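#! /bin/sh
# Copyright (c) 1995-1998 SuSE GmbH Nuernberg, Germany.
#
# Author: Michael Diekmann
#
# /etc/init.d/iptables
#
# Packet filter / NAT gateway init script for a two-interface box:
# DEV_LAN faces the local network, DEV_INET the Internet.  "start" builds a
# default-deny ruleset (policies DROP, explicit per-service chains, final
# log-and-reject), enables forwarding and masquerading for LOC_NET and then
# turns on the kernel protections (syncookies, rp_filter).  "stop" removes
# every rule but leaves all policies at DROP, i.e. the box stays locked
# down rather than falling open.
#
# Usage: iptables {start|stop|restart}

. /etc/rc.config

# Determine the base and follow a runlevel link name.
base=${0##*/}
link=${base#*[SK][0-9][0-9]}

# Force execution if not called by a runlevel directory.
test "$link" = "$base" && START_IPTABLES=yes
test "$START_IPTABLES" = yes || exit 0

MODPROBE="/sbin/modprobe"
INSMOD="/sbin/insmod"
IPTABLES="/usr/sbin/iptables"

# Interface with the connection to the Internet (e.g. ppp0).
DEV_INET="ppp0"
# NOTE(review): a fixed address on a ppp link with ip_dynaddr enabled (see
# the end of "start") only works while the address really is static; after
# a redial that hands out a new address every "-s $IP_INET" / "-d $IP_INET"
# rule below stops matching.  Confirm the link address is fixed.
IP_INET="192.168.0.98"

# The device on the LAN side.
DEV_LAN=eth0
IP_LAN=192.168.1.1

# Loopback device.  Everybody has one.
DEV_LOOP=lo
IP_LOOP=127.0.0.1

# Shorthand for all IP addresses.
ANY=0.0.0.0/0

# Shorthand for all IP addresses in our own LAN.
LOC_NET=192.168.1.0/24

# Ports that must never cross the gateway in either direction (NetBIOS/RPC,
# BOOTP/DHCP, TFTP, telnet, portmapper, SNMP, MSSQL).  Used in both the
# INPUT and the FORWARD chain, for tcp and udp, as source and destination.
WIN_PORTS=135,137,138,139,67,68,69,23,111,161,1433

# The echo return value for success (defined in /etc/rc.config).
return=$rc_done

# Lock the box down and throw away every existing rule and user chain in
# the filter, nat and mangle tables.
# The policies are set to DROP *before* flushing: flushing first would leave
# the previous policies in effect with no rules at all (on a fresh boot that
# is the kernel default of ACCEPT) until the new ruleset is in place.
flush_all() {
  $IPTABLES -P INPUT DROP
  $IPTABLES -P FORWARD DROP
  $IPTABLES -P OUTPUT DROP
  for tbl in filter nat mangle; do
    $IPTABLES -t "$tbl" -F
    $IPTABLES -t "$tbl" -X
  done
}

case "$1" in
  start)
    echo -n "Starting iptables"

    # BEGIN --- Firewall
    # Keep forwarding etc. switched off while the ruleset is rebuilt; they
    # are re-enabled at the end, once every rule is in place.
    echo "0" > /proc/sys/net/ipv4/ip_dynaddr
    echo "0" > /proc/sys/net/ipv4/ip_forward
    echo "0" > /proc/sys/net/ipv4/tcp_syncookies
    echo "0" > /proc/sys/net/ipv4/conf/all/proxy_arp

    # Load modules for iptables.  KERNEL is expected from /etc/rc.config;
    # fall back to the running kernel so the glob does not silently become
    # /lib/modules//kernel/... when it is unset.  Failures are deliberately
    # not fatal: iptables autoloads the table modules it needs, and on many
    # kernels these are built in.  ipt_mac is loaded but no rule below uses
    # "-m mac".
    $INSMOD /lib/modules/${KERNEL:-$(uname -r)}/kernel/net/ipv4/netfilter/*
    $MODPROBE iptable_nat ip_conntrack
    $MODPROBE ip_nat_ftp ip_conntrack_ftp
    $MODPROBE ipt_LOG ipt_mac ipt_state

    # Lock down, then remove all rules before inserting the new ones.
    flush_all

    # PRE- and POST-routing in the nat table are allowed.
    $IPTABLES -t nat -P PREROUTING ACCEPT
    $IPTABLES -t nat -P POSTROUTING ACCEPT

    # Damaged or unsafe packets.
    # NOTE(review): "-m unclean" only exists on old 2.4 kernels; where the
    # match is missing that single rule fails and the rest still loads.
    # REJECT on INVALID sends a reply for packets conntrack cannot place;
    # DROP is the more common choice for this chain.
    $IPTABLES -N invalid
    $IPTABLES -A INPUT -m state --state INVALID ! -i $DEV_LOOP -j invalid
    $IPTABLES -A FORWARD -m state --state INVALID -j invalid
    $IPTABLES -A INPUT -m unclean ! -i $DEV_LOOP -j invalid
    $IPTABLES -A invalid -m limit -j LOG --log-prefix "invalid "
    $IPTABLES -A invalid -j REJECT

    # XMAS packets (all TCP flags set).
    $IPTABLES -N xmas
    $IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j xmas
    $IPTABLES -A FORWARD -p tcp --tcp-flags ALL ALL -j xmas
    $IPTABLES -A xmas -m limit -j LOG --log-level info --log-prefix "xmas-scan "
    $IPTABLES -A xmas -j REJECT

    # NULL packets (no TCP flags set).
    $IPTABLES -N null_scan
    $IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j null_scan
    $IPTABLES -A FORWARD -p tcp --tcp-flags ALL NONE -j null_scan
    $IPTABLES -A null_scan -m limit -j LOG --log-level info --log-prefix "null-scan "
    $IPTABLES -A null_scan -j REJECT

    # Spoofed packets: log and reject.
    # Anything on the LAN interface must come from LOC_NET; forwarded
    # traffic arriving on the Internet interface must not claim an RFC 1918
    # source.
    # NOTE(review): the RFC 1918 check covers FORWARD only, not INPUT on
    # $DEV_INET; the rp_filter setting at the end of "start" is what guards
    # the gateway itself.  Adding it to INPUT needs care because IP_INET is
    # itself inside 192.168.0.0/16.
    $IPTABLES -N spoofing
    $IPTABLES -A INPUT -i $DEV_LAN ! -s $LOC_NET -j spoofing
    $IPTABLES -A FORWARD -i $DEV_LAN ! -s $LOC_NET -j spoofing
    $IPTABLES -A FORWARD -i $DEV_INET -s 192.168.0.0/16 -j spoofing
    $IPTABLES -A FORWARD -i $DEV_INET -s 172.16.0.0/12 -j spoofing
    $IPTABLES -A FORWARD -i $DEV_INET -s 10.0.0.0/8 -j spoofing
    $IPTABLES -A spoofing -m limit -j LOG --log-level info --log-prefix "spoofing "
    $IPTABLES -A spoofing -j REJECT

    # ICMP handling - ICMP is allowed, but not type 5 (redirect).
    # NOTE(review): every other ICMP type is accepted from any interface,
    # Internet included, without a rate limit.
    $IPTABLES -N icmp_allow
    $IPTABLES -N icmp_reject
    $IPTABLES -A INPUT -p icmp ! --icmp-type 5 -j icmp_allow
    $IPTABLES -A INPUT -i $DEV_INET -p icmp --icmp-type 5 -m limit -j icmp_reject
    $IPTABLES -A icmp_allow -j ACCEPT
    $IPTABLES -A icmp_reject -m limit -j LOG --log-prefix "icmp_rej "
    $IPTABLES -A icmp_reject -j REJECT --reject-with icmp-host-unreachable

    # BEGIN --- Needed by the gateway itself
    # Established connections are allowed.
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Loopback device, DO NOT CHANGE!!!
    $IPTABLES -N lo_accept
    $IPTABLES -A INPUT -i $DEV_LOOP -m state --state NEW -j lo_accept
    $IPTABLES -A OUTPUT -o $DEV_LOOP -m state --state NEW -j lo_accept
    $IPTABLES -A lo_accept -j ACCEPT

    # Outgoing ICMP (e.g. ping) from the gateway is allowed.
    $IPTABLES -N icmp_gate
    $IPTABLES -A OUTPUT -p icmp -j icmp_gate
    $IPTABLES -A icmp_gate -j ACCEPT

    # Allow ftp/www from the gateway.
    $IPTABLES -N www_gate
    $IPTABLES -A OUTPUT -p tcp --dport 21 -s $IP_INET -m state --state NEW -o $DEV_INET -j www_gate
    $IPTABLES -A OUTPUT -p tcp --dport 80 -s $IP_INET -m state --state NEW -o $DEV_INET -j www_gate
    $IPTABLES -A www_gate -j ACCEPT

    # Allow NTP (Network Time Protocol).
    $IPTABLES -N ntp_gate
    $IPTABLES -A OUTPUT -p udp --dport 123 -s $IP_INET -m state --state NEW -o $DEV_INET -j ntp_gate
    $IPTABLES -A ntp_gate -j ACCEPT

    # Allow DNS, DO NOT CHANGE!!!
    # Only UDP is opened; DNS over TCP (large answers, zone transfers) will
    # end up in the final OUTPUT reject.
    $IPTABLES -N dns_gate
    $IPTABLES -A OUTPUT -p udp -o $DEV_INET --dport 53 -m state --state NEW -j dns_gate
    $IPTABLES -A dns_gate -j ACCEPT

    # Allow SSH from the gateway to the Internet, from the LAN to the
    # gateway and from the Internet to the gateway.
    # NOTE(review): the Internet-facing rule accepts NEW connections to
    # port 22 from any source with no rate limit; consider "-m limit" or
    # restricting "-s" to known administrator addresses.
    $IPTABLES -N ssh_gate
    $IPTABLES -A OUTPUT -p tcp -m state --state NEW --dport 22 -j ssh_gate
    $IPTABLES -A INPUT -p tcp -m state --state NEW -s $LOC_NET --dport 22 -d $IP_LAN -j ssh_gate
    $IPTABLES -A INPUT -p tcp -m state --state NEW -d $IP_INET --dport 22 -j ssh_gate
    $IPTABLES -A ssh_gate -j ACCEPT

    # Allow SMTP.
    $IPTABLES -N smtp_gate
    $IPTABLES -A OUTPUT -p tcp -o $DEV_INET -m state --state NEW --dport 25 -j smtp_gate
    $IPTABLES -A OUTPUT -p tcp -o $DEV_LAN -m state --state NEW --dport 25 -d $LOC_NET -j smtp_gate
    $IPTABLES -A smtp_gate -j ACCEPT

    # Allow POP3.
    $IPTABLES -N pop3_gate
    $IPTABLES -A OUTPUT -p tcp -o $DEV_INET -m state --state NEW --dport 110 -j pop3_gate
    $IPTABLES -A pop3_gate -j ACCEPT
    # END --- Needed by the gateway itself

    # BEGIN --- Needed by the clients
    # Established connections are allowed.
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # NAT/Masquerading, DO NOT CHANGE!!!
    # Only LOC_NET is masqueraded; the alternatives (masquerade everything,
    # or static SNAT to IP_INET) are kept for reference.
    # $IPTABLES -t nat -A POSTROUTING -o $DEV_INET -j MASQUERADE
    $IPTABLES -t nat -A POSTROUTING -o $DEV_INET -s $LOC_NET -j MASQUERADE
    # $IPTABLES -t nat -A POSTROUTING -o $DEV_INET -s $LOC_NET -j SNAT --to-source $IP_INET

    # Needed for DSL and PPPoE to change the MTU from 1500 to 1492.
    # TCPMSS does not terminate the chain, so inserting it at the top of
    # FORWARD does not bypass any of the checks above.
    $IPTABLES -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

    # Do not let the Windows boxes do things that are not good: reject
    # WIN_PORTS in both chains, both protocols, as source and destination.
    # This comes before locnet_out so LAN clients cannot reach them either.
    for chain in INPUT FORWARD; do
      for proto in tcp udp; do
        $IPTABLES -A "$chain" -p "$proto" -m multiport --sport "$WIN_PORTS" -j REJECT
        $IPTABLES -A "$chain" -p "$proto" -m multiport --dport "$WIN_PORTS" -j REJECT
      done
    done

    # Allow everything else from the LAN.  It would be more secure to allow
    # only the services that are needed, but we are in a LAN behind a
    # firewall.
    $IPTABLES -N locnet_out
    $IPTABLES -A INPUT -s $LOC_NET -i $DEV_LAN -m state --state NEW -j locnet_out
    $IPTABLES -A FORWARD -s $LOC_NET -i $DEV_LAN -o $DEV_INET -m state --state NEW -j locnet_out
    $IPTABLES -A locnet_out -j ACCEPT
    # END --- Needed by the clients

    # BEGIN --- Logging
    # Log (rate limited) whatever reaches the end of a chain ...
    $IPTABLES -A INPUT -m limit -j LOG --log-prefix "FINAL IN "
    $IPTABLES -A OUTPUT -m limit -j LOG --log-prefix "FINAL OUT "
    $IPTABLES -A FORWARD -m limit -j LOG --log-prefix "FINAL FOR "

    # ... and reject it.
    $IPTABLES -A INPUT -j REJECT
    $IPTABLES -A OUTPUT -j REJECT
    $IPTABLES -A FORWARD -j REJECT
    # END --- Logging

    # Now that the ruleset is complete, switch the kernel features on.
    # NOTE(review): proxy_arp is enabled on *all* interfaces, so the gateway
    # answers ARP for routable addresses on the Internet side as well as the
    # LAN; confirm this is really intended for this setup.
    echo "2" > /proc/sys/net/ipv4/ip_dynaddr
    echo "1" > /proc/sys/net/ipv4/ip_forward
    echo "1" > /proc/sys/net/ipv4/tcp_syncookies
    echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp
    # Reverse-path filtering on every interface: drop packets whose source
    # would not be routed back out the interface they arrived on.
    for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
      echo 1 > "$f"
    done
    # END --- Firewall

    echo -e "$return"
    ;;
  stop)
    echo -n "Shutting down iptables"

    # Remove all rules but keep every policy at DROP: stopping the firewall
    # locks the box down, it does not open it.
    flush_all

    echo -e "$return"
    ;;
  restart)
    ## If the first returns OK call the second; if the first or the
    ## second command fails, set the echo return value.
    $0 stop && $0 start || return=$rc_failed
    ;;
  *)
    echo "Usage: $0 {start|stop|restart}"
    exit 1
    ;;
esac

# Inform the caller not only verbosely and set an exit status.
test "$return" = "$rc_done" || exit 1
exit 0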