DU PROXY TRENSPARENT POUR LES LANS
if [ "$FORWARDING" = "1" ]
then
	echo -e "$JAUN -> Activation du forwarding $FIN"
	echo "1" > /proc/sys/net/ipv4/ip_forward
	echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
fi

#
# ACTIVATION DU PROXY TRENSPARENT POUR LES LANS
if [ "$PROXY_HTTP" = "1" ]
then
  echo -n -e "\033[40m\033[1;33m -> Activation du Poxy HTTP Transparent sur $FIN$BLEU$LAN_ADDRESS:$PROXY_PORT$FIN$JAUNE pour $FIN$VERT$rezo/$mask $FIN"
  iptables -t nat -A PREROUTING -i $LAN -p tcp -d! $LAN_ADDRESS --dport 80  -j REDIRECT --to-port $PROXY_PORT
  echo ""
fi


#
# MASQUERADING POUR LES LANS
if [ "$LAN_MASQUERADE" = "1" ]
then
  echo -n -e "\033[40m\033[1;33m -> Activation du MASQUERADE pour$FIN$VERT $WAN:$WAN_ADDRESS $FIN"
# Si ip Publique non statique
#      iptables -t nat -A POSTROUTING -o $WAN -s $rezo/$mask -j MASQUERADE
# Sinon si Ip publique statique plus performant:
  iptables -t nat -A POSTROUTING -o $WAN -j SNAT --to-source $WAN_ADDRESS
  echo ""
fi


#
# CONSERVATION DES CONNECTIONS ACTIVES
# pratique pour maintenance en cours
if [ "$KEEP_ACTIVES_CONN" = "1" ]
then
  echo -e "$JAUN -> Conservation des connection Actives...$FIN"
  iptables -A INPUT   -m state --state ESTABLISHED -j ACCEPT
  iptables -A OUTPUT  -m state --state ESTABLISHED -j ACCEPT
  iptables -A FORWARD -m state --state ESTABLISHED -j ACCEPT
fi


#
# Redirection de ports
#
if [ "$WAN_REDIRECT" != "" ]
then
echo -e  "$JAUN -> Redirection des ports sur :$FIN $ROUG $WAN $FIN"
  for redir in $WAN_REDIRECT
  do
  src=`echo "$redir" | cut -d "/" -f1`
  dest=`echo "$redir" | cut -d "/" -f2 -s`
  echo -e "               $ROUG $WAN_ADDRESS:$src $FIN $BLEU vers $FIN $VERT $dest $FIN"
  iptables -A PREROUTING  -t nat -p tcp -i $WAN -s 0.0.0.0/0 -d $WAN_ADDRESS --dport $src -j DNAT --to $dest
  done
fi

if [ "$LAN_REDIRECT" != "" ]
then
echo -e  "$JAUN -> Redirection des ports :$FIN $VERT $LAN $FIN"
  for redir in $LAN_REDIRECT
  do
  src=`echo "$redir" | cut -d "/" -f1`
  dest=`echo "$redir" | cut -d "/" -f2 -s`
  echo -e "               $ROUG $LAN_ADDRESS:$src $FIN $BLEU vers $FIN $VERT $dest $FIN"
  iptables -A PREROUTING  -t nat -p tcp -i $LAN -s 0.0.0.0/0 -d $LAN_ADDRESS --dport $src -j DNAT --to $dest
  done
fi

# Nating du LAN vers le WAN
# NATING_LAN2WAN=10.0.0.30#172.16.254.0/24
# NATING_WAN2LAN=172.16.254.0/24#10.0.0.30
# TODO ajouter la prise en charge du port spécifique
if [ "$NATING_LAN2WAN" != "" ]
then
echo -e  "$JAUN -> Nating sur la pate : $FIN $ROUG $WAN $FIN"
  for redir in $NATING_LAN2WAN
  do
  src=`echo "$redir" | cut -d "#" -f1`
  dest=`echo "$redir" | cut -d "#" -f2 -s`
  echo -e "               $ROUG ($WAN_ADDRESS)$src $FIN $BLEU --> $FIN $VERT $dest $FIN"
  iptables -t nat -A POSTROUTING -o $WAN -s $src -d $dest -j SNAT --to-source $WAN_ADDRESS
  done
fi
# Nating du WAN vers le LAN
if [ "$NATING_WAN2LAN" != "" ]
then
echo -e  "$JAUN -> Nating sur la pate : $FIN $VERT $LAN $FIN"
  for redir in $NATING_WAN2LAN
  do
  src=`echo "$redir" | cut -d "#" -f1`
  dest=`echo "$redir" | cut -d "#" -f2 -s`
  echo -e "               $ROUG ($LAN_ADDRESS)$src $FIN $BLEU --> $FIN $VERT $dest $FIN"
  iptables -t nat -A POSTROUTING -o $LAN -s $src -d $dest -j SNAT --to-source $LAN_ADDRESS
  done
fi


