Firewall script for broadband

Brad Chapman kakadu@earthlink.net
Fri, 27 Jul 2001 08:09:07 -0400



Mrs. Allen,

   (thud)

   I forgot to attach it in my earlier e-mail. Here it is.

Brad

Lindsay Allen wrote:

> On Thu, 26 Jul 2001, Brad Chapman wrote:
> 
>> Mrs. Allen,
>> 
>>    Okeydoke. New script - fixes the DNAT misunderstanding, SNAT's 
>> everything and
>> does ESTABLISHED,RELATED in and NEW,ESTABLISHED,RELATED out in the 
>> FORWARD chain.
>> 
>> Nothing else changed.
>> 
>> Brad
>> 
>> P.S.: Perth, Western Australia? I've been there! Great city, huh?
> 
> 
> Yes, Perth has a lot going for it.  Next time come and look me up!  
> 
> Can I have a copy of the script as it now stands, please?  I'm still a
> beginner.
> 
> Lindsay
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
> Lindsay Allen   <allen@cleo.murdoch.edu.au>    Perth, Western Australia
> voice +61 8 9316 2486, 0403 272 564   32.0125S 115.8445E   Debian Linux
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
> 
> 
> 


--------------050602000208080706070204
Content-Type: text/plain;
 name="firewall"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
 filename="firewall"

#!/bin/sh
#
# This script contains the complete netfilter firewall
# for this network. This firewall is designed to be run
# 24 hours a day for full protection.
#
# chkconfig: 2345 11 92
# description:  Contains the complete netfilter \
#		firewall for this network.

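# A boot-time shell may not have the local bin/sbin directories on its
# PATH, so extend it before looking for iptables.
export PATH=$PATH:/usr/local/bin:/usr/local/sbin
# Refuse to run at all without iptables. `command -v` exits non-zero when
# the binary is absent; testing `-f` on the empty output of `which`
# does not (`[ ! -f ]` is true), which let the script carry on and
# report success with no firewall loaded.
command -v iptables >/dev/null 2>&1 || exit 1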

# Working state: the table and chain currently being programmed, and the
# status handed to `exit` at the end of the script.
TABLE=""
CHAIN=""
RETVAL=""

# TCP flag spec for the (currently commented-out) TCPMSS clamping rule.
SCAN_FLAGS="SYN,RST RST"
# LAN-side address/netmask; not referenced by any rule in this script.
DADDR=192.168.1.1/255.255.255.0
# Address written into every "SNAT --to" rule; left empty in this copy.
SADDR=""

# Connection-tracking state sets used by the "-m state --state" matches.
STATE1=ESTABLISHED               # replies to an existing connection only
STATE2=ESTABLISHED,RELATED       # replies plus RELATED (ftp data, via ip_conntrack_ftp)
STATE3=NEW,ESTABLISHED           # new connections and their replies
STATE4=NEW,ESTABLISHED,RELATED   # everything conntrack can classify

# Now, see how we were called
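case "$1" in
	start)
		# Every SNAT rule below writes "--to $SADDR". With SADDR empty those
		# rules fail to load and LAN traffic would leave eth1 with its private
		# source address, so abort here instead of bringing up a half-built
		# ruleset. ${VAR:?msg} makes a non-interactive shell exit with msg.
		: "${SADDR:?SADDR must be set to the eth1 address used for SNAT}"

		printf '%s' "Loading netfilter firewall: "

		# Load the modules the rules depend on: conntrack (with the ftp helper
		# so ftp data connections count as RELATED), the three tables, and the
		# match/target extensions used below. Failures are not fatal here; a
		# missing module shows up as a failed iptables call further down.
		printf '%s' "modules "

		modprobe ip_conntrack
		modprobe ip_conntrack_ftp
		modprobe iptable_filter
		modprobe iptable_mangle
		modprobe iptable_nat
		modprobe ip_nat_ftp
		modprobe ipt_limit
		modprobe ipt_state
		modprobe ipt_LOG
#		modprobe ipt_TCPMSS
		modprobe ipt_TOS

		# ----------------------------------------------------------------- #
		# filter table: the only table that decides what is accepted or
		# dropped. Every chain defaults to DROP. eth0 is the LAN side, eth1
		# the broadband side; this host itself only talks SMTP (25) and
		# DNS (53) across eth1, the LAN may open any tcp/udp connection.
		TABLE=filter
		printf '%s' "$TABLE "

		CHAIN=INPUT
		iptables -t "$TABLE" -P "$CHAIN" DROP

		# Anything from the LAN or loopback addressed to this host is trusted.
		iptables -t "$TABLE" -A "$CHAIN" -p ip	-i eth0	-d 192.168.1.1	-j ACCEPT #1
		iptables -t "$TABLE" -A "$CHAIN" -p ip	-i lo	-d 127.0.0.1	-j ACCEPT #2

		# From the broadband side: replies to this host's own SMTP/DNS
		# requests (source port, ESTABLISHED) and new SMTP/DNS requests to
		# this host (destination port, NEW,ESTABLISHED).
		iptables -t "$TABLE" -A "$CHAIN" -p tcp	-i eth1	--source-port 25	-m state --state "$STATE1" -j ACCEPT #3
		iptables -t "$TABLE" -A "$CHAIN" -p tcp	-i eth1	--destination-port 25	-m state --state "$STATE3" -j ACCEPT
		iptables -t "$TABLE" -A "$CHAIN" -p tcp	-i eth1	--source-port 53	-m state --state "$STATE1" -j ACCEPT
		iptables -t "$TABLE" -A "$CHAIN" -p tcp	-i eth1	--destination-port 53	-m state --state "$STATE3" -j ACCEPT
		iptables -t "$TABLE" -A "$CHAIN" -p udp	-i eth1	--source-port 53	-m state --state "$STATE1" -j ACCEPT
		iptables -t "$TABLE" -A "$CHAIN" -p udp	-i eth1	--destination-port 53	-m state --state "$STATE3" -j ACCEPT #8

		# ICMP: redirects are logged (at most 2/s) and, because LOG does not
		# terminate and rule #10 only accepts the other types, then fall
		# through to the DROP policy. Every other ICMP type is accepted.
		iptables -t "$TABLE" -A "$CHAIN" -p icmp	-i eth1	--icmp-type redirect	-m limit --limit 2/s -j LOG #9
		iptables -t "$TABLE" -A "$CHAIN" -p icmp	-i eth1	--icmp-type ! redirect	-j ACCEPT #10

		CHAIN=FORWARD
		iptables -t "$TABLE" -P "$CHAIN" DROP

		# LAN hosts may open any tcp/udp connection out through eth1; only
		# replies (and RELATED traffic such as ftp data) are let back in.
		iptables -t "$TABLE" -A "$CHAIN" -p tcp	-i eth1	-m state --state "$STATE2"	-j ACCEPT #1
		iptables -t "$TABLE" -A "$CHAIN" -p tcp	-o eth1	-m state --state "$STATE4"	-j ACCEPT
		iptables -t "$TABLE" -A "$CHAIN" -p udp	-i eth1	-m state --state "$STATE2"	-j ACCEPT
		iptables -t "$TABLE" -A "$CHAIN" -p udp	-o eth1	-m state --state "$STATE4"	-j ACCEPT #4

		# Same ICMP treatment as INPUT, in both directions: log redirects and
		# let them hit the DROP policy, accept the rest.
		iptables -t "$TABLE" -A "$CHAIN" -p icmp	-i eth1	--icmp-type redirect	-m limit --limit 2/s -j LOG #5
		iptables -t "$TABLE" -A "$CHAIN" -p icmp	-o eth1	--icmp-type redirect	-m limit --limit 2/s -j LOG
		iptables -t "$TABLE" -A "$CHAIN" -p icmp	-i eth1	--icmp-type ! redirect	-j ACCEPT
		iptables -t "$TABLE" -A "$CHAIN" -p icmp	-o eth1	--icmp-type ! redirect	-j ACCEPT #8

#		iptables -t "$TABLE" -A "$CHAIN" -p tcp	-o eth1	--tcp-flags $SCAN_FLAGS	-j TCPMSS --clamp-mss-to-pmtu #9

		CHAIN=OUTPUT
		iptables -t "$TABLE" -P "$CHAIN" DROP

		# Mirror of INPUT for this host's own traffic: LAN and loopback are
		# free, SMTP/DNS may go out over eth1, other ICMP is allowed and
		# redirects are logged then dropped by the policy.
		iptables -t "$TABLE" -A "$CHAIN" -p ip	-o eth0	-s 192.168.1.1	-j ACCEPT #1
		iptables -t "$TABLE" -A "$CHAIN" -p ip	-o lo	-s 127.0.0.1	-j ACCEPT #2

		iptables -t "$TABLE" -A "$CHAIN" -p tcp	-o eth1	--source-port 25	-m state --state "$STATE1" -j ACCEPT #3
		iptables -t "$TABLE" -A "$CHAIN" -p tcp	-o eth1	--destination-port 25	-m state --state "$STATE3" -j ACCEPT
		iptables -t "$TABLE" -A "$CHAIN" -p tcp	-o eth1	--source-port 53	-m state --state "$STATE1" -j ACCEPT
		iptables -t "$TABLE" -A "$CHAIN" -p tcp	-o eth1	--destination-port 53	-m state --state "$STATE3" -j ACCEPT
		iptables -t "$TABLE" -A "$CHAIN" -p udp	-o eth1	--source-port 53	-m state --state "$STATE1" -j ACCEPT
		iptables -t "$TABLE" -A "$CHAIN" -p udp	-o eth1	--destination-port 53	-m state --state "$STATE3" -j ACCEPT #8

		iptables -t "$TABLE" -A "$CHAIN" -p icmp	-o eth1	--icmp-type redirect	-m limit --limit 2/s -j LOG #9
		iptables -t "$TABLE" -A "$CHAIN" -p icmp	-o eth1	--icmp-type ! redirect	-j ACCEPT #10

		# ----------------------------------------------------------------- #
		# nat table: only the first packet of each connection is seen here,
		# so this table must not be used for filtering and its chains default
		# to ACCEPT. Every protocol the filter table lets out of eth1 (tcp,
		# udp, icmp) gets an SNAT rule, so no 192.168.1.x source address
		# reaches the broadband side.
		TABLE=nat
		printf '%s' "$TABLE "

		CHAIN=PREROUTING
		iptables -t "$TABLE" -P "$CHAIN" ACCEPT

		CHAIN=OUTPUT
		iptables -t "$TABLE" -P "$CHAIN" ACCEPT

		CHAIN=POSTROUTING
		iptables -t "$TABLE" -P "$CHAIN" ACCEPT

		# LAN-side and loopback traffic is never translated.
		iptables -t "$TABLE" -A "$CHAIN" -p ip	-o eth0	-s 192.168.1.1	-j ACCEPT #1
		iptables -t "$TABLE" -A "$CHAIN" -p ip	-o lo	-s 127.0.0.1	-j ACCEPT #2

		# Rewrite the source of everything leaving eth1 to SADDR. The filter
		# table already drops ICMP redirects before they get here; the LOG
		# rule only records one that somehow slips through.
		iptables -t "$TABLE" -A "$CHAIN" -p tcp	-o eth1			-j SNAT --to "$SADDR" #3
		iptables -t "$TABLE" -A "$CHAIN" -p udp	-o eth1			-j SNAT --to "$SADDR" #4
		iptables -t "$TABLE" -A "$CHAIN" -p icmp	-o eth1	--icmp-type redirect	-m limit --limit 2/s -j LOG #5
		iptables -t "$TABLE" -A "$CHAIN" -p icmp	-o eth1	--icmp-type ! redirect	-j SNAT --to "$SADDR" #6

		# ----------------------------------------------------------------- #
		# mangle table: only sets the IP TOS byte on outbound traffic
		# (16 = minimise delay, 8 = maximise throughput, 4 = maximise
		# reliability). TOS is a non-terminating target: a packet keeps
		# traversing the chain after it is marked, so with a DROP policy every
		# packet that only matched a TOS rule (i.e. all of this host's own
		# traffic out of eth1) would be discarded after being marked. The
		# chains therefore default to ACCEPT; filtering stays in the filter
		# table.
		TABLE=mangle
		printf '%s' "$TABLE "

		CHAIN=PREROUTING
		iptables -t "$TABLE" -P "$CHAIN" ACCEPT

		CHAIN=INPUT
		iptables -t "$TABLE" -P "$CHAIN" ACCEPT

		CHAIN=FORWARD
		iptables -t "$TABLE" -P "$CHAIN" ACCEPT

		CHAIN=OUTPUT
		iptables -t "$TABLE" -P "$CHAIN" ACCEPT

		# LAN/loopback traffic leaves the chain early and is never marked.
		iptables -t "$TABLE" -A "$CHAIN" -p ip	-o eth0	-s 192.168.1.1	-j ACCEPT #1
		iptables -t "$TABLE" -A "$CHAIN" -p ip	-o lo	-s 127.0.0.1	-j ACCEPT #2

		# NOTE(review): tcp/22 gets TOS 8 here but TOS 4 in POSTROUTING, and
		# udp/22 is marked although ssh is tcp only; confirm which is intended.
		iptables -t "$TABLE" -A "$CHAIN" -p tcp	-o eth1	--destination-port 22	-j TOS --set-tos 8 #3
		iptables -t "$TABLE" -A "$CHAIN" -p udp	-o eth1	--destination-port 22	-j TOS --set-tos 4
		iptables -t "$TABLE" -A "$CHAIN" -p tcp	-o eth1	--destination-port 25	-j TOS --set-tos 4
		iptables -t "$TABLE" -A "$CHAIN" -p tcp	-o eth1	--destination-port 53	-j TOS --set-tos 16
		iptables -t "$TABLE" -A "$CHAIN" -p udp	-o eth1	--destination-port 53	-j TOS --set-tos 16 #7

		CHAIN=POSTROUTING
		iptables -t "$TABLE" -P "$CHAIN" ACCEPT

		iptables -t "$TABLE" -A "$CHAIN" -p ip	-o eth0	-s 192.168.1.1	-j ACCEPT #1
		iptables -t "$TABLE" -A "$CHAIN" -p ip	-o lo	-s 127.0.0.1	-j ACCEPT #2

		# TOS for forwarded and local traffic leaving eth1, by service port.
		iptables -t "$TABLE" -A "$CHAIN" -p tcp	-o eth1	--destination-port 20	-j TOS --set-tos 8 #3
		iptables -t "$TABLE" -A "$CHAIN" -p tcp	-o eth1	--destination-port 21	-j TOS --set-tos 8
		iptables -t "$TABLE" -A "$CHAIN" -p tcp	-o eth1	--destination-port 22	-j TOS --set-tos 4
		iptables -t "$TABLE" -A "$CHAIN" -p udp	-o eth1	--destination-port 22	-j TOS --set-tos 4
		iptables -t "$TABLE" -A "$CHAIN" -p tcp	-o eth1	--destination-port 25	-j TOS --set-tos 4
		iptables -t "$TABLE" -A "$CHAIN" -p tcp	-o eth1	--destination-port 53	-j TOS --set-tos 16
		iptables -t "$TABLE" -A "$CHAIN" -p udp	-o eth1	--destination-port 53	-j TOS --set-tos 16
		iptables -t "$TABLE" -A "$CHAIN" -p tcp	-o eth1	--destination-port 80	-j TOS --set-tos 4
		iptables -t "$TABLE" -A "$CHAIN" -p tcp	-o eth1	--destination-port 110	-j TOS --set-tos 4
		iptables -t "$TABLE" -A "$CHAIN" -p udp	-o eth1	--destination-port 110	-j TOS --set-tos 4
		iptables -t "$TABLE" -A "$CHAIN" -p tcp	-o eth1	--destination-port 113	-j TOS --set-tos 16
		iptables -t "$TABLE" -A "$CHAIN" -p tcp	-o eth1	--destination-port 119	-j TOS --set-tos 4
		iptables -t "$TABLE" -A "$CHAIN" -p tcp	-o eth1	--destination-port 465	-j TOS --set-tos 4 #15

		# ----------------------------------------------------------------- #
		printf '%s\n' ": done."

		# rc convention: the lock file marks the service as running.
		touch /var/lock/subsys/firewall
		RETVAL=0
		;;
	stop)
		printf '%s' "Unloading netfilter firewall: "

		# Flush and zero every chain of the three tables. Chain policies are
		# not touched, so until iptable_filter is unloaded below the filter
		# table still defaults to DROP with no accept rules (fail-closed).
		# NOTE(review): if the module cannot be unloaded the host stays
		# closed after a stop; confirm that this is intended.

		# ----------------------------------------------------------------- #
		# filter table
		TABLE=filter
		printf '%s' "$TABLE "

		for CHAIN in INPUT FORWARD OUTPUT; do
			iptables -t "$TABLE" -F "$CHAIN"
		done

		iptables -t "$TABLE" -Z

		# ----------------------------------------------------------------- #
		# nat table
		TABLE=nat
		printf '%s' "$TABLE "

		for CHAIN in PREROUTING OUTPUT POSTROUTING; do
			iptables -t "$TABLE" -F "$CHAIN"
		done

		iptables -t "$TABLE" -Z

		# ----------------------------------------------------------------- #
		# mangle table
		TABLE=mangle
		printf '%s' "$TABLE "

		for CHAIN in PREROUTING INPUT FORWARD OUTPUT POSTROUTING; do
			iptables -t "$TABLE" -F "$CHAIN"
		done

		iptables -t "$TABLE" -Z

		# ----------------------------------------------------------------- #
		# Unload the modules loaded by start, in reverse order. A module may
		# be built in or still in use, so unload errors are deliberately
		# silenced.
		printf '%s' "modules "

		modprobe -r ipt_TOS 2> /dev/null
#		modprobe -r ipt_TCPMSS 2> /dev/null
		modprobe -r ipt_LOG 2> /dev/null
		modprobe -r ipt_state 2> /dev/null
		modprobe -r ipt_limit 2> /dev/null
		modprobe -r iptable_nat 2> /dev/null
		modprobe -r iptable_mangle 2> /dev/null
		modprobe -r iptable_filter 2> /dev/null
		modprobe -r ip_nat_ftp 2> /dev/null
		modprobe -r ip_conntrack_ftp 2> /dev/null
		modprobe -r ip_conntrack 2> /dev/null

		# ----------------------------------------------------------------- #
		printf '%s\n' ": done."

		rm -f /var/lock/subsys/firewall
		RETVAL=0
		;;
	restart)
		"$0" stop
		"$0" start
		# start creates the lock file itself on success; report its status
		# instead of an unconditional 0.
		RETVAL=$?
		;;
	list)
		# /proc/net/ip_tables_names holds one loaded table name per line.
		# Match the whole line as a literal so an empty, partial or
		# pattern-looking argument cannot pass the check.
		if [ -z "$2" ] || ! grep -qxF -- "$2" /proc/net/ip_tables_names; then
			exit 1
		fi
		iptables -t "$2" -L

		[ -f /var/lock/subsys/firewall ] && touch /var/lock/subsys/firewall
		RETVAL=0
		;;
	listc)
		if [ -z "$2" ] || ! grep -qxF -- "$2" /proc/net/ip_tables_names; then
			exit 1
		fi
		# ${3:+"$3"} passes the chain only when one was given; without it
		# iptables lists every chain of the table, as before.
		iptables -t "$2" -L ${3:+"$3"}

		[ -f /var/lock/subsys/firewall ] && touch /var/lock/subsys/firewall
		RETVAL=0
		;;
	*)
		printf '%s\n' "Usage: $0 {start|stop|restart|list table|listc table chain}"

		RETVAL=0
		;;
esac

# Every branch sets RETVAL; the default only guards against an empty value.
exit "${RETVAL:-0}"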
