Ubuntu Firewall init script, NAT and services
#!/bin/bash
# Diego García Gonzalez (diegargon) [email protected]
VER=v3.4
### BEGIN UBUNTU INIT
# Provides: myFirewall
# Required-Start: networking
# Required-Stop:
# Should-Start:
# Should-Stop:
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Start and Stop
# Description:
### END UBUNTU INIT
# NOTE(review): LSB tools (insserv/update-rc.d) look for a block delimited by
# "### BEGIN INIT INFO" / "### END INIT INFO"; with the custom delimiters above
# the Required-Start dependency on networking may be ignored — confirm on the target.
# This script builds a two-sided iptables firewall (one external interface EXT_IF,
# one or more internal LAN interfaces), optionally exposing services running on the
# firewall itself and/or publishing hosts in a DMZ. NAT/MASQUERADE on EXT_IF is optional.
# It must run as root (iptables + writes under /proc/sys). Only IPv4 is handled:
# no ip6tables rules are installed, so IPv6 traffic is not filtered by this script.
# Use /etc/default/firewall to override the config variables below.
# Warning: the DMZ rules have not been verified in a real deployment yet.
# TODO
# ALLOW NAT MULTIPLE INTERFACES
#### LATEST CHANGES
# ALLOW FORWARD FOR MULTIPLE INTERNAL INTERFACE F
# FIX INCORRECT LOGGIN DROP PACKET AND IMPROVE
# GENERAL IMPROVEMENTS
#
########################################################### | |
#### DEFAULT USERCONFIG BEGIN #### | |
########################################################### | |
## Use /etc/default/firewall to rewrite this configuration | |
# External (internet-facing) interface, e.g. eth0. Required: do_start aborts when empty.
EXT_IF=
# Space-separated list of internal interfaces (ESTABLISHED,RELATED is accepted on each of them).
LANS=""
# NOTE: every "=$LANS" / "=$TRUSTED_LANS" default below is expanded right here,
# when this file is parsed. Overriding only LANS in /etc/default/firewall does NOT
# propagate to the derived variables — override each one you rely on there.
TRUSTED_LANS=$LANS
UNTRUSTED_LANS=""
# LANs allowed to forward to EXT (and to receive replies from it)
FWD_LANS_EXT=$LANS
# Forwarding between LANs: trusted<->trusted is unrestricted, trusted->untrusted
# may initiate, untrusted->trusted only gets ESTABLISHED,RELATED back.
FWD_BTWN_LANS_TRUSTED=$TRUSTED_LANS
FWD_BTWN_LANS_UNTRUSTED=$UNTRUSTED_LANS
DEBUG=0 #just echo rules not use iptables command (the /proc/sys writes in tweaks/nat still happen)
TWEAKS=0
# Shared limiter for LOG rules. "-m limit" is one global bucket per rule, not per source.
RATE_LIMIT="-m limit --limit 1/s --limit-burst 7"
############################################
#### NAT ####
#### on EXT_IF ####
###########################################
# 1: MASQUERADE everything leaving EXT_IF and enable ip_forward at start.
DO_NAT=1
# 1: ip_forward is switched off when the firewall stops.
# 0: the MASQUERADE rule is re-installed on stop, i.e. the box keeps
#    routing/NATing with ACCEPT policies — unfiltered — until the next start.
STOP_NAT_WITH_FIREWALL=0
############################################
#### MULTICAST ####
###########################################
# 1: accept 224.0.0.0/4 arriving on EXT_IF; 0: drop it (logged via LOG_D_CAST)
ALLOW_EXT_MULTICAST=0
# space-separated LAN interfaces on which multicast is accepted
ALLOWED_MULTICAST_LANS=$TRUSTED_LANS
###########################################
#### LOGGING ####
###########################################
# Master switch: the LOG_* flags below only take effect when LOG_DROP=1,
# and the FINAL_I_DROP catch-all is only appended to INPUT when it is 1.
LOG_DROP=0 # GENERAL
LOG_I_D_FINAL=0 # PACKET PASS ALL INPUT RULLES
LOG_F_D_FINAL=1 # PACKET PASS ALL FORWARD RULLES
LOG_D_INVALID=0 # PACKET INVALID
LOG_D_ICMP=1 # ICMP PACKET
LOG_D_RESETPCK=0 # INPUT RESET PACKET
LOG_F_RESETPCK=0 # FORWARD RESET PACKET
LOG_D_EXT_IPBAN=1 # CUSTOM IP BANED
LOG_D_PRIVIP=1 # PRIVATE IP COME EXT
LOG_D_CAST=0 # MULTI/BROAD CAST
LOG_PREFIX="[IPTABLES]"
LOG_LEVEL="4" # kernel log level (4 = warning)
############################################
#### Open services on firewall #####
############################################
OPEN_FW_SRV=0
# Space-separated list of internal interfaces the ports below are opened on.
# (The port lists themselves are comma-separated: iptables multiport, max 15 ports/ranges per rule.)
OPEN_FW_IF_LANS=$TRUSTED_LANS
#Ports open to all interfaces (EXT_IF and OPEN_FW_IF_LANS)
FW_SRV_TCP_PORTS=
FW_SRV_UDP_PORTS=
##Ports open to internal interfaces only (OPEN_FW_IF_LANS)
FW_INT_TCP_PORTS=
FW_INT_UDP_PORTS=
###########################################
#### OPEN DMZ ####
###########################################
# 1: publish up to three DMZ hosts — EXT_IF:ports are DNATed to DMZ_SRVn_IP through DMZ_IF.
OPEN_DMZ=0
DMZ_IF=
DMZ_SRV1_IP=
DMZ_SRV2_IP=
DMZ_SRV3_IP=
# comma-separated port lists (multiport)
DMZ_SRV1_TCP_PORTS=
DMZ_SRV1_UDP_PORTS=
DMZ_SRV2_TCP_PORTS=
DMZ_SRV2_UDP_PORTS=
DMZ_SRV3_TCP_PORTS=
DMZ_SRV3_UDP_PORTS=
#grep nameserver and get second parameter "nameserver 127.0.0.1" > 127.0.0.1
#FILE_DNS_SERVERS=/etc/resolv.conf
# Written to conf/all/send_redirects, only when TWEAKS=1. A router that emits ICMP
# redirects discloses its routing to neighbours; 0 is the usual hardened setting.
ICMP_REDIRECTS=1 # D:1
# 1 -> icmp_echo_ignore_all (firewall stops answering ping); only applied when TWEAKS=1.
DISABLE_ECHO_REPLY=0 # D:0
# Read at start by a root process: keep it root-owned and not group/world-writable.
IP_BANNED_LIST=/etc/default/firewall.ipbanned # format: one ip in each line
########################################################### | |
#### END CONFIG BEGIN FUNCTIONS #### | |
########################################################### | |
#### NO MORE USER CONFIG VARS UNDER HERE #### | |
########################################################### | |
#User Config rewrite | |
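# Returns 0 when the override file $1 is safe to source as root: it must be a
# regular file owned by root (or by the current user, for DEBUG runs) and must
# not carry any group/other write bit. Sourcing a file anyone else can edit
# would let that user run arbitrary commands as root at every firewall start.
config_is_trusted() {
  local f=$1 owner
  [ -f "$f" ] || return 1
  owner=$(stat -c '%u' "$f" 2>/dev/null) || return 1
  if [ "$owner" != 0 ] && [ "$owner" != "$(id -u)" ]; then
    return 1
  fi
  # GNU find: prints the path when any of the 022 bits is set
  [ -z "$(find "$f" -maxdepth 0 -perm /022 2>/dev/null)" ]
}
#User Config rewrite
if [ -r /etc/default/firewall ]; then
  if config_is_trusted /etc/default/firewall; then
    . /etc/default/firewall
  else
    echo "[WARN] ignoring /etc/default/firewall: it must be owned by root and not group/world-writable" >&2
  fi
fi
if [ "${DEBUG:-0}" = 1 ]; then
  echo "****************************************************************************"
  echo "********* ALERT: Firewall in debug mode, firewall rules not active *********"
  echo "****************************************************************************"
  IPTABLES="echo"
else
  # Empty when iptables is not installed / not in PATH (nothing below can work then).
  IPTABLES=$(command -v iptables)
  [ -n "$IPTABLES" ] || echo "[WARN] iptables not found in PATH" >&2
fi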
#if [ -f $FILE_DNS_SERVERS ]; then | |
# NAME_SERVERS=`grep -i ^nameserver $FILE_DNS_SERVERS| cut -d ' ' -f2` | |
#fi | |
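# Write VALUE into the /proc/sys entry KEY. Entries that are absent or not
# writable are skipped with a warning on stderr instead of spraying shell
# redirection errors (e.g. nf_conntrack_log_invalid does not exist until the
# conntrack module is loaded, which typically happens only when the first
# "-m conntrack" rule is installed — after tweaks has run; and nothing under
# /proc/sys is writable when not root). Returns 0 when written, 1 when skipped.
set_sysctl() {
  local key=$1 value=$2
  if [ -w "$key" ]; then
    echo "$value" > "$key"
  else
    echo " ** skipping $key (missing or not writable)" >&2
    return 1
  fi
}
# Kernel TCP/ICMP hardening and tuning; only invoked by do_start when TWEAKS=1.
# "D:" in the trailing comments is the default the author recorded on Ubuntu.
tweaks() {
  echo -n "**** Setting TCP tweaks:"
  set_sysctl /proc/sys/net/ipv4/tcp_syncookies 1                    # D: 1
  set_sysctl /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 1       # D: 1
  set_sysctl /proc/sys/net/ipv4/conf/all/log_martians 0             # D: 0
  set_sysctl /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses 1 # D: 1
  set_sysctl /proc/sys/net/ipv4/conf/all/rp_filter 1                # D: 1
  set_sysctl /proc/sys/net/ipv4/conf/all/accept_source_route 0      # D: 0
  set_sysctl /proc/sys/net/ipv4/conf/all/accept_redirects 0         # D: 0
  # User-configurable knobs (ICMP_REDIRECTS / DISABLE_ECHO_REPLY in the config section)
  set_sysctl /proc/sys/net/ipv4/conf/all/send_redirects "$ICMP_REDIRECTS"  # D: 1
  set_sysctl /proc/sys/net/ipv4/icmp_echo_ignore_all "$DISABLE_ECHO_REPLY" # D: 0
  # nf_conntrack_log_invalid: 0 - disable (default) 1 - log ICMP packets 6 - log TCP packets
  # 17 - log UDP packets 33 - log DCCP packets 41 - log ICMPv6 packets
  # 136 - log UDPLITE packets 255 - log packets of any protocol
  set_sysctl /proc/sys/net/netfilter/nf_conntrack_log_invalid 0     # D: 0
  # Receive-buffer autotuning
  set_sysctl /proc/sys/net/ipv4/tcp_moderate_rcvbuf 1               # D: 1
  # Starts at the middle value, autotuning then adjusts between min and max (min:initial:max)
  # rmem (recv) wmem (send)
  # set_sysctl /proc/sys/net/ipv4/tcp_rmem "? ? ?"   # D: 4096 : 131072 : 6291456
  # set_sysctl /proc/sys/net/ipv4/tcp_wmem "? ? ?"   # D: 4096 : 16384 : 4194304
  #
  # TCP window scaling
  # _default (non tcp-sockets)
  set_sysctl /proc/sys/net/ipv4/tcp_window_scaling 1                # D: 1
  #set_sysctl /proc/sys/net/core/rmem_default 256960  # D: 212992
  #set_sysctl /proc/sys/net/core/rmem_max 256960      # D: 212992
  #set_sysctl /proc/sys/net/core/wmem_default 256960  # D: 212992
  #set_sysctl /proc/sys/net/core/wmem_max 256960      # D: 212992
  # disable timestamps & SACK (less TCP header overhead / CPU;
  # cons: interacts with congestion control — left at defaults)
  #set_sysctl /proc/sys/net/ipv4/tcp_timestamps 0            # D: 1
  #set_sysctl /proc/sys/net/ipv4/tcp_sack 0                  # D: 1
  #set_sysctl /proc/sys/net/ipv4/tcp_dsack 0                 # D: 1
  #set_sysctl /proc/sys/net/ipv4/tcp_slow_start_after_idle 0 # D: 1
  # TCP Fast Open: 1 client, 2 server, 3 both
  set_sysctl /proc/sys/net/ipv4/tcp_fastopen 3                      # D: 1
  ### REDUCE TIMEOUTS
  set_sysctl /proc/sys/net/ipv4/tcp_fin_timeout 30                  # D: 60
  set_sysctl /proc/sys/net/ipv4/tcp_keepalive_time 3600             # D: 7200
  echo "[DONE]"
}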
# Remove every rule and every user-defined chain from the filter and nat
# tables. Chain policies are left as they are (default_policy / do_stop set
# them); mangle and raw are not flushed because this script never touches them.
flush_all() {
  local table_opt
  for table_opt in "" "-t nat"; do
    $IPTABLES -F $table_opt
    $IPTABLES -X $table_opt
  done
}
# Fail-closed policies: anything not explicitly accepted in INPUT/FORWARD is
# dropped; locally generated traffic (OUTPUT) is allowed.
default_policy() {
  local chain
  for chain in INPUT FORWARD; do
    $IPTABLES -P "$chain" DROP
  done
  $IPTABLES -P OUTPUT ACCEPT
}
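# Create the terminal DROP chain NAME. When both the master switch LOG_DROP and
# the per-category switch ENABLED are 1, a rate-limited LOG rule tagged
# "$LOG_PREFIX$TAG" precedes the DROP; otherwise the chain just drops.
# Arguments: $1 chain name, $2 per-category log flag (0/1), $3 log tag suffix
mk_drop_chain() {
  local name=$1 enabled=$2 tag=$3
  $IPTABLES -N "$name"
  if [ "$LOG_DROP" = 1 ] && [ "$enabled" = 1 ]; then
    $IPTABLES -A "$name" $RATE_LIMIT -j LOG --log-level "$LOG_LEVEL" --log-prefix "$LOG_PREFIX$tag"
  fi
  $IPTABLES -A "$name" -j DROP
}
# Build every log-then-drop chain the INPUT/FORWARD/OUTPUT rules jump to, plus
# two unfiltered debug chains. Chain creation order is preserved from the
# original hand-written version.
set_loggin_rules() {
  echo -n "**** Setting logging rules:"
  # INVALID conntrack state, per chain
  mk_drop_chain I_DROP_INVALID   "$LOG_D_INVALID"   "[I_DROP][INVALID]"
  mk_drop_chain O_DROP_INVALID   "$LOG_D_INVALID"   "[O_DROP][INVALID]"
  mk_drop_chain F_DROP_INVALID   "$LOG_D_INVALID"   "[F_DROP][INVALID]"
  # packets from EXT_IF with a private/reserved source (anti-spoofing)
  mk_drop_chain I_DROP_EXT_PRIVIP "$LOG_D_PRIVIP"   "[I_DROP][EXT_PRIVIP]"
  # sources listed in IP_BANNED_LIST
  mk_drop_chain I_IPBAN          "$LOG_D_EXT_IPBAN" "[I_DROP][EXT_IPBAN]"
  # TCP resets, INPUT and FORWARD
  mk_drop_chain I_RESETPCK       "$LOG_D_RESETPCK"  "[I_DROP][RESETPCK]"
  mk_drop_chain F_RESETPCK       "$LOG_F_RESETPCK"  "[F_DROP][RESETPCK]"
  # ICMP not accepted by input_icmp_rules
  mk_drop_chain I_D_ICMP         "$LOG_D_ICMP"      "[I_DROP][ICMP]"
  # multicast/broadcast from LANs not in ALLOWED_MULTICAST_LANS, and from EXT_IF
  mk_drop_chain I_INT_CAST       "$LOG_D_CAST"      "[I_DROP][INT_CAST]"
  mk_drop_chain I_EXT_CAST       "$LOG_D_CAST"      "[I_DROP][EXT_CAST]"
  # catch-alls appended before the chain policy so the final drop can be logged
  mk_drop_chain FINAL_F_DROP     "$LOG_F_D_FINAL"   "[F_DROP][FINAL]"
  mk_drop_chain FINAL_I_DROP     "$LOG_I_D_FINAL"   "[I_DROP][FINAL]"
  # Debug helpers for manual insertion (not referenced elsewhere in this script).
  # Deliberately NOT rate limited: every matching packet is logged, so only
  # insert them with a narrow match or the log will flood.
  $IPTABLES -N L_DEBUG
  $IPTABLES -A L_DEBUG -j LOG --log-level "$LOG_LEVEL" --log-prefix "$LOG_PREFIX[DEBUG]"
  $IPTABLES -N L_DEBUG_ACCEPT
  $IPTABLES -A L_DEBUG_ACCEPT -j LOG --log-level "$LOG_LEVEL" --log-prefix "$LOG_PREFIX[DEBUG_ACCEPT]"
  $IPTABLES -A L_DEBUG_ACCEPT -j ACCEPT
  echo "[DONE]"
}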
# Append one INPUT accept for PROTO on interface IFACE for the comma-separated
# PORTS list (iptables multiport: at most 15 ports/ranges per rule).
_accept_dports() {
  local proto=$1 iface=$2 ports=$3
  $IPTABLES -A INPUT -p "$proto" -i "$iface" -m multiport --dports "$ports" -j ACCEPT
}
# Open the services hosted on the firewall itself. FW_SRV_* ports are reachable
# from EXT_IF and from every interface in OPEN_FW_IF_LANS; FW_INT_* ports only
# from OPEN_FW_IF_LANS. Empty port lists are skipped.
open_server() {
  local lan_if
  echo "**** Opening FW server:"
  echo " ** Ports open to external $EXT_IF and interal interfaces ($OPEN_FW_IF_LANS):"
  echo " ** FW TCP $FW_SRV_TCP_PORTS"
  echo " ** FW UDP $FW_SRV_UDP_PORTS"
  echo " ** Ports open internal interface ($OPEN_FW_IF_LANS)"
  echo " ** FW TCP $FW_INT_TCP_PORTS"
  echo " ** FW UDP $FW_INT_UDP_PORTS"
  # public + internal
  if [ -n "${FW_SRV_TCP_PORTS}" ]; then
    _accept_dports tcp "$EXT_IF" "$FW_SRV_TCP_PORTS"
    for lan_if in $OPEN_FW_IF_LANS; do
      _accept_dports tcp "$lan_if" "$FW_SRV_TCP_PORTS"
    done
  fi
  if [ -n "${FW_SRV_UDP_PORTS}" ]; then
    _accept_dports udp "$EXT_IF" "$FW_SRV_UDP_PORTS"
    for lan_if in $OPEN_FW_IF_LANS; do
      _accept_dports udp "$lan_if" "$FW_SRV_UDP_PORTS"
    done
  fi
  # internal only
  if [ -n "${FW_INT_TCP_PORTS}" ]; then
    for lan_if in $OPEN_FW_IF_LANS; do
      _accept_dports tcp "$lan_if" "$FW_INT_TCP_PORTS"
    done
  fi
  if [ -n "${FW_INT_UDP_PORTS}" ]; then
    for lan_if in $OPEN_FW_IF_LANS; do
      _accept_dports udp "$lan_if" "$FW_INT_UDP_PORTS"
    done
  fi
  echo " ** [DONE]Opening FW server"
}
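# Publish one DMZ host: DNAT the given EXT_IF ports to IP and allow the
# forward path in both directions. Both FORWARD rules are pinned to the
# EXT_IF <-> DMZ_IF pair: the old return rules matched only on source
# address/port, so a compromised DMZ host could send traffic sourced from its
# service port to ANY forwarded destination, including the internal LANs
# (UDP did not even require an existing conntrack entry). Replies are now
# restricted to ESTABLISHED,RELATED for UDP as well — conntrack tracks UDP
# flows, so the return packets of a DNATed request qualify.
# Arguments: $1 label for the log line, $2 DMZ IP, $3 TCP ports, $4 UDP ports
# (comma-separated, may be empty). Does nothing when IP or DMZ_IF is empty.
_dmz_publish() {
  local label=$1 ip=$2 tcp_ports=$3 udp_ports=$4
  local proto ports
  if [ -z "$ip" ] || [ -z "$DMZ_IF" ]; then
    return 0
  fi
  echo " ** $label: Opening service ports TCP $tcp_ports and UDP $udp_ports on $ip"
  for proto in tcp udp; do
    if [ "$proto" = tcp ]; then ports=$tcp_ports; else ports=$udp_ports; fi
    [ -n "$ports" ] || continue
    $IPTABLES -t nat -A PREROUTING -p "$proto" -m multiport --dports "$ports" -i "$EXT_IF" -j DNAT --to "$ip"
    $IPTABLES -A FORWARD -p "$proto" -i "$EXT_IF" -o "$DMZ_IF" -d "$ip" -m multiport --dports "$ports" -j ACCEPT
    $IPTABLES -A FORWARD -p "$proto" -i "$DMZ_IF" -o "$EXT_IF" -s "$ip" -m multiport --sports "$ports" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  done
}
# Expose the (up to three) DMZ hosts configured in DMZ_SRVn_*; called from
# forward_chain_rules when OPEN_DMZ=1. A DMZ host's own outbound access (e.g.
# updates) is NOT granted here — add DMZ_IF to FWD_LANS_EXT for that.
open_dmz() {
  echo " ** Open DMZ:"
  _dmz_publish DMZ  "$DMZ_SRV1_IP" "$DMZ_SRV1_TCP_PORTS" "$DMZ_SRV1_UDP_PORTS"
  _dmz_publish DMZ2 "$DMZ_SRV2_IP" "$DMZ_SRV2_TCP_PORTS" "$DMZ_SRV2_UDP_PORTS"
  _dmz_publish DMZ3 "$DMZ_SRV3_IP" "$DMZ_SRV3_TCP_PORTS" "$DMZ_SRV3_UDP_PORTS"
  echo " ** [DONE] Open DMZ"
}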
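# INPUT chain (traffic addressed to the firewall itself). Rule order:
#   lo -> anti-spoof on EXT_IF -> ban list -> RST drop -> INVALID drop ->
#   ESTABLISHED,RELATED -> firewall services -> multicast -> ICMP -> final drop.
# INVALID is dropped and ESTABLISHED accepted *before* open_server: a malformed
# packet aimed at a published port no longer slips through the unconditional
# port ACCEPT, and the common (established) case is matched early.
input_chain_rules() {
  echo "**** Setting input chain rules:"
  local lan_if entry
  local ipv4_re='^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$'
  # Loopback is unrestricted.
  $IPTABLES -A INPUT -i lo -s 0/0 -d 0/0 -j ACCEPT
  # Anti-spoofing: internal/reserved source addresses must never arrive on EXT_IF.
  # NOTE(review): if EXT_IF itself sits behind another NAT router (RFC1918 WAN
  # address), these rules also drop legitimate traffic from that upstream router.
  $IPTABLES -A INPUT -i "$EXT_IF" -s 10.0.0.0/8 -j I_DROP_EXT_PRIVIP
  $IPTABLES -A INPUT -i "$EXT_IF" -s 172.16.0.0/12 -j I_DROP_EXT_PRIVIP
  $IPTABLES -A INPUT -i "$EXT_IF" -s 192.168.0.0/16 -j I_DROP_EXT_PRIVIP
  $IPTABLES -A INPUT -i "$EXT_IF" -s 169.254.0.0/16 -j I_DROP_EXT_PRIVIP
  $IPTABLES -A INPUT -i "$EXT_IF" -s 127.0.0.0/8 -j I_DROP_EXT_PRIVIP
  # Custom ban list (IP_BANNED_LIST): one IPv4 address or CIDR per line; blank
  # lines and '#' comments are ignored. The rule that consumed the list used to
  # be commented out (the feature was a silent no-op) and a blank line ended
  # the loop early. Entries are validated because the file is read by root and
  # a malformed line would otherwise abort the rule, not the start.
  if [ -f "$IP_BANNED_LIST" ]; then
    echo "**** Banning user custom ips"
    while IFS= read -r entry || [ -n "$entry" ]; do
      entry=${entry%%#*}
      entry=${entry//[[:space:]]/}
      [ -n "$entry" ] || continue
      if [[ "$entry" =~ $ipv4_re ]]; then
        $IPTABLES -A INPUT -i "$EXT_IF" -s "$entry" -j I_IPBAN
      else
        echo " ** ignoring malformed entry in $IP_BANNED_LIST: $entry" >&2
      fi
    done < "$IP_BANNED_LIST"
  fi
  # TCP resets are dropped (optionally logged). Because this precedes the
  # ESTABLISHED rule, the firewall's own connections to closed ports time out
  # instead of failing fast.
  $IPTABLES -A INPUT -p tcp --tcp-flags ALL RST,ACK -j I_RESETPCK
  $IPTABLES -A INPUT -p tcp --tcp-flags ALL RST -j I_RESETPCK
  $IPTABLES -A INPUT -m conntrack --ctstate INVALID -j I_DROP_INVALID
  # Replies to connections initiated by the firewall, from EXT and every LAN.
  $IPTABLES -A INPUT -i "$EXT_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  for lan_if in $LANS; do
    $IPTABLES -A INPUT -i "$lan_if" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  done
  # Services running on the firewall itself.
  if [ "$OPEN_FW_SRV" = 1 ]; then
    open_server
  fi
  #####################################################
  ######## MULTICAST RULES #############
  ####################################################
  if [ "$ALLOW_EXT_MULTICAST" = 1 ]; then
    echo " ** Allowing multicast packets from EXT"
    $IPTABLES -A INPUT -i "$EXT_IF" -d 224.0.0.0/4 -j ACCEPT
  else
    $IPTABLES -A INPUT -i "$EXT_IF" -d 224.0.0.0/4 -j I_EXT_CAST
  fi
  for lan_if in $ALLOWED_MULTICAST_LANS; do
    $IPTABLES -A INPUT -i "$lan_if" -d 224.0.0.0/4 -j ACCEPT
  done
  # multicast from anywhere else
  $IPTABLES -A INPUT -d 224.0.0.0/4 -j I_INT_CAST
  input_icmp_rules
  # Only appended when logging is on; otherwise the DROP policy handles the rest.
  if [ "$LOG_DROP" = 1 ]; then
    $IPTABLES -A INPUT -j FINAL_I_DROP
  fi
  echo " ** Setting input chain rules:[DONE]"
}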
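# ICMP policy for the INPUT chain. Called from input_chain_rules after the
# ESTABLISHED,RELATED accepts, so replies to the firewall's own pings and ICMP
# errors that belong to a tracked connection (RELATED) are already accepted
# before these rules run; what is filtered here is unsolicited ICMP only.
# From EXT_IF, echo request/reply are now rate limited with the shared
# RATE_LIMIT (they were accepted without any limit although the comments
# described a limited variant): a ping flood from the internet cannot
# monopolise the CPU or the log, and excess packets fall through to I_D_ICMP
# (dropped, logged when LOG_D_ICMP=1). NOTE: -m limit is one global bucket,
# not per source — a single flooder also starves legitimate pingers.
input_icmp_rules() {
  echo -n "**** Setting icmp input rules: "
  local lan_if_t lan_if_u
  ##################################################### EXTERNAL
  # 0 echo reply (unsolicited; solicited ones are already ESTABLISHED)
  $IPTABLES -A INPUT -i "$EXT_IF" -p icmp --icmp-type 0 $RATE_LIMIT -j ACCEPT
  # 8 echo request — can be silenced entirely with DISABLE_ECHO_REPLY=1 (TWEAKS=1 -> icmp_echo_ignore_all)
  $IPTABLES -A INPUT -i "$EXT_IF" -p icmp --icmp-type 8 $RATE_LIMIT -j ACCEPT
  # Not accepted from EXT_IF when unsolicited: 3 destination unreachable
  # (incl. 3/4 fragmentation needed, 3/3 port, 3/1 host), 4 source quench,
  # 5 redirect, 9/10 router advertisement/solicitation, 11 time exceeded,
  # 12 parameter problem, 13/14 timestamp, 15/16 information, 17/18 address
  # mask, 30 traceroute. Those tied to a tracked flow still arrive as RELATED.
  ############# END ICMP EXT RULES
  $IPTABLES -A INPUT -p icmp -i lo -j ACCEPT
  ##################################### TRUSTED LANS: any ICMP
  for lan_if_t in $TRUSTED_LANS; do
    $IPTABLES -A INPUT -p icmp --icmp-type any -i "$lan_if_t" -j ACCEPT
  done
  ##################################### UNTRUSTED LANS: echo both ways plus the
  # unreachable codes needed for PMTU discovery (3/4), port (3/3) and host (3/1)
  for lan_if_u in $UNTRUSTED_LANS; do
    $IPTABLES -A INPUT -i "$lan_if_u" -p icmp --icmp-type 0 -j ACCEPT
    $IPTABLES -A INPUT -i "$lan_if_u" -p icmp --icmp-type 8 -j ACCEPT
    $IPTABLES -A INPUT -i "$lan_if_u" -p icmp --icmp-type 3/4 -j ACCEPT
    $IPTABLES -A INPUT -i "$lan_if_u" -p icmp --icmp-type 3/3 -j ACCEPT
    $IPTABLES -A INPUT -i "$lan_if_u" -p icmp --icmp-type 3/1 -j ACCEPT
  done
  # Everything else (log-then-drop chain)
  $IPTABLES -A INPUT -p icmp -j I_D_ICMP
  echo "[DONE]"
}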
# OUTPUT chain: the policy is ACCEPT, so the only rule is dropping (and
# optionally logging) locally generated packets conntrack flags as INVALID.
output_chain_rules() {
  local chain=OUTPUT
  printf '%s' "**** Setting OUTPUT rules:"
  $IPTABLES -A "$chain" -m conntrack --ctstate INVALID -j O_DROP_INVALID
  printf '%s\n' "[DONE]"
}
# Enable IPv4 forwarding in the kernel and masquerade everything that leaves
# through EXT_IF (called from do_start only when DO_NAT=1). Note that with
# DO_NAT=0 ip_forward is never touched here, so inter-LAN forwarding then
# depends on whatever the system sysctl configuration sets.
nat_chain_rules() {
  local ext=${EXT_IF}
  printf '%s' "**** Setting Nat/Masq rules:"
  echo 1 > /proc/sys/net/ipv4/ip_forward #Default 0
  $IPTABLES -t nat -A POSTROUTING -o "$ext" -j MASQUERADE
  printf '%s\n' "[DONE]"
}
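# FORWARD chain: LAN -> EXT for FWD_LANS_EXT (and EXT replies back), any
# traffic between trusted LANs, trusted -> untrusted initiation only, then the
# DMZ publish rules (OPEN_DMZ=1). Everything else ends in FINAL_F_DROP.
# Untrusted LANs reach EXT only if they are listed in FWD_LANS_EXT.
# Fix: the UNTRUSTED summary line was printing the TRUSTED list.
forward_chain_rules() {
  echo "**** Setting forward a rules:"
  echo " ** FWD LANS TO EXT $FWD_LANS_EXT"
  echo " ** FWD_BTWN_LANS_TRUSTED $FWD_BTWN_LANS_TRUSTED"
  echo " ** FWD_BTWN_LANS_UNTRUSTED $FWD_BTWN_LANS_UNTRUSTED"
  local lan_if lan_if_i lan_if_o lan_if_t lan_if_u
  # Forwarded TCP resets are dropped (optionally logged). Side effect: LAN
  # clients connecting to a closed port see a timeout instead of a fast refusal.
  $IPTABLES -A FORWARD -p tcp --tcp-flags ALL RST,ACK -j F_RESETPCK
  $IPTABLES -A FORWARD -p tcp --tcp-flags ALL RST -j F_RESETPCK
  # Replies from the internet to connections started from a LAN allowed to reach EXT
  for lan_if in $FWD_LANS_EXT; do
    $IPTABLES -A FORWARD -i "$EXT_IF" -o "$lan_if" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  done
  $IPTABLES -A FORWARD -m conntrack --ctstate INVALID -j F_DROP_INVALID
  # LAN -> internet, any state (INVALID was dropped just above)
  for lan_if in $FWD_LANS_EXT; do
    $IPTABLES -A FORWARD -i "$lan_if" -o "$EXT_IF" -j ACCEPT
  done
  # trusted <-> trusted: unrestricted, one rule per ordered pair of distinct interfaces
  for lan_if_i in $FWD_BTWN_LANS_TRUSTED; do
    for lan_if_o in $FWD_BTWN_LANS_TRUSTED; do
      [ "$lan_if_o" = "$lan_if_i" ] && continue
      $IPTABLES -A FORWARD -i "$lan_if_i" -o "$lan_if_o" -j ACCEPT
    done
  done
  # trusted -> untrusted may initiate; untrusted -> trusted only carries replies
  for lan_if_t in $FWD_BTWN_LANS_TRUSTED; do
    for lan_if_u in $FWD_BTWN_LANS_UNTRUSTED; do
      $IPTABLES -A FORWARD -i "$lan_if_t" -o "$lan_if_u" -j ACCEPT
      $IPTABLES -A FORWARD -i "$lan_if_u" -o "$lan_if_t" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    done
  done
  if [ "$OPEN_DMZ" = 1 ]; then
    open_dmz
  fi
  # Always appended (unlike INPUT, which only does so when LOG_DROP=1) so the
  # final forward drop can be logged via LOG_F_D_FINAL.
  $IPTABLES -A FORWARD -j FINAL_F_DROP
  echo " ** [DONE]Setting forward a rules"
}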
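# Bring the firewall up: validate the config, optionally apply sysctl tweaks,
# flush everything, set DROP policies and then build the chains. Exits 1 on
# any precondition failure — an exit status of 0 here would make the init
# system record a firewall that never came up as "started".
# NOTE: flush + rebuild is not atomic. Between default_policy and the
# ESTABLISHED rules an existing remote session is briefly dropped; applying a
# prebuilt ruleset with iptables-restore would avoid that window.
do_start() {
  echo -n "**** Starting firewall ($VER):"
  if [ -z "${EXT_IF}" ]; then
    echo "[ERROR] EXT_IF isn't set" >&2
    exit 1
  fi
  if [ -z "${TRUSTED_LANS}" ]; then
    echo "[ERROR], TRUSTED_LANS isn't set" >&2
    exit 1
  fi
  if [ -z "${IPTABLES}" ]; then
    echo "[ERROR] iptables not found in PATH" >&2
    exit 1
  fi
  # iptables and the /proc/sys writes need root; in DEBUG mode rules are only echoed.
  if [ "$DEBUG" != 1 ] && [ "$(id -u)" -ne 0 ]; then
    echo "[ERROR] must be run as root" >&2
    exit 1
  fi
  echo ""
  if [ "$TWEAKS" = 1 ]; then
    tweaks
  fi
  flush_all
  default_policy
  set_loggin_rules
  # Packet paths / tables, for orientation:
  #   PREROUTING -> FORWARD -> POSTROUTING          (routed traffic)
  #   PREROUTING -> INPUT ; OUTPUT -> POSTROUTING   (local traffic)
  #   PREROUTING: raw, mangle, nat(dst)   FORWARD: mangle, filter
  #   POSTROUTING: mangle, nat(src)       INPUT: mangle, filter
  #   OUTPUT: raw, mangle, nat(dst), filter
  forward_chain_rules
  input_chain_rules
  output_chain_rules
  if [ "$DO_NAT" = 1 ]; then
    nat_chain_rules
  fi
  echo " ** [DONE]Starting firewall $VER]"
  return 0
}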
do_stop() { | |
echo -n "**** Stoping firewall ($VER):" | |
flush_all | |
$IPTABLES -P INPUT ACCEPT | |
$IPTABLES -P FORWARD ACCEPT | |
$IPTABLES -P OUTPUT ACCEPT | |
if [ $STOP_NAT_WITH_FIREWALL = 1 ]; then | |
echo 0 > /proc/sys/net/ipv4/ip_forward | |
else | |
$IPTABLES -t nat -A POSTROUTING -o ${EXT_IF} -j MASQUERADE | |
fi | |
echo "[DONE]" | |
return 0 | |
} | |
###END FUNCTIONS | |
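# Entry point: init-style dispatch on the first argument.
case "$1" in
  start)
    do_start
    logger Firewall Started
    ;;
  stop)
    do_stop
    logger Firewall Stopped
    ;;
  restart)
    do_stop
    do_start
    logger Firewall restart
    ;;
  status)
    echo "Firewall rules"
    echo "Ver: ($VER)"
    # List the nat table as well: the DNAT (open_dmz) and MASQUERADE
    # (nat_chain_rules) rules are invisible in the default filter-table listing.
    $IPTABLES -nvL
    $IPTABLES -t nat -nvL
    ;;
  *)
    echo "Usage: /etc/init.d/firewall {start|stop|restart|status} " >&2
    ;;
esac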