Initscript per firewall iptables su Debian


Creazione initscript

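cat > /etc/init.d/firewall <<'EOFile'
#!/bin/sh
#
# /etc/init.d/firewall - load / unload the iptables rule scripts in /etc/firewall
#
# v1.0 2005.12.16
# gabriele.vivinetto@rvmgroup.it
#
# Usage: /etc/init.d/firewall {start|stop|restart}
#
# The rules live in two sh fragments that are *sourced* (not executed):
#   $CONFIG_DIR/start.firewall   builds the rule set
#   $CONFIG_DIR/stop.firewall    flushes every table and resets policies to ACCEPT
#
# "start" is implemented as "restart": stop.firewall runs first, then
# start.firewall after a one second pause.  In that interval the host has
# no rules and ACCEPT policies, i.e. it is briefly unfiltered.

# Options go in "set" rather than the shebang so they survive "sh script".
set -e

test -n "$DEBIAN_SCRIPT_DEBUG" && set -v -x

DESC="firewall"
CONFIG_DIR=/etc/firewall

# Without the configuration directory there is nothing to load or unload.
if [ ! -d "$CONFIG_DIR" ]; then
  echo "$CONFIG_DIR missing, nothing to do." >&2
  exit 1
fi

# source_rules SCRIPT VERB
#   Sources $CONFIG_DIR/SCRIPT in the current shell.  Exits 1 (so the init
#   system sees a failure) if the script is missing/unreadable or returns
#   non-zero; VERB ("starting"/"stopping") is only used in the message.
#   Because the dot command is the left side of "||", "set -e" is not in
#   effect inside the sourced script: a single failing iptables call is
#   reported by iptables and skipped rather than aborting the whole load.
source_rules () {
  if [ ! -r "$CONFIG_DIR/$1" ]; then
    echo "$CONFIG_DIR/$1 missing, not $2 $DESC" >&2
    exit 1
  fi
  . "$CONFIG_DIR/$1" || {
    echo "$CONFIG_DIR/$1 failed, not $2 $DESC" >&2
    exit 1
  }
}

# Loads the rule set; prints the same progress lines as the original script.
start_firewall () {
  echo "Starting $DESC:"
  source_rules start.firewall starting
  echo "."
}

# Flushes the rule set (leaves the host open, see stop.firewall).
stop_firewall () {
  echo "Stopping $DESC:"
  source_rules stop.firewall stopping
  echo "."
}

case "$1" in
  start|restart)
    # Always rebuild from a flushed table so rules are never appended twice.
    # Functions are called directly instead of re-executing "$0 stop".
    stop_firewall
    sleep 1
    start_firewall
    ;;
  stop)
    stop_firewall
    ;;
  *)
    echo "Usage: $0 {start|stop|restart}" >&2
    exit 1
    ;;
esac

exit 0
# vim:set ai sts=2 sw=2 tw=0:
EOFile

chmod 755 /etc/init.d/firewall
# -p: re-running this recipe must not fail on an existing directory.
mkdir -p /etc/firewall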

Creazione regole

Le regole sono contenute in due rulescripts:

  • /etc/firewall/start.firewall: contiene le regole necessarie alla partenza del firewall. Questo file sarà eseguito dando l'opzione start all'initscript.
  • /etc/firewall/stop.firewall: contiene le regole necessarie alla disattivazione di tutte le regole del firewall. Questo file sarà eseguito dando l'opzione stop all'initscript.

Se questi file non esistono, l'initscript terminerà.

Attivazione dell'initscript

Creiamo i link di partenza automatica dello script, che deve essere attivato dopo aver configurato le interfacce:

sudo update-rc.d firewall start 41 S . stop 89 0 6 .

Esempio di rulescripts

start.firewall

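echo "Setting common variables... "

# ----------------------------------------------------------------------------
# EDIT THESE TO SUIT YOUR SYSTEM AND ISP.
# ----------------------------------------------------------------------------
# This file is *sourced* by /etc/init.d/firewall, not executed, so every
# variable set here (including $IPTABLES) lands in the init script's shell.
# The addresses below are the original author's site values.

ANYWHERE="any/0"

WAN0_IF="eth1"                          # WAN interface
WAN0_IP="192.168.110.253"               # WAN IP address (only used by the commented-out SNAT rule)

LAN0_IF="eth0"                          # LAN interface
LAN0_IP="192.168.10.254"                # LAN IP address (not referenced by any active rule)
LAN0_NET="192.168.10.0/24"              # LAN IP network (only used by the commented-out SNAT rule)

VPN0_IF="tun0"                          # LAN-to-LAN VPN interface
VPN0_PT="40000"                         # LAN-to-LAN VPN UDP port
VPN1_IF="tap0"                          # Roadwarriors VPN interface
VPN1_PT="50000"                         # Roadwarriors VPN UDP port

# Only these LAN hosts may originate SMTP / HTTP(S) / DNS through FORWARD.
LAN0_SMTP_SERVER="192.168.10.100"
LAN0_PROXY_SERVER="192.168.10.100"
LAN0_DNS_SERVER="192.168.10.100"

ADMIN_MAC_01="00:08:02:68:3A:7C"        # mnt.vvngrl intel lan

# ----------------------------------------------------------------------------
# NAMESERVERS (not referenced by any active rule below)
# ----------------------------------------------------------------------------

NAMESERVER_1="194.20.8.1"
NAMESERVER_2="194.20.8.4"
NAMESERVER_3="151.99.125.2"

# ----------------------------------------------------------------------------
# MISC
# These parameters are unlikely to be changed
# ----------------------------------------------------------------------------

UNPRIVPORTS="1024:65535"
IPTABLES="/sbin/iptables"               # path to the iptables executable

# Fail early, and let the init script report it, if iptables is unusable:
# every rule below would otherwise fail one by one.  "return" hands the
# status back to the dot command in /etc/init.d/firewall.
[ -x "$IPTABLES" ] || {
  echo "$IPTABLES not found or not executable, cannot load firewall" >&2
  return 1
}

echo "Setting common variables DONE"

# ------------------------------------------------------------------------------
# Set Default Policies and restart IP Accounting
# ------------------------------------------------------------------------------
echo "Setting Default Policies..."

#       /etc/init.d/ipac-ng restart

# Policies go to DROP *before* anything else, so that if the rest of this
# script fails part-way the box is closed rather than open.
"$IPTABLES" -P INPUT DROP
"$IPTABLES" -P OUTPUT ACCEPT
"$IPTABLES" -P FORWARD DROP

# Flush the filter table so that loading this script twice (or without
# stop.firewall first) does not append a second copy of every rule.
# The nat and mangle tables are left to stop.firewall.
"$IPTABLES" -F
echo "Setting Default Policies done."


# -----------------------------------------------------------------------------
# Do NAT and Portmappings
# -----------------------------------------------------------------------------

#echo "Configuring NAT"
        # ---------------------------------------------------------------------
        # Masquerade internal traffic.  (Inactive: kept as the original left it.)
        # ---------------------------------------------------------------------

        #$IPTABLES -t nat -A POSTROUTING \
        #         -o $WAN0_IF  -d ! $LAN0_NET \
        #         -j SNAT --to-source $WAN0_IP

#echo "NAT done."


echo "Starting firewalling... "

# ------------------------------------------------------------------------------
# Unlock Administrative machines MAC Addresses
# ------------------------------------------------------------------------------
# These two rules are first in INPUT and FORWARD, so frames from this MAC
# bypass every restriction that follows.  A MAC is not authenticated and
# --mac-source only sees the last hop's address, so treat this as a
# convenience for the directly attached admin host, not as access control.
"$IPTABLES" -A INPUT \
          -m mac --mac-source "$ADMIN_MAC_01" \
          -j ACCEPT

"$IPTABLES" -A FORWARD \
          -m mac --mac-source "$ADMIN_MAC_01" \
          -j ACCEPT

# ------------------------------------------------------------------------------
# Unlimited traffic within the loopback interface
# ------------------------------------------------------------------------------

"$IPTABLES" -A INPUT  -i lo -j ACCEPT
"$IPTABLES" -A OUTPUT -o lo -j ACCEPT

# ------------------------------------------------------------------------------
# INPUT Rules
# ------------------------------------------------------------------------------

        # ---------------------------------------------------------------------
        # Ping: echo-reply (0) and echo-request (8) from anywhere.
        # ---------------------------------------------------------------------

        "$IPTABLES" -A INPUT -p icmp --icmp-type 0 \
                  -j ACCEPT

        "$IPTABLES" -A INPUT -p icmp --icmp-type 8 \
                  -j ACCEPT

        # ---------------------------------------------------------------------
        # SSH Server (22)
        # ---------------------------------------------------------------------
        # Accepted on *every* interface: the original "#WAN0" label had no
        # matching -i.  --sport only constrains the client's source port,
        # which the client itself chooses, so it is not an access control.
        # NOTE(review): add "-i $WAN0_IF" or a -s allow-list if SSH from the
        # Internet is not intended -- confirm with the site policy.

        "$IPTABLES" -A INPUT -p tcp \
                  --sport "$UNPRIVPORTS" \
                  --dport 22 -j ACCEPT

        # ---------------------------------------------------------------------
        # VPN0 (LAN-to-LAN)
        # ---------------------------------------------------------------------
        # Matches any UDP datagram arriving on the WAN whose *source* port is
        # $VPN0_PT, whatever its destination port.  Compare the VPN1 block,
        # which also has a --dport rule.  NOTE(review): a --dport $VPN0_PT
        # match, as for VPN1, would be the tighter form -- confirm against
        # the OpenVPN configuration before changing.

        "$IPTABLES" -A INPUT -p udp \
                  -i "$WAN0_IF" --sport "$VPN0_PT" \
                  -j ACCEPT

        # Everything that already arrived through the tunnel is trusted.
        "$IPTABLES" -A INPUT -i "$VPN0_IF" \
                  -j ACCEPT


        # ---------------------------------------------------------------------
        # VPN1 (Roadwarriors)
        # ---------------------------------------------------------------------

        "$IPTABLES" -A INPUT -p udp \
                  -i "$WAN0_IF" --sport "$VPN1_PT" \
                  -j ACCEPT

        "$IPTABLES" -A INPUT -p udp \
                  -i "$WAN0_IF" --dport "$VPN1_PT" \
                  -j ACCEPT

        "$IPTABLES" -A INPUT -i "$VPN1_IF" \
                  -j ACCEPT


        # ---------------------------------------------------------------------
        # Unlimited Lan Access
        # ---------------------------------------------------------------------

        #LAN0
        "$IPTABLES" -A INPUT -i "$LAN0_IF" \
                  -j ACCEPT

        # ---------------------------------------------------------------------
        # Allow established reply connections
        # ---------------------------------------------------------------------

        "$IPTABLES" -A INPUT \
                  -m state --state ESTABLISHED,RELATED \
                  -j ACCEPT

        # ---------------------------------------------------------------------
        # LOG Everything without limit
        # ---------------------------------------------------------------------
        # Every packet that gets here is logged at debug level and then
        # dropped, with no -m limit.  On an Internet-facing host this can
        # flood syslog; "-m limit --limit 5/min --limit-burst 10" in front of
        # -j LOG would bound it at the cost of dropping some log lines.
        "$IPTABLES" -A INPUT \
                  -j LOG \
                  --log-level debug \
                  --log-prefix "Iptables INPUT Chain: "


        # ---------------------------------------------------------------------
        # Deny All Other input connections (explicit, in addition to the
        # DROP policy set above)
        # ---------------------------------------------------------------------

        "$IPTABLES" -A INPUT \
                  -j DROP


# ------------------------------------------------------------------------------
# FORWARD Rules
# ------------------------------------------------------------------------------

        # ------------------------------------------------------------------
        # Ping: echo-request (8) may be forwarded in either direction.
        # ------------------------------------------------------------------

        "$IPTABLES" -A FORWARD -p icmp --icmp-type 8 \
                  -j ACCEPT


        # ------------------------------------------------------------------
        # SSH client (22): any forwarded host may open SSH anywhere.
        # ------------------------------------------------------------------

        "$IPTABLES" -A FORWARD -p tcp \
                  --dport 22 -j ACCEPT

        # ------------------------------------------------------------------
        # DNS: only $LAN0_DNS_SERVER, UDP only (TCP/53 is not allowed here).
        # ------------------------------------------------------------------

        "$IPTABLES" -A FORWARD -p udp \
                  --dport 53 \
                  -s "$LAN0_DNS_SERVER" \
                  -j ACCEPT

        # ------------------------------------------------------------------
        # HTTPS client (443) from the proxy only
        # (the original labelled this rule "HTTP client (80)")
        # ------------------------------------------------------------------

        "$IPTABLES" -A FORWARD -p tcp \
                  -d "$ANYWHERE" --dport 443 \
                  -s "$LAN0_PROXY_SERVER" --sport "$UNPRIVPORTS" \
                  -j ACCEPT

        # ------------------------------------------------------------------
        # HTTP client (80) from the proxy only
        # (the original labelled this rule "HTTPS client (443)")
        # ------------------------------------------------------------------

        "$IPTABLES" -A FORWARD -p tcp \
                  -d "$ANYWHERE" --dport 80 \
                  -s "$LAN0_PROXY_SERVER" --sport "$UNPRIVPORTS" \
                  -j ACCEPT

        # ------------------------------------------------------------------
        # SMTP client (smtp 25) from the mail server only
        # ------------------------------------------------------------------
        "$IPTABLES" -A FORWARD -p tcp \
                  --sport "$UNPRIVPORTS" \
                  -s "$LAN0_SMTP_SERVER" --dport 25 \
                  -j ACCEPT

        # ------------------------------------------------------------------
        # IMAP4 client (imap4 143) -- inactive, $POP3_SERVER is never defined
        # ------------------------------------------------------------------
        #       $IPTABLES -A FORWARD -p tcp -o $WAN0_IF \
        #                 --sport $UNPRIVPORTS \
        #                 -d $POP3_SERVER --dport 143 \
        #                 -j ACCEPT

        # ------------------------------------------------------------------
        # IMAP4s client (imap4 993) -- inactive, $POP3_SERVER is never defined
        # ------------------------------------------------------------------
        #       $IPTABLES -A FORWARD -p tcp -o $WAN0_IF \
        #                 --sport $UNPRIVPORTS \
        #                 -d $POP3_SERVER --dport 993 \
        #                 -j ACCEPT


        # ------------------------------------------------------------------
        # VPN clients through $VPN0_IF (OpenVpn Limbiate): unrestricted
        # in both directions.
        # ------------------------------------------------------------------

        "$IPTABLES" -A FORWARD -i "$VPN0_IF" \
                  -j ACCEPT

        "$IPTABLES" -A FORWARD -o "$VPN0_IF" \
                  -j ACCEPT

        # ------------------------------------------------------------------
        # VPN1: unrestricted in both directions.
        # ------------------------------------------------------------------

        "$IPTABLES" -A FORWARD -i "$VPN1_IF" \
                  -j ACCEPT

        "$IPTABLES" -A FORWARD -o "$VPN1_IF" \
                  -j ACCEPT


        # ---------------------------------------------------------------------
        # Allow all established reply connections
        # ---------------------------------------------------------------------

        "$IPTABLES" -A FORWARD \
                  -m state --state ESTABLISHED,RELATED \
                  -j ACCEPT

        # ---------------------------------------------------------------------
        # LOG Everything without limit (same flooding caveat as INPUT)
        # ---------------------------------------------------------------------
        "$IPTABLES" -A FORWARD \
                  -j LOG \
                  --log-level debug \
                  --log-prefix "Iptables FORWARD Chain: "

        # ---------------------------------------------------------------------
        # Deny All Other forward connections
        # ---------------------------------------------------------------------

        "$IPTABLES" -A FORWARD \
                  -j DROP

echo "Firewalling done"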

stop.firewall

# -----------------------------------------------------------------------------
# Clean all tables and rules
# ------------------------------

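# -----------------------------------------------------------------------------
# Clean all tables and rules
# -----------------------------------------------------------------------------
# Sourced by /etc/init.d/firewall on "stop" (and, via "restart", before every
# "start").  When it finishes every built-in chain of the filter, nat and
# mangle tables is empty with policy ACCEPT: the host is completely
# unfiltered until start.firewall is loaded again.

IPTABLES="/sbin/iptables"       # path to the iptables executable

# Hand a failure back to the init script's dot command if iptables is unusable.
[ -x "$IPTABLES" ] || {
  echo "$IPTABLES not found or not executable, cannot flush firewall" >&2
  return 1
}

echo "Flushing all tables and rules... "

# Reset the default policies in the filter table.
"$IPTABLES" -P INPUT ACCEPT
"$IPTABLES" -P FORWARD ACCEPT
"$IPTABLES" -P OUTPUT ACCEPT

# Reset the default policies in the nat table.
"$IPTABLES" -t nat -P PREROUTING ACCEPT
"$IPTABLES" -t nat -P POSTROUTING ACCEPT
"$IPTABLES" -t nat -P OUTPUT ACCEPT

# Reset the default policies in the mangle table.  The original only touched
# PREROUTING and OUTPUT; INPUT, FORWARD and POSTROUTING are reset too so the
# comment above is actually true for every mangle chain.
"$IPTABLES" -t mangle -P PREROUTING ACCEPT
"$IPTABLES" -t mangle -P INPUT ACCEPT
"$IPTABLES" -t mangle -P FORWARD ACCEPT
"$IPTABLES" -t mangle -P OUTPUT ACCEPT
"$IPTABLES" -t mangle -P POSTROUTING ACCEPT

# Flush all the rules in the filter, nat and mangle tables.
"$IPTABLES" -F
"$IPTABLES" -t nat -F
"$IPTABLES" -t mangle -F

# Erase every non-default (user-defined) chain in the three tables.
"$IPTABLES" -X
"$IPTABLES" -t nat -X
"$IPTABLES" -t mangle -X

# -----------------------------------------------------------------------------
# Do NAT and Portmappings
# -----------------------------------------------------------------------------
# Inactive: a commented-out copy of the SNAT rule from start.firewall.  The
# variables it references ($WAN0_IF, $LAN0_NET, $WAN0_IP) are not set in this
# file, so it must stay disabled here even if NAT is enabled in start.firewall.

#echo "Configuring NAT"

        # ---------------------------------------------------------------------
        # Masquerade internal traffic.
        # ---------------------------------------------------------------------

        #$IPTABLES -t nat -A POSTROUTING \
        #         -o $WAN0_IF  -d ! $LAN0_NET \
        #         -j SNAT --to-source $WAN0_IP

#echo "NAT done."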