#!/bin/sh
#
# rc.fw-dmz: firewall script for a lan gateway with dmz support
#
# Copyright (C) Alessandro Dotti Contra <adotti@users.sourceforge.net>
#
#==============================================================================
#    This program is free software; you can redistribute it and/or modify
#    it under the terms of the GNU General Public License as published by
#    the Free Software Foundation; either version 2 of the License, or
#    (at your option) any later version.
#
#    This program is distributed in the hope that it will be useful,
#    but WITHOUT ANY WARRANTY; without even the implied warranty of
#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#    GNU General Public License for more details.
#
#    You should have received a copy of the GNU General Public License
#    along with this program; if not, write to the Free Software
#    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
#
# For any questions related to this software, please write to:
#
# Alessandro Dotti Contra
# v. Verne, 6
# 40128 Bologna ITALY
#
# or email to: adotti@users.sourceforge.net
#==============================================================================
#
# rc.fw-dmz,v
# Revision 1.1  2005/03/16 22:14:18  adotti
# First public release.
#
#
#==============================================================================

#
# FIREWALL CONFIGURATION
#

#
# Path to the iptables binary; every rule below is issued through it.
#
IPTABLES='/sbin/iptables'

#
# Interfaces.  Note the numbering: the LAN is eth0 and the Internet
# link is eth1 (the reverse of what many gateways use).
#
LO_IFACE='lo'
LAN_IFACE='eth0'
NET_IFACE='eth1'
DMZ_IFACE='eth2'

#
# Addresses.  The "xxx.xxx.xxx.xxx" values are placeholders and must be
# replaced with the real public addresses before the script is used.
# PUBLIC_IP is what LAN (and DNS server) traffic is masqueraded to; the
# two per-server public addresses are what the Internet-facing DNAT/SNAT
# rules map onto the mail and web hosts in the DMZ.
#
PUBLIC_IP='xxx.xxx.xxx.xxx'
LAN_NET='192.168.1.0/24'
DMZ_NET='192.168.10.0/24'

MAILSRV='192.168.10.2'
MAILSRV_PUBLIC_IP='xxx.xxx.xxx.xxx'
WEBSRV='192.168.10.3'
WEBSRV_PUBLIC_IP='xxx.xxx.xxx.xxx'

# DMZ hosts that have no public address of their own.
INTRANETSRV='192.168.10.4'
DNSSRV='192.168.10.5'

#
# TCP/UDP ports.  A comma-separated value is multiport syntax and only
# works in a rule that loads "-m multiport" before using it.
#
SSH='22'
DNS='53'
SMTP='25'
FTP='21'
MAIL='110,143'
WEB='80,443'

#
# Rules definition
#

case "$1" in
'start')
	echo "Enforcing firewall rules"

	#
	# Set default policy for the chains (table filter)
	#
		
	$IPTABLES -P INPUT DROP
	$IPTABLES -P FORWARD DROP
	$IPTABLES -P OUTPUT DROP

	################################################################################
	# NAT TABLE
	################################################################################

	# Internet -> DMZ
	
	$IPTABLES -t nat -A PREROUTING -d $WEBSRV_PUBLIC_IP  -j DNAT --to-destination $WEBSRV
	$IPTABLES -t nat -A PREROUTING -d $MAILSRV_PUBLIC_IP -j DNAT --to-destination $MAILSRV

	# DMZ -> Internet
	
	$IPTABLES -t nat -A POSTROUTING -s $WEBSRV  -j SNAT --to-source $WEBSRV_PUBLIC_IP
	$IPTABLES -t nat -A POSTROUTING -s $MAILSRV -j SNAT --to-source $MAILSRV_PUBLIC_IP

	$IPTABLES -t nat -A POSTROUTING -s $DNSSRV  -j SNAT --to-source $PUBLIC_IP

	# LAN -> Internet

	$IPTABLES -t nat -A POSTROUTING -s $LAN_NET -j SNAT --to-source $PUBLIC_IP
	
	################################################################################
	# NAT TABLE ENDS
	################################################################################

	################################################################################
	# FILTER TABLE
	################################################################################
	
	#
	# INPUT CHAIN
	#

	# Statefull settings

	$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
	$IPTABLES -A INPUT -m state --state INVALID -j DROP
	
	# Localhost

	$IPTABLES -A INPUT -i $LO_IFACE -j ACCEPT

	# Internet

	$IPTABLES -A INPUT -i $NET_IFACE -j LOG --log-level warning --log-prefix "IN NET REJ: "

	# DMZ
	
	$IPTABLES -A INPUT -i $DMZ_IFACE -j LOG --log-level warning --log-prefix "IN DMZ REJ: "
	
	# LAN

	$IPTABLES -A INPUT -s $LAN_NET -i $LAN_IFACE -p icmp -j ACCEPT

	$IPTABLES -A INPUT -s $LAN_NET -i $LAN_IFACE -p tcp --dport $SSH -m state --state NEW -j ACCEPT

	$IPTABLES -A INPUT -i $LAN_IFACE -j LOG --log-level warning --log-prefix "IN LAN REJ: "

	#
	# FORWARD CHAIN
	#

	# Statefull settings

	$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
	$IPTABLES -A FORWARD -m state --state INVALID -j DROP

	# LAN -> Internet

	$IPTABLES -A FORWARD -s $LAN_NET -i $LAN_IFACE -o $NET_IFACE -p tcp --dport $FTP -m state --state NEW -j ACCEPT

