Do not ask why .... ;-)))

#!/bin/bash
#
# Init der Firewall START / STOP / RESTART / FALLBACK #
# START: Firewall starts with FORWARDING ON
# STOP: Firewall stops, FORWARDING is deactivated
# RESTART: Firewall restarts (stop, then start)
# FALLBACK: Firewall functions are NOT activated; FORWARDING and ROUTING are ON! Only for rescue purposes...
####################################################################################################################

#
# Init values ...
#

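#
# Init values ...
#
IPT="/usr/sbin/iptables"   # path to the iptables binary
slog="/bin/logger"         # logger binary (assigned here, not used anywhere in this script)
oeth="eth0"                # external network device
ieth="eth1"                # internal network device

# The interface addresses are read from ifconfig. The "inet addr" pattern
# matches the legacy net-tools output; NOTE(review): newer ifconfig prints
# "inet <addr>" without "addr:", in which case these two variables stay empty
# and every rule that uses $fw/$iip fails at load time.
oip=$(ifconfig "$oeth" | grep "inet addr" | cut -d : -f 2 | cut -d ' ' -f 1)   # external IP, assigned by the external DHCP
iip=$(ifconfig "$ieth" | grep "inet addr" | cut -d : -f 2 | cut -d ' ' -f 1)   # internal IP, assigned by the internal DHCP

webs="192.168.200.10"                     # internal webserver (unused below; see hts)
ntps="192.168.200.24"                     # internal NTP server (unused below; see nts)
localn="127.0.0.0/8"                      # loopback address range
intern="192.168.200.0/24"                 # internal address range
dropnet="172.16.0.0/12"                   # IPs to drop (unused below)
trustnet="10.141.3.0/24"                  # trusted network
world="0.0.0.0/0"                         # the Internet
proxy="10.141.8.9 10.141.3.2 10.141.8.5"  # web proxy addresses, space-separated list
entp="130.149.4.18 141.2.21.74"           # external NTP servers, space-separated list

hts="192.168.200.10"   # internal webserver
nts="192.168.200.24"   # internal timeserver
dnss="192.168.200.24"  # internal master DNS
fw=$iip                # the firewall's own internal address

# Rules in start() select on $fw; an empty value would make them fail, so
# say so up front instead of leaving the diagnosis to iptables.
if [ -z "$iip" ]; then
  printf 'warning: could not determine the IP address of %s; rules using $fw will fail\n' "$ieth" >&2
fi

# Show the detected interface/address values.
printf '%s\n' "$oeth" "$ieth" "$oip" "$iip"

# Manual one-off equivalents, kept for reference:
#echo 1 > /proc/sys/net/ipv4/ip_forward
#iptables -X
#iptables -F
#iptables -t nat -A POSTROUTING -o eth0 -s 192.168.200.0/24 -j SNAT --to-source 10.141.3.197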

####################################################################################################################
# INIT of functions
#

##################### START
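#######################################
# start: flush all tables, install the deny-all default policies, build the
# custom chains and switch IPv4 forwarding on.
# Globals:  IPT, oeth, ieth, intern, localn, trustnet, world, proxy, entp,
#           hts, nts, dnss, fw (all read)
# Outputs:  iptables diagnostics on stderr
# Returns:  exit status of the last iptables call
#######################################
start() {
  local i

  # Flush rules and delete user chains in the filter and nat tables.
  "$IPT" -F
  "$IPT" -t nat -F
  "$IPT" -X
  "$IPT" -t nat -X
  # Default policies: DENY ALL in filter, pass-through in nat.
  "$IPT" -P INPUT DROP
  "$IPT" -P OUTPUT DROP
  "$IPT" -P FORWARD DROP
  "$IPT" -t nat -P POSTROUTING ACCEPT
  "$IPT" -t nat -P PREROUTING ACCEPT

  # Own chains.
  "$IPT" -N PCHECK      # protocol check
  "$IPT" -N SPOOF       # spoof check
  "$IPT" -N DROPIP      # dropping IPs (created, but never populated or jumped to below)
  "$IPT" -N WEB         # web access from extern (created, but never populated or jumped to below)
  "$IPT" -N WORLD2LAN   # from WORLD to the internal LAN
  "$IPT" -N LAN2WORLD   # from the internal LAN to WORLD
  "$IPT" -N TNET2LAN    # from trusted nets to the internal LAN
  "$IPT" -N LAN2TNET    # from the internal LAN to trusted nets
  "$IPT" -N DSWORLD     # denied services from WORLD
  "$IPT" -N DSTRUSTED   # denied services from trusted nets
  "$IPT" -N BADFLAGS    # bad TCP flag combinations
  "$IPT" -N LOC         # loopback traffic

  # Set FORWARDING ON.
  echo 1 > /proc/sys/net/ipv4/ip_forward

  #######################################
  # Declare chains

  # FORWARD: sanity checks first, then dispatch by direction; anything that
  # matches none of the four direction rules is logged and dropped.
  "$IPT" -A FORWARD -j PCHECK
  "$IPT" -A FORWARD -j SPOOF
  "$IPT" -A FORWARD -i "$oeth" -s "$trustnet" -o "$ieth" -d "$intern" -j TNET2LAN
  "$IPT" -A FORWARD -i "$ieth" -s "$intern" -o "$oeth" -d "$trustnet" -j LAN2TNET
  "$IPT" -A FORWARD -i "$oeth" -s "$world" -o "$ieth" -d "$intern" -j WORLD2LAN
  "$IPT" -A FORWARD -i "$ieth" -s "$intern" -o "$oeth" -d "$world" -j LAN2WORLD

  "$IPT" -A FORWARD -j LOG --log-prefix "> wrong direction - DROP < "
  "$IPT" -A FORWARD -j DROP

  # WORLD2LAN: connections from the Internet and non-trusted nets to the LAN.
  # Only replies to connections opened from inside are accepted.
  "$IPT" -A WORLD2LAN -j DSWORLD
  "$IPT" -A WORLD2LAN -m state --state ESTABLISHED,RELATED -j ACCEPT

  "$IPT" -A WORLD2LAN -j LOG --log-prefix "--> WORLD2LAN - DROP <-- "
  "$IPT" -A WORLD2LAN -j DROP

  # TNET2LAN: connections from trusted nets to the LAN.
  "$IPT" -A TNET2LAN -j DSTRUSTED
  "$IPT" -A TNET2LAN -p tcp --dport 80 -d "$hts" -j ACCEPT   # web access
  "$IPT" -A TNET2LAN -p udp --dport 80 -d "$hts" -j ACCEPT   # web access
  # Port 53 is DNS, not NTP: $nts and $dnss hold the same address, so this
  # reaches the internal DNS server.
  "$IPT" -A TNET2LAN -p tcp --dport 53 -d "$nts" -j ACCEPT   # DNS
  "$IPT" -A TNET2LAN -p udp --dport 53 -d "$nts" -j ACCEPT   # DNS
  "$IPT" -A TNET2LAN -m state --state ESTABLISHED,RELATED -j ACCEPT

  "$IPT" -A TNET2LAN -j LOG --log-prefix "> TNET2LAN - DROP < "
  "$IPT" -A TNET2LAN -j DROP

  # LAN2TNET: connections from the LAN to trusted nets.
  # shellcheck disable=SC2086 -- entp is a deliberately space-separated list
  for i in $entp; do
    "$IPT" -A LAN2TNET -p tcp --dport 123 -d "$i" -j ACCEPT   # external NTP
    "$IPT" -A LAN2TNET -p udp --dport 123 -d "$i" -j ACCEPT   # external NTP
  done
  "$IPT" -A LAN2TNET -p tcp --dport 53 -s "$dnss" -j ACCEPT   # DNS queries from the master DNS
  "$IPT" -A LAN2TNET -p udp --dport 53 -s "$dnss" -j ACCEPT   # DNS
  "$IPT" -A LAN2TNET -p tcp --sport 53 -s "$dnss" -j ACCEPT   # DNS answers from the master DNS
  "$IPT" -A LAN2TNET -p udp --sport 53 -s "$dnss" -j ACCEPT   # DNS

  # shellcheck disable=SC2086 -- proxy is a deliberately space-separated list
  for i in $proxy; do
    "$IPT" -A LAN2TNET -p tcp --dport 8080 -d "$i" -j ACCEPT   # web proxy (HTTP)
    "$IPT" -A LAN2TNET -p udp --dport 8080 -d "$i" -j ACCEPT   # web proxy (HTTP)
  done
  "$IPT" -A LAN2TNET -p tcp --sport 80 -s "$hts" -j ACCEPT   # webserver answers
  "$IPT" -A LAN2TNET -p udp --sport 80 -s "$hts" -j ACCEPT   # webserver answers
  "$IPT" -A LAN2TNET -p tcp --dport 123 -j ACCEPT       # NTP
  "$IPT" -A LAN2TNET -p udp --dport 123 -j ACCEPT       # NTP
  "$IPT" -A LAN2TNET -p tcp --dport 22 -j ACCEPT        # SSH
  "$IPT" -A LAN2TNET -p udp --dport 22 -j ACCEPT        # SSH
  "$IPT" -A LAN2TNET -p tcp --dport 137:139 -j ACCEPT   # SAMBA
  "$IPT" -A LAN2TNET -p udp --dport 137:139 -j ACCEPT   # SAMBA
  "$IPT" -A LAN2TNET -p tcp --dport 111 -j ACCEPT       # portmapper
  "$IPT" -A LAN2TNET -p udp --dport 111 -j ACCEPT       # portmapper
  "$IPT" -A LAN2TNET -p tcp --dport 2049 -j ACCEPT      # NFS
  "$IPT" -A LAN2TNET -p udp --dport 2049 -j ACCEPT      # NFS
  # nfsd-status / nfsd-keepalive are service names; iptables resolves them
  # via /etc/services, so these two rules fail to load if the names are absent.
  "$IPT" -A LAN2TNET -p tcp --dport nfsd-status -d "$trustnet" -j ACCEPT      # NFS
  "$IPT" -A LAN2TNET -p udp --dport nfsd-keepalive -d "$trustnet" -j ACCEPT   # NFS
  "$IPT" -A LAN2TNET -p udp --dport 32772 -j ACCEPT     # NFS

  "$IPT" -A LAN2TNET -j LOG --log-prefix "--> LAN2TNET - DROP <-- "
  "$IPT" -A LAN2TNET -j DROP

  # LAN2WORLD: direct connections to WORLD are NOT allowed, except NTP;
  # everything else is logged and dropped.
  "$IPT" -A LAN2WORLD -p tcp --dport 123 -j ACCEPT
  "$IPT" -A LAN2WORLD -p udp --dport 123 -j ACCEPT
  "$IPT" -A LAN2WORLD -j LOG --log-prefix "> LAN2WORLD - DROP < "
  "$IPT" -A LAN2WORLD -j DROP

  # DSWORLD / DSTRUSTED: placeholders for denied services; currently they
  # return without matching anything.
  "$IPT" -A DSWORLD -j RETURN
  "$IPT" -A DSTRUSTED -j RETURN

  # PCHECK: reject impossible TCP flag combinations, return TCP and UDP to
  # the caller, accept the listed ICMP types, drop every other protocol.
  "$IPT" -A PCHECK -p tcp --tcp-flags ALL FIN,URG,PSH -j BADFLAGS
  "$IPT" -A PCHECK -p tcp --tcp-flags ALL ALL -j BADFLAGS
  "$IPT" -A PCHECK -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j BADFLAGS
  "$IPT" -A PCHECK -p tcp --tcp-flags ALL NONE -j BADFLAGS
  "$IPT" -A PCHECK -p tcp --tcp-flags SYN,RST SYN,RST -j BADFLAGS
  "$IPT" -A PCHECK -p tcp --tcp-flags SYN,FIN SYN,FIN -j BADFLAGS
  "$IPT" -A PCHECK -p tcp -j RETURN
  "$IPT" -A PCHECK -p udp -j RETURN
  "$IPT" -A PCHECK -o "$oeth" -p icmp -j ACCEPT
  "$IPT" -A PCHECK -o "$ieth" -p icmp --icmp-type destination-unreachable -j ACCEPT
  "$IPT" -A PCHECK -o "$ieth" -p icmp --icmp-type source-quench -j ACCEPT
  "$IPT" -A PCHECK -o "$ieth" -p icmp --icmp-type time-exceeded -j ACCEPT
  "$IPT" -A PCHECK -o "$ieth" -p icmp --icmp-type parameter-problem -j ACCEPT
  "$IPT" -A PCHECK -p icmp --icmp-type 0 -j ACCEPT

  "$IPT" -A PCHECK -j LOG --log-prefix "> Bad Protocol - DROP < "
  "$IPT" -A PCHECK -j DROP

  # BADFLAGS: log and drop.
  "$IPT" -A BADFLAGS -j LOG --log-prefix "> Bad TCP-FLAGS - DROP < "
  "$IPT" -A BADFLAGS -j DROP

  # SPOOF and scanning. Negation is written extrapositioned ("! -i") — the
  # older "-i !" form is deprecated by iptables.
  "$IPT" -A SPOOF ! -i "$ieth" -s "$intern" -j LOG --log-prefix "> $ieth spoofed - DROP < "
  "$IPT" -A SPOOF ! -i "$ieth" -s "$intern" -j DROP
  "$IPT" -A SPOOF ! -i lo -s "$localn" -j LOG --log-prefix "> loopback spoofed - DROP < "
  "$IPT" -A SPOOF ! -i lo -s "$localn" -j DROP

  # NOTE(review): the three limit rules and the final rule all RETURN, and the
  # LOG/DROP tail is commented out, so packets above the limits simply fall
  # through to the unconditional RETURN. As written, the rate limits drop nothing.
  "$IPT" -A SPOOF -p tcp --syn -m limit --limit 1/s -j RETURN                              # SYN-flood protection
  "$IPT" -A SPOOF -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j RETURN   # stealth port scanners
  "$IPT" -A SPOOF -p icmp --icmp-type echo-request -m limit --limit 1/s -j RETURN         # ping of death
  "$IPT" -A SPOOF -j RETURN                                                                # udp and everything else

  #"$IPT" -A SPOOF -j LOG --log-prefix "> SPOOF SCAN - DROP < "
  #"$IPT" -A SPOOF -j DROP

  # INPUT: apart from the ICMP types PCHECK accepts, the host only accepts
  # replies to connections it opened itself.
  "$IPT" -A INPUT -j LOC
  "$IPT" -A INPUT -j PCHECK
  "$IPT" -A INPUT -j SPOOF
  "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  "$IPT" -A INPUT -j LOG --log-prefix "> INPUT rejected - DROP < "
  "$IPT" -A INPUT -j DROP

  # OUTPUT: what the firewall host itself may send.
  "$IPT" -A OUTPUT -j LOC
  # shellcheck disable=SC2086 -- proxy is a deliberately space-separated list
  for i in $proxy; do
    "$IPT" -A OUTPUT -p tcp --dport 8080 -d "$i" -j ACCEPT   # web proxy (HTTP)
    "$IPT" -A OUTPUT -p udp --dport 8080 -d "$i" -j ACCEPT   # web proxy (HTTP)
  done
  "$IPT" -A OUTPUT -p tcp --dport 53 -j ACCEPT        # DNS
  "$IPT" -A OUTPUT -p udp --dport 53 -j ACCEPT        # DNS
  "$IPT" -A OUTPUT -p tcp --dport 123 -j ACCEPT       # NTP
  "$IPT" -A OUTPUT -p udp --dport 123 -j ACCEPT       # NTP
  "$IPT" -A OUTPUT -p tcp --dport 22 -j ACCEPT        # SSH
  "$IPT" -A OUTPUT -p udp --dport 22 -j ACCEPT        # SSH
  "$IPT" -A OUTPUT -p tcp --dport 137:139 -j ACCEPT   # SAMBA
  "$IPT" -A OUTPUT -p udp --dport 137:139 -j ACCEPT   # SAMBA
  "$IPT" -A OUTPUT -p tcp --dport 111 -j ACCEPT       # portmapper
  "$IPT" -A OUTPUT -p udp --dport 111 -j ACCEPT       # portmapper
  "$IPT" -A OUTPUT -p tcp --dport 2049 -j ACCEPT      # NFS
  "$IPT" -A OUTPUT -p udp --dport 2049 -j ACCEPT      # NFS
  "$IPT" -A OUTPUT -p tcp --dport nfsd-status -d "$trustnet" -j ACCEPT      # NFS
  "$IPT" -A OUTPUT -p udp --dport nfsd-keepalive -d "$trustnet" -j ACCEPT   # NFS
  "$IPT" -A OUTPUT -p icmp --icmp-type 8 -j ACCEPT    # ICMP echo-request
  "$IPT" -A OUTPUT -p tcp --dport 80 -j ACCEPT        # HTTP
  "$IPT" -A OUTPUT -p udp --dport 80 -j ACCEPT        # HTTP
  # Local proxy on the firewall itself ($fw is the internal address).
  "$IPT" -A OUTPUT -p tcp --dport 3128 -s "$intern" -d "$fw" -j ACCEPT
  "$IPT" -A OUTPUT -p udp --dport 3128 -s "$intern" -d "$fw" -j ACCEPT
  "$IPT" -A OUTPUT -p tcp --sport 3128 -s "$fw" -d "$intern" -j ACCEPT
  "$IPT" -A OUTPUT -p udp --sport 3128 -s "$fw" -d "$intern" -j ACCEPT

  "$IPT" -A OUTPUT -j LOG --log-prefix "> OUTPUT - DROP < "
  "$IPT" -A OUTPUT -j DROP

  # POSTROUTING: masquerade the LAN behind a fixed external address.
  # NOTE(review): $oip (the detected external address) is never used here;
  # the SNAT source is hard-coded. If the DHCP-assigned address differs,
  # translated traffic leaves with the wrong source — confirm.
  "$IPT" -t nat -P POSTROUTING ACCEPT
  "$IPT" -t nat -A POSTROUTING -o "$oeth" -s "$intern" -j SNAT --to-source 10.141.3.197

  # PREROUTING: forward NTP/DNS/HTTP arriving from trusted nets to the
  # internal servers.
  "$IPT" -t nat -P PREROUTING ACCEPT
  "$IPT" -t nat -A PREROUTING -i "$oeth" -s "$trustnet" -p tcp --dport 123 -j DNAT --to-destination "$nts"
  "$IPT" -t nat -A PREROUTING -i "$oeth" -s "$trustnet" -p udp --dport 123 -j DNAT --to-destination "$nts"
  "$IPT" -t nat -A PREROUTING -i "$oeth" -s "$trustnet" -p tcp --dport 53 -j DNAT --to-destination "$dnss"
  "$IPT" -t nat -A PREROUTING -i "$oeth" -s "$trustnet" -p udp --dport 53 -j DNAT --to-destination "$dnss"
  "$IPT" -t nat -A PREROUTING -i "$oeth" -s "$trustnet" -p tcp --dport 80 -j DNAT --to-destination "$hts"
  "$IPT" -t nat -A PREROUTING -i "$oeth" -s "$trustnet" -p udp --dport 80 -j DNAT --to-destination "$hts"

  # LOC: loopback-to-loopback traffic is accepted, everything else returns.
  "$IPT" -A LOC -s "$localn" -d "$localn" -j ACCEPT
  "$IPT" -A LOC -j RETURN
}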
########################################################################################################################
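#######################################
# stop: disable IPv4 forwarding, flush all rules and user chains, and set the
# FORWARD and nat policies to DROP.
# NOTE(review): the INPUT and OUTPUT policies are not touched here. start()
# sets them to DROP, so after "stop" the flushed filter table leaves the host
# itself unable to send or receive anything — confirm that is intended.
# Globals:  IPT (read)
# Returns:  exit status of the last iptables call
#######################################
stop() {
  echo 0 > /proc/sys/net/ipv4/ip_forward
  "$IPT" -F
  "$IPT" -X
  "$IPT" -t nat -F
  "$IPT" -t nat -X
  "$IPT" -P FORWARD DROP
  "$IPT" -t nat -P POSTROUTING DROP
  "$IPT" -t nat -P PREROUTING DROP
}
#######################################################################################################################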
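#######################################
# fallback: rescue mode. Flush everything, set every policy to ACCEPT, keep
# IPv4 forwarding on and re-install only the SNAT rule for the LAN.
# NOTE(review): like start(), the SNAT source is hard-coded rather than taken
# from the detected $oip — confirm the address is still correct.
# Globals:  IPT, oeth, intern (read)
# Returns:  exit status of the last iptables call
#######################################
fallback() {
  echo 1 > /proc/sys/net/ipv4/ip_forward
  "$IPT" -F
  "$IPT" -X
  "$IPT" -P FORWARD ACCEPT
  "$IPT" -P INPUT ACCEPT
  "$IPT" -P OUTPUT ACCEPT
  "$IPT" -t nat -F
  "$IPT" -t nat -X
  "$IPT" -t nat -P POSTROUTING ACCEPT
  "$IPT" -t nat -P PREROUTING ACCEPT
  "$IPT" -t nat -A POSTROUTING -o "$oeth" -s "$intern" -j SNAT --to-source 10.141.3.197
}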
#######################################################################################################################

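# Dispatch on the first argument. An unknown or missing argument prints the
# usage line to stderr and exits 2 (LSB "invalid argument") instead of
# reporting success.
case "$1" in
  start)
    start
    printf '%s\n' "Firewall is UP!"
    ;;
  fallback)
    fallback
    printf '%s\n' "Firewall is DOWN !!! Routing active!"
    ;;
  stop)
    stop
    printf '%s\n' "Firewall is DOWN !!! Routing deactivated!"
    ;;
  restart)
    # stop leaves the nat policies at DROP; start resets them to ACCEPT.
    stop
    printf '%s\n' "Firewall is DOWN !!! Routing deactivated!"
    start
    printf '%s\n' "Firewall is UP!"
    ;;
  *)
    printf '%s\n' "firewall (start/stop/fallback/restart)" >&2
    exit 2
    ;;
esac

exit 0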
 

mail address: danny(at)gaisar.de

Dan Mike (Danny) Gaisar

August 2004

 

 

 

 

 
