  1. IPTS="/usr/sbin/iptables-save"
  2. IPTR="/usr/sbin/iptables-restore"
  3.  
  4. INET_IFACE="eth1"
  5. INET_NET="192.168.231.0/24"
  6. INET_ADDRESS="192.168.231.165" #eth1 address
  7.  
  8. LOCAL_IFACE="eth0"
  9. LOCAL_IP="192.168.112.112"
  10. LOCAL_NET="192.168.112.0/24"
  11. LOCAL_BCAST="192.168.112.255"
  12.  
  13. VPN_IFACE="tun+"
  14. VPN_LOC_IP="192.168.26.1"
  15. VPN_NET="192.168.26.0/24"
  16. VPN_BCAST="192.168.26.255"
  17.  
  18. HOME_NET="192.168.114.0/24"
  19. DSA_NET="192.168.18.0/24"
  20.  
  21. STARGAZE="192.168.112.112"
  22. MODEM="192.168.231.117"
  23.  
  24. DISK_IFACE="eth2"
  25. DISK_IP="192.168.113.113"
  26. DISK_NET="192.168.113.0/24"
  27. DISK_BCAST="192.168.113.255"
  28.  
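# Mode selection from the first argument:
#   save    - dump the live ruleset to the state file and exit
#   restore - load the ruleset from the state file and exit
# Any other (or no) argument falls through to a full rebuild below.
#
# FW_STATE may be overridden from the environment; the default is the
# path this script has always used.
FW_STATE="${FW_STATE:-/etc/sysconfig/iptables}"

case "$1" in
save)
    echo -n "Saving firewall to $FW_STATE ... "
    # Write to a temporary file and rename, so that a failing
    # iptables-save cannot leave a truncated state file behind.
    if $IPTS > "$FW_STATE.tmp" && mv "$FW_STATE.tmp" "$FW_STATE"; then
        echo "done"
        exit 0
    fi
    rm -f "$FW_STATE.tmp"
    echo "failed"
    exit 1
    ;;
restore)
    echo -n "Restoring firewall from $FW_STATE ... "
    # Report the real outcome of iptables-restore instead of printing
    # "done" unconditionally; a missing or rejected state file now exits 1.
    if $IPTR < "$FW_STATE"; then
        echo "done"
        exit 0
    fi
    echo "failed"
    exit 1
    ;;
esac
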
  41. echo "Loading kernel modules ..."
  42. /sbin/modprobe ip_tables
  43. /sbin/modprobe ip_conntrack
  44. /sbin/modprobe ip_nat_ftp
  45. /sbin/modprobe ip_conntrack_ftp
  46. /sbin/modprobe ip_conntrack_irc
  47. echo "Configuring /proc"
  48. if [ "$SYSCTL" = "" ]
  49. then
  50. echo "1" > /proc/sys/net/ipv4/ip_forward
  51. else
  52. $SYSCTL net.ipv4.ip_forward="1"
  53. fi
  54. if [ "$SYSCTL" = "" ]
  55. then
  56. echo "1" > /proc/sys/net/ipv4/tcp_syncookies
  57. else
  58. $SYSCTL net.ipv4.tcp_syncookies="1"
  59. fi
  60. if [ "$SYSCTL" = "" ]
  61. then
  62. echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
  63. else
  64. $SYSCTL net.ipv4.conf.all.rp_filter="1"
  65. fi
  66. if [ "$SYSCTL" = "" ]
  67. then
  68. echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
  69. else
  70. $SYSCTL net.ipv4.icmp_echo_ignore_broadcasts="1"
  71. fi
  72. if [ "$SYSCTL" = "" ]
  73. then
  74. echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
  75. else
  76. $SYSCTL net.ipv4.conf.all.accept_source_route="0"
  77. fi
  78. if [ "$SYSCTL" = "" ]
  79. then
  80. echo "1" > /proc/sys/net/ipv4/conf/all/secure_redirects
  81. else
  82. $SYSCTL net.ipv4.conf.all.secure_redirects="1"
  83. fi
  84. if [ "$SYSCTL" = "" ]
  85. then
  86. echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
  87. else
  88. $SYSCTL net.ipv4.conf.all.log_martians="1"
  89. fi
  90.  
  91. echo "loading iptables rules"
  92. iptables-restore -v <<-EOF;
  93.  
  94. # Generated by iptables-save v1.4.14 on Sat Aug 1 14:27:00 2015
  95. *mangle
  96. :PREROUTING ACCEPT [766:1016065]
  97. :INPUT ACCEPT [760:1014007]
  98. :FORWARD ACCEPT [6:2058]
  99. :OUTPUT ACCEPT [484:46782]
  100. :POSTROUTING ACCEPT [490:48840]
  101. COMMIT
  102. # Completed on Sat Aug 1 14:27:00 2015
  103.  
  104. # Generated by iptables-save v1.4.14 on Sat Aug 1 14:27:00 2015
  105. *nat
  106. :PREROUTING ACCEPT [2:102]
  107. :INPUT ACCEPT [0:0]
  108. :OUTPUT ACCEPT [0:0]
  109. :POSTROUTING ACCEPT [0:0]
  110. :tcp_prebound - [0:0]
  111. :udp_prebound - [0:0]
  112. -A PREROUTING -p udp -i $INET_IF -j udp_prebound
  113. -A PREROUTING -p tcp -i $INET_IF -j tcp_prebound
  114.  
  115. -A POSTROUTING -o $INET_IF -j MASQUERADE
  116.  
  117. -A tcp_prebound -j RETURN
  118. -A udp_prebound -j RETURN
  119. COMMIT
  120. # Completed on Sat Aug 1 14:27:00 2015
  121.  
  122. # Generated by iptables-save v1.4.14 on Sat Aug 1 14:27:00 2015
  123. *filter
  124. :INPUT DROP [2:102]
  125. :FORWARD DROP [0:0]
  126. :OUTPUT ACCEPT [469:45085]
  127. :bad_packets - [0:0]
  128. :icmp_packets - [0:0]
  129. :tcp_fwdbound - [0:0]
  130. :tcp_inbound - [0:0]
  131. :tcp_infwdbound - [0:0]
  132. :tcp_vpnbound - [0:0]
  133. :udp_fwdbound - [0:0]
  134. :udp_inbound - [0:0]
  135. :udp_infwdbound - [0:0]
  136. :udp_vpnbound - [0:0]
  137.  
  138.  
  139. -A INPUT -i lo -j ACCEPT
  140. -A INPUT -m conntrack --ctstate INVALID -j bad_packets
  141. -A INPUT -d 224.0.0.1/32 -j DROP
  142. -A INPUT -i $INET_IF -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  143. -A INPUT -i $VPN_IF -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  144. -A INPUT -s $LOCAL_NET -i $LOCAL_IF -j ACCEPT
  145. -A INPUT -d $LOCAL_BCAST -i $LOCAL_IF -j ACCEPT
  146. -A INPUT -i $LOCAL_IF -p icmp -j ACCEPT
  147. -A INPUT -i $DISK_IF -j ACCEPT
  148. -A INPUT -s $VPN_NET -i $VPN_IF -p tcp -j tcp_vpnbound
  149. -A INPUT -s $HOME_NET -i $VPN_IF -p tcp -j tcp_vpnbound
  150. -A INPUT -s $DSA_NET -i $VPN_IF -p tcp -j tcp_vpnbound
  151. -A INPUT -s $VPN_NET -i $VPN_IF -p udp -j udp_vpnbound
  152. -A INPUT -s $HOME_NET -i $VPN_IF -p udp -j udp_vpnbound
  153. -A INPUT -s $DSA_NET -i $VPN_IF -p udp -j udp_vpnbound
  154. -A INPUT -d $VPN_BCAST -i $VPN_IF -j ACCEPT
  155. -A INPUT -i $VPN_IF -p icmp -j ACCEPT
  156. -A INPUT -i $INET_IF -p tcp -j tcp_inbound
  157. -A INPUT -i $INET_IF -p udp -j udp_inbound
  158. -A INPUT -i $INET_IF -p icmp -j icmp_packets
  159. -A INPUT -m limit --limit 3/min --limit-burst 3 -j ULOG --ulog-prefix "INPUT packet died: "
  160.  
  161. -A FORWARD -i $INET_IF -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  162. -A FORWARD -i $VPN_IF -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  163. -A FORWARD -i $LOCAL_IF -p tcp -j tcp_fwdbound
  164. -A FORWARD -i $DISK_IF -j ACCEPT
  165. -A FORWARD -i $LOCAL_IF -p udp -j udp_fwdbound
  166. -A FORWARD -i $LOCAL_IF -j ACCEPT
  167. -A FORWARD -s $VPN_NET -i $VPN_IF -p tcp -j tcp_vpnbound
  168. -A FORWARD -s $HOME_NET -i $VPN_IF -p tcp -j tcp_vpnbound
  169. -A FORWARD -s $DSA_NET -i $VPN_IF -p tcp -j tcp_vpnbound
  170. -A FORWARD -s $VPN_NET -i $VPN_IF -p udp -j udp_vpnbound
  171. -A FORWARD -s $HOME_NET -i $VPN_IF -p udp -j udp_vpnbound
  172. -A FORWARD -s $DSA_NET -i $VPN_IF -p udp -j udp_vpnbound
  173. -A FORWARD -i $VPN_IF -p icmp -j icmp_packets
  174. -A FORWARD -i $INET_IF -p tcp -j tcp_infwdbound
  175. -A FORWARD -i $INET_IF -p udp -j udp_infwdbound
  176. -A FORWARD -i $INET_IF -p icmp -j icmp_packets
  177. -A FORWARD -m limit --limit 3/min --limit-burst 3 -j ULOG --ulog-prefix "FORWARD packet died: "
  178.  
  179. -A OUTPUT -m conntrack --ctstate INVALID -j DROP
  180.  
  181. -A bad_packets -j ULOG --ulog-prefix "Invalid packet: "
  182. -A bad_packets -j DROP
  183. -A bad_packets -j RETURN
  184.  
  185. -A icmp_packets -p icmp -m icmp --icmp-type 0 -j ACCEPT
  186. -A icmp_packets -p icmp -m icmp --icmp-type 8 -j ACCEPT
  187. -A icmp_packets -p icmp -m icmp --icmp-type 11 -j ACCEPT
  188. -A icmp_packets -p icmp -m icmp --icmp-type 9 -j ACCEPT
  189. -A icmp_packets -j RETURN
  190.  
  191. -A tcp_fwdbound -j RETURN
  192.  
  193. -A tcp_inbound -p tcp -m tcp --dport 113 -j REJECT --reject-with icmp-port-unreachable
  194. -A tcp_inbound -p tcp -m tcp --dport 51237 -j ACCEPT
  195. -A tcp_inbound -p tcp -m multiport --dports 34567:34569 -j ACCEPT
  196. -A tcp_inbound -j RETURN
  197.  
  198. -A tcp_infwdbound -j RETURN
  199.  
  200. -A tcp_vpnbound -p tcp -m multiport --dports 80,8080,10000,6600,38000,22,51237,53 -j ACCEPT
  201. -A tcp_vpnbound -p tcp -m multiport --dports 3389:3391,3395,5901,5801,139,445,34122:34128 -j ACCEPT
  202. -A tcp_vpnbound -j RETURN
  203.  
  204. -A udp_fwdbound -j RETURN
  205.  
  206. -A udp_inbound -p udp -m udp --dport 113 -j REJECT --reject-with icmp-port-unreachable
  207. -A udp_inbound -p udp -m multiport --dports 137,138 -j DROP
  208. -A udp_inbound -p udp -m multiport --dports 34567:34569 -j ACCEPT
  209. -A udp_inbound -p udp -m udp --dport 1194 -j ACCEPT
  210. -A udp_inbound -s $MODEM -p udp -m udp --dport 123 -j ACCEPT
  211. -A udp_inbound -j RETURN
  212.  
  213. -A udp_infwdbound -j RETURN
  214.  
  215. -A udp_vpnbound -p udp -m udp --dport 53 -j ACCEPT
  216. -A udp_vpnbound -p udp -m multiport --dports 137,139,445 -j ACCEPT
  217. -A udp_vpnbound -j RETURN
  218.  
  219. COMMIT
  220. # Completed on Sat Aug 1 14:27:00 2015
  221.  
  222. EOF