+++ /dev/null
-#!/bin/sh
-# Filename: /etc/init.d/firewall
-# Purpose: simple [example] configuration script for iptables
-# Authors: grml-team (grml.org), (c) Michael Prokop <mika@grml.org>
-# Bug-Reports: see http://grml.org/bugs/
-# License: This file is licensed under the GPL v2.
-# Latest change: Don Jul 20 09:53:31 CEST 2006 [mika]
-################################################################################
-### BEGIN INIT INFO
-# Provides: firewall
-# Required-Start: $remote_fs $network
-# Required-Stop: $remote_fs $network
-# Default-Start: S 2 3 4 5
-# Default-Stop:
-### END INIT INFO
-
- LANG=C
- LC_ALL=C
- IPTABLES="iptables"
-
- if [ -r /etc/grml/lsb-functions ] ; then
- source /etc/grml/lsb-functions
- else
- alias einfo='echo -n'
- alias eend='echo '
- fi
-
-# IFACE='eth0'
-# IFACE=$(ifconfig -a | awk '/^ppp/ {print $1}')
-# IPADDR=$(ifconfig "$IFACE" | awk -F: /"inet addr"/'{print $2}' | gawk '{print $1}')
-# NETMASK=$(ifconfig "$IFACE" | awk -F: /"Mask"/'{print $4}' | gawk '{print $1}')
-# BROADCAST=$(ifconfig "$IFACE" | awk -F: /"inet"/'{print $3}' | gawk '{print $1}')
-# LOOPBACK='127.0.0.0/8'
-
-###################################################################################
-startup(){
-
-einfo "Starting firewall."
-
-# Remove al chains
- $IPTABLES -F
- $IPTABLES -X
- $IPTABLES -Z
-
-# Set up a default policy for the built-in chains. -> DROP
- $IPTABLES -P INPUT DROP
- $IPTABLES -P OUTPUT DROP
- $IPTABLES -P FORWARD DROP
-
-# allow all already established connections
- $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-
-# Allow unlimited traffic on the loopback interface.
- $IPTABLES -A INPUT -i lo -j ACCEPT
- $IPTABLES -A OUTPUT -o lo -j ACCEPT
-
-# syn-flooding protection
- $IPTABLES -N syn-flood
- $IPTABLES -A INPUT -p tcp --syn -j syn-flood
- $IPTABLES -A syn-flood -m limit --limit 5/s --limit-burst 10 -j RETURN
- $IPTABLES -A syn-flood -j REJECT
-
-# Make sure, NEW TCP Connections are SYN packets
- $IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
-
-# Refuse broadcast address packets.
-# $IPTABLES -A INPUT -d $BROADCAST -j DROP
- $IPTABLES -A INPUT -s 0.0.0.0 -d 255.255.255.255 -j DROP
-
-# AUTH server: Reject ident probes with a tcp reset.
-# This may be useful for a broken mailhost that won't accept the
-# mails if you just drop its ident probe.
-# $IPTABLES -A INPUT -i $IFACE -p tcp --dport 113 -j REJECT --reject-with tcp-reset
-
-# allow *all* output - simplifies life and keeps load low ;-)
- $IPTABLES -A OUTPUT -j ACCEPT
-
-# example for NAT/MASQUERADE (eth0: lan; eth1: to ppp0; ppp0: external):
-#
-# echo 1 > /proc/sys/net/ipv4/ip_forward
-# or
-# put 'ip_forward=yes' to /etc/network/options
-#
-# $IPTABLES -A INPUT -i eth1 -s 192.168.0.2 -d 192.168.0.1 -j ACCEPT
-# $IPTABLES -A INPUT -i eth1 -s 192.168.0.150 -d 192.168.0.1 -j ACCEPT
-# $IPTABLES -t nat -A POSTROUTING -s 192.168.0.0/24 -o ppp0 -j MASQUERADE
-# $IPTABLES -A FORWARD -i eth1 -o ppp0 -s 192.168.0.0/24 -d $IP_OF_ETH1 -j ACCEPT
-# $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-# $IPTABLES -A FORWARD -i ppp0 -o eth1 -d $IP_OF_PPP0 -j ACCEPT
-# $IPTABLES -A FORWARD -j LOG --log-prefix "$LOGID ERROR in FORWARD: "
-# $IPTABLES -A FORWARD -j DROP
-
-# example for Source Network Address Translation (SNAT):
-# the strict way:
-# $IPTABLES -t nat -A POSTROUTING -o ppp0 -j SNAT --to $PPPIP
-# the liberal way:
-# $IPTABLES -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
-
-# example for DNAT:
-# $IPTABLES -t nat -A PREROUTING -d 10.0.0.1 -j DNAT --to-destination 192.168.0.1
-# $IPTABLES -t nat -A PREROUTING -d 10.0.0.2 -j DNAT --to-destination 192.168.0.2
-
-# allow ssh incoming
- $IPTABLES -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
-
-# create new chains
- $IPTABLES -N INPUTLOG
- $IPTABLES -N OUTPUTLOG
- $IPTABLES -A INPUT -m limit --limit 1/second --limit-burst 5 -j INPUTLOG
- $IPTABLES -A INPUT -m limit --limit 1/second --limit-burst 5 -j OUTPUTLOG
-
-# Any udp not already allowed is logged and then dropped.
