#!/bin/bash
#--------------------------------------------------------------------------------
#////////////////////////////////////////////////////////////////////////////////
#--------------------------------------------------------------------------------
#
# NETRIC FIREWALL PACKAGE (iptables release)
#
#
#
#-------------------------------------------------------------------------------
#                                                                              -
# Copyright (C) Netric Security (sacrine)                                      -
#                                                                              -
# This program is free software; you can redistribute it and/or               -
#                                                                              -
# modify it under the terms of the GNU General Public License                 -
# as published by the Free Software Foundation; either version 2              -
# of the License, or (at your option) any later version.                      -
#                                                                              -
# This program is distributed in the hope that it will be useful,             -
# but WITHOUT ANY WARRANTY; without even the implied warranty of              -
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               -
# GNU General Public License for more details.                                -
#                                                                              -
# You should have received a copy of the GNU General Public License           -
# along with this program; if not, write to the Free Software                 -
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.   -
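#                                                                              -
#-------------------------------------------------------------------------------
# Netric Security - http://www.netric.org                                      -
#-------------------------------------------------------------------------------
# Interface configuration. Leave a value empty when that interface does not
# exist; check() reports which of the required values are missing.
ADSL_IFACE="ppp0"                 # Your adsl interface
# Address currently bound to ADSL_IFACE, or empty when the interface is down or
# ifconfig is not available. Handles both the old net-tools layout
# ("inet addr:1.2.3.4") and the newer one ("inet 1.2.3.4"); the "inet6" line
# does not match "inet " and is skipped.
# NOTE(review): nothing else in this script reads ADSL_DYN; presumably it was
# meant to fill ADSL_DYN_IPADDR below - confirm before relying on either.
ADSL_DYN=$(/sbin/ifconfig "$ADSL_IFACE" 2>/dev/null \
  | awk '/inet / { sub(/^addr:/, "", $2); print $2 }')
EXT_IFACE=""                      # Your external interface (required)
INT_IFACE=""                      # Your internal interface
INT_IFACE2=""                     # Your second internal interface
INT_IFACE3=""                     # Your interface for your adsl connection
LOC_IFACE="lo"                    # Your local interface
#------------------------------------------------------------------------------
EXT_IPADDR=""                     # Your external ipaddr (required)
INT_IPADDR=""                     # Your internal ipaddr
INT_IPADDR1=""                    # Your second internal ipaddr
INT_IPADDR2=""                    # * Could be anything
INT_IPADDR3=""                    # * Could be anything
ADSL_DYN_IPADDR=""                # Auto dynamic ipaddr detection
ADSL_IPADDR=""                    # Your static ipaddr(like 10.0.0.130)
#------------------------------------------------------------------------------
EXT_NETWORK=""                    # Your external network
INT_NETWORK=""                    # Your internal network
INT_NETWORK2=""                   # Your second internal network
INT_NETWORK3=""                   # See INT_IPADDR(2,3)
NETMASK_EXT_IFACE=""              # Netmask external iface
NETMASK_INT_IFACE=""              # Netmask internal iface
NETMASK_INT_IFACE2=""             # Netmask second internal interface
NETMASK_INT_IFACE3=""             # See INT_NETWORK3
BROADCAST_EXT_IFACE=""            # Broadcast addr external interface
BROADCAST_INT_IFACE=""            # Broadcast addr internal interface
BROADCAST_INT_IFACE2=""           # Broadcast addr second internal interface
BROADCAST_INT_IFACE3=""           # See NETMASK_INT_IFACE3
NAMESERVER1=""                    # First DNS server
NAMESERVER2=""                    # Second DNS server
#------------------------------------------------------------------------------
# Port constants. The two ranges use the iptables "low:high" syntax.
# NOTE(review): none of these constants is referenced by the rules this script
# installs; in particular no rule accepts SSH_PORT, so remote administration
# depends entirely on the INPUT chain's default policy.
PRIV_PORTS="1:1024"               # No need to change this
UNPRIV_PORTS="1025:65535"         # ""
SSH_PORT=22                       # You probaly don't want to change this
POP_PORT=110                      # ""
DNS_PORT=53                       # ""
HTTP_PORT=80                      # ""
SMTP_PORT=25                      # ""
TELNET_PORT=23                    # ""
#------------------------------------------------------------------------------
IPTAB="/sbin/iptables"            # Place where your binary is located
START_THIS="N"                    # This script needs "Y" to start
ROOT_UID=0                        # No need to change this
#------------------------------------------------------------------------------
# FORWARD SECTION.
# If you define a forwardserver you have to define a
# "to" server and a "from" server. And a forwardport "to" and "from" also.
#
# like:
# FORWARD_SERVER_FROM1="195.xxx.xxx.x"
# FORWARD_SERVER_TO1="10.10.1.2"
# FORWARD_PORT_FROM1="22"
# FORWARD_PORT_TO1="2000"
#
# If Forward is set to "N", everything will be skipped.
# Use forwarding for a dmz or internal SMTP/POP3/... server.
# All four values of an entry must be filled in for that entry to be used.
#------------------------------------------------------------------------------
FORWARD="N"
#[ 1 ]-----------------------------------------------------------------------------
FORWARD_SERVER_FROM1=""
FORWARD_SERVER_TO1=""
FORWARD_PORT_FROM1=""
FORWARD_PORT_TO1=""
#[ 2 ]-----------------------------------------------------------------------------
FORWARD_SERVER_FROM2=""
FORWARD_SERVER_TO2=""
FORWARD_PORT_FROM2=""
FORWARD_PORT_TO2=""
#[ 3 ]-----------------------------------------------------------------------------
FORWARD_SERVER_FROM3=""
FORWARD_SERVER_TO3=""
FORWARD_PORT_FROM3=""
FORWARD_PORT_TO3=""
#[ 4 ]-----------------------------------------------------------------------------
FORWARD_SERVER_FROM4=""
FORWARD_SERVER_TO4=""
FORWARD_PORT_FROM4=""
FORWARD_PORT_TO4=""
#[ 5 ]-----------------------------------------------------------------------------
FORWARD_SERVER_FROM5=""
FORWARD_SERVER_TO5=""
FORWARD_PORT_FROM5=""
FORWARD_PORT_TO5=""
#[ 6 ]-----------------------------------------------------------------------------
FORWARD_SERVER_FROM6=""
FORWARD_SERVER_TO6=""
FORWARD_PORT_FROM6=""
FORWARD_PORT_TO6=""
#[ 7 ]-----------------------------------------------------------------------------
FORWARD_SERVER_FROM7=""
FORWARD_SERVER_TO7=""
FORWARD_PORT_FROM7=""
FORWARD_PORT_TO7=""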
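#----------------------------------------------------------------------------------
# Optional feature switches: "Y"/"y" enables, anything else disables.
# MIRROR, REDIRECT, QUEUE, TCPMSS, LENGTH and MARK select extra kernel modules
# in modcheck(); REJECT only changes a message in reject(); LOG and MASQ are
# not read anywhere in this script.
REDIRECT="N"
LOG="N"
REJECT="N"
MIRROR="N"
TCPMSS="N"
QUEUE="N"
MASQ="N"
LENGTH="N"
MARK="N"
#-------------------------------------------------------------------------------
# No Need to change something here, or you really know what you are doing    -
#-------------------------------------------------------------------------------
# ANSI colour escapes; printed through printf '%b' so the \033 gets expanded.
RED="\033[1;31m"
GREEN="\033[1;32m"
END="\033[0m"
WHITE="\033[1;37m"
GREY="\033[1;36m"

# Log files written by modcheck(). NOTE(review): both are relative paths, so
# they are created by root in whatever directory the script is started from;
# start it from a directory only root can write to.
ERR_LOG="modprobe_error.log"
MODULE_LOG="MODULE.log"

# Directory the netfilter modules are loaded from with insmod. The names used
# below carry the 2.4-era ".o" suffix; 2.6+ kernels ship ".ko" files, so there
# the insmod calls fail (recorded in $ERR_LOG) and only the modprobe calls in
# load_optional_module() actually load anything.
NETFILTER_DIR="/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter"

#######################################
# Test a feature switch.
# Arguments: $1 - switch value
# Returns:   0 when the value is "Y" or "y", 1 otherwise
#######################################
is_yes() {
  [[ "$1" == "Y" || "$1" == "y" ]]
}

#######################################
# Clear the screen, print the banner and hand over to start().
# Every step of the script calls the next one, so the whole run is one chain:
# banner -> start -> check -> modcheck -> flushandset -> proc -> forward
#        -> reject -> filter -> icmp -> mailfunct
#######################################
banner() {
  clear
  echo
  echo "____________________________________________________________________________________"
  echo "-                                                                                  -"
  echo "-                                                                                  -"
  echo "-             Netric Firewall Script - iptables release                            -"
  echo "-             written by sacrine / sacrine@netric.org                              -"
  echo "-             URL: http://www.netric.org                                           -"
  echo "-                                                                                  -"
  echo "-                                                                                  -"
  echo "____________________________________________________________________________________"
  start
}

#######################################
# Refuse to run as a non-root user, print a few system facts, then call check().
# Globals:   ROOT_UID, UID (bash builtin), OSTYPE, MACHTYPE, GREEN, END
# Returns:   exits 1 when not running as ROOT_UID
#######################################
start() {
  echo
  echo " starting firewall script.."
  echo -n " checking if you are logged in as root.. "
  if [[ "$UID" -ne "$ROOT_UID" ]]; then
    echo "NO"
    exit 1
  fi
  echo "OK"
  echo " quick checks -> "
  printf '%b\n' " Software :${GREEN} ${OSTYPE} ${END} "
  printf '%b\n' " System.ver:${GREEN} ${MACHTYPE} ${END} "
  printf '%b\n' " Kernel.rel:${GREEN} $(uname -r)${END} "
  echo
  printf '%s\n' "____________________________________________________________________________________"
  echo
  check
}

#######################################
# Report whether one configuration value is filled in.
# Arguments: $1 - label shown to the user
#            $2 - value to inspect
#            $3 - "required" to abort when the value is empty (default: optional)
# Outputs:   "<label>: found" / "not found" / "not filled in" on stdout
# Returns:   exits 1 when a required value is empty
#######################################
report_setting() {
  local label=$1 value=$2 mode=${3:-optional}
  echo -n "${label}: "
  if [[ -n "$value" ]]; then
    echo "found"
  elif [[ "$mode" == "required" ]]; then
    echo "not found"
    exit 1
  else
    echo "not filled in"
  fi
}

#######################################
# Verify the iptables binary, the mandatory settings and that no interface name
# is configured twice, then call modcheck().
# Globals:   IPTAB, EXT_IFACE, INT_IFACE, INT_IFACE2, INT_IFACE3, EXT_IPADDR,
#            INT_IPADDR, EXT_NETWORK, NETMASK_EXT_IFACE
# Returns:   exits 1 when iptables is not executable, a required value is
#            empty, or two interface variables name the same device
#######################################
check() {
  local dev seen
  local -a ifaces=()
  local err="You can't define 2 or more the same interfaces!"

  printf '%s\n' "+ checking for iptables..."
  if [[ ! -x "$IPTAB" ]]; then
    echo " NOT INSTALLED"
    echo "We can't go any further.. iptables is not installed or not executable..I'm sorry :("
    exit 1
  fi
  echo " Iptables is found AND executable @ $IPTAB"
  echo

  printf '%s\n' "+ Checking if everything is filled in:"
  echo
  # The eth0..eth3 labels are display names only; the values checked are the
  # EXT_IFACE / INT_IFACE* variables from the configuration section.
  report_setting "eth0" "$EXT_IFACE" required
  report_setting "eth1" "$INT_IFACE"
  report_setting "eth2" "$INT_IFACE2"
  report_setting "eth3" "$INT_IFACE3"
  report_setting "Extern ipaddr" "$EXT_IPADDR" required
  report_setting "Local ipaddr" "$INT_IPADDR"
  report_setting "Extern network" "$EXT_NETWORK"
  # The original tested $NETMASK, a variable that is never defined, so this
  # line always reported "not filled in"; the external netmask is what the
  # label describes.
  report_setting "Extern netmask" "$NETMASK_EXT_IFACE"
  echo

  printf '%s\n' "+ Checking IFACE config"
  # Compare every non-empty interface name against the ones seen before it, so
  # a duplicate among the internal interfaces is caught as well as one that
  # clashes with the external interface.
  for dev in "$EXT_IFACE" "$INT_IFACE" "$INT_IFACE2" "$INT_IFACE3"; do
    [[ -n "$dev" ]] || continue
    for seen in "${ifaces[@]}"; do
      if [[ "$dev" == "$seen" ]]; then
        echo "$err"
        exit 1
      fi
    done
    ifaces+=("$dev")
  done
  echo "Ok, your external and internal interfaces are not the same.."
  modcheck
}

#######################################
# Load one netfilter module with insmod from NETFILTER_DIR.
# Globals:   NETFILTER_DIR, ERR_LOG (stderr appended), MODULE_LOG (stdout appended)
# Arguments: $1 - module name without the ".o" suffix
# Returns:   insmod's exit status
#######################################
load_module() {
  local name=$1
  echo " - ${name}"
  /sbin/insmod "${NETFILTER_DIR}/${name}.o" 2>>"$ERR_LOG" >>"$MODULE_LOG"
}

#######################################
# Load an optional module when its feature switch is enabled: modprobe by name
# first (resolves dependencies and works with .ko modules), then the insmod
# path used for the mandatory modules.
# Globals:   ERR_LOG, GREEN, END
# Arguments: $1 - switch value ("Y"/"y" enables)
#            $2 - label shown to the user
#            $3 - module name
#######################################
load_optional_module() {
  local switch=$1 label=$2 name=$3
  if is_yes "$switch"; then
    printf '%b\n' " ${label} is set to \t\t\t(${GREEN} Y ${END}) "
    echo " modprobing for ${name}.o"
    /sbin/modprobe "$name" 2>>"$ERR_LOG"
    load_module "$name"
  else
    echo " ${label} is set to (N) -> skipping"
  fi
}

#######################################
# Load ip_tables, the modules every rule below needs, and the optional ones
# selected by the feature switches, then call flushandset().
# Globals:   NETFILTER_DIR, ERR_LOG (truncated, then appended to),
#            MODULE_LOG (overwritten), MIRROR, REDIRECT, QUEUE, TCPMSS,
#            LENGTH, MARK, RED, END
# Outputs:   progress on stdout; insmod/modprobe diagnostics in the log files
#######################################
modcheck() {
  local entry mod

  echo
  echo "Starting with the kernel module check"
  printf '%s\n' " + Checking for iptables kernel modules(!!IMPORTANT!!):"
  # Start each run with an empty error log; every loader below appends to it,
  # so the file ends up holding all of this run's problems, not just the last.
  : >"$ERR_LOG"

  if [[ -f "${NETFILTER_DIR}/ip_tables.o" ]]; then
    echo "Ok ip_tables.o found, now doing some \"modprobing\".."
    echo
    /sbin/insmod "${NETFILTER_DIR}/ip_tables.o" 2>>"$ERR_LOG"
    echo "[Modchecking]: "
  else
    echo
    printf '%b\n' "${RED} ____________________________________________________________________________________ ${END}"
    printf '%b\n' "${RED} /                                                                                    \\ ${END}"
    printf '%b\n' "${RED} | ${END} ip_tables.o (module) not found.. bad news darling :/                             ${RED}|${END}"
    printf '%b\n' "${RED} | ${END} One reason could be that you compiled a new kernel,                              ${RED}|${END}"
    printf '%b\n' "${RED} | ${END} and you compiled it directly into your kernel and not as a module.               ${RED}|${END}"
    printf '%b\n' "${RED} | ${END} If you did that, there is no problem ofcourse :), if not..this script will fail.. ${RED}|${END}"
    printf '%b\n' "${RED} \\____________________________________________________________________________________/ ${END}"
    echo
    printf '%b' "$END"
  fi
  # List whatever is in the module directory (glob instead of parsing ls).
  for entry in "${NETFILTER_DIR}"/*; do
    [[ -e "$entry" ]] || continue
    echo " found -> ${entry##*/}"
  done
  echo

  echo "---------------------------------------------------------------"
  echo " now calculating which modules are needed.."
  echo "---------------------------------------------------------------"
  echo
  echo " If this script failes, you might want to take a look at $ERR_LOG"
  echo " If something was wrong during the modprobing, it will be there."
  echo
  echo "NEEDED MODULES: " >"$MODULE_LOG"
  for mod in ipt_REJECT ip_conntrack ipt_LOG iptable_nat ipt_MASQUERADE \
      iptable_filter ipt_state; do
    load_module "$mod"
  done
  echo

  echo "--------------------------------------------------------------"
  echo " Checking for other modules that are needed.."
  echo "--------------------------------------------------------------"
  echo " Full stdout is written in ${MODULE_LOG}"
  echo " You can check it later."
  echo
  echo " OTHER MODULES: " >>"$MODULE_LOG"
  load_optional_module "$MIRROR" "Mirroring" ipt_MIRROR
  load_optional_module "$REDIRECT" "Redirecting" ipt_REDIRECT
  load_optional_module "$QUEUE" "Queue" ip_queue
  load_optional_module "$TCPMSS" "TCPMSS" ipt_TCPMSS
  load_optional_module "$LENGTH" "Length" ipt_length
  # MARK needs both ipt_MARK (the target) and ipt_mark (the match). The
  # original had the two messages swapped and wrote the ipt_mark insmod output
  # to a misspelled "MODULE_log" file.
  load_optional_module "$MARK" "MARK" ipt_MARK
  if is_yes "$MARK"; then
    echo " modprobing for ipt_mark.o"
    /sbin/modprobe ipt_mark 2>>"$ERR_LOG"
    load_module ipt_mark
  fi
  echo

  echo "--------------------------------------------------------------"
  echo " Modcheck function succesfully ended."
  echo "--------------------------------------------------------------"
  echo
  flushandset
}

#######################################
# Flush the filter and nat tables, recreate the user chains and call proc().
# Globals:   IPTAB
# NOTE(review): no default policy is set anywhere in this script (no
# "iptables -P"), so after the flush the built-in chains keep whatever policy
# they already had - ACCEPT on a fresh kernel. Apart from the FLOOD chain the
# rules installed later ACCEPT, log or rate-limit; the LOGDROP chain's DROP
# rule is commented out in filter().
#######################################
flushandset() {
  local -a chains=(ICMP LOCAL WATCH LOGDROP FLOOD)
  local chain

  echo -n "Now flushing all previous firewall rules: "
  # -F / -X act on every chain of a table, so the original's per-chain
  # --flush calls and the duplicate "-t filter" calls added nothing.
  "$IPTAB" -F
  "$IPTAB" -X
  "$IPTAB" -t nat -F
  "$IPTAB" -t nat -X
  echo "done"

  echo -n "creating new (needed) chains: "
  for chain in "${chains[@]}"; do
    # Silenced because the chain may already exist from a previous run.
    "$IPTAB" --new "$chain" 2>/dev/null
  done
  printf '%s ' "${chains[@]}"
  echo
  echo
  proc
}

#######################################
# Write one value into a /proc/sys entry, reporting what was done.
# Arguments: $1 - path under /proc/sys
#            $2 - value to write
#            $3 - label shown to the user
# Outputs:   "<label>: done", or "skipped" when the entry is not writable
#######################################
set_proc() {
  local path=$1 value=$2 label=$3
  echo -n "${label}: "
  if [[ -w "$path" ]]; then
    echo "$value" >"$path"
    echo "done"
  else
    echo "skipped (${path} not writable)"
  fi
}

#######################################
# Apply the kernel networking sysctls this firewall relies on, then call forward().
#######################################
proc() {
  set_proc /proc/sys/net/ipv4/ip_forward 1 "ip_forward set to (1) .. WE NEED IT!"
  # Dynamic IP users. The original wrote this "1" to icmp_echo_ignore_all,
  # which silently disabled every ping reply although icmp() explicitly
  # accepts echo-request; the label and the comment both name ip_dynaddr.
  set_proc /proc/sys/net/ipv4/ip_dynaddr 1 "ip_dynaddr set to (1)"
  set_proc /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 1 \
    "icmp_echo_ignore_broadcasts set to (1)"
  set_proc /proc/sys/net/ipv4/conf/all/accept_redirects 0 \
    "accept_redirects set to (0)"
  set_proc /proc/sys/net/ipv4/conf/all/accept_source_route 0 \
    "accept_source_route set to (0)"
  set_proc /proc/sys/net/ipv4/conf/all/log_martians 1 "log_martians set to (1)"
  forward
}

#######################################
# Placeholder; not called by the chain.
#######################################
report() {
  echo "report"
}

#######################################
# Install the rules for forward entry 1. This entry is special: besides the
# port accept it adds the conntrack accepts and the SNAT rule for all traffic
# leaving EXT_IFACE.
# Globals:   IPTAB, EXT_IFACE, EXT_IPADDR, FORWARD_SERVER_FROM1,
#            FORWARD_SERVER_TO1, FORWARD_PORT_FROM1, FORWARD_PORT_TO1
# NOTE(review): the DNAT rules for entry 1 are commented out (kept below), so
# this entry opens FORWARD_PORT_FROM1 and installs the SNAT/conntrack rules but
# does not redirect anything to FORWARD_SERVER_TO1.
#######################################
forward_first_server() {
  local err="mmm.. something is missing in your forward configuration, check it!!"
  if [[ -n "$FORWARD_SERVER_FROM1" && -n "$FORWARD_SERVER_TO1" \
        && -n "$FORWARD_PORT_FROM1" && -n "$FORWARD_PORT_TO1" ]]; then
    echo -n "forwarding: $FORWARD_SERVER_FROM1 to $FORWARD_SERVER_TO1: "
    "$IPTAB" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPTAB" -A INPUT -p tcp --dport "$FORWARD_PORT_FROM1" -j ACCEPT
    "$IPTAB" -A FORWARD -p tcp --dport "$FORWARD_PORT_FROM1" -i "$EXT_IFACE" -j ACCEPT
    "$IPTAB" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPTAB" -t nat -A POSTROUTING -o "$EXT_IFACE" -j SNAT --to-source "$EXT_IPADDR"
    #"$IPTAB" -t nat -A PREROUTING -p tcp -i "$LOC_IFACE" --dport "$FORWARD_PORT_FROM1" \
    #  -j DNAT --to-destination "${FORWARD_SERVER_TO1}:${FORWARD_PORT_TO1}"
    #"$IPTAB" -t nat -A PREROUTING -p tcp -i "$EXT_IFACE" -d "$FORWARD_SERVER_FROM1" \
    #  --dport "$FORWARD_PORT_FROM1" -j DNAT --to-destination "${FORWARD_SERVER_TO1}:${FORWARD_PORT_TO1}"
    #"$IPTAB" -t nat -A PREROUTING -p tcp -i "$EXT_IFACE" --dport "$FORWARD_PORT_FROM1" \
    #  -j DNAT --to-destination "${FORWARD_SERVER_TO1}:${FORWARD_PORT_TO1}"
    echo "done"
  else
    echo "$err"
  fi
  echo
}

#######################################
# Install the DNAT forwarding rules for entry N (2..7) when all four of its
# values are filled in.
# Globals:   IPTAB, EXT_IFACE, FORWARD_SERVER_FROM<N>, FORWARD_SERVER_TO<N>,
#            FORWARD_PORT_FROM<N>, FORWARD_PORT_TO<N>
# Arguments: $1 - entry number
# Outputs:   "forwarding: ... done" or "not set"
# NOTE(review): FORWARD_SERVER_FROM<N> is only displayed; the PREROUTING rule
# rewrites every packet arriving on EXT_IFACE for that port. Adding
# -d "$from" to it would limit the DNAT to the configured public address.
# The INPUT accept is not needed for DNAT traffic (that passes FORWARD) and
# additionally exposes the same port on the firewall host itself.
#######################################
add_forward() {
  local idx=$1
  local from_var="FORWARD_SERVER_FROM${idx}" to_var="FORWARD_SERVER_TO${idx}"
  local pfrom_var="FORWARD_PORT_FROM${idx}" pto_var="FORWARD_PORT_TO${idx}"
  local from=${!from_var} to=${!to_var} pfrom=${!pfrom_var} pto=${!pto_var}

  if [[ -n "$from" && -n "$to" && -n "$pfrom" && -n "$pto" ]]; then
    echo
    echo -n "forwarding: $from to $to: "
    "$IPTAB" -A FORWARD -p tcp --dport "$pfrom" -i "$EXT_IFACE" -j ACCEPT
    "$IPTAB" -A INPUT -p tcp --dport "$pfrom" -j ACCEPT
    "$IPTAB" -t nat -A PREROUTING -p tcp -i "$EXT_IFACE" --dport "$pfrom" \
      -j DNAT --to-destination "${to}:${pto}"
    echo "done"
  else
    echo "not set"
  fi
}

#######################################
# Install port forwarding for the configured entries when FORWARD is enabled,
# then call reject(). Entry 7 in the original had its if/else inverted and
# ran the iptables commands with empty variables when the entry was NOT set;
# every entry now goes through add_forward().
# Globals:   FORWARD
#######################################
forward() {
  local idx
  if is_yes "$FORWARD"; then
    echo "Forwarding is set to (Y) ... checking your forward configuration"
    forward_first_server
    for idx in 2 3 4 5 6 7; do
      echo -n "Checking (possible) next server to forward: "
      add_forward "$idx"
    done
  elif [[ "$FORWARD" == "N" || "$FORWARD" == "n" ]]; then
    echo "Forwarding is set to (N) ... skipping"
  else
    echo "unknown choice.. skipping by default"
  fi
  reject
}

#######################################
# Report the REJECT switch and call filter(). No rules are installed here;
# ipt_REJECT itself is loaded unconditionally by modcheck().
# Globals:   REJECT
#######################################
reject() {
  if is_yes "$REJECT"; then
    echo "REJECT is set to (Y) ... checking configuration"
  elif [[ "$REJECT" == "N" || "$REJECT" == "n" ]]; then
    echo "REJECT is set to (N) ... skipping"
  else
    echo "unknown choice for REJECT .. skipping by default"
    echo
  fi
  filter
}

#######################################
# Add one LOG rule to the LOGDROP chain for a protocol.
# Globals:   IPTAB
# Arguments: $1 - protocol as iptables expects it (tcp, udp, icmp, gre)
#            $2 - upper-case label used on screen and in the log prefix
#######################################
log_drop_rule() {
  local proto=$1 label=$2
  echo -n "${label} DROP: "
  "$IPTAB" -A LOGDROP --proto "$proto" -j LOG --log-level info \
    --log-prefix "Dropped ${label} packets "
  echo "done"
}

#######################################
# Fill the LOGDROP, WATCH and FLOOD chains, then call icmp().
# Globals:   IPTAB, EXT_IFACE
#######################################
filter() {
  echo "+ Starting with the packetfiltering rules"
  echo "now set of logging prefixes: "
  log_drop_rule tcp TCP
  log_drop_rule udp UDP
  log_drop_rule icmp ICMP
  log_drop_rule gre GRE
  echo -n "FRAG DROP: "
  "$IPTAB" -A LOGDROP -f -j LOG --log-level emerg --log-prefix "Drop FRAG "
  echo "done"
  echo -n "Dropping LOGDROP: "
  # NOTE(review): the terminal DROP is commented out, so LOGDROP only logs and
  # returns to the calling chain, where the packet meets that chain's default
  # policy. Enable it deliberately: icmp() sends fragmentation-needed here,
  # and path MTU discovery stops working for hosts behind this firewall once
  # those are really dropped.
  #"$IPTAB" -A LOGDROP -j DROP
  echo "not enabled (LOGDROP only logs, see the comment in filter())"
  echo

  echo "Adding prefix for new monitoring chain(accepted connections/packets)"
  # "-m limit" without arguments uses the module's default rate, so WATCH logs
  # a sample of the accepted packets rather than every one.
  "$IPTAB" -A WATCH -m limit -j LOG --log-level warn --log-prefix "Watched accept "
  "$IPTAB" -A WATCH -j ACCEPT

  echo -n "SYN-flood protection: "
  # NOTE(review): this caps ALL new inbound TCP connections on EXT_IFACE at
  # 1/s (burst 4), not only floods; a legitimate burst of connections is
  # dropped as well.
  "$IPTAB" -A INPUT -i "$EXT_IFACE" -p tcp --syn -j FLOOD
  "$IPTAB" -A FLOOD -m limit --limit 1/s --limit-burst 4 -j RETURN
  "$IPTAB" -A FLOOD -j DROP
  echo "added"
  echo
  icmp
}

#######################################
# Route inbound ICMP through the ICMP chain with a per-type verdict, then call
# mailfunct(). Be careful what you choose, some can cause other things not to
# work.
# Globals:   IPTAB
# NOTE(review): a rule that names only a type (destination-unreachable,
# redirect, time-exceeded, parameter-problem) matches every code of that type,
# so the more specific rules listed after it (port-unreachable,
# fragmentation-needed, host-redirect, ttl-zero-*, ip-header-bad, ...) are
# never reached. The order is kept as the author wrote it; move the specific
# entries above their type entry if their verdicts are meant to apply.
#######################################
icmp() {
  local entry
  # "type:target" pairs, in rule order (first match wins).
  local -a rules=(
    echo-reply:ACCEPT
    destination-unreachable:WATCH
    network-unreachable:WATCH
    host-unreachable:WATCH
    protocol-unreachable:WATCH
    port-unreachable:ACCEPT
    fragmentation-needed:LOGDROP
    source-route-failed:WATCH
    network-unknown:WATCH
    host-unknown:WATCH
    network-prohibited:WATCH
    host-prohibited:WATCH
    TOS-network-unreachable:WATCH
    TOS-host-unreachable:WATCH
    communication-prohibited:WATCH
    host-precedence-violation:LOGDROP
    precedence-cutoff:LOGDROP
    source-quench:LOGDROP
    redirect:LOGDROP
    network-redirect:LOGDROP
    host-redirect:LOGDROP
    TOS-network-redirect:LOGDROP
    TOS-host-redirect:LOGDROP
    echo-request:WATCH
    router-advertisement:LOGDROP
    router-solicitation:LOGDROP
    time-exceeded:WATCH
    ttl-zero-during-transit:WATCH
    ttl-zero-during-reassembly:WATCH
    parameter-problem:WATCH
    ip-header-bad:WATCH
    required-option-missing:WATCH
    timestamp-request:LOGDROP
    timestamp-reply:LOGDROP
    address-mask-request:LOGDROP
    address-mask-reply:LOGDROP
  )

  echo -n "now taking care of icmp: "
  "$IPTAB" -A INPUT --proto icmp -j ICMP
  for entry in "${rules[@]}"; do
    "$IPTAB" -A ICMP -p icmp --icmp-type "${entry%%:*}" -j "${entry##*:}"
  done
  # Anything not listed above.
  "$IPTAB" -A ICMP -p icmp -j LOGDROP
  echo "done"
  mailfunct
}

#######################################
# Placeholders; not called by the chain.
#######################################
drop() {
  echo "deny"
}

mirror() {
  echo "mirror"
}

log() {
  echo "log"
}

#######################################
# Mail the installed rule set to <current user>@<hostname>. Last step of the chain.
# Globals:   IPTAB
#######################################
mailfunct() {
  echo -n "Now sending you an email with the current firewall rules.."
  # -n keeps iptables from reverse-resolving every address in the listing,
  # which can stall for a long time when DNS is unreachable right after the
  # rules were installed.
  "$IPTAB" -L -n | /bin/mail -s "FIREWALL REPORT: " "$(whoami)@$(hostname)"
  echo "mail send"
  echo
}

# Honour the START_THIS safety switch documented in the configuration section;
# the original ran unconditionally, flushing the live rule set even with the
# default START_THIS="N".
if is_yes "$START_THIS"; then
  banner
else
  printf '%s\n' "START_THIS is not set to \"Y\" - not touching the firewall rules." >&2
  exit 1
fi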