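#!/bin/bash
#
# iptables firewall control script.
#
# Usage: firewall up|down|lock|reload|list|listall|mangle|nat|traffic
#
#   up       set DROP policies, flush everything and load the ruleset
#   down     flush everything and set all policies to ACCEPT (firewall open)
#   lock     set all policies to DROP and flush everything (nothing passes)
#   reload   rebuild the ruleset in place (same as up, NAT sysctls reset first)
#   list     show INPUT/OUTPUT/FORWARD and the nat table
#   listall  show every filter chain
#   mangle   show the mangle table
#   nat      show the nat table
#   traffic  show the connection tracking table
#
# Everything here runs as root and talks to the kernel through $IPT and
# /proc/sys. "up" and "reload" replace the live ruleset.
#
# -e is deliberately not set: an individual iptables call that fails (for
# example a match/target module this kernel lacks) must not abort half-way
# through loading, because that would leave a partial ruleset behind.
set -u

IPT=/usr/sbin/iptables   # Path to iptables

###################################################################################
#                                 CONFIGURATION                                   #
###################################################################################

#----------------------------#
#         FUNCTIONS          #
#----------------------------#
# This section defines the basic functions your firewall will provide. You will most
# likely want to keep the default settings for PROC_TWEAKS, BASIC_PROTECTION, ICMP_TRAFFIC,
# and TOS_TWEAKS. There are options for two different forms of NAT. The standard SNAT
# function should be enabled if you have a static (or semi-static) IP address assigned by your
# ISP. The MASQ NAT is a specialized form of SNAT called masquerading and should be enabled
# if you have a non-static IP assigned by your ISP. These two forms of NAT are mutually
# exclusive and cannot both be enabled. Trying to enable both the SNAT and MASQ options
# will result in neither being enabled. The last option called BANNED_IPS is for enabling
# a list of IPs which you do not wish to allow through the firewall in any case. To enable
# this function, give the full path & filename of the text file which contains the list.
# This text file must contain one IP address (or network) per line; blank lines and
# lines starting with '#' are ignored.

WANIFACE=eth0        # WAN interface designation (to internet)
LANIFACE=eth0        # LAN interface designation (to hub/switch)
LAN=85.214.73.215    # Address or network that is trusted unconditionally
# NOTE(review): LANIFACE is the same interface as WANIFACE and LAN is a single
# address, so the "Allow all LAN" rules below are keyed on the source address
# alone. rp_filter (set by PROC_TWEAKS) is what stops a spoofed $LAN source on
# that interface from being trusted -- confirm this is the intended topology.

PROC_TWEAKS=ON        # ON, OFF        Turn OFF only for troubleshooting!
BASIC_PROTECTION=ON   # ON, OFF        Basic protective ruleset. Turn OFF only for troubleshooting!
IANA_RESERVED=ON      # ON, OFF        Deny the IANA reserved /8 list (see iana_reserved: list is from 2003)
ICMP_TRAFFIC=LIMIT    # ON, LIMIT, OFF Sets flow of ICMP traffic. LIMIT is recommended
TOS_TWEAKS=ON         # ON, OFF        Packet mangling to improve network performance in and out
SNAT=OFF              # ON, OFF        Standard one to many SNAT for static WAN side IPs
MASQ=OFF              # ON, OFF        Masquerading SNAT for non-static WAN side IPs
#BANNED_IPS=/etc/fw_bann   # NONE, PATH  Full path & filename of the text file containing the banned IP list
BANNED_IPS=NONE

#----------------------------#
#          SERVICES          #
#----------------------------#
# This section defines the host services which you wish to allow through the firewall.
# The sole exception to this is the SQUID option. When enabled, this will transparently
# redirect local http traffic to the Squid Proxy.
#
# When you set a service to ON, the firewall will allow access to the standard ports for
# that service on the system running this firewall. If you wish to allow access to another
# system on your LAN running this host service, list the IP address of that system as the
# configuration option instead of ON or OFF. The firewall will then automatically port
# forward the standard port(s) for that service to the IP address listed.

SNMP=OFF     # ON, OFF, IP  Simple Network Management Protocol (udp 161/162)
SAMBA=OFF    # ON, OFF, IP  SMB/NetBIOS (ON opens 135:139 to $LAN only)
WEBMIN=OFF   # ON, OFF, IP  Webmin (ON is restricted to two fixed admin addresses)
FTP=OFF      # ON, OFF, IP  File Transfer Protocol
SSH=ON       # ON, OFF, IP  Secure Shell
SMTP=OFF     # ON, OFF, IP  Simple Mail Transfer Protocol
DNS=OFF      # ON, OFF, IP  Domain Name Service
TFTP=OFF     # ON, OFF, IP  Trivial File Transfer Protocol
HTTP=ON      # ON, OFF, IP  Hypertext Transfer Protocol
AUTH=OFF     # ON, OFF, IP  Authentication Service
POP3=OFF     # ON, OFF, IP  Post Office Protocol version 3
NNTP=OFF     # ON, OFF, IP  Network News Transfer Protocol
NTP=OFF      # ON, OFF, IP  Network Time Protocol
IMAP4=OFF    # ON, OFF, IP  Interim Mail Access Protocol version 4
LDAP=OFF     # ON, OFF, IP  Lightweight Directory Access Protocol
SSL=OFF      # ON, OFF, IP  Secure Sockets Layer
SQUID=OFF    # ON, OFF, IP  Transparent redirect Squid Web Proxy Cache

# If there are other incoming ports which you wish to allow and are not listed in the options
# above, add them to the following variables below. Ports should be separated by a space
# unless you wish to specify a range. To specify a range you should separate the port range
# with a colon. Here is an example to illustrate: TCP_PORTS="22 53 80 4000:4100 5000"
TCP_PORTS="OFF"   # OFF, PORTS
UDP_PORTS="OFF"   # OFF, PORTS

# Filled in by firewall_up from the interfaces above.
WANIP=
WANBCAST=
LANIP=

###################################################################################
#                                    HELPERS                                      #
###################################################################################

#######################################
# Print a diagnostic line on stderr.
#######################################
warn() {
  printf '%s\n' "$*" >&2
}

#######################################
# Write a value to a /proc/sys entry, silently skipping entries this kernel
# does not have.
# Arguments: $1 - full /proc/sys path
#            $2 - value to write
#######################################
set_sysctl() {
  local path=$1 value=$2
  if [ -e "$path" ]; then
    printf '%s\n' "$value" > "$path"
  fi
}

#######################################
# First IPv4 address or broadcast address configured on an interface.
# Uses iproute2 when present and otherwise parses ifconfig (both the legacy
# "inet addr:A  Bcast:B" and the current "inet A ... broadcast B" layouts).
# Arguments: $1 - interface name
#            $2 - "addr" or "brd"
# Outputs:   the address on stdout; nothing if the interface has none
#######################################
iface_ipv4() {
  local iface=$1 what=$2
  if command -v ip >/dev/null 2>&1; then
    ip -4 -o addr show dev "$iface" 2>/dev/null | awk -v want="$what" '
      {
        for (i = 1; i <= NF; i++) {
          if (want == "addr" && $i == "inet") { sub(/\/.*$/, "", $(i + 1)); print $(i + 1); exit }
          if (want == "brd"  && $i == "brd")  { print $(i + 1); exit }
        }
      }'
  else
    # $1 == "inet" also keeps inet6 lines out, which the original "grep inet" matched.
    ifconfig "$iface" 2>/dev/null | awk -v want="$what" '
      $1 == "inet" {
        for (i = 2; i <= NF; i++) {
          if (want == "addr" && $i ~ /^addr:/)     { sub(/^addr:/, "", $i); print $i; exit }
          if (want == "addr" && i == 2)            { print $i; exit }
          if (want == "brd"  && $i ~ /^Bcast:/)    { sub(/^Bcast:/, "", $i); print $i; exit }
          if (want == "brd"  && $i == "broadcast") { print $(i + 1); exit }
        }
      }'
  fi
}

#######################################
# Refuse to run unless iptables is present and we are root (every write to
# /proc/sys and every iptables call would otherwise fail one by one).
# Returns: 0 when usable, 1 otherwise
#######################################
require_iptables() {
  if [ ! -x "$IPT" ]; then
    warn "iptables not found at $IPT"
    return 1
  fi
  if [ "$(id -u)" -ne 0 ]; then
    warn "this script must be run as root"
    return 1
  fi
}

#######################################
# Flush, delete and zero every chain in every loaded table.
# Globals: IPT (read)
#######################################
flush_all() {
  local table
  for table in $(cat /proc/net/ip_tables_names 2>/dev/null); do
    "$IPT" -t "$table" -F
    "$IPT" -t "$table" -X
    "$IPT" -t "$table" -Z
  done
  "$IPT" -F
  "$IPT" -X
  "$IPT" -Z
}

#######################################
# Set the policy of the built-in chains.
# Arguments: $1 - policy for the filter table (INPUT FORWARD OUTPUT)
#            $2 - policy for the nat and mangle built-in chains
#######################################
set_policies() {
  local filter_policy=$1 other_policy=$2 chain
  for chain in INPUT FORWARD OUTPUT; do
    "$IPT" -P "$chain" "$filter_policy"
  done
  for chain in PREROUTING POSTROUTING OUTPUT; do
    "$IPT" -t nat -P "$chain" "$other_policy"
  done
  for chain in PREROUTING OUTPUT; do
    "$IPT" -t mangle -P "$chain" "$other_policy"
  done
}

#######################################
# Open or forward one service port according to its configuration value.
# Globals:   IPT, WANIFACE (read)
# Arguments: $1 - protocol (tcp|udp)
#            $2 - port, or colon-separated port range
#            $3 - setting: ON  accept from the WAN on this host
#                          OFF nothing
#                          IP  DNAT the port to that LAN host and allow the forward
#######################################
allow_service() {
  local proto=$1 port=$2 setting=$3
  case "$setting" in
    ON)
      "$IPT" -A INPUT -p "$proto" -i "$WANIFACE" --dport "$port" -j ACCEPT
      ;;
    OFF|'')
      ;;
    *)
      "$IPT" -t nat -A PREROUTING -i "$WANIFACE" -p "$proto" --dport "$port" \
        -j DNAT --to-destination "$setting:$port"
      # -d limits the FORWARD hole to the host the DNAT actually targets.
      "$IPT" -A FORWARD -i "$WANIFACE" -p "$proto" --dport "$port" -d "$setting" -j ACCEPT
      ;;
  esac
}

#######################################
# Accept a space-separated list of ports / port ranges from the WAN on this host.
# One rule per entry: --dport takes a single port or one colon range, so the
# original "--dport $TCP_PORTS" only ever worked for a one-entry list.
# Arguments: $1 - protocol (tcp|udp)
#            $2 - "OFF" or a list such as "22 53 80 4000:4100"
#######################################
allow_ports() {
  local proto=$1 list=$2 port
  case "$list" in
    OFF|'') return 0 ;;
  esac
  # Word-splitting on $list is intended.
  for port in $list; do
    "$IPT" -A INPUT -p "$proto" -i "$WANIFACE" --dport "$port" -j ACCEPT
  done
}

###################################################################################
#                          EXPLOIT PROTECTION & TWEAKS                            #
###################################################################################

#######################################
# Kernel network hardening via /proc/sys. Entries a kernel lacks are skipped,
# which also covers the legacy names kept here for old kernels.
# Globals: WANIFACE (read)
#######################################
proc_tweaks() {
  local entry

  # Disable logging of misc TCP conntracking
  for entry in /proc/sys/net/ipv4/netfilter/ip_ct_tcp_log_*; do
    set_sysctl "$entry" 0
  done

  # Disable proxy arp (needs to be enabled for a DMZ)
  set_sysctl /proc/sys/net/ipv4/conf/all/proxy_arp 0

  # Ignore bogus ICMP error responses
  set_sysctl /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses 1

  # TCP SYN cookies: keep accepting connections under a SYN flood
  set_sysctl /proc/sys/net/ipv4/tcp_syncookies 1

  # Source address verification on every interface (anti-spoofing)
  for entry in /proc/sys/net/ipv4/conf/*/rp_filter; do
    set_sysctl "$entry" 1
  done

  # Refuse source-routed packets
  for entry in /proc/sys/net/ipv4/conf/*/accept_source_route; do
    set_sysctl "$entry" 0
  done

  # Disable TCP Explicit Congestion Notification (the original wrote this twice)
  set_sysctl /proc/sys/net/ipv4/tcp_ecn 0

  # Do not send ICMP redirects (squid_rules turns this back on for the
  # transparent proxy case) and never accept them on the WAN side, so a
  # remote host cannot alter our routing
  set_sysctl /proc/sys/net/ipv4/conf/all/send_redirects 0
  set_sysctl "/proc/sys/net/ipv4/conf/$WANIFACE/send_redirects" 0
  set_sysctl "/proc/sys/net/ipv4/conf/$WANIFACE/accept_redirects" 0

  # Where redirects are accepted at all, only from gateways in the default gateway list
  set_sysctl /proc/sys/net/ipv4/conf/all/secure_redirects 1

  # Ignore broadcast echo requests so we are not a Smurf amplifier
  set_sysctl /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 1

  # Connection tracking: generic timeout 120s (default 600) and a larger table
  # (default 2048). Both the old ip_conntrack and the current nf_conntrack
  # names are tried; only the one this kernel has is written.
  set_sysctl /proc/sys/net/ipv4/netfilter/ip_ct_generic_timeout 120
  set_sysctl /proc/sys/net/netfilter/nf_conntrack_generic_timeout 120
  set_sysctl /proc/sys/net/ipv4/ip_conntrack_max 13001
  set_sysctl /proc/sys/net/netfilter/nf_conntrack_max 13001

  # Martian logging stays off as in the original; setting it to 1 would log
  # packets with impossible source addresses, which helps detect spoofing.
  set_sysctl /proc/sys/net/ipv4/conf/all/log_martians 0

  # Always defragment (entry only exists on old kernels; skipped elsewhere)
  set_sysctl /proc/sys/net/ipv4/ip_always_defrag 1

  # Larger SYN backlog to ride out floods (the original appended with >>)
  set_sysctl /proc/sys/net/ipv4/tcp_max_syn_backlog 4096

  # Enable TCP timestamps
  set_sysctl /proc/sys/net/ipv4/tcp_timestamps 1
}

#######################################
# Fill the ILLEGAL chain: scan flag combinations, directed broadcasts, packets
# spoofing our own address, fragments, untracked packets, non-SYN "new"
# connections and bogon source ranges, all on the WAN interface.
# The chain is created and hooked by firewall_up so iana_reserved can append
# to it even when this function is turned off.
# Globals: IPT, WANIFACE, WANIP, WANBCAST (read)
#######################################
basic_protection() {
  local combo

  # Rate-limit bare RST packets (labelled "furtive port scanner" in the original)
  "$IPT" -A ILLEGAL -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT

  # Flag combinations that do not occur in legitimate traffic; also defeats most scanners
  for combo in "ALL ALL" "ALL NONE" "ALL FIN,URG,PSH" "ALL SYN,RST,ACK,FIN,URG" \
               "SYN,RST SYN,RST" "SYN,FIN SYN,FIN" "FIN,RST FIN,RST" \
               "ACK,FIN FIN" "ACK,PSH PSH" "ACK,URG URG"; do
    # shellcheck disable=SC2086 -- each entry is the two words "MASK COMP"
    "$IPT" -A ILLEGAL -i "$WANIFACE" -p tcp --tcp-flags $combo -j DROP
  done

  # Refuse directed broadcasts used in Smurf/Fraggle type DOS attacks
  "$IPT" -A ILLEGAL -i "$WANIFACE" -d 255.255.255.255 -j DROP
  if [ -n "$WANBCAST" ]; then
    "$IPT" -A ILLEGAL -i "$WANIFACE" -d "$WANBCAST" -j DROP
  fi

  # Anything arriving on the WAN with our own address as source is spoofed
  # (the original also required -d $WANIP, which is redundant for INPUT and
  # would let such packets through FORWARD)
  "$IPT" -A ILLEGAL -i "$WANIFACE" -s "$WANIP" -j DROP

  # Drop fragments
  "$IPT" -A ILLEGAL -i "$WANIFACE" -f -j DROP

  # Packets conntrack cannot associate with any connection
  "$IPT" -A ILLEGAL -i "$WANIFACE" -m state --state INVALID -j DROP

  # A NEW tcp connection must start with a SYN
  "$IPT" -A ILLEGAL -i "$WANIFACE" -p tcp ! --syn -m state --state NEW -j DROP

  # Source ranges that cannot legitimately appear on the WAN
  local -a bogons=(
    255.255.255.255/32  # Broadcast
    127.0.0.0/8         # Loopback
    169.254.0.0/16      # Link local
    192.0.2.0/24        # TEST-NET
    248.0.0.0/5         # Unallocated
    10.0.0.0/8          # RFC 1918
    172.16.0.0/12       # RFC 1918 (the original had /16, which only covers 172.16.x.x)
    192.168.0.0/16      # RFC 1918
    224.0.0.0/4         # Multicast
    240.0.0.0/5         # Class E reserved
  )
  local net
  for net in "${bogons[@]}"; do
    "$IPT" -A ILLEGAL -i "$WANIFACE" -s "$net" -j DROP
  done
}

#######################################
# Drop the /8 blocks IANA listed as reserved or unallocated when this list was
# written (RFC1466, RFC1918, RFC3330; http://www.iana.org/assignments/ipv4-address-space,
# last updated 2003-04-05). Most of these have since been allocated, so with
# IANA_RESERVED=ON traffic from legitimate networks is dropped -- the configured
# LAN address 85.214.73.215 itself lies in 85/8, which is on this list and is
# only reachable because the LAN rule is evaluated first. Refresh the list
# against the current IANA registry before relying on it.
# Globals: IPT, WANIFACE (read)
#######################################
iana_reserved() {
  local -a reserved=(0 1 2 5 7 23 27 31 36 37 39 41 42 58 59 70 71 72 73 74 75 76 77
    78 79 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105
    106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125
    126 127 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 189 190 197
    223 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255)
  local net
  for net in "${reserved[@]}"; do
    "$IPT" -A ILLEGAL -i "$WANIFACE" -s "$net.0.0.0/8" -j DROP
  done
}

#######################################
# Build the BANNED chain from a file with one address or network per line
# (blank lines and '#' comments skipped) and hook it into INPUT and FORWARD.
# Globals:   IPT, BANNED_IPS (read)
# Returns:   1 if the file does not exist
#######################################
banned_ips() {
  local ban
  if [ ! -e "$BANNED_IPS" ]; then
    warn ""
    warn "The BANNED_IPS option is enabled but the actual file,"
    warn "\"$BANNED_IPS\" cannot be found."
    warn "Make sure the BANNED_IPS variable includes the full"
    warn "path and filename or set it to NONE to disable."
    warn ""
    return 1
  fi
  "$IPT" -N BANNED
  "$IPT" -F BANNED
  # "|| [ -n ... ]" still processes a last line that lacks a trailing newline
  while IFS= read -r ban || [ -n "$ban" ]; do
    case "$ban" in
      ''|\#*) continue ;;
    esac
    "$IPT" -A BANNED -s "$ban" -j DROP
  done < "$BANNED_IPS"
  "$IPT" -A INPUT -j BANNED
  "$IPT" -A FORWARD -j BANNED
}

#######################################
# TOS marking for interactive vs bulk protocols, on LAN ingress and WAN egress.
#   (0x00) Normal-Service 0   (0x02) Minimize-Cost 2   (0x04) Maximize-Reliability 4
#   (0x08) Maximize-Throughput 8   (0x10) Minimize-Delay 16
# Globals: IPT, LANIFACE, WANIFACE (read)
#######################################
tos_tweaks() {
  local chain spec proto port tos
  # "proto port tos"
  local -a table=("tcp 20 8" "tcp 21 16" "tcp 22 16" "tcp 25 16"
                  "tcp 53 16" "udp 53 16" "tcp 80 8")
  for chain in MANGLE_OUTPUT MANGLE_PREROUTING; do
    "$IPT" -t mangle -N "$chain"
    "$IPT" -t mangle -F "$chain"
    for spec in "${table[@]}"; do
      read -r proto port tos <<<"$spec"
      "$IPT" -t mangle -A "$chain" -p "$proto" --dport "$port" -j TOS --set-tos "$tos"
    done
  done
  "$IPT" -t mangle -A PREROUTING -i "$LANIFACE" -j MANGLE_PREROUTING
  "$IPT" -t mangle -A OUTPUT -o "$WANIFACE" -j MANGLE_OUTPUT
}

###################################################################################
#                            ALLOWED NETWORK TRAFFIC                              #
###################################################################################

#######################################
# One-to-many SNAT for a static WAN address.
# Globals: IPT, LAN, WANIFACE, WANIP (read)
#######################################
enable_snat() {
  set_sysctl /proc/sys/net/ipv4/ip_dynaddr 0
  set_sysctl /proc/sys/net/ipv4/ip_forward 1
  "$IPT" -t nat -A POSTROUTING -s "$LAN" -o "$WANIFACE" -j SNAT --to-source "$WANIP"
}

#######################################
# Masquerading for a dynamic WAN address.
# Globals: IPT, WANIFACE (read)
#######################################
enable_masq() {
  set_sysctl /proc/sys/net/ipv4/ip_dynaddr 1
  set_sysctl /proc/sys/net/ipv4/ip_forward 1
  "$IPT" -t nat -A POSTROUTING -o "$WANIFACE" -j MASQUERADE
}

#######################################
# Pick the NAT mode from SNAT/MASQ; both ON is a configuration error and
# leaves NAT off, as documented in the CONFIGURATION section.
# NOTE(review): ip_forward is only switched on here, so the per-service
# port forwarding (DNAT) does not work unless SNAT or MASQ is also ON or
# forwarding is enabled elsewhere -- confirm.
# Globals: SNAT, MASQ (read)
#######################################
setup_nat() {
  case "$SNAT,$MASQ" in
    ON,OFF) enable_snat ;;
    OFF,ON) enable_masq ;;
    ON,ON)
      warn ""
      warn "You cannot enable both the SNAT and MASQ options in the firewall."
      warn "If you have a static IP, then enable the SNAT option only. If you"
      warn "have a non-static IP, enable the MASQ option only. Right now, you"
      warn "do not have any form of NAT running. Check the CONFIGURATION"
      warn "section in the firewall and try again."
      warn ""
      ;;
  esac
}

#######################################
# Inbound ICMP from the WAN according to ICMP_TRAFFIC.
#   ON    accept all ICMP
#   LIMIT accept only types 3 (destination unreachable), 4 (source quench),
#         11 (time exceeded) and 12 (parameter problem). Despite the name no
#         rate limit is applied. Echo requests (8) are not accepted, so the
#         host does not answer pings from the WAN; replies to our own pings
#         arrive as ESTABLISHED and pass the state rule.
#   OFF   nothing (ICMP falls through to the DROP policy)
# Globals: IPT, WANIFACE, ICMP_TRAFFIC (read)
#######################################
setup_icmp() {
  local type
  case "$ICMP_TRAFFIC" in
    ON)
      "$IPT" -A INPUT -i "$WANIFACE" -p icmp -j ACCEPT
      ;;
    LIMIT)
      "$IPT" -N ICMP
      "$IPT" -F ICMP
      for type in 3 4 11 12; do
        "$IPT" -A ICMP -i "$WANIFACE" -p icmp --icmp-type "$type" -j ACCEPT
      done
      "$IPT" -A INPUT -i "$WANIFACE" -p icmp -j ICMP
      ;;
  esac
}

#######################################
# Webmin: ON is reachable from two fixed admin addresses only; an IP setting
# is forwarded like any other service.
# NOTE(review): the ON rules carry no -i, so they also match on the LAN side.
# Globals: IPT, WEBMIN (read)
#######################################
webmin_rules() {
  case "$WEBMIN" in
    ON)
      "$IPT" -A INPUT -p tcp -s 80.109.144.142 --dport 10000 -j ACCEPT
      "$IPT" -A INPUT -p tcp -s 80.109.144.140 --dport 10000 -j ACCEPT
      ;;
    *)
      allow_service tcp 10000 "$WEBMIN"
      ;;
  esac
}

#######################################
# Samba: ON opens 135:139 tcp/udp to $LAN only (SMB is never exposed to the
# WAN); an IP setting forwards 135 and 136 tcp/udp to that host.
# NOTE(review): the forwarded set (135-136) is narrower than the ON set
# (135-139) and omits 445, as in the original -- confirm which ports the
# target host actually serves. The original's last FORWARD rule used 135 for
# the udp/136 DNAT; the loop fixes that.
# Globals: IPT, LAN, SAMBA (read)
#######################################
samba_rules() {
  local port
  case "$SAMBA" in
    ON)
      "$IPT" -A INPUT -p tcp -s "$LAN" --dport 135:139 -j ACCEPT
      "$IPT" -A INPUT -p udp -s "$LAN" --dport 135:139 -j ACCEPT
      ;;
    *)
      for port in 135 136; do
        allow_service tcp "$port" "$SAMBA"
        allow_service udp "$port" "$SAMBA"
      done
      ;;
  esac
}

#######################################
# Transparent Squid proxy for LAN web traffic.
#   ON  redirect LAN port 80 to Squid on this host (3128)
#   IP  send LAN port 80 to Squid on that host. REDIRECT only takes
#       --to-ports, not an address, so this has to be a DNAT (the original
#       used "REDIRECT --to $SQUID:3128").
# NOTE(review): per ip-sysctl, send_redirects is effective when either
# conf/all or conf/<iface> is set, so the ON case also overrides the WAN-side
# 0 written by proc_tweaks.
# Globals: IPT, LANIFACE, LAN, SQUID (read)
#######################################
squid_rules() {
  case "$SQUID" in
    ON)
      set_sysctl /proc/sys/net/ipv4/conf/all/send_redirects 1
      "$IPT" -t nat -A PREROUTING -i "$LANIFACE" -s "$LAN" -p tcp --dport 80 \
        -j REDIRECT --to-ports 3128
      ;;
    OFF|'')
      ;;
    *)
      "$IPT" -t nat -A PREROUTING -i "$LANIFACE" -s "$LAN" -p tcp --dport 80 \
        -j DNAT --to-destination "$SQUID:3128"
      ;;
  esac
}

###################################################################################
#                          FIREWALL LOADING FUNCTIONS                             #
###################################################################################

#######################################
# Load the complete ruleset. Rule order in INPUT/FORWARD is:
# ESTABLISHED,RELATED -> LAN allow -> lo -> ILLEGAL -> BANNED -> ICMP -> services,
# matching the original's effective order after its -I inserts.
# Globals: reads the CONFIGURATION variables; writes WANIP, WANBCAST, LANIP
# Returns: 1 if iptables is unusable or the WAN address cannot be determined
#######################################
firewall_up() {
  require_iptables || return 1

  #----------------------------#
  #         AUTOCONFIG         #
  #----------------------------#
  WANIP=$(iface_ipv4 "$WANIFACE" addr)
  WANBCAST=$(iface_ipv4 "$WANIFACE" brd)
  LANIP=$(iface_ipv4 "$LANIFACE" addr)
  if [ -z "$WANIP" ]; then
    # With an empty address the anti-spoof and SNAT rules would be rejected
    # by iptables and silently missing; stop before touching anything.
    warn "cannot determine the IPv4 address of $WANIFACE; firewall not changed"
    return 1
  fi
  echo "WAN IP: $WANIP"
  echo "LAN IP: $LANIP"

  ###################################################################################
  #                        FLUSH TABLES & SET POLICIES                              #
  ###################################################################################
  # Filter policies go to DROP before the flush, so there is no moment with
  # empty chains and ACCEPT policies while the ruleset is rebuilt.
  set_policies DROP ACCEPT
  flush_all
  rm -f /var/lock/subsys/iptables

  if [ "$PROC_TWEAKS" = "ON" ]; then
    proc_tweaks
  fi

  #----------------------------#
  #        LOCAL TRAFFIC       #
  #----------------------------#
  # Allow all existing connections
  "$IPT" -A INPUT   -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
  "$IPT" -A FORWARD -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
  "$IPT" -A OUTPUT  -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT

  # Allow all LAN (evaluated before ILLEGAL/BANNED, as in the original)
  "$IPT" -A INPUT   -p ALL -i "$LANIFACE" -s "$LAN" -j ACCEPT
  "$IPT" -A FORWARD -p ALL -i "$LANIFACE" -s "$LAN" -j ACCEPT
  "$IPT" -A OUTPUT  -p ALL -o "$WANIFACE" -j ACCEPT
  "$IPT" -A OUTPUT  -p ALL -o "$LANIFACE" -j ACCEPT

  # Allow localhost
  "$IPT" -A INPUT   -i lo -j ACCEPT
  "$IPT" -A FORWARD -i lo -s "$LAN" -j ACCEPT
  "$IPT" -A OUTPUT  -p ALL -o lo -j ACCEPT

  #-----------------------------------------#
  #     Basic Protections / IANA Reserved   #
  #-----------------------------------------#
  if [ "$BASIC_PROTECTION" = "ON" ] || [ "$IANA_RESERVED" = "ON" ]; then
    "$IPT" -N ILLEGAL
    if [ "$BASIC_PROTECTION" = "ON" ]; then
      basic_protection
    fi
    if [ "$IANA_RESERVED" = "ON" ]; then
      iana_reserved
    fi
    # Hooked for every protocol (the original jumped only with -p tcp, so UDP
    # and ICMP from spoofed or bogon sources skipped the chain) and for
    # forwarded traffic as well as traffic addressed to this host.
    "$IPT" -A INPUT   -i "$WANIFACE" -j ILLEGAL
    "$IPT" -A FORWARD -i "$WANIFACE" -j ILLEGAL
  fi

  #-----------------------------------------#
  #               Banned List               #
  #-----------------------------------------#
  if [ "$BANNED_IPS" != "NONE" ]; then
    banned_ips
  fi

  #-----------------------------------------#
  #               TOS Tweaks                #
  #-----------------------------------------#
  if [ "$TOS_TWEAKS" = "ON" ]; then
    tos_tweaks
  fi

  #----------------------------#
  #        1 to MANY NAT       #
  #----------------------------#
  setup_nat

  #----------------------------#
  #        ICMP TRAFFIC        #
  #----------------------------#
  setup_icmp

  #----------------------------#
  #       UNCOMMON PORTS       #
  #----------------------------#
  allow_ports tcp "$TCP_PORTS"
  allow_ports udp "$UDP_PORTS"

  #------ UT2k ---------
  "$IPT" -A INPUT -p udp -i "$WANIFACE" --dport 7777:7800 -j ACCEPT
  "$IPT" -A INPUT -p tcp -i "$WANIFACE" --dport 28902 -j ACCEPT
  "$IPT" -A INPUT -p tcp -i "$WANIFACE" --dport 10001 -j ACCEPT

  #----------------------------#
  #          SERVICES          #
  #----------------------------#
  # FTP: passive-mode data connections additionally need the FTP conntrack
  # helper (ip_conntrack_ftp / nf_conntrack_ftp) loaded.
  allow_service tcp 20 "$FTP"
  allow_service tcp 21 "$FTP"
  webmin_rules
  # (the original SNMP_WAN also printed a stray "ACCEPT EDONKEY" debug line)
  allow_service udp 161 "$SNMP"
  allow_service udp 162 "$SNMP"
  # SSH and SMTP are TCP only; the original also opened udp/22 and udp/25
  allow_service tcp 22 "$SSH"
  samba_rules
  allow_service tcp 25 "$SMTP"
  # udp only, as in the original; tcp/53 (large answers, zone transfers) is not opened
  allow_service udp 53 "$DNS"
  # TFTP runs over UDP; the original opened tcp/69
  allow_service udp 69 "$TFTP"
  allow_service tcp 80 "$HTTP"
  allow_service tcp 113 "$AUTH"
  allow_service tcp 110 "$POP3"
  allow_service tcp 119 "$NNTP"
  allow_service udp 123 "$NTP"
  allow_service tcp 143 "$IMAP4"
  allow_service tcp 389 "$LDAP"
  allow_service tcp 443 "$SSL"
  squid_rules

  echo "<< SYSTEM IS PROTECTED >> All tables loaded and policies in place"
}

#######################################
# Open the firewall: flush everything, ACCEPT everywhere, forwarding off.
# (In the original this body had lost its "firewall_down()" header and ran
# as a bare group at load time, flushing the firewall on every invocation.)
#######################################
firewall_down() {
  require_iptables || return 1
  flush_all
  set_policies ACCEPT ACCEPT
  set_sysctl /proc/sys/net/ipv4/ip_forward 0
  set_sysctl /proc/sys/net/ipv4/ip_dynaddr 0
  rm -f /var/lock/subsys/iptables
  echo "<< SYSTEM IS OPEN >> All tables flushed and policies set to ACCEPT"
}

#######################################
# Lock the host down: DROP policies everywhere and no rules. Policies are set
# before the flush, so unlike the original (down, then DROP) there is no
# window with ACCEPT policies.
#######################################
firewall_lock() {
  require_iptables || return 1
  set_policies DROP DROP
  flush_all
  set_sysctl /proc/sys/net/ipv4/ip_forward 0
  set_sysctl /proc/sys/net/ipv4/ip_dynaddr 0
  rm -f /var/lock/subsys/iptables
  echo "<< SYSTEM IS LOCKED DOWN >> All tables flushed and policies set to DROP"
}

#######################################
# Rebuild the ruleset in place. firewall_up already sets DROP policies before
# flushing, so the original's down-then-up (with an open window) is not
# needed; the NAT sysctls are reset as firewall_down did.
#######################################
firewall_reload() {
  set_sysctl /proc/sys/net/ipv4/ip_forward 0
  set_sysctl /proc/sys/net/ipv4/ip_dynaddr 0
  firewall_up
}

#######################################
# Show every filter chain with counters and rule numbers.
#######################################
firewall_list_all() {
  clear
  "$IPT" -L -v -n --line-numbers | more
}

#######################################
# Show INPUT, OUTPUT, FORWARD and the nat table, one after the other.
#######################################
firewall_list() {
  local chain
  clear
  for chain in INPUT OUTPUT FORWARD; do
    echo; echo
    "$IPT" -L "$chain" -v -n --line-numbers | more
  done
  echo; echo
  echo "    << NETWORK ADDRESS TRANSLATION >>"
  echo; echo
  "$IPT" -t nat -L -v -n --line-numbers | more
  echo; echo
}

#######################################
# Show the mangle table.
#######################################
firewall_mangle() {
  clear
  "$IPT" -L -t mangle --line-numbers | more
}

#######################################
# Show the nat table with counters and rule numbers.
#######################################
firewall_nat() {
  clear
  "$IPT" -t nat -L -v -n --line-numbers | more
}

#######################################
# Show the connection tracking table. The file moved from
# /proc/net/ip_conntrack to /proc/net/nf_conntrack on newer kernels.
# Returns: 1 if neither file is readable
#######################################
firewall_traffic() {
  local table
  clear
  for table in /proc/net/nf_conntrack /proc/net/ip_conntrack; do
    if [ -r "$table" ]; then
      more "$table"
      return 0
    fi
  done
  warn "no connection tracking table found under /proc/net"
  return 1
}

case "${1-}" in
  up)      firewall_up ;;
  down)    firewall_down ;;
  lock)    firewall_lock ;;
  reload)  firewall_reload ;;
  list)    firewall_list ;;
  listall) firewall_list_all ;;
  mangle)  firewall_mangle ;;
  nat)     firewall_nat ;;
  traffic) firewall_traffic ;;
  *)       echo "usage $0 up|down|lock|reload|list|listall|mangle|nat|traffic" >&2 ;;
esac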