#!/bin/sh

# Firewall setup.
#
# This is a conversion of the ipchains/ipmasqadm based firewall.ini 
# from the 1.x series of floppyfw, it's pretty simple and the 
# corresponding ipchains rules are kept for references.
#
# Setting up iptables
#

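#
# Site configuration (network names, devices, FAKEIDENT, ...) comes from the
# sourced files; the only value this script defines itself is SERVER_IP.
#
. /etc/config

#
# Do you want to do port forwarding to an internal server?
# Set the server IP here and enable the matching rules in the
# "Forwarding outside ports" section further down.
#
SERVER_IP=10.42.42.42

#
# Stop forwarding first.  This script may be run during normal uptime
# (DHCP re-lease, demand dialing / PPPoE), so nothing is forwarded while
# the rule set below is being rebuilt; forwarding is re-enabled at the end.
#
echo "0" > /proc/sys/net/ipv4/ip_forward

#
# Overriding the /etc/config and adding additional information
# (the INSIDE_* / OUTSIDE_* variables used by the rules below).
#
. /etc/outside.info
. /etc/inside.info

#
# Print the configuration the rules are about to be built from.
# (Brad suggested this; the formatting may be revisited later.)
#
echo "Starting firewall with the following config:"
echo
echo "                Inside                     Outside"
echo "   Network:  ${INSIDE_NETWORK}		${OUTSIDE_NETWORK}"
echo "    Device:  ${INSIDE_DEVICE}			${OUTSIDE_DEVICE}"
echo "IP Address:  ${INSIDE_IP}		${OUTSIDE_IP}"
echo "   Netmask:  ${INSIDE_NETMASK}		${OUTSIDE_NETMASK}"
echo " Broadcast:  ${INSIDE_BROADCAST}		${OUTSIDE_BROADCAST}"
echo "   Gateway:  [None Set]			${OUTSIDE_GATEWAY}"
echo

#
# Flush the chains, delete user-defined chains and zero the counters in
# every table the kernel currently has loaded, so rules left over from an
# earlier run cannot survive a reload.  The bare "iptables -F" first makes
# sure the filter table exists even if no table module was loaded yet.
#
iptables -F
if [ -r /proc/net/ip_tables_names ]; then
  while read -r table; do
    iptables -t "${table}" -F
    iptables -t "${table}" -X
    iptables -t "${table}" -Z
  done < /proc/net/ip_tables_names
fi
iptables -X
iptables -Z   # zero all counters


#
# Policy for chains: DROP everything that no rule below accepts.
#

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

#
# Good old masquerading.
#
iptables -t nat -A POSTROUTING -o "${OUTSIDE_DEVICE}" -j MASQUERADE

#
# Forwarding outside ports to an internal server.
# This used to be the ipchains / ipmasqadm portfw command.
# Each service needs both the DNAT (nat/PREROUTING) and the FORWARD ACCEPT;
# these ACCEPTs must stay ahead of the state rules in the "Keep state"
# section below.
#
# SSH:

#iptables -A PREROUTING -t nat -p tcp -d "${OUTSIDE_IP}" --dport 22 -j DNAT --to "${SERVER_IP}:22"
#iptables -A FORWARD -p tcp -d "${SERVER_IP}" --dport 22 -o "${INSIDE_DEVICE}" -j ACCEPT


# Web:
#iptables -A PREROUTING -t nat -p tcp -d "${OUTSIDE_IP}" --dport 80 -j DNAT --to "${SERVER_IP}:80"
#iptables -A FORWARD -p tcp -d "${SERVER_IP}" --dport 80 -o "${INSIDE_DEVICE}" -j ACCEPT
# This rule helps the "I can't reach my web server from the inside" problem.
#iptables -A POSTROUTING -t nat -p tcp -d "${SERVER_IP}" --dport 80 -s "${INSIDE_NETWORK}/${INSIDE_NETMASK}" -j SNAT --to "${OUTSIDE_IP}"

# FTP:

#iptables -A PREROUTING -t nat -p tcp -d "${OUTSIDE_IP}" --dport 21 -j DNAT --to "${SERVER_IP}:21"
#iptables -A FORWARD -p tcp -d "${SERVER_IP}" --dport 21 -o "${INSIDE_DEVICE}" -j ACCEPT

# SMTP (Internal mail server):
#iptables -A PREROUTING -t nat -p tcp -d "${OUTSIDE_IP}" --dport 25 -j DNAT --to "${SERVER_IP}:25"
#iptables -A FORWARD -p tcp -d "${SERVER_IP}" --dport 25 -o "${INSIDE_DEVICE}" -j ACCEPT
# This rule helps the "I can't reach my server from the inside" problem.
#iptables -A POSTROUTING -t nat -p tcp -d "${SERVER_IP}" --dport 25 -s "${INSIDE_NETWORK}" -j SNAT --to "${OUTSIDE_IP}"

#
# Keep state.
# Any NEW connection arriving on the inside device is forwarded (allow-all
# egress for the LAN); replies and related connections are accepted in both
# directions; NEW or INVALID traffic arriving on the outside device is
# dropped explicitly, in addition to the DROP policy.
#
iptables -A FORWARD -m state --state NEW -i "${INSIDE_DEVICE}" -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state NEW,INVALID -i "${OUTSIDE_DEVICE}" -j DROP

#
# This is mainly for PPPoE usage but it won't hurt anyway so we'll just
# keep it here.
#
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

#
# We don't like the NetBIOS and Samba leaking..
# NOTE(review): these live in the nat table, which is consulted only for the
# packet that creates a new connection, so they block SMB connections from
# the inside rather than filtering every packet; the filter table is the
# conventional place for DROP rules.  Left here to keep existing behaviour.
#
iptables -t nat -A PREROUTING -p TCP -i "${INSIDE_DEVICE}" --dport 135:139 -j DROP
iptables -t nat -A PREROUTING -p UDP -i "${INSIDE_DEVICE}" --dport 137:139 -j DROP
iptables -t nat -A PREROUTING -p TCP -i "${INSIDE_DEVICE}" --dport 445 -j DROP
iptables -t nat -A PREROUTING -p UDP -i "${INSIDE_DEVICE}" --dport 445 -j DROP

#
# We would like to ask for names from our floppyfw box: the box itself may
# open connections anywhere, and accepts the replies.
#
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Ping and friends.  All ICMP types, on both devices.
iptables -A OUTPUT -p icmp -j ACCEPT # to both sides.
iptables -A INPUT  -p icmp -j ACCEPT

# And also, DHCP, but we can basically accept anything from the inside.
iptables -A INPUT -i "${INSIDE_DEVICE}" -j ACCEPT
iptables -A OUTPUT -o "${INSIDE_DEVICE}" -j ACCEPT

#
# If the user wants to have the fake identd running, the identd has to
# be able to answer.  Any non-empty FAKEIDENT (including a value like "no")
# takes the ACCEPT branch; leave it unset or empty to get the else branch,
# which answers ident requests from the outside with a TCP reset instead
# of silently dropping them.
#
if [ -n "${FAKEIDENT}" ]; then
  iptables -A INPUT -p TCP --dport 113 -i "${OUTSIDE_DEVICE}" -j ACCEPT
else
  iptables -A INPUT -p TCP --dport 113 -i "${OUTSIDE_DEVICE}" -j REJECT --reject-with tcp-reset
fi


#
# And, some attempt to get interactive sessions a bit more interactive
# under load:
#
iptables -A PREROUTING -t mangle -p tcp --sport ssh -j TOS --set-tos Minimize-Delay
iptables -A PREROUTING -t mangle -p tcp --sport ftp -j TOS --set-tos Minimize-Delay
iptables -A PREROUTING -t mangle -p tcp --sport ftp-data -j TOS --set-tos Maximize-Throughput


#
# Finally, list what we have.
# -n prints addresses and ports numerically, so the listing cannot stall on
# reverse lookups while the outside link or DNS is not yet usable (this
# script runs with forwarding switched off).  Drop the -n to see names.
#
iptables -n -L

#
# This enables dynamic IP address following
#
echo 7 > /proc/sys/net/ipv4/ip_dynaddr

#
# trying to stop some smurf attacks.
#
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

#
# Rules set, we can enable forwarding in the kernel.
#
echo "Enabling IP forwarding."

echo "1" > /proc/sys/net/ipv4/ip_forward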

