Advertisement
synthnassizer

load_sgfw

Aug 1st, 2015
283
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 6.87 KB | None | 0 0
  1. IPTS="/usr/sbin/iptables-save"
  2. IPTR="/usr/sbin/iptables-restore"
  3.  
  4. INET_IFACE="eth1"
  5. INET_NET="192.168.231.0/24"
  6. INET_ADDRESS="192.168.231.165" #eth1 address
  7.  
  8. LOCAL_IFACE="eth0"
  9. LOCAL_IP="192.168.112.112"
  10. LOCAL_NET="192.168.112.0/24"
  11. LOCAL_BCAST="192.168.112.255"
  12.  
  13. VPN_IFACE="tun+"
  14. VPN_LOC_IP="192.168.26.1"
  15. VPN_NET="192.168.26.0/24"
  16. VPN_BCAST="192.168.26.255"
  17.  
  18. HOME_NET="192.168.114.0/24"
  19. DSA_NET="192.168.18.0/24"
  20.  
  21. STARGAZE="192.168.112.112"
  22. MODEM="192.168.231.117"
  23.  
  24. DISK_IFACE="eth2"
  25. DISK_IP="192.168.113.113"
  26. DISK_NET="192.168.113.0/24"
  27. DISK_BCAST="192.168.113.255"
  28.  
  29. if [ "$1" = "save" ]; then
  30. echo -n "Saving firewall to /etc/sysconfig/iptables ... "
  31. $IPTS > /etc/sysconfig/iptables
  32. echo "done"
  33. exit 0
  34. elif [ "$1" = "restore" ]; then
  35. echo -n "Restoring firewall from /etc/sysconfig/iptables ... "
  36. $IPTR < /etc/sysconfig/iptables
  37. echo "done"
  38. exit 0
  39. fi
  40.  
  41. echo "Loading kernel modules ..."
  42. /sbin/modprobe ip_tables
  43. /sbin/modprobe ip_conntrack
  44. /sbin/modprobe ip_nat_ftp
  45. /sbin/modprobe ip_conntrack_ftp
  46. /sbin/modprobe ip_conntrack_irc
  47. echo "Configuring /proc"
  48. if [ "$SYSCTL" = "" ]
  49. then
  50. echo "1" > /proc/sys/net/ipv4/ip_forward
  51. else
  52. $SYSCTL net.ipv4.ip_forward="1"
  53. fi
  54. if [ "$SYSCTL" = "" ]
  55. then
  56. echo "1" > /proc/sys/net/ipv4/tcp_syncookies
  57. else
  58. $SYSCTL net.ipv4.tcp_syncookies="1"
  59. fi
  60. if [ "$SYSCTL" = "" ]
  61. then
  62. echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
  63. else
  64. $SYSCTL net.ipv4.conf.all.rp_filter="1"
  65. fi
  66. if [ "$SYSCTL" = "" ]
  67. then
  68. echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
  69. else
  70. $SYSCTL net.ipv4.icmp_echo_ignore_broadcasts="1"
  71. fi
  72. if [ "$SYSCTL" = "" ]
  73. then
  74. echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
  75. else
  76. $SYSCTL net.ipv4.conf.all.accept_source_route="0"
  77. fi
  78. if [ "$SYSCTL" = "" ]
  79. then
  80. echo "1" > /proc/sys/net/ipv4/conf/all/secure_redirects
  81. else
  82. $SYSCTL net.ipv4.conf.all.secure_redirects="1"
  83. fi
  84. if [ "$SYSCTL" = "" ]
  85. then
  86. echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
  87. else
  88. $SYSCTL net.ipv4.conf.all.log_martians="1"
  89. fi
  90.  
  91. echo "loading iptables rules"
  92. iptables-restore -v <<-EOF;
  93.  
