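#!/bin/sh
####
# Greg Schenzel's Linux iptables firewall script.
# It has fully commented configuration variables at the beginning.
#
# Usage: firewall {start|stop}
#   start - load netfilter modules, flush any existing rules and install
#           the policy described by the configuration variables below.
#   stop  - flush all rules, reset the default policies to ACCEPT and
#           (when NAT=yes) turn packet forwarding back off.
#
# /usr/src/linux/.config requirements:
# NAT modules only required for NAT systems (routers/internet gateways).
#
# CONFIG_NETFILTER=y
# CONFIG_IP_NF_CONNTRACK=m
# CONFIG_IP_NF_FTP=m
# CONFIG_IP_NF_IPTABLES=m
# CONFIG_IP_NF_MATCH_LIMIT=m
# CONFIG_IP_NF_MATCH_MAC=m
# CONFIG_IP_NF_MATCH_MULTIPORT=m
# CONFIG_IP_NF_MATCH_STATE=m
# CONFIG_IP_NF_FILTER=m
# CONFIG_IP_NF_TARGET_REJECT=m
# CONFIG_IP_NF_TARGET_MIRROR=m
# CONFIG_IP_NF_NAT=m
# CONFIG_IP_NF_NAT_NEEDED=y
# CONFIG_IP_NF_TARGET_MASQUERADE=m
# CONFIG_IP_NF_TARGET_REDIRECT=m
# CONFIG_IP_NF_NAT_FTP=m
# CONFIG_IP_NF_TARGET_LOG=m
# CONFIG_IP_NF_COMPAT_IPCHAINS=m
#
#
# RFC 1918 Local Networks:
# 10.0.0.0 - 10.255.255.255 (10/8 prefix)
# 172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
# 192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
#
####
# Configuration
#

## WHETHER TO ALLOW ALL TRAFFIC ON $INTIF
INTALLOWALL=no
## WHETHER TO ENABLE NAT ROUTER
NAT=no
## WHETHER TO SET SYNCOOKIE SUPPORT
SYNCOOKIE=no
## CIDR IP OF LOCAL NETWORK
LOCNET=172.16.0.0/16
## TCP PORTS TO ALLOW
TCPPORTS=ssh,ftp,time,finger,auth
## UDP PORTS TO ALLOW
UDPPORTS=time,58800
export LOCNET NAT TCPPORTS UDPPORTS
## EXTERNAL INTERFACE
EXTIF=eth0
## INTERNAL INTERFACE (NAT DEPENDANT)
if [ "$NAT" = "yes" ]; then
  INTIF=eth1
else
  INTIF=$EXTIF
fi
export EXTIF INTIF

## Tool paths (kept absolute so the script does not depend on $PATH at boot)
IPT=/sbin/iptables
MODPROBE=/sbin/modprobe

#######################################
# Empty every chain and delete user-defined chains in the filter table,
# and in the nat table as well when NAT is enabled.
# Plain "iptables -F" only touches the filter table, so the MASQUERADE
# rule in nat/POSTROUTING survived and each "start" appended a duplicate.
# Globals:   IPT, NAT (read)
# Arguments: none
#######################################
flush_all() {
  "$IPT" -F
  "$IPT" -X
  if [ "$NAT" = "yes" ]; then
    "$IPT" -t nat -F
    "$IPT" -t nat -X
  fi
}

####
# Firewall
#
case "$1" in
  start)
    # printf instead of "echo -n": echo's -n is not portable under /bin/sh
    printf 'Starting firewall and NAT (%s in; %s out): ' "$INTIF" "$EXTIF"
    ## Let us be really un-debian about the next few modprobes and echos
    ## Load modules
    "$MODPROBE" ip_tables
    "$MODPROBE" iptable_filter
    if [ "$NAT" = "yes" ]; then
      "$MODPROBE" iptable_nat
      "$MODPROBE" ip_nat_ftp
      "$MODPROBE" ip_nat_irc
      "$MODPROBE" ipt_MASQUERADE
    fi
    "$MODPROBE" ip_conntrack
    "$MODPROBE" ip_conntrack_ftp
    "$MODPROBE" ip_conntrack_irc
    "$MODPROBE" ipt_multiport
    "$MODPROBE" ipt_state

    ## Flush Rules
    flush_all

    ## Set Defaults
    "$IPT" -P INPUT DROP
    "$IPT" -P OUTPUT ACCEPT
    # FORWARD defaults to DROP: with ip_forward on and a FORWARD policy of
    # ACCEPT, anything routable arriving on $EXTIF could be forwarded to
    # the internal network.  Forwarding is granted only by the explicit
    # rules in the NAT block below.
    "$IPT" -P FORWARD DROP

    ## SYN cookies are a host setting, not a NAT one, so honour SYNCOOKIE
    ## regardless of NAT (the original only applied it when NAT=yes).
    if [ "$SYNCOOKIE" = "yes" ]; then
      echo 1 > /proc/sys/net/ipv4/tcp_syncookies
    fi

    ## allow anything from internal
    "$IPT" -A INPUT -i lo -j ACCEPT
    if [ "$INTALLOWALL" = "yes" ]; then
      "$IPT" -A INPUT -i "$INTIF" -j ACCEPT
    fi

    ## lights, camera, action!
    if [ "$NAT" = "yes" ]; then
      echo 1 > /proc/sys/net/ipv4/ip_forward
      # A packet with a $LOCNET source address can never legitimately
      # arrive on $EXTIF; drop it before any ACCEPT rule can match it.
      # (Only done when NAT=yes: with NAT=no, $EXTIF is the LAN interface.)
      "$IPT" -A INPUT -i "$EXTIF" -s "$LOCNET" -j DROP
      "$IPT" -A FORWARD -i "$EXTIF" -s "$LOCNET" -j DROP
      "$IPT" -A FORWARD -i "$EXTIF" -m state --state INVALID -j DROP
      # Internal hosts may open connections outward; external traffic is
      # forwarded inward only as a reply to such a connection.  The ACCEPT
      # is limited to $LOCNET sources so nothing leaves $EXTIF unmasqueraded.
      "$IPT" -A FORWARD -i "$INTIF" -o "$EXTIF" -s "$LOCNET" -j ACCEPT
      "$IPT" -A FORWARD -i "$EXTIF" -o "$INTIF" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
      "$IPT" -t nat -A POSTROUTING -s "$LOCNET" -o "$EXTIF" -j MASQUERADE
    fi

    ## allow in all valid replies (first, so most packets match one rule)
    "$IPT" -A INPUT -i "$EXTIF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    ## only allow ftp,time,...,ping in from external
    "$IPT" -A INPUT -i "$EXTIF" -p tcp -m multiport --dports "$TCPPORTS" -j ACCEPT
    "$IPT" -A INPUT -i "$EXTIF" -p udp -m multiport --dports "$UDPPORTS" -j ACCEPT
    "$IPT" -A INPUT -i "$EXTIF" -p icmp --icmp-type echo-request -j ACCEPT
    echo "done."
    ;;
  stop)
    printf 'Stopping firewall and NAT (%s in; %s out): ' "$INTIF" "$EXTIF"
    flush_all
    # Flushing alone left the INPUT policy at DROP with no ACCEPT rules,
    # which cut off every inbound packet (loopback included).  Reset the
    # policies to the kernel defaults so "stop" really means "no firewall".
    "$IPT" -P INPUT ACCEPT
    "$IPT" -P OUTPUT ACCEPT
    "$IPT" -P FORWARD ACCEPT
    # Without the MASQUERADE rule, forwarding would pass private source
    # addresses upstream; switch routing off together with the NAT rules.
    if [ "$NAT" = "yes" ]; then
      echo 0 > /proc/sys/net/ipv4/ip_forward
    fi
    echo "done."
    ;;
  *)
    echo "Usage: $0 {start|stop}" >&2
    exit 1
    ;;
esac
exit 0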