#!/bin/sh
#
# rc.firewall - Initial SIMPLE IP Firewall script for Linux 2.4.x and iptables
#
# Copyright (C) 2001 Oskar Andreasson <blueflux@koffein.net>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; version 2 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program or from the site that you downloaded it
# from; if not, write to the Free Software Foundation, Inc., 59 Temple
# Place, Suite 330, Boston, MA 02111-1307 USA
#

###########################################################################
#
# 1. Configuration options.
#
# Every value below is a plain constant; nothing in the script derives
# one from another, so keep LAN_IP_RANGE and LAN_BCAST_ADRESS in step by
# hand when changing the LAN.
#

###########################################################################
#
# Local Area Network configuration.
#
# LAN_IP is this box's own address on the LAN. LAN_IP_RANGE is the whole
# LAN in CIDR notation: /16 means only the first 16 bits of the 32 bit IP
# address are the network part, the same as netmask 255.255.0.0, which is
# why the directed broadcast address is 192.168.255.255.
#

LAN_IP="192.168.0.2"
LAN_IP_RANGE="192.168.0.0/16"
# spelling kept as-is: the INPUT rules below reference it under this name
LAN_BCAST_ADRESS="192.168.255.255"
LAN_IFACE="eth1"

###########################################################################
#
# Localhost Configuration.
#

LO_IFACE="lo"
LO_IP="127.0.0.1"

###########################################################################
#
# Internet Configuration.
#
# Static public address and the interface it lives on.
#

INET_IP="194.236.50.155"
INET_IFACE="eth0"

###########################################################################
#
# IPTables Configuration.
#
# Absolute path so the script does not depend on PATH.
#

IPTABLES="/usr/sbin/iptables"

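###########################################################################
#
# 2. Module loading.
#

#
# Load one kernel module.
#
# The original lines ran modprobe bare and ignored its exit status, so a
# mistyped or missing module (and therefore a missing iptables match or
# target) went unnoticed until a rule further down failed. This keeps the
# best-effort behaviour but says so on stderr.
#
# Arguments: $1 - module name
# Outputs:   warning on stderr when modprobe fails
# Returns:   0 always
#
load_module() {
  /sbin/modprobe "$1" ||
    printf 'rc.firewall: warning: could not load module %s\n' "$1" >&2
  return 0
}

#
# Needed to initially load modules
#
/sbin/depmod -a || printf 'rc.firewall: warning: depmod -a failed\n' >&2

#
# Adds some iptables targets like LOG, REJECT and MASQUERADE.
#
load_module ip_conntrack
load_module ip_tables
load_module iptable_filter
load_module iptable_mangle
load_module iptable_nat
load_module ipt_LOG
#load_module ipt_REJECT
#load_module ipt_MASQUERADE

#
# Support for owner matching
#
#load_module ipt_owner

#
# Support for connection tracking of FTP and IRC.
#
#load_module ip_conntrack_ftp
#load_module ip_conntrack_irc

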
###########################################################################
#
# 3. /proc set up.
#
# Turn on ip_forward when this box sits between two or more networks
# (the Internet included) and has to pass packets between them. Linux
# leaves it off by default, so without this line nothing is forwarded.
#

printf '%s\n' 1 > /proc/sys/net/ipv4/ip_forward

#
# Dynamic IP users:
#
#printf '%s\n' 1 > /proc/sys/net/ipv4/ip_dynaddr

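###########################################################################
#
# 4. IPTables rules set up.
#
# Set default policies for the INPUT, FORWARD and OUTPUT chains first, so
# the box is closed while the rule set below is (re)built.
#

"$IPTABLES" -P INPUT DROP
"$IPTABLES" -P OUTPUT DROP
"$IPTABLES" -P FORWARD DROP

#
# Start from a clean slate. Without this, running the script a second
# time appends a duplicate of every rule and the "-N" calls below fail
# because the user-defined chains already exist. The policies are
# already DROP at this point, so nothing passes during the rebuild.
# The mangle table is loaded but never given rules here, so it is left
# alone.
#

"$IPTABLES" -F
"$IPTABLES" -X
"$IPTABLES" -t nat -F

#
# bad_tcp_packets chain
#
# Take care of bad TCP packets that we don't want: a TCP packet that is
# not a SYN yet has no conntrack entry (state NEW) is logged and dropped.
#

"$IPTABLES" -N bad_tcp_packets
"$IPTABLES" -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
  --log-prefix "New not syn:"
"$IPTABLES" -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

#
# Do some checks for obviously spoofed IP's: RFC 1918 sources have no
# business arriving on the Internet interface.
#
# NOTE(review): every jump into this chain is qualified with "-p tcp", so
# these three rules only ever see TCP; UDP and ICMP from the same sources
# are not covered by them.
#

"$IPTABLES" -A bad_tcp_packets -i "$INET_IFACE" -s 192.168.0.0/16 -j DROP
"$IPTABLES" -A bad_tcp_packets -i "$INET_IFACE" -s 10.0.0.0/8 -j DROP
"$IPTABLES" -A bad_tcp_packets -i "$INET_IFACE" -s 172.16.0.0/12 -j DROP
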
#
# Enable simple IP Forwarding and Network Address Translation
#
# Everything leaving through the Internet interface has its source
# rewritten to the configured INET_IP.
#

"$IPTABLES" -t nat -A POSTROUTING -o "$INET_IFACE" -j SNAT --to-source "$INET_IP"

#
# FORWARD chain
#
# TCP sanity checks first, then accept whatever comes in from the LAN and
# replies belonging to connections that are already tracked. What is left
# is logged (rate-limited) and falls through to the chain's DROP policy.
#

"$IPTABLES" -A FORWARD -p tcp -j bad_tcp_packets
"$IPTABLES" -A FORWARD -i "$LAN_IFACE" -j ACCEPT
"$IPTABLES" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
"$IPTABLES" -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \
  --log-level DEBUG --log-prefix "IPT FORWARD packet died: "

#
# Create separate chains for ICMP, TCP and UDP to traverse
#

"$IPTABLES" -N icmp_packets
"$IPTABLES" -N tcp_packets
"$IPTABLES" -N udpincoming_packets

#
# The allowed chain for TCP connections
#
# Only a SYN may open a connection, packets of an already tracked
# connection pass, and any other TCP is dropped right here.
#

"$IPTABLES" -N allowed
"$IPTABLES" -A allowed -p TCP --syn -j ACCEPT
"$IPTABLES" -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
"$IPTABLES" -A allowed -p TCP -j DROP

#
# ICMP rules
#
# Changed rules totally: only echo-request (type 8) and time-exceeded
# (type 11) are accepted, from any source.
#

"$IPTABLES" -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
"$IPTABLES" -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

#
# TCP rules
#
# Services reachable from the Internet: 21, 22, 80 and 113. Each is sent
# through the allowed chain above rather than accepted outright.
#

for port in 21 22 80 113; do
  "$IPTABLES" -A tcp_packets -p TCP -s 0/0 --dport "$port" -j allowed
done

#
# UDP ports
#
# These match on the *source* port only. The 53 (DNS) and 123 (NTP) lines
# were commented out without explanation in the copy this came from and
# are left as found.
#
# NOTE(review): a source-port-only match trusts the remote end to pick
# that port, so it is a weak filter; tying acceptance to conntrack state
# (ESTABLISHED) would limit it to traffic this box actually started.
#

#"$IPTABLES" -A udpincoming_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT
#"$IPTABLES" -A udpincoming_packets -p UDP -s 0/0 --source-port 123 -j ACCEPT
"$IPTABLES" -A udpincoming_packets -p UDP -s 0/0 --source-port 2074 -j ACCEPT
"$IPTABLES" -A udpincoming_packets -p UDP -s 0/0 --source-port 4000 -j ACCEPT

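##########################
# INPUT chain
#
# Drop anything arriving on the Internet interface with a private
# (RFC 1918) source address, whatever the protocol. The same three checks
# exist in bad_tcp_packets, but that chain is only reached through
# "-p tcp" jumps, so on their own they leave UDP and ICMP from such
# sources to be evaluated by the per-protocol chains below. Qualified
# with -i so genuine LAN traffic on LAN_IFACE is untouched.
#

"$IPTABLES" -A INPUT -i "$INET_IFACE" -s 192.168.0.0/16 -j DROP
"$IPTABLES" -A INPUT -i "$INET_IFACE" -s 10.0.0.0/8 -j DROP
"$IPTABLES" -A INPUT -i "$INET_IFACE" -s 172.16.0.0/12 -j DROP

#
# Bad TCP packets we don't want.
#

"$IPTABLES" -A INPUT -p tcp -j bad_tcp_packets

#
# Rules for incoming packets from the internet: each protocol is handed to
# its own chain; whatever those chains do not ACCEPT continues down here.
#

"$IPTABLES" -A INPUT -p ICMP -i "$INET_IFACE" -j icmp_packets
"$IPTABLES" -A INPUT -p TCP -i "$INET_IFACE" -j tcp_packets
"$IPTABLES" -A INPUT -p UDP -i "$INET_IFACE" -j udpincoming_packets

#
# Rules for special networks not part of the Internet: LAN broadcast, the
# loopback interface for each of our own addresses, the whole LAN range,
# and replies to connections this box already has open to the Internet.
#

"$IPTABLES" -A INPUT -p ALL -i "$LAN_IFACE" -d "$LAN_BCAST_ADRESS" -j ACCEPT
"$IPTABLES" -A INPUT -p ALL -i "$LO_IFACE" -s "$LO_IP" -j ACCEPT
"$IPTABLES" -A INPUT -p ALL -i "$LO_IFACE" -s "$LAN_IP" -j ACCEPT
"$IPTABLES" -A INPUT -p ALL -i "$LO_IFACE" -s "$INET_IP" -j ACCEPT
"$IPTABLES" -A INPUT -p ALL -i "$LAN_IFACE" -s "$LAN_IP_RANGE" -j ACCEPT
"$IPTABLES" -A INPUT -p ALL -d "$INET_IP" -m state --state ESTABLISHED,RELATED \
  -j ACCEPT

#
# Everything else: log (rate-limited) and let the DROP policy take it.
#

"$IPTABLES" -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
  --log-level DEBUG --log-prefix "IPT INPUT packet died: "
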
###############################
# OUTPUT chain
#
# TCP sanity checks first, then let out anything sourced from one of this
# box's own addresses (loopback, LAN, Internet). Whatever remains is
# logged (rate-limited) and left to the chain's DROP policy.
#

"$IPTABLES" -A OUTPUT -p tcp -j bad_tcp_packets

#
# Special OUTPUT rules to decide which IP's to allow.
#

for src in "$LO_IP" "$LAN_IP" "$INET_IP"; do
  "$IPTABLES" -A OUTPUT -p ALL -s "$src" -j ACCEPT
done

#
# Log weird packets that don't match the above.
#

"$IPTABLES" -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
  --log-level DEBUG --log-prefix "IPT OUTPUT packet died: "