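#!/bin/sh
#
# Home NAT gateway firewall (legacy iptables), run as an rc script.
#
# Usage: $0 {start|stop|restart}
#
# Interfaces: eth0 is the untrusted side (ISP, DHCP-assigned address), eth1
# the trusted LAN 192.168.1.0/24 that is masqueraded behind eth0.
#
# Configuration comes from the two sourced files below; they are expected to
# set the toggles IN_FTPD, IN_SSHD, IN_SMTPD, IN_HTTPD, IN_POP3, IN_IDENTD
# (services exposed on eth0) and PRE_P2P, PRE_MSTSC, PRE_HTTPD (port
# forwards). A toggle counts as enabled only when its value is exactly "1".
#
# Failure mode: set -e aborts on the first failing command. start() installs
# the DROP policies before anything else, so an aborted start leaves the box
# closed rather than half-open.

set -e

. /etc/rc2.d/fw_config
. /etc/rc2.d/in_config

WAN=eth0
LAN=eth1
LAN_NET=192.168.1.0/24

# ISP DHCP server whose offers/acks are accepted on the WAN side.
DHCP_SERVER_IN=10.65.192.1
# Resolvers this host may query (UDP/53) and the NTP peer it syncs with.
DNS_SERVERS="24.201.245.114 24.200.243.234 24.200.243.242 24.200.243.250"
NTP_SERVER=205.151.222.250

# Source prefixes that can never legitimately arrive on the WAN interface.
BOGONS="10.0.0.0/8 127.0.0.1/32 172.16.0.0/12 169.254.0.0/16 192.168.0.0/16"

# LAN hosts that receive port forwards.
P2P_HOST=192.168.1.2
RDP_HOST=192.168.1.2
# NOTE(review): 192.168.1.1 is presumably this gateway's own LAN address, in
# which case the HTTP DNAT below ends up in INPUT and only works together with
# IN_HTTPD=1 (which opens dport 80 on eth0) - confirm.
HTTP_HOST=192.168.1.1

# Filter-table user chains created by start() and removed by reset_tables().
LOG_CHAINS="DLOGGING DLOGGING_OUT DLOGGING_FWD_IN DLOGGING_FWD_OUT"

# enabled VALUE - succeeds when a config toggle is set to "1" (unset -> off).
enabled() {
  [ "${1:-0}" = 1 ]
}

# make_log_chain NAME PREFIX - filter-table chain that logs (rate limited to
# 10/min, burst 5, at DEBUG level with PREFIX) and then drops.
make_log_chain() {
  iptables -N "$1"
  iptables -A "$1" -m limit --limit 10/minute --limit-burst 5 \
    -j LOG --log-level DEBUG --log-prefix "$2"
  iptables -A "$1" -j DROP
}

# open_wan_tcp LABEL PORT... - accept inbound TCP to each PORT on the WAN side.
open_wan_tcp() {
  label=$1
  shift
  printf 'Allowing INCOMING %s related packets...' "$label"
  for p in "$@"; do
    iptables -A INPUT -i "$WAN" -p tcp --dport "$p" -j ACCEPT
  done
  echo "Done."
}

# forward_wan_port PROTO PORT HOST - let a DNATed PROTO/PORT that came in on
# the WAN side be forwarded to HOST on the LAN.
forward_wan_port() {
  iptables -A FORWARD -i "$WAN" -o "$LAN" -p "$1" -d "$3" --dport "$2" -j ACCEPT
}

# dnat_wan_port PROTO PORT HOST [DPORT] - DNAT PROTO/PORT arriving on the WAN
# side to HOST:DPORT (DPORT defaults to PORT).
dnat_wan_port() {
  iptables -t nat -A PREROUTING -i "$WAN" -p "$1" --dport "$2" \
    -j DNAT --to-destination "$3:${4:-$2}"
}

# reset_tables - flush the filter and nat tables and delete our user chains.
# Tolerates chains that do not exist yet (first boot, or stop without start)
# so it is safe to call from both start() and stop(). Policies are untouched.
reset_tables() {
  iptables -F
  iptables -t nat -F
  for c in $LOG_CHAINS; do
    iptables -X "$c" 2>/dev/null || :
  done
  iptables -t nat -X DLOGGING 2>/dev/null || :
}

# start - build the full ruleset from scratch.
start() {
  echo "Setting up firewall... "

  # Fail closed before touching anything else. This also means a rebuild
  # (restart) never passes through an all-ACCEPT state.
  iptables -P INPUT DROP
  iptables -P OUTPUT DROP
  iptables -P FORWARD DROP
  reset_tables

  echo 1 > /proc/sys/net/ipv4/ip_forward
  echo 1 > /proc/sys/net/ipv4/ip_dynaddr
  echo 1 > "/proc/sys/net/ipv4/conf/$WAN/rp_filter"
  echo 1 > "/proc/sys/net/ipv4/conf/$WAN/forwarding"
  ### FIX SQUID BUG
  echo 0 > /proc/sys/net/ipv4/tcp_ecn

  make_log_chain DLOGGING "in: "
  make_log_chain DLOGGING_OUT "out: "
  make_log_chain DLOGGING_FWD_IN "fwd in: "
  make_log_chain DLOGGING_FWD_OUT "fwd out: "

  ### INPUT: LAN and loopback are trusted; WAN is default-deny.
  iptables -A INPUT -i "$LAN" -j ACCEPT
  iptables -A INPUT -i lo -j ACCEPT
  iptables -A INPUT -i "$WAN" -m state --state ESTABLISHED,RELATED -j ACCEPT
  # DHCP offers/acks. Must come before the bogon drop: the server is in 10/8.
  iptables -A INPUT -i "$WAN" -p udp -s "$DHCP_SERVER_IN" --sport 67 --dport 68 -j ACCEPT
  # Anti-spoofing goes BEFORE the service rules: a packet with a forged
  # private/loopback/link-local source must never reach an open port.
  # (rp_filter only catches prefixes the box has a non-WAN route for.)
  for net in $BOGONS; do
    iptables -A INPUT -i "$WAN" -s "$net" -j DLOGGING
  done
  # DNS replies are covered by the ESTABLISHED rule above (conntrack tracks
  # the outbound UDP query), so there is deliberately no stateless
  # "--sport 53 ACCEPT": such a rule lets anything with a spoofed source
  # port 53 reach every local UDP port.
  if enabled "$IN_FTPD";   then open_wan_tcp FTPD 21; fi
  if enabled "$IN_SSHD";   then open_wan_tcp SSHD 22; fi
  if enabled "$IN_SMTPD";  then open_wan_tcp SMTPD 25; fi
  if enabled "$IN_HTTPD";  then open_wan_tcp HTTPD 80 81; fi
  if enabled "$IN_POP3";   then open_wan_tcp POP3 110; fi
  if enabled "$IN_IDENTD"; then open_wan_tcp IDENTD 113; fi
  iptables -A INPUT -i "$WAN" -j DLOGGING

  ### OUTPUT: LAN and loopback unrestricted; WAN limited to listed protocols.
  iptables -A OUTPUT -o "$LAN" -j ACCEPT
  iptables -A OUTPUT -o lo -j ACCEPT
  iptables -A OUTPUT -o "$WAN" -m state --state ESTABLISHED,RELATED -j ACCEPT
  # DHCP client traffic. NOTE(review): these peers (10.23.128.x) differ from
  # the inbound server (10.65.192.1), the "-s" variants match our own source
  # address rather than a destination (likely meant "-d"), and the broadcast
  # DISCOVER to 255.255.255.255 is not matched at all - confirm against the
  # real lease before tidying.
  iptables -A OUTPUT -o "$WAN" -p udp -d 10.23.128.2 --sport 68 --dport 67 -j ACCEPT
  iptables -A OUTPUT -o "$WAN" -p udp -s 10.23.128.2 --sport 68 --dport 67 -j ACCEPT
  iptables -A OUTPUT -o "$WAN" -p udp -s 10.23.128.34 --sport 68 --dport 67 -j ACCEPT
  iptables -A OUTPUT -o "$WAN" -p icmp -j ACCEPT
  # Client protocols this host may initiate toward the Internet.
  for p in 21 22 80 110; do
    iptables -A OUTPUT -o "$WAN" -p tcp --dport "$p" -j ACCEPT
  done
  # ident answers sent from the local ident port.
  iptables -A OUTPUT -o "$WAN" -p tcp --sport 113 -j ACCEPT
  ##### DISABLED (former squid destinations, kept for reference)
  #iptables -A OUTPUT -o eth0 -p tcp --dport 443 -j ACCEPT ##for squid
  #iptables -A OUTPUT -o eth0 -p tcp --dport 1863 -j ACCEPT ##for squid
  #iptables -A OUTPUT -o eth0 -p tcp --dport 1000:5000 -j ACCEPT ##for squid
  #iptables -A OUTPUT -o eth0 -p tcp --dport 5190 -j ACCEPT ##for squid
  #iptables -A OUTPUT -o eth0 -p tcp --dport 6660:6669 -j ACCEPT ##for squid
  ##### DISABLED
  for dns in $DNS_SERVERS; do
    iptables -A OUTPUT -o "$WAN" -p udp -d "$dns" --dport 53 -j ACCEPT
  done
  iptables -A OUTPUT -o "$WAN" -p udp -d "$NTP_SERVER" --sport 123 --dport 123 -j ACCEPT
  iptables -A OUTPUT -o "$WAN" -j DLOGGING_OUT

  ### FORWARD: LAN may go anywhere; WAN may only reach explicit port forwards.
  iptables -A FORWARD -i lo -j ACCEPT
  iptables -A FORWARD -o lo -j ACCEPT
  iptables -A FORWARD -i "$LAN" -j ACCEPT
  iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  # There is intentionally no blanket "-o eth1 ACCEPT": that would forward
  # any packet addressed to a LAN host that reaches eth0 (e.g. from the ISP
  # segment), not just the DNATed ones, and made the explicit 3389 accept
  # below redundant. Each DNAT gets its own accept here instead.
  if enabled "$PRE_P2P"; then
    for spec in tcp:4661 tcp:4662 udp:4665 tcp:412 udp:412 tcp:2234; do
      forward_wan_port "${spec%%:*}" "${spec#*:}" "$P2P_HOST"
    done
  fi
  if enabled "$PRE_MSTSC"; then
    forward_wan_port tcp 3389 "$RDP_HOST"
  fi
  iptables -A FORWARD -i "$WAN" -j DLOGGING_FWD_IN
  iptables -A FORWARD -o "$WAN" -j DLOGGING_FWD_OUT

  ### NAT
  iptables -t nat -N DLOGGING
  iptables -t nat -A DLOGGING -i "$WAN" -m limit --limit 5/minute --limit-burst 3 -j LOG
  iptables -t nat -A DLOGGING -i "$WAN" -j DROP
  iptables -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE
  iptables -t nat -A PREROUTING -i "$WAN" -p udp -s "$DHCP_SERVER_IN" --sport 67 --dport 68 -j ACCEPT #DHCP
  # Spoofed sources are dropped before any DNAT can act on them.
  for net in $BOGONS; do
    iptables -t nat -A PREROUTING -i "$WAN" -s "$net" -j DLOGGING
  done
  #iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 22 -j DNAT --to-destination 192.168.1.7:22 #SSH
  if enabled "$PRE_P2P"; then
    printf 'Enabling PREROUTING for P2P related packets...'
    dnat_wan_port tcp 4661 "$P2P_HOST"   #Edonkey
    dnat_wan_port tcp 4662 "$P2P_HOST"   #Edonkey
    dnat_wan_port udp 4665 "$P2P_HOST"   #Edonkey
    dnat_wan_port tcp 412 "$P2P_HOST"    #DC
    dnat_wan_port udp 412 "$P2P_HOST"    #DC
    dnat_wan_port tcp 2234 "$P2P_HOST"   #SOULSEEK
    echo "Done."
  fi
  if enabled "$PRE_MSTSC"; then
    printf 'Enabling PREROUTING for MSTSC related packets...'
    dnat_wan_port tcp 3389 "$RDP_HOST"   #MSTSC
    echo "Done."
  fi
  if enabled "$PRE_HTTPD"; then
    printf 'Enabling PREROUTING for HTTPD related packets...'
    dnat_wan_port tcp 81 "$HTTP_HOST" 80     #HTTP
    dnat_wan_port tcp 8081 "$HTTP_HOST" 80   #HTTP
    echo "done."
  fi
}

# stop - remove every rule and open all policies. This is "firewall off":
# the host is fully exposed afterwards, by design.
stop() {
  printf 'Disabling firewall... '
  reset_tables
  iptables -P INPUT ACCEPT
  iptables -P OUTPUT ACCEPT
  iptables -P FORWARD ACCEPT
  echo "done."
}

# restart - rebuild the ruleset. start() already flushes under DROP policies,
# so going through stop() (which sets ACCEPT first) would only add a window
# during which everything is allowed.
restart() {
  start
}

case "$1" in
  start)
    start
    ;;
  stop)
    stop
    ;;
  restart)
    restart
    ;;
  *)
    echo "Usage : $0 {start|stop|restart}" >&2
    exit 1
    ;;
esac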