
#!/bin/sh -e
### BEGIN INIT INFO
# Provides:          iptables rules ifupdown
# Required-Start:
# Required-Stop:
# Default-Start:     2
# Default-Stop:      0 6
# Short-Description: Configure iptables rules in firewall
# Description:       Configure iptables rules in firewall
### END INIT INFO
#
checkStatus () {
	# Print " ... done" / " ... failed" for the command that ran immediately
	# before this call. It reads $? on entry, so nothing may sit between the
	# checked command and the call (the script uses `cmd ; checkStatus`).
	# The script runs under `sh -e`, so a failing simple command aborts before
	# this prints "failed"; the failure branch is reachable mainly for
	# functions invoked in an `a && b` list, where -e is suspended.
	case $? in
		0) echo " ... done" ;;
		*) echo " ... failed" ;;
	esac
}
#
# vars: Loading variables
echo -n "iptables: Loading variables"
#
# Fixed, minimal search path: the script runs as root at boot and must not
# pick up iptables/modprobe from a directory the caller's PATH happens to list.
PATH=/sbin:/bin
#
# Protected LAN: interface, the gateway's own address on it, and its network.
LAN_IFACE=eth2
LAN_IP=192.168.0.250
LAN_NET=192.168.0.0/24
#
# VPN tunnel interface; currently disabled and referenced by no active rule.
#TUN_IFACE="tun+"
#
# Primary WAN: the PPP link that nat_postrouting masquerades.
WAN1_IFACE=ppp0
#
# Secondary WAN plus its policy-routing table. Only the commented-out
# ip_route_* / mangle helpers and the second MASQUERADE rule use these.
WAN2_IFACE=eth1
WAN2_GW=192.168.1.1
WAN2_NET=192.168.1.0/24
WAN2_RTTBL=gvt
# Plain assignments cannot fail, so this always reports "done".
checkStatus
#
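# kernel: System configurations
echo -n "kernel: System configurations"
# NOTE(review): forwarding is switched on here, before any rule is loaded and
# while the chain policies below are still ACCEPT; on `start` the box forwards
# unfiltered until default_policy_drop runs. Enabling ip_forward as the last
# step of `start` would close that window.
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# NOTE(review): timestamps off, presumably against uptime fingerprinting; this
# also disables PAWS/RTT measurement, which matters on fast links — confirm.
echo 0 > /proc/sys/net/ipv4/tcp_timestamps
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# With forwarding on, the kernel honours redirects only if both all/ and the
# interface entry are 1, so clearing all/ is enough here.
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
#
# Added: a forwarding gateway should neither honour source-routed packets nor
# emit ICMP redirects (a gateway that sends redirects lets a host on the LAN
# be steered to a rogue next hop). send_redirects is effective when EITHER
# all/ or the interface entry is set, so every conf/* entry is cleared, in the
# same way rp_filter is set below.
for SR in /proc/sys/net/ipv4/conf/*/accept_source_route ; do echo 0 > "${SR}" ; done
for SR in /proc/sys/net/ipv4/conf/*/send_redirects ; do echo 0 > "${SR}" ; done
#
# ICMP control: answer unicast echo (the ICMP chain rate-limits it) but
# ignore broadcast echo so the host is not usable as an amplifier.
echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
#
# Anti-spoofing: strict reverse-path filtering on every interface.
for RP in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > "${RP}" ; done
#
# Raise the neighbour (ARP) table thresholds so "neighbour table overflow"
# messages stop filling syslog. Each write is guarded with -e because the
# script runs under `sh -e` and a missing /proc entry would abort it.
gc_thresh1="/proc/sys/net/ipv4/neigh/default/gc_thresh1"
if [ -e "${gc_thresh1}" ]; then echo 1024 > "${gc_thresh1}" ; fi
gc_thresh2="/proc/sys/net/ipv4/neigh/default/gc_thresh2"
if [ -e "${gc_thresh2}" ]; then echo 2048 > "${gc_thresh2}" ; fi
gc_thresh3="/proc/sys/net/ipv4/neigh/default/gc_thresh3"
if [ -e "${gc_thresh3}" ]; then echo 4096 > "${gc_thresh3}" ; fi
#
# Double the default conntrack table size and shorten the established-TCP
# timeout to 15 minutes. Both the legacy ip_conntrack and the nf_conntrack
# entry names are tried, since only one exists depending on the kernel.
ip_conntrack_max="/proc/sys/net/ipv4/ip_conntrack_max"
if [ -e "${ip_conntrack_max}" ]; then echo 65535 > "${ip_conntrack_max}"; fi
nf_conntrack_max="/proc/sys/net/nf_conntrack_max"
if [ -e "${nf_conntrack_max}" ]; then echo 65535 > "${nf_conntrack_max}"; fi
ip_conntrack_tcp_timeout="/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established"
if [ -e "${ip_conntrack_tcp_timeout}" ]; then echo 900 > "${ip_conntrack_tcp_timeout}"; fi
checkStatus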
#
# iptables: Loading modules
echo -n "iptables: Loading modules"
# Connection tracking, the FTP helper (what lets the RELATED rules admit FTP
# data connections), the NAT table and the MASQUERADE target, loaded in the
# original order. Under `sh -e` a module that fails to load aborts the script
# here, before the ruleset is touched, so the previous rules stay in place.
# NOTE(review): these are the legacy ip_* module names; on kernels that only
# ship the nf_* names this relies on the compatibility aliases — verify on
# the target kernel, since a failure here leaves the firewall in whatever
# state it was before.
for MOD in ip_nat_ftp ip_conntrack ip_conntrack_ftp ip_tables iptable_nat ipt_MASQUERADE ; do
	modprobe "${MOD}"
done
checkStatus
#
# iptables: Clear ALL rules
echo -n "iptables: Clear ALL rules"
# Flush every table this script touches, then delete the user chains
# (ICMP, PROTECT, ALLOWIN, ALLOWFWD) so that `start` can recreate them with
# -N. Only the filter table has user chains here, hence the single -X.
for TBL in filter nat mangle ; do
	iptables -t "${TBL}" -F
done
iptables -X
checkStatus
#
# iptables: Setting chains to ACCEPT
echo -n "iptables: Setting chains to ACCEPT"
# Fail-open baseline. This is the state `stop` and `nat` leave behind:
# flushed tables, ACCEPT policies and ip_forward still enabled, i.e. the
# firewall is off and the box routes freely. On `start` the window lasts
# until default_policy_drop runs in the dispatch below.
for CHAIN in INPUT FORWARD OUTPUT ; do
	iptables -P "${CHAIN}" ACCEPT
done
checkStatus
#
# iptables: SSH rules
echo -n "iptables: SSH rules"
# Appended first, before the policies go to DROP, so an admin session is not
# locked out while the rest of the ruleset loads. No -i and no -s: SSH is
# reachable from every interface including the WAN link, with no rate limit.
# NOTE(review): add `-i ${LAN_IFACE}` if WAN-side SSH is not intended,
# otherwise pair this with `-m limit` or `-m recent` against brute forcing.
iptables -A INPUT -m comment --comment "ssh input accept" -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
# Optional: on the LAN side, send connections to port 22 of the gateway's
# own address to local port 65522 instead.
#iptables -A PREROUTING -t nat -m comment --comment "ssh port redirect" -i ${LAN_IFACE} -p tcp -m tcp -d ${LAN_IP} --dport 22 -j REDIRECT --to-port 65522
checkStatus
#
# iptables: ip route stop
#ip_route_stop () {
#	IPVAR=$(ip route show table ${WAN2_RTTBL})
#	if [ ! -z "${IPVAR}" ]; then
#		ip route del ${WAN2_NET} via ${WAN2_GW} table ${WAN2_RTTBL}
#		ip route del default dev ${WAN2_IFACE} via ${WAN2_GW} table ${WAN2_RTTBL}
#		ip rule del fwmark 2 table ${WAN2_RTTBL}
#		ip route flush cache
#	fi
#}
#
# iptables: ip route start
#ip_route_start () {
#	for RP in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 0 > ${RP} ; done
#	ip route add ${WAN2_NET} via ${WAN2_GW} table ${WAN2_RTTBL}
#	ip route add default dev ${WAN2_IFACE} via ${WAN2_GW} table ${WAN2_RTTBL}
#	ip rule add fwmark 2 table ${WAN2_RTTBL}
#	ip route flush cache
#}
#
# iptables: Default policy DROP
default_policy_drop () {
	# Fail-closed baseline for `start`: anything not explicitly accepted in
	# INPUT or FORWARD is dropped; the gateway's own outbound traffic stays
	# open. Applied in the same order as before: INPUT, FORWARD, OUTPUT.
	for POLICY in "INPUT DROP" "FORWARD DROP" "OUTPUT ACCEPT" ; do
		# Intentionally unquoted: each entry splits into chain and target.
		iptables -P ${POLICY}
	done
}
#
# iptables: ICMP rules
icmp_rules () {
	# ICMP chain, jumped to from INPUT and FORWARD: admits the listed types
	# at one packet per second each. Packets above the limit, or of any other
	# type, return to the calling chain and end up at its policy (DROP after
	# default_policy_drop).
	# Types: 0 echo-reply, 3 destination-unreachable, 5 redirect,
	#        8 echo-request, 11 time-exceeded, 12 parameter-problem.
	# NOTE(review): type 5 (redirect) is admitted even though the kernel is
	# configured with accept_redirects=0; it is harmless as configured but
	# could simply be left out of the list.
	iptables -N ICMP
	for TYPE in 0 3 5 8 11 12 ; do
		iptables -A ICMP -m comment --comment "icmp type ${TYPE} accept" \
			-p icmp --icmp-type "${TYPE}" -m limit --limit 1/s -j ACCEPT
	done
}
#
# iptables: Protect rules
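protect_rules () {
	# PROTECT is the last jump in INPUT and FORWARD, so every packet reaching
	# it has already failed to match an allow rule. Its job is to discard
	# junk quietly and to answer leftover TCP with a reset; it must never
	# ACCEPT anything.
	#
	# Fix vs. the previous version: the tcp-reset REJECT was the second rule,
	# which made every later `-p tcp` rule unreachable — and two of those
	# unreachable rules were ACCEPTs (`--syn -m limit --limit 2/s` and a
	# RST-only flag match) that would have opened every TCP port at two new
	# connections per second had the REJECT ever been moved. The bad-flag
	# DROPs now come first, the ACCEPTs are gone, and the REJECT is last.
	iptables -N PROTECT
	iptables -A PROTECT -m comment --comment "invalid pct drop"    -m state --state INVALID -j DROP
	# Flag combinations no legitimate stack sends (xmas, syn-rst, syn-fin,
	# null, SYN from source port 0): drop silently so a scanner gets nothing.
	iptables -A PROTECT -m comment --comment "syn-flood protect"   -p tcp -m tcp --tcp-flags ALL FIN,URG,PSH -j DROP
	iptables -A PROTECT -m comment --comment "syn-flood protect"   -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
	iptables -A PROTECT -m comment --comment "syn-flood protect"   -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
	iptables -A PROTECT -m comment --comment "syn-flood protect"   -p tcp -m tcp --tcp-flags ALL NONE        -j DROP
	iptables -A PROTECT -m comment --comment "syn-flood protect"   -p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
	# Remaining TCP gets a reset (closed-port behaviour); non-TCP falls
	# through to the chain policy, which default_policy_drop sets to DROP.
	iptables -A PROTECT -m comment --comment "reset unknown ports" -p tcp -j REJECT --reject-with tcp-reset
	# NOTE(review): real SYN-flood rate limiting belongs in front of the
	# allow rules (e.g. on the SSH/ALLOWIN/ALLOWFWD entries), not in this
	# terminal chain; tcp_syncookies is already enabled in the sysctl block.
}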
#
# iptables: Filter table input rules
filter_input_accept () {
	# ALLOWIN: explicit service allow-list for INPUT, consulted after the
	# per-interface rules in filter_input. Currently only the Zabbix agent
	# port, and only from the LAN interface.
	# NOTE(review): filter_input accepts everything arriving on ${LAN_IFACE}
	# before it jumps here, so this rule is never reached as written; it only
	# takes effect if that blanket LAN accept is removed.
	iptables -N ALLOWIN
	iptables -A ALLOWIN -m comment --comment "zabbix accept" \
		-i "${LAN_IFACE}" -p tcp -m tcp --dport 10050 -m state --state NEW -j ACCEPT
}

filter_input () {
	# INPUT in evaluation order (the SSH rule appended at the top of the
	# script already sits first in the chain): loopback, conntrack replies,
	# then anything arriving on the LAN interface, then the ICMP, ALLOWIN and
	# PROTECT chains; what returns from PROTECT hits the DROP policy.
	# The blanket LAN accept means every service on the gateway is reachable
	# from the LAN interface; only the other interfaces go through the lists.
	iptables -A INPUT -m comment --comment "lo accept"     -i lo -j ACCEPT
	iptables -A INPUT -m comment --comment "return accept" -m state --state ESTABLISHED,RELATED -j ACCEPT
	iptables -A INPUT -m comment --comment "lan nic accept" -i "${LAN_IFACE}" -j ACCEPT
	for CHAIN in ICMP ALLOWIN PROTECT ; do
		iptables -A INPUT -j "${CHAIN}"
	done
}

#filter_mss_pmtu () {
#	iptables -A FORWARD -m comment --comment "tcp mss mtu pppoe" -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
#}

#
# iptables: Filter table forward rules
filter_forward_accept () {
	# ALLOWFWD: new connections arriving on the primary WAN that may be
	# forwarded through the box — FTP control (21) and HTTP (80). There is no
	# -d match, so any destination the routing table reaches qualifies; the
	# DNAT that would steer these to an internal server is not in this file
	# (nat_prerouting is commented out and only holds the proxy redirect).
	# NOTE(review): pin `-d` to the published server address once the DNAT
	# is in place, so the rule cannot forward to arbitrary hosts.
	iptables -N ALLOWFWD
	for SVC_PORT in ftp:21 http:80 ; do
		iptables -A ALLOWFWD -m comment --comment "${SVC_PORT%%:*} port accept" \
			-i "${WAN1_IFACE}" -p tcp -m state --state NEW -m tcp --dport "${SVC_PORT#*:}" -j ACCEPT
	done
}

filter_forward () {
	# FORWARD in evaluation order: conntrack replies, then anything entering
	# on the LAN interface (the LAN may reach any destination on any port),
	# then the ICMP, ALLOWFWD and PROTECT chains, then the DROP policy.
	iptables -A FORWARD -m comment --comment "return accept" -m state --state ESTABLISHED,RELATED -j ACCEPT
	# Disabled: refuse direct 80/443 from the LAN — presumably meant to pair
	# with the transparent-proxy redirect that is also commented out below.
	#iptables -A FORWARD -m comment --comment "80 port drop"   -i ${LAN_IFACE} -p tcp -m tcp --dport 80  -j DROP
	#iptables -A FORWARD -m comment --comment "443 port drop"  -i ${LAN_IFACE} -p tcp -m tcp --dport 443 -j DROP
	iptables -A FORWARD -m comment --comment "lan nic accept" -i "${LAN_IFACE}" -j ACCEPT
	for CHAIN in ICMP ALLOWFWD PROTECT ; do
		iptables -A FORWARD -j "${CHAIN}"
	done
}

#nat_prerouting () {
	#iptables -A PREROUTING -t nat -m comment --comment "80 to 3128 - proxy transparent"  -i ${LAN_IFACE}  -p tcp -m tcp --dport 80    -j REDIRECT --to-port 3128
	#iptables -A PREROUTING -t nat -m comment --comment "443 to 3128 - proxy transparent" -i ${LAN_IFACE}  -p tcp -m tcp --dport 443   -j REDIRECT --to-port 3128
#}


nat_postrouting () {
	# Source-NAT everything leaving on the primary WAN behind that link's
	# address (MASQUERADE rather than SNAT, presumably because the PPP
	# address is assigned at connect time). There is no -s match: whatever
	# FORWARD lets through is masqueraded; rp_filter on the LAN interface is
	# what keeps spoofed sources from getting this far.
	# The WAN2 variant stays disabled with the rest of the dual-WAN routing.
	iptables -t nat -A POSTROUTING -m comment --comment "bel out mask" -o "${WAN1_IFACE}" -j MASQUERADE
	#iptables -t nat -A POSTROUTING -m comment --comment "gvt out mask" -o ${WAN2_IFACE} -j MASQUERADE
}

#mangle_prerouting () {
	#iptables -A PREROUTING -t mangle -m comment --comment "mark to out gvt" -s 192.168.2.114 -j MARK --set-mark 0x2
#}

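# Action dispatch. Everything above (sysctl, modules, flush, ACCEPT policies,
# SSH accept) has already run for every action, so:
#   start  rebuild the full ruleset and close the INPUT/FORWARD policies
#   nat    keep ACCEPT policies; only add the ICMP chain and masquerading
#   stop   leave the flushed/ACCEPT state — the firewall is off
# Each step is `fn ; checkStatus`. Under `sh -e` (set in the shebang, so it
# is lost when invoked as `sh rc.firewall`) a failing iptables call aborts the
# script at that point; inside `a && b` lists -e is suspended and the &&
# short-circuits instead.
case "$1" in
start)
	echo -n "iptables: Setting chains to DROP"
		default_policy_drop ; checkStatus
	echo -n "iptables: Ping rules"
		icmp_rules ; checkStatus
	echo -n "iptables: Extra protections rules"
		protect_rules ; checkStatus
	echo -n "iptables: FILTER INPUT rules"
		filter_input_accept && filter_input ; checkStatus
	# Fix: filter_mss_pmtu is commented out above, so calling it returned
	# 127 ("not found") and, under -e, aborted `start` right here — leaving
	# INPUT/FORWARD at policy DROP with no FORWARD rules and no NAT. The step
	# is now disabled the same way as in the `nat` branch; re-enable it
	# together with the function when the MSS clamp is wanted again.
	#echo -n "iptables: MSS PMTU rules"
	#	filter_mss_pmtu ; checkStatus
	echo -n "iptables: FILTER FORWARD rules"
		filter_forward_accept && filter_forward ; checkStatus
	#echo -n "iptables: NAT PREROUTING rules"
	#	nat_prerouting ; checkStatus
	echo -n "iptables: NAT POSTROUTING rules"
		nat_postrouting ; checkStatus
	#echo -n "iptables: MANGLE PREROUTING rules"
	#	mangle_prerouting ; checkStatus
	#echo -n "ip route: Stop ip route rules"
	#	ip_route_stop ; checkStatus
	#echo -n "ip route: Start ip route rules"
	#	ip_route_start ; checkStatus
	echo "done"
	;;
nat)
	# Router-only mode: no filtering, just ICMP limits and masquerading.
	echo -n "iptables: Enable ping"
		icmp_rules ; checkStatus
	#echo -n "iptables: MSS PMTU rules"
	#	filter_mss_pmtu ; checkStatus
	echo -n "iptables: NAT POSTROUTING rules"
		nat_postrouting ; checkStatus
	#echo -n "ip route: Stop ip route rules"
	#	ip_route_stop ; checkStatus
	echo "done"
	;;
stop)
	# Nothing to do: the flush and ACCEPT policies above already ran.
	#echo -n "ip route: Stop ip route rules"
	#	ip_route_stop ; checkStatus
	echo "done"
	;;
*)
	echo "Use: $0 {start|stop|nat}"
	;;
esac
exit 0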
