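#!/bin/sh
# vim:ai:filetype=sh:foldmethod=marker:foldcolumn=4:sta:sw=4:et:
#
# iptables packet-filter setup for the gateway "antares".
#
# Usage: $0 { start | stop | restart }
#
#   start    flush everything and load the full rule set below
#   stop     flush everything, open the policies, but keep dropping
#            new traffic from the internet interface
#   restart  same as start (start flushes first, no separate stop)
#
# Review notes on this revision (behaviour of the rule set is unchanged
# except where stated):
#   - "stop" now also blocks FORWARD on the internet interface, not only
#     INPUT, so the nets behind the box are not routed wide open while
#     the firewall is down.
#   - "block outgoing ..." rules matched only on the *source* port, i.e.
#     replies of a local SMB/NFS/portmapper service; client connections
#     from this box to such services on the internet use ephemeral source
#     ports and were never blocked.  Destination-port rules (and SMB over
#     445) are added next to the original ones.
#   - the reserved-address list used 240.0.0.0/5; the reserved "class E"
#     block is 240.0.0.0/4.  0.0.0.0/8, 127.0.0.0/8 and 169.254.0.0/16
#     are dropped on the internet interface as well.
#   - duplicate MSNDENY rule removed, "stop" message fixed, usage lists
#     restart, printf instead of the non-POSIX `echo -e ... \c`.
#
# NOTE(review): net.ipv4.ip_forward is not set in this script; it is
# presumably enabled elsewhere (sysctl / interfaces file) - confirm.
#
## Concept of network interfaces on antares: {{{
##
## - lo
##   allow the works
##
## eth? {{{
## - eth0 (internal)
##   allow the works
##
## - eth1 (wlan a.p.)
##   allow only openvpn needs
## - tun+ (protected wlan)
##   allow the works
##
## - eth2 (internet)
##   allow and dnat http{,s}/dns/imaps/smtp
##   snat outgoing
##
## - eth3 (voip)
##   to be done
## }}}
##
## ueth? {{{
## ueth?
##   allow ntp out to internet
##   allow syslog out
##
## ueth0 (elektra)
##   allow ldap{,s}+mysql in
##   stateful all else
##
## - ueth1 (merope)
##   allow smtp+imaps in
##   allow smtp out
##   stateful all else
##   dnat smtp+imaps from internet
##
## - ueth2 (alcyone)
##   allow http{,s}+dns in
##   allow dns out
##   allow sesame out
##   stateful all else
##   dnat http{,s}+dns from internet
##
## - ueth3 (taygete)
##   allow socks+ntp in
##   allow everything to internet out
##   stateful all else
## }}}
##
## }}}

# Variables {{{
# Interfaces (the "ueth?" interfaces of the concept above are not
# referenced by any rule; the DMZ hosts are matched on address instead).
INTIFACE="eth0"
WLANIFACE="eth1"
EXTIFACE="eth2"
VOIPIFACE="eth3"
#
XS4ADDR="80.126.0.138"          # public address used for SNAT
LDAPHOST="x.x.x.1"              # elektra
MAILHOST="x.x.x.1"              # merope
WEBHOST="x.x.x.1"               # alcyone
PROXYHOST="x.x.x.1"             # taygete
INTERNAL="x.x.x.0/24"
ALLDMZ="x.x.x.0/22"
DENEBVPN="10.0.24.16"
#
# Addresses that must never arrive as a source on the internet interface.
CLASS_A_PRIVATE="10.0.0.0/8"
CLASS_B_PRIVATE="172.16.0.0/12"
CLASS_C_PRIVATE="192.168.0.0/16"
CLASS_D_MULTICAST="224.0.0.0/4"
CLASS_E_RESERVED_NET="240.0.0.0/4"
THIS_NET="0.0.0.0/8"
LOOPBACK_NET="127.0.0.0/8"
LINKLOCAL_NET="169.254.0.0/16"
BOGON_NETS="$CLASS_A_PRIVATE $CLASS_B_PRIVATE $CLASS_C_PRIVATE \
$CLASS_D_MULTICAST $CLASS_E_RESERVED_NET $THIS_NET $LOOPBACK_NET \
$LINKLOCAL_NET"
#
PATH="/sbin:/usr/sbin:/bin:/usr/bin"
export PATH
# }}}

# load_modules: netfilter modules the rules below rely on. {{{
# Done before dispatch so that "stop" can run iptables as well.
# TODO: move the modprobes to /etc/modules.
load_modules() {
    for MOD in ip_tables iptable_nat ip_conntrack ip_conntrack_ftp \
               ip_nat_ftp ipt_limit ipt_mark ipt_state ipt_mac \
               ipt_REJECT ipt_REDIRECT ipt_LOG ipt_MARK ; do
        modprobe "$MOD"
    done
}
# }}}

# flush_all: empty filter/mangle/nat tables and delete user chains. {{{
flush_all() {
    iptables -F
    iptables -F -t mangle
    iptables -F -t nat
    iptables -X
}
# }}}

# fw_start: load the complete rule set. {{{
fw_start() {
    printf 'Starting firewall rules... '

    # SET SOME KERNEL FLAGS {{{
    # Disable response to broadcast pings (smurf amplification).
    echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
    # }}}

    # Close everything while the tables are rebuilt; the final policies
    # are set at the end of this function. {{{
    iptables -P INPUT DROP
    iptables -P OUTPUT DROP
    iptables -P FORWARD DROP
    flush_all
    # }}}

    # Setup custom chains {{{
    # ====================================
    #
    # DUMP: log and drop.  -N cannot fail after flush_all (all user chains
    # are gone), the redirect only keeps a re-run quiet. {{{
    iptables -N DUMP 2> /dev/null
    iptables -F DUMP
    # don't log IBR (Internet Background Radiation): NetBIOS chatter
    iptables -A DUMP -p udp --sport 137 --dport 137 -j DROP
    iptables -A DUMP -p udp --sport 138 --dport 138 -j DROP
    iptables -A DUMP -j LOG
    iptables -A DUMP -j DROP
    # }}}

    # STATEFUL: accept replies to known connections, DUMP everything else.
    # Terminal chain - nothing after a jump to STATEFUL is reached. {{{
    iptables -N STATEFUL 2> /dev/null
    iptables -F STATEFUL
    iptables -A STATEFUL -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A STATEFUL -j DUMP
    # }}}

    # MACCHECK: listed wireless cards RETURN to the caller, all others
    # end in STATEFUL (i.e. only replies get through).
    # NOTE: a MAC address is trivially spoofed; this is a convenience
    # filter, the real protection on the WLAN is the OpenVPN tunnel. {{{
    iptables -N MACCHECK 2> /dev/null
    iptables -F MACCHECK
    iptables -A MACCHECK -m mac --mac-source 00:11:22:33:44:55 -j RETURN
    # [snipped list]
    iptables -A MACCHECK -j STATEFUL
    # }}}

    # MSNALLOW: ports used by MSN messenger {{{
    iptables -N MSNALLOW 2> /dev/null
    iptables -F MSNALLOW
    for MSNPORT in 1863 6901 ; do
        iptables -A MSNALLOW -p tcp --dport "$MSNPORT" -j ACCEPT    # msn
        iptables -A MSNALLOW -p udp --dport "$MSNPORT" -j ACCEPT    # msn
    done
    iptables -A MSNALLOW -p udp --dport 5190 -j ACCEPT              # msn
    iptables -A MSNALLOW -p udp --dport 7001 -j ACCEPT              # msn
    # }}}

    # MSNDENY: drop MSN servers and the popular web messengers, but keep
    # the live.com login/help hosts reachable.  The ACCEPTs are placed
    # first (the original inserted them with -I). {{{
    iptables -N MSNDENY 2> /dev/null
    iptables -F MSNDENY
    iptables -A MSNDENY -d 65.54.208.221 -j ACCEPT          # help.live.com
    iptables -A MSNDENY -d 65.54.179.203 -j ACCEPT          # login.live.com
    iptables -A MSNDENY -d 65.54.183.203 -j ACCEPT          # login.live.com
    iptables -A MSNDENY -d 64.4.13.0/24 -j DUMP
    iptables -A MSNDENY -d 64.12.163.0/24 -j DUMP
    iptables -A MSNDENY -d 65.54.0.0/16 -j DUMP
    iptables -A MSNDENY -d 152.163.241.0/24 -j DUMP
    iptables -A MSNDENY -d 207.46.1.0/24 -j DUMP
    iptables -A MSNDENY -d 207.46.110.0/24 -j DUMP
    iptables -A MSNDENY -d 207.46.96.153 -j DUMP            # messenger.hotmail.com
    iptables -A MSNDENY -d 80.67.86.64/28 -j DUMP           # msgr.dlservice.microsoft.com
    iptables -A MSNDENY -d 193.238.160.0/24 -j DUMP         # www.ebuddy.com
    iptables -A MSNDENY -d 8.6.13.62 -j DUMP                # www.ebuddy.com
    iptables -A MSNDENY -d 66.150.161.128/28 -j DUMP        # www.webmessenger.co.uk
    iptables -A MSNDENY -d 69.25.27.160/28 -j DUMP          # www.webmessenger.co.uk
    iptables -A MSNDENY -d 216.129.112.0/24 -j DUMP         # www.meebo.com
    # was written as 65.19.140.246/24; iptables masks that to the /24 anyway
    iptables -A MSNDENY -d 65.19.140.0/24 -j DUMP           # www.meebo.com
    iptables -A MSNDENY -d 216.32.64.0/19 -j DUMP           # iloveim.com
    iptables -A MSNDENY -d 209.67.208.0/20 -j DUMP          # iloveim.com
    iptables -A MSNDENY -d 72.232.0.0/16 -j DUMP            # iloveim.com
    iptables -A MSNDENY -d 72.36.128.0/17 -j DUMP           # iloveim.com
    iptables -A MSNDENY -d 194.109.193.71 -j DUMP           # www.onlinemessenger.nl
    # }}}

    # WINALLOW: what every Windows client may start; terminal via STATEFUL {{{
    iptables -N WINALLOW 2> /dev/null
    iptables -F WINALLOW
    iptables -A WINALLOW -p tcp --dport 80 -j ACCEPT        # http
    iptables -A WINALLOW -p tcp --dport 443 -j ACCEPT       # https
    iptables -A WINALLOW -p tcp --dport 21 -j ACCEPT        # ftp (ip_nat_ftp handles data)
    iptables -A WINALLOW -p udp --dport 53 -j ACCEPT        # dns
    iptables -A WINALLOW -p tcp --dport 53 -j ACCEPT        # dns
    iptables -A WINALLOW -p icmp -j ACCEPT                  # ping etc
    iptables -A WINALLOW -j STATEFUL
    # }}}

    # WINCLIENTS / NOMSN / FREEMSN: the three client profiles.  MSNDENY
    # and MSNALLOW are non-terminal for unmatched traffic, which then
    # falls through to WINALLOW. {{{
    iptables -N WINCLIENTS 2> /dev/null
    iptables -F WINCLIENTS
    iptables -A WINCLIENTS -j MSNDENY       # MSN is initially off (dynamic)
    iptables -A WINCLIENTS -j WINALLOW

    iptables -N NOMSN 2> /dev/null
    iptables -F NOMSN
    iptables -A NOMSN -j MSNDENY            # MSN is off (static)
    iptables -A NOMSN -j WINALLOW

    iptables -N FREEMSN 2> /dev/null
    iptables -F FREEMSN
    iptables -A FREEMSN -j MSNALLOW         # MSN is allowed (static)
    iptables -A FREEMSN -j WINALLOW
    # }}}

    # OUTHOOK: empty hook for adding output deny rules at run time {{{
    iptables -N OUTHOOK 2> /dev/null
    iptables -F OUTHOOK
    # }}}
    # }}}

    # Global ACCEPTs {{{
    # ===================================================
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT
    # internal net and vpn nets may talk to this box without restriction
    iptables -A INPUT -i "$INTIFACE" -j ACCEPT
    iptables -A INPUT -i tun+ -j ACCEPT
    # }}}

    # Wireless & OpenVPN {{{
    # ===================================================
    # Only a few wireless cards get past MACCHECK; the rest end in STATEFUL.
    iptables -A INPUT -i "$WLANIFACE" -j MACCHECK

    # openvpn on the wireless net (source port == destination port) {{{
    for VPNPORT in 5016 5024 5017 5018 ; do
        iptables -A INPUT -i "$WLANIFACE" -p udp --sport "$VPNPORT" \
            --dport "$VPNPORT" -j ACCEPT
        iptables -A OUTPUT -o "$WLANIFACE" -p udp --sport "$VPNPORT" \
            --dport "$VPNPORT" -j ACCEPT
    done
    # }}}
    # openvpn peers on the internet ("brons"), pinned to their addresses {{{
    for VPNPORT in 5022 5033 ; do
        for SRNET in 1.1.1.1 2.2.2.2 3.3.3.3 ; do
            iptables -A INPUT -i "$EXTIFACE" -s "$SRNET" -p udp \
                --sport "$VPNPORT" --dport "$VPNPORT" -j ACCEPT
            iptables -A OUTPUT -o "$EXTIFACE" -d "$SRNET" -p udp \
                --sport "$VPNPORT" --dport "$VPNPORT" -j ACCEPT
        done
    done
    # }}}

    # DHCP on the wireless net; everything else on the a.p. only as reply {{{
    iptables -A INPUT -i "$WLANIFACE" -p udp --sport 68 --dport 67 -j ACCEPT
    iptables -A OUTPUT -o "$WLANIFACE" -p udp --sport 67 --dport 68 -j ACCEPT
    # dump non-sesame'd connections on wlan interface
    iptables -A INPUT -i "$WLANIFACE" -j STATEFUL
    iptables -A OUTPUT -o "$WLANIFACE" -j STATEFUL
    # }}}
    # }}}

    # FORWARD rules (white-list; the policy is DROP) {{{
    # ===================================================
    # Forward from some VPNs unconditionally {{{
    for SOURCEIP in $DENEBVPN ; do
        iptables -A FORWARD -i tun+ -s "$SOURCEIP" -j ACCEPT
        iptables -A FORWARD -o tun+ -d "$SOURCEIP" -j ACCEPT
    done
    # }}}

    # DMZ {{{
    iptables -A FORWARD -s "$ALLDMZ" -p udp --sport 123 --dport 123 -j ACCEPT
    iptables -A FORWARD -s "$ALLDMZ" -d "$ALLDMZ" -p icmp -j ACCEPT
    iptables -A FORWARD -i "$INTIFACE" -d "$ALLDMZ" -j ACCEPT

    # ===== merope: SMTP out; SMTP, IMAP, IMAPS in (from any interface) ===== {{{
    iptables -A FORWARD -s "$MAILHOST" -o "$EXTIFACE" -p tcp --dport 25 -j ACCEPT
    for MAILPORT in 25 993 143 ; do
        iptables -A FORWARD -d "$MAILHOST" -p tcp --dport "$MAILPORT" -j ACCEPT
    done
    # }}}
    # ===== alcyone: DNS out; DNS, HTTP, HTTPS in ===== {{{
    iptables -A FORWARD -s "$WEBHOST" -o "$EXTIFACE" -p udp --dport 53 -j ACCEPT
    iptables -A FORWARD -s "$WEBHOST" -o "$EXTIFACE" -p tcp --dport 53 -j ACCEPT
    iptables -A FORWARD -d "$WEBHOST" -p udp --dport 53 -j ACCEPT
    for WEBPORT in 53 80 443 ; do
        iptables -A FORWARD -d "$WEBHOST" -p tcp --dport "$WEBPORT" -j ACCEPT
    done
    # }}}
    # ===== taygete: all out; SOCKS (not from the DMZ), HTTP proxy in ===== {{{
    iptables -A FORWARD -s "$PROXYHOST" -o "$EXTIFACE" -j ACCEPT
    iptables -A FORWARD -d "$PROXYHOST" ! -s "$ALLDMZ" -p tcp --dport 1080 -j ACCEPT
    iptables -A FORWARD -d "$PROXYHOST" -p tcp --dport 3128 -j ACCEPT
    # }}}
    # ===== elektra: LDAP, LDAPS, MySQL in ===== {{{
    for LDAPPORT in 389 636 3306 ; do
        iptables -A FORWARD -d "$LDAPHOST" -p tcp --dport "$LDAPPORT" -j ACCEPT
    done
    # }}}
    # }}}

    # Wired internal net {{{
    # Deneb wired (see MAC caveat at MACCHECK)
    iptables -A FORWARD -m mac --mac-source 00:15:11:22:33:44 -j ACCEPT
    # [snipped more]
    #
    # All other internal hosts are considered Windows boxes
    iptables -A FORWARD -i "$INTIFACE" -j WINCLIENTS
    # }}}
    # No other new connections should be forwarded
    iptables -A FORWARD -j STATEFUL
    # }}}

    # DMZ -> firewall {{{
    # ===================================================
    # Allow sesame connections
    iptables -A INPUT -s "$WEBHOST" -p tcp --dport 62324 -j ACCEPT
    # Allow syslog
    iptables -A INPUT -s "$ALLDMZ" -p udp --dport 514 -j ACCEPT
    # }}}

    # Masquerade everything leaving the internet interface {{{
    # ===================================================
    iptables -t nat -A POSTROUTING -o "$EXTIFACE" -j SNAT --to "$XS4ADDR"
    # }}}

    # Drop spoofed/reserved source addresses on the internet interface {{{
    for BOGON in $BOGON_NETS ; do
        iptables -A INPUT -i "$EXTIFACE" -s "$BOGON" -j DUMP
    done
    # }}}

    # prevent ACK scans: a NEW connection must start with SYN {{{
    iptables -A INPUT -i "$EXTIFACE" -p tcp ! --syn -m state --state NEW -j DUMP
    # }}}

    # allow certain inbound ICMP types (no echo-request: the box does not
    # answer pings from the outside) {{{
    for ICMPTYPE in destination-unreachable time-exceeded echo-reply ; do
        iptables -A INPUT -p icmp --icmp-type "$ICMPTYPE" -j ACCEPT
    done
    # }}}

    # reject AUTH/ident quickly instead of letting remote MTAs time out {{{
    iptables -A INPUT -i "$EXTIFACE" -p tcp --dport 113 -j REJECT \
        --reject-with tcp-reset
    # }}}

    # Services published from the DMZ: SMTP, IMAPS, HTTP, HTTPS, DNS {{{
    # DNAT happens in PREROUTING, so the redirected packets traverse
    # FORWARD (where the per-host rules above admit them), not INPUT.
    # The INPUT ACCEPTs below are therefore only reached by packets the
    # DNAT rule did not rewrite; kept from the original rule set, but be
    # aware they would expose a service on these ports on the firewall
    # itself should the nat table ever be empty.
    for SVCPORT in 25 993 ; do
        iptables -A INPUT -i "$EXTIFACE" -p tcp --dport "$SVCPORT" \
            -m state --state NEW,ESTABLISHED -j ACCEPT
        iptables -t nat -A PREROUTING -i "$EXTIFACE" -p tcp --dport "$SVCPORT" \
            -j DNAT --to-destination "$MAILHOST"
    done
    for SVCPORT in 80 443 53 ; do
        iptables -A INPUT -i "$EXTIFACE" -p tcp --dport "$SVCPORT" \
            -m state --state NEW,ESTABLISHED -j ACCEPT
        iptables -t nat -A PREROUTING -i "$EXTIFACE" -p tcp --dport "$SVCPORT" \
            -j DNAT --to-destination "$WEBHOST"
    done
    iptables -A INPUT -i "$EXTIFACE" -p udp --dport 53 \
        -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -t nat -A PREROUTING -i "$EXTIFACE" -p udp --dport 53 \
        -j DNAT --to-destination "$WEBHOST"
    # }}}

    # Keep SMB, NFS and portmapper traffic of this box off the internet {{{
    # The --sport rules are the original ones (local service replies);
    # the --dport rules stop this box from connecting out to such services.
    iptables -A OUTPUT -o "$EXTIFACE" -p tcp --sport 137:139 -j DROP
    for PROTO in tcp udp ; do
        iptables -A OUTPUT -o "$EXTIFACE" -p "$PROTO" --dport 137:139 -j DROP
        iptables -A OUTPUT -o "$EXTIFACE" -p "$PROTO" --dport 445 -j DROP
    done
    for PROTO in tcp udp ; do
        for NFSPORT in 635 2049 ; do
            iptables -A OUTPUT -o "$EXTIFACE" -p "$PROTO" --sport "$NFSPORT" -j DROP
            iptables -A OUTPUT -o "$EXTIFACE" -p "$PROTO" --dport "$NFSPORT" -j DROP
        done
    done
    iptables -A OUTPUT -o "$EXTIFACE" -p tcp --sport 111 -j DROP
    iptables -A OUTPUT -o "$EXTIFACE" -p tcp --dport 111 -j DROP
    iptables -A OUTPUT -o "$EXTIFACE" -p udp --dport 111 -j DROP
    # }}}

    # statecheck all else on INPUT
    iptables -A INPUT -j STATEFUL
    # run-time hook for outgoing denies on the internet interface
    iptables -A OUTPUT -o "$EXTIFACE" -j OUTHOOK

    # default table policies: this box may talk out freely {{{
    iptables -P INPUT DROP
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD DROP
    # }}}
    printf 'done.\n'
}
# }}}

# fw_stop: remove the rule set but keep the internet side closed. {{{
fw_stop() {
    printf 'Stopping firewall rules... '
    flush_all
    # prevent us being wide open: nothing new from the internet, neither
    # to this box nor through it (the policies below are ACCEPT)
    iptables -I INPUT -i "$EXTIFACE" -j DROP
    iptables -I FORWARD -i "$EXTIFACE" -j DROP
    iptables -P INPUT ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD ACCEPT
    printf 'done.\n'
}
# }}}

load_modules
case "$1" in
    start)
        fw_start
        ;;
    stop)
        fw_stop
        ;;
    restart)
        # no stopping; fw_start flushes the tables itself
        printf 'Re-'
        fw_start
        ;;
    *)
        printf 'Usage: %s { start | stop | restart }\n' "$0" >&2
        exit 1
        ;;
esac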