rc.firewall.no_trust
  1. #!/bin/sh
  2.  
  3. IP=`which ip`
  4.  
  5. # Сценарий предназначен для настройки маршрутизации и
  6. # межсетевого экрана на маршрутизаторе офисной сети.
  7. # Для запуска переименуйте сценарий в rc.firewall
  8. # и дайте права доступа 755
  9.  
  10. # LAN/INET Configuration
  11. # Приведите в соответствие с настройками ваших сетей
  12. # следующие семь параметров!
  13. LAN_IFACE=eth0
  14. LAN_IP=192.168.1.22
  15. LAN_IP_RANGE=192.168.1.0/24
  16. LAN_BCAST_ADRESS=192.168.1.255/24
  17.  
  18. LAN2_IP=192.168.2.22
  19. LAN2_IP_RANGE=192.168.2.0/24
  20. LAN2_BCAST_ADRESS=192.168.2.255/24
  21.  
  22. INET_IFACE=eth1
  23. STATIC_IP=192.168.100.1
  24. #echo $STATIC_IP
  25. LO_IFACE=lo
  26. LOCALHOST_IP=127.0.0.1
  27.  
  28. PPP0_IFACE=ppp0
  29. PPP0_IP=$($IP addr show $PPP0_IFACE | grep inet | cut -f6 -d ' ')
  30. echo $PPP0_IP
  31. #PPP1_IP=0.0.0.0
  32. #PPP1_IFACE=ppp1
  33.  
  34. # IPTables Configuration.
  35. IPTABLES="/usr/sbin/iptables"
  36. IPSET="/usr/sbin/ipset"
  37.  
  38. # Required modules
  39. /sbin/modprobe ip_tables
  40. #/sbin/modprobe ip_nat
  41. /sbin/modprobe ip_conntrack
  42. /sbin/modprobe iptable_filter
  43. /sbin/modprobe iptable_mangle
  44. /sbin/modprobe iptable_nat
  45. /sbin/modprobe ipt_LOG
  46. /sbin/modprobe ipt_limit
  47. /sbin/modprobe ipt_state
  48. #/sbin/modprobe nf_tproxy_core
  49.  
  50. # Non-Required modules
  51. /sbin/modprobe ipt_owner
  52. /sbin/modprobe ipt_REJECT
  53. /sbin/modprobe ipt_MASQUERADE
  54. /sbin/modprobe ip_conntrack_ftp
  55. /sbin/modprobe ip_conntrack_irc
  56. /sbin/modprobe ip_nat_ftp
  57. /sbin/modprobe ip_nat_irc
  58.  
  59. echo 1 > /proc/sys/net/ipv4/ip_forward
  60. echo 1 > /proc/sys/net/ipv4/conf/$INET_IFACE/proxy_arp
  61.  
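# Set the default policies before flushing so the box is never open while the
# sets and rules below are being rebuilt (on the very first run the built-in
# policies are still ACCEPT).
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

# Clear ALL rules
$IPTABLES -F
$IPTABLES -X
$IPTABLES -t nat -F
# Sets can only be destroyed once no rule references them, hence after the flush.
$IPSET -X
#----------------------------------------------------------------------------------------------------------
## Create new ip sets
$IPSET -N whitelist bitmap:ip,mac range "$LAN_IP_RANGE"
$IPSET -N whitelistd bitmap:ip,mac range "$LAN_IP_RANGE"
#$IPSET -N whitelist macipmap --network $LAN_IP_RANGE
$IPSET -N ipwhite iphash

#######################################
# Fill an ip set from a list file.
# Everything after '#' on a line is a comment; every remaining
# whitespace-separated token is passed to "ipset add" as one entry.
# Reads the file directly (no cat | cut pipeline) and never word-splits
# through the glob expander, so a token cannot turn into filenames.
# Globals:   IPSET (read)
# Arguments: $1 - set name, $2 - list file
# Outputs:   diagnostics on stderr
# Returns:   1 if the file is unreadable, 0 otherwise
# Note:      plain sh, so the variables below are not "local".
#######################################
load_ipset() {
  set_name=$1
  list_file=$2
  if [ ! -r "$list_file" ]; then
    printf 'rc.firewall: cannot read %s, set %s stays empty\n' "$list_file" "$set_name" >&2
    return 1
  fi
  # -f: a token such as "10.0.0.*" must reach ipset verbatim, not as a glob.
  set -f
  # "|| [ -n "$line" ]" keeps a last line that lacks a trailing newline.
  while IFS= read -r line || [ -n "$line" ]; do
    for entry in ${line%%#*}; do
      $IPSET add "$set_name" "$entry" \
        || printf 'rc.firewall: could not add "%s" to %s\n' "$entry" "$set_name" >&2
    done
  done < "$list_file"
  set +f
  return 0
}

## Set ip sets
# Whitelist
load_ipset whitelist /home/scripts/iplist/ipmac.lst
load_ipset whitelistd /home/scripts/iplist/ipmac_dubles.lst
load_ipset ipwhite /home/scripts/iplist/ip.lst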
  95.  
  96. # Set default policies for the INPUT, FORWARD and OUTPUT chains
  97. $IPTABLES -P INPUT DROP
  98. $IPTABLES -P OUTPUT DROP
  99. $IPTABLES -P FORWARD DROP
  100.  
  101. # Create chain for bad tcp packets
  102. $IPTABLES -N bad_tcp_packets
  103.  
  104. # Create separate chains for ICMP, TCP and UDP to traverse
  105. $IPTABLES -N icmp_packets
  106. $IPTABLES -N inet_tcp_packets
  107. $IPTABLES -N udpincoming_packets
  108. #$IPTABLES -N fwtraf
  109. $IPTABLES -N in_packets
  110. $IPTABLES -N out_packets
  111. $IPTABLES -N fw_packets
  112. $IPTABLES -N fw_allowed
  113.  
  114. # bad_tcp_packets chain
  115. $IPTABLES -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset
  116. $IPTABLES -A bad_tcp_packets -p tcp ! --syn -m conntrack --ctstate NEW -j LOG --log-prefix "Bad TCP packet: "
  117. $IPTABLES -A bad_tcp_packets -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
  118.  
  119. # TCP sync rules
  120. $IPTABLES -A allowed -p TCP --syn -j ACCEPT
  121. $IPTABLES -A allowed -p TCP -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  122. $IPTABLES -A allowed -p TCP -j DROP
  123.  
  124. # ICMP rules
  125. $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 0 -j ACCEPT
  126. $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 3 -j ACCEPT
  127. $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 5 -j ACCEPT
  128. $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
  129. $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
  130.  
  131. # Inet TCP rules
  132. #$IPTABLES -A inet_tcp_packets -p TCP -s 0/0 --dport 21 -j allowed
  133. #$IPTABLES -A inet_tcp_packets -p TCP -s 0/0 --dport 25 -j allowed
  134. #$IPTABLES -A inet_tcp_packets -p TCP -s 0/0 --dport 53 -j allowed
  135. #$IPTABLES -A inet_tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
  136. #$IPTABLES -A inet_tcp_packets -p TCP -s 0/0 --dport 110 -j allowed
  137. #$IPTABLES -A inet_tcp_packets -p TCP -s 0/0 --dport 3690 -j allowed
  138.  
  139. # Forward rules
  140. $IPTABLES -A fw_allowed -j ACCEPT
  141. $IPTABLES -A fw_allowed -m connlimit --connlimit-above 15 -j DROP
  142.  
  143. # Block out DHCP servers
  144. $IPTABLES -A fw_packets -p ALL -i $LAN_IFACE --dport 67 -j DROP
  145. $IPTABLES -A fw_packets -p ALL -i $LAN_IFACE --dport 68 -j DROP
  146.  
  147. $IPTABLES -A fw_packets -p ALL -i $LAN_IFACE -m set --match-set whitelist src,src -j fw_allowed
  148. $IPTABLES -A fw_packets -p ALL -i $LAN_IFACE -m set --match-set whitelistd src,src -j fw_allowed
  149. $IPTABLES -A fw_packets -p ALL -i $LAN_IFACE -m set --match-set ipwhite src -j fw_allowed
  150.  
  151. # Local input rules
  152. $IPTABLES -A in_packets -p ALL -s 0/0 --dport 22 -j ACCEPT
  153. $IPTABLES -A in_packets -p ALL -s 0/0 --dport 53 -j ACCEPT
  154. #$IPTABLES -A in_packets -p ALL -s 0/0 --dport 3128 -j ACCEPT
  155. $IPTABLES -A in_packets -p TCP -s 0/0 --dport 10000 -j ACCEPT
  156.  
  157. # Local output rules
  158. $IPTABLES -A out_packets -p ALL -j ACCEPT # while no problem, no rules
  159.  
  160. # UDP ports
  161. #$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT
  162.  
  163. #----------------------------------------------------------------------------------------------------------
  164.  
  165. # PREROUTING chain
  166. #$IPTABLES -t nat -A PREROUTING -p tcp -s 83.237.192.219 --dport 3389 -j DNAT --to 10.0.0.4
  167. #$IPTABLES -t nat -A PREROUTING -p tcp --dport 3389 -j DNAT --to  192.168.1.12
  168. #$IPTABLES -t nat -A PREROUTING -p tcp -j DNAT --to-destination  10.0.0.69
  169.  
  170. # ********* Redirect to SQUID **********
  171. #$IPTABLES -t nat -A PREROUTING  -i $LAN_IFACE ! -d 192.168.1.22 -m set --match-set whitelist src,src -p tcp -m multiport --dport 80,2080,2082,8080 -j REDIRECT --to-port 3129
  172.  
  173.  
  174. # POSTROUTING chain
  175. $IPTABLES -t nat -A POSTROUTING -o $PPP0_IFACE -s $LAN_IP_RANGE -j SNAT --to-source $PPP0_IP
  176. #$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -s $LAN_IP_RANGE -j SNAT --to-source $STATIC_IP
  177.  
  178.  
  179. # FORWARD chain
  180. $IPTABLES -A FORWARD -p tcp -j bad_tcp_packets
  181. $IPTABLES -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  182.  
  183.  
  184. # Block out DHCP servers
  185. $IPTABLES -A FORWARD -p udp -i $INET_IFACE --dport 67 -j DROP
  186. $IPTABLES -A FORWARD -p udp -i $INET_IFACE --dport 68 -j DROP
  187.  
  188. $IPTABLES -A FORWARD -p ALL -j fw_packets
  189.  
  190. $IPTABLES -A FORWARD -m limit --limit 1/hour --limit-burst 5 -j LOG --log-level notice --log-prefix "IPT FORWARD packet died: "
  191.  
  192.  
  193. # INPUT chain
  194.  
  195. $IPTABLES -A INPUT -p tcp -j bad_tcp_packets
  196. $IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets
  197. $IPTABLES -A INPUT -p TCP -i $INET_IFACE -j tcp_packets
  198. $IPTABLES -A INPUT -p UDP -i $INET_IFACE -j udpincoming_packets
  199. $IPTABLES -A INPUT -p ALL -d $STATIC_IP -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  200.  
  201. $IPTABLES -A INPUT -p ALL -i $LAN_IFACE -j in_packets
  202.  
  203. $IPTABLES -A INPUT -p ALL -i $LO_IFACE -d $LOCALHOST_IP -j ACCEPT
  204. $IPTABLES -A INPUT -p ALL -i $LO_IFACE -d $LAN_IP -j ACCEPT
  205. $IPTABLES -A INPUT -p ALL -i $LO_IFACE -d $LAN2_IP -j ACCEPT
  206. $IPTABLES -A INPUT -p ALL -i $LO_IFACE -d $STATIC_IP -j ACCEPT
  207.  
  208.  
  209. $IPTABLES -A INPUT -p ALL -i $PPP0_IFACE -d $PPP0_IP -j ACCEPT
  210. $IPTABLES -A INPUT -p ALL -i $PPP0_IFACE -d $LAN_BCAST_ADRESS -j ACCEPT
  211.  
  212.  
  213. $IPTABLES -A INPUT -m limit --limit 1/hour --limit-burst 5 -j LOG --log-level notice --log-prefix "IPT INPUT packet died: "
  214.  
  215.  
  216. # OUTPUT chain
  217. $IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets
  218. $IPTABLES -A OUTPUT -p ALL -s $LOCALHOST_IP -j ACCEPT
  219. $IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j out_packets
  220. $IPTABLES -A OUTPUT -p ALL -s $LAN2_IP -j out_packets
  221. $IPTABLES -A OUTPUT -p ALL -s $STATIC_IP -j ACCEPT
  222. $IPTABLES -A OUTPUT -p ALL -s $PPP0_IP -j ACCEPT
  223. $IPTABLES -A OUTPUT -m limit --limit 1/hour --limit-burst 5 -j LOG --log-level notice --log-prefix "IPT OUTPUT packet died: "