#!/bin/sh # # An example of a IPTABLES firewall with IP Masquerade # requires 2.3.x kernel or greater. # # save this as /etc/firewall # it will be called by /etc/init.d/rc.firewall # # by oldami-AT-cotse-DOT-net # created Jan 2004 from rc.firewall-2.4-stronger v0.63s # with lots of mods to make it even more restrictive # # put your configuration info here # For this example, "eth1" is external and "eth0" is internal" # NOTE: If this doesnt EXACTLY fit your configuration, you must # change the EXTIF or INTIF variables above. For example: # EXTIF="ppp0" # if you are a modem user. # the external interface EXTIF="eth1" # the internal interface INTIF="eth0" # internal network and IP - this must be static INTNET="192.168.1.0/24" INTIP="192.168.1.2" INTBRO="192.168.1.255" # IPs of servers for sending and recieving mail # look at your mail client config to get these # can use DNS names, but IPs are recommended # multiple entries should be separated by spaces SMTP_SERVER="123.123.123.123" POP_SERVER="123.123.123.123 11.22.33.44" # add each port number you wish to allow out to this variable OK_PORTS="21 22 23 25 80 443 5190" # The location of various iptables and other shell programs # # If your Linux distribution came with a copy of iptables, most # likely it is located in /sbin. If you manually compiled # iptables, the default location is in /usr/local/sbin # # ** Please use the "which iptables" command to figure out # ** where your copy is and change the path below to reflect # ** your setup # IPTABLES=/sbin/iptables #IPTABLES=/usr/local/sbin/iptables # some other executables used by the script LSMOD=/sbin/lsmod GREP=/bin/grep AWK=/usr/bin/awk echo -e "\nLoading oldami firewall script\n" logger "===== config firewall using $0 =====" echo " External Interface: $EXTIF" echo " Internal Interface: $INTIF" # Specify your Static IP address here or let the script take care of it # for you. # # If you prefer to use STATIC addresses in your firewalls, un-# out the # static example below and # out the dynamic line. If you don't care, # just leave this section alone. # # If you have a DYNAMIC IP address, the ruleset already takes care of # this for you. Please note that the different single and double quote # characters and the script MATTER. # # # DHCP users: # ----------- # If you get your TCP/IP address via DHCP, **you will need ** to enable the # #ed out command below underneath the PPP section AND replace the word # "eth0" with the name of your EXTERNAL Internet connection (ppp0, ippp0, # etc) on the lines for "ppp-ip" and "extip". You should also note that the # DHCP server can and will change IP addresses on you. To deal with this, # users should configure their DHCP client to re-run the rc.firewall ruleset # everytime the DHCP lease is renewed. # # NOTE #1: Some DHCP clients like the original "pump" (the newer # versions have been fixed) did NOT have the ability to run # scripts after a lease-renew. Because of this, you need to # replace it with something like "dhcpcd" or "dhclient". # # NOTE #2: The syntax for "dhcpcd" has changed in recent versions. # # Older versions used syntax like: # dhcpcd -c /etc/rc.d/rc.firewall eth0 # # Newer versions execute a file called /etc/dhcpc/dhcpcd-eth0.exe # # NOTE #3: For Pump users, put the following line in /etc/pump.conf: # # script /etc/rc.d/rc.firewall # # PPP users: # ---------- # If you aren't already aware, the /etc/ppp/ip-up script is always run when # a PPP connection comes up. Because of this, we can make the ruleset go and # get the new PPP IP address and update the strong firewall ruleset. # # If the /etc/ppp/ip-up file already exists, you should edit it and add a line # containing "/etc/rc.d/rc.firewall" near the end of the file. # # If you don't already have a /etc/ppp/ip-up sccript, you need to create the # following link to run the /etc/rc.d/rc.firewall script. # # ln -s /etc/rc.d/rc.firewall /etc/ppp/ip-up # # * You then want to enable the #ed out shell command below * # # # Determine the external IP automatically: # ---------------------------------------- # EXTIP="`/sbin/ifconfig $EXTIF | grep 'inet addr' | $AWK '{print $2}' | sed -e 's/.