2 # Filename: /etc/init.d/firewall
3 # Purpose: simple [example] configuration script for iptables
4 # Authors: grml-team (grml.org), (c) Michael Prokop <mika@grml.org>
5 # Bug-Reports: see http://grml.org/bugs/
6 # License: This file is licensed under the GPL v2.
7 # Latest change: Don Jul 20 09:53:31 CEST 2006 [mika]
8 ################################################################################
14 if [ -r /etc/grml/lsb-functions ] ; then
15 source /etc/grml/lsb-functions
22 # IFACE=$(ifconfig -a | awk '/^ppp/ {print $1}')
23 # IPADDR=$(ifconfig "$IFACE" | awk -F: /"inet addr"/'{print $2}' | gawk '{print $1}')
24 # NETMASK=$(ifconfig "$IFACE" | awk -F: /"Mask"/'{print $4}' | gawk '{print $1}')
25 # BROADCAST=$(ifconfig "$IFACE" | awk -F: /"inet"/'{print $3}' | gawk '{print $1}')
26 # LOOPBACK='127.0.0.0/8'
28 ###################################################################################
31 einfo "Starting firewall."
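# NOTE(review): only iptables (IPv4) is driven by this script.  No ip6tables
# rules are visible here, so IPv6 traffic on the host is not filtered by it;
# add an equivalent ip6tables policy (or disable IPv6) where that matters.

# Fail closed if the iptables path is missing.  IPTABLES is expected to be
# assigned near the top of this file (TODO confirm); were it empty, every rule
# line below would silently degrade to "command not found" and the host would
# be left without any policy right after "Starting firewall." was printed.
if [ -z "$IPTABLES" ] ; then
  echo "$0: IPTABLES is not set, refusing to start without a firewall." >&2
  exit 1
fi

# Default policy for the built-in chains is DROP.  It is set *before* the
# table is flushed so that a restart (stop leaves the policies at ACCEPT)
# never passes through an accept-everything window.
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

# Start from an empty filter table: flush all rules and delete user-defined
# chains, so a second "start" neither fails on "-N" (chain already exists)
# nor appends a duplicate copy of every rule.
$IPTABLES -t filter -F
$IPTABLES -t filter -X

# Replies to connections this host opened, and traffic conntrack marks as
# related to them, are always let in.
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Unrestricted traffic on the loopback interface.
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT

# SYN-flood protection: every new SYN passes through the syn-flood chain and
# is handed back (RETURN) while the rate stays within 5/s, burst 10; anything
# above that is rejected.
# Caveat: REJECT answers each excess SYN with an ICMP error (the default
# reject type), so a flood from spoofed sources turns this host into a small
# reflector.  DROP is the quieter choice if that is a concern.
$IPTABLES -N syn-flood
$IPTABLES -A INPUT -p tcp --syn -j syn-flood
$IPTABLES -A syn-flood -m limit --limit 5/s --limit-burst 10 -j RETURN
$IPTABLES -A syn-flood -j REJECT

# A TCP packet that conntrack classifies as NEW must be a SYN; anything else
# (stray ACK/FIN/XMAS probes) is dropped.
$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

# Refuse packets addressed to the broadcast address.
# $IPTABLES -A INPUT -d $BROADCAST -j DROP
# Note: source 0.0.0.0 to the limited broadcast is also what DHCP clients on
# the segment send while they have no address yet; harmless to drop unless
# this box is meant to be their DHCP server.
$IPTABLES -A INPUT -s 0.0.0.0 -d 255.255.255.255 -j DROP

# AUTH server: reject ident probes with a TCP reset.
# Useful for a broken mailhost that will not accept mail if its ident probe
# is merely dropped (it then waits for the timeout instead).
# $IPTABLES -A INPUT -i $IFACE -p tcp --dport 113 -j REJECT --reject-with tcp-reset

# Allow *all* output - simplifies life and keeps load low ;-)
# This is a blanket ACCEPT: nothing appended to OUTPUT after this line
# (including the OUTPUTLOG chain further down) is ever reached.
$IPTABLES -A OUTPUT -j ACCEPT

# Example for NAT/MASQUERADE (eth0: lan; eth1: to ppp0; ppp0: external).
# Forwarding has to be switched on as well, either at runtime ...
# echo 1 > /proc/sys/net/ipv4/ip_forward
# ... or persistently:
# put 'ip_forward=yes' to /etc/network/options
# $IPTABLES -A INPUT -i eth1 -s 192.168.0.2 -d 192.168.0.1 -j ACCEPT
# $IPTABLES -A INPUT -i eth1 -s 192.168.0.150 -d 192.168.0.1 -j ACCEPT
# $IPTABLES -t nat -A POSTROUTING -s 192.168.0.0/24 -o ppp0 -j MASQUERADE
# $IPTABLES -A FORWARD -i eth1 -o ppp0 -s 192.168.0.0/24 -d $IP_OF_ETH1 -j ACCEPT
# $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# $IPTABLES -A FORWARD -i ppp0 -o eth1 -d $IP_OF_PPP0 -j ACCEPT
# $IPTABLES -A FORWARD -j LOG --log-prefix "$LOGID ERROR in FORWARD: "
# $IPTABLES -A FORWARD -j DROP

# Example for Source Network Address Translation (SNAT) to a fixed address ...
# $IPTABLES -t nat -A POSTROUTING -o ppp0 -j SNAT --to $PPPIP
# ... or MASQUERADE when the external address changes:
# $IPTABLES -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

# Example for Destination NAT (DNAT):
# $IPTABLES -t nat -A PREROUTING -d 10.0.0.1 -j DNAT --to-destination 192.168.0.1
# $IPTABLES -t nat -A PREROUTING -d 10.0.0.2 -j DNAT --to-destination 192.168.0.2

# Services reachable from outside: ssh, from *any* source.  Narrow this with
# "-s <admin-net>" (or put ssh behind a VPN) on anything but a lab box.
$IPTABLES -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT

# Everything not accepted above is logged (rate-limited to 1/s, burst 5, so a
# scan cannot fill the logs) and rejected.  Packets beyond the log limit fall
# through to the DROP policy of the built-in chain.
# The OUTPUTLOG chain hangs off OUTPUT, not INPUT: attached to INPUT it would
# log the packets over the INPUTLOG limit a second time with "...-OUT"
# prefixes and REJECT them instead of letting the DROP policy handle them.
# On OUTPUT it is only reached if the blanket "-A OUTPUT -j ACCEPT" above is
# removed.
$IPTABLES -N INPUTLOG
$IPTABLES -N OUTPUTLOG
$IPTABLES -A INPUT -m limit --limit 1/second --limit-burst 5 -j INPUTLOG
$IPTABLES -A OUTPUT -m limit --limit 1/second --limit-burst 5 -j OUTPUTLOG

# Any udp not already allowed is logged and then rejected.
$IPTABLES -A INPUTLOG -p udp -j LOG --log-prefix "IPTABLES UDP-IN: "
$IPTABLES -A INPUTLOG -p udp -j REJECT
$IPTABLES -A OUTPUTLOG -p udp -j LOG --log-prefix "IPTABLES UDP-OUT: "
$IPTABLES -A OUTPUTLOG -p udp -j REJECT
# Any icmp not already allowed is logged and then rejected.
$IPTABLES -A INPUTLOG -p icmp -j LOG --log-prefix "IPTABLES ICMP-IN: "
$IPTABLES -A INPUTLOG -p icmp -j REJECT
$IPTABLES -A OUTPUTLOG -p icmp -j LOG --log-prefix "IPTABLES ICMP-OUT: "
$IPTABLES -A OUTPUTLOG -p icmp -j REJECT
# Any tcp not already allowed is logged and then rejected.
$IPTABLES -A INPUTLOG -p tcp -j LOG --log-prefix "IPTABLES TCP-IN: "
$IPTABLES -A INPUTLOG -p tcp -j REJECT
$IPTABLES -A OUTPUTLOG -p tcp -j LOG --log-prefix "IPTABLES TCP-OUT: "
$IPTABLES -A OUTPUTLOG -p tcp -j REJECT
# Any other protocol is logged and rejected as well.  The default policy
# would drop it anyway... but let's be paranoid (and keep a log line).
$IPTABLES -A INPUTLOG -j LOG --log-prefix "IPTABLES PROTOCOL-X-IN: "
$IPTABLES -A INPUTLOG -j REJECT
$IPTABLES -A OUTPUTLOG -j LOG --log-prefix "IPTABLES PROTOCOL-X-OUT: "
$IPTABLES -A OUTPUTLOG -j REJECT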
130 ###################################################################################
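einfo "Shutting down Firewall."
# Remove every rule this script (or its NAT examples) may have installed.
# The tables are flushed while the policies are still whatever "start" left
# (DROP), so the host is never briefly open with half a ruleset.  The nat
# table is flushed too: leaving MASQUERADE/DNAT rules behind would keep
# rewriting traffic while the filter policies are wide open.  User-defined
# chains are deleted (-X) so the next "start" can recreate them with "-N"
# without "chain already exists" errors.
$IPTABLES -t mangle -F
$IPTABLES -t filter -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -X
$IPTABLES -t filter -X
$IPTABLES -t nat -X
# Built-in chains back to ACCEPT.  FORWARD becomes ACCEPT as well: with
# ip_forward enabled this box then routes everything it is handed.
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT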
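einfo "Setting Firewall to modus panic."
# Policies go to DROP *first*: if the firewall had been stopped (policies
# ACCEPT), flushing before the policy change would briefly leave the host
# wide open.
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
# Then drop every rule - including loopback and ESTABLISHED - so nothing
# passes until "start" is run again.  The nat table is flushed so no
# DNAT/MASQUERADE rewriting survives, and user-defined chains are deleted
# so "start" can recreate them without errors.
$IPTABLES -t mangle -F
$IPTABLES -t filter -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -X
$IPTABLES -t filter -X
$IPTABLES -t nat -X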
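# Status/analyse report header: who is running this, with which iptables,
# on what host state.  The version is taken from $IPTABLES (the binary the
# rules above are installed with) rather than whatever "iptables" resolves
# to in PATH, so the report cannot name a different binary than the one in
# use.
echo "------------------------------------------------------------------------------------"
echo "Program: $0 $(date)"
echo "PID: $$ grml-team [mika] (c) 2004++"
echo "$($IPTABLES --version)"
echo "Identity: whoami: $(whoami)"
echo " groups: $(groups)"
echo "Uptime: $(uptime)"
echo "------------------------------------------------------------------------------------"
echo "------------------------------------------------------------------------------------"
echo "------------------------------------------------------------------------------------"
echo "------------------------------------------------------------------------------------"
echo "------------------------------------------------------------------------------------"
# Each command is echoed before its output so the report is self-describing.
echo "# $IPTABLES -L -n -v"
echo "------------------------------------------------------------------------------------"
echo 'for i in /proc/sys/net/*/*; do echo -n "$i: " ; cat $i; done 2>/dev/null'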
193 for i in /proc/sys/net/*/*; do
197 echo "------------------------------------------------------------------------------------"
198 echo "# lsmod | grep '^ip'"
# Unknown or missing action: print the accepted actions and the script name.
printf 'Usage: %s [start|stop|restart|panic|status|analyse]\n' "$0"
212 ## END OF FILE #################################################################