Firewall Iptables FSE 2002

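#!/bin/sh

# make me executable (chmod a+x rc.firewall ) and run me on boot

#
# djweis@sjdjweis.com
# iptables firewall script
#
# Three-interface firewall: "bad" is the internet side, "dmz" holds the
# public servers, "good" is the masqueraded internal network.  Forwarded
# traffic is classified by (in-iface, out-iface) into one user chain per
# direction; every such chain ends in a terminal LOG + DROP/REJECT.  The
# box's own services are handled by per-interface "*-if" chains on INPUT.
#
# this script is meant to be run once per boot
# the rules will be double added if you try to run it twice
# (every table is flushed at the top, so a re-run should in practice start
# clean — verify on your iptables version before relying on it)
# if you need to add another rule during runtime, change the
# -A to a -I to add it to the top of the list of rules
# if you use -A it will go at the end after the reject rule :-(
#
# Rule order is the semantics here: anything appended after a chain's
# terminal rule is unreachable.  No default policy (-P) is ever set; the
# placeholder DROP rules added early and removed at the very end are what
# keep traffic out while the chains are being built.
#

# interface definitions
BAD_IFACE=eth2

DMZ_IFACE=eth1
DMZ_ADDR=217.141.200.131/32

GOOD_IFACE=eth3
GOOD_ADDR=10.0.0.0/16

# address internal clients are SNATed to on the internet side
MASQ_SERVER=217.141.200.130
#FTP_SERVER=x.x.x.100
#MAIL_SERVER=x.x.x.99
#MAIL_SERVER_INTERNAL=192.168.1.3

# testing — tracing stays on, so every command below is echoed to stderr
set -x

# host routes: the DMZ address is reached through the dmz interface, not
# the internet one (proxy arp below answers for it).  The 'del' commands
# fail harmlessly when the route is not present.
ip route del 217.141.200.131/32 dev "$BAD_IFACE"
ip route del 217.141.200.131/32 dev "$DMZ_IFACE"
ip route add 217.141.200.129/32 dev "$BAD_IFACE"
ip route add 217.141.200.131/32 dev "$DMZ_IFACE"

# routing for the internal subnets
# delete everything
ip route del 10.0.3.0/24 via 10.0.1.2
ip route del 10.0.2.0/24 via 10.0.1.3
# add them back again
ip route add 10.0.3.0/24 via 10.0.1.2
ip route add 10.0.2.0/24 via 10.0.1.3

# we need proxy arp for the dmz network
echo 1 > "/proc/sys/net/ipv4/conf/$BAD_IFACE/proxy_arp"
echo 1 > "/proc/sys/net/ipv4/conf/$DMZ_IFACE/proxy_arp"

# turn on ip forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# turn on antispoofing protection (reverse-path filter on every interface)
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > "$f"; done

# flush every chain in the nat, mangle and filter tables
# (a bare -F flushes all chains of the table, user-defined ones included)
iptables -F -t nat
iptables -F -t mangle
iptables -F

# flush built in rules
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD

# deny everything for now: placeholder rules at position 1 of each built-in
# chain so nothing passes while the rest is built; they are deleted at the
# end of the script.  The chains' default policies are never changed, so
# once the placeholders are gone anything that matches no rule at all
# (e.g. packets from interfaces not listed below) falls through to the
# kernel default policy, which is ACCEPT unless set elsewhere.
iptables -A INPUT -j DROP
iptables -A FORWARD -j DROP
iptables -A OUTPUT -j DROP

# make the chains to define packet directions
# bad is the internet, dmz is our dmz, good is our masqed network
# (-X on the very first boot reports "no chain" errors: harmless)
iptables -X good-dmz
iptables -X bad-dmz
iptables -X good-bad
iptables -X dmz-good
iptables -X dmz-bad
iptables -X bad-good
iptables -X icmp-acc
iptables -X good-good
iptables -N good-dmz
iptables -N bad-dmz
iptables -N good-bad
iptables -N dmz-good
iptables -N dmz-bad
iptables -N bad-good
iptables -N icmp-acc
iptables -N good-good

# mark the packets we want to traffic-shape (picked up by tc on the egress
# interface).  MARK is a mangle-table target and target options are only
# recognised after the -j that loads the target, so the rule lives in
# mangle/FORWARD with --set-mark after -j MARK (the filter-table form with
# --set-mark in front of -j is rejected by iptables).
# NOTE(review): mangle has a FORWARD chain on 2.4.18+ kernels only; on an
# older kernel use mangle/PREROUTING instead — confirm on the running box.
iptables -t mangle -A FORWARD -s 10.0.1.3 -j MARK --set-mark 7

# connection tracking first, for every forwarding direction: drop what
# conntrack cannot classify, accept replies to known connections.  The
# per-direction chains below therefore mostly see NEW packets.
#iptables -A FORWARD -p tcp -d 217.141.200.131/32 -j ACCEPT
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

# internal client masqing: internal sources leaving on the internet
# interface are rewritten to MASQ_SERVER
iptables -t nat -A POSTROUTING -s "$GOOD_ADDR" -o "$BAD_IFACE" -j SNAT --to-source "$MASQ_SERVER"
# mail server masqing
#iptables -t nat -A PREROUTING -p tcp -d $MAIL_SERVER --dport smtp -j DNAT --to $MAIL_SERVER_INTERNAL:25
#iptables -t nat -A PREROUTING -p tcp -d $MAIL_SERVER --dport http -j DNAT --to $MAIL_SERVER_INTERNAL:80
#iptables -t nat -A PREROUTING -p tcp -d $MAIL_SERVER --dport https -j DNAT --to $MAIL_SERVER_INTERNAL:443
# to allow the above to work you need something like
# iptables -A bad-good -p tcp --dport smtp -d $MAIL_SERVER_INTERNAL -j ACCEPT

# set which addresses jump to which chains
iptables -A FORWARD -i "$GOOD_IFACE" -o "$DMZ_IFACE" -j good-dmz
iptables -A FORWARD -i "$GOOD_IFACE" -o "$BAD_IFACE" -j good-bad

iptables -A FORWARD -i "$GOOD_IFACE" -o "$GOOD_IFACE" -j good-good

iptables -A FORWARD -i "$DMZ_IFACE" -o "$BAD_IFACE" -j dmz-bad
iptables -A FORWARD -i "$DMZ_IFACE" -o "$GOOD_IFACE" -j dmz-good

# no -i on these two: they catch everything not classified above that
# leaves on the dmz/internal interface, i.e. not only packets from the
# internet side but also e.g. eth0 -> dmz or dmz -> dmz
iptables -A FORWARD -o "$DMZ_IFACE" -j bad-dmz
iptables -A FORWARD -o "$GOOD_IFACE" -j bad-good

# drop anything that doesn't fit these
iptables -A FORWARD -j LOG --log-prefix "chain-jump "
iptables -A FORWARD -j DROP

# icmp acceptance: error/control types from anywhere, echo-request only
# when it did not arrive on the internet interface.  The chain ends in
# DROP, so whatever is jumped here and not listed (including non-icmp,
# when the caller does not filter on -p icmp) is dropped.
iptables -A icmp-acc -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A icmp-acc -p icmp --icmp-type source-quench -j ACCEPT
iptables -A icmp-acc -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A icmp-acc -p icmp -i ! "$BAD_IFACE" --icmp-type echo-request -j ACCEPT
iptables -A icmp-acc -p icmp --icmp-type echo-reply -j ACCEPT
# iptables -A icmp-acc -j LOG --log-prefix "icmp-acc "
iptables -A icmp-acc -j DROP

# from internal to dmz
#iptables -A good-dmz -p tcp --dport smtp -j ACCEPT
#iptables -A good-dmz -p tcp --dport pop3 -j ACCEPT
#iptables -A good-dmz -p udp --dport domain -j ACCEPT
#iptables -A good-dmz -p tcp --dport domain -j ACCEPT
iptables -A good-dmz -p tcp --dport 9673 -j ACCEPT
iptables -A good-dmz -p tcp --dport 8080 -j ACCEPT
iptables -A good-dmz -p tcp --dport www -j ACCEPT
iptables -A good-dmz -p tcp --dport https -j ACCEPT
iptables -A good-dmz -p tcp --dport ssh -j ACCEPT
#iptables -A good-dmz -p tcp --dport telnet -j ACCEPT
#iptables -A good-dmz -p tcp --dport auth -j ACCEPT
#iptables -A good-dmz -p tcp --dport ftp -j ACCEPT
#iptables -A good-dmz -p tcp --dport 1521 -j ACCEPT
iptables -A good-dmz -p icmp -j icmp-acc
iptables -A good-dmz -j LOG --log-prefix "good-dmz "
iptables -A good-dmz -j DROP

# from external to dmz
#iptables -A bad-dmz -p tcp --dport smtp -j ACCEPT
#iptables -A bad-dmz -p udp --dport domain -j ACCEPT
#iptables -A bad-dmz -p tcp --dport domain -j ACCEPT
iptables -A bad-dmz -p tcp --dport www -j ACCEPT
iptables -A bad-dmz -p tcp --dport https -j ACCEPT
#iptables -A bad-dmz -p tcp --dport ssh -j ACCEPT
#iptables -A bad-dmz -p tcp -d $FTP_SERVER --dport ftp -j ACCEPT
iptables -A bad-dmz -p icmp -j icmp-acc
iptables -A bad-dmz -j LOG --log-prefix "bad-dmz "
iptables -A bad-dmz -j DROP

# from internal to external: any new connection may go out, everything
# else is rejected (replies were already accepted in FORWARD)
iptables -A good-bad -m state --state NEW -j ACCEPT
iptables -A good-bad -j REJECT
#iptables -A good-bad -j ACCEPT
# iptables -t nat -A POSTROUTING -o $BAD_IFACE -j SNAT --to $MASQ_SERVER
#iptables -A good-bad -p tcp -j MASQ
#iptables -A good-bad -p udp -j MASQ
#iptables -A good-bad -p icmp -j MASQ

# from good to better: hairpin traffic in and out of the internal
# interface, only 10.0.1.253 may do it
iptables -A good-good -s 10.0.1.253 -j ACCEPT
iptables -A good-good -j REJECT

# from dmz to internal
# NOTE: "! --syn" matches every TCP packet that is not a bare SYN, whatever
# conntrack thinks of it.  Genuine replies from these ports were already
# accepted as ESTABLISHED in FORWARD, so what these rules add is the
# acceptance of non-SYN packets conntrack does not know about; keep that
# in mind when tightening the chain.
iptables -A dmz-good -p tcp ! --syn --sport 9673 -j ACCEPT
iptables -A dmz-good -p tcp ! --syn --sport 8080 -j ACCEPT
iptables -A dmz-good -p tcp ! --syn --sport www -j ACCEPT
iptables -A dmz-good -p tcp ! --syn --sport ssh -j ACCEPT
iptables -A dmz-good -p udp --dport 53 -j ACCEPT
#iptables -A dmz-good -p tcp -d 192.168.1.34 --dport smtp -j ACCEPT
iptables -A dmz-good -p icmp -j icmp-acc
iptables -A dmz-good -j LOG --log-prefix "dmz-good "
iptables -A dmz-good -j DROP

# from dmz to external
iptables -A dmz-bad -p udp --dport domain -j ACCEPT
iptables -A dmz-bad -p tcp --dport domain -j ACCEPT
iptables -A dmz-bad -p tcp --dport www -j ACCEPT
iptables -A dmz-bad -p tcp --dport https -j ACCEPT
iptables -A dmz-bad -p tcp --dport ssh -j ACCEPT
iptables -A dmz-bad -p tcp --dport ftp -j ACCEPT
# same "! --syn" caveat as in dmz-good
iptables -A dmz-bad -p tcp ! --syn --sport www -j ACCEPT
iptables -A dmz-bad -p icmp -j icmp-acc
iptables -A dmz-bad -j LOG --log-prefix "dmz-bad "
iptables -A dmz-bad -j DROP

# from external to internal: nothing new is let in, only DNAT'ed services
# added here (see the commented example) would be
#iptables -A bad-good -p tcp --dport https -d $MAIL_SERVER_INTERNAL -j ACCEPT
iptables -A bad-good -j LOG --log-prefix "bad-good "
iptables -A bad-good -j REJECT

# rules for this machine itself
iptables -X bad-if
iptables -X dmz-if
iptables -X good-if
iptables -N bad-if
iptables -N dmz-if
iptables -N good-if

# set up the jumps to each chain
# NOTE: eth0 is not one of the named interfaces above and is trusted
# unconditionally; lo has no rule at all and falls through to the INPUT
# default policy once the placeholder DROP is removed.
iptables -A INPUT -i eth0 -j ACCEPT
iptables -A INPUT -i "$BAD_IFACE" -j bad-if
iptables -A INPUT -i "$DMZ_IFACE" -j dmz-if
iptables -A INPUT -i "$GOOD_IFACE" -j good-if

# external iface: replies, ssh and selected icmp only
iptables -A bad-if -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A bad-if -p tcp --dport ssh -j ACCEPT
iptables -A bad-if -p icmp -j icmp-acc
iptables -A bad-if -j LOG --log-prefix "bad-if "
iptables -A bad-if -j DROP

# dmz iface: ends in ACCEPT, i.e. the DMZ host may reach every service
# running on this box
#iptables -A dmz-if -p tcp --dport ssh -j ACCEPT
iptables -A dmz-if -p icmp -j icmp-acc
iptables -A dmz-if -j ACCEPT

# internal iface: like bad-if but without a LOG before the final DROP;
# the jump to icmp-acc is not restricted to -p icmp, so every leftover
# packet (icmp or not) is decided inside icmp-acc and the trailing DROP
# only sees what that chain returns
iptables -A good-if -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A good-if -p tcp --dport ssh -j ACCEPT
#iptables -A good-if -p tcp --dport 7700 -j ACCEPT
#iptables -A good-if -p ICMP --icmp-type ping -j ACCEPT
#iptables -A good-if -p ICMP --icmp-type pong -j ACCEPT
iptables -A good-if -j icmp-acc
iptables -A good-if -j DROP

# remove the complete blocks: the placeholder DROPs are rule 1 of each
# built-in chain because everything above used -A (append) — do not use
# -I anywhere above or these positional deletes remove the wrong rule.
# After this OUTPUT is empty and runs on its default policy.
iptables -D INPUT 1
iptables -D FORWARD 1
iptables -D OUTPUT 1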
