#!/bin/bash
### BEGIN INIT INFO
# Provides: rc.firewall
# Required-Start: $syslog
# Required-Stop: $syslog
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
### END INIT INFO
#::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
# rc.firewall.sh - 0.2 - 25/09/2012
# JoShua Sign_
#
# Automatic firewall configuration script: installs a basic iptables
# firewall (default INPUT policy DROP, explicit port openings, DNAT port
# forwards, SNAT between the LAN and WAN sides).
#
# Arguments: start | stop | restart | status
# Returns:   nothing (no meaningful exit status)
#
# ---------------------------------------------------------------------
# PARAMETERS
# ---------------------------------------------------------------------
#
# Interface names. Leave an entry empty when that interface is not used.
#
# LAN side:
LAN=eth1
#
# WAN side:
WAN=eth0
#
# Ports to open on each interface. Each entry is "port" (tcp by default)
# or "port/proto", e.g. 80, 53/tcp or 53/udp.
LAN_PORTS='22 443 80 3306 123/udp 137/udp 138/udp 139 445 8022 10000'
WAN_PORTS='22 123/udp 4000'
#
# Port forwarding (DNAT). Each entry is WAN_PORT/LAN_PC:LOCAL_PORT: a
# connection arriving on that port of the interface's own address is
# forwarded to the given host:port (e.g. WAN port 6060 -> 192.168.0.10:80).
LAN_REDIRECT='8022/172.16.254.3:22'
#WAN_REDIRECT='20/129.10.0.6:20 21/129.10.0.6:21 80/129.10.0.6:80 443/129.10.0.9:443 25/129.10.0.9:25 993/129.10.0.9:993 90/129.10.0.6:90 100/129.10.1.1:80'
WAN_REDIRECT='4000/10.0.0.35:22'
#
# Specific source NAT (SNAT). Each entry is SOURCE#DESTINATION: traffic
# from SOURCE to DESTINATION leaving the interface is rewritten to the
# interface's own address.
#NATING_LAN2WAN='10.0.0.30#172.16.254.0/24 10.0.0.20#172.16.254.0/24 10.0.0.10#172.16.254.0/24 10.0.0.22#172.16.254.0/24'
#NATING_WAN2LAN='172.16.254.0/24#10.0.0.30 172.16.254.0/24#10.0.0.20 172.16.254.0/24#10.0.0.10 172.16.254.0/24#10.0.0.22'
NATING_LAN2WAN='10.0.0.0/23#172.16.254.0/24'
NATING_WAN2LAN='172.16.254.0/24#10.0.0.0/23'
#
# Local subnets to answer, as network/netmask/router entries. When set,
# a route is created toward each router and forwarding is switched on
# between the local network and those subnets.
#ROUTES="192.168.1.0/255.255.255.0/129.10.0.254 129.10.0.0/255.255.0.0/192.168.1.254"
#ROUTES="192.168.1.0/255.255.255.0/129.10.200.254 192.168.2.0/255.255.255.0/129.10.200.254"
#
# IP forwarding (implied when ROUTES is set).
FORWARDING=1
#
# Masquerading, to use this host as a gateway (forwarding is then
# switched on implicitly).
#LAN_MASQUERADE="1"
#
# 1 = transparent HTTP proxy rules, 0 = no transparent proxy.
#PROXY_HTTP="1"
#
# Proxy port.
# PROXY_PORT="8080"
#
# DNS servers allowed through the WAN interface.
#OPEN_DNS="194.2.0.20 194.2.0.50"
#
# Interfaces that answer ping (space separated list).
ICMP_RESPONSE_CARDS="$LAN $WAN"
#
# Keep currently established connections (1 = yes).
KEEP_ACTIVES_CONN=1
#
# ---------------------------------------------------------------------
# END OF PARAMETERS
# ---------------------------------------------------------------------
# ANSI colour prefixes for the progress messages. They are stored as the
# literal "\033..." text and turned into escape bytes by "echo -e" at
# print time; FIN resets the attributes.
GRIS='\033[40m\033[1;30m'
ROUG='\033[40m\033[1;31m'
VERT='\033[40m\033[1;32m'
JAUN='\033[40m\033[1;33m'
BLEU='\033[40m\033[1;34m'
FUSH='\033[40m\033[1;35m'
CIAN='\033[40m\033[1;36m'
BLAN='\033[40m\033[1;37m'
FIN='\033[0m'
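## Interface discovery: for the configured LAN and WAN names, read the
## address, broadcast, netmask, gateway and network of that interface
## into the LAN_* / WAN_* variables. Loopback is skipped.
## NOTE(review): parsing relies on the "inet addr:" layout of old
## net-tools ifconfig; newer releases print "inet 10.0.0.1  netmask ..."
## and every field stays empty here — confirm on the target system.
all_interfaces=$(ip a | grep -E "^[0-9]" | cut -d: -f2 | tr -d ' ' | grep -v "^lo$")
for interface in $all_interfaces
do
  # Run ifconfig once and parse its single "inet addr:" line (the
  # original ran it four times per interface).
  ifconf=$(ifconfig "$interface" | grep -i -E "inet ad+r:")
  if [ -n "$ifconf" ]; then
    address=$(printf '%s\n' "$ifconf" | cut -d: -f2 | cut -d" " -f1)
    broadcast=$(printf '%s\n' "$ifconf" | cut -d: -f3 | cut -d" " -f1)
    netmask=$(printf '%s\n' "$ifconf" | cut -d: -f4 | cut -d" " -f1)
    # Match the Iface column (8th) exactly: a plain "grep eth1" also hit
    # eth10 and any route whose address happened to contain the name.
    gateway=$(netstat -rn | awk -v i="$interface" '$8 == i && $4 ~ /UG/ {print $2}')
    network=$(netstat -rn | awk -v i="$interface" -v m="$netmask" '$8 == i && $3 == m {print $1}')
    if [ "$interface" = "$LAN" ]; then
      LAN_ADDRESS=$address
      LAN_NETMASK=$netmask
      LAN_GATEWAY=$gateway
      LAN_NETWORK=$network
      LAN_BRDCAST=$broadcast
    elif [ "$interface" = "$WAN" ]; then
      WAN_ADDRESS=$address
      WAN_NETMASK=$netmask
      WAN_GATEWAY=$gateway
      WAN_NETWORK=$network
      WAN_BRDCAST=$broadcast
    fi
  fi
done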
#######################################
# Print the coloured start banner.
# Globals:   BLEU, VERT, FIN (read)
# Outputs:   five lines to stdout (blank, rule, title, rule, blank)
#######################################
bandeau_start()
{
  local rule=" $BLEU-------------------------------------------$FIN "
  echo ""
  echo -e "$rule"
  echo -e " $VERT-------> Firewall script by JoSh_ <-------$FIN "
  echo -e "$rule"
  echo ""
}
#######################################
# Display the interface values gathered at startup, one block per
# configured interface, so the operator can check them before starting.
# Globals:   LAN, LAN_ADDRESS, LAN_NETMASK, LAN_NETWORK, LAN_BRDCAST,
#            LAN_GATEWAY, WAN, WAN_ADDRESS, WAN_NETMASK, WAN_NETWORK,
#            WAN_BRDCAST, WAN_GATEWAY, FIN (read)
# Outputs:   report to stdout
#######################################
init_variables()
{
  echo -e "\033[40m\033[1;33m -> Variables :$FIN"
  if [ -n "$LAN" ]; then
    printf ' - Carte LAN : %s\n IP : %s\n Masque : %s\n Reseau : %s\n Broadcast : %s\n Passerelle : %s\n' \
      "$LAN" "$LAN_ADDRESS" "$LAN_NETMASK" "$LAN_NETWORK" "$LAN_BRDCAST" "$LAN_GATEWAY"
  fi
  if [ -n "$WAN" ]; then
    printf ' \n - Carte WAN : %s\n IP : %s\n NetMask : %s\n Reseau : %s\n Broadcast : %s\n Passerelle : %s\n' \
      "$WAN" "$WAN_ADDRESS" "$WAN_NETMASK" "$WAN_NETWORK" "$WAN_BRDCAST" "$WAN_GATEWAY"
  fi
  printf ' \n'
}
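#######################################
# Load the netfilter kernel modules the rules depend on. A module that
# cannot be loaded is reported but does not stop the script.
# Globals:   MODPROBE (read, optional: path of the modprobe binary,
#            defaults to /sbin/modprobe), ROUG, JAUN, FIN (read)
# Outputs:   one error line per module that failed to load
#######################################
init_modules()
{
  local modprobe=${MODPROBE:-/sbin/modprobe}
  # Legacy module names (ipt_*, ip_conntrack*); on recent kernels they
  # may be aliases or absent — a failure here is reported, not fatal.
  local modules_liste="ipt_state ipt_LOG ip_conntrack ip_conntrack_ftp ip_nat_ftp"
  local module
  for module in $modules_liste
  do
    # The original referenced $ROUGE, which is never defined; ROUG is
    # the red prefix, so the message now actually shows in red.
    "$modprobe" "$module" || echo -e "$ROUG -> Impossible de charger le module : $FIN $JAUN$module$FIN"
  done
}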
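#######################################
# Reset every table and install the base policy.
# Arguments: $1 - policy for the filter INPUT chain (ACCEPT or DROP);
#            an empty argument now falls back to DROP instead of
#            running iptables with a missing policy.
# Globals:   LAN, VERT, ROUG, JAUN, FIN (read)
# Outputs:   progress lines to stdout
# NOTE(review): the FORWARD and OUTPUT policies stay ACCEPT whatever $1
# is, and the site-specific DNAT at the end is reinstalled on "stop" as
# well (init_rules ACCEPT is the stop path) — confirm both are wanted.
#######################################
init_rules()
{
  local policy=${1:-DROP}
  local color
  if [ "$policy" = "ACCEPT" ]; then
    color=$VERT
  else
    color=$ROUG
  fi
  echo -e "$JAUN -> Init des regles par default : $FIN $color$policy$FIN"
  iptables -F INPUT
  iptables -F FORWARD
  iptables -F OUTPUT
  iptables -t filter -F
  iptables -t filter -X
  iptables -t filter -P INPUT "$policy"
  iptables -t filter -P FORWARD ACCEPT
  iptables -t filter -P OUTPUT ACCEPT
  iptables -t nat -F
  iptables -t nat -X
  iptables -t nat -P PREROUTING ACCEPT
  iptables -t nat -P OUTPUT ACCEPT
  iptables -t nat -P POSTROUTING ACCEPT
  iptables -t mangle -F
  iptables -t mangle -X
  iptables -t mangle -P PREROUTING ACCEPT
  iptables -t mangle -P INPUT ACCEPT
  iptables -t mangle -P FORWARD ACCEPT
  iptables -t mangle -P OUTPUT ACCEPT
  iptables -t mangle -P POSTROUTING ACCEPT
  echo -e "$JAUN -> Boucle Locale lo :$FIN$VERT ACCEPT$FIN"
  iptables -A INPUT -i lo -j ACCEPT
  iptables -A OUTPUT -o lo -j ACCEPT
  iptables -A FORWARD -i lo -j ACCEPT
  iptables -A FORWARD -o lo -j ACCEPT
  # Substitute SPARE (172.16.254.5) with BDDAPP (172.16.254.4) for MySQL:
  # enable when the spare host is down, so the querying dashboards need
  # no reconfiguration. Skipped when no LAN interface is configured
  # ("-i" with an empty name made iptables reject the rule).
  if [ -n "$LAN" ]; then
    iptables -A PREROUTING -t nat -p tcp -i "$LAN" -s 0.0.0.0/0 -d 172.16.254.5 --dport 3306 -j DNAT --to 172.16.254.4
  fi
}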
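#######################################
# Accept the listed ports on one interface: inbound to the port and the
# matching outbound replies from it.
# Arguments: $1 - interface name
#            $2 - space separated list of "port" or "port/proto" entries
#                 (proto defaults to tcp)
# Globals:   JAUN, ROUG, BLEU, FIN (read)
# Outputs:   one progress line to stdout
#######################################
_open_ports_on()
{
  local iface=$1 ports=$2
  local portproto port proto
  echo -n -e "$JAUN -> Ouverture des ports pour : $FIN$ROUG $iface$FIN :"
  for portproto in $ports
  do
    port=$(printf '%s\n' "$portproto" | cut -d "/" -f1)
    # "-s" makes cut print nothing when there is no "/", hence the default.
    proto=$(printf '%s\n' "$portproto" | cut -d "/" -f2 -s)
    proto=${proto:-tcp}
    echo -n -e "$BLEU $port/$proto$FIN"
    iptables -A INPUT -i "$iface" -p "$proto" --dport "$port" -j ACCEPT
    iptables -A OUTPUT -o "$iface" -p "$proto" --sport "$port" -j ACCEPT
  done
  echo ""
}

#######################################
# Open LAN_PORTS on the LAN interface and WAN_PORTS on the WAN interface
# (each side only when that interface is configured). The two loops of
# the original were identical apart from the interface; they now share
# _open_ports_on.
# Globals:   LAN, LAN_PORTS, WAN, WAN_PORTS (read)
# Outputs:   progress lines to stdout
#######################################
open_ports()
{
  if [ -n "$LAN" ]; then
    _open_ports_on "$LAN" "$LAN_PORTS"
  fi
  if [ -n "$WAN" ]; then
    _open_ports_on "$WAN" "$WAN_PORTS"
  fi
}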
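#######################################
# Install one DNAT port forward per "PORT/HOST:PORT" entry arriving on
# an interface.
# Arguments: $1 - interface, $2 - its address, $3 - space separated list
# Globals:   ROUG, BLEU, VERT, FIN (read)
# Outputs:   one line per forward to stdout
#######################################
_fw_dnat_rules()
{
  local iface=$1 addr=$2 list=$3
  local redir src dest
  for redir in $list
  do
    src=$(printf '%s\n' "$redir" | cut -d "/" -f1)
    dest=$(printf '%s\n' "$redir" | cut -d "/" -f2 -s)
    echo -e " $ROUG $addr:$src $FIN $BLEU vers $FIN $VERT $dest $FIN"
    iptables -A PREROUTING -t nat -p tcp -i "$iface" -s 0.0.0.0/0 -d "$addr" --dport "$src" -j DNAT --to "$dest"
  done
}

#######################################
# Install one SNAT rule per "SOURCE#DESTINATION" entry leaving an
# interface, rewriting the source to the interface address.
# Arguments: $1 - interface, $2 - its address, $3 - space separated list
# Globals:   ROUG, BLEU, VERT, FIN (read)
# Outputs:   one line per rule to stdout
#######################################
_fw_snat_rules()
{
  local iface=$1 addr=$2 list=$3
  local redir src dest
  for redir in $list
  do
    src=$(printf '%s\n' "$redir" | cut -d "#" -f1)
    dest=$(printf '%s\n' "$redir" | cut -d "#" -f2 -s)
    echo -e " $ROUG ($addr)$src $FIN $BLEU --> $FIN $VERT $dest $FIN"
    iptables -t nat -A POSTROUTING -o "$iface" -s "$src" -d "$dest" -j SNAT --to-source "$addr"
  done
}

#######################################
# Accept ICMP echo reply (0), echo request (8) and time exceeded (11) in
# both directions on the listed interfaces.
# Arguments: $1 - space separated interface list
# Globals:   BLEU, FIN (read)
# Outputs:   the interface names to stdout, without a trailing newline
#######################################
_fw_icmp_rules()
{
  local carte type
  for carte in $1
  do
    echo -e -n "$BLEU $carte $FIN"
    for type in 0 8 11
    do
      iptables -A INPUT -i "$carte" -p ICMP --icmp-type "$type" -j ACCEPT
      iptables -A OUTPUT -o "$carte" -p ICMP --icmp-type "$type" -j ACCEPT
    done
  done
}

#######################################
# Install the site rules, in order: DNS servers, static routes,
# forwarding, transparent proxy, masquerading, established connections,
# DNAT port forwards (WAN then LAN), SNAT between LAN and WAN, ICMP,
# then a final ESTABLISHED,RELATED INPUT rule and an OUTPUT ACCEPT.
# Globals:   every configuration variable (read); FORWARDING is set to
#            1 when ROUTES is non-empty (as in the original)
# Outputs:   progress lines to stdout
#######################################
fw_main()
{
  local srvdns reseaux rezo mask gw
  #
  # DNS: only the listed resolvers may exchange port-53 UDP with us on WAN.
  if [ -n "$OPEN_DNS" ] && [ -n "$WAN" ]; then
    for srvdns in $OPEN_DNS
    do
      echo -e "$JAUN -> Activation du DNS sur WAN : $FIN$VERT$srvdns $FIN"
      iptables -A INPUT -i "$WAN" -p udp -s "$srvdns" --sport 53 -j ACCEPT
      iptables -A OUTPUT -o "$WAN" -p udp -d "$srvdns" --dport 53 -j ACCEPT
    done
  fi
  #
  # Static routes toward the other local subnets; they imply forwarding.
  if [ -n "$ROUTES" ]; then
    echo -e "$JAUN -> Activation du routage $FIN"
    for reseaux in $ROUTES
    do
      rezo=$(printf '%s\n' "$reseaux" | cut -d "/" -f1)
      mask=$(printf '%s\n' "$reseaux" | cut -d "/" -f2)
      gw=$(printf '%s\n' "$reseaux" | cut -d "/" -f3 -s)
      echo -e " $VERT $LAN_NETWORK/$LAN_NETMASK $FIN$BLEU<- $gw ->$FIN$FUSH $rezo/$mask $FIN"
      route add -net "$rezo" netmask "$mask" gw "$gw"
    done
    FORWARDING="1"
  fi
  #
  # IP forwarding plus reverse-path filtering on every interface.
  if [ "$FORWARDING" = "1" ]; then
    echo -e "$JAUN -> Activation du forwarding $FIN"
    echo "1" > /proc/sys/net/ipv4/ip_forward
    echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
  fi
  #
  # Transparent HTTP proxy: LAN web traffic not aimed at this host is
  # redirected to the local proxy port. "! -d" is the current negation
  # syntax; the original "-d!" is the deprecated legacy form.
  if [ "$PROXY_HTTP" = "1" ]; then
    # The original message printed "$rezo/$mask" (the last ROUTES entry,
    # or "/" with no routes) and used the undefined $JAUNE; the rule
    # actually covers the whole LAN, so that is what is shown.
    echo -n -e "\033[40m\033[1;33m -> Activation du Poxy HTTP Transparent sur $FIN$BLEU$LAN_ADDRESS:$PROXY_PORT$FIN$JAUN pour $FIN$VERT$LAN_NETWORK/$LAN_NETMASK $FIN"
    iptables -t nat -A PREROUTING -i "$LAN" -p tcp ! -d "$LAN_ADDRESS" --dport 80 -j REDIRECT --to-port "$PROXY_PORT"
    echo ""
  fi
  #
  # Masquerading. With a static public address SNAT is cheaper than
  # MASQUERADE; for a dynamic one use instead:
  #   iptables -t nat -A POSTROUTING -o $WAN -s $rezo/$mask -j MASQUERADE
  # NOTE(review): no "-s" restriction, so everything leaving $WAN is
  # rewritten, not only the LAN networks — confirm this is intended.
  if [ "$LAN_MASQUERADE" = "1" ]; then
    echo -n -e "\033[40m\033[1;33m -> Activation du MASQUERADE pour$FIN$VERT $WAN:$WAN_ADDRESS $FIN"
    iptables -t nat -A POSTROUTING -o "$WAN" -j SNAT --to-source "$WAN_ADDRESS"
    echo ""
  fi
  #
  # Keep already established connections (handy during maintenance).
  if [ "$KEEP_ACTIVES_CONN" = "1" ]; then
    echo -e "$JAUN -> Conservation des connection Actives...$FIN"
    iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -m state --state ESTABLISHED -j ACCEPT
    iptables -A FORWARD -m state --state ESTABLISHED -j ACCEPT
  fi
  #
  # Port forwards (DNAT), WAN side then LAN side.
  if [ -n "$WAN_REDIRECT" ]; then
    echo -e "$JAUN -> Redirection des ports sur :$FIN $ROUG $WAN $FIN"
    _fw_dnat_rules "$WAN" "$WAN_ADDRESS" "$WAN_REDIRECT"
  fi
  if [ -n "$LAN_REDIRECT" ]; then
    echo -e "$JAUN -> Redirection des ports :$FIN $VERT $LAN $FIN"
    _fw_dnat_rules "$LAN" "$LAN_ADDRESS" "$LAN_REDIRECT"
  fi
  #
  # Source NAT between the two sides, e.g.
  #   NATING_LAN2WAN=10.0.0.30#172.16.254.0/24
  #   NATING_WAN2LAN=172.16.254.0/24#10.0.0.30
  # TODO: per-port support.
  if [ -n "$NATING_LAN2WAN" ]; then
    echo -e "$JAUN -> Nating sur la pate : $FIN $ROUG $WAN $FIN"
    _fw_snat_rules "$WAN" "$WAN_ADDRESS" "$NATING_LAN2WAN"
  fi
  if [ -n "$NATING_WAN2LAN" ]; then
    echo -e "$JAUN -> Nating sur la pate : $FIN $VERT $LAN $FIN"
    _fw_snat_rules "$LAN" "$LAN_ADDRESS" "$NATING_WAN2LAN"
  fi
  #
  # Ping on the listed interfaces.
  if [ -n "$ICMP_RESPONSE_CARDS" ]; then
    echo -n -e "$JAUN -> Reponse au ping sur : $FIN"
    _fw_icmp_rules "$ICMP_RESPONSE_CARDS"
    echo ""
  fi
  iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A OUTPUT -j ACCEPT
}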
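#######################################
# Write a value to a /proc/sys knob, skipping knobs the running kernel
# does not expose instead of producing a spurious write error.
# Arguments: $1 - /proc/sys path, $2 - value
# Returns:   0 when written or when the path is absent, the status of
#            the write otherwise
#######################################
_sysctl_set()
{
  if [ -e "$1" ]; then
    echo "$2" > "$1"
  fi
}

#######################################
# Kernel network hardening: no source routing, no ICMP redirects, SYN
# cookies, martian logging, conntrack limit, TCP timers.
# NOTE(review): this function is defined but never called from the
# start/stop/restart/status dispatch at the bottom of the script, so
# none of these settings is applied unless a caller is added.
# Globals:   JAUN, FIN (read)
# Outputs:   one progress line to stdout
#######################################
kernel_tweaks()
{
  echo -e "$JAUN -> Set kernel networking tweaks $FIN"
  _sysctl_set /proc/sys/net/ipv4/ip_dynaddr 1
  _sysctl_set /proc/sys/net/ipv4/conf/all/accept_source_route 0
  _sysctl_set /proc/sys/net/ipv4/tcp_timestamps 0
  _sysctl_set /proc/sys/net/ipv4/tcp_syncookies 1
  # accept_redirects and icmp_ignore_bogus_error_responses were each
  # written twice in the original; once is enough.
  _sysctl_set /proc/sys/net/ipv4/conf/all/accept_redirects 0
  _sysctl_set /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses 1
  # Legacy path; newer kernels expose /proc/sys/net/netfilter/nf_conntrack_max.
  _sysctl_set /proc/sys/net/ipv4/ip_conntrack_max 8192
  _sysctl_set /proc/sys/net/ipv4/conf/all/log_martians 1
  _sysctl_set /proc/sys/net/ipv4/tcp_fin_timeout 30
  _sysctl_set /proc/sys/net/ipv4/tcp_keepalive_time 2400
  # Silences kernel messages on the console (log_martians output still
  # reaches the kernel log).
  _sysctl_set /proc/sys/kernel/printk 0
  _sysctl_set /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 1
}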
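#######################################
# Reduce the host's DoS exposure: short FIN timeout, shorter keepalive,
# no window scaling, no SACK, default TTL, ECN off.
# NOTE(review): like kernel_tweaks, never called from the dispatch at
# the bottom of the script. Disabling window scaling and SACK costs TCP
# throughput, and tcp_fin_timeout (10 here) conflicts with the 30 set
# in kernel_tweaks — whichever runs last wins.
# Globals:   JAUN, FIN (read)
# Outputs:   progress lines to stdout
#######################################
dos_protect()
{
  echo -e "$JAUN -> Enabling reduction of the DoS'ing ability $FIN"
  echo "10" > /proc/sys/net/ipv4/tcp_fin_timeout
  echo "1800" > /proc/sys/net/ipv4/tcp_keepalive_time
  echo "0" > /proc/sys/net/ipv4/tcp_window_scaling
  echo "0" > /proc/sys/net/ipv4/tcp_sack
  echo "64" > /proc/sys/net/ipv4/ip_default_ttl
  #echo "2048" > /proc/sys/net/ipv4/ip_queue_maxlen
  if [ -e /proc/sys/net/ipv4/tcp_ecn ]; then
    # The value written is 0, i.e. ECN is switched OFF; the original
    # message said "Enabling", which misdescribed the effect.
    echo -e "$JAUN -> Disabling ECN (Explicit Congestion Notification) $FIN"
    echo "0" > /proc/sys/net/ipv4/tcp_ecn
  fi
}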
# NOTE(review): this runs at load time on every invocation (status and
# usage included). The commented-out LOOSE_UDP_PATCH branch suggests it
# was meant to live inside dos_protect. The knob appears to belong to
# the pre-2.4 masquerading code — verify — so on current kernels the
# guard makes it a no-op.
if test -e /proc/sys/net/ipv4/ip_masq_udp_dloose
then
  # if [ "$LOOSE_UDP_PATCH" == "1" ]; then
  # echo -e "$JAUN -> Enabling the LOOSE_UDP_PATCH (for some games, less secure!) $FIN"
  # echo "1" > /proc/sys/net/ipv4/ip_masq_udp_dloose
  # else
  echo -e "$JAUN -> Disabling the LOOSE_UDP_PATCH (more secure) $FIN"
  echo "0" > /proc/sys/net/ipv4/ip_masq_udp_dloose
  # fi
fi
# Further hardening kept for reference (disabled):
#if [ -e /proc/sys/net/ipv4/ip_local_port_range ]; then
#echo "32768 61000" > /proc/sys/net/ipv4/ip_local_port_range
#fi
#echo "0" > /proc/sys/net/ipv4/conf/eth0/accept_source_route
#echo "0" > /proc/sys/net/ipv4/conf/eth0/send_redirects
#echo "1" > /proc/sys/net/ipv4/conf/eth0/rp_filter
#echo "0" > /proc/sys/net/ipv4/tcp_window_scaling
#echo "0" > /proc/sys/net/ipv4/tcp_sack
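#######################################
# Delete the static routes added from ROUTES (network/netmask/router
# entries). With ROUTES empty only the header line is printed.
# Globals:   ROUTES, JAUN, ROUG, FIN (read)
# Outputs:   one line per deleted route to stdout
#######################################
route_remover()
{
  local reseaux rezo mask gw
  echo -e "$JAUN -> Destruction des routes : $FIN "
  for reseaux in $ROUTES
  do
    rezo=$(printf '%s\n' "$reseaux" | cut -d "/" -f1)
    mask=$(printf '%s\n' "$reseaux" | cut -d "/" -f2)
    # "-s": empty when the router field is missing.
    gw=$(printf '%s\n' "$reseaux" | cut -d "/" -f3 -s)
    echo -e " $ROUG $rezo/$mask : $gw $FIN"
    route del -net "$rezo" netmask "$mask" gw "$gw"
  done
}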
#######################################
# Print the coloured end banner naming the action that just ran.
# Arguments: $1 - action name (start, stop, ...)
# Outputs:   five lines to stdout (blank, rule, title, rule, blank)
#######################################
bandeau_fin()
{
  local rule=" \033[40m\033[1;34m---------------------------------------\033[0m "
  echo ""
  echo -e "$rule"
  echo -e " \033[40m\033[1;32m---------> Firewall $1 <---------\033[0m "
  echo -e "$rule"
  echo ""
}
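# ---------------------------------------------------------------------
# Dispatch on the action given as first argument.
# NOTE(review): kernel_tweaks and dos_protect are never invoked here (or
# anywhere else), so the sysctl hardening they hold is not applied.
# ---------------------------------------------------------------------
case "$1" in
  start)
    bandeau_start
    init_variables
    init_modules
    init_rules DROP
    open_ports
    fw_main
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    bandeau_fin "$1"
    ;;
  stop)
    bandeau_start
    init_variables
    init_rules ACCEPT
    route_remover
    bandeau_fin "$1"
    ;;
  restart)
    # Re-run under bash: the original "sh $0" ran this script under
    # /bin/sh, which on dash rejects "==" inside "[ ]" and has no arrays.
    bash "$0" stop
    sleep 1
    bash "$0" start
    ;;
  status)
    STATUS=""
    i=0
    COUL[1]=$FUSH
    COUL[2]=$JAUN
    COUL[3]=$VERT
    clear
    init_variables
    sleep 3
    for table in nat filter mangle
    do
      i=$(( i + 1 ))
      # "\r\n" stays literal here and is expanded by the final "echo -e".
      ST1="\r\n $BLAN==========================================================================================================$FIN \r\n $BLAN=============>$FIN $ROUG Table $i : $table $FIN $BLAN<=============$FIN \r\n "
      ST2=$(iptables -L -n -v -t "$table")
      STATUS="$STATUS \r\n $ST1 \n\r ${COUL[$i]} $ST2 $FIN"
    done
    echo -e "$STATUS" | more
    echo -e "\r\n $BLAN==========================================================================================================$FIN \r\n"
    ;;
  *)
    bandeau_start
    init_variables
    echo "
Usage : $0 {start|stop|restart|status}
Si les variables affichees ci dessus sont correcte vous pouvez lancer votre firewall.
Faites vi $0 pour editer la configuration.
"
    ;;
esac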