#!/bin/bash
# Program Name = FIRE|GATE
# Intended Use = An IPtables firewall ruleset and NAT gateway
# Revision Lvl = 0.79
# Created File = 20 Jan 2002
# Last Updated = 01 Sep 2003
# Download URL = http://firegate.lunarfox.com
# Mirror URL 1 = http://freshmeat.net/projects/firegate/
# Mirror URL 2 = http://sourceforge.net/projects/firegate/
# Mirror URL 3 = http://lunar.darktech.org/firegate/
# Copyright 2002-2003 Jeff Bonner (firegate@lunarfox.com)
# OSI Certified Open Source Software
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation, Version 2.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public
# License along with this program; if not, write to the Free
# Software Foundation, Inc., 59 Temple Place, Suite 330, Boston,
# MA 02111-1307 USA

# CAUTION: THIS SCRIPT IS IN DEVELOPMENT AND MAY NOT BE SUITABLE
# FOR USE IN A PRODUCTION ENVIRONMENT. Concerns and questions are
# prefixed with "FIXME" to denote they need to be addressed. You
# should review the code thoroughly to ensure it is appropriate for
# your location and situation.

# REVISION HISTORY
# ________________
#
# Please check the download sites to make sure you have the latest
# revision. Important fixes, additions and changes may occur with
# new releases.
#
# v0.64: Removed unneeded ReAIM proxy rules (IM client rules remain)
# v0.65: Added -t mangle & -t nat rule flushing upon "./firegate stop"
# v0.66: Added HTTP/SMTP forwarding through firewall to internal server
# v0.67: Added NoIdent (reject w/TCP reset) or Ident (nullidentd) option
# v0.68: Added section-purpose separators, and cleaned up all comments
# v0.69: Added direct-from-internet SSH option (disabled by default)
# v0.70: Began documenting script changes via Revision History :)
# v0.71: Blocked in/out port 445; fixed TCP/UDP types for 137-139 (SMB)
# v0.72: Blocked UDP inbound to ports 0:19 (was only TCP previously)
# v0.73: Fixed blacklist so it drops any inbound forwarded traffic too
#
# v0.74: Added to and clarified comments. More trojan blocks. Portscan
#        & badflag check now performed only on external interface. Can
#        now have multiple DHCP servers. Added variables to turn on/off
#        SSH and IDENT; define the external/internal interface names; and
#        for internal HTTP & SMTP machine IPs. Changed specific inbound
#        port blocking to be on external interface only (would have kept
#        some internal services from working).
#
# v0.75: Fixed bug in DHCP define loop (introduced in v0.74); corrected
#        DNS comments; added usage/installation instructions to INSTALL
#        files; included LICENSE file for full GPL compliance; MD5 sum
#        now included on website to verify authenticity.
#
# v0.76: Added comments & more addresses to block private/reserved space.
#        Added OUTPUT block for blacklist sites. Added LAN address range
#        to restrict sNAT/masquerade. If no IPs are specified for HTTP or
#        SMTP, port forward via PREROUTING is now disabled, plus attempts
#        are not logged. Can now specify AIM, ICQ and MSN ports to use
#        for file transfers; if not defined, PREROUTING rule(s) disabled.
#        Added Gnutella P2P client forwarding option (port can be changed
#        for KaZaA etc, see also line 286). Removed unused ICMP rule name.
#        Fixed problem with null values causing "unary operator expected"
#        error, and a nasty surprise upon 'stop' command that would cause
#        loss of connectivity if using only SSH with no monitor/keyboard.
#
# v0.77: Added to and clarified comments. Additional ICMP messages are
#        now allowed in for more compliant servers; response to external
#        ping can be turned off with PING variable. If/Then/Else logic
#        surrounded by quotes for more reliable operation. Added variable
#        QUIET to suppress logging of commonly scanned ports; it affects
#        SSH/HTTP/SMTP as well, if these aren't in use. Added variable
#        WEBPORT for users whose ISPs block standard incoming HTTP port
#        80; adjust if needed. Changed spaces to tabs for 2K savings.
#
# v0.78: Added TCP/UDP port 135 to ignored ports. Added Gnutella ignore
#        @ line 287 (disabled by default). Added/clarified more comments.
#        Attempt to allow streaming camera apps like iVista. Added new
#        variable "DROPEXT", default is true; if false, "./firegate stop"
#        does NOT drop all external traffic (keeps you from being locked
#        out if using remote SSH, similar to the 0.76 fix for local SSH).
#        Added FAQ file and list of kernel modules needed for script.
#
# v0.79: Added to and clarified comments. Added TCP 4444 outbound block
#        to deal with W32.Blaster worm and variants; note that tFTP (UDP
#        port 69) could also be blocked by FIRE|GATE for maximum effect,
#        but currently is not. Fixed bug (introduced in v0.78): when
#        CAM/CAMIP variables were null, a script error appeared. Added
#        indicators showing FIRE|GATE's progress, and variable COLOR to
#        use ANSI when displaying (re)start/stop/status messages. When
#        DHCP variable is blank, script allows any DHCP server traffic
#        inbound; if DNS variable is blank, all DNS traffic is allowed
#        inbound (previous behavior dropped traffic, which can generate
#        substantial PACKET DROP logs). Confirmed list of kernel modules
#        needed now, and those which are optional and/or for future use.
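### SET NECESSARY VARIABLES --------------------------------------------------
#
VER="v0.79"
IPT="/sbin/iptables"                # Location of your IPtables
EXT="eth0"                          # External interface name
INT="eth1"                          # Internal interface name
MASQ="192.168.0.0/24"               # LAN IP range to masquerade; see
                                    # http://dmdl.uvm.edu/subnet.shtml
                                    # Null "" allows ANY traffic in:
DHCP="172.30.166.36 68.61.96.1"              # DHCP server(s) to allow inbound
DNS="68.60.32.5 68.60.32.6 206.141.251.2"    # DNS server(s) to allow inbound
IDENT="0"                           # Use Ident/Auth? 0=REJECT 1=ACCEPT
SSH="0"                             # SSH in from Internet? 0=NO 1=YES
PING="0"                            # Allow PINGs inbound? 0=NO 1=YES
QUIET="1"                           # Ignore common scans? 0=NO 1=YES
DROPEXT="1"                         # Drop all external traffic when you
                                    # stop the firewall? 0=NO 1=YES
WEBPORT="80"                        # If ISP blocks port 80, change here
HTTP="192.168.0.2"                  # Forward HTTP > LAN IP; "" disables
SMTP="192.168.0.3"                  # Forward SMTP > LAN IP; "" disables
AIM="5190"                          # Port(s) forwarded to internal LAN
ICQ="4001:4005"                     # machines using IP masq; null value
MSN="1863"                          # "" disables that one. For a range
P2P=""                              # (eg ICQ) use colon between ports.
CAM="8080"                          # Forward port number to internal IP;
CAMIP="192.168.0.4"                 # a null value "" for both disables
COLOR="1"                           # Use ANSI color msgs? 0=NO 1=YES

# COLOR is quoted in the test: an empty value used to produce bash's
# "unary operator expected" error (same class of bug as the v0.76 fix).
# The else branch defines the colour variables as empty strings so every
# later message expansion is well-defined whichever way COLOR is set.
if [ "$COLOR" = "1" ]; then
  NORM="\\033[0;39m"                # You may adjust these as desired to
  GREEN="\\033[1;32m"               # use other colors, insert different
  RED="\\033[1;31m"                 # sequences (non-ANSI), sound your
  WHITE="\\033[1;29m"               # terminal bell CTRL-G, et cetera
else
  NORM="" GREEN="" RED="" WHITE=""  # plain-text messages
fi

### BLACKLISTED IPs ----------------------------------------------------------
#
# This section can be used against nefarious sites you want to prevent
# from coming into your network. Some listed below are Comcast 68.6#.*
# Nimda-infected IIS servers. Blocking Nimda/Code Red/et al isn't really
# necessary, as they don't infect Linux, but the logs are annoying. The
# mod_antihak Apache module at http://apantihak.sourceforge.net/ might be
# a good alternative, or perhaps the Anti-Nimda/Code Red Auto-Emailer at
# http://small.dropbear.id.au/myscripts/nimda.html for aggressive admins.
# Space-separated list; it is deliberately word-split in the loop below.
EVIL="219.96.228.226 150.108.236.20 210.80.207.147 200.222.3.3 24.148.22.92 216.127.74.43"

# ***** END OF USER VARIABLES; EXERCISE CAUTION EDITING BELOW THIS LINE *****

# Dispatch on the single command-line verb:
#   start          - tune sysctls, flush, install the full ruleset, touch lock
#   status         - report whether /var/lock/firegate exists
#   restart|reload - stop, then start
#   stop           - flush everything, leave a minimal open/closed ruleset
#   anything else  - print usage
# Every branch falls through to the final "exit 0".

# [START] ====================================================================
#
case "$1" in
  start)
    echo -e "\n${NORM}FIRE|GATE $VER${GREEN} starting${NORM}..."

    # Bail out before any policy is changed: if iptables cannot be driven
    # (not root, missing binary) a half-applied ruleset whose policies are
    # already DROP would lock this host out.
    "$IPT" -L -n >/dev/null 2>&1 || {
      echo "FIRE|GATE: cannot run $IPT (root and the iptables binary are required)" >&2
      exit 1
    }

    ### SYSCTL: PERFORMANCE TUNING, DoS, ETC -------------------------------------
    # http://www.tldp.org/HOWTO/Adv-Routing-HOWTO/lartc.kernel.obscure.html
    #
    echo -e "\n - SYSCTL, performance tuning"
    echo 1 > /proc/sys/net/ipv4/ip_forward                       # Enable IP masq
    echo 1 > /proc/sys/net/ipv4/ip_dynaddr                       # Rewrite new address
    echo 1 > /proc/sys/net/ipv4/tcp_syncookies                   # TCP SYN overload
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts      # Smurf amplify off
    echo 1 > /proc/sys/net/ipv4/conf/all/log_martians            # Spoof/route/redir
    echo 0 > /proc/sys/net/ipv4/tcp_timestamps                   # Uptime/GB Ethernet
    echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects        # ICMP redirects off
    echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route     # No return path mod
    echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses # No bad msgs
    for r in /proc/sys/net/ipv4/conf/*/rp_filter; do             # Reverse path filter
      echo 1 > "$r"                                              # (default for Debian
    done                                                         # installations)

    ### ERASE PREVIOUS RULES, DEFINE DEFAULT POLICY ------------------------------
    #
    echo " - Flush; default policy DENY"
    "$IPT" -F                           # Flush built-in rules
    "$IPT" -X                           # Erase custom rules
    "$IPT" -Z                           # Zero all counters
    "$IPT" -t nat -F                    # Flush pre/postroute
    "$IPT" -t mangle -F                 # Flush packet mangle
    "$IPT" -P INPUT DROP                #
    "$IPT" -P OUTPUT DROP               # Default policy
    "$IPT" -P FORWARD DROP              #
    "$IPT" -A INPUT -i lo -j ACCEPT     # Allow traffic on
    "$IPT" -A OUTPUT -o lo -j ACCEPT    # loopback interface

    # You should never see legitimate traffic originating from any of these
    # addresses to the external interface, but a misconfigured router or hack
    # attempt could produce this behavior. Comcast sends broadcast messages
    # from 10.0.0.0/8 to bootpc for whatever reason (check it yourself with
    # "iptables -L -n -v"), but it does not appear to matter if we drop them.
    # See http://again.net/cidr for a list of these addresses plus tables of
    # subnets, ICMP codes, and more. Toss any packets to external interface
    # claiming to be:
    echo " - No reserved IPs coming from $EXT"
    "$IPT" -A INPUT -i "$EXT" -s 10.0.0.0/8 -j DROP          #
    "$IPT" -A INPUT -i "$EXT" -s 172.16.0.0/12 -j DROP       # RFC1918 Private
    "$IPT" -A INPUT -i "$EXT" -s 192.168.0.0/16 -j DROP      #
    "$IPT" -A INPUT -i "$EXT" -s 0.0.0.0/8 -j DROP           # Broadcast
    "$IPT" -A INPUT -i "$EXT" -s 127.0.0.0/8 -j DROP         # Loopback
    "$IPT" -A INPUT -i "$EXT" -s 192.0.2.0/24 -j DROP        # TEST-NET
    "$IPT" -A INPUT -i "$EXT" -s 169.254.0.0/16 -j DROP      # Unconfigured DHCP
    "$IPT" -A INPUT -i "$EXT" -s 224.0.0.0/4 -j DROP         # Class D / Multicast
    "$IPT" -A INPUT -i "$EXT" -s 240.0.0.0/5 -j DROP         # Class E / Reserved
    "$IPT" -A INPUT -i "$EXT" -s 255.255.255.255 -j DROP     # Broadcast

    ### DROP BLACKLIST SITES (SCANS, WORMS, ETC) ---------------------------------
    #
    # One pass over the list installs the INPUT, OUTPUT and FORWARD rules for
    # each address; per-chain ordering is the same as three separate loops.
    if [ "$EVIL" ]; then
      echo " - Drop traffic for blacklisted IP(s)"
      for v in $EVIL; do
        "$IPT" -A INPUT -s "$v" -j DROP      # Drop blacklist traffic to firewall
        "$IPT" -A OUTPUT -d "$v" -j DROP     # Don't send to any blacklist sites
        "$IPT" -A FORWARD -s "$v" -j DROP    # Don't forward any blacklist traffic
      done
    fi

    ### IGNORE COMMONLY PROBED PORTS (SSH/SMTP/HTTP HANDLED LATER) ---------------
    #
    # FIRE|GATE assumes a default INPUT policy of DROP, so this section is just
    # to cut down on nuisance logs. However, if you analyze your firewall logs
    # for hack attempts (fwlogwatch, DShield, etc), set QUIET to "0": with QUIET
    # at "1", activity aimed at these ports is dropped silently and never
    # recorded. If you host any of these services for the Internet, you should
    # comment out the appropriate ports (notably FTP).
    #
    if [ "$QUIET" = "1" ]; then
      echo " - Ignore commonly probed ports"
      "$IPT" -A INPUT -p tcp -i "$EXT" --dport 0:19 -j DROP        # ... Diagnostics
      "$IPT" -A INPUT -p udp -i "$EXT" --dport 0:19 -j DROP        # ... Diagnostics
      "$IPT" -A INPUT -p tcp -i "$EXT" --dport 21 -j DROP          # ... FTPd
      "$IPT" -A INPUT -p tcp -i "$EXT" --dport 23 -j DROP          # ... Telnet
      "$IPT" -A INPUT -p tcp -i "$EXT" --dport 111 -j DROP         # ... RPC/Portmap
      "$IPT" -A INPUT -p tcp -i "$EXT" --dport 135 -j DROP         # ... Microsoft RPC
      "$IPT" -A INPUT -p udp -i "$EXT" --dport 135 -j DROP         # ... Microsoft RPC
      "$IPT" -A INPUT -p udp -i "$EXT" --sport 137:138 -j DROP     # ... SMB w/NetBIOS
      "$IPT" -A INPUT -p tcp -i "$EXT" --sport 139 -j DROP         # ... SMB w/NetBIOS
      "$IPT" -A INPUT -p tcp -i "$EXT" --dport 443 -j DROP         # ... HTTP w/SSL
      "$IPT" -A INPUT -p tcp -i "$EXT" --dport 445 -j DROP         # ... SMB w/o NetBIOS
      "$IPT" -A INPUT -p tcp -i "$EXT" --dport 515 -j DROP         # ... LPR/Printer
      "$IPT" -A INPUT -p tcp -i "$EXT" --dport 1080 -j DROP        # ... SOCKS Proxy
      "$IPT" -A INPUT -p tcp -i "$EXT" --dport 27374 -j DROP       # ... SubSeven
      "$IPT" -A INPUT -p tcp -i "$EXT" --dport 31337 -j DROP       # ... BackOrifice etc
      "$IPT" -A INPUT -p udp -i "$EXT" --dport 31337 -j DROP       # ... BackOrifice etc
      # "$IPT" -A INPUT -p tcp -i "$EXT" --dport 1214 -j DROP      # ... KaZaA
      # "$IPT" -A INPUT -p tcp -i "$EXT" --dport 6346 -j DROP      # ... Gnutella
    fi

    ### DETECT & LOG SUSPECTED PORT SCANS ----------------------------------------
    #
    # FIXME: These need to be confirmed for correctness; 3rd rule may cause
    #        some false alarms during certain FTP sessions (including apt-get)
    #
    echo " - PortScan, Fragment, Hostile Flags"
    "$IPT" -N SCAN
    "$IPT" -A INPUT -p tcp -i "$EXT" --tcp-flags ALL ALL -j SCAN              # `Xmas' scan
    "$IPT" -A INPUT -p tcp -i "$EXT" --tcp-flags ALL NONE -j SCAN             # `Null' scan
    "$IPT" -A INPUT -p tcp -i "$EXT" --tcp-flags SYN,ACK,FIN,RST RST -j SCAN  # Type?
    "$IPT" -A SCAN -m limit --limit 2/s -j LOG --log-level info \
      --log-prefix "**PORTSCAN** "
    "$IPT" -A SCAN -j DROP

    ### FRAGMENTED PACKETS -------------------------------------------------------
    #
    # FIXME: Necessary w/NAT? Mostly hostile (need to be logged)?
    #
    "$IPT" -A INPUT -i "$EXT" -f -j LOG -m limit --limit 1/s \
      --log-level info --log-prefix "**FRAGMENT** "
    "$IPT" -A INPUT -i "$EXT" -f -j DROP

    ### HOSTILE TCP FLAGS --------------------------------------------------------
    #
    # FIXME: These need to be confirmed for correctness
    # NOTE: the "ALL ALL" and "ALL NONE" rules repeat two SCAN rules above and
    #       therefore never match here (SCAN already dropped those packets).
    #
    "$IPT" -N FLAGS
    "$IPT" -A INPUT -p tcp -i "$EXT" --tcp-flags ALL FIN,URG,PSH -j FLAGS
    "$IPT" -A INPUT -p tcp -i "$EXT" --tcp-flags ALL ALL -j FLAGS
    "$IPT" -A INPUT -p tcp -i "$EXT" --tcp-flags ALL NONE -j FLAGS
    "$IPT" -A INPUT -p tcp -i "$EXT" --tcp-flags SYN,RST SYN,RST -j FLAGS
    "$IPT" -A INPUT -p tcp -i "$EXT" --tcp-flags SYN,FIN SYN,FIN -j FLAGS   #QueSO
    "$IPT" -A INPUT -p tcp -i "$EXT" --tcp-flags ALL SYN,RST,ACK,FIN,URG -j FLAGS
    "$IPT" -A FLAGS -m limit --limit 2/s -j LOG --log-level info \
      --log-prefix "**BADFLAGS** "
    "$IPT" -A FLAGS -j DROP

    ### ALLOW DHCP LEASE & RENEWAL -----------------------------------------------
    #
    # If running a DHCP server internally, you may need different/additional
    # rules here. These stay stateless on purpose: DHCP offers may arrive as
    # broadcasts that connection tracking does not tie to the outbound request,
    # but the match is at least narrowed to udp/67 -> udp/68.
    #
    if [ "$DHCP" ]; then
      echo " - Allow only authorized DHCP servers"
      for d in $DHCP; do
        "$IPT" -A INPUT -p udp -s "$d" --sport 67 -d 0/0 --dport 68 -j ACCEPT
      done
    else
      "$IPT" -A INPUT -p udp --sport 67 --dport 68 -j ACCEPT
    fi

    ### ALLOW REPLIES ONLY FROM AUTHORIZED DNS SERVERS ---------------------------
    #
    # UDP = Short DNS answers; TCP = Long/retry DNS answers, zones
    #
    # Replies are matched as ESTABLISHED/RELATED, i.e. only answers to queries
    # this host actually sent. The earlier stateless form ("--sport 53 -j
    # ACCEPT", with no state match) accepted ANY packet whose source port was
    # 53 to ANY local port, which sidestepped the SSH/IDENT/QUIET rules for
    # whoever could pick that source port (for the else branch: anyone at all).
    # Genuine replies were already ESTABLISHED and would also be accepted by
    # the TRAFFIC chain below, so resolution keeps working unchanged.
    #
    if [ "$DNS" ]; then
      echo " - Allow only authorized DNS replies"
      for u in $DNS; do
        "$IPT" -A INPUT -p udp -s "$u" --sport 53 -d 0/0 \
          -m state --state ESTABLISHED,RELATED -j ACCEPT
        "$IPT" -A INPUT -p tcp -s "$u" --sport 53 -d 0/0 \
          -m state --state ESTABLISHED,RELATED -j ACCEPT
      done
    else
      echo " - Allow ALL incoming DNS replies"
      "$IPT" -A INPUT -p udp --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT
      "$IPT" -A INPUT -p tcp --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT
    fi

    ### HANDLE IDENTD (with DAEMON, or REJECT) -----------------------------------
    #
    # If you ARE NOT running an ident daemon, set IDENT as "0"; this bounces
    # auth gracefully so you don't wait for a timeout, as may happen if you
    # just block the port. If you DO need the real thing, set IDENT as "1".
    # Debian package "harden-servers" will conflict with many common identd's
    # for security reasons, but nullidentd or perhaps slidentd are acceptable.
    "$IPT" -A INPUT -p tcp -i "$INT" --dport 113 -j ACCEPT   # Always accept internal
    if [ "$IDENT" = "1" ]; then
      echo " - Allow external IDENT/auth"
      "$IPT" -A INPUT -p tcp -i "$EXT" --dport 113 -j ACCEPT
    else
      echo " - Reject IDENT with tcp-reset"
      "$IPT" -A INPUT -p tcp -i "$EXT" --dport 113 -j REJECT --reject-with tcp-reset
    fi

    ### BLOCK OUTBOUND TROJANS & INSECURE PORTS ----------------------------------
    #
    # The ports listed below are not exhaustive, and blocking a particular one
    # is not always effective (most new trojans can use any high port). These
    # could also intentionally prevent your LAN users from using some outbound
    # applications (with the same caveat as above). A well-documented list of
    # trojans is available at http://www.simovits.com/trojans/.
    #
    echo " - Drop, log outbound trojan ports"
    "$IPT" -N STOPOUT
    "$IPT" -A OUTPUT -p udp --dport 137:138 -j STOPOUT       # SMB w/NetBIOS
    "$IPT" -A OUTPUT -p tcp --dport 139 -j STOPOUT           # SMB w/NetBIOS
    "$IPT" -A OUTPUT -p tcp --dport 445 -j STOPOUT           # SMB w/o NetBIOS
    "$IPT" -A OUTPUT -p tcp --dport 4444 -j STOPOUT          # W32.Blaster worm
    "$IPT" -A OUTPUT -p tcp --dport 10008 -j STOPOUT         # Lion worm
    "$IPT" -A OUTPUT -p tcp --dport 65535 -j STOPOUT         # Ramen worm
    "$IPT" -A OUTPUT -p tcp --dport 12345 -j STOPOUT         # Various trojans
    "$IPT" -A OUTPUT -p tcp --dport 27374 -j STOPOUT         # "
    "$IPT" -A OUTPUT -p tcp --dport 31335:31337 -j STOPOUT   # "
    "$IPT" -A OUTPUT -p udp --dport 31335:31337 -j STOPOUT   # "
    "$IPT" -A STOPOUT -m limit --limit 1/s -j LOG \
      --log-level info --log-prefix "**TROJAN?** "           # Log these attempts
    "$IPT" -A STOPOUT -j DROP                                # then drop packets

    ### CONTROL ICMP MESSAGES ----------------------------------------------------
    #
    # Certain types should be allowed for more friendly/compliant servers, but
    # some must be restricted as well. Set PING to "0" if you do not want to
    # respond to those, but be warned that just blocking ping at the firewall
    # won't keep connection from being saturated in a Denial of Service attack
    # ("ping flood"); you'd need your upstream (ISP) to filter these instead.
    #
    # These ICMPs are suggested by "Linux Firewalls 2nd Edition" by R Ziegler:
    #
    #  0 = Echo Reply, what gets sent back after a Type 8 is received here
    #  3 = Destination Unreachable (inbound) or Fragmentation Needed (out)
    #  4 = Source Quench tells sending IP to slow down its rate to destination
    #  8 = Echo Request used for pinging hosts, but see the caution above
    # 11 = Time Exceeded used for traceroute (TTL) or sometimes frag packets
    # 12 = Parameter Problem is some error or weirdness detected in header
    #
    # See also http://www.iana.org/assignments/icmp-parameters or RFC792
    #
    # FIXME: This may break traceroute from the firewall itself, but it works
    #        from NAT'd machines behind it.
    echo -e -n " - Control ICMP messages"
    "$IPT" -A INPUT -p icmp -i "$EXT" --fragment -j LOG -m limit --limit 1/s \
      --log-level info --log-prefix "**ICMP FRAG** "      # Log and drop any
    "$IPT" -A INPUT -p icmp -i "$EXT" --fragment -j DROP   # frag'd ICMPs (bad)
    # No outgoing destination-unreachable; can be spoofed & sent to other hosts
    "$IPT" -A OUTPUT -p icmp --icmp-type destination-unreachable -o "$EXT" -j DROP
    # Specifically allow these types (just in case ESTABLISHED/RELATED doesn't)
    "$IPT" -A INPUT -p icmp --icmp-type destination-unreachable -i "$EXT" -j ACCEPT
    "$IPT" -A INPUT -p icmp --icmp-type source-quench -i "$EXT" -j ACCEPT
    "$IPT" -A INPUT -p icmp --icmp-type time-exceeded -i "$EXT" -j ACCEPT
    "$IPT" -A INPUT -p icmp --icmp-type parameter-problem -i "$EXT" -j ACCEPT
    # NOTE(review): the echo-reply rules below match "-o $INT", so with PING=0
    # the firewall also stops answering pings from the LAN side; "-o $EXT"
    # looks like the intent -- confirm before changing.
    if [ "$PING" = "1" ]; then
      echo -e -n "; PING on\n"
      "$IPT" -A INPUT -p icmp --icmp-type echo-request -i "$EXT" -j ACCEPT
      "$IPT" -A OUTPUT -p icmp --icmp-type echo-reply -o "$INT" -j ACCEPT
    else
      echo -e -n "; PING off\n"
      "$IPT" -A INPUT -p icmp --icmp-type echo-request -i "$EXT" -j DROP
      "$IPT" -A OUTPUT -p icmp --icmp-type echo-reply -o "$INT" -j DROP
    fi
    "$IPT" -A INPUT -p icmp -i "$INT" -j ACCEPT              # Accept all from LAN
    "$IPT" -A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A OUTPUT -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A INPUT -p icmp -j LOG -m limit --limit 1/s \
      --log-level info --log-prefix "**ICMP DROP** "       # Log anything else
    "$IPT" -A INPUT -p icmp -j DROP                         # denied, then drop

    ### ALLOW SSH INTO FIREWALL FROM INTERNET ------------------------------------
    #
    # Blocked by default and not logged, but internal LAN use & outbound SSH
    # always allowed. To permit external access FROM internet, set SSH as "1";
    # be sure you also specify the proper interface for your listening address
    # (i.e., in /etc/ssh/sshd_config).
    "$IPT" -A INPUT -p tcp -i "$INT" --dport 22 -j ACCEPT      # Allow SSH from LAN
    if [ "$SSH" = "1" ]; then
      echo " - Inbound SSH from Internet"
      "$IPT" -A INPUT -p tcp -i "$EXT" --dport 22 -j ACCEPT    # SSH from internet
    elif [ "$QUIET" = "1" ]; then
      echo " - No inbound SSH from Internet"
      "$IPT" -A INPUT -p tcp -i "$EXT" --dport 22 -j DROP      # No SSH & don't log
    fi

    ### REDIRECT INBOUND TRAFFIC TO SERVER(S) ------------------------------------
    #
    # To permit access to your internal servers from those outside the LAN
    # (on the internet), define all the appropriate IP(s) at top of script.
    # Otherwise, this traffic will be dropped; set QUIET to 1 to not log
    # these attempts either.
    echo -e -n " - Redirect inbound: "
    if [ "$CAM" ] && [ "$CAMIP" ]; then
      echo -e -n "+CAM "
      "$IPT" -A FORWARD -i "$EXT" -o "$INT" -p tcp --dport "$CAM" -m state \
        --state NEW,ESTABLISHED,RELATED -j ACCEPT
      "$IPT" -A PREROUTING -t nat -i "$EXT" -p tcp \
        --dport "$CAM" -j DNAT --to "$CAMIP:$CAM"            # Forward webcam
    elif [ "$QUIET" = "1" ] && [ "$CAM" ]; then
      "$IPT" -A INPUT -p tcp -i "$EXT" --dport "$CAM" -j DROP  # No cam & don't log
    fi
    # WEBPORT is quoted: an empty value used to make this test misbehave.
    if [ "$HTTP" ] && [ "$WEBPORT" ]; then
      echo -e -n "+HTTP "
      "$IPT" -A FORWARD -i "$EXT" -o "$INT" -p tcp --dport "$WEBPORT" -m state \
        --state NEW,ESTABLISHED,RELATED -j ACCEPT
      "$IPT" -A PREROUTING -t nat -i "$EXT" -p tcp \
        --dport "$WEBPORT" -j DNAT --to "$HTTP:$WEBPORT"      # Forward HTTP
    elif [ "$QUIET" = "1" ]; then
      "$IPT" -A INPUT -p tcp -i "$EXT" --dport 80 -j DROP      # No HTTP & don't log
    fi
    if [ "$SMTP" ]; then
      echo -e -n "+SMTP "
      "$IPT" -A FORWARD -i "$EXT" -o "$INT" -p tcp --dport 25 -m state \
        --state NEW,ESTABLISHED,RELATED -j ACCEPT
      "$IPT" -A PREROUTING -t nat -i "$EXT" -p tcp \
        --dport 25 -j DNAT --to "$SMTP:25"                    # Forward SMTP
    elif [ "$QUIET" = "1" ]; then
      "$IPT" -A INPUT -p tcp -i "$EXT" --dport 25 -j DROP      # No SMTP & don't log
    fi

    ### PREROUTE CLIENT PORTS FOR IM DIRECT CONNECT/FILE XFER --------------------
    #
    # FIXME: At this time, the following implementation results in...
    #
    # AIM       - Allows in/outbound file xfers, direct connect
    # ICQ       - Allows outgoing file transfers only
    # MSN       - Allows incoming file transfers, no voice chat
    # IRC (DCC) - Untested, but supposedly built-in to IPtables
    # P2P       - Believed to work but recently added; let me know
    # H.323     - aka Netmeeting: see below, and read included FAQ
    # Yahoo     - "View My Webcam" works, but file xfers untested
    #
    # Since the author uses Trillian for all IM clients, these results may be
    # slightly different when using a "genuine" application. Either way, you
    # may need to change and/or experiment with port settings (such as the "Use
    # alternate network adapter" in AIM).
    #
    # Normal text messages should work without any problems. However, for
    # complete file transfer functionality, you may need to install a proxy,
    # such as ReAIM (http://reaim.sourceforge.net) or a full SOCKS proxy. A
    # 2.4 app module matrix at http://www.e-infomax.com/ipmasq/matrix24.html
    # states SOCKS is the most reliable method at present.
    #
    # Lastly, some of these concerns may also be addressed by the new 2.6.x
    # kernel: "Linux's NAT/masquerading support has been extended to better
    # handle protocols that require multiple connections (H.323, PPTP, etc.)"
    # from http://www.kniggit.net/wwol26.html, "Wonderful World of Linux 2.6".
    #
    # NOTE(review): REDIRECT sends these ports to the firewall itself, not to
    # a LAN host; whether that is what the IM clients need is not shown here.
    if [ "$AIM" ]; then
      echo -e -n "+AIM "
      "$IPT" -A PREROUTING -t nat -i "$EXT" -p tcp \
        --dport "$AIM" -j REDIRECT --to-ports "$AIM"         # Allow AIM file xfer
    fi
    if [ "$ICQ" ]; then
      echo -e -n "+ICQ "
      "$IPT" -A PREROUTING -t nat -i "$EXT" -p tcp \
        --dport "$ICQ" -j REDIRECT --to-ports "$ICQ"         # Allow ICQ file xfer
    fi
    if [ "$MSN" ]; then
      echo -e -n "+MSN "
      "$IPT" -A PREROUTING -t nat -i "$EXT" -p tcp \
        --dport "$MSN" -j REDIRECT --to-ports "$MSN"         # Allow MSN file xfer
    fi
    if [ "$P2P" ]; then
      echo -e -n "+P2P "
      "$IPT" -A PREROUTING -t nat -i "$EXT" -p tcp \
        --dport "$P2P" -j REDIRECT --to-ports "$P2P"         # Allow P2P file share
    fi

    ### MAIN RULESET FOR AUTHORIZED (LAN) TRAFFIC --------------------------------
    #
    # TRAFFIC terminates every packet sent to it (ACCEPT, ACCEPT, or LOG+DROP),
    # so nothing appended to INPUT/OUTPUT/FORWARD after the three jumps below
    # is ever evaluated. Newer iptables releases prefer the negation written in
    # front of the option (! -i); the older form is kept for the 2.4-era
    # iptables this script targets.
    echo -e "\n - Allow authorized LAN traffic"
    "$IPT" -N TRAFFIC
    "$IPT" -A TRAFFIC -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A TRAFFIC -m state --state NEW -i ! "$EXT" -j ACCEPT
    "$IPT" -A TRAFFIC -j LOG -m limit --limit 1/s \
      --log-level info --log-prefix "**PACKET DROP** "    # Log anything denied
    "$IPT" -A TRAFFIC -j DROP                             # and drop the packets
    "$IPT" -A INPUT -j TRAFFIC                            # Send INPUT to above
    "$IPT" -A OUTPUT -j TRAFFIC                           # Send OUTPUT to above
    "$IPT" -A FORWARD -j TRAFFIC                          # Send FORWARD above

    ### ENABLE sNAT/MASQUERADE ---------------------------------------------------
    #
    # NOTE(review): the four FORWARD rules below sit after "FORWARD -j TRAFFIC"
    # and are therefore unreachable as written (the "**FORWARD DROP**" prefix
    # never appears); forwarding is actually governed by TRAFFIC. They are
    # left in place so the ruleset reads as before; only the POSTROUTING
    # masquerade line has an effect.
    echo " - Enable sNAT/Masquerade"
    "$IPT" -A FORWARD -i "$EXT" -o "$INT" -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A FORWARD -i "$INT" -o "$EXT" -j ACCEPT
    "$IPT" -A FORWARD -j LOG -m limit --limit 1/s \
      --log-level info --log-prefix "**FORWARD DROP** "   # Log anything denied
    "$IPT" -A FORWARD -j DROP                             # and drop the packets
    "$IPT" -A POSTROUTING -t nat -s "$MASQ" -o "$EXT" -j MASQUERADE

    # NOTE: The last line above is intended for dynamic IPs (PPP, DHCP etc); see
    # info at http://www.netfilter.org/documentation/HOWTO/NAT-HOWTO-6.html for
    # important differences between sNAT and MASQUERADE. If your IP address is
    # truly static, you should use this format instead:
    #
    #   $IPT -t nat -A POSTROUTING -o $EXT -j SNAT --to <your static IP>
    #
    # Of course, then you have to grep the IP or specify it manually. Since this
    # is contrary to the original design of this script, it won't be accommodated
    # herein (but you are free to make that modification yourself if needed).

    echo -e "\n${WHITE}FINISHED!${NORM}\n"
    touch /var/lock/firegate   # status marker; checked by the "status" branch
    ;;

  # [STATUS] ===================================================================
  #
  status)
    if [ -f /var/lock/firegate ]; then
      echo -e "\nFIRE|GATE $VER is ${GREEN}running${NORM}.\n"
    else
      echo -e "\nFIRE|GATE $VER is ${RED}NOT running${NORM}.\n"
    fi
    exit 0
    ;;

  # [RESTART/RELOAD] ===========================================================
  #
  restart|reload)
    "$0" stop
    "$0" start
    ;;

  # [STOP] =====================================================================
  #
  stop)
    echo -e "\n${NORM}FIRE|GATE $VER${RED} stopping${NORM}..."
    echo -e "\n - IP forwarding off"
    echo 0 > /proc/sys/net/ipv4/ip_forward              # IP forwarding off
    echo -e " - Address rewrite off"
    echo 0 > /proc/sys/net/ipv4/ip_dynaddr              # Address rewrite off
    for r in /proc/sys/net/ipv4/conf/*/rp_filter; do    # Reverse path filter
      echo 1 > "$r"                                     # (default for Debian
    done                                                # installations)
    echo -e " - Flush built-in/custom/NAT/mangle"
    "$IPT" -F                           # Flush built-in rules
    "$IPT" -X                           # Erase custom rules
    "$IPT" -Z                           # Zero all counters
    "$IPT" -t nat -F                    # Flush pre/postroute
    "$IPT" -t mangle -F                 # Flush packet mangle
    # -F leaves chain policies untouched, so after a prior "start" INPUT and
    # OUTPUT are still DROP: the explicit ACCEPT/DROP rules below are what
    # decides which traffic survives the stop.
    if [ "$DROPEXT" = "1" ]; then
      echo -e " - Drop all traffic on $EXT"
      "$IPT" -A INPUT -i "$EXT" -j DROP     # ALL external access
      "$IPT" -A OUTPUT -o "$EXT" -j DROP    # & forwarding disabled
    else
      echo -e " - Allow traffic on $EXT"
      "$IPT" -A INPUT -i "$EXT" -j ACCEPT   # Remote SSH works even
      "$IPT" -A OUTPUT -o "$EXT" -j ACCEPT  # after ./firegate stop
    fi
    echo -e " - Allow in/output on $INT"
    "$IPT" -A INPUT -i "$INT" -j ACCEPT     # Leave internal alone
    "$IPT" -A OUTPUT -o "$INT" -j ACCEPT    # (prevents a local SSH
    "$IPT" -P FORWARD DROP                  # session lockout)
    "$IPT" -A INPUT -i lo -j ACCEPT         # Allow traffic on the
    "$IPT" -A OUTPUT -o lo -j ACCEPT        # loopback interface
    rm -f /var/lock/firegate                # Remove status file
    echo -e "\n${WHITE}FINISHED!${NORM}\n"
    ;;

  # [*] ========================================================================
  #
  *)
    echo -e "\nFIRE|GATE $VER usage:"
    echo -e " ${WHITE}firegate {start|stop|status|restart|reload}${NORM}\n"
    ;;
esac
exit 0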