*://'`" # For users who wish to use STATIC IP addresses: # # out the EXTIP line above and un-# out the EXTIP line below # #EXTIP="your.static.PPP.address" echo " External IP: $EXTIP" echo " Internal Network: $INTNET" echo " Internal IP: $INTIP" echo " ---" # Setting a few other local variables # UNIVERSE="0.0.0.0/0" #====================================================================== # Need to verify that all modules have all required dependencies # echo " - Verifying that all kernel modules are ok" /sbin/depmod -a echo -en " Loading kernel modules: " # With the new IPTABLES code, the core MASQ functionality is now either # modular or compiled into the kernel. This HOWTO shows ALL IPTABLES # options as MODULES. If your kernel is compiled correctly, there is # NO need to load the kernel modules manually. # # NOTE: The following items are listed ONLY for informational reasons. # There is no reason to manual load these modules unless your # kernel is either mis-configured or you intentionally disabled # the kernel module autoloader. # # Upon the commands of starting up IP Masq on the server, the # following kernel modules will be automatically loaded: # # NOTE: Only load the IP MASQ modules you need. All current IP MASQ # modules are shown below but are commented out from loading. # =============================================================== #Load the main body of the IPTABLES module - "iptable" # - Loaded automatically when the "iptables" command is invoked # # - Loaded manually to clean up kernel auto-loading timing issues # echo -en "ip_tables, " # #Verify the module isn't loaded. If it is, skip it # if [ -z "` $LSMOD | $GREP ip_tables | $AWK {'print $1'} `" ]; then /sbin/insmod ip_tables fi #Load the IPTABLES filtering module - "iptable_filter" # # - Loaded automatically when filter policies are activated #Load the stateful connection tracking framework - "ip_conntrack" # # The conntrack module in itself does nothing without other specific # conntrack modules being loaded afterwards such as the "ip_conntrack_ftp" # module # # - This module is loaded automatically when MASQ functionality is # enabled # # - Loaded manually to clean up kernel auto-loading timing issues # echo -en "ip_conntrack, " # #Verify the module isn't loaded. If it is, skip it # if [ -z "` $LSMOD | $GREP ip_conntrack | $AWK {'print $1'} `" ]; then /sbin/insmod ip_conntrack fi #Load the FTP tracking mechanism for full FTP tracking # # Enabled by default -- insert a "#" on the next line to deactivate # echo -e "ip_conntrack_ftp, " # #Verify the module isn't loaded. If it is, skip it # if [ -z "` $LSMOD | $GREP ip_conntrack_ftp | $AWK {'print $1'} `" ]; then /sbin/insmod ip_conntrack_ftp fi #Load the IRC tracking mechanism for full IRC tracking # # Enabled by default -- insert a "#" on the next line to deactivate # echo -en " ip_conntrack_irc, " # #Verify the module isn't loaded. If it is, skip it # if [ -z "` $LSMOD | $GREP ip_conntrack_irc | $AWK {'print $1'} `" ]; then /sbin/insmod ip_conntrack_irc fi #Load the general IPTABLES NAT code - "iptable_nat" # - Loaded automatically when MASQ functionality is turned on # # - Loaded manually to clean up kernel auto-loading timing issues # echo -en "iptable_nat, " # #Verify the module isn't loaded. If it is, skip it # if [ -z "` $LSMOD | $GREP iptable_nat | $AWK {'print $1'} `" ]; then /sbin/insmod iptable_nat fi #Loads the FTP NAT functionality into the core IPTABLES code # Required to support non-PASV FTP. # # Enabled by default -- insert a "#" on the next line to