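#!/bin/sh
#
# iptables firewall for a small WAN / LAN / DMZ / TEST gateway.
# Created by Per Jørgensen 2006.
#
# Topology as configured below:
#   WAN  ($WAN)  - public side; the address is read from the interface
#   LAN  ($LAN)  - 172.16.0.0/24, the trusted network
#   DMZ  ($DMZ)  - 172.16.10.0/24, hosts published to the Internet via DNAT
#   TEST ($TEST) - 192.168.0.0/24, may only talk to the WAN
#
# Policy: INPUT and FORWARD default to DROP, OUTPUT to ACCEPT.  Only the
# FORWARD paths hooked up under "Activating the chains" are ever allowed.
#
# Changes from the 2006 original (each one is marked NOTE(review) inline):
#   - refuse to run when not root or when no WAN address can be found, so
#     no DNAT/SNAT rule is ever built with an empty address
#   - default policies are set to DROP *before* flushing and before
#     ip_forward is enabled, so the box is never briefly wide open
#   - the nat table is flushed too; DNAT/SNAT rules used to accumulate on
#     every run
#   - SNAT is limited to packets leaving on $WAN; the original rewrote every
#     packet not sourced from $WAN_IP, including LAN<->DMZ traffic
#   - DNS to the firewall itself is no longer accepted from the WAN
#   - the "accept all ICMP NEW" rule is gone; the per-interface echo-request
#     rules it used to shadow are now effective
#   - SSH from ATLANTIS is bound to the DMZ interface (anti-spoofing)
#   - DMZ -> LAN is limited to return traffic; exceptions go in DMZTOLAN
#   - packets falling through to the DROP policies are logged, rate limited
#
# Must run as root.  Usage: sh firewall.sh

set -u

# -------------------------------------------------------------------
# Setup the environment variables
# -------------------------------------------------------------------
IPTABLES="/sbin/iptables"

die() { printf 'firewall: %s\n' "$*" >&2; exit 1; }

[ "$(id -u)" -eq 0 ] || die "must be run as root"
[ -x "$IPTABLES" ] || die "$IPTABLES not found or not executable"

# Interfaces
LO="lo"
WAN="eth0"
LAN="eth1"
DMZ="eth2"
TEST="eth3"

# The IP-addresses of the firewall's own interfaces
LAN_IP="172.16.0.1"
DMZ_IP="172.16.10.1"
TEST_IP="192.168.0.1"
LO_IP="127.0.0.8"          # kept from the original; not used by any rule

# The WAN address is dynamic and read from the interface.  iproute2 is
# preferred; the ifconfig parsing of the original is the fallback.
if command -v ip >/dev/null 2>&1; then
  WAN_IP=$(ip -4 -o addr show dev "$WAN" 2>/dev/null | awk '{ print $4 }' | cut -d/ -f1 | head -n 1)
else
  WAN_IP=$(ifconfig "$WAN" 2>/dev/null | grep "inet addr" | cut -f 2 -d ":" | cut -f 1 -d " ")
fi
# NOTE(review): with an empty WAN_IP every "-d $WAN_IP" below would turn into
# "-d -p ..." and SNAT would get an empty --to-source.  Refuse to continue
# rather than load a half-broken rule set.
[ -n "$WAN_IP" ] || die "could not determine the IPv4 address of $WAN"

# Networks
LAN_NET="172.16.0.0/24"
DMZ_NET="172.16.10.0/24"
WAN_NET="$WAN_IP"
TEST_NET="192.168.0.0/24"
LO_NET="127.0.0.1/8"

# The machines on the net
ATLANTIS="172.16.10.10"    # DMZ: HTTP, PostgreSQL, SSH, remote management
HERCULES="172.16.0.2"      # LAN: not referenced by any rule below
MEEKO="172.16.10.20"       # DMZ: SMTP/POP3/IMAP, bittorrent, remote management

# Whitespace-separated host lists.  They are deliberately expanded unquoted
# in the "for" loops below so that every entry becomes one rule.
# Hosts that are allowed to connect using SSH
SSHHOSTS="172.16.0.0/23"            # home network on x.x.0.0 & x.x.1.0
# NOTE(review): that is an RFC1918 range, so the SSH DNAT below is only
# reachable by hairpinning from the inside (rp_filter drops such sources
# arriving on the WAN); SSH to ATLANTIS is effectively not exposed to the
# Internet.  Presumably intended - confirm.
# Hosts that are allowed to connect using PSQL
PSQLHOSTS="212.97.132.118"          # Shinisha's web sites
# Hosts that are allowed to use remote management
REMOTE="195.249.32.221"             # Insatech A/S office

#-------------------------------------------------------------------
# Starting the script and write to syslog & console
# ------------------------------------------------------------------
# The original wrote "'date'" literally; log via syslog, fall back to the
# old direct append if logger is unavailable.
logger -t firewall "FIREWALL SCRIPT Started" 2>/dev/null \
  || echo "$(date):FIREWALL SCRIPT Started " >> /var/log/messages
echo
echo "Linux Firewall at PBJ IT & Webdesign "
echo "(C) Copyrigth by Per Jørgensen - 2006"
echo " All rigths reserved!"
echo
echo "Initializing firewall with these settings:"
echo "- WAN IP-address: $WAN ($WAN_IP)"
echo "- LAN IP-address: $LAN ($LAN_IP)"
echo "- DMZ IP-address: $DMZ ($DMZ_IP)"
echo "- TEST IP-address: $TEST ($TEST_IP)"
echo
echo "Initiating script:"
echo " Done"

# ---------------------------------------------------------------
# Start by loading IPTABLES modules
# ---------------------------------------------------------------
echo "Loading IPTABLES modules"
# iptables autoloads what it needs, and the conntrack module was renamed
# (ip_conntrack -> nf_conntrack) on later kernels, so a failed modprobe is
# not fatal here.
modprobe ip_tables 2>/dev/null || true
modprobe ip_conntrack 2>/dev/null || modprobe nf_conntrack 2>/dev/null || true
echo " Done"

# ---------------------------------------------------------------
# Initialize and setup default policies
# ---------------------------------------------------------------
echo "Initialzing and setup defaults policies"
# NOTE(review): set DROP policies *before* flushing.  The original flushed
# first, which left the host with empty chains under whatever policy was
# previously active (ACCEPT after boot) until the DROP lines ran.
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD DROP
echo " Done"
echo

# ---------------------------------------------------------------
# Flush existing rules and remove user chains
# ---------------------------------------------------------------
echo "Flashing and zeroing the chains"
# NOTE(review): the original only flushed the filter table, so the nat
# PREROUTING/POSTROUTING rules below were duplicated on every run.
for table in filter nat; do
  $IPTABLES -t "$table" -F
  $IPTABLES -t "$table" -X
  $IPTABLES -t "$table" -Z
done
echo " Done"
echo

# ---------------------------------------------------------------
# Kernel settings
# ---------------------------------------------------------------
# Reverse-path filtering: drop packets whose source address is not routable
# back over the interface they arrived on (basic anti-spoofing).
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
  echo 1 > "$f"
done
# Routing is enabled only now that FORWARD already defaults to DROP.
echo 1 > /proc/sys/net/ipv4/ip_forward

# --------------------------------------------------------------
# Create the chains
# --------------------------------------------------------------
echo "Creating and flushing the chains"
for chain in wantodmz wantolan lantowan lantodmz dmztowan dmztolan \
             testtowan wantotest lan wan dmz test; do
  $IPTABLES -N "$chain"
done
echo " Done. Chains are made"
echo

################################################################
# Setting up the INPUT chain (traffic to the firewall itself)
# --------------------------------------------------------------
echo "Setting up the INPUT chain"
## Loopback ##
$IPTABLES -A INPUT -i "$LO" -j ACCEPT
## Replies to connections the firewall opened itself ##
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
## ICMP ##
# NOTE(review): the original first accepted *all* ICMP in state NEW from
# every interface, which made the per-interface rules below dead code.
# Only the listed types are accepted as new traffic now; ICMP errors for
# existing flows are RELATED and covered above.  Echo requests from the
# WAN are rate limited.
$IPTABLES -A INPUT -i "$WAN" -p icmp --icmp-type echo-request -m state --state NEW \
  -m limit --limit 5/s --limit-burst 10 -j ACCEPT
$IPTABLES -A INPUT -i "$LAN" -p icmp --icmp-type echo-request -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -i "$DMZ" -p icmp -m state --state NEW -j ACCEPT
## DNS ##
# NOTE(review): the original accepted port 53 from every interface, WAN
# included, which exposes any resolver on this host to the Internet.  Only
# the internal interfaces may query it now.
for iface in "$LAN" "$DMZ" "$TEST"; do
  $IPTABLES -A INPUT -i "$iface" -p udp --dport 53 -j ACCEPT
  $IPTABLES -A INPUT -i "$iface" -p tcp --dport 53 -j ACCEPT
done
## SSH to the firewall: only from ATLANTIS, and only via the DMZ interface ##
# NOTE(review): the original matched the source address alone, so the rule
# could be hit by a packet with a forged DMZ source on any interface.
$IPTABLES -A INPUT -i "$DMZ" -s "$ATLANTIS" -p tcp --dport 22 -m state --state NEW -j ACCEPT
echo " Done. INPUT chain is up and running"
echo

# --------------------------------------------------------------
# Setting up the OUTPUT chain (traffic from the firewall itself)
# --------------------------------------------------------------
# The OUTPUT policy is ACCEPT, so these rules only matter if that policy
# is ever tightened; they are kept from the original for that case.
# DNS
$IPTABLES -A OUTPUT -p udp --dport 53 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 53 -j ACCEPT
# SMTP
$IPTABLES -A OUTPUT -p tcp --dport 25 -j ACCEPT
# Loopback and the firewall's own LAN/DMZ addresses
$IPTABLES -A OUTPUT -o "$LO" -j ACCEPT
$IPTABLES -A OUTPUT -s "$LAN_NET" -j ACCEPT
$IPTABLES -A OUTPUT -s "$DMZ_NET" -j ACCEPT
echo " Done. OUTPUT chain is up and running"
echo

# --------------------------------------------------------------
# Per-interface INPUT chains
# --------------------------------------------------------------
echo "Setting up the LAN interface"
# LAN hosts may open anything towards the firewall.
$IPTABLES -A lan -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
echo " Done. LAN is up and running"
echo

echo "Setting up the WAN interface"
# From the WAN only return traffic reaches the firewall itself.
$IPTABLES -A wan -m state --state ESTABLISHED,RELATED -j ACCEPT
echo " Done. WAN is up and running"
echo

echo "Setting up the DMZ interface"
# DMZ hosts may open anything towards the firewall (same as the LAN).
# NOTE(review): consider listing the services DMZ hosts actually need here.
$IPTABLES -A dmz -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
echo " Done. DMZ is up and running"
echo

echo "Setting up the TEST Interface"
# NOTE(review): this chain is populated but never hooked into INPUT (the
# original did not either), so TEST hosts currently reach the firewall only
# through the DNS rule above.  If they should be treated like the LAN, add
#   $IPTABLES -A INPUT -i "$TEST" -j test
# under "Activating the chains".
$IPTABLES -A test -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
echo " Done. WRL is up and running."
echo ""

# --------------------------------------------------------------
# TEST <-> WAN forwarding
# --------------------------------------------------------------
echo "Setting up the TESTTOWAN chain"
$IPTABLES -A testtowan -s "$TEST_NET" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
echo " Setting up WANTOTEST chain"
$IPTABLES -A wantotest -m state --state ESTABLISHED,RELATED -j ACCEPT
echo " Done. TESTTOWAN & WANTOTEST is up and running."

################################################################
# LAN -> WAN: LAN hosts may open anything to the Internet
# --------------------------------------------------------------
echo "Setting up the LANTOWAN chain"
$IPTABLES -A lantowan -s "$LAN_NET" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
echo " Done. LANTOWAN chain is up and running"
echo

# --------------------------------------------------------------
# LAN -> DMZ: all connections accepted
# --------------------------------------------------------------
echo "Setting up the LANTODMZ chain"
$IPTABLES -A lantodmz -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
echo " Done. LANTODMZ chains is up and running"
echo

################################################################
# DMZ -> LAN: return traffic only
# --------------------------------------------------------------
echo "Setting up DMZTOLAN chain"
# NOTE(review): the original accepted NEW connections from the DMZ into the
# LAN.  Every DMZ host is reachable from the Internet through the DNAT rules
# below, so a compromised one could pivot straight into the trusted network.
# Only replies are allowed now; whitelist specific services here, e.g.
#   $IPTABLES -A dmztolan -s "$MEEKO" -d "$HERCULES" -p tcp --dport 25 -j ACCEPT
$IPTABLES -A dmztolan -m state --state ESTABLISHED,RELATED -j ACCEPT
echo " Done. DMZTOLAN chain is up and running"
echo

# --------------------------------------------------------------
# DMZ -> WAN: DMZ hosts may open connections to the Internet
# --------------------------------------------------------------
echo "Setting up the DMZTOWAN chain"
$IPTABLES -A dmztowan -s "$DMZ_NET" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
echo " Done. DMZTOWAN chain is up and running"
echo

################################################################
# WAN -> LAN: return traffic only
# --------------------------------------------------------------
echo "Setting up the WANTOLAN chains"
$IPTABLES -A wantolan -m state --state ESTABLISHED,RELATED -j ACCEPT
echo " Done. WANTOLAN chain is up and running"
echo

# --------------------------------------------------------------
# WAN -> DMZ: port forwarding.  Each service needs two rules: a DNAT in
# the nat table (rewrite the destination) and an ACCEPT in wantodmz
# (FORWARD policy is DROP).  The DNAT matches on $WAN_IP, so the ACCEPT
# rules with a source list are what actually restrict who gets in.
# --------------------------------------------------------------
echo "Setting up FORWARDING RULES = WANTODMZ"
# Return traffic first, so it is not evaluated against every port rule.
$IPTABLES -A wantodmz -m state --state ESTABLISHED,RELATED -j ACCEPT

## MEEKO: SMTP / POP3 / IMAP, open to the world ##
$IPTABLES -t nat -A PREROUTING -d "$WAN_IP" -p tcp -m multiport --dports 25,110,143 -j DNAT --to-destination "$MEEKO"
$IPTABLES -A wantodmz -d "$MEEKO" -p tcp -m multiport --dports 25,110,143 -j ACCEPT

## ATLANTIS: HTTP, open to the world ##
$IPTABLES -t nat -A PREROUTING -d "$WAN_IP" -p tcp --dport 80 -j DNAT --to-destination "$ATLANTIS:80"
$IPTABLES -A wantodmz -d "$ATLANTIS" -p tcp --dport 80 -j ACCEPT

## ATLANTIS: PostgreSQL, only from PSQLHOSTS ##
$IPTABLES -t nat -A PREROUTING -d "$WAN_IP" -p tcp --dport 5432 -j DNAT --to-destination "$ATLANTIS:5432"
# shellcheck disable=SC2086  # intentional word splitting of the host list
for PSQL in $PSQLHOSTS; do
  $IPTABLES -A wantodmz -s "$PSQL" -d "$ATLANTIS" -p tcp --dport 5432 -j ACCEPT
done

## ATLANTIS: SSH, only from SSHHOSTS ##
$IPTABLES -t nat -A PREROUTING -d "$WAN_IP" -p tcp --dport 22 -j DNAT --to-destination "$ATLANTIS:22"
# shellcheck disable=SC2086
for SSH in $SSHHOSTS; do
  $IPTABLES -A wantodmz -s "$SSH" -d "$ATLANTIS" -p tcp --dport 22 -j ACCEPT
done

## ATLANTIS: remote management on 2217, only from REMOTE ##
$IPTABLES -t nat -A PREROUTING -d "$WAN_IP" -p tcp --dport 2217 -j DNAT --to-destination "$ATLANTIS:2217"
# shellcheck disable=SC2086
for REM in $REMOTE; do
  $IPTABLES -A wantodmz -s "$REM" -d "$ATLANTIS" -p tcp --dport 2217 -j ACCEPT
done

## MEEKO: remote management, public port 2218 -> 2217 on the host, only from REMOTE ##
$IPTABLES -t nat -A PREROUTING -d "$WAN_IP" -p tcp --dport 2218 -j DNAT --to-destination "$MEEKO:2217"
# shellcheck disable=SC2086
for REM in $REMOTE; do
  $IPTABLES -A wantodmz -s "$REM" -d "$MEEKO" -p tcp --dport 2217 -j ACCEPT
done

## MEEKO: bittorrent, open to the world ##
$IPTABLES -t nat -A PREROUTING -d "$WAN_IP" -p tcp -m multiport --dports 60514,60515 -j DNAT --to-destination "$MEEKO"
$IPTABLES -A wantodmz -d "$MEEKO" -p tcp -m multiport --dports 60514,60515 -j ACCEPT
echo " Done. PORTFORWARDING is up and running"
echo

################################################################
# Setting up Masquerading
# --------------------------------------------------------------
echo "Setting up MASQUERADING"
# NOTE(review): the original matched "-s ! $WAN_IP" with no output
# interface, so LAN<->DMZ traffic was SNATed to the public address as well,
# hiding the real client address from the DMZ hosts.  Only packets leaving
# on the WAN are rewritten now.
$IPTABLES -t nat -A POSTROUTING -o "$WAN" -j SNAT --to-source "$WAN_IP"
echo " Done. MASQUERADING is up and running"
echo

##################################################################
# Activating the chains
# ----------------------------------------------------------------
echo "Activating the chains"
$IPTABLES -A INPUT -i "$WAN" -j wan
$IPTABLES -A INPUT -i "$LAN" -j lan
$IPTABLES -A INPUT -i "$DMZ" -j dmz
$IPTABLES -A FORWARD -i "$WAN" -o "$DMZ" -j wantodmz
$IPTABLES -A FORWARD -i "$WAN" -o "$LAN" -j wantolan
$IPTABLES -A FORWARD -i "$DMZ" -o "$WAN" -j dmztowan
$IPTABLES -A FORWARD -i "$DMZ" -o "$LAN" -j dmztolan
$IPTABLES -A FORWARD -i "$LAN" -o "$DMZ" -j lantodmz
$IPTABLES -A FORWARD -i "$LAN" -o "$WAN" -j lantowan
$IPTABLES -A FORWARD -i "$TEST" -o "$WAN" -j testtowan
$IPTABLES -A FORWARD -i "$WAN" -o "$TEST" -j wantotest

# Log (rate limited) whatever falls through to the DROP policies so that
# probes and misconfigurations are visible in syslog.
$IPTABLES -A INPUT -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "FW-INPUT-DROP: "
$IPTABLES -A FORWARD -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "FW-FORWARD-DROP: "
echo "Done. The chains are now activated"
echo
echo "Firewall has been setup succesfully and are now"
echo " protecting your network. No garanty is given."
echo
echo "This script is designet by PBJ IT & Webdesign"
echo " This is released under GPL licens"
echo " Remember OpenSource is not nessecary FREE"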