source: floppyfw/scripts/firewall.ini @ 58

Revision 58, 9.0 KB checked in by root, 8 years ago (diff)

Need to escape * in expr.

#!/bin/sh

# $Id: firewall.ini,v 1.6 2005/09/25 22:15:40 thomasez Exp $

#
# Firewall / NAT setup for the floppyfw box.
#
# Run at boot and again whenever the outside link changes, so everything in
# here has to be safe to repeat: forwarding is switched off first, the tables
# are flushed and rebuilt from scratch, and forwarding is switched back on at
# the very end of the file. The script's first argument, if any, is handed to
# the hook scripts in /etc/firewall/.
#

# If you want the box to just act as a router, uncomment the 2 lines below
# (that means no filtering and no NAT at all).
#echo 1 > /proc/sys/net/ipv4/ip_forward
#exit 0

#
# Firewall setup.
#

# Site configuration (presumably the FAKEIDENT, WONDER_SHAPER and RESERVE_MB
# options used below live here). It is sourced, i.e. executed as root.
. /etc/config


#
# Do you want to do port forwarding to an internal server?
# Set the server IP here and sort out the port stuff later in this file.
# (10.42.42.42 is only a placeholder; nothing is forwarded until the
# PREROUTING/FORWARD template lines further down are uncommented.)
#
SERVER_IP=10.42.42.42

#
# Stop forwarding while the rules are rebuilt (this script may be run during
# normal uptime, e.g. for a re-lease of DHCP or demand dialing / PPPoE).
# It is switched on again at the end of this file.
#
echo "0" > /proc/sys/net/ipv4/ip_forward

#
# Overriding the /etc/config and adding additional information:
# the INSIDE_* / OUTSIDE_* variables used by everything below.
#
. /etc/outside.info
. /etc/inside.info
33
34#
35# Brad suggested this:
36# And he suggested to check and maybe change the formatting.
37# We'll do that later.
38#
39echo "Starting firewall with the following config:"
40printf "\t\t   Inside\t\tOutside
41 Physical device:  %-15s\t%-15s
42  Logical device:  %-15s\t%-15s
43\t Network:  %-15s\t%-15s
44      IP Address:  %-15s\t%-15s
45\t Netmask:  %-15s\t%-15s
46       Broadcast:  %-15s\t%-15s
47\t Gateway:  %-15s\t%-15s\n"    $INSIDE_DEV             $OUTSIDE_DEV \
48                                $INSIDE_DEVICE          $OUTSIDE_DEVICE \
49                                $INSIDE_NETWORK         $OUTSIDE_NETWORK \
50                                $INSIDE_IP              $OUTSIDE_IP \
51                                $INSIDE_NETMASK         $OUTSIDE_NETMASK \
52                                $INSIDE_BROADCAST       $OUTSIDE_BROADCAST \
53                                "[None Set]"            $OUTSIDE_GATEWAY
54
55#
56# Flushing the chains.
57#
58
59iptables -F
60iptables -X
61iptables -Z
62for i in `cat /proc/net/ip_tables_names`
63  do 
64   iptables -F -t $i 
65   iptables -X -t $i 
66   iptables -Z -t $i 
67 done
68
69
70#
71# Policy for chains DROP everything
72#
73
74iptables -P INPUT DROP
75iptables -P OUTPUT DROP
76iptables -P FORWARD DROP
77
78#
79# SYN-Flooding protection
80# Looks good and nicked from a firewall script mentioned on floppyfw.something.
81# Didn't work that well..
82#
83iptables -N syn-flood
84iptables -A INPUT -i ${OUTSIDE_DEVICE} -p tcp --syn -j syn-flood
85iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
86iptables -A syn-flood -j DROP
87# Make sure NEW tcp connections are SYN packets
88iptables -A INPUT -i ${OUTSIDE_DEVICE} -p tcp ! --syn -m state --state NEW -j DROP 
89
90
91#
92# Good old masquerading.
93#
94iptables -t nat -A POSTROUTING -s ${INSIDE_NETWORK}/${INSIDE_NETMASK} -o ${OUTSIDE_DEVICE} -j MASQUERADE
95
96#
97# Forwarding outside ports to an internal server.
# This used to be the ipchains / ipmasqadm portfw command.
99#
100# SSH:
101
102#iptables -A PREROUTING -t nat -p tcp -d ${OUTSIDE_IP} --dport 22 -j DNAT --to ${SERVER_IP}:22
103#iptables -A FORWARD -p tcp -d ${SERVER_IP} --dport 22 -o ${INSIDE_DEVICE} -j ACCEPT
104
105
106# Web:
107#iptables -A PREROUTING -t nat -p tcp -d ${OUTSIDE_IP} --dport 80 -j DNAT --to ${SERVER_IP}:80
108#iptables -A FORWARD -p tcp -d ${SERVER_IP} --dport 80 -o ${INSIDE_DEVICE} -j ACCEPT
109# This rule helps the "I can't reach my web server from the inside" problem.
110#iptables -A POSTROUTING -t nat -p tcp -d ${SERVER_IP} --dport 80 -s ${INSIDE_NETWORK}/${INSIDE_NETMASK} -j SNAT --to ${OUTSIDE_IP}
111
# FTP (control connection only; for the data connections to pass through
# NAT the kernel's FTP conntrack/NAT helper generally has to be loaded as well):
113
114#iptables -A PREROUTING -t nat -p tcp -d ${OUTSIDE_IP} --dport 21 -j DNAT --to ${SERVER_IP}:21
115#iptables -A FORWARD -p tcp -d ${SERVER_IP} --dport 21 -o ${INSIDE_DEVICE} -j ACCEPT
116
117# SMTP (Internal mail server):
118#iptables -A PREROUTING -t nat -p tcp -d ${OUTSIDE_IP} --dport 25 -j DNAT --to ${SERVER_IP}:25
119#iptables -A FORWARD -p tcp -d ${SERVER_IP} --dport 25 -o ${INSIDE_DEVICE} -j ACCEPT
120# This rule helps the "I can't reach my server from the inside" problem.
121#iptables -A POSTROUTING -t nat -p tcp -d ${SERVER_IP} --dport 25 -s ${INSIDE_NETWORK}/${INSIDE_NETMASK} -j SNAT --to ${OUTSIDE_IP}
122
123#
124# Keep state and open up for outgoing connections.
125#
126iptables -A FORWARD -m state --state NEW -i ${INSIDE_DEVICE} -j ACCEPT
127iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
128iptables -A FORWARD -m state --state NEW,INVALID -i ${OUTSIDE_DEVICE} -j DROP
129
130#
131# This is mainly for PPPoE usage but it won't hurt anyway so we'll just
132# keep it here.
133#
134iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
135
136#
137# We don't like the NetBIOS and Samba leaking..
138#
139iptables -t nat -A PREROUTING -p TCP --dport 135:139 -j DROP
140iptables -t nat -A PREROUTING -p UDP --dport 137:139 -j DROP
141iptables -t nat -A PREROUTING -p TCP --dport 445 -j DROP
142iptables -t nat -A PREROUTING -p UDP --dport 445 -j DROP
143
144
145#
146# We would like to ask for names from our floppyfw box
147#
148iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
149iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
150
151# Ping and friends.
152iptables -A OUTPUT -p icmp -j ACCEPT # to both sides.
153iptables -A INPUT  -p icmp -j ACCEPT 
154
155# And also, DHCP, but we can basically accept anything from the inside.
156iptables -A INPUT -i ${INSIDE_DEVICE} -j ACCEPT
157iptables -A OUTPUT -o ${INSIDE_DEVICE} -j ACCEPT
158# And also accept talking to ourself.
159iptables -A INPUT -i lo -j ACCEPT
160
161#
162# If the user wants to have the fake identd running, the identd has to
163# be able to answer.
164#
165if [ ${FAKEIDENT} ] 
166then
167  iptables -A INPUT -p TCP --dport 113 -i ${OUTSIDE_DEVICE} -j ACCEPT
168else
169  iptables -A INPUT -p TCP --dport 113 -i ${OUTSIDE_DEVICE} -j REJECT --reject-with tcp-reset
170fi
171
172#
173# Running extra scripts.
174#
175for i in /etc/firewall/*
176 do
177  if [ -f $i ]
178   then
179    sh $i $1
180  fi
181done
182
183
184#
185# DMZ Stuff goes here:
186#
187
188if [ -f /etc/dmz.info ];
189then
190  echo "Setting up DMZ."
191  . /etc/dmz.info
192  iptables -N dmz
193  if [ "$DMZ_USE_NAT" = "y" ]
194   then
195    iptables -t nat -A POSTROUTING -s ${DMZ_NETWORK}/${DMZ_NETMASK} -o ${OUTSIDE_DEVICE} -j MASQUERADE
196  fi
197fi
198
199
200#
201# This will also help:
202# It does look weird but it is explained here:
203# http://lartc.org/howto/lartc.qdisc.classless.html
204#
205# The "240Kbit" rate should be set at "a tad less than the speedn you have"
206# 240Kbit is for my 256Kbit "upload"-link.
207#
208# tc qdisc add dev $OUTSIDE_DEVICE root tbf rate 240kbit latency 50ms burst 1540
209
210# Or maybe you chose to use Wondershaper?
211if [ $WONDER_SHAPER = "y" ]
212then
213  /sbin/wshaper.htb
214else
215  #
216  # And, some attempt to get interactive sesions a bit more interactive
217  # under load:
218  #
219  iptables -A PREROUTING -t mangle -p tcp --sport ssh  -j TOS --set-tos Minimize-Delay
220  iptables -A PREROUTING -t mangle -p tcp --sport ftp -j TOS --set-tos Minimize-Delay
221  # iptables -A PREROUTING -t mangle -p tcp --sport ftp-data -j TOS --set-tos Maximize-Throughput
222
223fi
224
225#
226# Finally, list what we have
227#
228#
229iptables -L
230
231# If broken DNS:
232#iptables -L -n
233
234#
235#  The insert stuff into the kernel (ipsysctl) - section:
236#
237# Some of there goes under the "Better safe than sorry" - banner.
238#
239
240
241#
242# This enables dynamic IP address following
243#
244echo 7 > /proc/sys/net/ipv4/ip_dynaddr
245
246#
247# trying to stop some smurf attacks.
248#
249echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
250
251#
252# Don't accept source routed packets.
253#
254/bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
255
256#
257# Syncookies (if they are really needed any more?)
258#
259echo "1" > /proc/sys/net/ipv4/tcp_syncookies
260
261#
262# We don't like IP spoofing,
263#
264if [ -f /proc/sys/net/ipv4/conf/all/rp_filter ] 
265 then
266  # These two are redundant but I'll kepp'em here for now.
267  # Will remind me that I can add the first one somewhere smart later.
268  echo "1" > /proc/sys/net/ipv4/conf/default/rp_filter
269  echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
270
271#   while read filter
272#    do
273#     echo "1" > $filter
274#   done < `find /proc/sys/net/ipv4/conf -name rp_filter -print`
275 else
276  echo "Anti spoofing is not available, the author of this floppy spoofed, mail him."
277fi
278
279#
280# nor ICMP redirect,
281#
282
283if [ -f /proc/sys/net/ipv4/conf/all/accept_redirects ] 
284 then
285  echo "0" > /proc/sys/net/ipv4/conf/default/accept_redirects
286  echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
287
288  # while read accr
289  #  do
290  #   echo -n "fil"
291  #   echo $accr
292  #   echo "fil2"
293  #   echo "0" > $accr
294  # done < `find /proc/sys/net/ipv4/conf -name accept_redirects -print`
295
296 else
297  echo "Anti spoofing is not available, the author of this floppy spoofed, mail him."
298fi
299
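# Stop ARP requests being answered from other interfaces: with arp_filter on,
# an interface only answers ARP for addresses the kernel would route out
# through it (see the kernel's ip-sysctl documentation), so inside and outside
# addresses do not get announced on the wrong link.
# Done for every entry under conf/ ("all" and "default" included); entries
# without the knob are skipped instead of producing a write error.
for conf in /proc/sys/net/ipv4/conf/*; do
  [ -f "$conf/arp_filter" ] || continue
  echo 1 > "$conf/arp_filter"
done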
305
306
307#
308# Enable bad error message protection.
309#
310/bin/echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses 
311
312# Maximum limit of ip_conntrack
313# This is RAM dependant so be careful with this.
314# The max, which is the valuehere, needs around 32M RAM to work properly.
315# echo "65535" > /proc/sys/net/ipv4/ip_conntrack_max
316
317# This is commented out and will be an option when we have a "LOG_STUFF"
318# config option.
319# /bin/echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
320
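# Ming-Ching Tiew <mingching.tiew@remove.this.redtone.com>
# Made this one for me.
#
# Grow ip_conntrack_max to fit the memory that is free right now: each
# conntrack entry costs about $per_con bytes, so whatever is free above the
# configured reserve (RESERVE_MB, in megabytes, from /etc/config) is turned
# into extra entries on top of the kernel's current maximum, capped at 65535.
#
# NOTE(review): the free-memory figure is word 10 of /proc/meminfo treated as
# bytes (the reserve is MB*1048576 and per_con is bytes); which word that is
# depends on the kernel's /proc/meminfo layout -- confirm on the target
# kernel. The old code wrote "$10", which every POSIX shell reads as "$1"
# followed by a literal 0, never as the tenth word, so the arithmetic always
# failed and an empty value was written to the knob.

#######################################
# Work out the new ip_conntrack_max.
# Arguments: $1 - current ip_conntrack_max
#            $2 - free memory, bytes
#            $3 - bytes to keep in reserve
#            $4 - bytes per conntrack entry (> 0)
# Outputs:   the new maximum on stdout, never above 65535
# Returns:   0, or 1 (printing nothing) when an argument is not a
#            non-negative whole number or $4 is zero, so a garbled read of
#            /proc never reaches the kernel knob.
#######################################
conntrack_new_max() {
  for ctm_arg in "$1" "$2" "$3" "$4"; do
    case "$ctm_arg" in
      ''|*[!0-9]*) return 1 ;;
    esac
  done
  [ "$4" -gt 0 ] || return 1
  # Same arithmetic as the old expr version, including truncation towards
  # zero and a result below the current value when less than the reserve
  # is free.
  ctm_new=$(( $1 + ($2 - $3) / $4 ))
  [ "$ctm_new" -ge 65535 ] && ctm_new=65535
  echo "$ctm_new"
}

# The amount to reserve is an option in config.
case "${RESERVE_MB}" in
  ''|*[!0-9]*) reserve= ;;
  *) reserve=$(( RESERVE_MB * 1048576 )) ;;
esac
#bytes per conntrack, should be kernel specific
per_con=328
curmax=$(cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max)
# Word 10 of /proc/meminfo, picked out in a subshell so the script's own
# positional parameters are left alone.
free_bytes=$(set -- $(cat /proc/meminfo); echo "${10}")
if new_max=$(conntrack_new_max "$curmax" "$free_bytes" "$reserve" "$per_con"); then
  echo "Setting ip_conntrack_max to $new_max"
  echo "$new_max" > /proc/sys/net/ipv4/netfilter/ip_conntrack_max
else
  echo "Leaving ip_conntrack_max alone: could not get sane memory/conntrack figures."
fi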
335
336#
337# Rules set, we can enable forwarding in the kernel.
338#
339echo "Enabling IP forwarding."
340
341echo "1" > /proc/sys/net/ipv4/ip_forward
342