Firewall rc-script for redhat or lfs systems

#!/bin/sh
#
# apu netfilter config script
# (C) and written by BeF <dr.bef@gmx.net> & Fry
#
# include functions from lfs
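. /etc/init.d/functions


### programs ###
PATH=$PATH:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
# these program variables are expanded unquoted on purpose, so a value that
# carries options (e.g. "iptables -w") keeps working
SED="sed"
IFCONFIG="ifconfig"
GREP="grep"
LSMOD="lsmod"
IPTABLES_CMD="iptables"
# every rule below is issued through this wrapper function, which records
# a failed iptables call in CHECK
IPTABLES=IPTABLES_FUNC
# "true" until the first iptables call fails; handed to loadproc at the end
# of start/stop, which prints the done/failed status line from it
CHECK=true


### ips ###
EXT_NET="192.168.100.0/24"	# network of external device
EXT_DEV=eth0			# external device name
EXT_GW="192.168.100.1"		# IP of next gateway on external device (not referenced in this script)
INT_NET="192.168.23.0/24"	# network of internal device
INT_DEV=eth1			# internal device name

# iface_ip <device>: print the IPv4 address ifconfig shows for <device>
# (net-tools "inet addr:" output format); prints nothing when there is none
iface_ip()
{
  $IFCONFIG "$1" | $GREP "inet addr" | $SED -e "s/.*inet addr://" -e "s/\\s*Bcast.*//"
}
# determine the IPs of the internal and external interface
EXT_IP=$(iface_ip "$EXT_DEV")
INT_IP=$(iface_ip "$INT_DEV")
# some important IPs for NAT
WEBSERVER_IP=192.168.23.35
SSHSERVER_IP=192.168.23.34
SSHSERVER2_IP=192.168.23.10
BEFS_RECHNER=192.168.23.98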


### functions ###
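#######################################
# Run iptables with the given arguments and remember a failure in CHECK,
# so the status line printed at the end of start/stop reports it.
# Globals:   IPTABLES_CMD (read), CHECK (set to "false" on failure)
# Arguments: the iptables argument list, passed through unchanged
#            ("$@" keeps arguments containing spaces intact, e.g. comments)
# Returns:   0 always; failures are only recorded in CHECK
#######################################
IPTABLES_FUNC()
{
  $IPTABLES_CMD "$@" || CHECK="false"
}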


# rule functions
# called by
#	rule_xxx <tcp|udp> <port> [affected network]
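# rule_out <tcp|udp> <port> [network]
# Allow connections from this host to <port> (OUTPUT) and the replies back
# in (INPUT, matched by source port); with a network, replies are accepted
# only from that network. A missing protocol or port is reported, recorded
# in CHECK and the function returns 1 without issuing a rule.
rule_out()
{
  if [ -z "$1" ] || [ -z "$2" ]; then
    echo "rule_out: usage: rule_out <tcp|udp> <port> [network]" >&2
    CHECK="false"
    return 1
  fi
  $IPTABLES -A OUTPUT -p "$1" --dport "$2" -j ACCEPT
  # the optional -s must only appear when a network was given
  if [ -n "$3" ]; then
    $IPTABLES -A INPUT -p "$1" --sport "$2" -s "$3" -j ACCEPT
  else
    $IPTABLES -A INPUT -p "$1" --sport "$2" -j ACCEPT
  fi
}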
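# rule_in <tcp|udp> <port> [network]
# Allow connections to <port> on this host (INPUT) and the replies back out
# (OUTPUT, matched by source port); with a network, only that network may
# connect. A missing protocol or port is reported, recorded in CHECK and
# the function returns 1 without issuing a rule.
rule_in()
{
  if [ -z "$1" ] || [ -z "$2" ]; then
    echo "rule_in: usage: rule_in <tcp|udp> <port> [network]" >&2
    CHECK="false"
    return 1
  fi
  $IPTABLES -A OUTPUT -p "$1" --sport "$2" -j ACCEPT
  # the optional -s must only appear when a network was given
  if [ -n "$3" ]; then
    $IPTABLES -A INPUT -p "$1" --dport "$2" -s "$3" -j ACCEPT
  else
    $IPTABLES -A INPUT -p "$1" --dport "$2" -j ACCEPT
  fi
}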



### rc code ###
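### rc code ###

# nat_tcp <external port> <internal ip> <internal port>
# DNAT a tcp port on the external address to an internal host and admit the
# forwarded connection ahead of the NEW-from-outside DROP rule. The FORWARD
# rule has to match the port *after* translation (the internal port): DNAT
# happens in PREROUTING, so FORWARD never sees the external port.
nat_tcp()
{
  $IPTABLES -t nat -A PREROUTING -i "$EXT_DEV" -p tcp -d "$EXT_IP" --dport "$1" -j DNAT --to "$2:$3"
  $IPTABLES -I FORWARD -i "$EXT_DEV" -p tcp -d "$2" --dport "$3" -j ACCEPT
}

# fw_start: load the complete ruleset. Every iptables call goes through
# $IPTABLES, which records a failure in CHECK; the status line is printed
# after the last rule so that the NAT section is covered by it as well.
fw_start()
{
  ### ipchains/tables modules & forward ###
  if $LSMOD | $GREP -q ipchains; then
    rmmod ipchains
  fi
  echo 1 >/proc/sys/net/ipv4/ip_forward
  ### basic rule configuration ###
  # flush
  $IPTABLES -F
  $IPTABLES -F -t nat
  # policies
  $IPTABLES -P INPUT DROP
  $IPTABLES -P FORWARD ACCEPT
  $IPTABLES -P OUTPUT DROP
  # loopback: with DROP policies on INPUT/OUTPUT nothing else lets local
  # services talk to each other on this host
  $IPTABLES -A INPUT -i lo -j ACCEPT
  $IPTABLES -A OUTPUT -o lo -j ACCEPT


  ### MASQ ###
  # masquerade outbound: from apu to the internet -> source address is always apu
  #$IPTABLES -t nat -A POSTROUTING -o $EXT_DEV -j MASQUERADE
  # masquerade inbound: from apu to 192.168.23.0/24 -> source address apu,
  # but not when the target host is the sun!
  #$IPTABLES -t nat -A POSTROUTING -o $INT_DEV -d ! $SSHSERVER_IP -j MASQUERADE


  ### specific rule configuration for INPUT/OUTPUT ###
  # ping in
  #$IPTABLES -A INPUT -p icmp --icmp-type echo-request -s $INT_NET -j ACCEPT
  #$IPTABLES -A OUTPUT -p icmp --icmp-type echo-reply -d $INT_NET -j ACCEPT
  #$IPTABLES -A INPUT -p icmp --icmp-type echo-request -s $EXT_NET -j ACCEPT
  #$IPTABLES -A OUTPUT -p icmp --icmp-type echo-reply -d $EXT_NET -j ACCEPT
  # let ping from road warriors and from world to bitsnbugs.myip.org
  $IPTABLES -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
  $IPTABLES -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
  # ping out
  $IPTABLES -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
  $IPTABLES -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT


  # ssh
  #rule_in tcp 22 $INT_NET
  # for vpn !!!
  rule_in tcp 22
  rule_out tcp 22
  # mail
  rule_out tcp 25
  rule_in tcp 25
  # dns
  rule_out udp 53
  rule_in udp 53
  # www out
  rule_out tcp 80
  # ftp out
  rule_out tcp 21
  # telnet out
  rule_out tcp 23
  # dhcp
  rule_in udp 67
  # proxy
  #rule_in tcp 8889
  ### IPSEC SECTION ###
  # isakmp/ike
  rule_in udp 500
  rule_out udp 500
  # esp
  $IPTABLES -A INPUT -p 50 -j ACCEPT
  $IPTABLES -A OUTPUT -p 50 -j ACCEPT
  # icmp
  $IPTABLES -A OUTPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
  $IPTABLES -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
  $IPTABLES -A FORWARD -p icmp --icmp-type destination-unreachable -j ACCEPT
  # fragments
  # NOTE(review): -f matches second and later fragments only; with the state
  # module in use below the kernel is expected to reassemble packets before
  # the filter table sees them, so these three rules are probably never hit
  # -- confirm before relying on them
  $IPTABLES -I FORWARD -f -j ACCEPT
  $IPTABLES -A INPUT -f -j ACCEPT
  $IPTABLES -A OUTPUT -f -j ACCEPT


  ### specific rule configuration for FORWARD ###
  ### stateful firewall ###
  $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPTABLES -A FORWARD -m state --state NEW -i "$EXT_DEV" -j DROP
  ### allow incoming active ftp-traffic
  # NOTE(review): this admits every connection from external source port 20
  # to any internal host and port, not only ftp data channels; the kernel's
  # ftp connection-tracking helper together with the RELATED rule above
  # would cover active ftp more tightly
  $IPTABLES -I FORWARD -i "$EXT_DEV" -p tcp --sport 20 -j ACCEPT


  ### disable irc for michi :-) ###
  # $IPTABLES -A FORWARD -p tcp -s $INT_NET --dport 6667 -j DROP


  ### NAT SECTION ###
  # the DNAT rules match on the external address; without one they would be
  # malformed, so skip the section and let the status line report a failure
  if [ -z "$EXT_IP" ]; then
    echo "no IPv4 address found on $EXT_DEV, NAT rules not loaded" >&2
    CHECK="false"
  else
    # www
    nat_tcp 80 "$WEBSERVER_IP" 80
    # www to BeF's machine on port 768
    #nat_tcp 768 "$BEFS_RECHNER" 80
    # ssh
    nat_tcp 22 "$SSHSERVER_IP" 22
    # telnet
    nat_tcp 767 "$SSHSERVER_IP" 767
    # ssh to the BSD box: external 766 -> internal 22 (the FORWARD rule used
    # to match --dport 766 and therefore never saw the translated packets)
    nat_tcp 766 "$SSHSERVER2_IP" 22
  fi


  ### loadproc prints done/failed
  printf '%s' "starting firewall"; loadproc "$CHECK"
}

# fw_stop: flush all rules, open the policies and switch forwarding off.
fw_stop()
{
  # flush
  $IPTABLES -F
  $IPTABLES -F -t nat
  # policies
  $IPTABLES -P INPUT ACCEPT
  $IPTABLES -P FORWARD ACCEPT
  $IPTABLES -P OUTPUT ACCEPT
  # disable forwarding
  echo 0 >/proc/sys/net/ipv4/ip_forward


  ### loadproc prints done/failed
  printf '%s' "shutting down firewall"; loadproc "$CHECK"
}

case "$1" in
  start)
    fw_start
    ;;
  stop)
    fw_stop
    ;;
  restart)
    "$0" stop
    "$0" start
    ;;
  *)
    echo "USAGE: $0 {start|stop|restart}" >&2
    exit 1
    ;;
esac
####################### END #########################
exit 0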