rc.firetux (iptables with auto config)

From: no0ne (no0ne_at_192.168.0.0)
Date: 04/28/05


Date: Thu, 28 Apr 2005 19:51:49 GMT

In needing an easy way to set up internet access/firewall for private
networks, I needed something simple that didn't require all the extra
information that goes into building a script for each individual subnet.
Hence firetux was built.

Using commands such as ifconfig, route, grep, awk, etc., an auto config
section was designed for gathering information, based on just the
interfaces themselves (eth0, eth1, ppp0, etc.). Handles class A, B, and
C networks.

Tested on Slackware 10.1, SuSe 9.3 (Novell), and Fedora 3

Any questions or comments, please let me know...

Thanks,
no0ne

-snip-

#!/bin/bash
#
# FireTux 2.0.16 (rc.firetux) - iptables-based firewall script.
# Tested on Slackware 10.1, SuSe 9.3 (Novell), Fedora 3
# By: no0ne (GPL :)
#
# A simple iptables firewall script with auto config for easy setup.
# All you need to know is the internal and external interfaces (eth0,
# ppp0 etc.); the script takes care of the rest.
#
# Designed to handle masquerading private LANs for internet access.
# Can pose as the upstream DNS server for the internal LAN (DNATs port 53
# to the first nameserver in /etc/resolv.conf). Can be set up to route
# external connections to internal hosts, for serving http, ftp, etc. to
# the internet.
#
# Requirements:
# Two network interfaces (eth0, eth1, ppp0, etc.)
# Linux with iptables (Duh :)
#
####-[ User Config ]-##########################################

EXTIF='eth0'            # External/Internet
INTIF='eth1'            # Internal/LAN
MASQ_INTERNAL_LAN='y'   # Masquerade internal LAN -> Internet
PREROUTE_DNS='y'        # Pose as DNS server for the internal LAN (DNAT port 53 to the nameserver in /etc/resolv.conf)
LOGGING='off'           # Log dropped traffic (on/off) [for debugging connections]

EXT_TCP_ACCEPT=''       # Ports on this host open to hosts outside the LAN (addressed
EXT_UDP_ACCEPT=''       # to EXTIP), space separated, e.g. '22 80'.
INT_TCP_ACCEPT=''       # Ports on this host open to the internal LAN (addressed
INT_UDP_ACCEPT=''       # to INTIP).

PREROUTING_DEST=''      # Forward external TCP connections on a port to an internal host.
                        # List 'ip:port ip2:port' separated by spaces.

###-[ Auto Config ]-############################################

# Locate the tools. `command -v` only reports real executables; the old
# `whereis | awk '{print $2}'` could return a man page path when the binary
# was missing, and `[ ! ${VAR} ]` on an empty value is always true.
IPTABLES=$(command -v iptables)
   if [ -z "${IPTABLES}" ]; then
      echo "Can't run! iptables not found!"
      exit 1
   fi
IFCON_=$(command -v ifconfig)
   if [ -z "${IFCON_}" ]; then
      echo "Alert! ifconfig not found, can't setup interfaces..."
      exit 1
   fi
ROUTE_=$(command -v route)
   if [ -z "${ROUTE_}" ]; then
      echo "Alert! route not found, can't setup internal network..."
      exit 1
   fi

# IPv4 address / netmask of an interface. Match only the 'inet ' line (a bare
# 'grep inet' also hits 'inet6') and accept both the old net-tools output
# ('inet addr:A.B.C.D ... Mask:M') and the current one ('inet A.B.C.D netmask M').
ifAddr() { ${IFCON_} "$1" | awk '/inet /{ sub(/^addr:/, "", $2); print $2; exit }'; }
ifMask() { ${IFCON_} "$1" | awk '/inet /{ for (i = 1; i <= NF; i++) {
              if ($i == "netmask") { print $(i+1); exit }
              if ($i ~ /^Mask:/)  { sub(/^Mask:/, "", $i); print $i; exit } } }'; }

EXTIP=$(ifAddr "${EXTIF}")
   if [ -z "${EXTIP}" ]; then
           EXTIP="127.0.0.1"
           echo "Unable to determine the IP for ${EXTIF} !"
           echo "${EXTIF} set to ${EXTIP}"
   fi
INTIP=$(ifAddr "${INTIF}")
   if [ -z "${INTIP}" ]; then
           INTIP="127.0.0.1"
           echo "Unable to determine the IP for ${INTIF} !"
           echo "${INTIF} set to ${INTIP}"
   fi

# Running DHCP client / server? (ps -A prints command names only, so the
# grep process itself never matches.)
DHCPCLIENT="0"
   if ps -A | grep -qw dhclient || ps -A | grep -qw dhcpcd; then
      DHCPCLIENT="1"
   fi
DHCPSERVER="0"
   if ps -A | grep -qw dhcpd; then
      DHCPSERVER="1"
   fi

LOOPBACKIF="lo"; LOOPBACKIP="127.0.0.1"; INTERNET="0.0.0.0/0"
INTMASK=$(ifMask "${INTIF}")
# Network address of the LAN: the 'route -n' entry for INTIF with that mask
# (columns: Destination Gateway Genmask Flags Metric Ref Use Iface).
INTSUBNET=$(${ROUTE_} -n | awk -v ifc="${INTIF}" -v m="${INTMASK}" '$8 == ifc && $3 == m { print $1; exit }')
INTERNAL_LAN="${INTSUBNET}/${INTMASK}"
   if [ -z "${INTSUBNET}" ] || [ -z "${INTMASK}" ]; then
      # Going on would build rules with '-s /' and silently load a broken rule set.
      echo "Unable to determine the network on ${INTIF} (got '${INTERNAL_LAN}')!"
      exit 1
   fi

# Target for unwanted packets: plain DROP, or log-then-drop when LOGGING='on'.
dropType="DROP"; [ "${LOGGING}" = "on" ] && dropType="LDROP"

STATUS_STARTED=FALSE
################################################################
################################################################

logo() {
  echo "
  ____ ___ ____ ____ ____ __________________________________________
 ( _) ) o \( _) |____|____|____|____|____|____|___ .--. _|____|
  | |- ) (| __ / | E_ _______ |____|____|____|____|____| |o_o | ___|_
 (___)(___)__|\_)____)_ __) |____|__ |:_/ | |____|
 (__ __) __ __ __ | | | // \ \\ __|_
    | |( \/ )_ \/ _)| | | FireTux II, (2.0.16) (| | ) ___|
    | | | | _> <_ | | |_ /'\_ _/'\\ _|_
   (___) \__/ (__/\__)_______) \___)=(___/ ___|
  "
}

function init() {
 
        logo
        setNetSysOptions
        resetChains
        setupLogging
        trafficControl
        setupRouting

        showStatus done
}

function showStatus() {
        if [ "${STATUS_STARTED}" = FALSE ]; then
           # Plain assignment: `let STATUS_STARTED=TRUE` did arithmetic on an
           # unset name and stored 0, so the flag only worked by accident.
           STATUS_STARTED=TRUE
           echo -n "Loading Firewall ||"
        fi
        if [ "${1}" = "done" ]; then
           echo -n -e "\b| Done!\n"
        else
           # 'showStatus X', for debugging.
           if [ -n "${1}" ]; then
              echo -n -e "\b${1}>"
           else
              echo -n -e "\b===>"
           fi
        fi
}

function resetChains() {
        echo 0 > /proc/sys/net/ipv4/ip_forward
        # -F/-X/-Z without -t only touch the 'filter' table; flush 'nat' too,
        # or old DNAT/SNAT rules survive a stop or restart.
        for table in filter nat; do
           ${IPTABLES} -t ${table} -F
           ${IPTABLES} -t ${table} -X
           ${IPTABLES} -t ${table} -Z
        done
}

function setNetSysOptions() {
        echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
        echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
        echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
        echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
        echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
        echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
        echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
        echo 1 > /proc/sys/net/ipv4/tcp_syncookies
        echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
        echo 1 > /proc/sys/net/ipv4/conf/all/secure_redirects
        showStatus
}

function setupLogging() {
        LogIt="-j LOG --log-level notice --log-prefix"

        ${IPTABLES} -N LBADFLAG
        ${IPTABLES} -A LBADFLAG ${LogIt} "ALERT BADFLAG A=DROP "
        ${IPTABLES} -A LBADFLAG -j DROP

        # TCP flag combinations a normal stack never sends (XMAS, NULL, SYN+FIN, ...).
        ${IPTABLES} -N CHECKBADFLAG
        ${IPTABLES} -A CHECKBADFLAG -p tcp --tcp-flags ALL FIN,URG,PSH -j LBADFLAG
        ${IPTABLES} -A CHECKBADFLAG -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LBADFLAG
        ${IPTABLES} -A CHECKBADFLAG -p tcp --tcp-flags ALL ALL -j LBADFLAG
        ${IPTABLES} -A CHECKBADFLAG -p tcp --tcp-flags ALL NONE -j LBADFLAG
        ${IPTABLES} -A CHECKBADFLAG -p tcp --tcp-flags SYN,RST SYN,RST -j LBADFLAG
        ${IPTABLES} -A CHECKBADFLAG -p tcp --tcp-flags SYN,FIN SYN,FIN -j LBADFLAG

        # Log-then-drop target used in place of DROP when LOGGING='on'. It was
        # commented out before, so '-j LDROP' pointed at a chain that did not exist.
        ${IPTABLES} -N LDROP
        ${IPTABLES} -A LDROP -p tcp ${LogIt} "TCP A=DROP "
        ${IPTABLES} -A LDROP -p udp ${LogIt} "UDP A=DROP "
        ${IPTABLES} -A LDROP -p icmp ${LogIt} "ICMP A=DROP "
        ${IPTABLES} -A LDROP -f ${LogIt} "FRAGMENT A=DROP "
        ${IPTABLES} -A LDROP -j DROP

        ${IPTABLES} -N ALLOWED
        ${IPTABLES} -A ALLOWED -j ACCEPT
        showStatus
}

function trafficControl() {
        # Services on this host. '! -s' is the current negation syntax; the
        # intrapositioned '-s !' form is deprecated.
        for port in ${INT_TCP_ACCEPT}; do
           ${IPTABLES} -A INPUT -s ${INTERNAL_LAN} -d ${INTIP} -p tcp --dport ${port} -j ALLOWED; done
        for port in ${INT_UDP_ACCEPT}; do
           ${IPTABLES} -A INPUT -s ${INTERNAL_LAN} -d ${INTIP} -p udp --dport ${port} -j ALLOWED; done
        for port in ${EXT_TCP_ACCEPT}; do
           ${IPTABLES} -A INPUT ! -s ${INTERNAL_LAN} -d ${EXTIP} -p tcp --dport ${port} -j ALLOWED; done
        for port in ${EXT_UDP_ACCEPT}; do
           ${IPTABLES} -A INPUT ! -s ${INTERNAL_LAN} -d ${EXTIP} -p udp --dport ${port} -j ALLOWED; done

        if [ "${DHCPCLIENT}" = "1" ] || [ "${DHCPSERVER}" = "1" ]; then
           ${IPTABLES} -A INPUT -p udp --sport 67:68 --dport 67:68 -j ALLOWED
           if [ "${DHCPCLIENT}" = "1" ]; then
              echo 1 > /proc/sys/net/ipv4/ip_dynaddr
           fi
        fi

        ${IPTABLES} -A INPUT -i lo -j ALLOWED
        ${IPTABLES} -A INPUT -j CHECKBADFLAG
        ${IPTABLES} -A INPUT -d 255.255.255.255 -j DROP
        ${IPTABLES} -A INPUT -m state --state INVALID,NEW -j ${dropType}
        ${IPTABLES} -A INPUT -m state --state RELATED,ESTABLISHED -j ALLOWED
        ${IPTABLES} -A OUTPUT -m state --state RELATED,NEW,ESTABLISHED -j ALLOWED
        ${IPTABLES} -A INPUT -j DROP
        ${IPTABLES} -A OUTPUT -j DROP

        # Forwarded traffic. The FORWARD policy is ACCEPT by default, so once
        # ip_forward is on, anything the kernel routes passes unless filtered here:
        # LAN -> Internet is free, replies come back, DNAT'd services are reachable.
        ${IPTABLES} -A FORWARD -j CHECKBADFLAG
        ${IPTABLES} -A FORWARD -m state --state RELATED,ESTABLISHED -j ALLOWED
        ${IPTABLES} -A FORWARD -i ${INTIF} -o ${EXTIF} -s ${INTERNAL_LAN} -m state --state NEW -j ALLOWED
        for DEST in ${PREROUTING_DEST}; do   # ip:port entries DNAT'd in setupRouting
           ${IPTABLES} -A FORWARD -i ${EXTIF} -o ${INTIF} -p tcp -d ${DEST%%:*} --dport ${DEST##*:} -j ALLOWED
        done
        ${IPTABLES} -A FORWARD -j ${dropType}
        showStatus
}

function setupRouting() {

        echo 1 > /proc/sys/net/ipv4/ip_forward

        if [ -n "${PREROUTING_DEST}" ]; then
           for DEST in ${PREROUTING_DEST}; do
                host=${DEST%%:*}; port=${DEST##*:}
                ${IPTABLES} -t nat -A PREROUTING -i ${EXTIF} -p tcp -d ${EXTIP} --dport ${port} -j DNAT --to ${host}
           done
        fi
        if [ "${PREROUTE_DNS}" = "y" ]; then
           # First 'nameserver' entry, read directly rather than via 'tail -n 3'
           # into an array, which missed it when other lines followed the nameservers.
           DNS1=$(awk '$1 == "nameserver" { print $2; exit }' /etc/resolv.conf)
           if [ -n "${DNS1}" ] && [ "${DNS1}" != "${LOOPBACKIP}" ]; then
              # Only DNS queries from the LAN to this host. Without -i and --dport the
              # original rule rewrote every UDP packet addressed to INTIP, DHCP included.
              ${IPTABLES} -t nat -A PREROUTING -i ${INTIF} -d ${INTIP} -p udp --dport 53 -j DNAT --to-destination ${DNS1}:53
              ${IPTABLES} -t nat -A PREROUTING -i ${INTIF} -d ${INTIP} -p tcp --dport 53 -j DNAT --to-destination ${DNS1}:53
           else
              echo "PREROUTE_DNS: no usable nameserver in /etc/resolv.conf, skipping."
           fi
        fi
        if [ "${MASQ_INTERNAL_LAN}" = "y" ]; then
           if [ "${DHCPCLIENT}" = "1" ] || [ "${EXTIP}" = "${LOOPBACKIP}" ]; then
              # Dynamic external address (DHCP, PPP): MASQUERADE re-reads it per packet,
              # where SNAT --to would keep using the address seen at start-up.
              ${IPTABLES} -t nat -A POSTROUTING -s ${INTERNAL_LAN} ! -d ${INTERNAL_LAN} -o ${EXTIF} -j MASQUERADE
           else
              ${IPTABLES} -t nat -A POSTROUTING -s ${INTERNAL_LAN} ! -d ${INTERNAL_LAN} -o ${EXTIF} -j SNAT --to ${EXTIP}
           fi
        fi
        showStatus
}
##############################################################################

case "$1" in
   "-o" | "--off" | "stop")
      resetChains
      echo "Firewall Stopped!"
      ;;
   "-s" | "--start" | "start")
      init
      ;;
   "-r" | "--restart" | "restart")
      exec $0 --start
      ;;
   *)
      echo "$0 - a.k.a FireTux II (2.0.16)"
      echo " Usage: $0 --start"
      echo
      echo " -o, --off, stop          Unloads current iptables rules"
      echo " -s, --start, start       Initializes the rule set"
      echo " -r, --restart, restart   Reinitializes the iptables rule set"
      echo
      ;;
esac
exit 0
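As an added example (not part of no0ne's post or of rc.firetux itself), here is the auto-config derivation the script does with ifconfig, route and awk, rewritten as functions over captured command text so it can be checked offline. The ifconfig, route -n and resolv.conf samples are constructed, and the functions accept both the 2005 net-tools format (inet addr:A.B.C.D ... Mask:M) and the current one (inet A.B.C.D netmask M), which a bare `grep inet | cut` did not.

```shell
#!/bin/sh
# Constructed samples of what rc.firetux parses (not captured from a real host).
OLD_IFCONFIG='eth1      Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::211:22ff:fe33:4455/64 Scope:Link'
NEW_IFCONFIG='eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.1.2.1  netmask 255.255.0.0  broadcast 10.1.255.255
        inet6 fe80::211:22ff:fe33:4455  prefixlen 64  scopeid 0x20<link>'
ROUTE_N='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         203.0.113.1     0.0.0.0         UG    0      0        0 eth0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
203.0.113.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0'
RESOLV='search example.test
nameserver 203.0.113.53
nameserver 203.0.113.54'

# IPv4 address from an ifconfig dump: only the 'inet ' line (a bare 'grep inet'
# also matches inet6); old 'inet addr:A.B.C.D' and new 'inet A.B.C.D' alike.
if_addr() {
    printf '%s\n' "$1" | awk '/inet /{ sub(/^addr:/, "", $2); print $2; exit }'
}

# Netmask from the same dump: 'Mask:M' (old) or 'netmask M' (new).
if_mask() {
    printf '%s\n' "$1" | awk '/inet /{ for (i = 1; i <= NF; i++) {
        if ($i == "netmask") { print $(i+1); exit }
        if ($i ~ /^Mask:/)  { sub(/^Mask:/, "", $i); print $i; exit } } }'
}

# Network address from 'route -n' text for a given interface and mask
# (columns: Destination Gateway Genmask Flags Metric Ref Use Iface); empty if none.
route_net() {
    printf '%s\n' "$1" | awk -v ifc="$2" -v m="$3" '$8 == ifc && $3 == m { print $1; exit }'
}

# First 'nameserver' entry of resolv.conf text, wherever it sits in the file.
first_nameserver() {
    printf '%s\n' "$1" | awk '$1 == "nameserver" { print $2; exit }'
}

# The value the script stores in INTERNAL_LAN ('network/dotted-mask'), from an
# interface's ifconfig dump, the route -n output and the interface name.
internal_lan() {
    mask=$(if_mask "$1")
    net=$(route_net "$2" "$3" "$mask")
    [ -n "$net" ] && [ -n "$mask" ] || return 1   # never emit a half-built '/mask'
    printf '%s/%s\n' "$net" "$mask"
}
```

Feeding the second (current-format) sample through `internal_lan` fails deliberately: its 255.255.0.0 mask has no matching route entry, which is the case where the original script would have built a rule with an empty network.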
