#!/bin/sh # # rc.firewall - Initial SIMPLE IP Firewall test script for 2.4.x # # Author: David Whitmarsh # (c) 2001, 2002 Sparkle Computer Co ltd. # based on rc.firewall by Oskar Andreasson # parts (c) of BoingWorld.com, use at your own risk, # do whatever you please with # it as long as you don't distribute this without due credits to # BoingWorld.com and Sparkle Computer Co Ltd # ########### # Configuration options, these will speed you up getting this script to # work with your own setup. # # your LAN's IP range and localhost IP. /24 means to only use the first 24 # bits of the 32 bit IP adress. the same as netmask 255.255.255.0 # # BR_IP is used to access the firewall accross the network # For maxium security don't set one up - but then you must do # everything directly on the firewall. BR_IP="xxx.xxx.xxx.57" BR_IFACE=br0 LAN_BCAST_ADDRESS="xxx.xxx.xxx.63" INTERNAL_ADDRESS_RANGE="xxx.xxx.xxx.56/29" INET_IFACE="eth1" LAN_IFACE="eth0" LO_IFACE="lo" LO_IP="127.0.0.1" IPTABLES="/sbin/iptables" ######### # Load all required IPTables modules # # # Needed to initially load modules # /sbin/depmod -a # # Adds some iptables targets like LOG, REJECT # /sbin/modprobe ipt_LOG /sbin/modprobe ipt_REJECT # # Support for connection tracking of FTP and IRC. # /sbin/modprobe ip_conntrack_ftp /sbin/modprobe ip_conntrack_irc # # Take down the interfaces before setting up the bridge # ifdown $INET_IFACE ifdown $LAN_IFACE ifconfig $INET_IFACE 0.0.0.0 ifconfig $LAN_IFACE 0.0.0.0 # Clean up for a restart $IPTABLES -F $IPTABLES -X # # Set default policies for the INPUT, FORWARD and OUTPUT chains # $IPTABLES -P INPUT DROP $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P FORWARD DROP # Our interfaces don't have IP addresses so we have to start with the mangle # PREROUTING table $IPTABLES -t mangle -P PREROUTING DROP # Now we are pretty secure, let's start the bridge # This will create a new interface brctl addbr $BR_IFACE # and add the interfaces to it brctl addif $BR_IFACE $INET_IFACE brctl addif $BR_IFACE $LAN_IFACE # make us visible to the network again (optional) if [ "$BR_IP" != "" ] ; then ifconfig $BR_IFACE $BR_IP else # otherwise we must at least bring the interface up for the bridge to work. ifconfig $BR_IFACE up fi # Block obvious spoofs $IPTABLES -t mangle -A PREROUTING -s 192.168.0.0/16 -j DROP $IPTABLES -t mangle -A PREROUTING -s 10.0.0.0/8 -j DROP $IPTABLES -t mangle -A PREROUTING -s 172.16.0.0/12 -j DROP # Accept internal packets on the internal i/f $IPTABLES -t mangle -A PREROUTING -i $LAN_IFACE -s $INTERNAL_ADDRESS_RANGE -j ACCEPT # Accept external packets on the external i/f $IPTABLES -t mangle -A PREROUTING -i $INET_IFACE ! -s $INTERNAL_ADDRESS_RANGE -j ACCEPT # # Accept the packets we actually want to forward # $IPTABLES -A FORWARD -p ALL -s $INTERNAL_ADDRESS_RANGE -j ACCEPT $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level 7 --log-prefix "IPT FORWARD packet died: " # # Create separate chains for ICMP, TCP and UDP to traverse # $IPTABLES -N icmp_packets # # ICMP rules # $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 0 -j ACCEPT # echo reply $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 3 -j ACCEPT # dest unreachable $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 5 -j ACCEPT # redirect $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT # time exceeded $IPTABLES -A FORWARD -p ICMP -j icmp_packets # # UDP ports # $IPTABLES -N udpincoming_packets $IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT # DNS $IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 123 -j ACCEPT # ntp #$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 2074 -j ACCEPT # speakfreely #$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 4000 -j ACCEPT #icq $IPTABLES -A FORWARD -p UDP -j udpincoming_packets # $IPTABLES -N tcp_packets # # The allowed chain for TCP connections # $IPTABLES -N allowed $IPTABLES -A allowed -p TCP --syn -j ACCEPT $IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A allowed -p TCP -j DROP # TCP rules # # # Bad TCP packets we don't want # $IPTABLES -A tcp_packets -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:" $IPTABLES -A tcp_packets -p tcp ! --syn -m state --state NEW -j DROP $IPTABLES -A tcp_packets -p TCP -s 0/0 -d springfield.sparkle-cc.co.uk --dport 80 -j allowed # smtp $IPTABLES -A tcp_packets -p TCP -s 0/0 -d lisa.sparkle-cc.co.uk --dport 6346 -j allowed # gnutella $IPTABLES -A tcp_packets -p TCP -s 0/0 -d springfield.sparkle-cc.co.uk --dport 25 -j allowed # smtp $IPTABLES -A FORWARD -p TCP -j tcp_packets # # Input to the firewall itself. Leave these out if you don't want the firewall # to be visible on the network at all. # Note that the PREROUTING restrictions above mean that only packets form inside # the firewall can fulfill the source condition. So the firewall machine should not be # visible to the internet. # $IPTABLES -A INPUT -p ALL -i $BR_IFACE -s $INTERNAL_ADDRESS_RANGE -d $LAN_BCAST_ADDRESS -j ACCEPT $IPTABLES -A INPUT -p ALL -i $BR_IFACE -s $INTERNAL_ADDRESS_RANGE -d $BR_IP -j ACCEPT # But you *will* need this $IPTABLES -A INPUT -p ALL -i $LO_IFACE -d $LO_IP -j ACCEPT $IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level 7 --log-prefix "IPT INPUT packet died: " # # OUTPUT chain # $IPTABLES -A OUTPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:" $IPTABLES -A OUTPUT -p tcp ! --syn -m state --state NEW -j DROP $IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT $IPTABLES -A OUTPUT -p ALL -s $BR_IP -j ACCEPT $IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level 7 --log-prefix "IPT OUTPUT packet died: "