deactivate # echo -e "ip_nat_ftp" # #Verify the module isn't loaded. If it is, skip it # if [ -z "` $LSMOD | $GREP ip_nat_ftp | $AWK {'print $1'} `" ]; then /sbin/insmod ip_nat_ftp fi echo " ---" # Just to be complete, here is a list of the remaining kernel modules # and their function. Please note that several modules should be only # loaded by the correct master kernel module for proper operation. # -------------------------------------------------------------------- # # ipt_mark - this target marks a given packet for future action. # This automatically loads the ipt_MARK module # # ipt_tcpmss - this target allows to manipulate the TCP MSS # option for braindead remote firewalls. # This automatically loads the ipt_TCPMSS module # # ipt_limit - this target allows for packets to be limited to # to many hits per sec/min/hr # # ipt_multiport - this match allows for targets within a range # of port numbers vs. listing each port individually # # ipt_state - this match allows to catch packets with various # IP and TCP flags set/unset # # ipt_unclean - this match allows to catch packets that have invalid # IP/TCP flags set # # iptable_filter - this module allows for packets to be DROPped, # REJECTed, or LOGged. This module automatically # loads the following modules: # # ipt_LOG - this target allows for packets to be # logged # # ipt_REJECT - this target DROPs the packet and returns # a configurable ICMP packet back to the # sender. # # iptable_mangle - this target allows for packets to be manipulated # for things like the TCPMSS option, etc. #CRITICAL: Enable IP forwarding since it is disabled by default since # # Redhat Users: you may try changing the options in # /etc/sysconfig/network from: # # FORWARD_IPV4=false # to # FORWARD_IPV4=true # echo " Enabling forwarding.." echo "1" > /proc/sys/net/ipv4/ip_forward # Dynamic IP users: # # If you get your IP address dynamically from SLIP, PPP, or DHCP, # enable this following option. This enables dynamic-address hacking # which makes the life with Diald and similar programs much easier. # echo " Enabling DynamicAddr.." echo "1" > /proc/sys/net/ipv4/ip_dynaddr echo " ---" #========================================================================= # Clear any previous configuration # # Unless specified, the defaults for INPUT, OUTPUT, and FORWARD to DROP. # # You CANNOT change this to REJECT as it isn't a vaild setting for a # policy. If you want REJECT, you must explictly REJECT at the end # of a giving INPUT, OUTPUT, or FORWARD chain # echo " Clearing any existing rules and setting default policy to DROP.." # flush all chains $IPTABLES -F # delete all user defined chains $IPTABLES -X # set default policy to DROP $IPTABLES -P OUTPUT DROP $IPTABLES -P INPUT DROP $IPTABLES -P FORWARD DROP # Reset all IPTABLES counters $IPTABLES -Z #======================================================================== #Configuring specific CHAINS for later use in the ruleset # # NOTE: Some users prefer to have their firewall silently # "DROP" packets while others prefer to use "REJECT" # to send ICMP error messages back to the remote # machine. The default is "REJECT" but feel free to # change this below. # # NOTE: Without the --log-level set to "info", every single # firewall hit will goto ALL vtys. This is a very big # pain. # echo " Creating a DROP chain.." $IPTABLES -N drop-and-log-it $IPTABLES -A drop-and-log-it -j LOG --log-level info $IPTABLES -A drop-and-log-it -j DROP #======================================================================== echo " Enabling SNAT (MASQUERADE) functionality on $EXTIF" $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE echo -e "\n - Loading INPUT rulesets" ####################################################################### # INPUT: Incoming traffic from various interfaces. All rulesets are # already flushed and set to a