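#!/bin/sh
#
# firewall script
# based on sample scripts from
# http://www.netfilter.org/documentation/HOWTO/NAT-HOWTO-10.html
# http://www.tldp.org/HOWTO/IP-Masquerade-HOWTO/firewall-examples.html
#
# purpose :
# router for 2 private and 1 public network
# the public network is internet, the ip address of the interface is dynamically assigned
# use iptables / netfilter for
#   Network Address Translation
#   firewall rules e.a. for security
#
# Runs as root (writes /proc/sys and programs netfilter).
# Kept POSIX sh: progress output uses printf, because "echo -e"/"echo -en"
# are not POSIX and print a literal "-e" under dash and other /bin/sh.
# ------------------------------------------------------------------------------------------------------
#

# Stop at the first failing command and on unset variables.  A failed
# module load aborts before any rule is touched, so the previous ruleset
# stays in place; a failed iptables call after the flush leaves the box
# with policy FORWARD DROP and forwarding still disabled (it is only
# switched on at the very end), i.e. the script fails closed, not open.
set -eu

printf '\n\nRunning %s for NAT and firewall ..\n' "$0"

# The location of the iptables and kernel module programs
IPTABLES=/sbin/iptables
DEPMOD=/sbin/depmod
MODPROBE=/sbin/modprobe

# Fail early with a clear message instead of a "command not found"
# halfway through the rule set.
for tool in "$IPTABLES" "$DEPMOD" "$MODPROBE"; do
  if [ ! -x "$tool" ]; then
    printf '%s: required program %s not found or not executable\n' "$0" "$tool" >&2
    exit 1
  fi
done

# Setting the EXTERNAL and INTERNAL interfaces for the network
#
WANif="eth0"
LAN1if="eth1"
LAN2if="eth2"

printf ' External Interface:       %s\n' "$WANif"
printf ' Internal LAN 1 interface: %s\n' "$LAN1if"
printf ' Internal LAN 2 interface: %s\n' "$LAN2if"

# Load one kernel module ($1), printing its name as progress output.
# Under "set -e" a module that cannot be loaded aborts the script.
load_module() {
  printf '%s, ' "$1"
  "$MODPROBE" "$1"
}

# Check modules etc.
printf ' loading modules: '
printf ' - Verifying that all kernel modules are ok\n'
"$DEPMOD" -a

load_module ip_tables
# Load the stateful connection tracking framework - "ip_conntrack"
load_module ip_conntrack
# Load the FTP tracking mechanism for full FTP tracking
load_module ip_conntrack_ftp
# Load the IRC tracking mechanism for full IRC tracking
load_module ip_conntrack_irc
# Load the general IPTABLES NAT code - "iptable_nat"
load_module iptable_nat
# Loads the FTP NAT functionality into the core IPTABLES code
# Required to support non-PASV FTP.
load_module ip_nat_ftp
# Loads the IRC NAT functionality into the core IPTABLES code
# Required to support NAT of IRC DCC requests
#load_module ip_nat_irc
echo "----------------------------------------------------------------------"

# Just to be complete, here is a partial list of some of the other
# IPTABLES kernel modules and their function.  Please note that most
# of these modules (the ipt ones) are automatically loaded by the
# master kernel module for proper operation and don't need to be
# manually loaded.
# --------------------------------------------------------------------
#
# ip_nat_snmp_basic - this module allows for proper NATing of some
#                     SNMP traffic
#
# iptable_mangle    - this target allows for packets to be
#                     manipulated for things like the TCPMSS
#                     option, etc.
#
# --
#
# ipt_mark          - this target marks a given packet for future action.
#                     This automatically loads the ipt_MARK module
#
# ipt_tcpmss        - this target allows to manipulate the TCP MSS
#                     option for braindead remote firewalls.
#                     This automatically loads the ipt_TCPMSS module
#
# ipt_limit         - this target allows for packets to be limited to
#                     to many hits per sec/min/hr
#
# ipt_multiport     - this match allows for targets within a range
#                     of port numbers vs. listing each port individually
#
# ipt_state         - this match allows to catch packets with various
#                     IP and TCP flags set/unset
#
# ipt_unclean       - this match allows to catch packets that have invalid
#                     IP/TCP flags set
#
# iptable_filter    - this module allows for packets to be DROPped,
#                     REJECTed, or LOGged.  This module automatically
#                     loads the following modules:
#
#                     ipt_LOG    - this target allows for packets to be
#                                  logged
#
#                     ipt_REJECT - this target DROPs the packet and returns
#                                  a configurable ICMP packet back to the
#                                  sender.
#
printf ' Done loading modules.\n\n'

# Dynamic IP :
echo " Enabling Dynamic IP Address ..."
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

# Enable simple IP forwarding and Masquerading
#
# NOTE: In IPTABLES speak, IP Masquerading is a form of SourceNAT or SNAT.
#
# NOTE #2: The following is an example for an internal LAN address in the
#          192.168.0.x network with a 255.255.255.0 or a "24" bit subnet mask
#          connecting to the Internet on external interface "eth0".  This
#          example will MASQ internal traffic out to the Internet but not
#          allow non-initiated traffic into your internal network.
#
#
#        ** Please change the above network numbers, subnet mask, and your
#       *** Internet connection interface name to match your setup
#

# Clearing any previous configuration.
# -F with no chain name flushes every chain of the table (the three
# built-in ones and any user-defined chain); -X then removes the empty
# user-defined chains left behind by an earlier run or another tool,
# so nothing from a previous ruleset survives a re-run.
echo " Setting default policies and clearing any existing rules"
"$IPTABLES" -F
"$IPTABLES" -X
"$IPTABLES" -t nat -F
"$IPTABLES" -t nat -X

# Default policies.  INPUT stays ACCEPT because no INPUT rules are
# defined yet (see FIREWALL RULES at the bottom); switching it to DROP
# before those exist would lock the router out, also from the LANs.
# OUTPUT is DROP and there are no OUTPUT rules either, so the router
# itself cannot originate traffic (DNS lookups, updates) or answer
# connections; forwarded LAN<->Internet traffic is not affected by this.
"$IPTABLES" -P INPUT ACCEPT    # change to DROP once INPUT rules exist
"$IPTABLES" -P OUTPUT DROP
"$IPTABLES" -P FORWARD DROP

# enabling source nat and packet forwarding
echo " enabling source nat and packet forwarding ..."
echo " Rules for FORWARDing : Allow all connections OUT and only existing and related ones IN"
echo " LAN 1 :"
"$IPTABLES" -A FORWARD -i "$WANif" -o "$LAN1if" -m state --state ESTABLISHED,RELATED -j ACCEPT
"$IPTABLES" -A FORWARD -i "$LAN1if" -o "$WANif" -j ACCEPT
echo " LAN 2 :"
"$IPTABLES" -A FORWARD -i "$WANif" -o "$LAN2if" -m state --state ESTABLISHED,RELATED -j ACCEPT
"$IPTABLES" -A FORWARD -i "$LAN2if" -o "$WANif" -j ACCEPT

# Log whatever falls through to the FORWARD DROP policy.  The limit
# match is essential: an unbounded LOG rule on the public interface lets
# any remote host fill the kernel log and syslog simply by sending
# packets that the rules above do not accept.  The prefix makes the
# entries easy to grep for.
"$IPTABLES" -A FORWARD -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "FORWARD DROP: "

echo " Enabling Source NAT (MASQUERADE) functionality using WANif IP address"
# may need to modify this to allow comm between two LAN without NAT, only NAT to internet
# (the rule is already restricted to -o WANif, so LAN1<->LAN2 traffic is not
# masqueraded; at present it is simply dropped, no FORWARD rule accepts it)
"$IPTABLES" -t nat -A POSTROUTING -o "$WANif" -j MASQUERADE

# CRITICAL: Enable IP forwarding (can also be done in options file).
# Done last, after the policies and rules are in place: turning
# forwarding on first would route traffic through whatever ruleset
# (possibly none, policy ACCEPT) exists during the flush above.
echo " Enabling forwarding.."
echo "1" > /proc/sys/net/ipv4/ip_forward

printf "\n%s done. You're on.\n\n" "$0"

#--------------------------------------------------------------------------------------------------------------
# FIREWALL RULES
#--------------------------------------------------------------------------------------------------------------
# add packet filter rules here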