# Filename: /etc/init.d/firewall
# Purpose: simple [example] configuration script for iptables
# Authors: grml-team (grml.org), (c) Michael Prokop <mika@grml.org>
# Bug-Reports: see http://grml.org/bugs/
# License: This file is licensed under the GPL v2.
# Latest change: Don Jul 20 09:53:31 CEST 2006 [mika]
################################################################################
# Required-Start: $remote_fs $network
# Required-Stop: $remote_fs $network
# Default-Start: S 2 3 4 5
21 if [ -r /etc/grml/lsb-functions ] ; then
22 source /etc/grml/lsb-functions
# IFACE=$(ifconfig -a | awk '/^ppp/ {print $1}')
# IPADDR=$(ifconfig "$IFACE" | awk -F: /"inet addr"/'{print $2}' | gawk '{print $1}')
# NETMASK=$(ifconfig "$IFACE" | awk -F: /"Mask"/'{print $4}' | gawk '{print $1}')
# BROADCAST=$(ifconfig "$IFACE" | awk -F: /"inet"/'{print $3}' | gawk '{print $1}')
# LOOPBACK='127.0.0.0/8'
###################################################################################
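einfo "Starting firewall."

# NOTE(review): the lines directly above this point are not visible here.
# The "-N" chain creations below assume the chains syn-flood, INPUTLOG and
# OUTPUTLOG do not exist yet, so a flush/delete of the previous rule set
# (-F / -X) is expected to have run before this point -- confirm.

# Fail closed: set the default policy of every built-in chain to DROP
# *before* any ACCEPT rule is added, so there is no window with an open policy.
"$IPTABLES" -P INPUT DROP
"$IPTABLES" -P OUTPUT DROP
"$IPTABLES" -P FORWARD DROP

# Allow replies to connections this host initiated, and related traffic.
"$IPTABLES" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow unlimited traffic on the loopback interface.
"$IPTABLES" -A INPUT -i lo -j ACCEPT
"$IPTABLES" -A OUTPUT -o lo -j ACCEPT

# SYN-flood protection: TCP connection attempts above 5/s (burst 10) are
# rejected inside the syn-flood chain instead of reaching the rest of INPUT.
"$IPTABLES" -N syn-flood
"$IPTABLES" -A INPUT -p tcp --syn -j syn-flood
"$IPTABLES" -A syn-flood -m limit --limit 5/s --limit-burst 10 -j RETURN
"$IPTABLES" -A syn-flood -j REJECT

# A NEW TCP connection must start with a SYN packet; anything else is a
# stray or crafted segment and is dropped.
"$IPTABLES" -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

# Refuse broadcast address packets (source 0.0.0.0 to the limited broadcast).
# $IPTABLES -A INPUT -d $BROADCAST -j DROP
"$IPTABLES" -A INPUT -s 0.0.0.0 -d 255.255.255.255 -j DROP

# AUTH server: Reject ident probes with a tcp reset.
# This may be useful for a broken mailhost that won't accept the
# mails if you just drop its ident probe.
# $IPTABLES -A INPUT -i $IFACE -p tcp --dport 113 -j REJECT --reject-with tcp-reset

# allow *all* output - simplifies life and keeps load low ;-)
# Note: this ACCEPT is appended before the OUTPUTLOG jump further down, so
# outbound traffic never reaches the logging chain while this rule is in place.
"$IPTABLES" -A OUTPUT -j ACCEPT

# example for NAT/MASQUERADE (eth0: lan; eth1: to ppp0; ppp0: external):
# echo 1 > /proc/sys/net/ipv4/ip_forward
# put 'ip_forward=yes' to /etc/network/options
# $IPTABLES -A INPUT -i eth1 -s 192.168.0.2 -d 192.168.0.1 -j ACCEPT
# $IPTABLES -A INPUT -i eth1 -s 192.168.0.150 -d 192.168.0.1 -j ACCEPT
# $IPTABLES -t nat -A POSTROUTING -s 192.168.0.0/24 -o ppp0 -j MASQUERADE
# $IPTABLES -A FORWARD -i eth1 -o ppp0 -s 192.168.0.0/24 -d $IP_OF_ETH1 -j ACCEPT
# $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# $IPTABLES -A FORWARD -i ppp0 -o eth1 -d $IP_OF_PPP0 -j ACCEPT
# $IPTABLES -A FORWARD -j LOG --log-prefix "$LOGID ERROR in FORWARD: "
# $IPTABLES -A FORWARD -j DROP

# example for Source Network Address Translation (SNAT):
# $IPTABLES -t nat -A POSTROUTING -o ppp0 -j SNAT --to $PPPIP
# $IPTABLES -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
# $IPTABLES -t nat -A PREROUTING -d 10.0.0.1 -j DNAT --to-destination 192.168.0.1
# $IPTABLES -t nat -A PREROUTING -d 10.0.0.2 -j DNAT --to-destination 192.168.0.2

# Allow incoming SSH (new connections only; the replies are covered by the
# ESTABLISHED,RELATED rule above).
"$IPTABLES" -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT

# Logging chains. The jumps are rate-limited so a flood cannot fill the logs;
# packets above the limit fall through to the default DROP policy unlogged.
"$IPTABLES" -N INPUTLOG
"$IPTABLES" -N OUTPUTLOG
"$IPTABLES" -A INPUT -m limit --limit 1/second --limit-burst 5 -j INPUTLOG
# Was "-A INPUT ... -j OUTPUTLOG": that hooked the *output* logging chain into
# INPUT, so inbound packets beyond the INPUTLOG rate limit were logged with
# "-OUT" prefixes and rejected a second time. OUTPUT is the correct chain.
"$IPTABLES" -A OUTPUT -m limit --limit 1/second --limit-burst 5 -j OUTPUTLOG

# Any udp not already allowed is logged and then rejected
# (REJECT rather than DROP: the sender receives an ICMP error).
"$IPTABLES" -A INPUTLOG -p udp -j LOG --log-prefix "IPTABLES UDP-IN: "
"$IPTABLES" -A INPUTLOG -p udp -j REJECT
"$IPTABLES" -A OUTPUTLOG -p udp -j LOG --log-prefix "IPTABLES UDP-OUT: "
"$IPTABLES" -A OUTPUTLOG -p udp -j REJECT
# Any icmp not already allowed is logged and then rejected.
"$IPTABLES" -A INPUTLOG -p icmp -j LOG --log-prefix "IPTABLES ICMP-IN: "
"$IPTABLES" -A INPUTLOG -p icmp -j REJECT
"$IPTABLES" -A OUTPUTLOG -p icmp -j LOG --log-prefix "IPTABLES ICMP-OUT: "
"$IPTABLES" -A OUTPUTLOG -p icmp -j REJECT
# Any tcp not already allowed is logged and then rejected.
"$IPTABLES" -A INPUTLOG -p tcp -j LOG --log-prefix "IPTABLES TCP-IN: "
"$IPTABLES" -A INPUTLOG -p tcp -j REJECT
"$IPTABLES" -A OUTPUTLOG -p tcp -j LOG --log-prefix "IPTABLES TCP-OUT: "
"$IPTABLES" -A OUTPUTLOG -p tcp -j REJECT
# Anything else not already allowed is logged and then rejected.
# It would be dropped by the default policy anyway... but let's be paranoid.
"$IPTABLES" -A INPUTLOG -j LOG --log-prefix "IPTABLES PROTOCOL-X-IN: "
"$IPTABLES" -A INPUTLOG -j REJECT
"$IPTABLES" -A OUTPUTLOG -j LOG --log-prefix "IPTABLES PROTOCOL-X-OUT: "
"$IPTABLES" -A OUTPUTLOG -j REJECT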
###################################################################################
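einfo "Shutting down Firewall."

# Remove every rule, then delete the (now empty) user-defined chains
# (syn-flood, INPUTLOG, OUTPUTLOG) so that a later "start" can recreate
# them with -N. The nat table is left untouched: the "start" section adds
# no nat rules, only commented examples.
"$IPTABLES" -t mangle -F
"$IPTABLES" -t mangle -X
"$IPTABLES" -t filter -F
"$IPTABLES" -t filter -X

# Open policies: with no rules left, all traffic is accepted.
"$IPTABLES" -P INPUT ACCEPT
"$IPTABLES" -P OUTPUT ACCEPT
"$IPTABLES" -P FORWARD ACCEPT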
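einfo "Setting Firewall to modus panic."

# Fail closed: switch every built-in policy to DROP *before* flushing, so
# there is no moment in which the chains are empty under an ACCEPT policy
# (e.g. when coming from the "stop" state).
"$IPTABLES" -P INPUT DROP
"$IPTABLES" -P OUTPUT DROP
"$IPTABLES" -P FORWARD DROP

# Drop all rules and the empty user-defined chains. Note that this also
# removes the loopback and ESTABLISHED,RELATED exceptions: after panic,
# existing connections (including the admin's SSH session) are cut.
"$IPTABLES" -t mangle -F
"$IPTABLES" -t mangle -X
"$IPTABLES" -t filter -F
"$IPTABLES" -t filter -X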
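echo "------------------------------------------------------------------------------------"
echo "Program: $0 $(date)"
echo "PID: $$ grml-team [mika] (c) 2004++"
# Report the version of the same binary the rules are installed with, not
# whichever "iptables" happens to come first in $PATH.
"$IPTABLES" --version
echo "Identity: whoami: $(whoami)"
echo " groups: $(groups)"
echo "Uptime: $(uptime)"
echo "------------------------------------------------------------------------------------"
echo "------------------------------------------------------------------------------------"
echo "------------------------------------------------------------------------------------"
echo "------------------------------------------------------------------------------------"
echo "------------------------------------------------------------------------------------"
# Print the command that produces the listing below, as a heading.
echo "# $IPTABLES -L -n -v"
echo "------------------------------------------------------------------------------------"
# Heading for the /proc/sys/net dump that follows (quoted: printed literally).
echo 'for i in /proc/sys/net/*/*; do echo -n "$i: " ; cat $i; done 2>/dev/null'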
200 for i in /proc/sys/net/*/*; do
# Separator plus the heading for the module listing that follows.
printf '%s\n' "------------------------------------------------------------------------------------"
printf '%s\n' "# lsmod | grep '^ip'"
# Usage line for an unknown action; $0 is the script path as invoked.
printf 'Usage: %s [start|stop|restart|panic|status|analyse]\n' "$0"
## END OF FILE #################################################################