default policy of DROP. # # loopback interfaces are valid. # $IPTABLES -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT # allow all trafic from inside to the firewall $IPTABLES -A INPUT -i $INTIF -s $INTNET -d $INTIP -j ACCEPT $IPTABLES -A INPUT -i $INTIF -s $INTNET -d $INTBRO -j ACCEPT # remote interface, claiming to be local machines, IP spoofing, get lost # $IPTABLES -A INPUT -i $EXTIF -s $INTNET -d $UNIVERSE -j drop-and-log-it # external interface, from any source, for ICMP traffic is valid # # If you would like your machine to "ping" from the Internet, # enable this next line # $IPTABLES -A INPUT -i $EXTIF -p ICMP -s $UNIVERSE -d $EXTIP -j ACCEPT # Allow any related traffic coming back to the MASQ server in $IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state ESTABLISHED,RELATED -j ACCEPT # DNS - you need this, despite what an MCSE might tell you $IPTABLES -A INPUT -i $EXTIF -p UDP --sport 53 -j ACCEPT # Allow DHCP traffic (should restrict this to only the DHCP server) $IPTABLES -A INPUT -i $EXTIF -p UDP --dport 67:68 -j ACCEPT # ignore DHCP traffic on inside net $IPTABLES -A INPUT -i $INTIF -p UDP --dport 67:68 -j DROP # Allow SSH from outside $IPTABLES -A INPUT -i $EXTIF -p TCP --dport 22 -j ACCEPT #### Add other rules here to allow other trafic in # NetUsage program needs this $IPTABLES -A INPUT -i $INTIF -p UDP --dport 32123 -j ACCEPT # Catch all rule, all other incoming is denied and logged. $IPTABLES -A INPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it echo -e " - Loading OUTPUT rulesets" ####################################################################### # OUTPUT: Outgoing traffic from various interfaces. All rulesets are # already flushed and set to a default policy of DROP. # # note: OUTPUT rules are for this box. For controlling traffic from # other systems on the internal net, add to the FORWARD chain. # loopback interface is valid. $IPTABLES -A OUTPUT -o lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT # local interfaces, any source going to local net is valid $IPTABLES -A OUTPUT -o $INTIF -s $EXTIP -d $INTNET -j ACCEPT # anything from this box to internal interface is allowed $IPTABLES -A OUTPUT -o $INTIF -s $INTIP -d $INTNET -j ACCEPT # outgoing to local net on remote interface, stuffed routing, deny $IPTABLES -A OUTPUT -o $EXTIF -s $UNIVERSE -d $INTNET -j drop-and-log-it $IPTABLES -A OUTPUT -o $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT # DNS - you need this, despite what an MSCE might tell you $IPTABLES -A OUTPUT -o $EXTIF -p UDP --dport 53 -j ACCEPT # Allow DHCP requests out $IPTABLES -A OUTPUT -o $EXTIF -p UDP --dport 67:68 -j ACCEPT # allow ICMP out $IPTABLES -A OUTPUT -o $EXTIF -p ICMP -j ACCEPT # Allow each of the allowed TCP ports to go out for PORT in $OK_PORTS do $IPTABLES -A OUTPUT -o $EXTIF -p TCP --dport $PORT -j ACCEPT done # NetUsage program needs this $IPTABLES -A OUTPUT -o $INTIF -p UDP --dport 32123 -j ACCEPT # Catch all rule, all other outgoing is denied and logged. $IPTABLES -A OUTPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it echo -e " - Loading FORWARD rulesets" ####################################################################### # FORWARD: Enable Forwarding and thus IPMASQ # $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT # allow outgoing SMTP to each server in list for SVR in $SMTP_SERVER do $IPTABLES -A FORWARD -o $EXTIF -p TCP --dport 25 -d $SVR -j ACCEPT done # allow POP3 to each server in list for SVR in $POP_SERVER do $IPTABLES -A FORWARD -o $EXTIF -p TCP --dport 110 -d $SVR -j ACCEPT done # Allow each of the TCP ports above for PORT in $OK_PORTS do $IPTABLES -A FORWARD -o $EXTIF -p TCP --dport $PORT -j ACCEPT done # drop and log everything else $IPTABLES -A FORWARD -j drop-and-log-it ####################################################################### echo -e "\nDone.\n"