
iptables, nat mystery - good stuff!



Oooops, embarrassment. I did not attach the script to the previous message as I
said I would, my bad. Here it is...


-- 
See my OpenPGP key at https://savannah.gnu.org/people/viewgpg.php?user_id=6050
GnuPG public key fingerprint  | "Only when efforts to reform society have as
 BD26 A5D8 D781 C96B 9936     |  their point of departure the reformation of
 310F 0573 A3D9 4E24 4EA6     |  the inner life -- human revolution -- will
they lead us with certainty to a world of lasting peace and true human security."
                                -- Daisaku Ikeda
#! /bin/sh
# iptables firewall script written by Rick Dicaire <rdicaire@ardynet.com>

# Script version 0.5

# Released under GPL. Alter it as you see fit.

# CONFIGURE THE IPTABLES PATH AND INTERFACE VARIABLES BEFORE RUNNING THIS SCRIPT.
# SEE "START CONFIGURATION SECTION" BELOW.

######################### START FUNCTIONS ##############################
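#######################################
# Print the usage text for this script to stdout.
# Globals:   none read (the heredoc only expands $0 for the Usage line)
# Arguments: none
# Outputs:   help text on stdout
# Returns:   status of cat
#######################################
scripthelp () {
# The delimiter is deliberately unquoted so that $0 in the Usage line expands;
# the crontab lines contain no other shell metacharacters that would expand.
cat << SCRIPTHELP

IPTABLES FIREWALL SCRIPT HELP
-----------------------------

This script requires one of the following arguments:

start, restart, refresh, or stop

start
-----

Loads the firewall.

restart
-------

Loads the firewall if not loaded. If one is already running, it verifies
that the current IP matches the one used by the currently loaded
firewall. If the IPs do not match, it dumps the old rules, then reloads
the firewall using the new IP address. This argument is used if you want
to use this script in a cron job to test the firewall to make sure it's
using your current IP, and update the firewall if it isn't, great for
dialups and other connection types that dynamically assign addresses.
crontab examples:

Every 15 minutes
*/15 * * * * /path/to/this/script restart > /dev/null 2>&1

Every 5 minutes
*/5 * * * * /path/to/this/script restart > /dev/null 2>&1

refresh
-------

Dumps current rules and reloads them.

stop
----

Dumps current rules and halts firewall.
---------------------------------------------------------

Usage: $0 [start|restart|refresh|stop]

SCRIPTHELP
}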

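#######################################
# Load the netfilter modules and install the complete ruleset.
# Globals:   PROG, EXTFACE, INTFACE, PRIVNET, IP (all read)
# Arguments: none
# Outputs:   progress lines on stdout; iptables diagnostics on stderr
# Returns:   status of the last command (the write to ip_forward)
# Notes:     nothing in this script sets a chain policy (no -P anywhere), so
#            any packet that matches none of the rules below is decided by
#            the kernel's built-in ACCEPT policy. Every "deny" below is
#            therefore only as complete as the port ranges it names.
#######################################
fireme () {
  # Load the filter module only when it is not already present; "forward=0"
  # is passed to the module exactly as before.
  if ! lsmod | grep -q iptable_filter; then
    modprobe iptable_filter forward=0
  fi
  # Load the rest.
  modprobe iptable_nat
  # modprobe ipt_conntrack

  ########################################################
  #---------- Start predefined target rulesets ----------#
  ########################################################

  # On the fly: log, then drop.
  "$PROG" -N ONTHEFLY
  "$PROG" -A ONTHEFLY -j LOG --log-level 5 --log-prefix "TL0G_OTF: "
  "$PROG" -A ONTHEFLY -j DROP

  # Debug NAT: log FORWARD chain ACCEPTED.
  "$PROG" -N LFACCEPT
  "$PROG" -A LFACCEPT -j LOG --log-level 5 --log-prefix "FOR_A: "
  # We return to calling chain from here; LOG does not terminate.

  # DENIED PORTS Privileged (1-1023) Target Ruleset
  "$PROG" -N DENIED_PORT_PRIV
  "$PROG" -A DENIED_PORT_PRIV -m state --state RELATED,ESTABLISHED -j ACCEPT
  "$PROG" -A DENIED_PORT_PRIV -j LOG --log-level 5 --log-prefix "TL0G_DPP: "
  "$PROG" -A DENIED_PORT_PRIV -j DROP

  # DENIED PORTS Unprivileged TCP (1024+) Target Ruleset
  "$PROG" -N DENIED_PORT_UNPRIV_TCP
  "$PROG" -A DENIED_PORT_UNPRIV_TCP -m state --state RELATED,ESTABLISHED -j ACCEPT
  "$PROG" -A DENIED_PORT_UNPRIV_TCP -j LOG --log-level 5 --log-prefix "TL0G_DPT: "
  "$PROG" -A DENIED_PORT_UNPRIV_TCP -m state --state NEW,INVALID -j DROP

  # DENIED PORTS Unprivileged UDP (1024+) Target Ruleset
  "$PROG" -N DENIED_PORT_UNPRIV_UDP
  "$PROG" -A DENIED_PORT_UNPRIV_UDP -j LOG --log-level 5 --log-prefix "TL0G_DPU: "
  "$PROG" -A DENIED_PORT_UNPRIV_UDP -j DROP

  ######################################################
  #---------- End predefined target rulesets ----------#
  ######################################################

  # Everything from inside to firewall box gets ALLOWed due to default ACCEPT rule.
  # Everything from inside to world (but NOT to internal, i.e. firewall box itself)
  # gets logged before being forwarded.
  # NOTE: "-d ! net" is the old intrapositioned negation; newer iptables
  # releases warn that it is deprecated in favour of "! -d net". Kept as
  # written so the rules stay identical to the original.
  "$PROG" -I FORWARD -i "$INTFACE" -d ! "$PRIVNET" -s "$PRIVNET" -j LFACCEPT
  "$PROG" -A FORWARD -i "$INTFACE" -d ! "$PRIVNET" -s "$PRIVNET" -j ACCEPT
  "$PROG" -A FORWARD -i "$EXTFACE" -o "$INTFACE" -d "$PRIVNET" -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
  # Masquerade the private network behind the current external address. This
  # rule is APPENDED, so a stale SNAT rule from an earlier load (if the nat
  # table was not flushed) would sit in front of it and keep matching first.
  "$PROG" -t nat -A POSTROUTING -s "$PRIVNET" -o "$EXTFACE" -j SNAT --to "$IP"
  "$PROG" -A FORWARD -i "$EXTFACE" -d "$PRIVNET" -m state --state RELATED,ESTABLISHED -j LFACCEPT
  "$PROG" -A FORWARD -i "$EXTFACE" -d "$PRIVNET" -m state --state RELATED,ESTABLISHED -j ACCEPT
  # LOG -and- DROP what doesn't pass the preceding tests.
  "$PROG" -A FORWARD -i "$EXTFACE" -d "$PRIVNET" -j ONTHEFLY

  # Rate-limited ACCEPT of echo-requests (described as "Ping of Death"
  # protection). No rule below matches ICMP, so requests above the limit are
  # not dropped here; they fall through to the chain policy.
  "$PROG" -I INPUT -i "$EXTFACE" -p icmp --icmp-type 'echo-request' -m limit --limit '2/s' -j ACCEPT
  # Let ssh traffic in (ssh is TCP; the UDP rule is kept from the original):
  "$PROG" -A INPUT -m state --state NEW -p udp --dport 22 -d "$IP" -i "$EXTFACE" -j ACCEPT
  "$PROG" -A INPUT -m state --state NEW -p tcp --dport 22 -d "$IP" -i "$EXTFACE" -j ACCEPT
  # Services: privileged ports. Port 113 is outside both ranges, so it is
  # not sent to DENIED_PORT_PRIV and is decided by the chain policy.
  "$PROG" -A INPUT -p tcp --dport 0:112 -s 0/0 -d "$IP" -i "$EXTFACE" -j DENIED_PORT_PRIV
  "$PROG" -A INPUT -p udp --dport 0:112 -s 0/0 -d "$IP" -i "$EXTFACE" -j DENIED_PORT_PRIV

  "$PROG" -A INPUT -p tcp --dport 114:1023 -s 0/0 -d "$IP" -i "$EXTFACE" -j DENIED_PORT_PRIV
  "$PROG" -A INPUT -p udp --dport 114:1023 -s 0/0 -d "$IP" -i "$EXTFACE" -j DENIED_PORT_PRIV

  # NFS
  "$PROG" -A INPUT -p tcp --dport 2049 -s 0/0 -d "$IP" -i "$EXTFACE" -j DENIED_PORT_UNPRIV_TCP
  "$PROG" -A INPUT -p udp --dport 2049 -s 0/0 -d "$IP" -i "$EXTFACE" -j DENIED_PORT_UNPRIV_UDP

  # X11 (the UDP rule here is also what the main script reads back to
  # recover the IP the firewall was last loaded with)
  "$PROG" -A INPUT -p tcp --dport 6000:6005 -s 0/0 -d "$IP" -i "$EXTFACE" -j DENIED_PORT_UNPRIV_TCP
  "$PROG" -A INPUT -p udp --dport 6000:6005 -s 0/0 -d "$IP" -i "$EXTFACE" -j DENIED_PORT_UNPRIV_UDP

  # Netbus
  "$PROG" -A INPUT -p tcp --dport 12345:12346 -s 0/0 -d "$IP" -i "$EXTFACE" -j DENIED_PORT_UNPRIV_TCP
  "$PROG" -A INPUT -p udp --dport 12345:12346 -s 0/0 -d "$IP" -i "$EXTFACE" -j DENIED_PORT_UNPRIV_UDP

  # -----------------------------------------------------------------
  # Deny all else on TCP unless initiated from local machine/network.
  # This rule covers NFS, X11, and Netbus listed above, its a catch-all for any TCP
  # ports you may have services running on, but don't know what ports they use.
  # Prevents an accidental crack attempt via TCP services.
  # If you wish to allow any services, or alter the existing rules, they must be
  # added BEFORE the rule below.
  # There is no matching UDP catch-all: unprivileged UDP ports other than
  # 2049, 6000-6005 and 12345-12346 are decided by the chain policy.

  "$PROG" -A INPUT -p tcp --dport 1024:65535 -s 0/0 -d "$IP" -i "$EXTFACE" -j DENIED_PORT_UNPRIV_TCP
  # -----------------------------------------------------------------
  echo "[OK]"
  echo "$(basename -- "$0") doing NAT, loaded with IP: $IP and external interface: $EXTFACE."
  # Re-enable IP forwarding now that the FORWARD chain is populated.
  echo '1' > /proc/sys/net/ipv4/ip_forward
}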

########################### END FUNCTIONS ##########################

####################################################################
#----------------- START CONFIGURATION SECTION --------------------#
####################################################################
# Absolute path of the iptables binary used for every rule below.
PROG="/sbin/iptables"

# Internal private network (CIDR) that is forwarded and NATed.
PRIVNET="192.168.1.0/24"

# Interface names: external (world-facing) and internal, e.g. eth0, ppp0.
EXTFACE="eth0"
INTFACE="eth1"
####################################################################
#------------------ END CONFIGURATION SECTION ---------------------#
####################################################################

# Test to make sure configuration variables are set, die if not.

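if [ ! -x "$PROG" ] || [ -z "$EXTFACE" ] || [ -z "$INTFACE" ] || [ -z "$PRIVNET" ]; then
  echo "$PROG is not executable, or an interface/network is not set, exiting." >&2
  # A misconfiguration is a failure, not success (the original exited 0).
  exit 1
fi

#######################################
# Refuse to load rules without a known external address: an empty IP would
# produce an empty "--to" for SNAT and an empty "-d" in every INPUT rule.
# Globals:   IP, EXTFACE (read)
# Returns:   exits 1 when IP is empty
#######################################
require_ip () {
  if [ -z "$IP" ]; then
    echo "no IPv4 address found on $EXTFACE, cannot load firewall." >&2
    exit 1
  fi
}

#######################################
# Flush and delete everything fireme installs. Unlike the original loop this
# also flushes the nat POSTROUTING chain and deletes LFACCEPT: without that,
# each reload appended a second SNAT rule behind the stale one (which kept
# matching first, so NAT went on using the old address) and a second LOG
# rule into the still-existing LFACCEPT chain.
# Globals:   PROG (read)
#######################################
unfire () {
  # Built-in chains first so the user chains are unreferenced before -X.
  "$PROG" -F INPUT
  "$PROG" -F FORWARD
  "$PROG" -t nat -F POSTROUTING
  for chain in DENIED_PORT_PRIV DENIED_PORT_UNPRIV_TCP DENIED_PORT_UNPRIV_UDP ONTHEFLY LFACCEPT; do
    "$PROG" -F "$chain"
    "$PROG" -X "$chain"
  done
}

# Get current IP address: first "inet" line of the external interface.
# May be empty when the link is down; only loading requires it (require_ip).
IP=$(ifconfig "$EXTFACE" | grep inet | cut -f2 -d: | cut -f1 -d" ")

# Get old IP from last firewall load (if any).
# The purpose of getting OLDIP is so you can use this script in a cron
# job to update the firewall with the current IP, great for dialups
# and other dynamic connections.
# Examples:
# Check every 15 minutes:
# */15 * * * * /path/to/this/script restart > /dev/null 2>&1
# Check every 5 minutes:
# */5 * * * * /path/to/this/script restart > /dev/null 2>&1
#
# The address is read back from the UDP X11 rule (udp dpts:6000:6005) that
# fireme installs; column 5 of "iptables -n -L" is the destination. The
# original cut at a fixed byte offset (cut -b55-), which depends on the
# width of the chain name and left trailing blanks in the value.
OLDIP=$("$PROG" -n -L INPUT | grep 6005 | grep udp | awk '{print $5}')

case "$1" in

  start)
    if [ -z "$OLDIP" ]; then
      require_ip
      echo -n "Starting firewall..."
      fireme
    elif [ "$IP" = "$OLDIP" ]; then
      echo "FIREWALL IS UPDATED."
    else
      # The original printed nothing in this case; say why nothing was done.
      echo "Firewall is loaded for $OLDIP but $EXTFACE now has $IP; use restart."
    fi
    ;;
  restart)
    echo -n "Restarting firewall..."
    if ! "$PROG" -n -L INPUT | grep -q 6005; then
      require_ip
      fireme
    elif [ "$IP" = "$OLDIP" ]; then
      echo "FIREWALL IS UPDATED."
    else
      require_ip
      unfire
      fireme
    fi
    ;;
  refresh)
    echo -n "Resetting firewall..."
    require_ip
    if "$PROG" -n -L INPUT | grep -q 6005; then
      unfire
    fi
    fireme
    ;;
  stop)
    unfire
    # ip_forward is left as fireme set it, as in the original; with the
    # FORWARD chain and the SNAT rule gone no traffic is NATed any more.
    echo "Firewall stopped...[OK]"
    ;;
  *)
    echo
    scripthelp
    ;;
esac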
# end.
