source: floppyfw/scripts/firewall.ini @ 105

Revision 105, 9.7 KB checked in by root, 8 years ago (diff)

More dmz stuff. (and a patch from Brad).

1#!/bin/sh
2
3# $Id: firewall.ini,v 1.6 2005/09/25 22:15:40 thomasez Exp $
4
5# If you want the box to just act as a router, uncomment the 2 lines below
6#echo 1 > /proc/sys/net/ipv4/ip_forward
7#exit 0
8
9#
10# Firewall setup.
11#
. /etc/config

#
# Do you want to do port forwarding to an internal server?
# Set the server IP here and sort out the port stuff later in this file.
# (Assigned unconditionally, so it wins over whatever /etc/config said.)
#
SERVER_IP=10.42.42.42

#
# Stop forwarding first.  This script may be run during normal uptime
# (DHCP re-lease, demand dialing / PPPoE), so nothing must be forwarded
# while the rule set below is torn down and rebuilt.
#
printf '0\n' > /proc/sys/net/ipv4/ip_forward

#
# Overriding the /etc/config and adding additional information
# (presumably the INSIDE_* / OUTSIDE_* variables used further down).
#
. /etc/outside.info
. /etc/inside.info
31
32#
33# Brad suggested this:
34# And he suggested to check and maybe change the formatting.
35# We'll do that later.
36#
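echo "Starting firewall with the following config:"
# Every argument is quoted: an empty or unset variable must still occupy
# its column, otherwise the remaining arguments shift left and the table
# attributes values to the wrong interface.
printf "\t\t   Inside\t\tOutside
 Physical device:  %-15s\t%-15s
  Logical device:  %-15s\t%-15s
\t Network:  %-15s\t%-15s
      IP Address:  %-15s\t%-15s
\t Netmask:  %-15s\t%-15s
       Broadcast:  %-15s\t%-15s
\t Gateway:  %-15s\t%-15s\n" \
  "$INSIDE_DEV"         "$OUTSIDE_DEV" \
  "$INSIDE_DEVICE"      "$OUTSIDE_DEVICE" \
  "$INSIDE_NETWORK"     "$OUTSIDE_NETWORK" \
  "$INSIDE_IP"          "$OUTSIDE_IP" \
  "$INSIDE_NETMASK"     "$OUTSIDE_NETMASK" \
  "$INSIDE_BROADCAST"   "$OUTSIDE_BROADCAST" \
  "[None Set]"          "$OUTSIDE_GATEWAY"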
52
53#
54# Flushing the chains.
55#
56
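#
# Default policy first: DROP everything.
# Doing this before the flush means the box is never left with an ACCEPT
# policy and an empty rule set, not even for the moment between
# "iptables -F" and "iptables -P ... DROP" on a first run (the
# ip_forward=0 above only covers forwarded traffic, not the box itself).
#
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

#
# Flushing the chains: the filter table unconditionally, then every table
# the kernel currently knows about (nat, mangle, ...).
#
iptables -F
iptables -X
iptables -Z
if [ -r /proc/net/ip_tables_names ]
then
  while read -r table
  do
    iptables -F -t "$table"
    iptables -X -t "$table"
    iptables -Z -t "$table"
  done < /proc/net/ip_tables_names
fi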
75
76#
77# SYN-Flooding protection
78# Looks good and nicked from a firewall script mentioned on floppyfw.something.
79# Didn't work that well..
80#
#
# SYN-Flooding protection
# Looks good and nicked from a firewall script mentioned on floppyfw.something.
# Didn't work that well..
# (The limit is one bucket for *all* inbound SYNs on the outside device,
# so a burst of unrelated connection attempts throttles legitimate ones
# too.  It governs INPUT only; forwarded traffic is not affected.)
#
iptables --new-chain syn-flood
iptables --append INPUT --in-interface "${OUTSIDE_DEVICE}" --protocol tcp --syn --jump syn-flood
iptables --append syn-flood --match limit --limit 1/s --limit-burst 4 --jump RETURN
iptables --append syn-flood --jump DROP
# Make sure NEW tcp connections are SYN packets
iptables --append INPUT --in-interface "${OUTSIDE_DEVICE}" --protocol tcp ! --syn --match state --state NEW --jump DROP
87
88
89#
90# Good old masquerading.
91#
#
# Good old masquerading: everything from the inside network that leaves
# through the outside device gets the outside address.
#
iptables --table nat --append POSTROUTING --source "${INSIDE_NETWORK}/${INSIDE_NETMASK}" --out-interface "${OUTSIDE_DEVICE}" --jump MASQUERADE
93 
94#
95# Forwarding outside ports to an internal server.
96# This used to be the ipchains / ipmasqadm portfw command.
97#
98# SSH:
99
100#iptables -A PREROUTING -t nat -p tcp -d ${OUTSIDE_IP} --dport 22 -j DNAT --to ${SERVER_IP}:22
101#iptables -A FORWARD -p tcp -d ${SERVER_IP} --dport 22 -o ${INSIDE_DEVICE} -j ACCEPT
102
103
104# Web:
105#iptables -A PREROUTING -t nat -p tcp -d ${OUTSIDE_IP} --dport 80 -j DNAT --to ${SERVER_IP}:80
106#iptables -A FORWARD -p tcp -d ${SERVER_IP} --dport 80 -o ${INSIDE_DEVICE} -j ACCEPT
107# This rule helps the "I can't reach my web server from the inside" problem.
108#iptables -A POSTROUTING -t nat -p tcp -d ${SERVER_IP} --dport 80 -s ${INSIDE_NETWORK}/${INSIDE_NETMASK} -j SNAT --to ${OUTSIDE_IP}
109
110# FTP:
111
112#iptables -A PREROUTING -t nat -p tcp -d ${OUTSIDE_IP} --dport 21 -j DNAT --to ${SERVER_IP}:21
113#iptables -A FORWARD -p tcp -d ${SERVER_IP} --dport 21 -o ${INSIDE_DEVICE} -j ACCEPT
114
115# SMTP (Internal mail server):
116#iptables -A PREROUTING -t nat -p tcp -d ${OUTSIDE_IP} --dport 25 -j DNAT --to ${SERVER_IP}:25
117#iptables -A FORWARD -p tcp -d ${SERVER_IP} --dport 25 -o ${INSIDE_DEVICE} -j ACCEPT
118# This rule helps the "I can't reach my server from the inside" problem.
119#iptables -A POSTROUTING -t nat -p tcp -d ${SERVER_IP} --dport 25 -s ${INSIDE_NETWORK}/${INSIDE_NETMASK} -j SNAT --to ${OUTSIDE_IP}
120
121#
122# Keep state and open up for outgoing connections.
123#
#
# Keep state and open up for outgoing connections.
#
# Rule order matters here.  These three rules terminate (ACCEPT or DROP)
# for every packet between INSIDE_DEVICE and OUTSIDE_DEVICE except
# INVALID ones entering on the inside.  Anything appended to FORWARD later
# in this script (the VoIP forwards, the /etc/firewall/* scripts) sits
# behind rule 3 and is therefore never reached by NEW connections from
# the outside; port forwards for such connections have to be *inserted*
# (iptables -I FORWARD), not appended.
#
iptables --append FORWARD --match state --state NEW --in-interface "${INSIDE_DEVICE}" --jump ACCEPT
iptables --append FORWARD --match state --state ESTABLISHED,RELATED --jump ACCEPT
iptables --append FORWARD --match state --state NEW,INVALID --in-interface "${OUTSIDE_DEVICE}" --jump DROP
127
128#
129# This is mainly for PPPoE usage but it won't hurt anyway so we'll just
130# keep it here.
131#
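#
# This is mainly for PPPoE usage but it won't hurt anyway so we'll just
# keep it here.
#
# Inserted at the top of FORWARD instead of appended: the state rules
# above either ACCEPT (NEW from inside, ESTABLISHED/RELATED) or DROP
# (NEW from outside) every SYN travelling between the inside and outside
# devices before an appended rule is reached, so the clamp never fired
# for that traffic.  TCPMSS is non-terminating, so putting it first
# changes nothing else.
#
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu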
133
134#
135# We don't like the NetBIOS and Samba leaking..
136#
#
# We don't like the NetBIOS and Samba leaking..
# These live in the nat table, so only the first packet of a connection is
# seen; that is enough to kill it, but the usual home for a DROP is the
# filter table (INPUT/FORWARD), where "iptables -L" also shows it without
# "-t nat".
#
iptables --table nat --append PREROUTING --protocol TCP --dport 135:139 --jump DROP
iptables --table nat --append PREROUTING --protocol UDP --dport 137:139 --jump DROP
for proto in TCP UDP
do
  iptables --table nat --append PREROUTING --protocol "$proto" --dport 445 --jump DROP
done
141
142
143#
144# We would like to ask for names from our floppyfw box
145#
#
# We would like to ask for names from our floppyfw box:
# state tracking for the box's own traffic, replies in and anything out.
#
iptables --append INPUT  --match state --state ESTABLISHED,RELATED --jump ACCEPT
iptables --append OUTPUT --match state --state NEW,ESTABLISHED,RELATED --jump ACCEPT

# Ping and friends: all ICMP, both directions, on every interface (this
# includes echo-request from the outside; narrow it with --icmp-type if
# that is unwanted).
iptables --append OUTPUT --protocol icmp --jump ACCEPT
iptables --append INPUT  --protocol icmp --jump ACCEPT

# DHCP, and in fact anything at all, from the inside: the inside network
# is trusted to talk to the box on any port.
iptables --append INPUT  --in-interface  "${INSIDE_DEVICE}" --jump ACCEPT
iptables --append OUTPUT --out-interface "${INSIDE_DEVICE}" --jump ACCEPT
# And also accept talking to ourself.
iptables --append INPUT --in-interface lo --jump ACCEPT
158
159#
160# If the user wants to have the fake identd running, the identd has to
161# be able to answer.
162#
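#
# If the user wants to have the fake identd running, the identd has to
# be able to answer.  Otherwise answer with a RST (rather than the silent
# policy DROP) so a remote ident lookup fails at once instead of timing out.
#
# NOTE(review): as in the original this only tests that FAKEIDENT is
# non-empty; unlike WONDER_SHAPER it is not compared with "y", so
# FAKEIDENT=n would still open port 113 -- confirm the config convention.
# The expansion is quoted so a value containing spaces no longer makes
# "[" fail into the else branch.
#
if [ -n "${FAKEIDENT}" ]
then
  iptables -A INPUT -p TCP --dport 113 -i "${OUTSIDE_DEVICE}" -j ACCEPT
else
  iptables -A INPUT -p TCP --dport 113 -i "${OUTSIDE_DEVICE}" -j REJECT --reject-with tcp-reset
fi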
169
170#
171# Forwarding SIP and VoIP rtp ports for PHONE_IP in config
172#
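#
# Forwarding SIP and VoIP rtp ports for PHONE_IP in config
#
# The FORWARD rules are *inserted* (-I), not appended: the state rules
# earlier in this file end with "NEW,INVALID -i OUTSIDE_DEVICE -j DROP",
# and an appended ACCEPT sits behind that DROP, so the DNAT'ed (still
# NEW) packets arriving from the outside never reached it.
#
if [ -n "$PHONE_IP" ] && [ "$WONDER_SHAPER" = "y" ] && [ -n "$RT10" ]
then
  if [ -n "$INTPORTS" ] && [ "$FORWARD_SIP" = "y" ]
  then
    echo "Enabling port forwarding for SIP INTPORTS setup in config"
    # INTPORTS is a whitespace separated list; word splitting is intended.
    for a in $INTPORTS
    do
      iptables -A PREROUTING -t nat -p UDP -d "${OUTSIDE_IP}" --dport "$a" -j DNAT --to "${PHONE_IP}:$a"
      iptables -I FORWARD -p UDP -d "${PHONE_IP}" --dport "$a" -o "${INSIDE_DEVICE}" -j ACCEPT
    done
  fi
  if [ -n "$LO_RTPPORT" ] && [ -n "$HI_RTPPORT" ] && [ "$FORWARD_RTP" = "y" ]
  then
    echo "Enabling port forwarding for RTP port range setup in config"
    iptables -A PREROUTING -t nat -p UDP -d "${OUTSIDE_IP}" --dport "${LO_RTPPORT}:${HI_RTPPORT}" -j DNAT --to "${PHONE_IP}:${LO_RTPPORT}-${HI_RTPPORT}"
    iptables -I FORWARD -p UDP -d "${PHONE_IP}" --dport "${LO_RTPPORT}:${HI_RTPPORT}" -o "${INSIDE_DEVICE}" -j ACCEPT
  fi
else
  echo "VOIP support disabled, PHONE_IP or RT10 not set or WONDER_SHAPER=n in config."
fi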
193
194#
195# Running extra scripts.
196#
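#
# Running extra scripts.
# Every regular file in /etc/firewall is executed as root and given this
# script's first argument; the directory must therefore be writable by
# root only.
#
for i in /etc/firewall/*
do
  if [ -f "$i" ]
  then
    # ${1:+"$1"} hands over $1 only when it is non-empty, like the old
    # unquoted $1 did, so a script that looks at $# sees the same thing;
    # unlike the unquoted form it stays one argument if it has spaces.
    sh "$i" ${1:+"$1"}
  fi
done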
204
205#
206# This will also help:
207# It does look weird but it is explained here:
208# http://lartc.org/howto/lartc.qdisc.classless.html
209#
210# The "240Kbit" rate should be set at "a tad less than the speed you have"
211# 240Kbit is for my 256Kbit "upload"-link.
212#
213# tc qdisc add dev $OUTSIDE_DEVICE root tbf rate 240kbit latency 50ms burst 1540
214
215# Or maybe you chose to use Wondershaper?
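# Or maybe you chose to use Wondershaper?
# (Quoted: an unset WONDER_SHAPER used to give "[" a syntax error; the
# else branch was still taken, but only by accident.)
if [ "$WONDER_SHAPER" = "y" ]
then
  /sbin/wshaper.htb
else
  #
  # And, some attempt to get interactive sessions a bit more interactive
  # under load: traffic *from* the ssh and ftp ports gets the
  # Minimize-Delay TOS.
  #
  iptables -A PREROUTING -t mangle -p tcp --sport ssh -j TOS --set-tos Minimize-Delay
  iptables -A PREROUTING -t mangle -p tcp --sport ftp -j TOS --set-tos Minimize-Delay
  # iptables -A PREROUTING -t mangle -p tcp --sport ftp-data -j TOS --set-tos Maximize-Throughput
fi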
229
230#
231# Finally, list what we have
232#
233#
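#
# Finally, list what we have.
# -n: numeric output, no reverse DNS lookups.  This runs while forwarding
# is still switched off and possibly before the link is up, and resolving
# every address in the listing can stall the boot for a long time.
#
iptables -L -n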
238
239#
240#  The insert stuff into the kernel (ipsysctl) - section:
241#
242# Some of these go under the "Better safe than sorry" - banner.
243#
244
245
246#
247# This enables dynamic IP address following
248#
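#
# This enables dynamic IP address following
#
echo 7 > /proc/sys/net/ipv4/ip_dynaddr

#
# trying to stop some smurf attacks.
#
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

#
# Don't accept source routed packets.
# "default" is set as well as "all", like the rp_filter and
# accept_redirects blocks below do, so interfaces that appear later
# (a ppp link coming up, for instance) inherit the setting.
#
echo "0" > /proc/sys/net/ipv4/conf/default/accept_source_route
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route

#
# Syncookies (if they are really needed any more?)
#
echo "1" > /proc/sys/net/ipv4/tcp_syncookies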
265
266#
267# We don't like IP spoofing,
268#
#
# We don't like IP spoofing: reverse path filtering on every interface.
#
rp_filter=/proc/sys/net/ipv4/conf/all/rp_filter
if [ -f "$rp_filter" ]
then
  # "default" is the template for interfaces created later, "all" covers
  # the existing ones.  Setting both is redundant for now but cheap, and
  # a reminder that the first one could move somewhere smarter.
  echo "1" > /proc/sys/net/ipv4/conf/default/rp_filter
  echo "1" > "$rp_filter"
else
  echo "Anti spoofing is not available, the author of this floppy spoofed, mail him."
fi
283
284#
285# nor ICMP redirect,
286#
287
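#
# nor ICMP redirect,
#
if [ -f /proc/sys/net/ipv4/conf/all/accept_redirects ]
then
  echo "0" > /proc/sys/net/ipv4/conf/default/accept_redirects
  echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
else
  # The message used to be a copy of the rp_filter one and talked about
  # anti spoofing, which is not what failed here.
  echo "Ignoring ICMP redirects is not available, the author of this floppy spoofed, mail him."
fi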
304
305#stop arp request from other interfaces
# stop arp request from other interfaces: arp_filter on every interface
# (the glob also covers the "all" and "default" entries).
for conf_dir in /proc/sys/net/ipv4/conf/*
do
  echo 1 > "${conf_dir}/arp_filter"
done


#
# Enable bad error message protection.
#
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
316
317# Maximum limit of ip_conntrack
318# This is RAM dependent so be careful with this.
319# The max, which is the value here, needs around 32M RAM to work properly.
320# echo "65535" > /proc/sys/net/ipv4/ip_conntrack_max
321
322# This is commented out and will be an option when we have a "LOG_STUFF"
323# config option.
324# /bin/echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
325
326# Ming-Ching Tiew <mingching.tiew@remove.this.redtone.com>
327# Made this one for me.
328
329# The amount to reserve is an option in config.
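# Grow ip_conntrack_max with the memory that is left after reserving
# RESERVE_MB megabytes, at per_con bytes per entry, capped at 65535.

# The amount to reserve is an option in config.
reserve=$(expr "$RESERVE_MB" \* 1048576)
# bytes per conntrack, should be kernel specific
per_con=328
curmax=$(cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max)
# Tenth whitespace-separated word of /proc/meminfo.  Two things fixed:
#  - it has to be written ${10}: in sh "$10" means "${1}0" (the first
#    word with a 0 appended), so the old expression never saw a byte count;
#  - "set --" runs in a subshell so this script's own positional
#    parameters (already handed to /etc/firewall/* above) stay intact.
# NOTE(review): what word 10 is depends on the kernel's /proc/meminfo
# layout (the 2.4-style "Mem:" line makes it the free-bytes column);
# confirm on the target kernel, newer layouts are in kB and differ.
free_bytes=$(set -- $(cat /proc/meminfo); printf '%s\n' "${10}")
incre=$(expr \( "$free_bytes" - "$reserve" \) / "$per_con")
new_max=$(expr "$curmax" + "$incre")
# expr prints nothing on a non-integer operand, so an empty new_max means
# one of the inputs above was unusable; don't write garbage to the kernel.
if [ -n "$new_max" ]
then
  [ "$new_max" -ge 65535 ] && new_max=65535
  echo "Setting ip_conntrack_max to $new_max"
  echo "$new_max" > /proc/sys/net/ipv4/netfilter/ip_conntrack_max
else
  echo "Could not compute ip_conntrack_max, leaving it at ${curmax:-the kernel default}."
fi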
340
#
# Rules set, we can enable forwarding in the kernel.  This is the last
# step on purpose: nothing is forwarded until the whole rule set is in.
#
echo "Enabling IP forwarding."

printf '1\n' > /proc/sys/net/ipv4/ip_forward
347