Routing question

David Demland plug-discuss@lists.plug.phoenix.az.us
Mon, 20 Jan 2003 15:45:40 -0700


I just got my server up and running after having some problems upgrading the
kernel. Now my iptables scripts will not route traffic. I have been using
this script for a while without any problems before. What would cause the
problem? The script is:

#!/bin/bash
# ----------------------------------------------------------------------|
#	      This is it...MonMotha's Firewall 2.3.7!			|
#	     All your hackers are belong to Linux/Netfilter!		|
# ----------------------------------------------------------------------|
# 2.3 RELEASE NOTES: This is the 2.2 series with some extra stuff,	|
# including MAC address matching, stateful matching, port forwarding,	|
# per-proto accept behavior, and some other stuff that I might think	|
# about adding later.							|
# ----------------------------------------------------------------------|
# COMMENTS from MonMotha:						|
#									|
# I will be entering "feature freeze" when 2.3.8 goes final. Please	|
# make sure to have any patches or feature requests in by then.		|
# I expect 2.3.7 to be closing in on deserving the "stable" marking.	|
#						--MonMotha		|
#									|
# Please note the change of my e-mail address.  The new address is:	|
# obi-wan@starwarsfan.com.  The old address (bvmopen@usa.net) will be	|
# discontinued as of July 31, 2001.					|
#						--MonMotha		|
#									|
# When e-mailing to report a bug, please check first that it has not	|
# already been fixed in the next prerelease (which can be found at the	|
# distribution site).							|
#						--MonMotha		|
#									|
# Before e-mailing me, please check the distribution site (which can be	|
# found at http://freshmeat.net/projects/mothafirewall as it changes	|
# sometimes) for a new version.						|
#						--MonMotha		|
#									|
# Please...PLEASE give me feedback on your experiences with this script	|
# I would really like to know what everyone wants, what works, and	|
# about the inevitable bugs present in anything.			|
#									|
# 		Direct all feedback to: obi-wan@starwarsfan.com		|
# 						--MonMotha		|
#									|
# When e-mailing with problems, please include firewall script version,	|
# iptables version, kernel version, and GNU BASH version.  If you think	|
# your problem might be related to kernel configuration, please attach	|
# the .config file for your kernel.					|
#						--MonMotha		|
#									|
# ----------------------------------------------------------------------|
# SYSTEM REQUIREMENTS: You must have either compiled the appropriate	|
# iptables support into your 2.4 kernel or have loaded all the		|
# applicable modules BEFORE you run this script.  This script will not	|
# load modules for you.							|
#									|
# 	You will need (at least) the following kernel options to use	|
# this firewall: CONFIG_NETFILTER, CONFIG_IP_NF_IPTABLES,		|
# CONFIG_IP_NF_FILTER, CONFIG_IP_NF_MATCH_STATE and			|
# CONFIG_IP_NF_TARGET_REJECT.						|
# 	To use the masquerading you will also need (at least):		|
# CONFIG_IP_NF_CONNTRACK, CONFIG_IP_NF_NAT, CONFIG_IP_NF_NAT_NEEDED	|
# and CONFIG_IP_NF_TARGET_MASQUERADE.					|
# 	Additional options may be needed to use other features.		|
# 									|
# You need iptables.  Get it at "http://netfilter.filewatcher.org".	|
# Some of the features will need patches only present in the CVS	|
#									|
# This script was written (and partially tested) with iptables CVS	|
# and kernel 2.4.x (non testing) in mind.				|
# 									|
# Also, this is a BASH shell script...any 2.x version of GNU BASH	|
# should work.								|
# ----------------------------------------------------------------------|
#									|
# ALL USERS, READ THE FOLLOWING:					|
#									|
# This is distributed under the modified BSD license:			|
#									|
# Redistribution and use in source and binary forms, with or without 	|
# modification, are permitted provided that the following conditions 	|
# are met:								|
#									|
#    1.Redistributions of source code must retain the above copyright	|
#      notice, this list of conditions and the following disclaimer.	|
#    2.Redistributions in binary form must reproduce the above		|
#      copyright notice, this list of conditions and the following	|
#      disclaimer in the documentation and/or other materials provided	|
#      with the distribution.						|
#    3.The name of the author may not be used to endorse or promote	|
#      products derived from this software without specific prior	|
#      written permission.						|
#									|
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR	|
# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED	|
# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE	|
# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY	|
# DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL	|
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE	|
# GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS		|
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER	|
# IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR	|
# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN	|
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE				|
#									|
# While this may be used freely for commercial use, I do REQUEST that	|
# any commercial users please tell me via e-mail at			|
# obi-wan@starwarsfan.com that they are using it, why they chose it,	|
# how well it works, etc.						|
#									|
# ----------------------------------------------------------------------|
# IMPORTANT: This firewall is currently in beta! It may be too		|
# restrictive or insecure.						|
# ----------------------------------------------------------------------|
# CHANGELOG: (Since 2.3.0-pre1a only)					|
#	version 2.3.7: No changes from pre8				|
#	version 2.3.7-pre8: Change email address on liscense		|
#			    Revert to pre6 behavior of dropping ICMP	|
#				echo-request (take global DROP= policy)	|
#			    Allow everything from interface lo		|
#			    Correct pre7 changelog			|
#			    Special rules for DHCP servers		|
#	version 2.3.7-pre7: Fix version number in changelog entry below	|
#			    Fix 127.0.0.1 INPUT handling.		|
#			    Only enable IP forwarding if it's needed	|
#				(INTERNAL_LAN defined)			|
#			    Tweak flood parameters			|
#			    Hostwise allows now override explicit,	|
#				denies but not blackholes		|
#			    ICMP echo-request will no longer take the	|
#				specified drop policy when it doesn't	|
#				comply with limits, straight DROP will	|
#				be used instead				|
#			    Fix REJECT handling in TREJECT and LTREJECT	|
#			    Add transparent proxy support (Joshua Link)	|
#	version 2.3.7-pre6: Fix status reporting on SSR SysCtl loop	|
#			    Fix the SSR SysCtl loop			|
#			    Remove stateful match from forward chain	|
#	version 2.3.7-pre5: Make the default policy actually be DROP	|
#				instead of just saying it is		|
#			    Add stateful matching to forward chain to	|
#				prevent people from routing onto your	|
#				internal network (please tell me if 	|
#				breaks anything). Thanks to Martin	|
#				Mosny for noticing this			|
#			    Block Source Routed Packets to help with	|
#				the above problem			|
#			    Add option for TCP SynCookies on or off	|
#			    Fix BLACKHOLE directive (was being applied	|
#				to INPUT/OUTPUT after the jump for	|
#				INETIN/INETOUT so didn't apply for	|
#				the internet).  Thanks to Gerry Doris	|
#				for noticing this			|
#			    Add DHCP client to default UDP port allows	|
#			    Note email address change			|
#			    Changed emphasis in comments		|
#			    Forwarding of port ranges (Vinny and Eddie)	|
#	version 2.3.7-pre4: Line 414, missing subnet match caused all	|
#				packets from anywhere to be allowed.	|
#				Fixed.					|
#	version 2.3.7-pre3: Fix missing fi (fatal syntax error)		|
#			    Fix logging in TCPACCEPT chain		|
#	version 2.3.7-pre2: Add route verification (thanks to Jeremy	|
#				Frank)					|
#			    Add blackhole directive			|
#			    Updated configuration sanity checks		|
#			    Ripped out SSH Stuff as it isn't needed	|
#			    True default DROP on INPUT			|
#			    Don't run the INTERNAL_LAN loop if no nets	|
#			    Upped the default SYN limit as large	|
#				numbers of small FTP transfers would	|
#				overload it quickly			|
#			    Form cleanups				|
#	version 2.3.7-pre1: Maybe the FTP will work now (fixes for the	|
#				RELATED state)				|
#			    Now works with both LAN and DMZ iface null	|
#			    Moved static NAT to stable options		|
#			    Change parser to /bin/bash not /bin/sh	|
#	version 2.3.6: Add TTL mangling					|
#		       Added some more EFNet servers to the list	|
#		       Fix in the DMZOUT chain				|
#		       Fix FTP stuff					|
#	version 2.3.5: Fixes to make port forwarding work again		|
#	version 2.3.4: USE_MASQ has been changed to MASQ_LAN in port fw	|
#		       Fix syntax error in TCP port forwards		|
#		       General cleanup					|
#		       Fixes in port forwarding				|
#		       It's LTREJECT, not TLREJECT			|
#		       More TOS mangling				|
#	version 2.3.3: Fatal syntax error in IP forward detect fix	|
#		       Don't bail on no IP forward for no LAN		|
#	version 2.3.3-pre1: Reject with tcp-reset for TCP option	|
#			    Removed the huge list of censorship		|
#			    Moved the port forwards to stable options	|
#			    Moved the TOS mangling to stable options	|
#			    Check before enabling IP Forwarding and	|
#				IP SynCookies				|
#			    Don't run censorship loop if no rules	|
#			    Request low latency TOS on UDP packets for	|
#				games on ports 4000-7000 (Diablo II)	|
#			    Fix bad syntax in the port forwarding loops	|
#			    Reversed DMZIN and DMZOUT fixed		|
#			    Various syntax fixes			|
#			    Stateful inspection on forward chain	|
#			    Other stateful matching changes		|
#	version 2.3.2: Fixed bad syntax in DMZ_IFACE loop		|
#	version 2.3.2-pre2: Put a real license on it (BSD license)	|
#			    Changed format of ALLOW_HOSTWISE and	|
#				DENY_HOSTWISE to be less confusing	|
#				(the ":" was changed to ">")		|
#			    Added LOG_FLOOD option to tweak log limit	|
#			    Added SYN_FLOOD option to tweak SYN limit	|
#			    Added PING_FLOOD option to tweak PING limit	|
#	version 2.3.2-pre1: Stateful matching on active FTP and SSH	|
#				rules (thanks to Len Padilla)		|
#			    Fixed a minor bug in chain creation order	|
#				(thanks to Peter Lindman)		|
#			    TOS Optimizations (thanks to vesa alatalo)	|
#			    Begin DMZ Support				|
#			    Proofread comments and correct		|
#			    Use BASH builtins instead of sed 		|
#				(thanks to Craig Ludington)		|
#			    Fixed "USE_SNAT" bug in port forwarding	|
#				(has been changed to "SNAT_LAN")	|
#				(thanks to Frédéric Marchand)		|
#			    Tuned down default TCP allows (remove POP3)	|
#	version 2.3.1: Option for 1:1 or subnet:1 static NAT		|
#		       Internet censorship options			|
#	version 2.3.1-pre2: Added option to deny specific ports from	|
#				specific hosts				|
#			    Added limiting to logging chains to prevent	|
#				log DoSing				|
#			    Spiffed up comments				|
#			    Changed the "AUTH_ALLOW" and "DNS" options	|
#				to be more generic and flexible		|
#	version 2.3.1-pre1: Updated comments for new kernel version	|
#			    Removed double drop setting			|
#			    Updated for iptables-1.2			|
#			    Began a kernel option list			|
#	version 2.3.0: No changes from pre1g				|
#	version 2.3.0-pre1g: Tuned down default TCP allows		|
#			     Restructure to SSH loop			|
#			     Status Reporting Fixes (newlines, etc.)	|
#			     Fix log prefix length on accept loops	|
#	version 2.3.0-pre1f: Moved the ICMP echo-request limit to where	|
#				it should have been			|
#			     Allows the rest of the ICMP like it should	|
#			     Remove the interface matching from ICMP	|
#				echo-request (not needed)		|
#	version 2.3.0-pre1e: Fixed an issue in the invalid matching	|
#	version 2.3.0-pre1d: Spiffed up comments			|
#			     Port Forwarding				|
#			     Moved the deny setting to normal options	|
#	version 2.3.0-pre1c: Minor fixes that don't (currently) affect	|
#				functionality				|
#	version 2.3.0-pre1b: Security fix documented in 2.1.13		|
#			     Slight logic change in TCP_ALLOW loop	|
#			     Don't print allow messages if nothing is	|
#				allowed by that loop			|
#			     Changed IPTables download URL		|
#       version 2.3.0-pre1a: Initial branch from 2.1.12                 |
#                            Add stuff in release notes except port fw  |
# ----------------------------------------------------------------------|
# USE AT YOUR OWN RISK! THIS IS WITHOUT ANY WARRANTY STATED OR IMPLIED!	|
# That means NONE whatsoever, not even fitness for purpose!		|
# ----------------------------------------------------------------------|
# You NEED to set this!							|
# Configuration follows:						|
#									|
# Notes about configuration: 						|
# Some things take more than one option; separate with spaces.		|
# You probably don't want all the ports I have under here open, portscan|
#	yourself to find what you want open.				|
# If you want to used host-based identd allowing, do NOT put 113 in	|
#	TCP_ALLOW and DO set ALLOW_TCP_HOSTWISE (using 113 as the port).|
#	Of course, you can also put 113 in TCP_ALLOW to allow anyone.	|
# The same applies to DNS zone transfers (only use port 53 and UDP).	|
# MAC_MASQ is ONLY used for the purposes of masquerading and it will	|
#	override the MASQ_LAN setting for masquerading.	However, you	|
#	must still define MASQ_LAN properly.				|
# INTERNAL_LAN must always be properly defined.				|
# You can use hostnames anywhere, but you'll need to have access to the	|
# DNS server when the script runs and you might not get the expected	|
#	results since the DNS lookup is only done once.			|
# You can mix and match hosts with public IPs and masqueraded hosts in	|
# 	INTERNAL_LAN as long as you define the ones to use NAT later.	|
# DMZ support can currently be considered (at best) PREALPHA.		|
# It should work without a LAN, leave INTERNAL_LAN blank.		|


# Main configuration, modify to suit your setup.  Help can be found at:
#    http://www.mplug.org/phpwiki/index.php?MonMothaReferenceGuide
IPTABLES="/sbin/iptables"			# set to your iptables location, must be set
TCP_ALLOW="22"					# TCP ports to allow
UDP_ALLOW="68 6112 6119 4000"			# UDP ports to allow
INET_IFACE="eth1"				# the interface your internet's on (one only), must be set
LAN_IFACE="eth0"				# the interface your LAN's on (one only)
INTERNAL_LAN="192.168.0.0/24 192.168.1.0/24"	# The internal LAN (including DMZs but not censored hosts)
MASQ_LAN="192.168.0.0/24 192.168.1.0/24"	# the internal network(s) to be masqueraded (this is overridden by MAC_MASQ)
SNAT_LAN=""					# Internal networks/hosts to use static NAT (format is <internal ip or network>:<external ip>) (this is overridden by MAC_SNAT)
DROP="TREJECT"					# What to do with packets we don't want: DROP, REJECT, TREJECT (Reject with tcp-reset for TCP), LDROP (log and drop), LREJECT (log and reject), LTREJECT (log and reject with tcp-reset)
DENY_ALL=""					# Internet hosts to explicitly deny from accessing your system at all
DENY_HOSTWISE_TCP=""				# Specific hosts to deny access to specific TCP ports; format is "IP>PORT"
DENY_HOSTWISE_UDP=""				# Specific hosts to deny access to specific UDP ports; format is "IP>PORT"
BLACKHOLE=""					# People you don't want to have anything to do with (equivalent of my old TK_DROP).  This is a bidirectional drop.
BLACKHOLE_DROP="DROP"				# What to do for the blackholes (same options as DROP directive above)
ALLOW_HOSTWISE_TCP=""				# Specific hosts allowed access to specific TCP ports; format is "IP>PORT"
ALLOW_HOSTWISE_UDP=""				# Specific hosts allowed access to specific UDP ports; format is "IP>PORT"
TCP_FW=""					# TCP port forwards, form is "SPORT:DPORT>IP"
UDP_FW=""					# UDP port forwards, form is "SPORT:DPORT>IP"
MANGLE_TOS_OPTIMIZE="TRUE"			# TOS "optimizations" on or off (TRUE/FALSE toggle)
ENABLE="Y"					# Set to 'Y' when it's configured; this is for your own safety


# Flood Params.  You will still receive the packets and the bandwidth will be used, but this will cause floods to be ignored (useful against SYNFLOODS especially)
LOG_FLOOD="2/s"					# Limit on logging (for LTREJECT, LREJECT and LDROP, the packet will always take the policy regardless of logging)
SYN_FLOOD="20/s"				# GLOBAL limit on SYN packets (servers will probably need even higher sustained rates as this isn't on a per IP basis)
PING_FLOOD="1/s"				# GLOBAL limit on ICMP echo-requests to reply to

# Outbound filters (they work, but are of limited functionality), probably better to use a proxy here
ALLOW_OUT_TCP=""				# Internal hosts allowed to be forwarded out on TCP (internet censorship!) (do not put this/these host/s in INTERNAL_LAN, but do define their method of access [snat, masq] if not a public ip)

# Below here is experimental (please report your successes/failures)
MAC_MASQ=""					# MAC addresses permitted to use masquerading, leave blank to not use
MAC_SNAT=""					# MAC addresses permitted to use static NAT, leave blank to not use (format is <MAC Address>:<external ip>)
TTL_SAFE=""					# How many hops packets need to make once they get on your LAN (null disables the mangling) (requires patch from patch-o-matic)
USE_SYNCOOKIES="TRUE"				# TCP SynCookies on or off (TRUE/FALSE toggle)
PROXY=""					# Redirect for Squid or other transparent proxy. Syntax to specify the proxy is "host:port".
DHCP_SERVER="FALSE"				# Set to TRUE if you run a DHCP server. DHCP clients do not need this. This allows broadcasts to the server from potential clients on the LAN to succeed. MUST DEFINE LAN_IFACE IF YOU USE THIS!

# Only touch these if you're daring (PREALPHA stuff, as in basically non-functional)
DMZ_IFACE=""					# Interface your DMZ is on (leave blank if you don't have one) MUST DEFINE LAN_IFACE IF YOU USE THIS!

# ----------------------------------------------------------------------|
# These control basic script behavior, there should be no need to	|
#	change any of these settings for normal use.			|
# ----------------------------------------------------------------------|
FILTER_CHAINS="INETIN INETOUT DMZIN DMZOUT TCPACCEPT UDPACCEPT LDROP LREJECT TREJECT LTREJECT"
LOOP_IFACE="lo"

# ----------------------------------------------------------------------|
# You shouldn't need to modify anything below here			|
# Main Script Starts							|
# ----------------------------------------------------------------------|

# Let's load it!
echo "Loading iptables firewall:"

# Configuration Sanity Checks
echo -n "Checking configuration..."
if ! [ -x $IPTABLES ] ; then
	echo
	echo "ERROR IN CONFIGURATION: IPTABLES doesn't exist or isn't executable!"
	exit 1
fi
if [ "$DMZ_IFACE" = "$LAN_IFACE" ] && [ "$LAN_IFACE" != "" ]; then
	echo
	echo "ERROR IN CONFIGURATION: DMZ_IFACE and LAN_IFACE can't be the same!"
	exit 1
fi
if [ "$DROP" = "" ] ; then
	echo
	echo "There needs to be a DROP policy (try TREJECT)!"
	exit 1
fi
if [ "$DROP" = "ACCEPT" ] ; then
	echo
	echo "The DROP policy is set to ACCEPT; there is no point in loading the firewall as there wouldn't be one."
	exit 2
fi
if [ "$BLACKHOLE" != "" ] && [ "$BLACKHOLE_DROP" = "" ] ; then
	echo
	echo "You can't use blackholes and not have a policy for them!"
	exit 1
fi
if ! [ "$ENABLE" = "Y" ] ; then
	echo
	echo "You need to edit your configuration and set ENABLE to Y!"
	exit 99
fi
echo "passed"


# ===============================================
# -------Set some Kernel stuff via SysCTL--------
# ===============================================

# Turn on IP forwarding

if [ "$INTERNAL_LAN" != "" ] ; then
	echo -n "Checking IP Forwarding..."
	if [ -e /proc/sys/net/ipv4/ip_forward ] ; then
		echo 1 > /proc/sys/net/ipv4/ip_forward
		echo "enabled."
	else
		echo "support not found! This will cause problems if you need to do any routing."
	fi
fi

# Enable TCP Syncookies
if [ "$USE_SYNCOOKIES" = "TRUE" ] ; then
	echo -n "Checking IP SynCookies..."
	if [ -e /proc/sys/net/ipv4/tcp_syncookies ] ; then
		echo 1 > /proc/sys/net/ipv4/tcp_syncookies
		echo "enabled."
	else
		echo "support not found, but that's OK."
	fi
fi

# Enable Route Verification to prevent martians and other such crud that
# seems to be commonplace on the internet today
echo -n "Checking Route Verification..."
if [ "$INET_IFACE" != "" ] ; then
	if [ -e /proc/sys/net/ipv4/conf/$INET_IFACE/rp_filter ] ; then
		echo 1 > /proc/sys/net/ipv4/conf/$INET_IFACE/rp_filter
		echo -n "activated:${INET_IFACE} "
	else
		echo "not found:${INET_IFACE} "
	fi
fi

if [ "$LAN_IFACE" != "" ] ; then
	if [ -e /proc/sys/net/ipv4/conf/$LAN_IFACE/rp_filter ] ; then
		echo 1 > /proc/sys/net/ipv4/conf/$LAN_IFACE/rp_filter
		echo -n "activated:${LAN_IFACE} "
	else
		echo "not found:${LAN_IFACE} "
	fi
fi

if [ "$DMZ_IFACE" != "" ] ; then
	if [ -e /proc/sys/net/ipv4/conf/$DMZ_IFACE/rp_filter ] ; then
		echo 1 > /proc/sys/net/ipv4/conf/$DMZ_IFACE/rp_filter
		echo -n "activated:${DMZ_IFACE} "
	else
		echo "not found:${DMZ_IFACE} "
	fi
fi
echo

# Tell the Kernel to Ignore Source Routed Packets
echo -n "Refusing SSR Packets via SysCtl..."
if [ "$INET_IFACE" != "" ] ; then
	if [ -e /proc/sys/net/ipv4/conf/$INET_IFACE/accept_source_route ] ; then
		echo "0" > /proc/sys/net/ipv4/conf/$INET_IFACE/accept_source_route
		echo -n "activated:${INET_IFACE} "
	else
		echo "not found:${INET_IFACE} "
	fi
fi

if [ "$LAN_IFACE" != "" ] ; then
	if [ -e /proc/sys/net/ipv4/conf/$LAN_IFACE/accept_source_route ] ; then
		echo "0" > /proc/sys/net/ipv4/conf/$LAN_IFACE/accept_source_route
		echo -n "activated:${LAN_IFACE} "
	else
		echo "not found:${LAN_IFACE} "
	fi
fi

if [ "$DMZ_IFACE" != "" ] ; then
	if [ -e /proc/sys/net/ipv4/conf/$DMZ_IFACE/accept_source_route ] ; then
		echo "0" > /proc/sys/net/ipv4/conf/$DMZ_IFACE/accept_source_route
		echo -n "activated:${DMZ_IFACE} "
	else
		echo "not found:${DMZ_IFACE} "
	fi
fi
echo

# ===============================================
# --------Actual NetFilter Stuff Follows---------
# ===============================================

# Flush everything
# If you need compatibility, you can comment some or all of these out,
# but remember, if you re-run it, it'll just add the new rules in; it
# won't remove the old ones for you then. This is how it removes them.
echo -n "Flush: "
${IPTABLES} -t filter -F INPUT
echo -n "INPUT "
${IPTABLES} -t filter -F OUTPUT
echo -n "OUTPUT1 "
${IPTABLES} -t filter -F FORWARD
echo -n "FORWARD "
${IPTABLES} -t nat -F PREROUTING
echo -n "PREROUTING1 "
${IPTABLES} -t nat -F OUTPUT
echo -n "OUTPUT2 "
${IPTABLES} -t nat -F POSTROUTING
echo -n "POSTROUTING "
${IPTABLES} -t mangle -F PREROUTING
echo -n "PREROUTING2 "
${IPTABLES} -t mangle -F OUTPUT
echo -n "OUTPUT3"
echo

# Create new chains
# Output to /dev/null in case they don't exist from a previous invocation
echo -n "Creating chains: "
for chain in ${FILTER_CHAINS} ; do
	${IPTABLES} -t filter -F ${chain} > /dev/null 2>&1
	${IPTABLES} -t filter -X ${chain} > /dev/null 2>&1
	${IPTABLES} -t filter -N ${chain}
	echo -n "${chain} "
done
echo

# Default Policies
# INPUT policy is drop as of 2.3.7-pre5
# Policy can't be reject because of kernel limitations
echo -n "Default Policies: "
${IPTABLES} -t filter -P INPUT DROP
echo -n "INPUT:DROP "
${IPTABLES} -t filter -P OUTPUT ACCEPT
echo -n "OUTPUT:ACCEPT "
${IPTABLES} -t filter -P FORWARD DROP
echo -n "FORWARD:DROP "
echo

# Local traffic to internet or crossing subnets
# This should cover what we need if we don't use masquerading
# Unfortunately, MAC address matching isn't bidirectional (for
#   obvious reasons), so IP based matching is done here
echo -n "Local Traffic Rules: "
if [ "$INTERNAL_LAN" != "" ] ; then
	for subnet in ${INTERNAL_LAN} ; do
		${IPTABLES} -t filter -A FORWARD -s ${subnet} -j ACCEPT
		${IPTABLES} -t filter -A FORWARD -d ${subnet} -j ACCEPT
		${IPTABLES} -t filter -A INPUT -s ${subnet} -j ACCEPT
		echo -n "${subnet}:ACCEPT "
	done
	echo
fi

# 127.0.0.0/8 used to need an entry in INTERNAL_LAN, but routing of that isn't needed,
# so an allow is placed on INPUT so that the computer can talk to itself :)
${IPTABLES} -t filter -A INPUT -i ${LOOP_IFACE} -j ACCEPT
echo -n "loopback:ACCEPT "

# DHCP server magic
# Allow broadcasts from LAN to UDP port 67 (DHCP server)
if [ "$DHCP_SERVER" = "TRUE" ] ; then
	${IPTABLES} -t filter -A INPUT -i ${LAN_IFACE} -p udp --dport 67 -j ACCEPT
fi
echo #newline from local traffic rules



if [ "$PROXY" != "" ] ; then
	echo -n "Setting up Transparent Proxy to ${PROXY}: "
	for subnet in ${INTERNAL_LAN} ; do
		echo "$PROXY" | {
			IFS=':' read host port
			if [ "$host" = "localhost" ] || [ "$host" = "127.0.0.1" ] ; then
				${IPTABLES} -t nat -A PREROUTING -s ${subnet} -p tcp --dport 80 -j REDIRECT --to-port ${port}
				echo -n "${subnet}:PROXY "
			else
				${IPTABLES} -t nat -A PREROUTING -s ${subnet} -p tcp --dport 80 -j DNAT --to ${host}:${port}
				echo -n "${subnet}:PROXY "
			fi
		}
	done
	echo
fi

if [ "$ALLOW_OUT_TCP" != "" ] ; then
	echo -n "Internet censorship TCP allows: "
	for rule in ${ALLOW_OUT_TCP} ; do
		echo "$rule" | {
			IFS=':' read intip destip
			${IPTABLES} -t filter -A FORWARD -s ${intip} -d ${destip} -o ${INET_IFACE} -j ACCEPT
			${IPTABLES} -t filter -A FORWARD -d ${intip} -s ${destip} -i ${INET_IFACE} -j ACCEPT
			echo -n "${intip}:${destip} "
		}
	done
	echo
fi

# Set up basic NAT if the user wants it
if [ "$MASQ_LAN" != "" ] ; then
	echo -n "Setting up masquerading: "
	if [ "$MAC_MASQ" = "" ] ; then
		for subnet in ${MASQ_LAN} ; do
			${IPTABLES} -t nat -A POSTROUTING -s ${subnet} -o ${INET_IFACE} -j MASQUERADE
			echo -n "${subnet}:MASQUERADE "
		done
	else
		# NOTE: the mac match only applies to incoming packets (PREROUTING,
		# INPUT, FORWARD), so this rule is not valid in POSTROUTING and will
		# not load; MAC_MASQ is experimental, as noted in the configuration.
		for address in ${MAC_MASQ} ; do
			${IPTABLES} -t nat -A POSTROUTING -m mac --mac-source ${address} -o ${INET_IFACE} -j MASQUERADE
			echo -n "${address}:MASQUERADE "
		done
	fi
	echo
fi
if [ "$SNAT_LAN" != "" ] ; then #Static NAT used
	echo -n "Setting up static NAT: "
	if [ "$MAC_SNAT" = "" ] ; then
		for rule in ${SNAT_LAN} ; do
			echo "$rule" | {
				IFS=':' read host destip
				${IPTABLES} -t nat -A POSTROUTING -s ${host} -o ${INET_IFACE} -j SNAT --to-source ${destip}
				echo -n "${host}:SNAT "
			}
		done
	else
		# Same restriction as MAC_MASQ above: the mac match is not valid in
		# POSTROUTING.  The MAC itself contains colons, so split on the
		# last ':' only (format is <MAC Address>:<external ip>).
		for rule in ${MAC_SNAT} ; do
			address="${rule%:*}"
			destip="${rule##*:}"
			${IPTABLES} -t nat -A POSTROUTING -m mac --mac-source ${address} -o ${INET_IFACE} -j SNAT --to-source ${destip}
			echo -n "${address}:SNAT "
		done
	fi
	echo
fi

#TCP Port-Forwards
if [ "$TCP_FW" != "" ] ; then
	echo -n "TCP Port Forwards: "
	for rule in ${TCP_FW} ; do
		echo "$rule" | {
			IFS=':>' read srcport destport host
			echo "$srcport" | {
				IFS='-' read fsp lsp
				if [ "$lsp" != "" ] ; then
					# Port range: SPORT is "first-last", DPORT is "first-last"
					echo "$destport" | {
						IFS='-' read fdp ldp
						${IPTABLES} -t nat -A PREROUTING -p tcp -i ${INET_IFACE} --dport ${fsp}:${lsp} -j DNAT --to-destination ${host}:${destport}
						${IPTABLES} -t filter -A FORWARD -p tcp -d ${host} --dport ${fdp}:${ldp} -j ACCEPT
					}
				else
					${IPTABLES} -t nat -A PREROUTING -p tcp -i ${INET_IFACE} --dport ${srcport} -j DNAT --to-destination ${host}:${destport}
					${IPTABLES} -t filter -A FORWARD -p tcp -d ${host} --dport ${destport} -j ACCEPT
				fi
				echo -n "${rule} "
			}
		}
	done
	echo
fi

#UDP Port Forwards
if [ "$UDP_FW" != "" ] ; then
	echo -n "UDP Port Forwards: "
	for rule in ${UDP_FW} ; do
		echo "$rule" | {
			IFS=':>' read srcport destport host
			echo "$srcport" | {
				IFS='-' read fsp lsp
				if [ "$lsp" != "" ] ; then
					# Port range: SPORT is "first-last", DPORT is "first-last"
					echo "$destport" | {
						IFS='-' read fdp ldp
						${IPTABLES} -t nat -A PREROUTING -p udp -i ${INET_IFACE} --dport ${fsp}:${lsp} -j DNAT --to-destination ${host}:${destport}
						${IPTABLES} -t filter -A FORWARD -p udp -d ${host} --dport ${fdp}:${ldp} -j ACCEPT
					}
				else
					${IPTABLES} -t nat -A PREROUTING -p udp -i ${INET_IFACE} --dport ${srcport} -j DNAT --to-destination ${host}:${destport}
					${IPTABLES} -t filter -A FORWARD -p udp -d ${host} --dport ${destport} -j ACCEPT
				fi
				echo -n "${rule} "
			}
		}
	done
	echo
fi

# ===============================================
# -------Chain setup before jumping to them------
# ===============================================


# Set up INET chains
echo -n "Setting up INET chains: "
${IPTABLES} -t filter -A INPUT -i ${INET_IFACE} -j INETIN
echo -n "INETIN "
${IPTABLES} -t filter -A OUTPUT -o ${INET_IFACE} -j INETOUT
echo -n "INETOUT "
echo

# For now we'll subject the DMZ to the same rules as the internet when going onto the trusted LAN
# And we'll let it go anywhere on the internet
if [ "$DMZ_IFACE" != "" ] ; then
	echo -n "Setting up DMZ Chains: "
	${IPTABLES} -A OUTPUT -o ${DMZ_IFACE} -j DMZOUT
	echo -n "DMZOUT "
	${IPTABLES} -A INPUT -i ${DMZ_IFACE} -j DMZIN
	echo -n "DMZIN "
	echo
	echo -n "DMZ for LAN Forwarding to INETIN..."
	${IPTABLES} -A DMZOUT -o ${LAN_IFACE} -j INETIN
	echo "done"
	echo -n "DMZ for Internet Forwarding to INETOUT..."
	${IPTABLES} -A DMZOUT -o ${INET_IFACE} -j INETOUT
	echo -n "done"
fi


#These logging chains are valid to specify in DROP= above
#Set up LDROP
echo -n "Setting up drop chains: "
${IPTABLES} -t filter -A LDROP -p tcp -m limit --limit ${LOG_FLOOD} -j LOG --log-level info --log-prefix "TCP Dropped "
${IPTABLES} -t filter -A LDROP -p udp -m limit --limit ${LOG_FLOOD} -j LOG --log-level info --log-prefix "UDP Dropped "
${IPTABLES} -t filter -A LDROP -p icmp -m limit --limit ${LOG_FLOOD} -j LOG --log-level info --log-prefix "ICMP Dropped "
${IPTABLES} -t filter -A LDROP -f -m limit --limit ${LOG_FLOOD} -j LOG --log-level warning --log-prefix "FRAGMENT Dropped "
${IPTABLES} -t filter -A LDROP -j DROP
echo -n "LDROP "

#And LREJECT too (everything, ICMP included, is rejected here)
${IPTABLES} -t filter -A LREJECT -p tcp -m limit --limit ${LOG_FLOOD} -j LOG --log-level info --log-prefix "TCP Rejected "
${IPTABLES} -t filter -A LREJECT -p udp -m limit --limit ${LOG_FLOOD} -j LOG --log-level info --log-prefix "UDP Rejected "
${IPTABLES} -t filter -A LREJECT -p icmp -m limit --limit ${LOG_FLOOD} -j LOG --log-level info --log-prefix "ICMP Rejected "
${IPTABLES} -t filter -A LREJECT -f -m limit --limit ${LOG_FLOOD} -j LOG --log-level warning --log-prefix "FRAGMENT Rejected "
${IPTABLES} -t filter -A LREJECT -j REJECT
echo -n "LREJECT "

#Don't forget TREJECT (tcp-reset for TCP, port-unreachable for UDP, plain DROP for ICMP)
${IPTABLES} -t filter -A TREJECT -p tcp -j REJECT --reject-with tcp-reset
${IPTABLES} -t filter -A TREJECT -p udp -j REJECT --reject-with icmp-port-unreachable
${IPTABLES} -t filter -A TREJECT -p icmp -j DROP
${IPTABLES} -t filter -A TREJECT -j REJECT
echo -n "TREJECT "

#And LTREJECT (same as TREJECT, with logging; ICMP really is dropped here)
${IPTABLES} -t filter -A LTREJECT -p tcp -m limit --limit ${LOG_FLOOD} -j LOG --log-level info --log-prefix "TCP Rejected "
${IPTABLES} -t filter -A LTREJECT -p udp -m limit --limit ${LOG_FLOOD} -j LOG --log-level info --log-prefix "UDP Rejected "
${IPTABLES} -t filter -A LTREJECT -p icmp -m limit --limit ${LOG_FLOOD} -j LOG --log-level info --log-prefix "ICMP Dropped "
${IPTABLES} -t filter -A LTREJECT -f -m limit --limit ${LOG_FLOOD} -j LOG --log-level warning --log-prefix "FRAGMENT Rejected "
${IPTABLES} -t filter -A LTREJECT -p tcp -j REJECT --reject-with tcp-reset
${IPTABLES} -t filter -A LTREJECT -p udp -j REJECT --reject-with icmp-port-unreachable
${IPTABLES} -t filter -A LTREJECT -p icmp -j DROP
${IPTABLES} -t filter -A LTREJECT -j REJECT
echo -n "LTREJECT "

#newline
echo


# Set up the per-proto ACCEPT chains
echo -n "Setting up per-proto ACCEPT: "

# TCPACCEPT
# SYN Flood "Protection"
${IPTABLES} -t filter -A TCPACCEPT -p tcp --syn -m limit --limit ${SYN_FLOOD} -j ACCEPT
${IPTABLES} -t filter -A TCPACCEPT -p tcp --syn -m limit --limit ${LOG_FLOOD} -j LOG --log-prefix "Possible SynFlood "
${IPTABLES} -t filter -A TCPACCEPT -p tcp --syn -j ${DROP}
${IPTABLES} -t filter -A TCPACCEPT -p tcp ! --syn -j ACCEPT
# Log anything that hasn't matched yet and ${DROP} it since it isn't TCP and
# shouldn't be here
${IPTABLES} -t filter -A TCPACCEPT -m limit --limit ${LOG_FLOOD} -j LOG --log-prefix "Mismatch in TCPACCEPT "
${IPTABLES} -t filter -A TCPACCEPT -j ${DROP}
echo -n "TCPACCEPT "

#UDPACCEPT
${IPTABLES} -t filter -A UDPACCEPT -p udp -j ACCEPT
# Log anything not UDP and ${DROP} it since it's not supposed to be here
${IPTABLES} -t filter -A UDPACCEPT -m limit --limit ${LOG_FLOOD} -j LOG --log-prefix "Mismatch on UDPACCEPT "
${IPTABLES} -t filter -A UDPACCEPT -j ${DROP}
echo -n "UDPACCEPT "

#Done
echo


# ===============================================
# --------------Apply configuration--------------
# ===============================================

#Blackholes will not be overridden by hostwise allows
if [ "$BLACKHOLE" != "" ] ; then
	echo -n "Blackholes: "
	for host in ${BLACKHOLE} ; do
		${IPTABLES} -t filter -A INETIN -s ${host} -j ${BLACKHOLE_DROP}
		${IPTABLES} -t filter -A INETOUT -d ${host} -j ${BLACKHOLE_DROP}
		echo -n "${host} "
	done
	echo
fi

#Hostwise allows (to bypass explicit denies)
if [ "$ALLOW_HOSTWISE_TCP" != "" ] ; then
	echo -n "Hostwise TCP Allows: "
	for rule in ${ALLOW_HOSTWISE_TCP} ; do
		echo "$rule" | {
			IFS='>' read  host port
			${IPTABLES} -t filter -A INETIN -p tcp -s ${host} --dport ${port} -j ACCEPT
			echo -n "${rule} "
		}
	done
	echo
fi

if [ "$ALLOW_HOSTWISE_UDP" != "" ] ; then
	echo -n "Hostwise UDP Allows: "
	for rule in ${ALLOW_HOSTWISE_UDP} ; do
		echo "$rule" | {
			IFS='>' read  host port
			${IPTABLES} -t filter -A INETIN -p udp -s ${host} --dport ${port} -j ACCEPT
			echo -n "${rule} "
		}
	done
	echo
fi

# =================================================
# ----------------Explicit Denies------------------
# =================================================



if [ "$DENY_ALL" != "" ] ; then
	echo -n "Denying hosts: "
	for host in ${DENY_ALL} ; do
		${IPTABLES} -t filter -A INETIN -s ${host} -j ${DROP}
		echo -n "${host}:${DROP}"
	done
	echo
fi

if [ "$DENY_HOSTWISE_TCP" != "" ] ; then
	echo -n "Hostwise TCP Denies: "
	for rule in ${DENY_HOSTWISE_TCP} ; do
		echo "$rule" | {
			IFS='>' read host port
			${IPTABLES} -t filter -A INETIN -p tcp -s ${host} --dport ${port} -j ${DROP}
			echo -n "${rule} "
		}
	done
	echo
fi

if [ "$DENY_HOSTWISE_UDP" != "" ] ; then
	echo -n "Hostwise UDP Denies: "
	for rule in ${DENY_HOSTWISE_UDP} ; do
		echo "$rule" | {
			IFS='>' read host port
			${IPTABLES} -t filter -A INETIN -p udp -s ${host} --dport ${port} -j ${DROP}
			echo -n "${rule} "
		}
	done
	echo
fi

#Invalid packets are always annoying
echo -n "${DROP}ing invalid packets..."
${IPTABLES} -t filter -A INETIN -m state --state INVALID -j ${DROP}
echo "done"


# ================================================================
# ------------Allow stuff we have chosen to allow in--------------
# ================================================================

# Flood "security"
# You'll still respond to these if they comply with the limits (set in
config)
# There is a more elegant way to set this using sysctl, however this has the
# 	advantage that the kernel ICMP stack never has to process it, lessening
#	the chance of a very serious flood overloading your kernel.
# This is just a packet limit, you still get the packets on the interface
and
#    still may experience lag if the flood is heavy enough
echo -n "Flood limiting: "
# Ping Floods (ICMP echo-request)
${IPTABLES} -t filter -A INETIN -p icmp --icmp-type echo-request -m
limit --limit ${PING_FLOOD} -j ACCEPT
${IPTABLES} -t filter -A INETIN -p icmp --icmp-type echo-request -j ${DROP}
echo -n "ICMP-PING "
echo

# Probably shouldn't let em all back in, someone give me a good list of the
#	WORTHWHILE ICMP messages.
echo -n "Allowing the rest of the ICMP messages in..."
${IPTABLES} -t filter -A INETIN -p icmp --icmp-type ! echo-request -j ACCEPT
echo "done"

if [ "$TCP_ALLOW" != "" ] ; then
	echo -n "TCP Input Allow: "
	for port in ${TCP_ALLOW} ; do
		${IPTABLES} -t filter -A INETIN -p tcp --dport ${port} -j TCPACCEPT
		echo -n "${port} "
	done
	echo
fi

if [ "$UDP_ALLOW" != "" ] ; then
	echo -n "UDP Input Allow: "
	for port in ${UDP_ALLOW} ; do
		${IPTABLES} -t filter -A INETIN -p udp --dport ${port} -j UDPACCEPT
		echo -n "${port} "
	done
	echo
fi

echo -n "Allowing established outbound connections back in..."
${IPTABLES} -t filter -A INETIN -m state --state ESTABLISHED -j ACCEPT
echo "done"

# RELATED on high ports only for security
echo -n "Allowing related inbound connections..."
${IPTABLES} -t filter -A INETIN -p tcp --dport 1024:65535 -m state --state RELATED -j TCPACCEPT
${IPTABLES} -t filter -A INETIN -p udp --dport 1024:65535 -m state --state RELATED -j UDPACCEPT
echo "done"


# =================================================
# ----------------Packet Mangling------------------
# =================================================


# TTL mangling
# This is probably just for the paranoid, but hey, isn't that what
#	all security guys are? :)
if [ "$TTL_SAFE" != "" ] ; then
	${IPTABLES} -t mangle -A PREROUTING -i ${INET_IFACE} -j TTL --ttl-set ${TTL_SAFE}
fi

# Type of Service mangle optimizations (the ACTIVE FTP one will only work for uploads)
if [ "$MANGLE_TOS_OPTIMIZE" = "TRUE" ] ; then
	echo -n "Optimizing traffic: "
	${IPTABLES} -t mangle -A OUTPUT -p tcp --dport 23 -j TOS --set-tos Minimize-Delay
	echo -n "telnet "
	${IPTABLES} -t mangle -A OUTPUT -p tcp --dport 22 -j TOS --set-tos Minimize-Delay
	echo -n "ssh "
	${IPTABLES} -t mangle -A OUTPUT -p tcp --dport 20 -j TOS --set-tos Minimize-Cost
	echo -n "ftp-data "
	${IPTABLES} -t mangle -A OUTPUT -p tcp --dport 21 -j TOS --set-tos Minimize-Delay
	echo -n "ftp-control "
	${IPTABLES} -t mangle -A OUTPUT -p udp --dport 4000:7000 -j TOS --set-tos Minimize-Delay
	echo -n "diablo2 "
	echo
fi

#What to do on those INET chains when we hit the end
echo -n "Setting up INET policies: "
#Drop if we can't find a valid inbound rule.
${IPTABLES} -t filter -A INETIN -j ${DROP}
echo -n "INETIN:${DROP} "
#We can send what we want to the internet
${IPTABLES} -t filter -A INETOUT -j ACCEPT
echo -n "INETOUT:ACCEPT "
echo

#All done!
echo "Done loading the firewall!"

Anyone have an idea?

David
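Added diagnostic example, not part of David's post and not MonMotha's code: after a kernel upgrade, one thing worth checking is whether the new kernel still provides every netfilter match and target the script relies on (the -m limit and -m state matches, the LOG, REJECT, TOS and TTL targets, the mangle and nat tables). Any iptables command that references a match or target the running kernel lacks fails with "No chain/target/match by that name", and the rest of the script carries on with a partially loaded rule set. The script below takes unwrapped iptables rules (SAMPLE_RULES is constructed here in the style of the rules above; the mail wrapping in the post has to be undone first), lists the kernel modules they need, and reports which ones have no object file in a modules directory. The function names (rule_modules, required_modules, missing_modules) and the filename in the usage comment are mine; the module names are the 2.4-era ipt_*/iptable_* names, which is an assumption matching the period of the post, since 2.6.16 and later kernels renamed most matches and targets to xt_*.

```shell
#!/bin/sh
# Added example, not part of the post or of MonMotha's script.
# Lists the netfilter kernel modules that a set of iptables rules needs and
# reports which are missing from a modules directory.  Useful after a kernel
# upgrade: an iptables command whose match (-m) or target (-j) module is not
# available fails with "No chain/target/match by that name".
#
# Module names below are the 2.4-era ipt_*/iptable_* names (an assumption;
# 2.6.16 and later kernels renamed most matches and targets to xt_*).

# Constructed sample rules, modelled on the style of the script above.
# Each rule must be on a single line (the mail wrapping in the post splits
# rules across lines; join them before feeding a real script in).
SAMPLE_RULES='${IPTABLES} -t filter -A LDROP -p tcp -m limit --limit ${LOG_FLOOD} -j LOG --log-level info --log-prefix "TCP Dropped "
${IPTABLES} -t filter -A TREJECT -p tcp -j REJECT --reject-with tcp-reset
${IPTABLES} -t filter -A INETIN -m state --state ESTABLISHED -j ACCEPT
${IPTABLES} -t mangle -A PREROUTING -i ${INET_IFACE} -j TTL --ttl-set ${TTL_SAFE}
${IPTABLES} -t mangle -A OUTPUT -p tcp --dport 22 -j TOS --set-tos Minimize-Delay
${IPTABLES} -t nat -A POSTROUTING -o ${INET_IFACE} -j MASQUERADE'

# rule_modules RULE: print one module name per line for a single rule,
# derived from its table (-t), match extensions (-m) and target (-j).
# Rules that use only built-in matches and targets print nothing.
rule_modules() {
    printf '%s\n' "$1" | awk '
    {
        for (i = 1; i < NF; i++) {
            opt = $i; arg = $(i + 1)
            if (opt == "-t" && arg == "nat")        { print "iptable_nat"; print "ip_conntrack" }
            if (opt == "-t" && arg == "mangle")     print "iptable_mangle"
            if (opt == "-m" && arg == "limit")      print "ipt_limit"
            if (opt == "-m" && arg == "state")      { print "ipt_state"; print "ip_conntrack" }
            if (opt == "-j" && arg == "LOG")        print "ipt_LOG"
            if (opt == "-j" && arg == "REJECT")     print "ipt_REJECT"
            if (opt == "-j" && arg == "TOS")        print "ipt_TOS"
            if (opt == "-j" && arg == "TTL")        print "ipt_TTL"
            if (opt == "-j" && arg == "MASQUERADE") print "ipt_MASQUERADE"
        }
    }'
}

# required_modules RULES: de-duplicated, sorted module list for a rule set
# given as newline-separated rules.
required_modules() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        rule_modules "$line"
    done | sort -u
}

# missing_modules MODULES DIR: print each module from the newline-separated
# list that has neither a .o (2.4) nor a .ko (2.6) object file in DIR,
# e.g. DIR=/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter
missing_modules() {
    printf '%s\n' "$1" | while IFS= read -r mod; do
        [ -n "$mod" ] || continue
        if [ ! -e "$2/$mod.o" ] && [ ! -e "$2/$mod.ko" ]; then
            printf '%s\n' "$mod"
        fi
    done
}

# Usage (hypothetical filename): sh check_modules.sh /path/to/firewall.sh
# Prints the modules the script needs that the running kernel's tree lacks.
if [ $# -eq 1 ] && [ -f "$1" ]; then
    missing_modules "$(required_modules "$(cat "$1")")" \
        "/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter"
fi
```

A module listed as missing is a prompt to look at the new kernel's configuration rather than proof of a problem: a match or target compiled into the kernel rather than built as a loadable module has no object file at all, and the table above only knows the extensions used in this script, so any others (for example port forwarding in the nat table earlier in the script) would need their own entries.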