	$IPTABLES -A FORWARD -s $LAN_NET -i $LAN_IFACE -o $NET_IFACE -p tcp --dport $WEB -m state -m multiport --state NEW -j ACCEPT

	# LAN -> DMZ

	$IPTABLES -A FORWARD -s $LAN_NET -d $DMZ_NET -i $LAN_IFACE -o $DMZ_IFACE -p icmp -j ACCEPT

	$IPTABLES -A FORWARD -s $LAN_NET -d $DMZ_NET -i $LAN_IFACE -o $DMZ_IFACE -p tcp --dport $SSH -m state --state NEW -j ACCEPT

	$IPTABLES -A FORWARD -s $LAN_NET -d $INTRANETSRV -i $LAN_IFACE -o $DMZ_IFACE -p tcp --dport $FTP -m state --state NEW -j ACCEPT
	$IPTABLES -A FORWARD -s $LAN_NET -d $INTRANETSRV -i $LAN_IFACE -o $DMZ_IFACE -p tcp --dport $WEB -m state --state NEW -m multiport -j ACCEPT
	
	$IPTABLES -A FORWARD -s $LAN_NET -d $WEBSRV -i $LAN_IFACE -o $DMZ_IFACE -p tcp --dport $FTP -m state --state NEW -j ACCEPT

	$IPTABLES -A FORWARD -s $LAN_NET -d $MAILSRV -i $LAN_IFACE -o $DMZ_IFACE -p tcp --dport $SMTP -m state --state NEW -j ACCEPT
	$IPTABLES -A FORWARD -s $LAN_NET -d $MAILSRV -i $LAN_IFACE -o $DMZ_IFACE -p tcp --dport $MAIL -m state --state NEW -m multiport -j ACCEPT

	$IPTABLES -A FORWARD -s $LAN_NET -d $DNSSRV -i $LAN_IFACE -o $DMZ_IFACE -p udp --dport $DNS -m state --state NEW -j ACCEPT
	$IPTABLES -A FORWARD -s $LAN_NET -d $DNSSRV -i $LAN_IFACE -o $DMZ_IFACE -p tcp --dport $DNS -m state --state NEW -j ACCEPT

	# LAN: rejected traffic

	$IPTABLES -A FORWARD -i $LAN_IFACE -j LOG --log-level warning --log-prefix "FWD LAN REJ: "

	# DMZ -> Internet
	
	$IPTABLES -A FORWARD -s $MAILSRV -i $DMZ_IFACE -o $NET_IFACE -p tcp --dport $SMTP -m state --state NEW -j ACCEPT
	
	$IPTABLES -A FORWARD -s $DNSSRV -i $DMZ_IFACE -o $NET_IFACE -p tcp --dport $DNS -m state --state NEW -j ACCEPT
	$IPTABLES -A FORWARD -s $DNSSRV -i $DMZ_IFACE -o $NET_IFACE -p udp --dport $DNS -m state --state NEW -j ACCEPT

	# DMZ: rejected traffic

	$IPTABLES -A FORWARD -i $DMZ_IFACE -j LOG --log-level warning --log-prefix "FWD DMZ REJ: "

	#
	# OUTPUT CHAIN
	#

	# Statefull settings

	$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
	$IPTABLES -A OUTPUT -m state --state INVALID -j DROP

	# Localhost

	$IPTABLES -A OUTPUT -o $LO_IFACE -j ACCEPT

	# Internet
	
	$IPTABLES -A OUTPUT -o $NET_IFACE -p icmp -j ACCEPT
	
	$IPTABLES -A OUTPUT -o $NET_IFACE -j LOG --log-level warning --log-prefix "OUT NET REJ: "
	
	# DMZ
	
	$IPTABLES -A OUTPUT -o $DMZ_IFACE -p icmp -j ACCEPT

	$IPTABLES -A OUTPUT -o $DMZ_IFACE -j LOG --log-level warning --log-prefix "OUT DMZ REJ: "
	
	# LAN
	
	$IPTABLES -A OUTPUT -o $LAN_IFACE -p icmp -j ACCEPT
	
	$IPTABLES -A OUTPUT -o $LAN_IFACE -j LOG --log-level warning --log-prefix "OUT LAN REJ: "

	################################################################################
	# FILTER TABLE ENDS
	################################################################################
	;;
'stop')
	echo "Removing firewall rules"
	
	#
	# Reset the default policies in the filter table
	#

	$IPTABLES -P INPUT ACCEPT
	$IPTABLES -P OUTPUT ACCEPT
	$IPTABLES -P FORWARD ACCEPT

	#
	# Reset the default policies in the nat table
	#

	$IPTABLES -t nat -P PREROUTING ACCEPT
	$IPTABLES -t nat -P POSTROUTING ACCEPT
	$IPTABLES -t nat -P OUTPUT ACCEPT

	#
	# Reset the default policies in the mangle table
	#

	$IPTABLES -t mangle -P PREROUTING ACCEPT
	$IPTABLES -t mangle -P POSTROUTING ACCEPT
	$IPTABLES -t mangle -P INPUT ACCEPT
	$IPTABLES -t mangle -P FORWARD ACCEPT
	$IPTABLES -t mangle -P OUTPUT ACCEPT

	#
	# Flush all the rules in all tables
	#

	$IPTABLES -F -t filter
	$IPTABLES -F -t nat
	$IPTABLES -F -t mangle

	#
	# Delete all user defined chains in all tables
	#

	$IPTABLES -X -t filter
	$IPTABLES -X -t nat
	$IPTABLES -X -t mangle
	;;
*)
	echo "Usage: $(basename $0) (start|stop)"
esac

