Networker Отговорено 15 Декември, 2013 Доклад Сподели Отговорено 15 Декември, 2013 Попаднах на една руска статия "http://habrahabr.ru/post/110616/", в която описват метод за създаване на високо производителен щейпър. Не ми стана ясна основната идея, но разбрах само че използват "Fast u32 hashing filter generator" - "http://vcalinus.gemenii.ro/?p=9", който създава U32 хеш филтър за много бързо мачване. Автора на статията твърди, че подобен шейпър може да обслужва над 5К потребители. Предполагам, че това е метода, за който ми каза нашия администратор. На прав път си, по-горе ти загатнах за U32. Остана да удариш едно четене + тестове и си почти готов. Получаваш нужната производителност, без да бягаш на BSD. За 5k users не знам, но на ~3k е тестван и до последно работеше. “...ние, можещите водени от незнаещите, вършим невъзможното за кефа на неблагодарните. И сме направили толкова много, с толкова малко, за толкова дълго време, че сме се квалифицирали да правим всичко от нищо...”, Константин Йозеф Иречек, 13.12.1881 г. Адрес на коментара Сподели в други сайтове More sharing options...
Администратор Самуил Арсов Отговорено 16 Декември, 2013 Администратор Доклад Сподели Отговорено 16 Декември, 2013 u32 не е по лек от IPMARK но това няма кой знае какво значение защото виждам разговора отива в съвсем друга посока. Бройката на потребителите не е най важния параметър в един рутер и въобще не трябва да се смята за мерило колко е як един маршрутизатор. Преди въобще да стигнем до шейпъра трябва да си изясним няколко неща ! Какъв брой на пакети в секунда ще преминават през този рутер ................................................pps С каква големина пакети в секунда ще преминават през този рутер ...........................................64, 512, 1024, 2048, 4096 Как ще се държи рутера на преминаващи много пакети с различна големина ..........................pps bot колко конекции ще държи в conntrack таблицата рутера ..............................................................connection колко конекции за колко време може да ги държи .........................................................................connection timeout колко трафик ще завърта рутера ....................................................................................................Mbits/sec За 5000 потребителя по 20Mbits, 1000 pps и 512 byte на пакет средно хайде 3000 от тях да са онлайн сметката излиза сериозна. Тук сега е моя въпрос: - На каква X86 архитектура ще разчитате, какви мрежови карти, какъв, CPU, RAM, чипсет и така нататък ? https://itservice-bg.net Адрес на коментара Сподели в други сайтове More sharing options...
Networker Отговорено 16 Декември, 2013 Доклад Сподели Отговорено 16 Декември, 2013 Така ще влезем в съвсем други теми - хардуер и сървърна организация да го наречем. Вариантите са много - всеки си го решава както иска - колко потребителя да има на 1 GW, какво ще върти gateway-а, как ще се балансира load-а на машините/скоростите и прочие. Ако наистина се гони обслужване на над 1k users на една машина (което не е много хитро на база възможен срив на същата и xxx users без нет) то проблема с хардуера ще го има на каквато и друга OS да си. С трици маймуни не се ловят, искаш производителност, бъркаш се за хардуер. “...ние, можещите водени от незнаещите, вършим невъзможното за кефа на неблагодарните. И сме направили толкова много, с толкова малко, за толкова дълго време, че сме се квалифицирали да правим всичко от нищо...”, Константин Йозеф Иречек, 13.12.1881 г. Адрес на коментара Сподели в други сайтове More sharing options...
Администратор 111111 Отговорено 16 Декември, 2013 Администратор Доклад Сподели Отговорено 16 Декември, 2013 То ако ще да се бъркаш за по евтин хардуер винаги може да се организира VRRP Харесай поста ^^^ Форумът е за взаимопомощ а не за свършване на чужда работа ɹɐǝɥ uɐɔ noʎ ǝɹoɯ ǝɥʇ 'ǝɯoɔǝq noʎ ɹǝʇǝınb ǝɥʇ Адрес на коментара Сподели в други сайтове More sharing options...
Администратор kokaracha Отговорено 16 Декември, 2013 Администратор Доклад Сподели Отговорено 16 Декември, 2013 Абе не е толкова страшно,а и няма много за мислене и сравнения ( в съотношение пройзводителност/порт/цена) в тоя диапазон . От моя гледна точка Е3-12хх / E5-26хх на X9SCх/X9SRх/ с STGN-i2S / dual-quad port Chelsio 10GbE Fibre се вписват в общата картинка. Use since OpenBSD 3.x FreeBSD 4.x Centos 5.x Debian 3.x Ubuntu 7.x Аз съм фен на OpenWRT. Горчивината от лошото качество остава дълго след като е преминало удоволствието от ниската цена. _____________________________ ___|____|____|____|____|____|__ _|____|____|____|____|____|____ ___|____|_ Удряй _|____|____|__ _|____|___ главата ___|____|____ ___|____|_ си тук!! |____|____|__ _|____|____|____|____|____|____ ___|____|____|____|____|____|__ Адрес на коментара Сподели в други сайтове More sharing options...
SubmitBG Отговорено 16 Декември, 2013 Доклад Сподели Отговорено 16 Декември, 2013 Малко размисли и скромни сметки.. За последните 3-4 години скоростите и цените на домашните абонати на лан интернет доставчиците почти не са се променили, но за сметка на това цените на хардуера падат с всеки ден.. Не мисля, че при съвременния "мощен" хардуер има нужда от месеци изгубени в оптимизации и това дали ще се ползва BSD, Linux, Mikrotik и себеподобните също е без значение. С годините всеки си е "привикнал" към определена OS и е нормално да си я "хвали" и държи на нея. Още повече щом нещо е направено един път и работи добре - не се пипа! Иначе и аз в момента чакам да пристигнат две бройки http://ark.intel.com/products/75279/ за да сменят сегашните E5-2600, които вечер стигат 70-75% натоварване.. Ако е лесно, не е интересно Адрес на коментара Сподели в други сайтове More sharing options...
Администратор Велин Отговорено 17 Декември, 2013 Администратор Доклад Сподели Отговорено 17 Декември, 2013 от колегата подсказка ... for i in {1..7}; do $tc filter add dev eth1 parent 1:0 prio 10 handle ${i}: protocol ip u32 divisor 256 done $tc filter add dev eth1 parent 1:0 protocol ip prio 10 u32 ht 8:$[i]: match ip dst 192.168.${i}.0/24 hashkey mask 0x000000ff at 16 link $i: done $tc filter add dev eth1 parent 1:0 protocol ip prio 100 u32 ht 800:: match ip dst 192.168.0.0/21 hashkey mask 0x00000700 at 16 link 8: $tc class add dev eth1 parent 1:1000 classid 1:${z} htb rate 100kbit ceil 35mbit burst 1600kb cburst 1600kb $tc qdisc add dev eth1 parent 1:${z} handle ${z}: sfq perturb 10 $tc filter add dev eth1 protocol ip parent 1:0 prio 100 u32 ht ${i}:${hy}: match ip tos 0x20 0xff match ip dst 192.168.${i}.${y} flowid 1:${z} $tc class add dev eth1 parent 1:3000 classid 1:${x} htb rate 28kbit ceil 10mbit burst 1600kb cburst 1600kb $tc qdisc add dev eth1 parent 1:${x} handle ${x}: sfq perturb 10 $tc filter add dev eth1 protocol ip parent 1:0 prio 100 u32 ht ${i}:${hy}: match ip tos 0x40 0xff match ip dst 192.168.${i}.${y} flowid 1:${x} Не отговарям на постове написани с шльокавица! Адрес на коментара Сподели в други сайтове More sharing options...
Тодор Лазаров Отговорено 17 Декември, 2013 Доклад Сподели Отговорено 17 Декември, 2013 Малко размисли и скромни сметки.. За последните 3-4 години скоростите и цените на домашните абонати на лан интернет доставчиците почти не са се променили, но за сметка на това цените на хардуера падат с всеки ден.. Не мисля, че при съвременния "мощен" хардуер има нужда от месеци изгубени в оптимизации и това дали ще се ползва BSD, Linux, Mikrotik и себеподобните също е без значение. С годините всеки си е "привикнал" към определена OS и е нормално да си я "хвали" и държи на нея. Още повече щом нещо е направено един път и работи добре - не се пипа! Иначе и аз в момента чакам да пристигнат две бройки http://ark.intel.com/products/75279/ за да сменят сегашните E5-2600, които вечер стигат 70-75% натоварване.. тези 70-75 % при какъв трафик и колко pps, и каква OC Адрес на коментара Сподели в други сайтове More sharing options...
Balthazar Отговорено 18 Декември, 2013 Доклад Сподели Отговорено 18 Декември, 2013 Тая тема вярно се превърна на ЦСК vs Левски кво има толкова да делите едното Unix OS другото Unix Based OS Фен съм на FreeBSD но в последно време започвам все повече да се замислям защо все повече водещи компании производители на Мрежова Техника набиват нещата си върху основа с Линукски kernel а не на БСД.. Адрес на коментара Сподели в други сайтове More sharing options...
Тодор Лазаров Отговорено 18 Декември, 2013 Доклад Сподели Отговорено 18 Декември, 2013 (Редактирано) Тая тема вярно се превърна на ЦСК vs Левски кво има толкова да делите едното Unix OS другото Unix Based OS Фен съм на FreeBSD но в последно време започвам все повече да се замислям защо все повече водещи компании производители на Мрежова Техника набиват нещата си върху основа с Линукски kernel а не на БСД.. лиценза на linux e GPL Запазване на кодът, който се разпространява под него, винаги свободен. Това всъщност е основната разлика между лиценза БиЕсДи и лиценза ДжиПиЕл. Гарантиране авторските права на автора и запазване на репутацията му. Редактирано 18 Декември, 2013 от Тодор Лазаров Адрес на коментара Сподели в други сайтове More sharing options...
mysticall Отговорено 19 Декември, 2013 Автор Доклад Сподели Отговорено 19 Декември, 2013 Фен съм на FreeBSD но в последно време започвам все повече да се замислям защо все повече водещи компании производители на Мрежова Техника набиват нещата си върху основа с Линукски kernel а не на БСД.. Интересна констатация. Трябва първо да се разгледат продуктите на тези компании, които се предлагат с линукс или работят и с линукс, и за кой пазарен дял са насочени. Едвали има някой, който да се занимава малко по-сериозно с мрежи и да не може да работи с линукс или поне да е чувал за него. По-голяма част от потребителите първо се запознават и свикват да работят с линукс, за сметка на BSD, който остава на заден план. Не искам да поценявам факта, че линукс се развива много по-бързо от BSD и е по-атрактивен за използване на домашните компютри. Както Тодор Лазаров спомена, лиценза също е от значение. Факт е че много повече хора използват и разработват линукс в сравнение с BSD. Ако рагледаме домашните рутери, за които компаниите нямат интерес и немогат да вземат допълнителни пари за софтуера, а искат само да продадат продукта си, съвсем нормално е да изберат линукс. При положение, че вече голяма част от работата е свършена в проекти като http://www.dd-wrt.com/site/index, защо да се занимават тепърва да създават нещо тяхно базирано на BSD. Продукта им също би се търсел от ентусиасти, ако работи с DD-WRT. Мисля си, че когато става въпрос за нещо комерсиално и за развитие в дългосрочен план везните клонят към BSD. http://en.wikipedia.org/wiki/List_of_products_based_on_FreeBSD - интересен списък на продукти базирани на FreeBSD. BSD лиценза позволява да направите промени и да затворите кода. Поради тази причина според мен е напълно нормално корпорации като Juniper Networks и продукта им JUNOS да бъде базиран на FreeBSD. Подобряват кода и го затварят, за да няма автогол. В този случай усилията за разработка на кода са напълно оправдани, понеже клиентите плащат допълнителни пари за софтуера. Помислете дали на Red Hat им е приятно, когато от CentOS прекомпилират пакетите с техните кръпки и предлагат безплатена алтернатива на Red Hat Enterprise Linux. Адрес на коментара Сподели в други сайтове More sharing options...
