Monday, October 17, 2005
rc.firewall: iptables init script for a dual-NIC (WAN/LAN) Linux gateway
#!/bin/bash
#
# rc.firewall This shell script takes care of iptables
#
# chkconfig: 2345 99 99
# description: setup iptables dual homed as a gateway
# processname: rc.firewall
# config: /etc/init.d/rc.firewall
#
# karl@webmedianow.com
# Last Modified: Mon Oct 17 18:57:04 PDT 2005
#################################################
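DATE=$(/bin/date --iso)
EXT_DEV="eth0"   # WAN (untrusted) interface
INT_DEV="eth1"   # LAN (trusted) interface

#######################################
# Pull one IPv4 field out of ifconfig output read on stdin.
# Arguments: $1 - old net-tools key ("addr", "Bcast", "Mask")
#            $2 - new net-tools key ("inet", "broadcast", "netmask")
# Outputs:   the value, or nothing if the line/field is absent
#######################################
parse_if_field() {
  awk -v old="$1" -v new="$2" '
    /inet / && !/inet6/ {
      # old style: "inet addr:10.0.0.1  Bcast:10.0.0.255  Mask:255.255.255.0"
      for (i = 1; i <= NF; i++)
        if (index($i, old ":") == 1) { print substr($i, length(old) + 2); exit }
      # new style: "inet 10.0.0.1  netmask 255.255.255.0  broadcast 10.0.0.255"
      for (i = 1; i < NF; i++)
        if ($i == new) { print $(i + 1); exit }
    }'
}

#######################################
# Query one interface directly.  The original "ifconfig | grep -A 1 $DEV"
# was unanchored: with eth1 it also matches eth10/eth11 and can return
# another interface's addresses, which then end up in the rules.
# Arguments: $1 - device, $2/$3 - keys as for parse_if_field
#######################################
if_field() {
  ifconfig "$1" 2>/dev/null | parse_if_field "$2" "$3"
}

EXT_IP=$(if_field "$EXT_DEV" addr inet)
INT_IP=$(if_field "$INT_DEV" addr inet)
BCAST_EXT_DEV=$(if_field "$EXT_DEV" Bcast broadcast)
BMASK_EXT_DEV=$(if_field "$EXT_DEV" Mask netmask)
BCAST_INT_DEV=$(if_field "$INT_DEV" Bcast broadcast)
BMASK_INT_DEV=$(if_field "$INT_DEV" Mask netmask)
# "broadcast/netmask" is not the network address, but iptables applies the
# mask before matching, so 10.0.0.255/255.255.255.0 behaves as 10.0.0.0/24.
EXT_NET="$BCAST_EXT_DEV/$BMASK_EXT_DEV"
INT_NET="$BCAST_INT_DEV/$BMASK_INT_DEV"

# Every rule below is built from these strings.  An empty one makes the
# rules that use it fail to load (fail-closed under the DROP policies, but a
# silent lockout), so say so loudly.  "stop" does not need them; stay quiet.
if [ "$1" != "stop" ]; then
  [ -n "$EXT_IP" ] || echo "$0: warning: no IPv4 address found on $EXT_DEV" >&2
  [ -n "$INT_IP" ] || echo "$0: warning: no IPv4 address found on $INT_DEV" >&2
fi
#################################################
echo "wan side = $EXT_DEV: $EXT_IP Network: $EXT_NET"
echo "lan side = $INT_DEV: $INT_IP Network: $INT_NET"
#################################################
#Known Hosts
ROUTER="192.168.0.1"
WORKSTATION1="10.0.0.33"
OFFICE=""               # not referenced anywhere in this script
#################################################
UNIVERSE="0.0.0.0"      # not referenced anywhere in this script
PRIVPORTS="1024:65535"  # unprivileged client source ports (the ssh port-forward uses this range)
PREROUTE22="$WORKSTATION1"   # LAN host that receives inbound ssh from the WAN side
ALLOWPING="$INT_NET $ROUTER"
ALLOWDNS_INT_DEV="$INT_NET"
ALLOWSSH_INT_DEV="$INT_NET"
ALLOWDHCP_INT_DEV="$INT_NET"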
#################################################
## Flush Rulesets and Zero out counter
flush() {
  local table
  # Empty every table this script touches: -F removes the rules, -X the
  # user-defined chains (-X must come after -F; a referenced chain cannot
  # be deleted).  Policies are left alone; default_policy sets them.
  for table in filter nat mangle; do
    /sbin/iptables -t "$table" -F
    /sbin/iptables -t "$table" -X
  done
  # Reset packet/byte counters in the filter table.
  /sbin/iptables -Z
}
#################################################
## Define Variables in /proc/sys/net
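#######################################
# Write one value to a knob under /proc/sys/net/ipv4.
# Arguments: $1 - path relative to /proc/sys/net/ipv4, $2 - value
# Outputs:   a warning on stderr when the running kernel does not expose
#            the knob, instead of a bare shell redirection error
#######################################
set_proc() {
  local knob="/proc/sys/net/ipv4/$1"
  if [ -w "$knob" ]; then
    echo "$2" > "$knob"
  else
    echo "proc: $knob not available on this kernel, skipped" >&2
  fi
}

#######################################
# Kernel network hardening.
# Globals: EXT_DEV, INT_DEV (read)
#######################################
proc() {
  local scope
  # Per-interface knobs.  Writing only conf/all/ is not enough for all of
  # them: the kernel combines all/ with the per-interface value (max() for
  # rp_filter, OR for send_redirects/log_martians), and conf/default/ only
  # seeds interfaces created later.  So the two live interfaces get set too.
  for scope in all default "$EXT_DEV" "$INT_DEV"; do
    # Reverse-path filter, STRICT (1).  The original wrote 2, which on
    # 2.6.31+ kernels means LOOSE and, because the effective value is
    # max(all, iface), overrides a strict per-interface setting.  A
    # dual-homed gateway with one route per side wants strict: a packet
    # arriving on $EXT_DEV with an $INT_NET source is dropped.
    set_proc "conf/$scope/rp_filter" 1
    # No source-routed packets, no ICMP redirects accepted or sent.
    set_proc "conf/$scope/accept_source_route" 0
    set_proc "conf/$scope/accept_redirects" 0
    set_proc "conf/$scope/secure_redirects" 0
    set_proc "conf/$scope/send_redirects" 0
    # Log packets with impossible addresses (martians).
    set_proc "conf/$scope/log_martians" 1
  done
  # Don't answer broadcast pings (smurf amplification).
  set_proc icmp_echo_ignore_broadcasts 1
  # Ignore bogus ICMP error responses.
  set_proc icmp_ignore_bogus_error_responses 1
  # SYN cookies: survive SYN floods without refusing legitimate connections.
  set_proc tcp_syncookies 1
  # No TCP timestamps (leaks uptime).
  set_proc tcp_timestamps 0
  # Ephemeral port range for the gateway's own outbound connections.
  set_proc ip_local_port_range "32768 61000"
  # Shorter timeouts so half-closed and idle connections are reaped sooner.
  set_proc tcp_fin_timeout 30
  set_proc tcp_keepalive_time 2400
  # NOTE(review): window scaling and SACK are throughput features, not
  # attack surface; turning them off caps TCP performance on high-latency
  # links.  Kept as the original had them; reconsider.
  set_proc tcp_window_scaling 0
  set_proc tcp_sack 0
  # ECN off (some Cisco equipment does not work with it enabled).
  set_proc tcp_ecn 0
  echo "sysctl options set."
}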
####################################################################################
router() {
  # Turn on IPv4 forwarding so packets can transit between the two NICs.
  printf '%s\n' "Routing enabled for this server"
  printf '1\n' > /proc/sys/net/ipv4/ip_forward
}
####################################################################################
norouter() {
  # Turn off IPv4 forwarding; the box stops acting as a gateway.
  printf '%s\n' "Routing disabled for this server"
  printf '0\n' > /proc/sys/net/ipv4/ip_forward
}
#################################################
## Define Default DROP Policies
default_policy() {
  local chain
  # Filter table: anything not explicitly accepted is dropped.
  for chain in INPUT FORWARD OUTPUT; do
    /sbin/iptables -P "$chain" DROP
  done
  # The nat table only rewrites addresses; filtering happens in the
  # filter table, so its policies stay ACCEPT.
  for chain in PREROUTING POSTROUTING; do
    /sbin/iptables -t nat -P "$chain" ACCEPT
  done
}
####################################################################
## Define User Chains
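user_chains() {
  local chain verdict
  # Helper chains LOGDROP and LOGACCEPT: log the packet, then apply the
  # verdict.  The LOG target has no ceiling of its own, so it is rate
  # limited here; otherwise a packet flood aimed at a logged rule fills
  # syslog (and the disk) - a DoS on the gateway itself.  Nothing in this
  # script jumps to these chains; they exist for rules added by hand.
  for chain in LOGDROP LOGACCEPT; do
    verdict=${chain#LOG}   # LOGDROP -> DROP, LOGACCEPT -> ACCEPT
    /sbin/iptables -N "$chain"
    /sbin/iptables -A "$chain" -m limit --limit 10/min --limit-burst 20 -j LOG \
      --log-tcp-options --log-ip-options --log-prefix "[IPTABLES $verdict] : "
    /sbin/iptables -A "$chain" -j "$verdict"
  done
}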
####################################################################
##Default Ruleset
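default_rules() {
  local host proto

  ## The gateway itself: loopback, and replies to anything it started.
  /sbin/iptables -A INPUT -i lo -j ACCEPT
  /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  # Locally generated traffic is unrestricted, so the OUTPUT DROP policy
  # only matters for what default_logging appends later.
  /sbin/iptables -A OUTPUT -j ACCEPT

  ## Forwarding: return traffic, then new LAN -> WAN flows.
  /sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  # Tie the LAN source to the LAN interface.  Without -i, a packet arriving
  # on $EXT_DEV with a forged $INT_NET source also matches this rule;
  # rp_filter normally catches that, but the rule should not depend on it.
  /sbin/iptables -A FORWARD -i "$INT_DEV" -o "$EXT_DEV" -s "$INT_NET" \
    -m state --state NEW -j ACCEPT

  ## ICMP: echo-request only, from $ALLOWPING.  Replies and ICMP errors for
  ## existing flows already pass as ESTABLISHED/RELATED above; the original
  ## "-p icmp" let every ICMP type through from these sources.
  for host in $ALLOWPING; do
    echo "ALLOWPING $host"
    /sbin/iptables -A INPUT --source "$host" -p icmp --icmp-type echo-request \
      -m state --state NEW -j ACCEPT
  done

  ## SSH to the gateway, LAN interface only.
  for host in $ALLOWSSH_INT_DEV; do
    echo "ALLOWSSH_INT_DEV(ssh port 22, tcp) $host -i $INT_DEV"
    /sbin/iptables -A INPUT -i "$INT_DEV" -p tcp --source "$host" \
      --destination-port 22 -m state --state NEW -j ACCEPT
  done

  ## DNS queries to a resolver on the gateway, LAN interface only.
  # NOTE(review): UDP only, as in the original; a resolver that must answer
  # truncated responses over TCP needs a matching tcp/53 rule.
  for host in $ALLOWDNS_INT_DEV; do
    echo "ALLOWDNS_INT_DEV(domain port 53, udp) $host -i $INT_DEV"
    /sbin/iptables -A INPUT -i "$INT_DEV" --source "$host" \
      --protocol udp --destination-port domain -m state --state NEW -j ACCEPT
  done

  ## DHCP: bootps = 67 (server), bootpc = 68 (client).  The original listed
  ## bootps four times; the second tcp/udp pair was meant to be bootpc.
  # NOTE(review): a client's initial DISCOVER/REQUEST is sourced from
  # 0.0.0.0 to 255.255.255.255, which "--source $INT_NET" does not match;
  # if this box runs a DHCP server, confirm it still works (ISC dhcpd reads
  # via a packet socket and may not traverse INPUT at all).
  # "[ -n ... ]" replaces the original "[ ${ALLOWDHCP_INT_DEV} ]", which
  # breaks as soon as the list holds more than one entry.
  if [ -n "$ALLOWDHCP_INT_DEV" ]; then
    for host in $ALLOWDHCP_INT_DEV; do
      echo "ALLOWDHCP_INT_DEV(dhcp port 67,68, tcp,udp) $host -i $INT_DEV"
      for proto in tcp udp; do
        /sbin/iptables -A INPUT -i "$INT_DEV" -p "$proto" --source "$host" \
          --destination-port bootps -j ACCEPT
        /sbin/iptables -A INPUT -i "$INT_DEV" -p "$proto" --source "$host" \
          --destination-port bootpc -j ACCEPT
      done
    done
  fi
}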
####################################################################
## Set up IP Masquerading/FTP connection tracking
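default_nat() {
  local dst=()

  # Connection-tracking helpers for active FTP through the NAT.  The module
  # names changed from ip_* (2.4 / early 2.6) to nf_* (2.6.20+); try both.
  /sbin/modprobe ip_nat_ftp 2>/dev/null || /sbin/modprobe nf_nat_ftp
  /sbin/modprobe ip_conntrack_ftp 2>/dev/null || /sbin/modprobe nf_conntrack_ftp

  ## Source NAT for everything leaving the WAN interface.
  if [ -n "$EXT_IP" ]; then
    /sbin/iptables -t nat -A POSTROUTING -o "$EXT_DEV" -j SNAT --to "$EXT_IP"
  else
    # $EXT_DEV had no address when the script ran (e.g. a DHCP WAN still
    # negotiating).  "SNAT --to ''" fails to load and, with the POSTROUTING
    # policy at ACCEPT, LAN traffic would then be forwarded upstream with
    # its private source address.  MASQUERADE picks the address up at
    # runtime instead.
    echo "default_nat: no address on $EXT_DEV, using MASQUERADE instead of SNAT" >&2
    /sbin/iptables -t nat -A POSTROUTING -o "$EXT_DEV" -j MASQUERADE
    echo "default_nat: no address on $EXT_DEV, ssh port-forward will match any destination" >&2
  fi

  ## Example: transparent redirect of outbound HTTP (disabled).
  #/sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 198.172.205.2:80

  ## Port-forward inbound ssh on the WAN address to $PREROUTE22.
  # NOTE(review): this exposes $PREROUTE22:22 to every WAN peer; add
  # "-s <trusted range>" to both rules if the client set is known.
  # The $PRIVPORTS source-port match only rejects clients that use a low
  # source port; it is not a security control.
  if [ -n "$PREROUTE22" ]; then
    echo "RULE_22: PreRoute inbound port 22 on $EXT_DEV to $PREROUTE22"
    # Restrict to the WAN address when it is known; "-d ''" would not load.
    [ -n "$EXT_IP" ] && dst=(-d "$EXT_IP")
    /sbin/iptables -t nat -A PREROUTING -i "$EXT_DEV" -p tcp --sport "$PRIVPORTS" \
      "${dst[@]}" --dport 22 -j DNAT --to-destination "$PREROUTE22"
    /sbin/iptables -A FORWARD -i "$EXT_DEV" -o "$INT_DEV" -p tcp --sport "$PRIVPORTS" \
      -d "$PREROUTE22" --dport 22 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  fi
}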
####################################################################
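default_logging() {
  local chain
  # Log what falls through to the DROP policies.  LOG is rate limited: an
  # unbounded LOG rule lets any remote flood fill syslog and the disk, a
  # DoS on the gateway in its own right (tune the limit to taste).  OUTPUT
  # never reaches these rules because default_rules accepts all locally
  # generated traffic first.
  for chain in INPUT FORWARD OUTPUT; do
    /sbin/iptables -A "$chain" -m limit --limit 10/min --limit-burst 20 -j LOG \
      --log-tcp-options --log-ip-options --log-prefix '[IPTABLES DROP] : '
  done
  # Redundant with the chain policies, but makes the intent visible in
  # "iptables -L" and holds even if a policy is changed by hand.
  /sbin/iptables -A FORWARD -j DROP
  /sbin/iptables -A INPUT -j DROP
  /sbin/iptables -A OUTPUT -j DROP
}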
####################################################################
stop() {
  local chain table
  # Open every built-in chain this script may have touched, then empty the
  # tables.  NOTE: afterwards the host has no packet filtering at all; the
  # caller pairs this with norouter so at least forwarding stops.
  for chain in INPUT OUTPUT FORWARD; do
    /sbin/iptables --policy "$chain" ACCEPT
  done
  for chain in PREROUTING OUTPUT POSTROUTING; do
    /sbin/iptables -t nat --policy "$chain" ACCEPT
  done
  for chain in PREROUTING OUTPUT; do
    /sbin/iptables -t mangle --policy "$chain" ACCEPT
  done
  # Rules first, then user chains (a chain still referenced cannot be deleted).
  for table in filter nat mangle; do
    /sbin/iptables -t "$table" --flush
  done
  for table in filter nat mangle; do
    /sbin/iptables -t "$table" --delete-chain
  done
  /sbin/iptables --zero
}
####################################################################
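# Entry point: "stop" tears everything down; any other argument (start,
# restart, none) rebuilds the ruleset.
case "$1" in
  stop)
    # Disable forwarding first so nothing transits while the rules are gone.
    norouter
    stop
    echo "iptables stopped"
    ;;
  *)
    # Order matters for the window during the reload.  The original ran
    # flush -> proc -> router -> default_policy, i.e. forwarding was turned
    # on and the chains emptied while the policies were still whatever they
    # were before (ACCEPT on a fresh boot): a brief fully-open gateway.
    # Set the DROP policies before flushing, and enable forwarding only once
    # the complete ruleset is loaded.
    default_policy
    flush
    proc
    user_chains
    default_rules
    default_nat
    default_logging
    router
    echo "wan side = $EXT_DEV: $EXT_IP Network: $EXT_NET"
    echo "lan side = $INT_DEV: $INT_IP Network: $INT_NET"
    echo "$0 Done. $DATE Base config initiated."
    ;;
esac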
#EOF