
rc.walloffire-v0.1BETA.txt
Posted Sep 24, 2002
Authored by netric | Site netric.org

Netric Firewall Package - iptables release. This tool enables administrators to easily implement a solid firewall for iptables.

SHA-256 | 778c4cb9283f25febd472ac8a8118e5c4e02184aff15bd4e66752a4a5c7f29ec

#!/bin/bash

#--------------------------------------------------------------------------------
#////////////////////////////////////////////////////////////////////////////////
#--------------------------------------------------------------------------------
#
# NETRIC FIREWALL PACKAGE (iptables release)
#
#
#
#-------------------------------------------------------------------------------
# -
# Copyright (C) Netric Security (sacrine) -
# -
# This program is free software; you can redistribute it and/or -
# -
# modify it under the terms of the GNU General Public License -
# as published by the Free Software Foundation; either version 2 -
# of the License, or (at your option) any later version. -
# -
# This program is distributed in the hope that it will be useful, -
# but WITHOUT ANY WARRANTY; without even the implied warranty of -
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -
# GNU General Public License for more details. -
# -
# You should have received a copy of the GNU General Public License -
# along with this program; if not, write to the Free Software -
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. -
# -
#-------------------------------------------------------------------------------
# Netric Security - http://www.netric.org -
#-------------------------------------------------------------------------------
ADSL_IFACE="ppp0" # Your adsl interface
# Address currently configured on $ADSL_IFACE. The awk substr(...,6) drops the
# first five characters of the second field, presumably the "addr:" prefix of
# net-tools' "inet addr:x.x.x.x" line -- verify against your ifconfig output.
# Empty when the interface is down or ifconfig is missing.
# NOTE(review): ADSL_DYN is not read anywhere else in this script.
ADSL_DYN=$(/sbin/ifconfig "$ADSL_IFACE" 2>/dev/null \
  | grep inet | awk '{ printf("%s\n", substr($2,6)) }')

# Interfaces. check() refuses to start without EXT_IFACE; the INT_* ones are
# only reported as "not filled in". Of these, only EXT_IFACE is used by the
# rules below (forward() and filter()); LOC_IFACE appears solely in
# commented-out rules.
EXT_IFACE=""      # Your external interface
INT_IFACE=""      # Your internal interface
INT_IFACE2=""     # Your second internal interface
INT_IFACE3=""     # Your interface for your adsl connection
LOC_IFACE="lo"    # Your local interface
#------------------------------------------------------------------------------
# Addresses. EXT_IPADDR is mandatory (check() exits without it) and is the
# SNAT source in forward(); the remaining values are reported only.
EXT_IPADDR=""         # Your external ipaddr
INT_IPADDR=""         # Your internal ipaddr
INT_IPADDR1=""        # Your second internal ipaddr
INT_IPADDR2=""        # * Could be anything
INT_IPADDR3=""        # * Could be anything
ADSL_DYN_IPADDR=""    # Auto dynamic ipaddr detection
ADSL_IPADDR=""        # Your static ipaddr(like 10.0.0.130)
#------------------------------------------------------------------------------
# Networks, netmasks, broadcast addresses and DNS servers. check() reports
# EXT_NETWORK and NETMASK_EXT_IFACE; nothing below builds a rule from these.
EXT_NETWORK=""              # Your external network
INT_NETWORK=""              # Your internal network
INT_NETWORK2=""             # Your second internal network
INT_NETWORK3=""             # See INT_IPADDR(2,3)
NETMASK_EXT_IFACE=""        # Netmask external iface
NETMASK_INT_IFACE=""        # Netmask internal iface
NETMASK_INT_IFACE2=""       # Netmask second internal interface
NETMASK_INT_IFACE3=""       # See INT_NETWORK3
BROADCAST_EXT_IFACE=""      # Broadcast addr external interface
BROADCAST_INT_IFACE=""      # Broadcast addr internal interface
BROADCAST_INT_IFACE2=""     # Broadcast addr second internal interface
BROADCAST_INT_IFACE3=""     # See NETMASK_INT_IFACE3
NAMESERVER1=""              # First DNS server
NAMESERVER2=""              # Second DNS server
#------------------------------------------------------------------------------
# Port constants in iptables "low:high" range syntax and single ports.
# NOTE(review): none of these port variables is referenced by a rule in this
# script; they are kept for configuration completeness.
PRIV_PORTS="1:1024"          # No need to change this
UNPRIV_PORTS="1025:65535"    # ""
SSH_PORT="22"                # You probaly don't want to change this
POP_PORT="110"               # ""
DNS_PORT="53"                # ""
HTTP_PORT="80"               # ""
SMTP_PORT="25"               # ""
TELNET_PORT="23"             # ""
#------------------------------------------------------------------------------
IPTAB="/sbin/iptables"       # Place where your binary is located
START_THIS="N"               # This script needs "Y" to start
ROOT_UID="0"                 # No need to change this
#------------------------------------------------------------------------------
# FORWARD SECTION.
# If you define a forward server you have to define both a "to" server and a
# "from" server, and likewise a "to" port and a "from" port.
#
# like:
# FORWARD_SERVER_FROM1="195.xxx.xxx.x"
# FORWARD_SERVER_TO1="10.10.1.2"
# FORWARD_PORT_FROM1="22"
# FORWARD_PORT_TO1="2000"
#
# If Forward is set to "N", everything will be skipped.
# Use forwarding for a dmz or internal SMTP/POP3/... server.
#------------------------------------------------------------------------------
FORWARD="N"   # "Y" enables the forward slots below; anything else skips them

# Seven forward slots. forward() uses a slot only when all four of its values
# are filled in. NOTE(review): with the rules as written in forward(),
# FORWARD_SERVER_FROMn is only printed, never matched -- the DNAT keys on the
# external interface and FORWARD_PORT_FROMn alone.
#[ 1 ]-----------------------------------------------------------------------------
FORWARD_SERVER_FROM1=""
FORWARD_SERVER_TO1=""
FORWARD_PORT_FROM1=""
FORWARD_PORT_TO1=""
#[ 2 ]-----------------------------------------------------------------------------
FORWARD_SERVER_FROM2=""
FORWARD_SERVER_TO2=""
FORWARD_PORT_FROM2=""
FORWARD_PORT_TO2=""
#[ 3 ]-----------------------------------------------------------------------------
FORWARD_SERVER_FROM3=""
FORWARD_SERVER_TO3=""
FORWARD_PORT_FROM3=""
FORWARD_PORT_TO3=""
#[ 4 ]-----------------------------------------------------------------------------
FORWARD_SERVER_FROM4=""
FORWARD_SERVER_TO4=""
FORWARD_PORT_FROM4=""
FORWARD_PORT_TO4=""
#[ 5 ]-----------------------------------------------------------------------------
FORWARD_SERVER_FROM5=""
FORWARD_SERVER_TO5=""
FORWARD_PORT_FROM5=""
FORWARD_PORT_TO5=""
#[ 6 ]-----------------------------------------------------------------------------
FORWARD_SERVER_FROM6=""
FORWARD_SERVER_TO6=""
FORWARD_PORT_FROM6=""
FORWARD_PORT_TO6=""
#[ 7 ]-----------------------------------------------------------------------------
FORWARD_SERVER_FROM7=""
FORWARD_SERVER_TO7=""
FORWARD_PORT_FROM7=""
FORWARD_PORT_TO7=""
#----------------------------------------------------------------------------------

# Feature switches ("Y" enables). modcheck() loads a kernel module for
# MIRROR, REDIRECT, QUEUE, TCPMSS, LENGTH and MARK; REJECT is only reported by
# reject(); LOG and MASQ are not read anywhere in this script.
REDIRECT="N"
LOG="N"
REJECT="N"
MIRROR="N"
TCPMSS="N"
QUEUE="N"
MASQ="N"
LENGTH="N"
MARK="N"

#-------------------------------------------------------------------------------
# No need to change anything below this line unless you really know what you are doing -
#-------------------------------------------------------------------------------


# ANSI colour sequences for the status output. The "\033" is stored literally
# and only turned into an escape character when printf interprets it.
# NOTE(review): WHITE and GREY are defined but not used anywhere below.
RED="\033[1;31m"
GREEN="\033[1;32m"
END="\033[0m"
WHITE="\033[1;37m"
GREY="\033[1;36m"
banner() {
  # Print the title box and hand over to start. The script is a chain of
  # functions, each calling the next: banner -> start -> check -> modcheck ->
  # flushandset -> proc -> forward -> reject -> filter -> icmp -> mailfunct.
  local rule="____________________________________________________________________________________"
  clear
  printf '\n%s\n' "$rule"
  printf '%s\n' \
    "- -" \
    "- -" \
    "- Netric Firewall Script - iptables release -" \
    "- written by sacrine / sacrine@netric.org -" \
    "- URL: http://www.netric.org -" \
    "- -" \
    "- -" \
    "$rule"
  start
}

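start() {
  # Refuse to run unless the current UID equals ROOT_UID, print a short
  # environment summary and hand over to check.
  # Globals read: ROOT_UID UID GREEN END OSTYPE MACHTYPE
  # Exits 1 when not running as ROOT_UID.
  local kernel
  printf '\n%s\n' " starting firewall script.."
  printf '%s' " checking if you are logged in as root.. "
  if [ "$ROOT_UID" -ne "$UID" ]; then
    printf '%s\n' "NO"
    exit 1
  fi
  printf '%s\n' "OK"
  kernel=$(uname -r)
  printf '%s\n' " quick checks -> "
  # Colour codes go through %b so their \033 escapes are interpreted; the
  # values go through %s so a value is never parsed as a printf format
  # (the original expanded them straight into the format string).
  printf ' Software :%b %s %b \n' "$GREEN" "$OSTYPE" "$END"
  printf ' System.ver:%b %s %b \n' "$GREEN" "$MACHTYPE" "$END"
  printf ' Kernel.rel:%b %s%b \n' "$GREEN" "$kernel" "$END"
  printf '\n%s\n\n' "____________________________________________________________________________________"
  check
}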

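_check_value() {
  # Report whether one configuration value is filled in.
  # $1 label printed before the result, $2 the value, $3 "required" makes an
  # empty value fatal (prints "not found" and exits 1); otherwise an empty
  # value only prints "not filled in".
  local label=$1 value=$2 mode=${3:-optional}
  printf '%s' "$label: "
  if [ -n "$value" ]; then
    printf '%s\n' "found"
  elif [ "$mode" = "required" ]; then
    printf '%s\n' "not found"
    exit 1
  else
    printf '%s\n' "not filled in"
  fi
}

check() {
  # Verify that the iptables binary is executable and that the interface and
  # address settings at the top of the file are filled in (EXT_IFACE and
  # EXT_IPADDR are mandatory, the rest optional), refuse to continue when two
  # interface variables name the same device, then hand over to modcheck.
  # Globals read: IPTAB EXT_IFACE INT_IFACE INT_IFACE2 INT_IFACE3 EXT_IPADDR
  #               INT_IPADDR EXT_NETWORK NETMASK_EXT_IFACE
  # Exits 1 on any fatal finding.
  local -a ifaces=()
  local dev i j
  printf '%s\n' "+ checking for iptables..."
  if [ ! -x "$IPTAB" ]; then
    printf '%s\n' " NOT INSTALLED" \
      "We can't go any further.. iptables is not installed or not executable..I'm sorry :("
    exit 1
  fi
  printf '%s\n\n' " Iptables is found AND executable @ $IPTAB"
  printf '%s\n\n' "+ Checking if everything is filled in:"
  # Labels kept from the original; they stand for EXT_IFACE, INT_IFACE,
  # INT_IFACE2 and INT_IFACE3 in that order, whatever the real device names.
  _check_value "eth0" "$EXT_IFACE" required
  _check_value "eth1" "$INT_IFACE"
  _check_value "eth2" "$INT_IFACE2"
  _check_value "eth3" "$INT_IFACE3"
  _check_value "Extern ipaddr" "$EXT_IPADDR" required
  _check_value "Local ipaddr" "$INT_IPADDR"
  _check_value "Extern network" "$EXT_NETWORK"
  # The original tested $NETMASK, which no configuration line defines, so this
  # check always printed "not filled in"; NETMASK_EXT_IFACE is the variable
  # the configuration block actually provides.
  _check_value "Extern netmask" "$NETMASK_EXT_IFACE"
  echo
  printf '%s\n' "+ Checking IFACE config"
  # Every interface that is filled in must be distinct. The original only
  # compared INT_IFACE with EXT_IFACE (and checked nothing when INT_IFACE
  # was empty).
  for dev in "$EXT_IFACE" "$INT_IFACE" "$INT_IFACE2" "$INT_IFACE3"; do
    [ -n "$dev" ] && ifaces+=("$dev")
  done
  for ((i = 0; i < ${#ifaces[@]}; i++)); do
    for ((j = i + 1; j < ${#ifaces[@]}; j++)); do
      if [ "${ifaces[i]}" = "${ifaces[j]}" ]; then
        printf '%s\n' "You can't define 2 or more the same interfaces!"
        exit 1
      fi
    done
  done
  printf '%s\n' "Ok, your external and internal interfaces are not the same.."
  modcheck
}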

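_modcheck_list() {
  # List the module objects in directory $1 with a glob (no ls parsing).
  local f
  for f in "$1"/*; do
    [ -e "$f" ] || continue
    printf '%s\n' " found -> ${f##*/}"
  done
}

_modcheck_insmod() {
  # insmod "$2.o" from directory $1, appending stderr to $ERR_LOG and stdout
  # to MODULE.log. The original redirected with ">" for every module, so each
  # error overwrote the previous one and the log only ever held the last.
  printf '%s\n%s' " - $2" " "
  /sbin/insmod "$1/$2.o" 2>>"$ERR_LOG" >>MODULE.log
}

_modcheck_optional() {
  # Load the modules for one optional feature. $1 is the switch value (Y or y
  # enables it), $2 the label used in messages, $3 the module directory and
  # $4.. the module names; each is first modprobed and then insmod'ed, as the
  # original did.
  local switch=$1 label=$2 dir=$3 mod
  shift 3
  case "$switch" in
    Y|y)
      printf ' %s is set to\t\t\t(%b Y %b) \n' "$label" "$GREEN" "$END"
      for mod in "$@"; do
        printf '%s\n' " modprobing for $mod.o"
        /sbin/modprobe "$mod" 2>>"$ERR_LOG"
        _modcheck_insmod "$dir" "$mod"
      done
      ;;
    *)
      printf '%s\n' " $label is set to (N) -> skipping"
      ;;
  esac
}

modcheck() {
  # Load the netfilter kernel modules the rules depend on: ip_tables, the
  # seven always-needed modules, then those selected by the MIRROR, REDIRECT,
  # QUEUE, TCPMSS, LENGTH and MARK switches. Hands over to flushandset.
  #
  # Globals read : RED GREEN END MIRROR REDIRECT QUEUE TCPMSS LENGTH MARK
  # Globals set  : ERR_LOG -- path of the modprobe/insmod error log
  # Files written: $ERR_LOG and MODULE.log, both relative to the current
  #                directory. NOTE(review): run the script from a directory
  #                only root can write to; it does not pick a safe location.
  # The module paths are 2.4-era "*.o" objects under /lib/modules; on a
  # kernel that ships only *.ko files just the modprobe calls can succeed.
  local dir mod line
  dir="/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter"
  # ERR_LOG must exist before the first insmod below; the original assigned it
  # afterwards and so sent the ip_tables.o error to a file literally named
  # "ERR_LOG". Both logs start empty for this run; the helpers append.
  ERR_LOG="modprobe_error.log"
  : >"$ERR_LOG"
  printf '%s\n' "NEEDED MODULES: " >MODULE.log

  printf '\n%s\n' "Starting with the kernel module check"
  printf '%s\n' " + Checking for iptables kernel modules(!!IMPORTANT!!):"
  if [ -f "$dir/ip_tables.o" ]; then
    printf '%s\n\n' "Ok ip_tables.o found, now doing some \"modprobing\".."
    /sbin/insmod "$dir/ip_tables.o" 2>>"$ERR_LOG"
    printf '%s\n' "[Modchecking]: "
  else
    echo
    printf '%b %s %b\n' "$RED" "____________________________________________________________________________________" "$END"
    printf '%b %s %b\n' "$RED" "/ \\" "$END"
    for line in \
      "ip_tables.o (module) not found.. bad news darling :/" \
      "One reason could be that you compiled a new kernel," \
      "and you compiled it directly into your kernel and not as a module." \
      "If you did that, there is no problem ofcourse :), if not..this script will fail.."; do
      printf '%b | %b %s %b|%b\n' "$RED" "$END" "$line" "$RED" "$END"
    done
    printf '%b %s %b\n' "$RED" "\\____________________________________________________________________________________/" "$END"
    echo
  fi
  _modcheck_list "$dir"

  printf '\n%s\n%s\n%s\n\n' \
    "---------------------------------------------------------------" \
    " now calculating which modules are needed.." \
    "---------------------------------------------------------------"
  printf '%s\n%s\n\n' \
    " If this script failes, you might want to take a look at $ERR_LOG" \
    " If something was wrong during the modprobing, it will be there."
  for mod in ipt_REJECT ip_conntrack ipt_LOG iptable_nat ipt_MASQUERADE iptable_filter ipt_state; do
    _modcheck_insmod "$dir" "$mod"
  done
  printf '\n%s\n%s\n%s\n%s\n%s\n\n' \
    "--------------------------------------------------------------" \
    " Checking for other modules that are needed.." \
    "--------------------------------------------------------------" \
    " Full stdout is written in MODULE.log" \
    " You can check it later."
  printf '%s\n' " OTHER MODULES: " >>MODULE.log

  _modcheck_optional "$MIRROR"   "Mirroring"   "$dir" ipt_MIRROR
  _modcheck_optional "$REDIRECT" "Redirecting" "$dir" ipt_REDIRECT
  _modcheck_optional "$QUEUE"    "Queue"       "$dir" ip_queue
  _modcheck_optional "$TCPMSS"   "TCPMSS"      "$dir" ipt_TCPMSS
  _modcheck_optional "$LENGTH"   "Length"      "$dir" ipt_length
  # MARK needs both the ipt_mark match and the ipt_MARK target; the original
  # appended the first one's insmod output to a file misspelt "MODULE_log".
  _modcheck_optional "$MARK"     "MARK"        "$dir" ipt_mark ipt_MARK

  printf '\n%s\n%s\n%s\n\n' \
    "--------------------------------------------------------------" \
    " Modcheck function succesfully ended." \
    "--------------------------------------------------------------"
  flushandset
}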

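_fw_must() {
  # Run one iptables invocation and abort the script when it fails: a failed
  # flush would leave stale rules in place while the rest of the script keeps
  # appending new ones on top of them.
  if ! "$@"; then
    printf '%s\n' "FATAL: command failed: $*" >&2
    exit 1
  fi
}

flushandset() {
  # Wipe every rule and user-defined chain in the filter and nat tables,
  # create the user chains later functions jump to, then hand over to proc.
  # Globals read: IPTAB
  #
  # NOTE(review): no default policy (-P) is set anywhere in this script, so
  # the built-in chains keep whatever policy the kernel already had -- ACCEPT
  # on a fresh boot. Traffic that no rule matches in INPUT/FORWARD/OUTPUT is
  # therefore accepted, and the mangle table is not flushed at all.
  local chain
  printf '%s' "Now flushing all previous firewall rules: "
  # "-F"/"-X" without -t act on the filter table, and "-F" already covers
  # INPUT/OUTPUT/FORWARD, so the original's duplicate calls are folded here.
  _fw_must "$IPTAB" -t filter -F
  "$IPTAB" -t filter -X
  _fw_must "$IPTAB" -t nat -F
  "$IPTAB" -t nat -X
  printf '%s\n' "done"
  printf '%s' "creating new (needed) chains: "
  # stderr is silenced, as in the original, for the case where a chain
  # survived -X (e.g. still referenced) and --new reports it as existing.
  for chain in ICMP LOCAL WATCH LOGDROP FLOOD; do
    "$IPTAB" --new "$chain" 2>/dev/null
    printf '%s' "$chain"
    [ "$chain" = FLOOD ] || printf '%s' ", "
  done
  printf '\n\n'
  proc
}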
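_proc_write() {
  # Write value $3 to "$1/$2" and report the outcome. $4 is the label shown
  # before the result (defaults to "<key> set to (<value>)").
  # Returns 1 when the entry is missing or not writable (not root, or a kernel
  # without that tunable) instead of printing "done" regardless, as the
  # original did.
  local base=$1 key=$2 value=$3 label=${4:-"$2 set to ($3)"}
  printf '%s' "$label: "
  if printf '%s\n' "$value" >"$base/$key" 2>/dev/null; then
    printf '%s\n' "done"
  else
    printf '%s\n' "FAILED (cannot write $base/$key)"
    return 1
  fi
}

proc() {
  # Kernel IPv4 tunables set before any rule is loaded, then hand over to
  # forward. The sysctl directory defaults to /proc/sys/net/ipv4 and can be
  # overridden through PROC_IPV4_DIR (for testing; leave unset in production).
  local base=${PROC_IPV4_DIR:-/proc/sys/net/ipv4}
  _proc_write "$base" ip_forward 1 "ip_forward set to (1) .. WE NEED IT!"
  # Dynamic IP users. The original printed "ip_dynaddr set to (1)" but wrote
  # the 1 into icmp_echo_ignore_all -- silencing every echo request on the
  # host and leaving ip_dynaddr untouched. The write now goes where the
  # message says.
  _proc_write "$base" ip_dynaddr 1
  _proc_write "$base" icmp_echo_ignore_broadcasts 1
  _proc_write "$base" conf/all/accept_redirects 0 "accept_redirects set to (0)"
  _proc_write "$base" conf/all/accept_source_route 0 "accept_source_route set to (0)"
  _proc_write "$base" conf/all/log_martians 1 "log_martians set to (1)"
  forward
}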
report() {
  # Placeholder: prints its own name, nothing else is implemented yet.
  printf '%s\n' "report"
}

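_forward_rules() {
  # Apply the rules for one forward slot: $1 the "from" address
  # (FORWARD_SERVER_FROMn), $2 the internal server, $3 the public port, $4 the
  # port on the internal server. These are the three rules slots 2-7 of the
  # original used; slot 1 had its DNAT commented out, so "forwarding" slot 1
  # never actually forwarded anything.
  # Globals read: IPTAB EXT_IFACE
  #
  # NOTE(review): $1 is only printed. The DNAT matches any packet arriving on
  # $EXT_IFACE for --dport $3, the INPUT ACCEPT opens port $3 on the firewall
  # host itself on every interface, and the FORWARD ACCEPT is not restricted
  # to -d $2. Add -d matches where the deployment allows it.
  local from=$1 to=$2 pfrom=$3 pto=$4
  printf '%s' "forwarding: $from to $to: "
  "$IPTAB" -A FORWARD -p tcp --dport "$pfrom" -i "$EXT_IFACE" -j ACCEPT
  "$IPTAB" -A INPUT -p tcp --dport "$pfrom" -j ACCEPT
  "$IPTAB" -t nat -A PREROUTING -p tcp -i "$EXT_IFACE" --dport "$pfrom" \
    -j DNAT --to-destination "$to:$pto"
  printf '%s\n' "done"
}

forward() {
  # Port forwarding for up to seven FORWARD_*n slots, gated by FORWARD (Y/y
  # enables, N/n skips, anything else skips with a warning). Hands over to
  # reject.
  # Globals read: FORWARD IPTAB EXT_IFACE EXT_IPADDR and, for n = 1..7,
  #               FORWARD_SERVER_FROMn FORWARD_SERVER_TOn
  #               FORWARD_PORT_FROMn FORWARD_PORT_TOn
  local forward_err="mmm.. something is missing in your forward configuration, check it!!"
  local n from to pfrom pto
  case "$FORWARD" in
    Y|y)
      printf '%s\n' "Forwarding is set to (Y) ... checking your forward configuration"
      # Slot 1 also carries the connection-tracking and SNAT rules, exactly as
      # in the original: they are installed only when slot 1 is complete.
      if [ -n "$FORWARD_SERVER_FROM1" ] && [ -n "$FORWARD_SERVER_TO1" ] &&
         [ -n "$FORWARD_PORT_FROM1" ] && [ -n "$FORWARD_PORT_TO1" ]; then
        "$IPTAB" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
        "$IPTAB" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
        "$IPTAB" -t nat -A POSTROUTING -o "$EXT_IFACE" -j SNAT --to-source "$EXT_IPADDR"
        _forward_rules "$FORWARD_SERVER_FROM1" "$FORWARD_SERVER_TO1" \
          "$FORWARD_PORT_FROM1" "$FORWARD_PORT_TO1"
      else
        printf '%s\n' "$forward_err"
      fi
      echo
      # Slots 2..7 are resolved by name so the seven copies of the original
      # collapse into one loop. The original's slot 7 had the rules in its
      # "not set" branch: it ran iptables with empty values when the slot was
      # unconfigured and did nothing when it was configured.
      for n in 2 3 4 5 6 7; do
        from="FORWARD_SERVER_FROM$n" to="FORWARD_SERVER_TO$n"
        pfrom="FORWARD_PORT_FROM$n" pto="FORWARD_PORT_TO$n"
        printf '%s' "Checking (possible) next server to forward: "
        if [ -n "${!from}" ] && [ -n "${!to}" ] && [ -n "${!pfrom}" ] && [ -n "${!pto}" ]; then
          echo
          _forward_rules "${!from}" "${!to}" "${!pfrom}" "${!pto}"
        else
          printf '%s\n' "not set"
        fi
      done
      ;;
    N|n)
      printf '%s\n' "Forwarding is set to (N) ... skipping"
      ;;
    *)
      printf '%s\n' "unknown choice.. skipping by default"
      ;;
  esac
  reject
}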
reject() {
  # Only reports the REJECT switch; no rule is built from it. Then hand over
  # to filter.
  # Globals read: REJECT
  case "$REJECT" in
    Y|y) printf '%s\n' "REJECT is set to (Y) ... checking configuration" ;;
    N|n) printf '%s\n' "REJECT is set to (N) ... skipping" ;;
    *)   printf '%s\n\n' "unknown choice for REJECT .. skipping by default" ;;
  esac
  filter
}
filter() {
echo "+ Starting with the packetfiltering rules";
echo "now set of logging prefixes: ";
echo -n "TCP DROP : ";
$IPTAB -A LOGDROP --proto tcp -j LOG --log-level info \
--log-prefix "Dropped TCP packets "
echo "done";
echo -n "UDP DROP : ";
$IPTAB -A LOGDROP --proto udp -j LOG --log-level info \
--log-prefix "Dropped UDP packets "
echo "done";
echo -n "ICMP DROP: ";
$IPTAB -A LOGDROP --proto icmp -j LOG --log-level info \
--log-prefix "Dropped ICMP packets "
echo "done";
echo -n "GRE DROP : ";
$IPTAB -A LOGDROP --proto gre -j LOG --log-level info \
--log-prefix "Dropped GRE packets "
echo "done";
echo -n "FRAG DROP: ";
$IPTAB -A LOGDROP -f -j LOG --log-level emerg \
--log-prefix "Drop FRAG "
echo "done";
echo -n "Dropping LOGDROP: ";
#$IPTAB -A LOGDROP -j DROP
echo "done";
echo;
echo "Adding prefix for new monitoring chain(accepted connections/packets)";
$IPTAB -A WATCH -m limit -j LOG --log-level warn --log-prefix "Watched accept "
$IPTAB -A WATCH -j ACCEPT
echo -n "SYN-flood protection: ";
$IPTAB -A INPUT -i $EXT_IFACE -p tcp --syn -j FLOOD
$IPTAB -A FLOOD -m limit --limit 1/s --limit-burst 4 -j RETURN
$IPTAB -A FLOOD -j DROP
echo "added";
echo;
icmp;
}
icmp() {
  # Send all ICMP from INPUT through the ICMP chain and decide per type:
  # ACCEPT, WATCH (rate-limited log, then accept) or LOGDROP. Everything not
  # listed falls through to LOGDROP. Then hand over to mailfunct.
  # Be careful what you choose, some can cause other things not to work.
  # Globals read: IPTAB
  #
  # NOTE(review): fragmentation-needed goes to LOGDROP, which defeats path-MTU
  # discovery (connections across a smaller-MTU link stall); echo-request goes
  # to WATCH, i.e. it is accepted after logging.
  local type target
  printf '%s' "now taking care of icmp: "
  "$IPTAB" -A INPUT --proto icmp -j ICMP
  # One "<icmp-type> <target>" pair per line, applied in this order.
  while read -r type target; do
    "$IPTAB" -A ICMP -p icmp --icmp-type "$type" -j "$target"
  done <<'EOF'
echo-reply ACCEPT
destination-unreachable WATCH
network-unreachable WATCH
host-unreachable WATCH
protocol-unreachable WATCH
port-unreachable ACCEPT
fragmentation-needed LOGDROP
source-route-failed WATCH
network-unknown WATCH
host-unknown WATCH
network-prohibited WATCH
host-prohibited WATCH
TOS-network-unreachable WATCH
TOS-host-unreachable WATCH
communication-prohibited WATCH
host-precedence-violation LOGDROP
precedence-cutoff LOGDROP
source-quench LOGDROP
redirect LOGDROP
network-redirect LOGDROP
host-redirect LOGDROP
TOS-network-redirect LOGDROP
TOS-host-redirect LOGDROP
echo-request WATCH
router-advertisement LOGDROP
router-solicitation LOGDROP
time-exceeded WATCH
ttl-zero-during-transit WATCH
ttl-zero-during-reassembly WATCH
parameter-problem WATCH
ip-header-bad WATCH
required-option-missing WATCH
timestamp-request LOGDROP
timestamp-reply LOGDROP
address-mask-request LOGDROP
address-mask-reply LOGDROP
EOF
  # Catch-all for any ICMP type not handled above.
  "$IPTAB" -A ICMP -p icmp -j LOGDROP
  printf '%s\n' "done"
  mailfunct
}
drop() {
  # Placeholder: prints "deny", no rule is built here yet.
  printf '%s\n' "deny"
}
mirror() {
  # Placeholder: prints its own name, no rule is built here yet.
  printf '%s\n' "mirror"
}
log() {
  # Placeholder: prints its own name, no rule is built here yet.
  printf '%s\n' "log"
}
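mailfunct() {
  # Mail the loaded rule set to <user>@<hostname> through /bin/mail.
  # Globals read: IPTAB
  # Returns 1 (without sending) when /bin/mail is not executable.
  # NOTE(review): the mail carries the complete firewall configuration in
  # clear text; make sure local delivery is what you expect.
  local recipient
  recipient="$(whoami)@$(hostname)"
  printf '%s' "Now sending you an email with the current firewall rules.."
  if [ ! -x /bin/mail ]; then
    printf '%s\n' "skipped: /bin/mail is not available" >&2
    return 1
  fi
  # -n prints addresses and ports numerically; without it "iptables -L"
  # resolves every entry through DNS and can hang when name resolution is
  # not reachable -- likely right after the rules were rewritten.
  if "$IPTAB" -L -n | /bin/mail -s "FIREWALL REPORT: " "$recipient"; then
    printf '%s\n\n' "mail send"
  else
    printf '%s\n\n' "mail NOT sent, see errors above" >&2
  fi
}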

banner;
