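#!/bin/sh
#+----------------------------------------------------------------------------------------+
# rc.firewall-2.4
#
# Simple iptables ruleset for a Linux host with one external (internet-facing)
# interface and one VPN tunnel interface.  Derived from the "simple IP
# Masquerade" example of the IP Masquerade HOWTO, reduced to an INPUT filter:
#
#   INPUT   default DROP; accepts loopback, everything arriving on the VPN
#           interface, ESTABLISHED/RELATED replies, rate-limited ping and a
#           fixed list of service ports on the external interface.
#   OUTPUT  default ACCEPT.
#   FORWARD default $FORWARD_POLICY (ACCEPT unless overridden, see below).
#
# Usage: run as root, e.g. from an init script:   sh rc.firewall-2.4
#
# Environment (all optional; the defaults keep the historical behaviour):
#   IPTABLES        path to the iptables binary   (default /usr/sbin/iptables)
#   EXTIF           external interface            (default venet0)
#   INTIFVPN0       VPN tunnel interface          (default tun0)
#   FORWARD_POLICY  policy of the FORWARD chain   (default ACCEPT)
#
# NOTE: despite the HOWTO wording about masquerading, this script installs
# no MASQUERADE/SNAT rule.  If VPN clients are expected to reach the internet
# through this host, that rule has to come from elsewhere.
#
# Log:
#   0.73 - REJECT is not a legal policy yet; back to DROP
#   0.72 - Changed the default block behavior to REJECT not DROP
#   0.71 - Added clarification that PPPoE users need to use
#          "ppp0" instead of "eth0" for their external interface
#   0.70 - Added commented option for IRC nat module
#        - Added additional use of environment variables
#        - Added additional formatting
#   0.63 - Added support for the IRC IPTABLES module
#   0.62 - Fixed a typo on the MASQ enable line that used eth0
#          instead of $EXTIF
#   0.61 - Changed the firewall to use variables for the internal
#          and external interfaces.
#   0.60 - 0.50 had a mistake where the ruleset had a rule to DROP
#          all forwarded packets but it didn't have a rule to ACCEPT
#          any packets to be forwarded either
#        - Load the ip_nat_ftp and ip_conntrack_ftp modules by default
#   0.50 - Initial draft
#+----------------------------------------------------------------------------------------+

FWVER=0.73

# Abort on the first failing command and on unset variables: a half-applied
# ruleset is worse than none.  The INPUT policy is switched to DROP only as
# the very last step, so an abort half-way through rule loading cannot lock a
# remote administrator out of a host whose previous policy was ACCEPT.
set -eu

#######################################
# Print a diagnostic to stderr and exit with failure.
# Arguments: $* - message
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Location of the iptables binary.  Distribution packages usually install it
# in /sbin or /usr/sbin; a manual build defaults to /usr/local/sbin.  Use
# "command -v iptables" to find yours and override it via the environment.
IPTABLES="${IPTABLES:-/usr/sbin/iptables}"

# Interfaces.  EXTIF is where traffic from the internet arrives: "ppp0" for
# PPPoE/analog-modem users, "eth0" for a plain NIC, "venet0" inside an
# OpenVZ container.  INTIFVPN0 is the VPN tunnel; everything arriving on it
# is trusted and accepted unconditionally, so the tunnel must be the only
# thing bound to that interface name.
EXTIF="${EXTIF:-venet0}"
INTIFVPN0="${INTIFVPN0:-tun0}"

# Policy of the FORWARD chain.  The historical value is ACCEPT which, together
# with ip_forward=1 below, lets this host route any packet between its
# interfaces without further checks.  DROP plus explicit FORWARD rules is the
# safer setting when the VPN does not need to be routed through this host.
FORWARD_POLICY="${FORWARD_POLICY:-ACCEPT}"

#######################################
# Accept new connections to one service port on the external interface.
# Globals:   IPTABLES, EXTIF (read)
# Arguments: $1 - label for the progress message
#            $2 - port number
#            $3... - protocols to open (tcp and/or udp)
# Outputs:   progress line on stdout
#######################################
open_port() {
  label=$1
  port=$2
  shift 2
  printf '      %s %s\n' "$label" "$port"
  for proto in "$@"; do
    "$IPTABLES" -A INPUT -p "$proto" -i "$EXTIF" --dport "$port" -j ACCEPT
  done
}

# printf instead of echo: under /bin/sh the handling of "\n" and "-e" in echo
# differs between dash and bash, so the original banners printed literally on
# one of them.
printf '\n\nLoading simple rc.firewall version %s..\n' "$FWVER"
printf '   External Interface: %s\n' "$EXTIF"
printf '   VPN0 Interface    : %s\n' "$INTIFVPN0"

[ -x "$IPTABLES" ] || die "iptables not found at $IPTABLES (try: command -v iptables)"
[ "$(id -u)" -eq 0 ] || die "rc.firewall-2.4 must run as root"

# CRITICAL: enable IP forwarding, it is disabled by default.
# (Redhat users may instead set FORWARD_IPV4=true in /etc/sysconfig/network.)
printf '   Enabling forwarding..\n'
printf '1\n' > /proc/sys/net/ipv4/ip_forward

# Dynamic IP users (SLIP, PPP, DHCP): enabling dynamic-address hacking makes
# life with Diald and similar programs easier.  Off by default.
#printf '   Enabling DynamicAddr..\n'
#printf '1\n' > /proc/sys/net/ipv4/ip_dynaddr

# Clear any previous configuration.  "-F" without a chain name flushes every
# chain of the table, so per-chain flushes are not needed.
printf '   Clearing any existing rules..\n'
"$IPTABLES" -F
"$IPTABLES" -t nat -F

# ICMP echo requests: at most 10/s (default burst of 5) are accepted, the
# rest are dropped explicitly.  These rules stay ahead of the ESTABLISHED
# rule on purpose: conntrack treats repeated echo requests of one ping
# session as ESTABLISHED, and the limit must still apply to them.
"$IPTABLES" -A INPUT -i "$EXTIF" -p icmp --icmp-type echo-request -m limit --limit 10/s -j ACCEPT
"$IPTABLES" -A INPUT -i "$EXTIF" -p icmp --icmp-type echo-request -j DROP

printf '   Accept all from %s and localhost\n' "$INTIFVPN0"
"$IPTABLES" -A INPUT -i "$INTIFVPN0" -j ACCEPT
"$IPTABLES" -A INPUT -i lo -j ACCEPT

printf '   Accept packets with state ESTABLISHED,RELATED\n'
"$IPTABLES" -A INPUT -i "$EXTIF" -m state --state ESTABLISHED,RELATED -j ACCEPT

# Service ports reachable on the external interface.  Every port is opened
# for both tcp and udp to keep the historical behaviour; SSH, SMTP, HTTP and
# HTTPS are tcp-only services, so their udp entries only widen the exposed
# surface and can be dropped by passing just "tcp".
printf '   Allowed ports on %s\n' "$EXTIF"
open_port SSH     22   tcp udp
open_port SMTP    25   tcp udp
open_port DNS     53   tcp udp
open_port HTTP    80   tcp udp
open_port HTTPS   443  tcp udp
open_port OpenVPN 1194 tcp udp

# Default policies last: INPUT only becomes DROP once every ACCEPT rule above
# is in place.  REJECT is not a valid chain policy, hence DROP.
printf '   Setting default policies (INPUT DROP, OUTPUT ACCEPT, FORWARD %s)..\n' "$FORWARD_POLICY"
"$IPTABLES" -P OUTPUT ACCEPT
"$IPTABLES" -P FORWARD "$FORWARD_POLICY"
"$IPTABLES" -P INPUT DROP

printf '\nrc.firewall-2.4 v%s done.\n' "$FWVER"
#----------------------------------------------------------------------------------------+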