-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathrc.firewall
executable file
·215 lines (162 loc) · 8.63 KB
/
rc.firewall
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
#!/bin/bash
# humla specifics goes here for example. or somewhere else ;-)
# saloxin sub comotion krav
# set -x
echo "$0 kicking in - local config :-)"
iptables -F
iptables -t mangle -F
iptables -t nat -F
iptables -P FORWARD DROP
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/conf/all/proxy_arp
modprobe ip_conntrack hashsize=4096
iptables -I INPUT -i eth3 -j ACCEPT
iptables -I INPUT -i eth3 -j ACCEPT
# do not route from/to bogons
iptables -A FORWARD -d 192.168.0.0/16 -j ULOG --ulog-prefix 'BOGON: ' --ulog-qthreshold 10
iptables -A FORWARD -d 172.16.0.0/16 -j ULOG --ulog-prefix 'BOGON: ' --ulog-qthreshold 10
iptables -A FORWARD -d 172.16.0.0/16 -j REJECT
iptables -A FORWARD -d 192.168.0.0/16 -j REJECT
iptables -A FORWARD -s 192.168.0.0/16 -j ULOG --ulog-prefix 'BOGON: ' --ulog-qthreshold 10
iptables -A FORWARD -s 172.16.0.0/16 -j ULOG --ulog-prefix 'BOGON: ' --ulog-qthreshold 10
iptables -A FORWARD -s 172.16.0.0/16 -j REJECT
iptables -A FORWARD -s 192.168.0.0/16 -j REJECT
# nat and port forwarding
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
# vestbredden outgoing
iptables --table nat --append POSTROUTING --out-interface eth1.15 -j MASQUERADE
iptables --table nat --append POSTROUTING --out-interface eth1.15 -j SNAT --to-source 10.5.0.252
# allow established and related incoming
iptables -A FORWARD -p all -i eth1.15 -m state --state ESTABLISHED,RELATED -j ACCEPT
# allow all interfaces to establish new connections out through eth1.15
iptables -A FORWARD -p all ! -i eth1.15 -o eth1.15 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p all ! -i eth1.15 -o eth1.15 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# VNC
#iptables -A FORWARD -p 5901 -d 10.10.3.81 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#iptables -A FORWARD -p 5900 -d 10.10.3.81 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#bang exceptional interfaces
iptables -I FORWARD -o eth3 -j ACCEPT
iptables -I INPUT -i eth2 -j ACCEPT
# allow established and related incoming
iptables -A FORWARD -p all -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# allow all interfaces to establish new connections out through eth0
iptables -A FORWARD -p all ! -i eth0 -o eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# bang exception eth3 outgoing
iptables -A FORWARD -p all ! -i eth3 -o eth3 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# allow eth3 to do anything - humla supernett!
iptables -A FORWARD -i eth1.3 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -o eth1.3 -m state --state ESTABLISHED,RELATED -j ACCEPT
# iptables -A FORWARD -i eth1 -o eth1.3 -m state --state ESTABLISHED,RELATED -j ACCEPT
# drop dhcp requests and answers from crossing interfaces
iptables -A FORWARD -p udp --dport 68 -j ULOG --ulog-prefix 'DHCP xrossing: '
iptables -A FORWARD -p udp --dport 67:68 --sport 67:68 -j DROP
# microseft lan tjenester - til internett
iptables -A FORWARD -o eth0 -p tcp --dport 137:138 -j REJECT
iptables -A FORWARD -o eth0 -p udp --dport 137:138 -j REJECT
# interne addresser skal ikke krysse eth0
iptables -A FORWARD -o eth0 -d 10.10.0.0/255.255.0.0 -j REJECT
iptables -A FORWARD -i eth0 -s 10.10.0.0/255.255.0.0 -j REJECT
# vestbredden!
#iptables -A FORWARD -o eth0 -d 10.5.0.0/255.255.0.0 -j REJECT
#iptables -A FORWARD -i eth0 -s 10.5.0.0/255.255.0.0 -j REJECT
iptables -A FORWARD -d 10.5.0.0/24 -j ACCEPT
# tillatt trafikk fra og til vulcano
iptables -A FORWARD -s 10.10.10.86 -j ACCEPT
iptables -A FORWARD -d 10.10.10.86 -j ACCEPT
iptables -A FORWARD -s 10.10.3.86 -j ACCEPT
iptables -A FORWARD -d 10.10.3.86 -j ACCEPT
# samba! ports 135 137 138 139 445 and..
iptables -I INPUT 1 -p udp --dport 3544 -m state --state NEW -s 10.10.3.0/24 -j ACCEPT
iptables -I INPUT 1 -p udp --dport 3544 -m state --state NEW -s 10.10.10.0/24 -j ACCEPT
iptables -I INPUT 1 -p udp --dport 3544 -m state --state NEW -s 10.10.42.0/24 -j ACCEPT
iptables -I INPUT 1 -p tcp --dport 3544 -m state --state NEW -s 10.10.3.0/24 -j ACCEPT
iptables -I INPUT 1 -p tcp --dport 3544 -m state --state NEW -s 10.10.10.0/24 -j ACCEPT
iptables -I INPUT 1 -p tcp --dport 3544 -m state --state NEW -s 10.10.42.0/24 -j ACCEPT
# ping for pokker
iptables -A FORWARD -p icmp -j ACCEPT
# http
iptables -A FORWARD -p tcp --dport 80 -j ACCEPT
# stygg port
iptables -A FORWARD -p udp --dport 666 -j DROP
# log the rest - (use "dmesg" to see logs. syslog doesn't catch them)
iptables -A FORWARD -j ULOG --ulog-prefix "DROP: " --ulog-cprange 100 --ulog-qthreshold 10
# and reject them
iptables -A FORWARD -p tcp -j REJECT --reject-with tcp-reset
iptables -A FORWARD -p all -j REJECT
# traffic shaping setup - htb
# /usr/sbin/wondershaper
wunder=/usr/local/sbin/wshaper.htb
if [ -x $wunder ]
then
echo -n "wunder shaper..."
#$wunder
echo "wunder shaped."
else
echo "no wunder shaper"
fi
## set hash size as well
## grub.con: ip_conntrack.hashsize=$HASHSIZE were $HASHSIZE=~81707
#iptables -A INPUT -i eth0 -p tcp --sport 67 -j REJECT
#iptables -A INPUT -i eth0 -p udp --sport 67 -j REJECT
# port forwarding destination nat
# iptables -t nat -A PREROUTING -p tcp -i eth0 -d 10.0.0.12 --dport 8888 -j DNAT --to 10.10.10.10
#iptables -A PREROUTING -t nat -p tcp -d 10.0.0.12 --dport 2222 -m state --state NEW,ESTABLISHED,RELATED -j DNAT --to 10.0.0.4:22
#
#iptables -A PREROUTING -t nat -p tcp -d 10.0.0.12 --dport 4242 -m state --state NEW,ESTABLISHED,RELATED -j DNAT --to 10.10.42.201:22
# ssh .. must .. work
# changed these from class 1:15
#iptables -A POSTROUTING -t mangle -o eth1 -p tcp -m tos --tos 0x10 --dport 22 -j CLASSIFY --set-class 1:10
iptables -A POSTROUTING -t mangle -o eth0 -p tcp -m tos --tos 0x10 --sport 22 -j CLASSIFY --set-class 1:10
iptables -A POSTROUTING -t mangle -o eth0 -p tcp --sport 22 -j CLASSIFY --set-class 1:10
# port 80. dunno if the rules in /usr/local/sbin/wshaper.htb are working.. must investigate
iptables -A POSTROUTING -t mangle -o eth0 -p tcp --dport 80 -j CLASSIFY --set-class 1:10
# port 443
iptables -A POSTROUTING -t mangle -o eth0 -p tcp --dport 443 -j CLASSIFY --set-class 1:10
if [ -f /lib/xtables/libipt_ipp2p.so ]
then
echo ipp2p installed
# from deb http://puga.vdu.lt/debian sarge main ||| apt-get.org
## DROP p2p. A little drastic!
#iptables -A FORWARD -i eth1 -m ipp2p --edk --kazaa --gnu --dc --ipp2p --bit --apple --winmx --soul --ares -j DROP
#iptables -A FORWARD -i eth1 -m ipp2p --ipp2p -j DROP
## shape p2p down to lowest class
iptables -A FORWARD -i eth1 -m ipp2p --edk --kazaa --gnu --dc --ipp2p --bit --apple --winmx --soul --ares -j CLASSIFY --set-class 1:30
iptables -t mangle -A PREROUTING -p tcp -j CONNMARK --restore-mark
iptables -t mangle -A PREROUTING -p tcp -m mark ! --mark 0 -j ACCEPT
iptables -t mangle -A PREROUTING -m ipp2p --ipp2p -j MARK --set-mark 1
# same shit as --ipp2p
# iptables -t mangle -A PREROUTING -m ipp2p --edk --kazaa --gnu --dc --bit --apple --winmx --soul --ares -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -p tcp -m mark --mark 1 -j CONNMARK --save-mark
iptables -t mangle -A POSTROUTING -o eth0 -m mark --mark 1 -j CLASSIFY --set-class 1:30
# iptables -t mangle -A POSTROUTING -o eth1 -m mark --mark 1 -j CLASSIFY --set-class 2:12
else
echo ipp2p not installed
fi
# rtscp for streaming, shaped up a little
iptables -A POSTROUTING -t mangle -o eth0 -p tcp --dport 554 -j CLASSIFY --set-class 1:20
iptables -A POSTROUTING -t mangle -o eth0 -p tcp --sport 554 -j CLASSIFY --set-class 1:20
# iptables -A FORWARD -p tcp --dport 554 -j REJECT
# spammers through the humla accesspoint?
iptables -A FORWARD -s 10.10.3.156 -p tcp --dport 465 -j DROP
iptables -A FORWARD -s 10.10.3.156 -p tcp --dport 25 -j DROP
# harald.haus.mania is sending shitloads of SMTP
iptables -A FORWARD -s 10.10.10.173 -p tcp --dport 465 -j DROP
iptables -A FORWARD -s 10.10.10.173 -p tcp --dport 25 -j DROP
# shaping / banning examples
# only slowing a host down
#iptables -t mangle -A POSTROUTING -o eth0 -s 10.10.10.179 -m mark --mark 1 -j CLASSIFY --set-class 1:30
# restricting a host to known ports
# iptables -A FORWARD -i eth1 -s 10.10.10.179 -p tcp --dport ! 80:1024 -j REJECT
# iptables -A FORWARD -i eth1 -s 10.10.10.179 -p udp --dport ! 80:1000 -j REJECT
# banning a host
# iptables -A FORWARD -i eth1 -s 10.10.10.179 -p tcp -j REJECT
# iptables -A FORWARD -i eth1 -s 10.10.10.179 -p udp -j REJECT
# # ukjent .ru host...
iptables -A FORWARD -d 194.67.68.100 -j REJECT
# classify up kontoret
iptables -A POSTROUTING -t mangle -o eth0 -p tcp --src 10.10.2.0/24 -j CLASSIFY --set-class 1:10
# welcum page whitelist.
# sets up a default-shitlist
#you won't get splashed if you're on /var/local/maclist
#/usr/local/sbin/splash
# default ACCEPT, if u didn't get shitlisted!