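#!/bin/bash
# Router firewall (iptables), init-style: firewall {start|stop|restart|status}
# by FRLinux
# revision : v0.3
# 30/03/2004 - v0.1 : script created
# 06/04/2004 - v0.2 : port corrections
# 14/04/2004 - v0.3 : ipv6 & bittorrent support
#
# No 'set -e' on purpose: start() installs DROP policies before its ACCEPT
# rules, and aborting halfway would leave the host locked out.

# --- configuration ---------------------------------------------------------
# INTERFACE_LOCALE : your LAN network card
readonly INTERFACE_LOCALE="eth0"
# INTERFACE_INTERNET : the interface connecting you to the internet
readonly INTERFACE_INTERNET="ppp0"
# LAN network, and this gateway's address on it
readonly RESEAU_LOCAL="192.168.0.0/24"
readonly ADRESSE_LOCALE="192.168.0.254"
# LAN address of your Quake server, if you have one.  Earlier revisions set
# this variable to 192.168.0.1 but never used it and hard-coded 192.168.0.101
# in the DNAT rule; the rule's value is kept as the effective one — adjust it.
readonly SERVEUR_QUAKE="192.168.0.101"
readonly PORT_QUAKE="27960"
readonly LOCK_FILE="/var/lock/firewall"

#######################################
# Accepts NEW/ESTABLISHED connections to one service port of this host.
# Arguments: $1 - input interface, $2 - protocol (tcp|udp), $3 - dest port
#######################################
allow_in() {
  local iface=$1 proto=$2 port=$3
  iptables -A INPUT -i "${iface}" -m state --state NEW,ESTABLISHED \
    -p "${proto}" --dport "${port}" -j ACCEPT
}

#######################################
# Accepts connections from this host to one remote service port.
# Arguments: $1 - output interface, $2 - protocol (tcp|udp), $3 - dest port
#######################################
allow_out() {
  local iface=$1 proto=$2 port=$3
  iptables -A OUTPUT -o "${iface}" -p "${proto}" --dport "${port}" -j ACCEPT
}

#######################################
# Loads the netfilter modules and installs the full rule set.
# Globals:  INTERFACE_LOCALE, INTERFACE_INTERNET, RESEAU_LOCAL,
#           ADRESSE_LOCALE, SERVEUR_QUAKE, PORT_QUAKE, LOCK_FILE (read)
# Outputs:  progress message on stdout; creates LOCK_FILE
#######################################
start() {
  echo -n "Demarrage du firewall routeur : "

  # Enable ipv4 forwarding between the two interfaces
  echo 1 > /proc/sys/net/ipv4/ip_forward

  modprobe ip_tables
  modprobe ip_nat_ftp
  modprobe ip_nat_irc
  modprobe iptable_filter
  modprobe iptable_mangle
  modprobe iptable_nat

  # Clean slate in the filter AND nat tables, so that running start twice
  # does not append duplicate MASQUERADE / DNAT rules.
  iptables -F
  iptables -X
  iptables -t nat -F
  iptables -t nat -X

  # Chains giving dropped / accepted packets a recognisable prefix in
  # /var/log/messages
  iptables -N LOG_DROP
  iptables -A LOG_DROP -j LOG --log-prefix '[IPTABLES DROP] : '
  iptables -A LOG_DROP -j DROP
  iptables -N LOG_ACCEPT
  iptables -A LOG_ACCEPT -j LOG --log-prefix '[IPTABLES ACCEPT] : '
  iptables -A LOG_ACCEPT -j ACCEPT

  # Default policy: drop everything, then open only what is needed
  iptables -P INPUT DROP
  iptables -P OUTPUT DROP
  iptables -P FORWARD DROP

  # Loopback
  iptables -A INPUT -i lo -j ACCEPT
  iptables -A OUTPUT -o lo -j ACCEPT

  # Stateful rules first: replies to connections already accepted, plus
  # RELATED traffic (ICMP errors, ftp/irc helper connections).  Earlier
  # revisions matched replies statelessly by source port (--sport 22, 80,
  # 6881 ...), which let in any remote packet carrying that source port;
  # connection tracking makes those rules unnecessary.
  iptables -A INPUT -i "${INTERFACE_INTERNET}" -m state \
    --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A OUTPUT -o "${INTERFACE_INTERNET}" -m state \
    --state ESTABLISHED,RELATED -j ACCEPT

  # icmp (ping)
  iptables -A INPUT -i "${INTERFACE_INTERNET}" -p icmp -j ACCEPT
  iptables -A OUTPUT -o "${INTERFACE_INTERNET}" -p icmp -j ACCEPT
  iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

  # ipv6 tunnels (protocol 41) arriving on the internet interface
  iptables -A INPUT -i "${INTERFACE_INTERNET}" -p 41 -j ACCEPT

  # Outgoing traffic from this host towards the internet: anything sourced
  # from the LAN range, plus the listed services
  iptables -A OUTPUT -o "${INTERFACE_INTERNET}" -s "${RESEAU_LOCAL}" -j ACCEPT
  allow_out "${INTERFACE_INTERNET}" tcp 25    # smtp
  allow_out "${INTERFACE_INTERNET}" tcp 53    # dns
  allow_out "${INTERFACE_INTERNET}" udp 53
  allow_out "${INTERFACE_INTERNET}" tcp 80    # http
  allow_out "${INTERFACE_INTERNET}" udp 123   # ntp
  allow_out "${INTERFACE_INTERNET}" tcp 443   # https (v0.2 used 993 here)
  allow_out "${INTERFACE_INTERNET}" tcp 993   # imap ssl

  # Only the gateway's own LAN address may send towards the LAN
  iptables -A OUTPUT -o "${INTERFACE_LOCALE}" -s "${ADRESSE_LOCALE}" -j ACCEPT

  # Services offered to the LAN (and replies to connections the gateway
  # opens towards LAN hosts, e.g. ssh)
  iptables -A INPUT -i "${INTERFACE_LOCALE}" -m state \
    --state ESTABLISHED,RELATED -j ACCEPT
  allow_in "${INTERFACE_LOCALE}" tcp 22    # ssh
  allow_in "${INTERFACE_LOCALE}" tcp 25    # smtp
  allow_in "${INTERFACE_LOCALE}" tcp 53    # dns tcp
  allow_in "${INTERFACE_LOCALE}" udp 53    # dns udp
  allow_in "${INTERFACE_LOCALE}" tcp 80    # http
  allow_in "${INTERFACE_LOCALE}" tcp 123   # ntp
  allow_in "${INTERFACE_LOCALE}" tcp 443   # https
  allow_in "${INTERFACE_LOCALE}" tcp 993   # imap-ssl

  # Services exposed to the internet (most are deliberately commented out;
  # open only what this host really serves to the outside)
  # allow_in "${INTERFACE_INTERNET}" tcp 22    # ssh
  # allow_in "${INTERFACE_INTERNET}" tcp 25    # smtp
  allow_in "${INTERFACE_INTERNET}" tcp 53      # dns tcp (public DNS server)
  allow_in "${INTERFACE_INTERNET}" udp 53      # dns udp
  allow_in "${INTERFACE_INTERNET}" tcp 80      # http
  # allow_in "${INTERFACE_INTERNET}" tcp 443   # https
  allow_in "${INTERFACE_INTERNET}" tcp 6881    # bittorrent
  allow_in "${INTERFACE_INTERNET}" udp 6881

  # Forwarding between the LAN and the internet, both directions, with NAT
  # for the LAN range.  Unsolicited inbound traffic only reaches the LAN
  # through the explicit DNAT below.
  iptables -A FORWARD -i "${INTERFACE_LOCALE}" -o "${INTERFACE_INTERNET}" \
    -j ACCEPT
  iptables -A FORWARD -i "${INTERFACE_INTERNET}" -o "${INTERFACE_LOCALE}" \
    -j ACCEPT
  iptables -t nat -A POSTROUTING -s "${RESEAU_LOCAL}" -j MASQUERADE

  # Redirect incoming Quake traffic to the LAN Quake server
  iptables -t nat -A PREROUTING -i "${INTERFACE_INTERNET}" -p udp \
    --dport "${PORT_QUAKE}" -j DNAT --to "${SERVEUR_QUAKE}:${PORT_QUAKE}"

  # Log, then drop, everything that matched nothing above
  iptables -A FORWARD -j LOG_DROP
  iptables -A INPUT -j LOG_DROP
  iptables -A OUTPUT -j LOG_DROP

  echo " [Fini.]"
  touch "${LOCK_FILE}"
  echo
}

#######################################
# Flushes every rule and resets all policies to ACCEPT.
# Globals:  LOCK_FILE (read)
# Outputs:  progress message on stdout; removes LOCK_FILE
#######################################
stop() {
  echo -n "Nettoie les regles IPtable : "
  iptables -P INPUT ACCEPT
  iptables -P FORWARD ACCEPT
  iptables -P OUTPUT ACCEPT
  iptables -t nat -P PREROUTING ACCEPT
  iptables -t nat -P POSTROUTING ACCEPT
  iptables -t nat -P OUTPUT ACCEPT
  iptables -F
  iptables -t nat -F
  iptables -X
  iptables -t nat -X
  # Without MASQUERADE the LAN cannot reach the internet anyway, so stop
  # forwarding instead of relaying private-source packets under ACCEPT
  # policies; start() turns it back on.
  echo 0 > /proc/sys/net/ipv4/ip_forward
  echo " [Fini.]"
  rm -f "${LOCK_FILE}"
  echo
}

# Dispatch.  RETVAL is the script's exit status; earlier revisions wrote
# 'RETVAL=?' (the literal character) and exited without it.
RETVAL=0
case "$1" in
  start)
    start
    RETVAL=$?
    ;;
  stop)
    stop
    RETVAL=$?
    ;;
  restart)
    stop
    start
    RETVAL=$?
    ;;
  status)
    # -n: no reverse DNS lookups while listing
    iptables -L -n
    iptables -t nat -L -n
    RETVAL=$?
    ;;
  *)
    echo "Usage: firewall {start|stop|restart|status}"
    RETVAL=1
    ;;
esac
exit "${RETVAL}"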