Администратор Самуил Арсов Отговорено 19 Декември, 2013 Администратор Доклад Сподели Отговорено 19 Декември, 2013 (Редактирано) @mysticall в BSD я няма функционалноста на iptables и tc домашните компютри нямат нищо общо (говорим за рутери) лиценза има значение разбира се но не е наш проблем а техен (на алчните хамериканци) домашните рутери или така наречения SOHO пазар са независими проекти без Linksys/Sisco бозата VxWorks (всичко останало е Linux) JunOS е операционна система която управлява рутинг машината на Juniper Router, тя играе ролята на интерфейс и не рутира реално трафика. JunOS не е операционна система със затворен код, което прави чест на разработиците и но и това има логика. Red Hat е единствената Linux компания която печели от support в света без да има спонсори а CentOS е нейното community. Редактирано 19 Декември, 2013 от samyil https://itservice-bg.net Адрес на коментара Сподели в други сайтове More sharing options...
Администратор 111111 Отговорено 19 Декември, 2013 Администратор Доклад Сподели Отговорено 19 Декември, 2013 Никой не каза нищо за хибрида Debian GNU/kFreeBSD Харесай поста ^^^ Форумът е за взаимопомощ а не за свършване на чужда работа ɹɐǝɥ uɐɔ noʎ ǝɹoɯ ǝɥʇ 'ǝɯoɔǝq noʎ ɹǝʇǝınb ǝɥʇ Адрес на коментара Сподели в други сайтове More sharing options...
Администратор kokaracha Отговорено 19 Декември, 2013 Администратор Доклад Сподели Отговорено 19 Декември, 2013 @samyil Коя функционалност я няма и коя я има в сравнение с iptables и tc,като имаш предвид че имаш на разположение pf,ipf,ipfw и техните функционалности . Use since OpenBSD 3.x FreeBSD 4.x Centos 5.x Debian 3.x Ubuntu 7.x Аз съм фен на OpenWRT. Горчивината от лошото качество остава дълго след като е преминало удоволствието от ниската цена. _____________________________ ___|____|____|____|____|____|__ _|____|____|____|____|____|____ ___|____|_ Удряй _|____|____|__ _|____|___ главата ___|____|____ ___|____|_ си тук!! |____|____|__ _|____|____|____|____|____|____ ___|____|____|____|____|____|__ Адрес на коментара Сподели в други сайтове More sharing options...
Администратор Самуил Арсов Отговорено 19 Декември, 2013 Администратор Доклад Сподели Отговорено 19 Декември, 2013 #!/bin/sh # # firewall Firewall startup/shutdown script # # Version: @(#) /etc/init.d/firewall.iptables 01-August-2010 # # # Translated to iptables format, with many additions and modifications, # from Craig Zeller's (zeller@fatpenguin.com) ipchains-based firewall script, by # Bob Sully (rcs@malibyte.net) # # Thanks to Jeff Carlson (jeff@ultimateevil.org) for his assistance re: DHCP and several other issues, # Rohan Amin (rohan@rohanamin.com) and Erik Wasser (erik.wasser@iquer.com) for help with the port-forwarding # routine, and Chris Fincham for his work on the PPTP client routine. # # Latest revision: 01-August-2010 # # chkconfig: 345 11 91 # # description: IP Firewall startup/shutdown script for iptables # # probe: true # # # CONSTANTS - Do not edit # ANYWHERE="0.0.0.0/0" # Match any IP address BROADCAST_SRC="0.0.0.0" # Broadcast Source Address BROADCAST_DEST="255.255.255.255" # Broadcast Destination Address CLASS_A="10.0.0.0/8" # Class-A Private (RFC-1918) Networks CLASS_B="172.16.0.0/12" # Class-B Private (RFC-1918) Networks CLASS_C="192.168.0.0/16" # Class-C Private (RFC-1918) Networks CLASS_D_MULTICAST="224.0.0.0/4" # Class-D Multicast Addresses CLASS_E_RESERVED_NET="240.0.0.0/5" # Class-E Reserved Addresses PRIVPORTS="0:1023" # Well-Known, Privileged Port Range UNPRIVPORTS="1024:65535" # Unprivileged Port Range TRACEROUTE_SRC_PORTS="32769:65535" # Traceroute Source Ports TRACEROUTE_DEST_PORTS="33434:33523" # Traceroute Destination Ports # # The Loopback interface defines should not be # edited unless your Linux distribution defines # these differently. # LOOPBACK_INTERFACE="lo" # The loopback interface LOOPBACK_NETWORK="127.0.0.0/8" # Reserved Loopback Address Range ####################################################################### # # # Notes for those running Debian or its derivatives (Ubuntu, etc.): # # # # (1) Delete or comment out the following lines: # # # ## # ## Source function library. # ## # # . /etc/rc.d/init.d/functions # # # # (2) As root, mkdir /var/lock/subsys # # # ####################################################################### ## ## Source function library. ## #. /etc/rc.d/init.d/functions # # See how we were called. # case "$1" in start) echo "Starting Firewall services" echo "firewall: Configuring Firewall Rules using iptables" # Remove any existing rules from all chains iptables -F iptables -F -t nat iptables -F -t mangle # Remove any pre-existing user-defined chains iptables -X iptables -X -t nat iptables -X -t mangle # Zero counts iptables -Z # Set the default policy to drop iptables -P INPUT DROP iptables -P OUTPUT DROP iptables -P FORWARD DROP # Allow unlimited traffic on the loopback interface iptables -A INPUT -i $LOOPBACK_INTERFACE -j ACCEPT iptables -A OUTPUT -o $LOOPBACK_INTERFACE -j ACCEPT # A bug that showed up as of the Red Hat 7.2 release results in # the following 5 default policies breaking the firewall # initialization: # fgrep -q '7.2' /etc/redhat-release # if [ $? -ne 0 ] ; then # iptables -t nat -P PREROUTING DROP # iptables -t nat -P OUTPUT DROP # iptables -t nat -P POSTROUTING DROP # iptables -t mangle -P PREROUTING DROP # iptables -t mangle -P OUTPUT DROP # fi # Open the configuration file if [ -f /etc/firewall/firewall.conf.iptables ]; then . /etc/firewall/firewall.conf.iptables else # Turn off IP Forwarding & Masquerading echo 0 >/proc/sys/net/ipv4/ip_forward # Turn off dynamic IP hacking echo "0" > /proc/sys/net/ipv4/ip_dynaddr echo "firewall: No configuration file found at /etc/firewall/firewall.conf.iptables; " echo "firewall: default policies set to DROP on INPUT/OUTPUT/FORWARD chains." exit 1 fi # # If your IP address is dynamically assigned by a DHCP server, # your DHCP server's IP address and this machine's IP address are # obtained from /etc/dhcpc/hostinfo-$EXTERNAL_INTERFACE or # /etc/dhcpc/dhcpcd-$EXTERNAL_INTERFACE.info. # if [ $DHCP -gt 0 ]; then # Grab external IP address if already assigned EXTERNAL_IP=$( ifconfig $EXTERNAL_INTERFACE | grep 'inet[^6]' | sed 's/[a-zA-Z:]//g' | awk '{print $1}' ) if [ -n $EXTERNAL_IP ]; then EXT_NETMASK=$( ifconfig $EXTERNAL_INTERFACE | grep 'inet[^6]' | sed 's/[a-zA-Z:]//g' | awk '{print $3}' ) # For RedHat, Mandrake, etc. #EXTERNAL_NETWORK=$( ipcalc -n $EXTERNAL_IP $EXT_NETMASK | cut -d= -f2 ) #BROADCAST_NET=$( ipcalc -b $EXTERNAL_IP $EXT_NETMASK | cut -d= -f2 ) # For Debian/Ubuntu, etc.: EXTERNAL_NETWORK=$( ipcalc -n $EXTERNAL_IP $EXT_NETMASK | grep Network | sed 's//[0-9].*//g' | awk '{print $2}' ) BROADCAST_NET=$( ifconfig $EXTERNAL_INTERFACE | grep 'inet[^6]' | sed 's/[a-zA-Z:]//g' | awk '{print $2}' ) fi # Turn on dynamic IP hacking echo "1" > /proc/sys/net/ipv4/ip_dynaddr # Incoming DHCPOFFER from available DHCP servers iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp -s 0.0.0.0 --sport 67 -d 255.255.255.255 --dport 68 -j ACCEPT # Initialization of rebinding: No lease or Lease time expired. iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p udp -s 0.0.0.0 --sport 68 -d 255.255.255.255 --dport 67 -j ACCEPT # Fall back to initialization # The client knows its server, but has either lost its # lease, or else needs to reconfirm the IP address after # rebooting. iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp -s $DHCP_SERVER_IP --sport 67 -d 255.255.255.255 --dport 68 -j ACCEPT iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p udp -s 255.255.255.255 --sport 68 -d $DHCP_SERVER_IP --dport 67 -j ACCEPT # As a result of the above, we're supposed to change our IP # address with this message, which is addressed to our new # address before the dhcp client has received the update. # Depending on the server implementation, the destination # address can be the new IP address, the subnet address, or # the limited broadcast address. # If the network subnet address is used as the destination, # the next rule must allow incoming packets destined to the # subnet address, and the rule must preceed any general rules # that block such incoming broadcast packets. iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp -s $DHCP_SERVER_IP --sport 67 --dport 68 -j ACCEPT # Lease renewal iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp -s $DHCP_SERVER_IP --sport 67 -d $EXTERNAL_IP --dport 68 -j ACCEPT iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p udp -s $EXTERNAL_IP --sport 68 -d $DHCP_SERVER_IP --dport 67 -j ACCEPT echo "firewall: DHCP Client configured" else # External IP assigned without DHCP (i.e. static); get netmask EXT_NETMASK=$( ifconfig $EXTERNAL_INTERFACE | grep 'inet[^6]' | sed 's/[a-zA-Z:]//g' | awk '{print $3}' ) fi # # Refuse directed broadcasts; you may choose not to log these, as they can fill up your logs quickly # # iptables -A INPUT -i $EXTERNAL_INTERFACE -d $EXTERNAL_NETWORK # -m limit --limit 1/s # -j LOG --log-prefix "[Directed Broadcast] " iptables -A INPUT -i $EXTERNAL_INTERFACE -d $EXTERNAL_NETWORK -j DROP # iptables -A INPUT -i $EXTERNAL_INTERFACE -d $BROADCAST_NET # -m limit --limit 1/s # -j LOG --log-prefix "[Directed Broadcast] " iptables -A INPUT -i $EXTERNAL_INTERFACE -d $BROADCAST_NET -j DROP # Refuse limited broadcasts # iptables -A INPUT -i $EXTERNAL_INTERFACE -d 255.255.255.255 # -m limit --limit 1/s # -j LOG --log-prefix "[Limited Broadcast] " iptables -A INPUT -i $EXTERNAL_INTERFACE -d 255.255.255.255 -j DROP # # Edit these to match the number of servers or connections # you support. # # X Window port allocation begins at 6000 and increments # for each additional server running from 6000 to 6063. XWINDOW_PORTS="6000:6063" # (TCP) X Windows # SSH starts at 1023 and works down to 513 for each additional # simultaneous incoming connection. SSH_HI_PORTS="513:1023" # SSH Simultaneous Connections # # Iptables allows creation of customized chains. The -l (log) flag no longer # exists. This is a custom chain which allows logging of DROPped packets. # iptables -N LnD # Define custom DROP chain iptables -A LnD -p tcp -m limit --limit 1/s -j LOG --log-prefix "[TCP drop] " --log-level=info iptables -A LnD -p udp -m limit --limit 1/s -j LOG --log-prefix "[UDP drop] " --log-level=info iptables -A LnD -p icmp -m limit --limit 1/s -j LOG --log-prefix "[ICMP drop] " --log-level=info iptables -A LnD -f -m limit --limit 1/s -j LOG --log-prefix "[FRAG drop] " --log-level=info iptables -A LnD -j DROP # # This custom chain logs, then REJECTs packets. # iptables -N LnR # Define custom REJECT chain iptables -A LnR -p tcp -m limit --limit 1/s -j LOG --log-prefix "[TCP reject] " --log-level=info iptables -A LnR -p udp -m limit --limit 1/s -j LOG --log-prefix "[UDP reject] " --log-level=info iptables -A LnR -p icmp -m limit --limit 1/s -j LOG --log-prefix "[ICMP reject] " --log-level=info iptables -A LnR -f -m limit --limit 1/s -j LOG --log-prefix "[FRAG reject] " --log-level=info iptables -A LnR -j REJECT # # This chain logs, then DROPs "Xmas" and Null packets which might indicate a port-scan attempt # iptables -N ScanD # Define custom chain for possible port-scans iptables -A ScanD -p tcp -m limit --limit 1/s -j LOG --log-prefix "[TCP Scan?] " iptables -A ScanD -p udp -m limit --limit 1/s -j LOG --log-prefix "[UDP Scan?] " iptables -A ScanD -p icmp -m limit --limit 1/s -j LOG --log-prefix "[ICMP Scan?] " iptables -A ScanD -f -m limit --limit 1/s -j LOG --log-prefix "[FRAG Scan?] " iptables -A ScanD -j DROP # # This chain limits the number of new incoming connections to limit the effectiveness of DDoS attacks # iptables -N DDoS # Define custom chain for possible DDoS attack or SYN-flood scan iptables -A DDoS -m limit --limit 1/s --limit-burst 10 -j RETURN # Comment the next line out if you don't want to fill up your logs with these. #iptables -A DDoS -j LOG --log-prefix "[DOS Attack/SYN Scan?] " iptables -A DDoS -j DROP # ipv6 traffic - allows ONLY icmp and established/related and loopback traffic on ipv6 ip6tables -A INPUT -i $LOOPBACK_INTERFACE -j ACCEPT ip6tables -A INPUT -p icmpv6 -i $EXTERNAL_INTERFACE -j ACCEPT ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT ip6tables -A INPUT -j DROP echo "firewall: allowing ONLY icmp and established/related and loopback traffic on ipv6" # # This chain drops connections from IANA reserved IP blocks # iptables -N IANA iptables -A IANA -p tcp -m limit --limit 1/s -j LOG --log-prefix "[IANA Reserved - TCP] " --log-level=info iptables -A IANA -p udp -m limit --limit 1/s -j LOG --log-prefix "[IANA Reserved - UDP] " --log-level=info iptables -A IANA -p icmp -m limit --limit 1/s -j LOG --log-prefix "[IANA Reserved - ICMP] " --log-level=info iptables -A IANA -f -m limit --limit 1/s -j LOG --log-prefix "[IANA Reserved - FRAG] " --log-level=info iptables -A IANA -j DROP # # This chain drops connections from IPs in the firewall.banned file # iptables -N Banned iptables -A Banned -p tcp -m limit --limit 1/s -j LOG --log-prefix "[TCP Banned] " --log-level=info iptables -A Banned -p udp -m limit --limit 1/s -j LOG --log-prefix "[UDP Banned] " --log-level=info iptables -A Banned -p icmp -m limit --limit 1/s -j LOG --log-prefix "[ICMP Banned] " --log-level=info iptables -A Banned -f -m limit --limit 1/s -j LOG --log-prefix "[FRAG Banned] " --log-level=info iptables -A Banned -j DROP # # Disallow packets frequently used by port-scanners # # All of the bits are cleared iptables -A INPUT -p tcp --tcp-flags ALL NONE -j ScanD # SYN and FIN are both set iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j ScanD # SYN and RST are both set iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j ScanD # FIN and RST are both set iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j ScanD # FIN is the only bit set, without the expected accompanying ACK iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j ScanD # PSH is the only bit set, without the expected accompanying ACK iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j ScanD # URG is the only bit set, without the expected accompanying ACK iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j ScanD # SYN-Flood # (Request for new connection; large number indicate possible DDoS-type attack; same as --syn) iptables -A INPUT -p tcp --tcp-flags SYN,RST,ACK SYN -j DDoS # Enable broadcast echo Protection echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts # Disable Source Routed Packets for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do echo 0 > $f done # Enable TCP SYN Cookie Protection echo 1 > /proc/sys/net/ipv4/tcp_syncookies # Disable ICMP Redirect Acceptance for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do echo 0 > $f done # Don't send Redirect Messages for f in /proc/sys/net/ipv4/conf/*/send_redirects; do echo 0 > $f done # Disable ICMP Redirect Acceptance for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do echo 0 > $f done # Drop Spoofed Packets coming in on an interface, which if replied to, # would result in the reply going out a different interface. for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > $f done # Log packets with impossible addresses. for f in /proc/sys/net/ipv4/conf/*/log_martians; do echo 1 > $f done # Disallow fragmented packets. This may not be as necessary as it once was. # Comment it out with # if desired. # iptables -A INPUT -f -i $EXTERNAL_INTERFACE -j LnD # iptables -A INPUT -f -i $INTERNAL_INTERFACE -j LnD # # Loopback # # Unlimited traffic on the loopback interface (lo) iptables -A INPUT -i $LOOPBACK_INTERFACE -j ACCEPT iptables -A OUTPUT -o $LOOPBACK_INTERFACE -j ACCEPT # # Refuse any connections to/from problem sites. # # /etc/firewall/firewall.banned contains a list of IPs # to block all access, both inbound and outbound. # The file should contain IP addresses with CIDR # netmask, one per line: # # NOTE: No comments are allowed in the file. # # 111.0.0.0/8 - To block a Class-A network # 111.222.0.0/16 - To block a Class-B network # 111.222.254.0/24 - To block a Class-C network # 111.222.254.244/32 - To block a single IP address # # The CIDR netmask number describes the number of bits # in the network portion of the address, and may be on # any boundary. # if [ -f /etc/firewall/firewall.banned ]; then while read BANNED; do iptables -A INPUT -i $EXTERNAL_INTERFACE -s $BANNED -j Banned iptables -A INPUT -i $EXTERNAL_INTERFACE -d $BANNED -j Banned iptables -A OUTPUT -o $EXTERNAL_INTERFACE -s $BANNED -j Banned iptables -A OUTPUT -o $EXTERNAL_INTERFACE -d $BANNED -j Banned iptables -A FORWARD -d $BANNED -j Banned iptables -A FORWARD -s $BANNED -j Banned done < /etc/firewall/firewall.banned echo "firewall: Banned addresses added to rule set" else echo "firewall: Banned address/network file not found." fi # # Refuse connections from IANA-reserved blocks # if [ -f /etc/firewall/firewall.iana-reserved ]; then while read RESERVED; do iptables -A INPUT -i $EXTERNAL_INTERFACE -s $RESERVED -j IANA iptables -A INPUT -i $EXTERNAL_INTERFACE -d $RESERVED -j IANA iptables -A OUTPUT -o $EXTERNAL_INTERFACE -s $RESERVED -j IANA iptables -A OUTPUT -o $EXTERNAL_INTERFACE -d $RESERVED -j IANA done < /etc/firewall/firewall.iana-reserved echo "firewall: Connections from IANA-reserved addresses blocked" else echo "firewall: IANA-reserved address/network file not found." fi # # Localizations # # The /etc/firewall/firewall.local file should contain rules in # standard 'iptables' format. # if [ -f /etc/firewall/firewall.local.iptables ]; then . /etc/firewall/firewall.local.iptables echo "firewall: Local rules added" else echo "firewall: Local rules file not found." fi # # ICMP # # (4) Source Quench. # Incoming & outgoing requests to slow down (flow control) iptables -A INPUT -i $EXTERNAL_INTERFACE -p ICMP --icmp-type 4 -s $ANYWHERE -d $EXTERNAL_IP -j ACCEPT iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p ICMP --icmp-type 4 -s $EXTERNAL_IP -d $ANYWHERE -j ACCEPT if [ $MASQUERADING -gt 0 ]; then iptables -A FORWARD -p ICMP --icmp-type 4 -j ACCEPT fi # (12) Parameter Problem. # Incoming & outgoing error messages iptables -A INPUT -i $EXTERNAL_INTERFACE -p ICMP --icmp-type 12 -s $ANYWHERE -d $EXTERNAL_IP -j ACCEPT iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p ICMP --icmp-type 12 -s $EXTERNAL_IP -d $ANYWHERE -j ACCEPT if [ $MASQUERADING -gt 0 ]; then iptables -A FORWARD -p ICMP --icmp-type 12 -j ACCEPT fi # (3) Destination Unreachable, Service Unavailable. # Incoming & outgoing size negotiation, service or # destination unavailability, final traceroute response iptables -A INPUT -i $EXTERNAL_INTERFACE -p ICMP --icmp-type 3 -s $ANYWHERE -d $EXTERNAL_IP -j ACCEPT iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p ICMP --icmp-type 3 -s $EXTERNAL_IP -d $ANYWHERE -j ACCEPT iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p ICMP --icmp-type fragmentation-needed -s $EXTERNAL_IP -d $ANYWHERE -j ACCEPT if [ $MASQUERADING -gt 0 ]; then iptables -A FORWARD -p ICMP --icmp-type 3 -j ACCEPT iptables -A FORWARD -p ICMP --icmp-type fragmentation-needed -j ACCEPT fi # (11) Time Exceeded. # Incoming & outgoing timeout conditions, # also intermediate TTL response to traceroutes iptables -A INPUT -i $EXTERNAL_INTERFACE -p ICMP --icmp-type 11 -s $ANYWHERE -d $EXTERNAL_IP -j ACCEPT iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p ICMP --icmp-type 11 -s $EXTERNAL_IP -d $ANYWHERE -j ACCEPT if [ $MASQUERADING -gt 0 ]; then iptables -A FORWARD -p ICMP --icmp-type 11 -j ACCEPT fi # (0 | Allow OUTPUT pings to anywhere. if [ $OUTBOUND_PING -gt 0 ]; then iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p ICMP --icmp-type 8 -s $EXTERNAL_IP -d $ANYWHERE -j ACCEPT iptables -A INPUT -i $EXTERNAL_INTERFACE -p ICMP --icmp-type 0 -s $ANYWHERE -d $EXTERNAL_IP -j ACCEPT if [ $MASQUERADING -gt 0 ]; then iptables -A FORWARD -p ICMP --icmp-type 8 -s $INTERNAL_NETWORK -j ACCEPT iptables -A FORWARD -p ICMP --icmp-type 0 -d $INTERNAL_NETWORK -j ACCEPT fi if [ $VERBOSE -gt 0 ]; then echo "firewall: Outbound ping enabled" fi fi # (0 | Allow incoming pings from anywhere # (stops at firewall). if [ $INBOUND_PING -gt 0 ]; then iptables -A INPUT -i $EXTERNAL_INTERFACE -p ICMP --icmp-type 8 -s $ANYWHERE -d $EXTERNAL_IP -j ACCEPT iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p ICMP --icmp-type 0 -s $EXTERNAL_IP -d $ANYWHERE -j ACCEPT if [ $VERBOSE -gt 0 ]; then echo "firewall: Inbound ping enabled" fi fi # # Unprivileged Ports # Avoid ports subject to protocol and system administration problems. # NFS_PORT="2049" # (TCP/UDP) NFS OPENWINDOWS_PORT="2000" # (TCP) Openwindows SOCKS_PORT="1080" # (TCP) Socks # Openwindows: establishing a connection iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP -m state --state NEW --dport $OPENWINDOWS_PORT -s $EXTERNAL_IP -d $ANYWHERE -j LnR # Openwindows: incoming connection iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP -m state --state NEW --dport $OPENWINDOWS_PORT -d $EXTERNAL_IP -j LnD # X Window: establishing a remote connection iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP -m state --state NEW --dport $XWINDOW_PORTS -s $EXTERNAL_IP -d $ANYWHERE -j LnR # X Window: incoming connection attempt iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP -m state --state NEW --dport $XWINDOW_PORTS -d $EXTERNAL_IP -j LnD # SOCKS: establishing a connection iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP -m state --state NEW --dport $SOCKS_PORT -s $EXTERNAL_IP -d $ANYWHERE -j LnR # SOCKS: incoming connection iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP -m state --state NEW --dport $SOCKS_PORT -d $EXTERNAL_IP -j LnD # NFS: TCP connections iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP -m state --state NEW --dport $NFS_PORT -d $EXTERNAL_IP -j LnD iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP -m state --state NEW --dport $NFS_PORT -d $ANYWHERE -j LnR # NFS: UDP connections iptables -A INPUT -i $EXTERNAL_INTERFACE -p UDP --dport $NFS_PORT -d $EXTERNAL_IP -j LnD # NFS: incoming request (normal UDP mode) iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p UDP --dport $NFS_PORT -d $ANYWHERE -j LnR # # DNAT/SNAT Port Forwarding # if [ $PORT_FORWARD -gt 0 ]; then if [ -f /etc/firewall/firewall.nat ]; then while read IP_PORT; do # extract the protocols, IPs and ports NAT_TYPE=$(echo "$IP_PORT" | awk '{print $1}') NAT_EXT_PORT=$(echo "$IP_PORT" | awk '{print $2}') NAT_INT_IP=$(echo "$IP_PORT" | awk '{print $3}') NAT_INT_PORT=$(echo "$IP_PORT" | awk '{print $4}') # write the rules! # this is the prerouting dnat iptables -A PREROUTING -t nat -p $NAT_TYPE -d $EXTERNAL_IP --dport $NAT_EXT_PORT -j DNAT --to-destination $NAT_INT_IP:$NAT_INT_PORT # This allows packets from external->internal iptables -A FORWARD -i $EXTERNAL_INTERFACE -o $INTERNAL_INTERFACE -p $NAT_TYPE -d $NAT_INT_IP --dport $NAT_INT_PORT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT # This allows packets from internal->external iptables -A FORWARD -i $INTERNAL_INTERFACE -o $EXTERNAL_INTERFACE -p $NAT_TYPE -s $NAT_INT_IP --sport $NAT_INT_PORT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT # This enables access to the 'public' server from the internal network iptables -t nat -A POSTROUTING -d $NAT_INT_IP -s $INTERNAL_NETWORK -p $NAT_TYPE --dport $NAT_INT_PORT -j SNAT --to $INTERNAL_IP echo firewall: dnat: $NAT_TYPE:$EXTERNAL_IP:$NAT_EXT_PORT - $NAT_INT_IP:$NAT_INT_PORT done < /etc/firewall/firewall.nat # unset some variables unset IP_PORT unset NAT_TYPE unset NAT_EXT_PORT unset NAT_INT_IP unset NAT_INT_PORT else echo "firewall.nat (port-forwarding table) not found! Port-forwarding not enabled." fi fi # # NOTE: # The symbolic names used in /etc/services for the port numbers # vary by supplier. # # Required Services # # DNS client modes (53) # if [ $DNS_CLIENT -gt 0 ]; then iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p UDP --sport $UNPRIVPORTS --dport 53 -s $EXTERNAL_IP -d $ANYWHERE -j ACCEPT iptables -A INPUT -i $EXTERNAL_INTERFACE -m state --state ESTABLISHED,RELATED -p UDP --sport 53 --dport $UNPRIVPORTS -s $ANYWHERE -d $EXTERNAL_IP -j ACCEPT if [ $MASQUERADING -gt 0 ]; then iptables -A FORWARD -p UDP -s $INTERNAL_NETWORK --sport $UNPRIVPORTS --dport 53 -j ACCEPT iptables -A FORWARD -p UDP -d $INTERNAL_NETWORK --sport 53 --dport $UNPRIVPORTS -j ACCEPT fi # TCP client-to-server requests are allowed by the protocol # if UDP requests fail. This is rarely seen. Usually, clients # use TCP as a secondary name server for zone transfers from # their primary name servers, and as hackers. iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP --sport $UNPRIVPORTS --dport 53 -s $EXTERNAL_IP -d $ANYWHERE -j ACCEPT iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED --sport 53 --dport $UNPRIVPORTS -s $ANYWHERE -d $EXTERNAL_IP -j ACCEPT if [ $MASQUERADING -gt 0 ]; then iptables -A FORWARD -p TCP -s $INTERNAL_NETWORK --sport $UNPRIVPORTS --dport 53 -j ACCEPT iptables -A FORWARD -m state --state ESTABLISHED,RELATED -p TCP -d $INTERNAL_NETWORK --sport 53 --dport $UNPRIVPORTS -j ACCEPT fi if [ $VERBOSE -gt 0 ]; then echo "firewall: DNS client enabled" fi fi # # DNS server modes (53) # # # DNS caching & forwarding name server # if [ $DNS_CACHING_SERVER -gt 0 ]; then # Server-to-server query or response # Caching only name server uses UDP, not TCP iptables -A INPUT -i $EXTERNAL_INTERFACE -p UDP --sport 53 --dport 53 -s $ANYWHERE -d $EXTERNAL_IP -j ACCEPT iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p UDP --sport 53 --dport 53 -s $EXTERNAL_IP -d $ANYWHERE -j ACCEPT if [ $VERBOSE -gt 0 ]; then echo "firewall: DNS Caching server enabled" fi fi # # DNS full name server # if [ $DNS_FULL_SERVER -gt 0 ]; then # Client-to-server DNS transaction. iptables -A INPUT -i $EXTERNAL_INTERFACE -p UDP --sport $UNPRIVPORTS --dport 53 -s $ANYWHERE -d $EXTERNAL_IP -j ACCEPT iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p UDP --sport 53 --dport $UNPRIVPORTS -s $EXTERNAL_IP -d $ANYWHERE -j ACCEPT iptables -A INPUT -i $EXTERNAL_INTERFACE -p UDP --sport 53 --dport 53 -s $ANYWHERE -d $EXTERNAL_IP -j ACCEPT iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p UDP --sport 53 --dport 53 -s $EXTERNAL_IP -d $ANYWHERE -j ACCEPT # Zone Transfers. # Due to the potential danger of zone transfers, # allow TCP traffic to only specific secondaries. # /etc/firewall/firewall.dns contains a list of # secondary, tertiary, etc. domain name servers with which # zone transfers are allowed. The file should contain IP # addresses with CIDR netmask, one per line: if [ -f /etc/firewall/firewall.dns ]; then while read DNS_SECONDARY; do iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP --sport $UNPRIVPORTS --dport 53 -s $DNS_SECONDARY -d $EXTERNAL_IP -j ACCEPT iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED --sport 53 --dport $UNPRIVPORTS -s $EXTERNAL_IP -d $DNS_SECONDARY -j ACCEPT done < /etc/firewall/firewall.dns else echo "firewall: ** No secondary DNS configured **" fi if [ $VERBOSE -gt 0 ]; then echo "firewall: DNS Full server enabled" fi fi # # AUTH (113) - Allowing your outgoing AUTH requests as a client # if [ $AUTH_CLIENT -gt 0 ]; then iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP --sport $UNPRIVPORTS --dport 113 -s $EXTERNAL_IP -d $ANYWHERE -j ACCEPT iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED --sport 113 --dport $UNPRIVPORTS -s $ANYWHERE -d $EXTERNAL_IP -j ACCEPT if [ $MASQUERADING -gt 0 ]; then iptables -A FORWARD -p TCP -s $INTERNAL_NETWORK --sport $UNPRIVPORTS --dport 113 -j ACCEPT iptables -A FORWARD -m state --state ESTABLISHED,RELATED -p TCP -d $INTERNAL_NETWORK --sport 113 --dport $UNPRIVPORTS -j ACCEPT fi if [ $VERBOSE -gt 0 ]; then echo "firewall: Auth client enabled" fi fi # AUTH server (113) if [ $AUTH_SERVER -gt 0 ]; then # Accepting incoming AUTH requests iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP --sport $UNPRIVPORTS --dport 113 -s $ANYWHERE -d $EXTERNAL_IP -j ACCEPT iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED --sport 113 --dport $UNPRIVPORTS -s $EXTERNAL_IP -d $ANYWHERE -j ACCEPT if [ $VERBOSE -gt 0 ]; then echo "firewall: Auth server enabled" fi else # Rejecting incoming AUTH requests iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP --dport 113 -d $EXTERNAL_IP -j LnR if [ $VERBOSE -gt 0 ]; then echo "firewall: Auth server requests will be rejected" fi fi # # TCP Services on selected ports. # # # Sending Mail through a remote SMTP server (25) # if [ $SMTP_REMOTE_SERVER -gt 0 ]; then # SMTP client to an ISP account without a local server for SMTP_SRVR in ${SMTP_SERVER}; do iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP --sport $UNPRIVPORTS --dport 25 -s $EXTERNAL_IP -d $SMTP_SRVR -j ACCEPT iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED --sport 25 --dport $UNPRIVPORTS -s $SMTP_SRVR -d $EXTERNAL_IP -j ACCEPT if [ $MASQUERADING -gt 0 ]; then iptables -A FORWARD -p TCP -s $INTERNAL_NETWORK -d $SMTP_SRVR --sport $UNPRIVPORTS --dport 25 -j ACCEPT iptables -A FORWARD -m state --state ESTABLISHED,RELATED -p TCP -s $SMTP_SRVR -d $INTERNAL_NETWORK --sport 25 --dport $UNPRIVPORTS -j ACCEPT fi if [ $VERBOSE -gt 0 ]; then echo "firewall: Clients may access remote SMTP server: ${SMTP_SRVR}" fi done fi # # Sending Mail through a local SMTP server (25) # if [ $SMTP_LOCAL_SERVER -gt 0 ]; then iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP --sport $UNPRIVPORTS --dport 25 -s $EXTERNAL_IP -d $ANYWHERE -j ACCEPT iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED --sport 25 --dport $UNPRIVPORTS -s $ANYWHERE -d $EXTERNAL_IP -j ACCEPT # Receiving Mail as a Local SMTP server (25) iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP --sport $UNPRIVPORTS --dport 25 -s $ANYWHERE -d $EXTERNAL_IP -j ACCEPT iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED --sport 25 --dport $UNPRIVPORTS -s $EXTERNAL_IP -d $ANYWHERE -j ACCEPT if [ $VERBOSE -gt 0 ]; then echo "firewall: SMTP Local server enabled" fi fi # # Sending Mail through a remote Secure SMTP server (465) # if [ $SSMTP_REMOTE_SERVER -gt 0 ]; then # SSMTP client to an ISP account without a local server for SSMTP_SRVR in ${SSMTP_SERVER}; do iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP --sport $UNPRIVPORTS --dport 465 -s $EXTERNAL_IP -d $SSMTP_SRVR -j ACCEPT iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED --sport 465 --dport $UNPRIVPORTS -s $SSMTP_SRVR -d $EXTERNAL_IP -j ACCEPT if [ $MASQUERADING -gt 0 ]; then iptables -A FORWARD -p TCP -s $INTERNAL_NETWORK -d $SSMTP_SRVR --sport $UNPRIVPORTS --dport 465 -j ACCEPT iptables -A FORWARD -m state --state ESTABLISHED,RELATED -p TCP -s $SSMTP_SRVR -d $INTERNAL_NETWORK --sport 465 --dport $UNPRIVPORTS -j ACCEPT fi if [ $VERBOSE -gt 0 ]; then echo "firewall: Clients may access remote Secure SMTP server: ${SSMTP_SRVR}" fi done fi # # Sending Mail through a local Secure SMTP server (465) # if [ $SSMTP_LOCAL_SERVER -gt 0 ]; then iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP --sport $UNPRIVPORTS --dport 465 -s $EXTERNAL_IP -d $ANYWHERE -j ACCEPT iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED --sport 465 --dport $UNPRIVPORTS -s $ANYWHERE -d $EXTERNAL_IP -j ACCEPT # Receiving Mail as a Local Secure SMTP server (465) iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP --sport $UNPRIVPORTS --dport 465 -s $ANYWHERE -d $EXTERNAL_IP -j ACCEPT iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED --sport 465 --dport $UNPRIVPORTS -s $EXTERNAL_IP -d $ANYWHERE -j ACCEPT if [ $VERBOSE -gt 0 ]; then echo "firewall: Secure SMTP Local server enabled" fi fi # # Sending Mail through a remote TLS server (587) # if [ $TLS_REMOTE_SERVER -gt 0 ]; then # TLS client to an ISP account without a local server for TLS_SRVR in ${TLS_SERVER}; do iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP --sport $UNPRIVPORTS --dport 587 -s $EXTERNAL_IP -d $TLS_SRVR -j ACCEPT iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED --sport 587 --dport $UNPRIVPORTS -s $TLS_SRVR -d $EXTERNAL_IP -j ACCEPT if [ $MASQUERADING -gt 0 ]; then iptables -A FORWARD -p TCP -s $INTERNAL_NETWORK -d $TLS_SRVR --sport $UNPRIVPORTS --dport 587 -j ACCEPT iptables -A FORWARD -m state --state ESTABLISHED,RELATED -p TCP -s $TLS_SRVR -d $INTERNAL_NETWORK --sport 587 --dport $UNPRIVPORTS -j ACCEPT fi if [ $VERBOSE -gt 0 ]; then echo "firewall: Clients may access remote TLS server: ${TLS_SRVR}" fi done fi # # Sending Mail through a local TLS server (587) # if [ $TLS_LOCAL_SERVER -gt 0 ]; then iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP --sport $UNPRIVPORTS --dport 587 -s $EXTERNAL_IP -d $ANYWHERE -j ACCEPT iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED --sport 587 --dport $UNPRIVPORTS -s $ANYWHERE -d $EXTERNAL_IP -j ACCEPT # Receiving Mail as a Local TLS server (587) iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP --sport $UNPRIVPORTS --dport 587 -s $ANYWHERE -d $EXTERNAL_IP -j ACCEPT iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED --sport 587 --dport $UNPRIVPORTS -s $EXTERNAL_IP -d $ANYWHERE -j ACCEPT if [ $VERBOSE -gt 0 ]; then echo "firewall: TLS Local server enabled" fi fi # # POP3 (110) - Retrieving Mail as a POP3 client # if [ $POP3_CLIENT -gt 0 ]; then for POP_SRVR in ${POP_SERVER}; do iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP --sport $UNPRIVPORTS --dport 110 -s $EXTERNAL_IP -d $POP_SRVR -j ACCEPT iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED --sport 110 --dport $UNPRIVPORTS -s $POP_SRVR -d $EXTERNAL_IP -j ACCEPT if [ $MASQUERADING -gt 0 ]; then iptables -A FORWARD -p TCP -s $INTERNAL_NETWORK -d $POP_SRVR --sport $UNPRIVPORTS --dport 110 -j ACCEPT iptables -A FORWARD -m state --state ESTABLISHED,RELATED -p TCP -s $POP_SRVR -d $INTERNAL_NETWORK --sport 110 --dport $UNPRIVPORTS -j ACCEPT fi if [ $VERBOSE -gt 0 ]; then echo "firewall: Clients may access remote POP-3 server: ${POP_SRVR}" fi done fi # # POP3 (110) - Hosting a POP3 server for remote clients # if [ $POP3_SERVER -gt 0 ]; then for MY_POP3_CLIENT in ${MY_POP3_CLIENTS}; do iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP --sport $UNPRIVPORTS --dport 110 -s $MY_POP3_CLIENT -d $EXTERNAL_IP -j ACCEPT iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED --sport 110 --dport $UNPRIVPORTS -s $EXTERNAL_IP -d $MY_POP3_CLIENT -j ACCEPT if [ $VERBOSE -gt 0 ]; then echo "firewall: Remote site ${MY_POP3_CLIENT} may access local POP-3 server" fi done fi # # POP3S (995) - Retrieving Mail as a POP3S client # if [ $POP3S_CLIENT -gt 0 ]; then for POP3S_SRVR in ${POP3S_SERVERS}; do iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP --sport $UNPRIVPORTS --dport 995 -s $EXTERNAL_IP -d $POP3S_SRVR -j ACCEPT iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED --sport 995 --dport $UNPRIVPORTS -s $POP3S_SRVR -d $EXTERNAL_IP -j ACCEPT if [ $MASQUERADING -gt 0 ]; then iptables -A FORWARD -p TCP -s $INTERNAL_NETWORK -d $POP3S_SRVR --sport $UNPRIVPORTS --dport 995 -j ACCEPT iptables -A FORWARD -m state --state ESTABLISHED,RELATED -p TCP -s $POP3S_SRVR -d $INTERNAL_NETWORK --sport 995 --dport $UNPRIVPORTS -j ACCEPT fi if [ $VERBOSE -gt 0 ]; then echo "firewall: Clients may access remote POP-3 secure server: ${POP3S_SRVR}" fi done fi # # POP3S (995) - Hosting a secure POP3 server for remote clients # if [ $POP3S_SERVER -gt 0 ]; then for MY_POP3S_CLIENT in ${MY_POP3S_CLIENTS}; do iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP --sport $UNPRIVPORTS --dport 995 -s $MY_POP3S_CLIENT -d $EXTERNAL_IP -j ACCEPT iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED --sport 995 --dport $UNPRIVPORTS -s $EXTERNAL_IP -d $MY_POP3S_CLIENT -j ACCEPT if [ $VERBOSE -gt 0 ]; then echo "firewall: Remote site ${MY_POP3S_CLIENT} may access local secure POP-3 server" fi done fi # # IMAP (143) - Retrieving Mail as an IMAP client # if [ $IMAP_CLIENT -gt 0 ]; then for IMAP_SRVR in ${MY_IMAP_SERVER}; do iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP --sport $UNPRIVPORTS --dport 143 -s $EXTERNAL_IP -d $IMAP_SRVR -j ACCEPT iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED --sport 143 --dport $UNPRIVPORTS -s $IMAP_SRVR -d $EXTERNAL_IP -j ACCEPT if [ $MASQUERADING -gt 0 ]; then iptables -A FORWARD -p TCP -s $INTERNAL_NETWORK -d $IMAP_SRVR --sport $UNPRIVPORTS --dport 143 -j ACCEPT iptables -A FORWARD -m state --state ESTABLISHED,RELATED -p TCP -s $IMAP_SRVR -d $INTERNAL_NETWORK --sport 143 --dport $UNPRIVPORTS -j ACCEPT fi if [ $VERBOSE -gt 0 ]; then echo "firewall: Clients may access remote IMAP server: ${IMAP_SRVR}" fi done fi # # IMAP (143) - Hosting an IMAP server for remote clients # if [ $IMAP_SERVER -gt 0 ]; then for MY_IMAP_CLIENT in ${MY_IMAP_CLIENTS}; do iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP --sport $UNPRIVPORTS --dport 143 -s $MY_IMAP_CLIENT -d $EXTERNAL_IP -j ACCEPT iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED --sport 143 --dport $UNPRIVPORTS -s $EXTERNAL_IP -d $MY_IMAP_CLIENTS -j ACCEPT if [ $VERBOSE -gt 0 ]; then echo "firewall: Remote site ${MY_IMAP_CLIENT} may access local IMAP server" fi done fi # # IMAPS (993) - Retrieving Mail as an Secure IMAP client # if [ $IMAPS_CLIENT -gt 0 ]; then for IMAPS_SRVR in ${MY_IMAPS_SERVER}; do iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP --sport $UNPRIVPORTS --dport 993 -s $EXTERNAL_IP -d $IMAPS_SRVR -j ACCEPT iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED --sport 993 --dport $UNPRIVPORTS -s $IMAPS_SRVR -d $EXTERNAL_IP -j ACCEPT if [ $MASQUERADING -gt 0 ]; then iptables -A FORWARD -p TCP -s $INTERNAL_NETWORK -d $IMAPS_SRVR --sport $UNPRIVPORTS --dport 993 -j ACCEPT iptables -A FORWARD -m state --state ESTABLISHED,RELATED -p TCP -s $IMAPS_SRVR -d $INTERNAL_NETWORK --sport 993 --dport $UNPRIVPORTS -j ACCEPT fi if [ $VERBOSE -gt 0 ]; then echo "firewall: Clients may access remote Secure IMAP server: ${IMAPS_SRVR}" fi done fi # # IMAPS (993) - Hosting a Secure IMAP server for remote clients # if [ $IMAPS_SERVER -gt 0 ]; then for MY_IMAPS_CLIENT in ${MY_IMAPS_CLIENTS}; do iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP --sport $UNPRIVPORTS --dport 993 -s $MY_IMAPS_CLIENT -d $EXTERNAL_IP -j ACCEPT iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED --sport 993 --dport $UNPRIVPORTS -s $EXTERNAL_IP -d $MY_IMAPS_CLIENT -j ACCEPT if [ $VERBOSE -gt 0 ]; then echo "firewall: Remote site ${MY_IMAPS_CLIENT} may access local Secure IMAP server" fi done fi # # NNTP (119) - Reading and posting news as a Usenet client # if [ $NNTP_CLIENT -gt 0 ]; then for NEWS_SRVR in ${NEWS_SERVER}; do iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP --sport $UNPRIVPORTS --dport 119 -s $EXTERNAL_IP -d $NEWS_SRVR -j ACCEPT iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED --sport 119 --dport $UNPRIVPORTS -s $NEWS_SRVR -d $EXTERNAL_IP -j ACCEPT if [ $MASQUERADING -gt 0 ]; then iptables -A FORWARD -p TCP -s $INTERNAL_NETWORK -d $NEWS_SRVR --sport $UNPRIVPORTS --dport 119 -j ACCEPT iptables -A FORWARD -m state --state ESTABLISHED,RELATED -p TCP -s $NEWS_SRVR -d $INTERNAL_NETWORK --sport 119 --dport $UNPRIVPORTS -j ACCEPT fi if [ $VERBOSE -gt 0 ]; then echo "firewall: Clients may access remote NNTP server: ${NEWS_SRVR}" fi done fi # # NNTP (119) - Hosting a Usenet news server for remote clients # if [ $NNTP_SERVER -gt 0 ]; then for NNTP_CLIENT in ${MY_NNTP_CLIENTS}; do iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP --sport $UNPRIVPORTS --dport 119 -s $NNTP_CLIENT -d $EXTERNAL_IP -j ACCEPT iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED --sport 119 --dport $UNPRIVPORTS -s $EXTERNAL_IP -d $NNTP_CLIENT -j ACCEPT if [ $VERBOSE -gt 0 ]; then echo "firewall: Remote client ${NNTP_CLIENT} may access local NNTP server" fi done fi # # NNTP (119) - Allowing peer news feeds for a local Usenet server # if [ $NNTP_NEWS_FEED -gt 0 ]; then iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP --sport $UNPRIVPORTS --dport 119 -s $EXTERNAL_IP -d $MY_NEWS_FEED -j ACCEPT iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED --sport 119 --dport $UNPRIVPORTS -s $MY_NEWS_FEED -d $EXTERNAL_IP -j ACCEPT if [ $VERBOSE -gt 0 ]; then echo "firewall: External NNTP News feed access enabled" fi fi # # Secure NNTP (563) - Reading and posting news as a Usenet client over SSL # Submitted by Renaud Colinet # if [ $NNTPS_CLIENT -gt 0 ]; then for SNEWS_SRVR in ${SNEWS_SERVER}; do iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP --sport $UNPRIVPORTS --dport 563 -s $EXTERNAL_IP -d $SNEWS_SRVR -j ACCEPT iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED --sport 563 --dport $UNPRIVPORTS -s $SNEWS_SRVR -d $EXTERNAL_IP -j ACCEPT if [ $MASQUERADING -gt 0 ]; then iptables -A FORWARD -p TCP -s $INTERNAL_NETWORK -d $SNEWS_SRVR --sport $UNPRIVPORTS --dport 563 -j ACCEPT iptables -A FORWARD -m state --state ESTABLISHED,RELATED -p TCP -s $SNEWS_SRVR -d $INTERNAL_NETWORK --sport 563 --dport $UNPRIVPORTS -j ACCEPT fi if [ $VERBOSE -gt 0 ]; then echo "firewall: Clients may access remote secure NNTP server: ${SNEWS_SRVR}" fi done fi # # TELNET (23) - Allowing outgoing client access to remote sites # if [ $TELNET_CLIENT -gt 0 ]; then iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP --sport $UNPRIVPORTS --dport 23 -s $EXTERNAL_IP -d $ANYWHERE -j ACCEPT iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED --sport 23 --dport $UNPRIVPORTS -s $ANYWHERE -d $EXTERNAL_IP -j ACCEPT if [ $MASQUERADING -gt 0 ]; then iptables -A FORWARD -p TCP -s $INTERNAL_NETWORK --sport $UNPRIVPORTS --dport 23 -j ACCEPT iptables -A FORWARD -m state --state ESTABLISHED,RELATED -p TCP -d $INTERNAL_NETWORK --sport 23 --dport $UNPRIVPORTS -j ACCEPT fi if [ $VERBOSE -gt 0 ]; then echo "firewall: Clients may access remote TELNET servers" fi fi # # TELNET (23) - Allowing incoming access to your local server # Note: Not recommended! Suggest SSH instead! # if [ $TELNET_SERVER -gt 0 ]; then for MY_TELNET_CLIENT in ${MY_TELNET_CLIENTS}; do iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP --sport $UNPRIVPORTS --dport 23 -s $MY_TELNET_CLIENTS -d $EXTERNAL_IP -j ACCEPT iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED --sport 23 --dport $UNPRIVPORTS -s $EXTERNAL_IP -d $MY_TELNET_CLIENTS -j ACCEPT if [ $VERBOSE -gt 0 ]; then echo "firewall: Remote site ${MY_TELNET_CLIENT} may access local TELNET server" fi done fi # # SSH Client (22) - Allowing client access to remote SSH servers # if [ $SSH_CLIENT -gt 0 ]; then iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP --sport $UNPRIVPORTS --dport 22 -s $EXTERNAL_IP -d $ANYWHERE -j ACCEPT iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED --sport 22 --dport $UNPRIVPORTS -s $ANYWHERE -d $EXTERNAL_IP -j ACCEPT iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP --sport $SSH_HI_PORTS --dport 22 -s $EXTERNAL_IP -d $ANYWHERE -j ACCEPT iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED --sport 22 --dport $SSH_HI_PORTS -s $ANYWHERE -d $EXTERNAL_IP -j ACCEPT if [ $MASQUERADING -gt 0 ]; then iptables -A FORWARD -p TCP -s $INTERNAL_NETWORK --sport $UNPRIVPORTS --dport 22 -j ACCEPT iptables -A FORWARD -m state --state ESTABLISHED,RELATED -p TCP -d $INTERNAL_NETWORK --sport 22 --dport $UNPRIVPORTS -j ACCEPT iptables -A FORWARD -p TCP -s $INTERNAL_NETWORK --sport $SSH_HI_PORTS --dport 22 -j ACCEPT iptables -A FORWARD -m state --state ESTABLISHED,RELATED -p TCP -d $INTERNAL_NETWORK --sport 22 --dport $SSH_HI_PORTS -j ACCEPT fi if [ $VERBOSE -gt 0 ]; then echo "firewall: Clients may access remote SSH servers" fi fi # # SSH (see config) - Allowing remote client access to your local SSH server # if [ $SSH_SERVER -gt 0 ]; then for MY_SSH_CLIENT in ${MY_SSH_CLIENTS}; do iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP --sport $UNPRIVPORTS --dport $SSH_PORT -s $MY_SSH_CLIENT -d $EXTERNAL_IP -j ACCEPT iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED --sport $SSH_PORT --dport $UNPRIVPORTS -s $EXTERNAL_IP -d $MY_SSH_CLIENT -j ACCEPT iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP --sport $SSH_HI_PORTS --dport $SSH_PORT -s $MY_SSH_CLIENT -d $EXTERNAL_IP -j ACCEPT iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED --sport $SSH_PORT --dport $SSH_HI_PORTS -s $EXTERNAL_IP -d $MY_SSH_CLIENT -j ACCEPT if [ $VERBOSE -gt 0 ]; then echo "firewall: Remote site ${MY_SSH_CLIENT} may access local SSH server" fi done fi # # FTP (20, 21) - Allowing outgoing client access to remote FTP servers # See note for FTP server, below. We will simply load up the modules below: if [ $FTP_CLIENT -gt 0 ]; then /sbin/modprobe ip_conntrack /sbin/modprobe ip_conntrack_ftp # /sbin/modprobe ip_nat_ftp # Outgoing request iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED --sport 21 --dport $UNPRIVPORTS -s $ANYWHERE -d $EXTERNAL_IP -j ACCEPT iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP -m state --state NEW,ESTABLISHED --sport $UNPRIVPORTS --dport 21 -s $EXTERNAL_IP -d $ANYWHERE -j ACCEPT # Normal Port mode FTP data channels # iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP -m state --state NEW # --sport 20 --dport $UNPRIVPORTS -s $ANYWHERE -d $EXTERNAL_IP -j ACCEPT iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED --sport $UNPRIVPORTS --dport 20 -s $EXTERNAL_IP -d $ANYWHERE -j ACCEPT # Passive mode FTP data channels iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED --sport $UNPRIVPORTS --dport $UNPRIVPORTS -s $ANYWHERE -d $EXTERNAL_IP -j ACCEPT iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP -m state --state NEW,ESTABLISHED --sport $UNPRIVPORTS --dport $UNPRIVPORTS -s $EXTERNAL_IP -d $ANYWHERE -j ACCEPT if [ $MASQUERADING -gt 0 ]; then iptables -A FORWARD -p TCP -s $INTERNAL_NETWORK --sport $UNPRIVPORTS --dport 20:21 -j ACCEPT iptables -A FORWARD -p TCP -d $INTERNAL_NETWORK --sport 20:21 --dport $UNPRIVPORTS -j ACCEPT iptables -A FORWARD -p TCP -s $INTERNAL_NETWORK --sport $UNPRIVPORTS --dport $UNPRIVPORTS -j ACCEPT iptables -A FORWARD -p TCP -d $INTERNAL_NETWORK --sport $UNPRIVPORTS --dport $UNPRIVPORTS -j ACCEPT fi if [ $VERBOSE -gt 0 ]; then echo "firewall: Clients may access remote FTP servers" fi fi # # FTP (20, 21) - Allowing incoming access to your local FTP server # if [ $FTP_SERVER -gt 0 ]; then /sbin/modprobe ip_conntrack /sbin/modprobe ip_conntrack_ftp # /sbin/modprobe ip_nat_ftp # load if FTP server behind NATted firewall for MY_FTP_CLIENT in ${MY_FTP_CLIENTS}; do iptables -A INPUT -p tcp -i $EXTERNAL_INTERFACE -s $MY_FTP_CLIENT --sport 1024:65535 -d $EXTERNAL_IP --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A OUTPUT -p tcp -o $EXTERNAL_INTERFACE -s $EXTERNAL_IP --sport 21 -d $MY_FTP_CLIENT --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT iptables -A INPUT -p tcp -i $EXTERNAL_INTERFACE -s $MY_FTP_CLIENT --sport 1024:65535 -d $EXTERNAL_IP --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A OUTPUT -p tcp -o $EXTERNAL_INTERFACE -s $EXTERNAL_IP --sport 1024:65535 -d $MY_FTP_CLIENT --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT iptables -A OUTPUT -p tcp -o $EXTERNAL_INTERFACE -s $EXTERNAL_IP --sport 20 -d $MY_FTP_CLIENT --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -p tcp -i $EXTERNAL_INTERFACE -s $MY_FTP_CLIENT --sport 1024:65535 -d $EXTERNAL_IP --dport 20 -m state --state ESTABLISHED -j ACCEPT done if [ $VERBOSE -gt 0 ]; then echo "firewall: Remote clients may access local FTP server" fi fi # # HTTP (80) - Accessing remote web sites as a client # if [ $HTTP_CLIENT -gt 0 ]; then iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP --sport $UNPRIVPORTS --dport 80 -s $EXTERNAL_IP -d $ANYWHERE -j ACCEPT iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED --sport 80 --dport $UNPRIVPORTS -s $ANYWHERE -d $EXTERNAL_IP -j ACCEPT if [ $MASQUERADING -gt 0 ]; then iptables -A FORWARD -p TCP -s $INTERNAL_NETWORK --sport $UNPRIVPORTS --dport 80 -j ACCEPT iptables -A FORWARD -p TCP -d $INTERNAL_NETWORK --sport 80 --dport $UNPRIVPORTS -j ACCEPT fi if [ $VERBOSE -gt 0 ]; then echo "firewall: Clients may access remote HTTP servers" fi fi # # HTTP (80) - Allowing remote access to a local web server # if [ $HTTP_SERVER -gt 0 ]; then for HTTP_CLIENT in ${MY_HTTP_CLIENTS}; do iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP --sport $UNPRIVPORTS --dport 80 -s $HTTP_CLIENT -d $EXTERNAL_IP -j ACCEPT iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED --sport 80 --dport $UNPRIVPORTS -s $EXTERNAL_IP -d $HTTP_CLIENT -j ACCEPT iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP --sport $UNPRIVPORTS --dport 8080 -s $HTTP_CLIENT -d $EXTERNAL_IP -j ACCEPT iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED --sport 8080 --dport $UNPRIVPORTS -s $EXTERNAL_IP -d $HTTP_CLIENT -j ACCEPT if [ $VERBOSE -gt 0 ]; then echo "firewall: Remote client ${HTTP_CLIENT} may access local HTTP server" fi done fi # # HTTPS (443) - Accessing remote web sites over SSL as a client # if [ $HTTPS_CLIENT -gt 0 ]; then iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP --sport $UNPRIVPORTS --dport 443 -s $EXTERNAL_IP -d $ANYWHERE -j ACCEPT iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED --sport 443 --dport $UNPRIVPORTS -s $ANYWHERE -d $EXTERNAL_IP -j ACCEPT if [ $MASQUERADING -gt 0 ]; then iptables -A FORWARD -p TCP -s $INTERNAL_NETWORK --sport $UNPRIVPORTS --dport 443 -j ACCEPT iptables -A FORWARD -m state --state ESTABLISHED,RELATED -p TCP -d $INTERNAL_NETWORK --sport 443 --dport $UNPRIVPORTS -j ACCEPT fi if [ $VERBOSE -gt 0 ]; then echo "firewall: Clients may access remote HTTPS servers" fi fi # # HTTPS (443) - Allowing remote access to a local SSL web server # if [ $HTTPS_SERVER -gt 0 ]; then for HTTPS_CLIENT in ${MY_HTTPS_CLIENTS}; do iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP --sport $UNPRIVPORTS --dport 443 -s $HTTPS_CLIENT -d $EXTERNAL_IP -j ACCEPT iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED --sport 443 --dport $UNPRIVPORTS -s $EXTERNAL_IP -d $HTTPS_CLIENT -j ACCEPT if [ $VERBOSE -gt 0 ]; then echo "firewall: Remote client ${HTTPS_CLIENT} may access local HTTPS server" fi done fi # # HTTP Proxy Client (8008/8080) # if [ $HTTP_PROXY -gt 0 ]; then iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP --sport $UNPRIVPORTS --dport $WEB_PROXY_PORT -s $EXTERNAL_IP -d $WEB_PROXY_SERVER -j ACCEPT iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED --sport $WEB_PROXY_PORT --dport $UNPRIVPORTS -s $WEB_PROXY_SERVER -d $EXTERNAL_IP -j ACCEPT if [ $MASQUERADING -gt 0 ]; then iptables -A FORWARD -p TCP -s $INTERNAL_NETWORK --sport $UNPRIVPORTS --dport $WEB_PROXY_PORT -j ACCEPT iptables -A FORWARD -m state --state ESTABLISHED,RELATED -p TCP -d $INTERNAL_NETWORK --sport $WEB_PROXY_PORT --dport $UNPRIVPORTS -j ACCEPT fi if [ $VERBOSE -gt 0 ]; then echo "firewall: Clients may access remote sites via HTTP Proxy Server" fi fi # # FINGER (79) - Accessing remote finger servers as a client # if [ $FINGER_CLIENT -gt 0 ]; then iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP --sport $UNPRIVPORTS --dport 79 -s $EXTERNAL_IP -d $ANYWHERE -j ACCEPT iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED --sport 79 --dport $UNPRIVPORTS -s $ANYWHERE -d $EXTERNAL_IP -j ACCEPT if [ $MASQUERADING -gt 0 ]; then iptables -A FORWARD -p TCP -s $INTERNAL_NETWORK --sport $UNPRIVPORTS --dport 79 -j ACCEPT iptables -A FORWARD -m state --state ESTABLISHED,RELATED -p TCP -d $INTERNAL_NETWORK --sport 79 --dport $UNPRIVPORTS -j ACCEPT fi if [ $VERBOSE -gt 0 ]; then echo "firewall: Clients may access remote FINGER servers" fi fi # # FINGER (79) - Allowing remote client access to a local finger server (dangerous!) # if [ $FINGER_SERVER -gt 0 ]; then for FINGER_CLIENT in ${MY_FINGER_CLIENTS}; do iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP --sport $UNPRIVPORTS --dport 79 -s $FINGER_CLIENT -d $EXTERNAL_IP -j ACCEPT iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED --sport 79 --dport $UNPRIVPORTS -s $EXTERNAL_IP -d $FINGER_CLIENT -j ACCEPT if [ $VERBOSE -gt 0 ]; then echo "firewall: Remote client ${FINGER_CLIENT} may access local FINGER server" fi done fi # # WHOIS (43) - Accessing a remote WHOIS server as a client # if [ $WHOIS_CLIENT -gt 0 ]; then iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP --sport $UNPRIVPORTS --dport 43 -s $EXTERNAL_IP -d $ANYWHERE -j ACCEPT iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED --sport 43 --dport $UNPRIVPORTS -s $ANYWHERE -d $EXTERNAL_IP -j ACCEPT if [ $MASQUERADING -gt 0 ]; then iptables -A FORWARD -p TCP -s $INTERNAL_NETWORK --sport $UNPRIVPORTS --dport 43 -j ACCEPT iptables -A FORWARD -m state --state ESTABLISHED,RELATED -p TCP -d $INTERNAL_NETWORK --sport 43 --dport $UNPRIVPORTS -j ACCEPT fi if [ $VERBOSE -gt 0 ]; then echo "firewall: Clients may access remote WHOIS servers" fi fi # # GOPHER (70) - Accessing a remote GOPHER server as a client # if [ $GOPHER_CLIENT -gt 0 ]; then iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP --sport $UNPRIVPORTS --dport 70 -s $EXTERNAL_IP -d $ANYWHERE -j ACCEPT iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED --sport 70 --dport $UNPRIVPORTS -s $ANYWHERE -d $EXTERNAL_IP -j ACCEPT if [ $MASQUERADING -gt 0 ]; then iptables -A FORWARD -p TCP -s $INTERNAL_NETWORK --sport $UNPRIVPORTS --dport 70 -j ACCEPT iptables -A FORWARD -m state --state ESTABLISHED,RELATED -p TCP -d $INTERNAL_NETWORK --sport 70 --dport $UNPRIVPORTS -j ACCEPT fi if [ $VERBOSE -gt 0 ]; then echo "firewall: Clients may access remote GOPHER servers" fi fi # # WAIS (210) - Accessing a remote WAIS server as a client # if [ $WAIS_CLIENT -gt 0 ]; then iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP --sport $UNPRIVPORTS --dport 210 -s $EXTERNAL_IP -d $ANYWHERE -j ACCEPT iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED --sport 210 --dport $UNPRIVPORTS -s $ANYWHERE -d $EXTERNAL_IP -j ACCEPT if [ $MASQUERADING -gt 0 ]; then iptables -A FORWARD -p TCP -s $INTERNAL_NETWORK --sport $UNPRIVPORTS --dport 210 -j ACCEPT iptables -A FORWARD -m state --state ESTABLISHED,RELATED -p TCP -d $INTERNAL_NETWORK --sport 210 --dport $UNPRIVPORTS -j ACCEPT fi if [ $VERBOSE -gt 0 ]; then echo "firewall: Clients may access remote WAIS servers" fi fi # # Real Video (554) - Real Video Client # if [ $RV_CLIENT -gt 0 ]; then iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP --sport $UNPRIVPORTS --dport 554 -s $EXTERNAL_IP -d $ANYWHERE -j ACCEPT iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP --sport 554 -s $ANYWHERE -d $EXTERNAL_IP -j ACCEPT if [ $MASQUERADING -gt 0 ]; then iptables -A FORWARD -p TCP -s $INTERNAL_NETWORK --sport $UNPRIVPORTS --dport 554 -j ACCEPT iptables -A FORWARD -m state --state ESTABLISHED,RELATED -p TCP -d $INTERNAL_NETWORK --sport 554 --dport $UNPRIVPORTS -j ACCEPT fi if [ $VERBOSE -gt 0 ]; then echo "firewall: Real Video client enabled" fi fi # # PPTP (1723) - Accessing PPTP servers as a client # if [ $PPTP_CLIENT -gt 0 ]; then iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP --sport $UNPRIVPORTS --dport 1723 -s $EXTERNAL_IP -d $ANYWHERE -j ACCEPT iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP --sport 1723 --dport $UNPRIVPORTS -s $ANYWHERE -d $EXTERNAL_IP -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -i $EXTERNAL_INTERFACE -p 47 -m state --state NEW -j DROP iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p 47 -m state --state NEW -j DROP iptables -A INPUT -i $EXTERNAL_INTERFACE -p 47 -j ACCEPT iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p 47 -j ACCEPT if [ $MASQUERADING -gt 0 ]; then iptables -A INPUT -i $INTERNAL_INTERFACE -p 47 -m state --state NEW -j DROP iptables -A OUTPUT -o $INTERNAL_INTERFACE -p 47 -m state --state NEW -j DROP iptables -A INPUT -i $INTERNAL_INTERFACE -p 47 -j ACCEPT iptables -A OUTPUT -o $INTERNAL_INTERFACE -p 47 -j ACCEPT iptables -A FORWARD -p TCP -s $INTERNAL_NETWORK --sport $UNPRIVPORTS --dport 1723 -j ACCEPT iptables -A FORWARD -p TCP -d $INTERNAL_NETWORK -m state --state ESTABLISHED,RELATED --sport 1723 --dport $UNPRIVPORTS -j ACCEPT iptables -A FORWARD -p 47 -s $INTERNAL_NETWORK -j ACCEPT iptables -A FORWARD -p 47 -d $INTERNAL_NETWORK -j ACCEPT fi if [ $VERBOSE -gt 0 ]; then echo "firewall: Clients may access remote PPTP servers" fi fi # # UDP - Accept only on selected ports # # # TRACEROUTE # # Traceroute usually uses -s 32769:65535 -d 33434:33523 # if [ $OUTBOUND_TRACEROUTE -gt 0 ]; then # Enable outgoing TRACEROUTE requests iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p UDP --sport $TRACEROUTE_SRC_PORTS --dport $TRACEROUTE_DEST_PORTS -s $EXTERNAL_IP -d $ANYWHERE -j ACCEPT if [ $MASQUERADING -gt 0 ]; then iptables -A FORWARD -p UDP -s $INTERNAL_NETWORK --sport $TRACEROUTE_SRC_PORTS --dport $TRACEROUTE_DEST_PORTS -j ACCEPT iptables -A FORWARD -p UDP -d $INTERNAL_NETWORK --sport $TRACEROUTE_DEST_PORTS --dport $TRACEROUTE_SRC_PORTS -j ACCEPT fi if [ $VERBOSE -gt 0 ]; then echo "firewall: Outbound TRACEROUTE enabled" fi fi if [ $INBOUND_TRACEROUTE -gt 0 ]; then # Enable incoming TRACEROUTE query iptables -A INPUT -i $EXTERNAL_INTERFACE -p UDP --sport $TRACEROUTE_SRC_PORTS --dport $TRACEROUTE_DEST_PORTS -s $ANYWHERE -d $EXTERNAL_IP -j ACCEPT if [ $MASQUERADING -gt 0 ]; then iptables -A FORWARD -p UDP -d $INTERNAL_NETWORK --sport $TRACEROUTE_SRC_PORTS --dport $TRACEROUTE_DEST_PORTS -j ACCEPT fi if [ $VERBOSE -gt 0 ]; then echo "firewall: Inbound TRACEROUTE enabled" fi fi # # DHCP Server # # This assumes that you're running a DHCP server on your firewall to # supply IP addresses to your internal network using dhcpd. See any # of several DHCP HowTo sites for the actual server setup. # if [ $DHCP_SERVER -gt 0 ]; then iptables -A INPUT -i $INTERNAL_INTERFACE -p udp -s $BROADCAST_SRC -d $BROADCAST_DEST --sport 67:68 --dport 67:68 -j ACCEPT iptables -A OUTPUT -o $INTERNAL_INTERFACE -p udp -s $INTERNAL_IP --sport 67:68 --dport 67:68 -j ACCEPT iptables -A FORWARD -p udp -s $INTERNAL_NETWORK --sport 67:68 --dport 67:68 -j ACCEPT iptables -A FORWARD -p udp -d $INTERNAL_NETWORK --sport 67:68 --dport 67:68 -j ACCEPT if [ $VERBOSE -gt 0 ]; then echo "firewall: DHCP Server enabled" fi fi # # NTP (123) - Accessing remote Network Time Servers # if [ $NTP_CLIENT -gt 0 ]; then iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p UDP --sport $UNPRIVPORTS --dport 123 -s $EXTERNAL_IP -d $ANYWHERE -j ACCEPT iptables -A INPUT -i $EXTERNAL_INTERFACE -p UDP --sport 123 --dport $UNPRIVPORTS -s $ANYWHERE -d $EXTERNAL_IP -j ACCEPT iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p UDP --sport 123 --dport 123 -s $EXTERNAL_IP -d $ANYWHERE -j ACCEPT iptables -A INPUT -i $EXTERNAL_INTERFACE -p UDP --sport 123 --dport 123 -s $ANYWHERE -d $EXTERNAL_IP -j ACCEPT if [ $MASQUERADING -gt 0 ]; then iptables -A FORWARD -p UDP -s $INTERNAL_NETWORK --sport $UNPRIVPORTS --dport 123 -j ACCEPT iptables -A FORWARD -p UDP -d $INTERNAL_NETWORK --sport 123 --dport $UNPRIVPORTS -j ACCEPT iptables -A FORWARD -p UDP -s $INTERNAL_NETWORK --sport 123 --dport 123 -j ACCEPT iptables -A FORWARD -p UDP -d $INTERNAL_NETWORK --sport 123 --dport 123 -j ACCEPT fi if [ $VERBOSE -gt 0 ]; then echo "firewall: NTP Client enabled" fi fi # # ICQ (4000) - The Miribilis ICQ Client # if [ $ICQ_CLIENT -gt 0 ]; then iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p UDP --sport $UNPRIVPORTS --dport 4000 -s $EXTERNAL_IP -d $ANYWHERE -j ACCEPT iptables -A INPUT -i $EXTERNAL_INTERFACE -p UDP --sport 4000 --dport $UNPRIVPORTS -s $ANYWHERE -d $EXTERNAL_IP -j ACCEPT if [ $MASQUERADING -gt 0 ]; then iptables -A FORWARD -p UDP -s $INTERNAL_NETWORK --sport $UNPRIVPORTS --dport 4000 -j ACCEPT iptables -A FORWARD -p UDP -d $INTERNAL_NETWORK --sport 4000 --dport $UNPRIVPORTS -j ACCEPT fi if [ $VERBOSE -gt 0 ]; then echo "firewall: ICQ Client enabled" fi fi # # GAMES # # # Game Consoles - XBox 360, PS2, Wii, etc. - these talk to outside servers and need essentially # unfettered access. This essentially allows everything out from their internal # IP addresses, and allows ESTABLISHED, RELATED packets in. Multicast may also # be necessary. # You may also need to consider using the linux-igd package. # You may also need to open specific ports via: # /etc/firewall/firewall.nat: # XBox Live: UDP 88, 3074 and TCP 3074 if [ $CONSOLE -gt 0 ]; then strlen=${#CONSOLE_IPs} if [ "$strlen" -gt 0 ]; then for CONSOLE_IP in ${CONSOLE_IPs}; do # Outbound iptables -A FORWARD -p TCP -s $CONSOLE_IP -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A FORWARD -p UDP -s $CONSOLE_IP -m state --state NEW,ESTABLISHED -j ACCEPT # Inbound iptables -A FORWARD -p TCP -d $CONSOLE_IP -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A FORWARD -p UDP -d $CONSOLE_IP -m state --state ESTABLISHED,RELATED -j ACCEPT echo "firewall: Game console at "$CONSOLE_IP" given full access." done fi fi # # Half-Life/CounterStrike # if [ $HALF_LIFE -gt 0 ]; then iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p UDP --sport 27000:27050 --dport $UNPRIVPORTS -s $EXTERNAL_IP -d $ANYWHERE -j ACCEPT iptables -A INPUT -i $EXTERNAL_INTERFACE -p UDP -m state --state RELATED,ESTABLISHED,NEW --dport 27000:27050 -s $ANYWHERE -d $EXTERNAL_IP -j ACCEPT if [ $MASQUERADING -gt 0 ]; then iptables -A FORWARD -p UDP -s $INTERNAL_NETWORK --sport 27000:27050 --dport $UNPRIVPORTS -j ACCEPT iptables -A FORWARD -p UDP -d $INTERNAL_NETWORK -m state --state RELATED,ESTABLISHED,NEW --dport 27000:27050 -j ACCEPT fi if [ $VERBOSE -gt 0 ]; then echo "firewall: Half-Life/CounterStrike game ports enabled" fi fi # # Return to Castle Wolfenstein # if [ $WOLF_CLIENT -gt 0 ]; then iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p UDP --sport $UNPRIVPORTS --dport 27950:27965 -s $EXTERNAL_IP -d $ANYWHERE -j ACCEPT iptables -A INPUT -i $EXTERNAL_INTERFACE -p UDP --sport 27950:27965 --dport $UNPRIVPORTS -s $ANYWHERE -d $EXTERNAL_IP -j ACCEPT if [ $MASQUERADING -gt 0 ]; then iptables -A FORWARD -p UDP -s $INTERNAL_NETWORK --sport $UNPRIVPORTS --dport 27950:27965 -j ACCEPT iptables -A FORWARD -p UDP -d $INTERNAL_NETWORK --sport 27950:27965 --dport $UNPRIVPORTS -j ACCEPT fi if [ $VERBOSE -gt 0 ]; then echo "firewall: Castle Wolfenstein game ports enabled" fi fi # ------------------------------------------------------------- # # Spoofing and Bad Addresses # # Refuse spoofed packets. # Ignore blatantly illegal source addresses. # Protect yourself from sending to bad addresses. # Refuse spoofed packets pretending to be from # the external interface's IP address. iptables -A INPUT -i $EXTERNAL_INTERFACE -s $EXTERNAL_IP -j LnD # Get first two octets of external IP address OCT1=$( ifconfig $EXTERNAL_INTERFACE | sed -n '2s/^.*inet addr:([0-9][0-9]*).*/1/p' ) OCT2=$( ifconfig $EXTERNAL_INTERFACE | sed -n '2s/^.*inet addr:([0-9][0-9]*.[0-9][0-9]*).*/1/p' ) OCT3=$( echo $OCT2 | sed 's/^[0-9]..//g' ) if [ $OCT1 != "10" ]; then # Refuse packets claiming to be to or from a Class-A private network. iptables -A INPUT -i $EXTERNAL_INTERFACE -s $CLASS_A -j LnD iptables -A INPUT -i $EXTERNAL_INTERFACE -d $CLASS_A -j LnD iptables -A OUTPUT -o $EXTERNAL_INTERFACE -s $CLASS_A -j LnD iptables -A OUTPUT -o $EXTERNAL_INTERFACE -d $CLASS_A -j LnD fi if [ $OCT1 != "172" ]; then # Refuse packets claiming to be to or from a Class-B private network. iptables -A INPUT -i $EXTERNAL_INTERFACE -s $CLASS_B -j LnD iptables -A INPUT -i $EXTERNAL_INTERFACE -d $CLASS_B -j LnD iptables -A OUTPUT -o $EXTERNAL_INTERFACE -s $CLASS_B -j LnD iptables -A OUTPUT -o $EXTERNAL_INTERFACE -d $CLASS_B -j LnD fi if [ $OCT1 = "172" ]; then if [ $OCT3 -lt "15" ] || [ $OCT3 -gt "31" ]; then # Refuse packets claiming to be to or from a Class-B private network. iptables -A INPUT -i $EXTERNAL_INTERFACE -s $CLASS_B -j LnD iptables -A INPUT -i $EXTERNAL_INTERFACE -d $CLASS_B -j LnD iptables -A OUTPUT -o $EXTERNAL_INTERFACE -s $CLASS_B -j LnD iptables -A OUTPUT -o $EXTERNAL_INTERFACE -d $CLASS_B -j LnD fi fi if [ $OCT2 != "192.168" ]; then # Refuse packets claiming to be to or from a Class-C private network. iptables -A INPUT -i $EXTERNAL_INTERFACE -s $CLASS_C -j LnD iptables -A INPUT -i $EXTERNAL_INTERFACE -d $CLASS_C -j LnD iptables -A OUTPUT -o $EXTERNAL_INTERFACE -s $CLASS_C -j LnD iptables -A OUTPUT -o $EXTERNAL_INTERFACE -d $CLASS_C -j LnD fi # Refuse packets claiming to be from the loopback. iptables -A INPUT -i $EXTERNAL_INTERFACE -s $LOOPBACK_NETWORK -j LnD iptables -A OUTPUT -o $EXTERNAL_INTERFACE -s $LOOPBACK_NETWORK -j LnD # Refuse malformed broadcast packets. iptables -A INPUT -i $EXTERNAL_INTERFACE -s $BROADCAST_DEST -j LnD iptables -A INPUT -i $EXTERNAL_INTERFACE -d $BROADCAST_SRC -j LnD iptables -A OUTPUT -o $EXTERNAL_INTERFACE -s $BROADCAST_DEST -j LnD iptables -A OUTPUT -o $EXTERNAL_INTERFACE -d $BROADCAST_SRC -j LnD # Refuse Class-D Multicast addresses. # Multicast is only illegal as a source address. # Multicast uses UDP. # Game consoles accessing outside servers likely require multicast to be enabled. if [ $CONSOLE -eq 0 ]; then iptables -A INPUT -i $EXTERNAL_INTERFACE -s $CLASS_D_MULTICAST -j LnD iptables -A OUTPUT -o $EXTERNAL_INTERFACE -s $CLASS_D_MULTICAST -j LnR fi # Refuse Class-E reserved IP addresses. iptables -A INPUT -i $EXTERNAL_INTERFACE -s $CLASS_E_RESERVED_NET -j LnD iptables -A OUTPUT -o $EXTERNAL_INTERFACE -d $CLASS_E_RESERVED_NET -j LnR # ------------------------------------------------------------- # # DROP (on input), REJECT (output) and LOG anything else on the external (red) interface # iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP -s $ANYWHERE -j LnD iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP -s $ANYWHERE -j LnR iptables -A INPUT -i $EXTERNAL_INTERFACE -p UDP -s $ANYWHERE -j LnD iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p UDP -s $ANYWHERE -j LnR iptables -A INPUT -i $EXTERNAL_INTERFACE -p ICMP -s $ANYWHERE -j LnD iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p ICMP -s $ANYWHERE -j LnR # # Masquerade internal traffic # if [ $MASQUERADING -gt 0 ]; then # All internal traffic is masqueraded externally iptables -t nat -A POSTROUTING -s $INTERNAL_NETWORK -o $EXTERNAL_INTERFACE -j SNAT --to $EXTERNAL_IP # Note: some may find this works better on machines with non-static # external IP addresses: # iptables -t nat -A POSTROUTING -o ethX -j MASQUERADE # Enable IP Forwarding echo 1 >/proc/sys/net/ipv4/ip_forward # # Unlimited traffic within the local network # # All internal machines have access to the firewall machine iptables -A INPUT -i $INTERNAL_INTERFACE -s $INTERNAL_NETWORK -j ACCEPT iptables -A OUTPUT -o $INTERNAL_INTERFACE -d $INTERNAL_NETWORK -j ACCEPT if [ $VERBOSE -gt 0 ]; then echo "firewall: Masquerading internal network" fi fi # ------------------------------------------------------------- # Zero counts iptables -Z # ------------------------------------------------------------- echo "done" touch /var/lock/subsys/firewall echo ;; status) if [ -f /var/lock/subsys/firewall ]; then echo "Firewall started and configured" else echo "Firewall stopped" fi exit 0 ;; restart|reload) $0 stop $0 start ;; stop) echo "Shutting down Firewall services" # Turn off IP Forwarding echo 0 >/proc/sys/net/ipv4/ip_forward # Turn off dynamic IP hacking echo 0 > /proc/sys/net/ipv4/ip_dynaddr # Flush the rule chains iptables -F # Delete custom chains iptables -X # Zero counts iptables -Z # Set the default policy to DROP iptables -P INPUT DROP iptables -P OUTPUT DROP iptables -P FORWARD DROP # Allow unlimited traffic on the loopback interface iptables -A INPUT -i $LOOPBACK_INTERFACE -j ACCEPT iptables -A OUTPUT -o $LOOPBACK_INTERFACE -j ACCEPT # Open the configuration file if [ -f /etc/firewall/firewall.conf.iptables ]; then . /etc/firewall/firewall.conf.iptables if [ $MASQUERADING -gt 0 ]; then # Allow unlimited local traffic on the internal interface iptables -A INPUT -i $INTERNAL_INTERFACE -j ACCEPT iptables -A OUTPUT -o $INTERNAL_INTERFACE -j ACCEPT fi else echo "firewall: No configuration file found at /etc/firewall/firewall.conf.iptables" exit 1 fi rm -f /var/lock/subsys/firewall echo ;; *) echo "Usage: /etc/rc.d/init.d/firewall.iptables {start|stop|status|restart|reload}" exit 1 esac exit 0 https://itservice-bg.net Адрес на коментара Сподели в други сайтове More sharing options...
Recommended Posts
Създайте нов акаунт или се впишете, за да коментирате
За да коментирате, трябва да имате регистрация
Създайте акаунт
Присъединете се към нашата общност. Регистрацията става бързо!
Регистрация на нов акаунтВход
Имате акаунт? Впишете се оттук.
Вписване