  94. # Generated by iptables-save v1.4.14 on Sat Aug 1 14:27:00 2015
  95. *mangle
  96. :PREROUTING ACCEPT [766:1016065]
  97. :INPUT ACCEPT [760:1014007]
  98. :FORWARD ACCEPT [6:2058]
  99. :OUTPUT ACCEPT [484:46782]
  100. :POSTROUTING ACCEPT [490:48840]
  101. COMMIT
  102. # Completed on Sat Aug 1 14:27:00 2015
  103.  
  104. # Generated by iptables-save v1.4.14 on Sat Aug 1 14:27:00 2015
  105. *nat
  106. :PREROUTING ACCEPT [2:102]
  107. :INPUT ACCEPT [0:0]
  108. :OUTPUT ACCEPT [0:0]
  109. :POSTROUTING ACCEPT [0:0]
  110. :tcp_prebound - [0:0]
  111. :udp_prebound - [0:0]
  112. -A PREROUTING -p udp -i $INET_IF -j udp_prebound
  113. -A PREROUTING -p tcp -i $INET_IF -j tcp_prebound
  114.  
  115. -A POSTROUTING -o $INET_IF -j MASQUERADE
  116.  
  117. -A tcp_prebound -j RETURN
  118. -A udp_prebound -j RETURN
  119. COMMIT
  120. # Completed on Sat Aug 1 14:27:00 2015
  121.  
  122. # Generated by iptables-save v1.4.14 on Sat Aug 1 14:27:00 2015
  123. *filter
  124. :INPUT DROP [2:102]
  125. :FORWARD DROP [0:0]
  126. :OUTPUT ACCEPT [469:45085]
  127. :bad_packets - [0:0]
  128. :icmp_packets - [0:0]
  129. :tcp_fwdbound - [0:0]
  130. :tcp_inbound - [0:0]
  131. :tcp_infwdbound - [0:0]
  132. :tcp_vpnbound - [0:0]
  133. :udp_fwdbound - [0:0]
  134. :udp_inbound - [0:0]
  135. :udp_infwdbound - [0:0]
  136. :udp_vpnbound - [0:0]
  137.  
  138.  
  139. -A INPUT -i lo -j ACCEPT
  140. -A INPUT -m conntrack --ctstate INVALID -j bad_packets
  141. -A INPUT -d 224.0.0.1/32 -j DROP
  142. -A INPUT -i $INET_IF -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  143. -A INPUT -i $VPN_IF -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  144. -A INPUT -s $LOCAL_NET -i $LOCAL_IF -j ACCEPT
  145. -A INPUT -d $LOCAL_BCAST -i $LOCAL_IF -j ACCEPT
  146. -A INPUT -i $LOCAL_IF -p icmp -j ACCEPT
  147. -A INPUT -i $DISK_IF -j ACCEPT
  148. -A INPUT -s $VPN_NET -i $VPN_IF -p tcp -j tcp_vpnbound
  149. -A INPUT -s $HOME_NET -i $VPN_IF -p tcp -j tcp_vpnbound
  150. -A INPUT -s $DSA_NET -i $VPN_IF -p tcp -j tcp_vpnbound
  151. -A INPUT -s $VPN_NET -i $VPN_IF -p udp -j udp_vpnbound
  152. -A INPUT -s $HOME_NET -i $VPN_IF -p udp -j udp_vpnbound
  153. -A INPUT -s $DSA_NET -i $VPN_IF -p udp -j udp_vpnbound
  154. -A INPUT -d $VPN_BCAST -i $VPN_IF -j ACCEPT
  155. -A INPUT -i $VPN_IF -p icmp -j ACCEPT
  156. -A INPUT -i $INET_IF -p tcp -j tcp_inbound
  157. -A INPUT -i $INET_IF -p udp -j udp_inbound
  158. -A INPUT -i $INET_IF -p icmp -j icmp_packets
  159. -A INPUT -m limit --limit 3/min --limit-burst 3 -j ULOG --ulog-prefix "INPUT packet died: "
  160.  