if [ "$ICMP_RESPONSE_CARDS" != "" ]
then
  echo -n -e "$JAUN -> Reponse au ping sur : $FIN"
  for carte in $ICMP_RESPONSE_CARDS
  do
    echo -e -n "$BLEU $carte $FIN"
    for type in 0 8 11
    do
    iptables -A INPUT  -i $carte -p ICMP --icmp-type $type -j ACCEPT
    iptables -A OUTPUT -o $carte -p ICMP --icmp-type $type -j ACCEPT
    done
  done
  echo ""
fi


iptables -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -j ACCEPT

}

kernel_tweaks()
{
echo -e "$JAUN -> Set kernel networking tweaks $FIN"
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
echo "0" > /proc/sys/net/ipv4/tcp_timestamps
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo "8192" > /proc/sys/net/ipv4/ip_conntrack_max
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
echo "30" > /proc/sys/net/ipv4/tcp_fin_timeout
echo "2400" > /proc/sys/net/ipv4/tcp_keepalive_time
echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
echo "0" > /proc/sys/kernel/printk

if [ -e /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses ]; then
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
fi

if [ -e /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts ]; then
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
fi

}

dos_protect()
{
echo -e "$JAUN -> Enabling reduction of the DoS'ing ability $FIN"
echo "10" > /proc/sys/net/ipv4/tcp_fin_timeout
echo "1800" > /proc/sys/net/ipv4/tcp_keepalive_time
echo "0" > /proc/sys/net/ipv4/tcp_window_scaling
echo "0" > /proc/sys/net/ipv4/tcp_sack
echo "64" > /proc/sys/net/ipv4/ip_default_ttl
#echo "2048" > /proc/sys/net/ipv4/ip_queue_maxlen

if [ -e /proc/sys/net/ipv4/tcp_ecn ]; then
echo -e "$JAUN -> Enabling ECN (Explicit Congestion Notification) $FIN"
echo "0" > /proc/sys/net/ipv4/tcp_ecn
fi


}

if [ -e /proc/sys/net/ipv4/ip_masq_udp_dloose ]; then
#  if [ "$LOOSE_UDP_PATCH" == "1" ]; then
#    echo -e "$JAUN -> Enabling the LOOSE_UDP_PATCH (for some games, less secure!) $FIN"
#    echo "1" > /proc/sys/net/ipv4/ip_masq_udp_dloose
#  else
    echo -e "$JAUN -> Disabling the LOOSE_UDP_PATCH (more secure) $FIN"
    echo "0" > /proc/sys/net/ipv4/ip_masq_udp_dloose
#  fi
fi

#if [ -e /proc/sys/net/ipv4/ip_local_port_range ]; then
#echo "32768 61000" > /proc/sys/net/ipv4/ip_local_port_range
#fi


#echo "0" > /proc/sys/net/ipv4/conf/eth0/accept_source_route
#echo "0" > /proc/sys/net/ipv4/conf/eth0/send_redirects
#echo "1" > /proc/sys/net/ipv4/conf/eth0/rp_filter
#echo "0" > /proc/sys/net/ipv4/tcp_window_scaling
#echo "0" > /proc/sys/net/ipv4/tcp_sack


route_remover()
{
      echo -e "$JAUN -> Destruction des routes : $FIN "
      for reseaux in $ROUTES
      do
        rezo=`echo "$reseaux" | cut -d "/" -f1`
        mask=`echo "$reseaux" | cut -d "/" -f2`
        gw=`echo "$reseaux" | cut -d "/" -f3 -s`
        echo -e "    $ROUG $rezo/$mask : $gw $FIN"
        route del -net $rezo netmask $mask gw $gw
      done
}

bandeau_fin()
{
echo ""
echo -e " \033[40m\033[1;34m---------------------------------------\033[0m "
echo -e " \033[40m\033[1;32m--------->  Firewall $1   <---------\033[0m "
echo -e " \033[40m\033[1;34m---------------------------------------\033[0m "
echo ""
}

case "$1" in

    start)
    bandeau_start
    init_variables
    init_modules
    init_rules DROP
    open_ports
    fw_main
    iptables -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    bandeau_fin $1
    ;;

    stop)
    bandeau_start
    init_variables
    init_rules ACCEPT
    route_remover
    bandeau_fin $1
    ;;

    restart)
    sh $0 stop
    sleep 1
    sh $0 start
    ;;

    status)
    STATUS=""
    i=0
    COUL[1]=$FUSH
    COUL[2]=$JAUN
    COUL[3]=$VERT
    clear
    init_variables
    sleep 3
    for table in nat filter mangle
    do
    i=$(( $i + 1 ))
    ST1=`echo "\r\n $BLAN==========================================================================================================$FIN \r\n                      $BLAN=============>$FIN  $ROUG  Table $i : $table   $FIN $BLAN<=============$FIN \r\n "`
    ST2=`iptables -L -n -v -t $table`
    STATUS=`echo "$STATUS \r\n $ST1 \n\r ${COUL[$i]} $ST2 $FIN"`
    done
    echo -e "$STATUS" | more
    echo -e "\r\n $BLAN==========================================================================================================$FIN \r\n"
    ;;

    *)
    bandeau_start
    init_variables
    echo "
    Usage :		$0 {start|stop|restart|status}

    Si les variables affichees ci dessus sont correcte vous pouvez lancer votre firewall.
    Faites vi $0 pour editer la configuration.
    "
    ;;
esac