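#!/bin/sh
# swingfield@atl.co.nz
#
# /etc/firewall/firewall.rc -- iptables ruleset for a two-interface gateway
# (internal eth0 / external eth1) with an optional, currently disabled, DMZ leg.
#
# Overall shape:
#   * INPUT and FORWARD default to DROP, OUTPUT to ACCEPT.
#   * A user chain "firewall" logs and drops whatever falls through.
#   * Kernel forwarding, rp_filter (anti-spoofing) and SYN cookies are enabled.
#   * Inbound services are opened only towards the named hosts (INTBOX, CITRIX,
#     VPN) and, where the service allows it, only from the listed peers.
#   * The final ruleset and a copy of this script are written under /var/log.
#
# Requires: root, iptables (ipt_state/ipt_LOG/iptable_nat), ifconfig and route
# from net-tools, and /proc/sys/net/ipv4.  Kept POSIX sh: no arrays, no [[ ]],
# and no "echo -n" (printf is used for the progress banners instead).
#
# Changes versus the previous revision of this file:
#   * Chain policies are set before the flush, so there is no moment with a
#     permissive policy and an empty ruleset on a first run.
#   * The "drop pings to 210.55.62.247" rule now precedes the generic ICMP
#     echo-request ACCEPT; in the old order it was unreachable.
#   * All expansions are quoted and backticks replaced by $(...).

#-----------------------------------------------------------------------------
# Interfaces, derived addresses and named peers.
#-----------------------------------------------------------------------------
INTIF="eth0"
EXTIF="eth1"
#DMZIF="eth2"

ANY="0/0"
#DMZBOX="192.168.140.23"
INTBOX="210.55.224.130"          # internal server reachable from the AU peers; also takes SMTP
CITRIX="192.168.4.8"             # Citrix ICA server behind DNAT (1494/tcp, 1604/udp)
VPN="210.55.224.131"             # SnapGear VPN server (IPsec / PPTP)
AU1="198.142.221.7"
AU2="198.142.100.148"
AU3="210.54.173.50"
AU4="139.130.52.57"
AU5="203.49.22.192/26"
ROUTER="210.55.62.241"           # upstream router; only SNMP source we accept

#######################################
# Derive IP, netmask and network/mask for an interface from ifconfig/route.
# Arguments: $1 - interface name
# Outputs:   three whitespace-separated fields on stdout: ip mask net/mask
# Notes:     parses net-tools "inet addr:" / "Mask:" output exactly as the
#            original did; "grep inet" will also match inet6 lines on newer
#            ifconfig builds, which is unchanged behaviour.
#######################################
iface_addrs() {
  ifc_ip=$(ifconfig "$1" | grep inet | cut -d : -f 2 | cut -d ' ' -f 1)
  ifc_mask=$(ifconfig "$1" | grep Mask | cut -d : -f 4)
  ifc_net=$(route | grep "$ifc_mask" | grep "$1" | cut -d ' ' -f 1)/$ifc_mask
  printf '%s %s %s\n' "$ifc_ip" "$ifc_mask" "$ifc_net"
}

#######################################
# Populate INTIP/INTMASK/INTNET and EXTIP/EXTMASK/EXTNET (DMZ left disabled).
# Globals: writes the six variables above
#######################################
set_variables() {
  printf '%s' "Setting variables................"
  set -- $(iface_addrs "$INTIF")
  INTIP=$1; INTMASK=$2; INTNET=$3
  set -- $(iface_addrs "$EXTIF")
  EXTIP=$1; EXTMASK=$2; EXTNET=$3
  #set -- $(iface_addrs "$DMZIF")
  #DMZIP=$1; DMZMASK=$2; DMZNET=$3
  echo "..Done"
  echo ""
  echo "INTERNAL $INTIP $INTMASK"
  echo "EXTERNAL $EXTIP $EXTMASK"
  # DMZ variables are commented out above, so this line prints blanks.
  echo "DMZ $DMZIP $DMZMASK"
  echo ""
}

#######################################
# Load the netfilter modules the rules below depend on (state match, LOG,
# NAT/MASQUERADE and the FTP connection-tracking helpers).
#######################################
load_modules() {
  printf '%s' "Loading modules.................."
  for mod in iptable_filter ipt_REJECT iptable_mangle ipt_state iptable_nat \
             ip_conntrack_ftp ip_tables ipt_MASQUERADE ip_conntrack ip_nat_ftp \
             ipt_LOG; do
    modprobe "$mod"
  done
  echo "..Done"
}

#######################################
# Default-deny for inbound and forwarded traffic; outbound is open.
# Done before the flush so a first run never sits on ACCEPT with no rules.
#######################################
set_policy() {
  printf '%s' "Setting policy..................."
  iptables -P INPUT DROP
  iptables -P FORWARD DROP
  iptables -P OUTPUT ACCEPT
  echo "..Done"
}

#######################################
# Empty the filter and nat tables and remove the old "firewall" chain.
#######################################
flush_rules() {
  printf '%s' "Flushing rulesets................"
  iptables -F
  iptables -F -t nat
  # The chain does not exist yet on a first run; that error is expected.
  iptables -X firewall 2>/dev/null
  echo "..Done"
}

#######################################
# Create the terminal log-and-drop chain used by INPUT and FORWARD.
# NOTE(review): the LOG rule is unrate-limited; a flood of unsolicited
# packets will flood syslog too.  "-m limit" (ipt_limit) would bound it.
#######################################
create_chains() {
  printf '%s' "Createing chains................."
  iptables -N firewall
  iptables -A firewall -j LOG --log-level info --log-prefix "firewall:"
  iptables -A firewall -j DROP
  echo "..Done"
}

#######################################
# Rules for traffic addressed to the gateway itself.
#######################################
set_input_rules() {
  printf '%s' "Setting INPUT rules.............."
  # Anything from the internal network arriving on the internal interface.
  iptables -A INPUT -p ALL -i "$INTIF" -s "$INTNET" -j ACCEPT
  iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
  # Replies to connections this host opened, on the external address.
  iptables -A INPUT -p ALL -d "$EXTIP" -m state --state ESTABLISHED,RELATED -j ACCEPT
  # Pings to 210.55.62.247 are dropped.  This must precede the generic
  # echo-request ACCEPT below, otherwise it can never match.
  iptables -A INPUT -p ICMP -s "$ANY" -d 210.55.62.247 --icmp-type 8 -j DROP
  # ICMP: echo reply (0), unreachable (3), redirect (5), time exceeded (11),
  # echo request (8).
  for t in 0 3 5 11 8; do
    iptables -A INPUT -p ICMP -s "$ANY" --icmp-type "$t" -j ACCEPT
  done
  # SSH management only from these two ranges.
  iptables -A INPUT -p TCP -s 210.48.99.0/27 --dport 22 -j ACCEPT
  iptables -A INPUT -p TCP -s 192.168.4.0/24 --dport 22 -j ACCEPT
  # Reject (not drop) ident so remote mail/IRC servers do not stall on it.
  iptables -A INPUT -p TCP -s "$ANY" --dport 113 -j REJECT
  # Silently drop LAN NetBIOS and DHCP chatter so it does not reach the
  # logging chain.
  iptables -A INPUT -p TCP -i "$INTIF" --dport 139 -j DROP
  iptables -A INPUT -p UDP -i "$INTIF" --dport 138 -j DROP
  iptables -A INPUT -p UDP -i "$INTIF" --dport 137 -j DROP
  iptables -A INPUT -p UDP -i "$INTIF" --dport 68 -j DROP
  iptables -A INPUT -p UDP -i "$INTIF" --dport 67 -j DROP
  echo "..Done"
}

#######################################
# Outbound forwarding from the LAN, plus source NAT on the external side.
#######################################
set_forward_rules() {
  printf '%s' "Setting FORWARD rules............"
  #iptables -A FORWARD -s "$INTNET" -d "$DMZNET" -j ACCEPT
  iptables -A FORWARD -s "$INTNET" -d "$ANY" -j ACCEPT
  # NOTE(review): no "-i $INTIF" on this rule; it relies on rp_filter (set
  # later in this script) to keep externally arriving 192.168/16 sources out.
  iptables -A FORWARD -s 192.168.0.0/16 -d "$ANY" -j ACCEPT
  # SNAT the private range to 210.55.62.242 when leaving via the external
  # interface, except for traffic to the router.  "-d ! addr" is the old
  # negation spelling; newer iptables accepts it with a deprecation warning
  # and prefers "! -d addr".
  iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -d ! 210.55.62.241 \
    -o "$EXTIF" -j SNAT --to 210.55.62.242
  iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  echo "..Done"
}

#######################################
# Placeholder: OUTPUT policy is ACCEPT and no OUTPUT rules are defined.
#######################################
set_output_rules() {
  printf '%s' "Setting OUTPUT rules............."
  echo "..Done"
}

#######################################
# Kernel-side settings: routing between interfaces, reverse-path filtering
# (source-address spoofing protection) and SYN cookies.
#######################################
kernel_tuning() {
  printf '%s' "IP FORWARDING at kernel level...."
  echo "1" > /proc/sys/net/ipv4/ip_forward
  echo "..Done"
  printf '%s' "Turn on kernel ANTI SPOOFING....."
  echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
  echo "..Done"
  printf '%s' "Turn on SYN cookies.............."
  echo "1" > /proc/sys/net/ipv4/tcp_syncookies
  echo "..Done"
}

#######################################
# Inbound services from the outside to named internal hosts.
# Rule order within each chain matches the previous revision.
#######################################
ext_to_int_rules() {
  printf '%s' "EXT to INT rules................."
  #SNMP stuff here -- only from the upstream router.
  iptables -A FORWARD -p TCP -s "$ROUTER" --dport 161 -j ACCEPT
  iptables -A FORWARD -p UDP -s "$ROUTER" --dport 161 -j ACCEPT
  iptables -A FORWARD -p UDP -s "$ROUTER" --dport 162 -j ACCEPT
  # Inbound SMTP to INTBOX from anywhere.
  iptables -A FORWARD -p TCP -s "$ANY" -d "$INTBOX" --dport 25 -j ACCEPT
  #iptables -A FORWARD -p TCP -s $ANY -d $INTBOX --dport 1723 -j ACCEPT
  #iptables -A FORWARD -p 47 -s $ANY -d $INTBOX -j ACCEPT
  # Australian peers get unrestricted access to INTBOX ...
  for au in "$AU1" "$AU2" "$AU3" "$AU4" "$AU5"; do
    iptables -A FORWARD -s "$au" -d "$INTBOX" -j ACCEPT
  done
  # ... and Citrix ICA to CITRIX via DNAT on the external address.
  iptables -t nat -p TCP -A PREROUTING -d "$EXTIP" --dport 1494 -j DNAT --to "$CITRIX"
  for au in "$AU1" "$AU2" "$AU3" "$AU4" "$AU5"; do
    iptables -A FORWARD -p TCP -s "$au" -d "$CITRIX" --dport 1494 -j ACCEPT
  done
  iptables -t nat -p UDP -A PREROUTING -d "$EXTIP" --dport 1604 -j DNAT --to "$CITRIX"
  for au in "$AU1" "$AU2" "$AU3" "$AU4" "$AU5"; do
    iptables -A FORWARD -p UDP -s "$au" -d "$CITRIX" --dport 1604 -j ACCEPT
  done
  #IPSEC TO SNAPGEAR VPN SERVER
  # Both VPN-side addresses may forward anything; inbound to the VPN box is
  # limited to IKE (500/udp), ESP (50), AH (51), GRE (47) and PPTP (1723/tcp).
  iptables -A FORWARD -p ALL -s 210.55.224.132 -j ACCEPT
  iptables -A FORWARD -p ALL -s "$VPN" -j ACCEPT
  iptables -A FORWARD -p UDP -s "$ANY" -d "$VPN" --dport 500 -j ACCEPT
  iptables -A FORWARD -p 50 -s "$ANY" -d "$VPN" -j ACCEPT
  iptables -A FORWARD -p 51 -s "$ANY" -d "$VPN" -j ACCEPT
  iptables -A FORWARD -p 47 -s "$ANY" -d "$VPN" -j ACCEPT
  iptables -A FORWARD -p TCP -s "$ANY" -d "$VPN" --dport 1723 -j ACCEPT
  # Same ICMP types as INPUT, for forwarded traffic.
  for t in 0 3 5 11 8; do
    iptables -A FORWARD -p ICMP -s "$ANY" --icmp-type "$t" -j ACCEPT
  done
  echo "..Done"
}

#######################################
# Hook the log-and-drop chain onto the end of INPUT/FORWARD and record the
# resulting ruleset plus a copy of this script under /var/log.
#######################################
finish() {
  iptables -A INPUT -j firewall
  iptables -A FORWARD -j firewall
  #iptables -A OUTPUT -j firewall
  {
    echo ""
    echo "eth0=internel"
    echo "eth1=external"
    echo "eth2=dmz"
    echo ""
    iptables -L -n -v
    iptables -L -n -v -t nat
  } > /var/log/firewall_rules
  cat /etc/firewall/firewall.rc > /var/log/firewall.rc
}

main() {
  echo "executing /etc/firewall/firewall.rc"
  echo ""
  set_variables
  load_modules
  set_policy
  flush_rules
  create_chains
  set_input_rules
  set_forward_rules
  set_output_rules
  kernel_tuning
  ext_to_int_rules
  finish
}

main "$@"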