Initscript per firewall iptables su Debian: Difference between revisions
mNo edit summary |
No edit summary |
| Line 12: | Line 12: | ||
DESC="firewall" | DESC="firewall" | ||
CONFIG_DIR=/etc/firewall | CONFIG_DIR=/etc/firewall | ||
test -d $CONFIG_DIR || { | test -d $CONFIG_DIR || { | ||
echo $CONFIG_DIR missing, nothing to do. | echo "$CONFIG_DIR missing, nothing to do." | ||
exit 1 | exit 1 | ||
} | } | ||
| Line 19: | Line 20: | ||
start_firewall () { | start_firewall () { | ||
. $CONFIG_DIR/start.firewall || { | . $CONFIG_DIR/start.firewall || { | ||
echo $CONFIG_DIR/start.firewall missing, not starting $DESC | echo "$CONFIG_DIR/start.firewall missing, not starting $DESC" | ||
exit 1 | exit 1 | ||
} | } | ||
} | |||
stop_firewall () { | stop_firewall () { | ||
. $CONFIG_DIR/start.firewall || { | . $CONFIG_DIR/start.firewall || { | ||
echo $CONFIG_DIR/stop.firewall missing, not stopping $DESC | echo "$CONFIG_DIR/stop.firewall missing, not stopping $DESC" | ||
exit 1 | exit 1 | ||
} | } | ||
} | |||
case "$1" in | case "$1" in | ||
start) | start) | ||
$0 restart | |||
;; | ;; | ||
stop) | stop) | ||
echo | echo "Stopping $DESC:" | ||
stop_firewall | stop_firewall | ||
echo "." | echo "." | ||
| Line 46: | Line 47: | ||
$0 stop | $0 stop | ||
sleep 1 | sleep 1 | ||
$ | echo "Starting $DESC:" | ||
start_firewall | |||
echo "." | |||
;; | ;; | ||
| Line 56: | Line 59: | ||
exit 0 | exit 0 | ||
# vim:set ai sts=2 sw=2 tw=0: | # vim:set ai sts=2 sw=2 tw=0: | ||
EOFile | EOFile | ||
| Line 66: | Line 68: | ||
== Creazione regole == | == Creazione regole == | ||
Le regole sono contenute in due | Le regole sono contenute in due rulescripts: | ||
* '''/etc/firewall/start | * '''/etc/firewall/start.firewall''': contiene le regole necessarie alla partenza del firewall. Questo files sarà eseguito dando l'opzione ''start'' all'initscript. | ||
* '''/etc/firewall/stop | * '''/etc/firewall/stop.firewall''': contiene le regole necessarie alla disattivazione di tutte le regole del firewall. Questo files sarà eseguito dando l'opzione ''stop'' all'initscript. | ||
Se questi files non esistono, l'initscript terminerà. | Se questi files non esistono, l'initscript terminerà. | ||
| Line 79: | Line 81: | ||
sudo update-rc.d firewall start 41 S . stop 89 0 6 . | sudo update-rc.d firewall start 41 S . stop 89 0 6 . | ||
== Esempio di rulescripts == | |||
* '''start.firewall''' | |||
<pre> | |||
echo "Setting common variables... " | |||
# ---------------------------------------------------------------------------- | |||
# EDIT THESE TO SUIT YOUR SYSTEM AND ISP. | |||
# ------------------------------------------ | |||
ANYWHERE="any/0" | |||
WAN0_IF="eth1" # Wan interface | |||
WAN0_IP="192.168.110.253" # WAN IP Address | |||
LAN0_IF="eth0" # Lan interface | |||
LAN0_IP="192.168.10.254" # Lan IP Address | |||
LAN0_NET="192.168.10.0/24" # Lan IP Network | |||
VPN0_IF="tun0" # LAN VPN interface | |||
VPN0_PT="40000" # LAN VPN interface | |||
VPN1_IF="tap0" # Roadwarriors VPN interface | |||
VPN1_PT="50000" # Roadwarriors VPN interface | |||
LAN0_SMTP_SERVER="192.168.10.100" | |||
# non carica | |||
ADMIN_MAC_01="00:08:02:68:3A:7C" # mnt.vvngrl intel lan | |||
#---------------------------------------------------------------------- | |||
# NAMESERVERS | |||
#--------------------------- | |||
NAMESERVER_1="194.20.8.1" | |||
NAMESERVER_2="194.20.8.4" | |||
NAMESERVER_3="151.99.125.2" | |||
# --------------------------------------------------------------------- | |||
# MISC | |||
# These parameters are unlikely to be changed | |||
# --------------------------------------------- | |||
UNPRIVPORTS="1024:65535" | |||
IPTABLES="/sbin/iptables" # path and $IPTABLES executable | |||
echo "Setting common variables DONE" | |||
# ------------------------------------------------------------------------------ | |||
# Set Default Policies and restart IP Accounting | |||
# ------------------------- | |||
echo "Setting Default Policies..." | |||
# /etc/init.d/ipac-ng restart | |||
$IPTABLES -P INPUT DROP | |||
$IPTABLES -P OUTPUT ACCEPT | |||
$IPTABLES -P FORWARD DROP | |||
echo "Setting Default Policies done." | |||
# ----------------------------------------------------------------------------- | |||
#Do NAT and Portmappings | |||
# ------------------------ | |||
#echo "Configuring NAT" | |||
# --------------------------------------------------------------------- | |||
# Masquerade internal traffic. | |||
# ------------------------------ | |||
#$IPTABLES -t nat -A POSTROUTING \ | |||
# -o $WAN0_IF -d ! $LAN0_NET \ | |||
# -j SNAT --to-source $WAN0_IP | |||
#echo "NAT done." | |||
echo "Starting firewalling... " | |||
# ------------------------------------------------------------------------------ | |||
# Unlock Administrative machines MAC Addressess | |||
# ---------------------------------------------- | |||
$IPTABLES -A INPUT \ | |||
-m mac --mac-source $ADMIN_MAC_01 \ | |||
-j ACCEPT | |||
$IPTABLES -A FORWARD \ | |||
-m mac --mac-source $ADMIN_MAC_01 \ | |||
-j ACCEPT | |||
# ------------------------------------------------------------------------------ | |||
# Unlimited traffic within the loopback interface | |||
# ---------------------------------------------- | |||
# Unlimited traffic on the loopback interface. | |||
$IPTABLES -A INPUT -i lo -j ACCEPT | |||
$IPTABLES -A OUTPUT -o lo -j ACCEPT | |||
# ------------------------------------------------------------------------------ | |||
# INPUT Rules | |||
# ---------------------------------------------- | |||
# --------------------------------------------------------------------- | |||
# Ping | |||
# --------------- | |||
$IPTABLES -A INPUT -p icmp --icmp-type 0 \ | |||
-j ACCEPT | |||
$IPTABLES -A INPUT -p icmp --icmp-type 8 \ | |||
-j ACCEPT | |||
# --------------------------------------------------------------------- | |||
# SSH Server (22) | |||
# --------------- | |||
#WAN0 | |||
$IPTABLES -A INPUT -p tcp \ | |||
--sport $UNPRIVPORTS \ | |||
--dport 22 -j ACCEPT | |||
# --------------------------------------------------------------------- | |||
# VPN0 | |||
# ---------------------- | |||
$IPTABLES -A INPUT -p udp \ | |||
-i $WAN0_IF --sport $VPN0_PT \ | |||
-j ACCEPT | |||
$IPTABLES -A INPUT -i $VPN0_IF \ | |||
-j ACCEPT | |||
# --------------------------------------------------------------------- | |||
# VPN1 | |||
# ---------------------- | |||
$IPTABLES -A INPUT -p udp \ | |||
-i $WAN0_IF --sport $VPN1_PT \ | |||
-j ACCEPT | |||
$IPTABLES -A INPUT -p udp \ | |||
-i $WAN0_IF --dport $VPN1_PT \ | |||
-j ACCEPT | |||
$IPTABLES -A INPUT -i $VPN1_IF \ | |||
-j ACCEPT | |||
# --------------------------------------------------------------------- | |||
# Unlimited Lan Access | |||
# --------------- | |||
#LAN0 | |||
$IPTABLES -A INPUT -i $LAN0_IF \ | |||
-j ACCEPT | |||
# --------------------------------------------------------------------- | |||
# Allow established reply connections | |||
# --------------- | |||
$IPTABLES -A INPUT \ | |||
-m state --state ESTABLISHED,RELATED \ | |||
-j ACCEPT | |||
# --------------------------------------------------------------------- | |||
#LOG Everything without limit | |||
# --------------- | |||
$IPTABLES -A INPUT \ | |||
-j LOG \ | |||
--log-level debug \ | |||
--log-prefix "Iptables INPUT Chain: " | |||
# --------------------------------------------------------------------- | |||
# Deny All Other input connections | |||
# --------------- | |||
$IPTABLES -A INPUT \ | |||
-j DROP | |||
# ------------------------------------------------------------------------------ | |||
# FORWARD Rules | |||
# ---------------------------------------------- | |||
# ------------------------------------------------------------------ | |||
# Ping | |||
# --------------- | |||
$IPTABLES -A FORWARD -p icmp --icmp-type 8 \ | |||
-j ACCEPT | |||
# ------------------------------------------------------------------ | |||
# SSH client (22) | |||
# --------------- | |||
$IPTABLES -A FORWARD -p tcp \ | |||
--dport 22 -j ACCEPT | |||
# ------------------------------------------------------------------ | |||
# HTTPS client (443) | |||
# ------------------ | |||
#$IPTABLES -A FORWARD -p tcp \ | |||
# -d $ANYWHERE --dport 443 \ | |||
# -j ACCEPT | |||
# ------------------------------------------------------------------ | |||
# SMTP client (smtp 25) | |||
# ---------------- | |||
$IPTABLES -A FORWARD -p tcp \ | |||
--sport $UNPRIVPORTS \ | |||
-s $LAN0_SMTP_SERVER --dport 25 \ | |||
-j ACCEPT | |||
# ------------------------------------------------------------------ | |||
# IMAP4 client (imap4 143) | |||
# ---------------- | |||
# $IPTABLES -A FORWARD -p tcp -o $WAN0_IF \ | |||
# --sport $UNPRIVPORTS \ | |||
# -d $POP3_SERVER --dport 143 \ | |||
# -j ACCEPT | |||
# ------------------------------------------------------------------ | |||
# IMAP4s client (imap4 993) | |||
# ---------------- | |||
# $IPTABLES -A FORWARD -p tcp -o $WAN0_IF \ | |||
# --sport $UNPRIVPORTS \ | |||
# -d $POP3_SERVER --dport 993 \ | |||
# -j ACCEPT | |||
# ------------------------------------------------------------------ | |||
# VPN clients through $VPN0_IF (OpenVpn Limbiate) | |||
# ---------------- | |||
$IPTABLES -A FORWARD -i $VPN0_IF \ | |||
-j ACCEPT | |||
$IPTABLES -A FORWARD -o $VPN0_IF \ | |||
-j ACCEPT | |||
# ------------------------------------------------------------------ | |||
# VPN1 | |||
# ---------------- | |||
$IPTABLES -A FORWARD -i $VPN1_IF \ | |||
-j ACCEPT | |||
$IPTABLES -A FORWARD -o $VPN1_IF \ | |||
-j ACCEPT | |||
# --------------------------------------------------------------------- | |||
# Allow all established reply connections | |||
# ---------------------- | |||
$IPTABLES -A FORWARD \ | |||
-m state --state ESTABLISHED,RELATED \ | |||
-j ACCEPT | |||
# --------------------------------------------------------------------- | |||
#LOG Everything without limit | |||
# --------------- | |||
$IPTABLES -A FORWARD \ | |||
-j LOG \ | |||
--log-level debug \ | |||
--log-prefix "Iptables FORWARD Chain: " | |||
# --------------------------------------------------------------------- | |||
# Deny All Other forward connections | |||
# --------------- | |||
$IPTABLES -A FORWARD \ | |||
-j DROP | |||
echo "Firewalling done" | |||
</pre> | |||
* '''firewall.stop''' | |||
<pre> | |||
# ----------------------------------------------------------------------------- | |||
# Clean all tables and rules | |||
# ------------------------------ | |||
IPTABLES="/sbin/iptables" | |||
echo "Flushing all tables and rules... " | |||
# reset the default policies in the filter table. | |||
# | |||
$IPTABLES -P INPUT ACCEPT | |||
$IPTABLES -P FORWARD ACCEPT | |||
$IPTABLES -P OUTPUT ACCEPT | |||
# reset the default policies in the nat table. | |||
# | |||
$IPTABLES -t nat -P PREROUTING ACCEPT | |||
$IPTABLES -t nat -P POSTROUTING ACCEPT | |||
$IPTABLES -t nat -P OUTPUT ACCEPT | |||
# reset the default policies in the mangle table. | |||
# | |||
$IPTABLES -t mangle -P PREROUTING ACCEPT | |||
$IPTABLES -t mangle -P OUTPUT ACCEPT | |||
# flush all the rules in the filter nat and mangle tables. | |||
# | |||
$IPTABLES -F | |||
$IPTABLES -t nat -F | |||
$IPTABLES -t mangle -F | |||
# erase all chains that's not default in filter and nat table. | |||
# | |||
$IPTABLES -X | |||
$IPTABLES -t nat -X | |||
$IPTABLES -t mangle -X | |||
# ----------------------------------------------------------------------------- | |||
#Do NAT and Portmappings | |||
# ------------------------ | |||
#echo "Configuring NAT" | |||
# --------------------------------------------------------------------- | |||
# Masquerade internal traffic. | |||
# ------------------------------ | |||
#$IPTABLES -t nat -A POSTROUTING \ | |||
# -o $WAN0_IF -d ! $LAN0_NET \ | |||
# -j SNAT --to-source $WAN0_IP | |||
#echo "NAT done." | |||
</pre> | |||
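Review bot: On the new side of the `Line 19`/`Line 20` hunk, `stop_firewall` still sources `$CONFIG_DIR/start.firewall`, so `stop` re-applies the start rules and the message that names `stop.firewall` is misleading; the line should read `. $CONFIG_DIR/stop.firewall || {`. The `||` fallback is also fragile under `#!/bin/sh -e`: in a POSIX sh such as dash, the `.` special builtin failing on an unreadable file exits the shell before the message is printed, so a `test -r "$CONFIG_DIR/stop.firewall" || { echo "..."; exit 1; }` guard before sourcing is more dependable. The example section added in the last hunk heads the second rulescript `firewall.stop`, while the initscript and the text above it expect `stop.firewall`.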
Revision as of 14:42, 16 December 2005
Creazione initscript
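# Install the init script.  The rulescripts it sources run with root
# privileges, so /etc/firewall and its contents must be writable by root only.
cat > /etc/init.d/firewall <<'EOFile'
#!/bin/sh -e
#
# v1.0 2005.12.16
# gabriele.vivinetto@rvmgroup.it
#
# Loads (start/restart) or flushes (stop) the iptables rules kept as shell
# snippets in $CONFIG_DIR.  The snippets are *sourced*, so a failing command
# inside them aborts this script because of -e.
test "$DEBIAN_SCRIPT_DEBUG" && set -v -x
DESC="firewall"
CONFIG_DIR=/etc/firewall
test -d "$CONFIG_DIR" || {
  echo "$CONFIG_DIR missing, nothing to do."
  exit 1
}

# Source start.firewall.  The readability check comes first: in a POSIX sh
# the "." special builtin failing on a missing file can exit the shell
# before an "||" branch gets a chance to print anything.
start_firewall () {
  test -r "$CONFIG_DIR/start.firewall" || {
    echo "$CONFIG_DIR/start.firewall missing, not starting $DESC"
    exit 1
  }
  . "$CONFIG_DIR/start.firewall"
}

# Source stop.firewall.  (Previously sourced start.firewall by mistake, so
# "stop" re-applied the start rules instead of flushing them.)
stop_firewall () {
  test -r "$CONFIG_DIR/stop.firewall" || {
    echo "$CONFIG_DIR/stop.firewall missing, not stopping $DESC"
    exit 1
  }
  . "$CONFIG_DIR/stop.firewall"
}

case "$1" in
  start)
    $0 restart
    ;;
  stop)
    echo "Stopping $DESC:"
    stop_firewall
    echo "."
    ;;
  restart)
    shift
    # "stop" resets every policy to ACCEPT, so the host is unfiltered
    # until start_firewall has finished.
    $0 stop
    sleep 1
    echo "Starting $DESC:"
    start_firewall
    echo "."
    ;;
  *)
    echo "Usage: $0 {start|stop|restart}" >&2
    exit 1
    ;;
esac
exit 0
# vim:set ai sts=2 sw=2 tw=0:
EOFile
chmod 755 /etc/init.d/firewall
# -p: do not fail if the directory already exists (e.g. when re-running these steps).
mkdir -p /etc/firewall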
Creazione regole
Le regole sono contenute in due rulescripts:
- /etc/firewall/start.firewall: contiene le regole necessarie alla partenza del firewall. Questo file sarà eseguito dando l'opzione start all'initscript.
- /etc/firewall/stop.firewall: contiene le regole necessarie alla disattivazione di tutte le regole del firewall. Questo file sarà eseguito dando l'opzione stop all'initscript.
Se questi file non esistono, l'initscript terminerà.
Attivazione dell'initscript
Creiamo i link di partenza automatica dello script, che deve essere attivato dopo aver configurato le interfacce:
sudo update-rc.d firewall start 41 S . stop 89 0 6 .
Esempio di rulescripts
- start.firewall
# start.firewall - sourced (not executed) by /etc/init.d/firewall, which runs
# under "sh -e", on "start" and "restart".  Default-deny layout: the INPUT and
# FORWARD policies are set to DROP first, then explicit ACCEPT rules are
# appended, then a catch-all LOG and an explicit DROP.  Because the DROP
# policies are installed before any ACCEPT rule, an iptables call failing
# midway (which aborts the initscript under -e) leaves the host fail-closed.
echo "Setting common variables... "
# ----------------------------------------------------------------------------
# EDIT THESE TO SUIT YOUR SYSTEM AND ISP.
# ------------------------------------------
# Only referenced by the commented-out HTTPS rule below.
ANYWHERE="any/0"
WAN0_IF="eth1" # Wan interface
# WAN0_IP, LAN0_IP and LAN0_NET are not used by any active rule in this file
# (WAN0_IP and LAN0_NET appear only in the commented-out NAT block).
WAN0_IP="192.168.110.253" # WAN IP Address
LAN0_IF="eth0" # Lan interface
LAN0_IP="192.168.10.254" # Lan IP Address
LAN0_NET="192.168.10.0/24" # Lan IP Network
VPN0_IF="tun0" # LAN VPN interface
VPN0_PT="40000" # LAN VPN interface
VPN1_IF="tap0" # Roadwarriors VPN interface
VPN1_PT="50000" # Roadwarriors VPN interface
# The only host allowed to send SMTP through FORWARD (see below).
LAN0_SMTP_SERVER="192.168.10.100"
# does not load ("non carica" in the original) - author's note, purpose unclear
# NOTE(review): the MAC match below is a convenience allow-list, not
# authentication: the source MAC is whatever the sending host puts on the
# frame and is only meaningful on the directly attached segment.
ADMIN_MAC_01="00:08:02:68:3A:7C" # mnt.vvngrl intel lan
#----------------------------------------------------------------------
# NAMESERVERS
#---------------------------
# Not referenced by any rule in this file.
NAMESERVER_1="194.20.8.1"
NAMESERVER_2="194.20.8.4"
NAMESERVER_3="151.99.125.2"
# ---------------------------------------------------------------------
# MISC
# These parameters are unlikely to be changed
# ---------------------------------------------
UNPRIVPORTS="1024:65535"
IPTABLES="/sbin/iptables" # path and $IPTABLES executable
echo "Setting common variables DONE"
# ------------------------------------------------------------------------------
# Set Default Policies and restart IP Accounting
# -------------------------
echo "Setting Default Policies..."
# /etc/init.d/ipac-ng restart
# Policies first, so anything not matched by the rules below is dropped even
# if the rest of this script never runs.  OUTPUT is left open: locally
# generated traffic is not filtered.
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD DROP
echo "Setting Default Policies done."
# -----------------------------------------------------------------------------
#Do NAT and Portmappings
# ------------------------
#echo "Configuring NAT"
# ---------------------------------------------------------------------
# Masquerade internal traffic.
# ------------------------------
# Disabled: with this block commented out, this script sets up no NAT at all.
#$IPTABLES -t nat -A POSTROUTING \
# -o $WAN0_IF -d ! $LAN0_NET \
# -j SNAT --to-source $WAN0_IP
#echo "NAT done."
echo "Starting firewalling... "
# ------------------------------------------------------------------------------
# Unlock Administrative machines MAC Addressess
# ----------------------------------------------
# Anything from this MAC is accepted on INPUT and FORWARD regardless of
# interface, protocol or port (see the note on ADMIN_MAC_01 above).
$IPTABLES -A INPUT \
-m mac --mac-source $ADMIN_MAC_01 \
-j ACCEPT
$IPTABLES -A FORWARD \
-m mac --mac-source $ADMIN_MAC_01 \
-j ACCEPT
# ------------------------------------------------------------------------------
# Unlimited traffic within the loopback interface
# ----------------------------------------------
# Unlimited traffic on the loopback interface.
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT
# ------------------------------------------------------------------------------
# INPUT Rules
# ----------------------------------------------
# ---------------------------------------------------------------------
# Ping
# ---------------
# echo-reply (0) and echo-request (8) from any source on any interface.
$IPTABLES -A INPUT -p icmp --icmp-type 0 \
-j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 8 \
-j ACCEPT
# ---------------------------------------------------------------------
# SSH Server (22)
# ---------------
#WAN0
# No -i or -s restriction: SSH is reachable on every interface, the WAN
# included.  --sport only constrains the client's source port and is not
# a security control.
$IPTABLES -A INPUT -p tcp \
--sport $UNPRIVPORTS \
--dport 22 -j ACCEPT
# ---------------------------------------------------------------------
# VPN0
# ----------------------
# NOTE(review): matches UDP from the WAN by *source* port only (no --dport),
# unlike VPN1 below which has rules for both; confirm this is the intended
# direction for the LAN VPN peer.
$IPTABLES -A INPUT -p udp \
-i $WAN0_IF --sport $VPN0_PT \
-j ACCEPT
# Everything arriving over the tunnel interface itself is trusted.
$IPTABLES -A INPUT -i $VPN0_IF \
-j ACCEPT
# ---------------------------------------------------------------------
# VPN1
# ----------------------
$IPTABLES -A INPUT -p udp \
-i $WAN0_IF --sport $VPN1_PT \
-j ACCEPT
$IPTABLES -A INPUT -p udp \
-i $WAN0_IF --dport $VPN1_PT \
-j ACCEPT
# Everything arriving over the roadwarrior tunnel interface is trusted.
$IPTABLES -A INPUT -i $VPN1_IF \
-j ACCEPT
# ---------------------------------------------------------------------
# Unlimited Lan Access
# ---------------
#LAN0
# The whole LAN segment is trusted for traffic addressed to this host.
$IPTABLES -A INPUT -i $LAN0_IF \
-j ACCEPT
# ---------------------------------------------------------------------
# Allow established reply connections
# ---------------
# Replies to connections this host initiated.  Legacy "state" match; newer
# iptables also offers "-m conntrack --ctstate" with the same meaning.
$IPTABLES -A INPUT \
-m state --state ESTABLISHED,RELATED \
-j ACCEPT
# ---------------------------------------------------------------------
#LOG Everything without limit
# ---------------
# NOTE(review): no -m limit, so every packet that gets this far is logged at
# debug level; a burst of unsolicited WAN traffic can fill syslog/disk.
# Rate-limit this rule (iptables -m limit) if log volume becomes a problem.
$IPTABLES -A INPUT \
-j LOG \
--log-level debug \
--log-prefix "Iptables INPUT Chain: "
# ---------------------------------------------------------------------
# Deny All Other input connections
# ---------------
# Redundant with the INPUT DROP policy, but explicit.
$IPTABLES -A INPUT \
-j DROP
# ------------------------------------------------------------------------------
# FORWARD Rules
# ----------------------------------------------
# ------------------------------------------------------------------
# Ping
# ---------------
# Echo requests may be forwarded in either direction (no -i/-o).
$IPTABLES -A FORWARD -p icmp --icmp-type 8 \
-j ACCEPT
# ------------------------------------------------------------------
# SSH client (22)
# ---------------
# Any forwarded TCP to port 22, in either direction.
$IPTABLES -A FORWARD -p tcp \
--dport 22 -j ACCEPT
# ------------------------------------------------------------------
# HTTPS client (443)
# ------------------
# Disabled: forwarded HTTPS falls through to the LOG/DROP at the end.
#$IPTABLES -A FORWARD -p tcp \
# -d $ANYWHERE --dport 443 \
# -j ACCEPT
# ------------------------------------------------------------------
# SMTP client (smtp 25)
# ----------------
# Only LAN0_SMTP_SERVER may send SMTP through the gateway; any other host
# reaching port 25 falls through to the LOG/DROP at the end.
$IPTABLES -A FORWARD -p tcp \
--sport $UNPRIVPORTS \
-s $LAN0_SMTP_SERVER --dport 25 \
-j ACCEPT
# ------------------------------------------------------------------
# IMAP4 client (imap4 143)
# ----------------
# Disabled.  POP3_SERVER is not defined anywhere in this file; define it
# before enabling this or the IMAP4s rule below.
# $IPTABLES -A FORWARD -p tcp -o $WAN0_IF \
# --sport $UNPRIVPORTS \
# -d $POP3_SERVER --dport 143 \
# -j ACCEPT
# ------------------------------------------------------------------
# IMAP4s client (imap4 993)
# ----------------
# Disabled (see the IMAP4 note above).
# $IPTABLES -A FORWARD -p tcp -o $WAN0_IF \
# --sport $UNPRIVPORTS \
# -d $POP3_SERVER --dport 993 \
# -j ACCEPT
# ------------------------------------------------------------------
# VPN clients through $VPN0_IF (OpenVpn Limbiate)
# ----------------
# Forward everything both into and out of the LAN VPN tunnel.
$IPTABLES -A FORWARD -i $VPN0_IF \
-j ACCEPT
$IPTABLES -A FORWARD -o $VPN0_IF \
-j ACCEPT
# ------------------------------------------------------------------
# VPN1
# ----------------
# Forward everything both into and out of the roadwarrior tunnel.
$IPTABLES -A FORWARD -i $VPN1_IF \
-j ACCEPT
$IPTABLES -A FORWARD -o $VPN1_IF \
-j ACCEPT
# ---------------------------------------------------------------------
# Allow all established reply connections
# ----------------------
# Return traffic for forwarded connections accepted above.
$IPTABLES -A FORWARD \
-m state --state ESTABLISHED,RELATED \
-j ACCEPT
# ---------------------------------------------------------------------
#LOG Everything without limit
# ---------------
# NOTE(review): same unbounded logging as on INPUT (see the note there).
$IPTABLES -A FORWARD \
-j LOG \
--log-level debug \
--log-prefix "Iptables FORWARD Chain: "
# ---------------------------------------------------------------------
# Deny All Other forward connections
# ---------------
# Redundant with the FORWARD DROP policy, but explicit.
$IPTABLES -A FORWARD \
-j DROP
echo "Firewalling done"
- stop.firewall
# stop.firewall - sourced by /etc/init.d/firewall on "stop" and as the first
# step of "restart".  Resets every policy to ACCEPT and removes all rules and
# user-defined chains: afterwards the host accepts and forwards everything.
# This is fail-open by design ("stop" means no firewall); on "restart" the
# host stays in this state until start.firewall has run.
# -----------------------------------------------------------------------------
# Clean all tables and rules
# ------------------------------
# The only variable this file defines (start.firewall sets the same one).
IPTABLES="/sbin/iptables"
echo "Flushing all tables and rules... "
# reset the default policies in the filter table.
#
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P OUTPUT ACCEPT
# reset the default policies in the nat table.
#
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT
# reset the default policies in the mangle table.
#
# NOTE(review): only PREROUTING and OUTPUT are reset here; newer kernels also
# give the mangle table INPUT, FORWARD and POSTROUTING chains.  Harmless as
# long as start.firewall leaves mangle policies alone, but add them if that
# ever changes.
$IPTABLES -t mangle -P PREROUTING ACCEPT
$IPTABLES -t mangle -P OUTPUT ACCEPT
# flush all the rules in the filter nat and mangle tables.
#
# -F before -X: a user-defined chain can only be deleted once no rule
# references it.
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F
# erase all chains that's not default in filter and nat table.
#
$IPTABLES -X
$IPTABLES -t nat -X
$IPTABLES -t mangle -X
# -----------------------------------------------------------------------------
#Do NAT and Portmappings
# ------------------------
# Commented-out copy of the NAT block from start.firewall.  $WAN0_IF,
# $LAN0_NET and $WAN0_IP are not defined in this file, so it cannot be
# enabled here as-is.
#echo "Configuring NAT"
# ---------------------------------------------------------------------
# Masquerade internal traffic.
# ------------------------------
#$IPTABLES -t nat -A POSTROUTING \
# -o $WAN0_IF -d ! $LAN0_NET \
# -j SNAT --to-source $WAN0_IP
#echo "NAT done."