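#!/bin/sh
# 00firewall for static ADSL copyright 2001 by cpbotha@ieee.org
#
# Stateful iptables firewall + NAT gateway for a box with one public ADSL
# interface and two internal networks.  Must run as root: it writes to
# /proc/sys, loads kernel modules and programs iptables.  Adjust the
# variables below and the internal-network list further down to match
# the machine.  Rules are applied in order, so the order of the sections
# below matters (see the ssh rule before the DROP policies).

echo "00firewall starting..."

# this is our ip number (public side of the ADSL link)
ADSL_IP=145.94.197.93
# the public interface; everything arriving here is the big bad internet
ADSL_IF=eth2
# absolute path so a different iptables on PATH can never be picked up
IPTABLES=/sbin/iptables
# internal host that receives the forwarded game / p2p ports below
DNAT_HOST=192.168.1.7

#######################################
# Write a value into /proc/sys/net/ipv4/conf/*/<knob> for every
# interface, but only if the kernel exposes that knob at all.
# Arguments: $1 - knob name (e.g. rp_filter), $2 - value to write
#######################################
set_ipv4_conf() {
   if [ -e "/proc/sys/net/ipv4/conf/all/$1" ]; then
      for f in /proc/sys/net/ipv4/conf/*/"$1"; do
         echo "$2" > "$f"
      done
   fi
}

# make sure we have spoof protection on (reverse-path filtering)
set_ipv4_conf rp_filter 1
# and make sure we ignore all source routed packets
set_ipv4_conf accept_source_route 0
# make sure we have IP forwarding turned on, we are the gateway after all
if [ -e /proc/sys/net/ipv4/ip_forward ]; then
   echo 1 > /proc/sys/net/ipv4/ip_forward
fi

# we have to load at least this
modprobe ip_tables
# and then some ftp support
# conntrack - determine which packets belong to a certain connection (stateful)
modprobe ip_conntrack_ftp
# nat - so that active ftp works (PORT command is translated and handled)
# NOTE(review): these are the old module names; newer kernels call them
# nf_conntrack_ftp / nf_nat_ftp, and modprobe will complain if a module
# is built in or renamed -- verify on the target kernel.
modprobe ip_nat_ftp

# flush all previous rules.  From here until the ssh rule below an
# existing ssh session is unprotected if the old policy was DROP, so
# keep that window as short as it is.
"$IPTABLES" -t filter -F INPUT
"$IPTABLES" -t filter -F FORWARD
"$IPTABLES" -t filter -F OUTPUT
"$IPTABLES" -t nat -F PREROUTING
"$IPTABLES" -t nat -F POSTROUTING
"$IPTABLES" -t nat -F OUTPUT

# allow ssh connections to be made from the big bad internet
# (we have this here for fool-proofing reasons: it is inserted before the
# policies flip to DROP so a remote admin cannot lock himself out)
"$IPTABLES" -t filter -A INPUT -i "$ADSL_IF" -p tcp --dport 22 -j ACCEPT
#"$IPTABLES" -t filter -A INPUT -i "$ADSL_IF" -p udp --dport 68 -j ACCEPT

# set default policies to paranoid
"$IPTABLES" -t filter -P INPUT DROP
"$IPTABLES" -t filter -P FORWARD DROP
"$IPTABLES" -t filter -P OUTPUT ACCEPT # except this one

# use this as target instead of DROP if you'd like to log
# (-N fails harmlessly when the chain already exists, hence 2>/dev/null;
# the -F right after makes re-running this script idempotent)
"$IPTABLES" -N DROPLOG 2> /dev/null
"$IPTABLES" -F DROPLOG
# do the log target; rate limited so a flood cannot fill the syslog
"$IPTABLES" -A DROPLOG -j LOG -m limit --limit 20/minute --log-level 4 --log-prefix "00firewall default drop "
# then drop the packet (LOG is not final)
"$IPTABLES" -A DROPLOG -j DROP

# now we start with the actual rules

# localhost, doh, should be allowed
"$IPTABLES" -t filter -A INPUT -i lo -j ACCEPT
# followups or related connections should be allowed (e.g. answer to a DNS query)
"$IPTABLES" -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# stuff from MonMotha (allow ping, but not flood ping: anything over the
# limit falls through to DROPLOG at the end...
"$IPTABLES" -t filter -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -i "$ADSL_IF" -j ACCEPT
# ...and the rest of icmp)
# NOTE(review): intrapositioned negation ("--icmp-type ! x") is the old
# syntax; newer iptables prefer "! --icmp-type x" and may only warn.
"$IPTABLES" -t filter -A INPUT -p icmp --icmp-type ! echo-request -j ACCEPT
# hmmm, don't drop packets to identd, but reject them, else we wait forever
# for irc to start
"$IPTABLES" -t filter -A INPUT -i "$ADSL_IF" -p tcp --dport 113 -j REJECT --reject-with tcp-reset

# NOW THE INTERNAL NETWORKS
# each entry is network/prefix:interface
for localnetwork in 192.168.1.0/24:eth0 192.168.0.0/24:eth1; do
   # split on the first ':' with parameter expansion instead of forking cut
   network=${localnetwork%%:*}
   iface=${localnetwork#*:}
   # we should probably accept incoming packets from our internal network
   "$IPTABLES" -t filter -A INPUT -s "$network" -i "$iface" -j ACCEPT
   # then, packets from our internal network coming into our internal iface
   # should be forwarded
   "$IPTABLES" -t filter -A FORWARD -s "$network" -i "$iface" -j ACCEPT
   # reply packets going to our internal network (via internal iface) should
   # be forwarded right back.  This accepts *any* forwarded packet headed
   # into the LAN, which is also what lets the DNAT rules below through;
   # a tighter variant would add "-m state --state ESTABLISHED,RELATED"
   # plus explicit ACCEPTs for the DNATed ports.
   "$IPTABLES" -t filter -A FORWARD -d "$network" -o "$iface" -j ACCEPT
   # and on our outside interface packets from our internal network will be masqueraded
   "$IPTABLES" -t nat -A POSTROUTING -s "$network" -o "$ADSL_IF" -j MASQUERADE
done

# AND THEN SOME MISCELLANEOUS SHIT

# DNS from the outside world.  Only keep this if this box serves
# authoritative DNS to the internet; an exposed recursive resolver is
# abusable for amplification.
"$IPTABLES" -t filter -A INPUT -i "$ADSL_IF" -p udp --dport 53 -j ACCEPT
"$IPTABLES" -t filter -A INPUT -i "$ADSL_IF" -p tcp --dport 53 -j ACCEPT

# port forwards into $DNAT_HOST.  All of them are restricted to the public
# interface: PREROUTING sees every incoming packet, so a DNAT rule without
# -i would also rewrite traffic that LAN hosts send *through* this box to
# the same port on any outside host.
# quake3 dnat
"$IPTABLES" -t nat -A PREROUTING -i "$ADSL_IF" -p tcp --dport 27960 -j DNAT --to-destination "$DNAT_HOST"
"$IPTABLES" -t nat -A PREROUTING -i "$ADSL_IF" -p udp --dport 27960 -j DNAT --to-destination "$DNAT_HOST"
# gnocatan
"$IPTABLES" -t nat -A PREROUTING -i "$ADSL_IF" -p tcp --dport 5556 -j DNAT --to-destination "$DNAT_HOST"
# the donkey
"$IPTABLES" -t nat -A PREROUTING -i "$ADSL_IF" -p tcp --dport 4661 -j DNAT --to-destination "$DNAT_HOST"
"$IPTABLES" -t nat -A PREROUTING -i "$ADSL_IF" -p udp --dport 4665 -j DNAT --to-destination "$DNAT_HOST"
# mldonkey uses these two, the two above can be removed...
"$IPTABLES" -t nat -A PREROUTING -i "$ADSL_IF" -p tcp --dport 4662 -j DNAT --to-destination "$DNAT_HOST"
"$IPTABLES" -t nat -A PREROUTING -i "$ADSL_IF" -p udp --dport 4666 -j DNAT --to-destination "$DNAT_HOST"

# if it wasn't matched by now, we do the drop and log thing
# (yes, we have policies too on this, but DROPLOG gives us the syslog entry)
"$IPTABLES" -t filter -A INPUT -j DROPLOG
"$IPTABLES" -t filter -A FORWARD -j DROPLOG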