  161. -A FORWARD -i $INET_IF -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  162. -A FORWARD -i $VPN_IF -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  163. -A FORWARD -i $LOCAL_IF -p tcp -j tcp_fwdbound
  164. -A FORWARD -i $DISK_IF -j ACCEPT
  165. -A FORWARD -i $LOCAL_IF -p udp -j udp_fwdbound
  166. -A FORWARD -i $LOCAL_IF -j ACCEPT
  167. -A FORWARD -s $VPN_NET -i $VPN_IF -p tcp -j tcp_vpnbound
  168. -A FORWARD -s $HOME_NET -i $VPN_IF -p tcp -j tcp_vpnbound
  169. -A FORWARD -s $DSA_NET -i $VPN_IF -p tcp -j tcp_vpnbound
  170. -A FORWARD -s $VPN_NET -i $VPN_IF -p udp -j udp_vpnbound
  171. -A FORWARD -s $HOME_NET -i $VPN_IF -p udp -j udp_vpnbound
  172. -A FORWARD -s $DSA_NET -i $VPN_IF -p udp -j udp_vpnbound
  173. -A FORWARD -i $VPN_IF -p icmp -j icmp_packets
  174. -A FORWARD -i $INET_IF -p tcp -j tcp_infwdbound
  175. -A FORWARD -i $INET_IF -p udp -j udp_infwdbound
  176. -A FORWARD -i $INET_IF -p icmp -j icmp_packets
  177. -A FORWARD -m limit --limit 3/min --limit-burst 3 -j ULOG --ulog-prefix "FORWARD packet died: "
  178.  
  179. -A OUTPUT -m conntrack --ctstate INVALID -j DROP
  180.  
  181. -A bad_packets -j ULOG --ulog-prefix "Invalid packet: "
  182. -A bad_packets -j DROP
  183. -A bad_packets -j RETURN
  184.  
  185. -A icmp_packets -p icmp -m icmp --icmp-type 0 -j ACCEPT
  186. -A icmp_packets -p icmp -m icmp --icmp-type 8 -j ACCEPT
  187. -A icmp_packets -p icmp -m icmp --icmp-type 11 -j ACCEPT
  188. -A icmp_packets -p icmp -m icmp --icmp-type 9 -j ACCEPT
  189. -A icmp_packets -j RETURN
  190.  
  191. -A tcp_fwdbound -j RETURN
  192.  
  193. -A tcp_inbound -p tcp -m tcp --dport 113 -j REJECT --reject-with icmp-port-unreachable
  194. -A tcp_inbound -p tcp -m tcp --dport 51237 -j ACCEPT
  195. -A tcp_inbound -p tcp -m multiport --dports 34567:34569 -j ACCEPT
  196. -A tcp_inbound -j RETURN
  197.  
  198. -A tcp_infwdbound -j RETURN
  199.  
  200. -A tcp_vpnbound -p tcp -m multiport --dports 80,8080,10000,6600,38000,22,51237,53 -j ACCEPT
  201. -A tcp_vpnbound -p tcp -m multiport --dports 3389:3391,3395,5901,5801,139,445,34122:34128 -j ACCEPT
  202. -A tcp_vpnbound -j RETURN
  203.  
  204. -A udp_fwdbound -j RETURN
  205.  
  206. -A udp_inbound -p udp -m udp --dport 113 -j REJECT --reject-with icmp-port-unreachable
  207. -A udp_inbound -p udp -m multiport --dports 137,138 -j DROP
  208. -A udp_inbound -p udp -m multiport --dports 34567:34569 -j ACCEPT
  209. -A udp_inbound -p udp -m udp --dport 1194 -j ACCEPT
  210. -A udp_inbound -s $MODEM -p udp -m udp --dport 123 -j ACCEPT
  211. -A udp_inbound -j RETURN
  212.  
  213. -A udp_infwdbound -j RETURN
  214.  
  215. -A udp_vpnbound -p udp -m udp --dport 53 -j ACCEPT
  216. -A udp_vpnbound -p udp -m multiport --dports 137,139,445 -j ACCEPT
  217. -A udp_vpnbound -j RETURN
  218.  
  219. COMMIT
  220. # Completed on Sat Aug 1 14:27:00 2015
  221.  
  222. EOF
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement