Hi!
I'm having problems with forwarding with my new iptables shell script. All the
things works fine for me, except the forwarding of the machines in my LAN (I
think is something with the return of the packages).
Thanks everyone !!!
(sugestions are welcome !!)
BillieGDJoe
Here is the script (my lan class is 10.0.0.0/8):
#! /bin/sh
# Firewall Script v.0.2 - By BillieGDJoe (billiegdjoe at gmail.com)
# Created in 15/11/05
# Setting script variables:
# Finding the path of IPTables:
IPTABLES=`which iptables`
# Finding the path of echo:
ECHO=`which echo`
# Finding the path of whoami:
WHOAMI=`which whoami`
# List of TCP and UDP ports which have services running in localhost, like
SSHD and DNS:
ALLOW_TCP="22"
ALLOW_UDP="53"
# Our private network address with mask, like 192.168.0.0/24:
OUR_NETWORKS="10.0.0.0/8"
# Allow comunication with this ports from localhost, like DNS:
ALLOW_CONNECT_TCP="21 22"
ALLOW_CONNECT_UDP="53"
# Allowed TCP ports that could be forwarded (used) in our network:
LAN_TCP_PORT="21 22 25 80 110"
# Allowed UDP ports that could be forwarded (used) in our network:
LAN_UDP_PORT="53"
# Non-routeable networks (protection against IP Spoofing):
#NON_ROUTEABLE="192.168.0.0/16 127.0.0.0/8 172.16.0.0/12 10.0.0.0/8 0.0.0.0/8
169.254.0.0/16 192.0.2.0/24 255.255.255.255/32"
NON_ROUTEABLE=""
# Setting interfaces and their MAC addresses:
ETH_WAN="eth0"
ETH_LAN="eth1"
ETH_WAN_MAC="00:40:33:AA:9E:53"
ETH_LAN_MAC="00:40:F4:7C:95:07"
# Setting TCP and UDP PORT FORWARDING, like 6180:6180>192.168.0.3:
TCP_FORWARD=""
UDP_FORWARD=""
# Setting SSH Service to minimum delay, only if is true (only can be TRUE or
FALSE):
SSH_ACCESS="TRUE"
# All variables set up, initialising IPTables:
if [ `$WHOAMI` = "root" ]
then
case "$1" in
'start')
# Cleaning old rules:
for TABLES in filter nat mangle
do
$IPTABLES -t $TABLES -F
$IPTABLES -t $TABLES -Z
done
# Allowing interface loopback to have access to system:
$IPTABLES -A INPUT -i lo -j ACCEPT
# Setting filter polices to drop:
for TABLES in INPUT FORWARD OUTPUT
do
$IPTABLES -t filter -P $TABLES DROP
done
# Setting nat polices to drop:
for TABLES in PREROUTING POSTROUTING OUTPUT
do
$IPTABLES -t nat -P $TABLES DROP
done
# Setting mangle polices to drop:
for TABLES in INPUT PREROUTING POSTROUTING FORWARD OUTPUT
do
$IPTABLES -t mangle -P $TABLES DROP
done
# Enabling tcp forward in kernel:
$ECHO "1" >/proc/sys/net/ipv4/ip_forward
# Blocking packets coming from non-routeable networks:
if [ "$NON_ROUTEABLE" != "" ]
then
for NETWORKS in $NON_ROUTEABLE
do
${IPTABLES} -A INPUT -s $NETWORKS -i $ETH_WAN -j LOG --log-prefix="TRYING
TO FORGE A PRIVATE IP "
${IPTABLES} -A INPUT -s $NETWORKS -i $ETH_WAN -j REJECT
${IPTABLES} -A FORWARD -s $NETWORKS -i ETH_WAN -m mac --mac-source
$ETH_WAN_MAC -j REJECT
done
fi
# Setting SSH to minimize-delay:
if [ "$SSH_ACCESS" = "TRUE" ]
then
$IPTABLES -t mangle -A OUTPUT -o $ETH_WAN -p tcp --dport 22 -j TOS
--set-tos 16
$IPTABLES -t mangle -A PREROUTING -i $ETH_WAN -p tcp --sport 22 -j TOS
--set-tos 16
$IPTABLES -t mangle -A OUTPUT -o $ETH_LAN -p tcp --dport 22 -j TOS
--set-tos 16
$IPTABLES -t mangle -A PREROUTING -i $ETH_LAN -p tcp --sport 22 -j TOS
--set-tos 16
fi
# TOS (dns = 8, http = 4, ftp = 2):
$IPTABLES -t mangle -A PREROUTING -i $ETH_LAN -p udp --dport 53 -j TOS
--set-tos 8
$IPTABLES -t mangle -A PREROUTING -i $ETH_WAN -p udp --sport 53 -j TOS
--set-tos 8
$IPTABLES -t mangle -A POSTROUTING -o $ETH_WAN -p udp --dport 53 -j TOS
--set-tos 8
$IPTABLES -t mangle -A PREROUTING -i $ETH_LAN -p tcp --dport 80 -j TOS
--set-tos 4
$IPTABLES -t mangle -A PREROUTING -i $ETH_WAN -p tcp --sport 80 -j TOS
--set-tos 4
$IPTABLES -t mangle -A POSTROUTING -o $ETH_WAN -p tcp --dport 80 -j TOS
--set-tos 4
$IPTABLES -t mangle -A PREROUTING -i $ETH_LAN -p tcp --dport 21 -j TOS
--set-tos 2
$IPTABLES -t mangle -A PREROUTING -i $ETH_WAN -p tcp --sport 21 -j TOS
--set-tos 2
$IPTABLES -t mangle -A POSTROUTING -o $ETH_WAN -p tcp --dport 21 -j TOS
--set-tos 2
# Allowing ICMP (ping) packets, TCP and UDP ports:
$IPTABLES -t mangle -A PREROUTING -p icmp -j ACCEPT
$IPTABLES -t nat -A PREROUTING -p icmp -j ACCEPT
$IPTABLES -t mangle -A INPUT -p icmp -j ACCEPT
$IPTABLES -t filter -A INPUT -p icmp -j ACCEPT
$IPTABLES -t mangle -A OUTPUT -p icmp -j ACCEPT
$IPTABLES -t nat -A OUTPUT -p icmp -j ACCEPT
$IPTABLES -t filter -A OUTPUT -p icmp -j ACCEPT
$IPTABLES -t mangle -A POSTROUTING -p icmp -j ACCEPT
$IPTABLES -t nat -A POSTROUTING -p icmp -j ACCEPT
for PORTS in $ALLOW_CONNECT_TCP
do
$IPTABLES -t mangle -A PREROUTING -p tcp --sport $PORTS -j ACCEPT
$IPTABLES -t nat -A PREROUTING -p tcp --sport $PORTS -j ACCEPT
$IPTABLES -t mangle -A INPUT -p tcp --sport $PORTS -j ACCEPT
$IPTABLES -t filter -A INPUT -p tcp --sport $PORTS -j ACCEPT
$IPTABLES -t mangle -A OUTPUT -p tcp --sport $PORTS -j ACCEPT
$IPTABLES -t nat -A OUTPUT -p tcp --sport $PORTS -j ACCEPT
$IPTABLES -t filter -A OUTPUT -p tcp --sport $PORTS -j ACCEPT
$IPTABLES -t mangle -A POSTROUTING -p tcp --sport $PORTS -j ACCEPT
$IPTABLES -t nat -A POSTROUTING -p tcp --sport $PORTS -j ACCEPT
$IPTABLES -t mangle -A OUTPUT -p tcp --dport $PORTS -j ACCEPT
$IPTABLES -t nat -A OUTPUT -p tcp --dport $PORTS -j ACCEPT
$IPTABLES -t filter -A OUTPUT -p tcp --dport $PORTS -j ACCEPT
$IPTABLES -t mangle -A POSTROUTING -p tcp --dport $PORTS -j ACCEPT
$IPTABLES -t nat -A POSTROUTING -p tcp --dport $PORTS -j ACCEPT
done
for PORTS in $ALLOW_CONNECT_UDP
do
$IPTABLES -t mangle -A PREROUTING -p udp --sport $PORTS -j ACCEPT
$IPTABLES -t nat -A PREROUTING -p udp --sport $PORTS -j ACCEPT
$IPTABLES -t mangle -A INPUT -p udp --sport $PORTS -j ACCEPT
$IPTABLES -t filter -A INPUT -p udp --sport $PORTS -j ACCEPT
$IPTABLES -t mangle -A OUTPUT -p udp --sport $PORTS -j ACCEPT
$IPTABLES -t nat -A OUTPUT -p udp --sport $PORTS -j ACCEPT
$IPTABLES -t filter -A OUTPUT -p udp --sport $PORTS -j ACCEPT
$IPTABLES -t mangle -A POSTROUTING -p udp --sport $PORTS -j ACCEPT
$IPTABLES -t nat -A POSTROUTING -p udp --sport $PORTS -j ACCEPT
$IPTABLES -t mangle -A OUTPUT -p udp --dport $PORTS -j ACCEPT
$IPTABLES -t nat -A OUTPUT -p udp --dport $PORTS -j ACCEPT
$IPTABLES -t filter -A OUTPUT -p udp --dport $PORTS -j ACCEPT
$IPTABLES -t mangle -A POSTROUTING -p udp --dport $PORTS -j ACCEPT
$IPTABLES -t nat -A POSTROUTING -p udp --dport $PORTS -j ACCEPT
done
# Opening TCP ports:
if [ "$ALLOW_TCP" != "" ]
then
for PORT in $ALLOW_TCP
do
$IPTABLES -t mangle -A PREROUTING -p tcp --dport $PORT -j ACCEPT
$IPTABLES -t nat -A PREROUTING -p tcp --dport $PORT -j ACCEPT
$IPTABLES -t mangle -A INPUT -p tcp --dport $PORT -j ACCEPT
$IPTABLES -t filter -A INPUT -p tcp --dport $PORT -j ACCEPT
done
fi
# Opening UDP ports:
if [ "$ALLOW_UDP" != "" ]
then
for PORT in $ALLOW_UDP
do
$IPTABLES -t mangle -A PREROUTING -p udp --dport $PORT -j ACCEPT
$IPTABLES -t nat -A PREROUTING -p udp --dport $PORT -j ACCEPT
$IPTABLES -t mangle -A INPUT -p udp --dport $PORT -j ACCEPT
$IPTABLES -t filter -A INPUT -p udp --dport $PORT -j ACCEPT
done
fi
# Enabling our networks to communicate with world:
if [ "$OUR_NETWORKS" != "" ]
then
for NET in $OUR_NETWORKS
do
for PORT in $LAN_TCP_PORT
do
$IPTABLES -t mangle -A PREROUTING -s $NET -p tcp --dport $PORT -j ACCEPT
$IPTABLES -t nat -A PREROUTING -s $NET -p tcp --dport $PORT -j ACCEPT
$IPTABLES -t mangle -A FORWARD -s $NET -p tcp --dport $PORT -j ACCEPT
$IPTABLES -t filter -A FORWARD -s $NET -p tcp --dport $PORT -j ACCEPT
$IPTABLES -t mangle -A POSTROUTING -s $NET -p tcp --dport $PORT -j
ACCEPT
$IPTABLES -t nat -A POSTROUTING -s $NET -p tcp --dport $PORT -j ACCEPT
$IPTABLES -t mangle -A PREROUTING -d $NET -p tcp --sport $PORT -j ACCEPT
$IPTABLES -t nat -A PREROUTING -d $NET -p tcp --sport $PORT -j ACCEPT
$IPTABLES -t mangle -A FORWARD -d $NET -p tcp --sport $PORT -j ACCEPT
$IPTABLES -t filter -A FORWARD -d $NET -p tcp --sport $PORT -j ACCEPT
$IPTABLES -t mangle -A POSTROUTING -d $NET -p tcp --sport $PORT -j
ACCEPT
$IPTABLES -t nat -A POSTROUTING -d $NET -p tcp --sport $PORT -j ACCEPT
done
#for PORT in $LAN_UDP_PORT
#do
#done
# Now, accepting all packets with flag ESTABLISHED,RELATED (connections
already established or related):
$IPTABLES -t filter -A FORWARD -d $NET -m state --state
ESTABLISHED,RELATED -j ACCEPT
done
fi
# Setting TCP forward:
if [ "$TCP_FORWARD" != "" ]
then
for RULE in $TCP_FORWARD
do
echo "$RULE" | {
IFS=':>' read srcport destport host
$IPTABLES -t filter -A FORWARD -p tcp -d $host --dport $destport -i
$ETH_WAN -j ACCEPT
$IPTABLES -t nat -A PREROUTING -p tcp -i $ETH_WAN --dport $srcport -j
DNAT --to-destination $host:$destport
}
done
fi
# Setting UDP forward:
if [ "$UDP_FORWARD" != "" ]
then
for RULE in $UDP_FORWARD
do
echo "$RULE" | {
IFS=':>' read srcport destport host
$IPTABLES -t filter -A FORWARD -p udp -d $host --dport $destport -j
ACCEPT
$IPTABLES -t nat -A PREROUTING -p udp -i $ETH_WAN --dport $srcport -j
DNAT --to-destination $host:$destport
}
done
fi
;;
'stop')
# Cleaning old rules:
for TABLES in filter nat mangle
do
$IPTABLES -t $TABLES -F
done
# Allowing interface loopback to have access to system:
$IPTABLES -A INPUT -i lo -j ACCEPT
;;
'open')
# Opening firewall:
# Cleaning old rules:
for TABLES in filter nat mangle
do
$IPTABLES -t $TABLES -F
done
# Allowing interface loopback to have access to system:
$IPTABLES -A INPUT -i lo -j ACCEPT
# Setting filter polices:
for TABLES in INPUT FORWARD OUTPUT
do
$IPTABLES -t filter -P $TABLES ACCEPT
done
# Setting nat polices:
for TABLES in PREROUTING POSTROUTING OUTPUT
do
$IPTABLES -t nat -P $TABLES ACCEPT
done
# Setting mangle polices:
for TABLES in INPUT FORWARD OUTPUT PREROUTING POSTROUTING
do
$IPTABLES -t mangle -P $TABLES ACCEPT
done
;;
*)
$ECHO "usage $0 start|stop|open"
;;
esac
else
$ECHO "This script must be run as root!"
fi