- $IPTABLES -A INPUTLOG -p udp -j LOG --log-prefix "IPTABLES UDP-IN: "
- $IPTABLES -A INPUTLOG -p udp -j REJECT
- $IPTABLES -A OUTPUTLOG -p udp -j LOG --log-prefix "IPTABLES UDP-OUT: "
- $IPTABLES -A OUTPUTLOG -p udp -j REJECT
-# Any icmp not already allowed is logged and then dropped.
- $IPTABLES -A INPUTLOG -p icmp -j LOG --log-prefix "IPTABLES ICMP-IN: "
- $IPTABLES -A INPUTLOG -p icmp -j REJECT
- $IPTABLES -A OUTPUTLOG -p icmp -j LOG --log-prefix "IPTABLES ICMP-OUT: "
- $IPTABLES -A OUTPUTLOG -p icmp -j REJECT
-# Any tcp not already allowed is logged and then dropped.
- $IPTABLES -A INPUTLOG -p tcp -j LOG --log-prefix "IPTABLES TCP-IN: "
- $IPTABLES -A INPUTLOG -p tcp -j REJECT
- $IPTABLES -A OUTPUTLOG -p tcp -j LOG --log-prefix "IPTABLES TCP-OUT: "
- $IPTABLES -A OUTPUTLOG -p tcp -j REJECT
-# Anything else not already allowed is logged and then dropped.
-# It will be dropped by the default policy anyway... but let's be paranoid.
- $IPTABLES -A INPUTLOG -j LOG --log-prefix "IPTABLES PROTOCOL-X-IN: "
- $IPTABLES -A INPUTLOG -j REJECT
- $IPTABLES -A OUTPUTLOG -j LOG --log-prefix "IPTABLES PROTOCOL-X-OUT: "
- $IPTABLES -A OUTPUTLOG -j REJECT
-
-# end of script
- eend $?
-}
-###################################################################################
-
-case "$1" in
- stop)
- einfo "Shutting down Firewall."
- $IPTABLES -F
- $IPTABLES -t nat -F
- $IPTABLES -t mangle -F
- $IPTABLES -t filter -F
- $IPTABLES -P INPUT ACCEPT
- $IPTABLES -P OUTPUT ACCEPT
- $IPTABLES -P FORWARD ACCEPT
- $IPTABLES -X
- eend $?
- ;;
-
- panic)
- einfo "Setting Firewall to modus panic."
- $IPTABLES -F
- $IPTABLES -t nat -F
- $IPTABLES -t mangle -F
- $IPTABLES -t filter -F
- $IPTABLES -P INPUT DROP
- $IPTABLES -P OUTPUT DROP
- $IPTABLES -P FORWARD DROP
- $IPTABLES -X
- eend $?
- ;;
-
- status)
- $IPTABLES -L -n -v
- ;;
-
- restart)
- $0 stop
- $0 start
- ;;
-
- analyse)
- echo "------------------------------------------------------------------------------------"
- echo "Program: $0 $(date)"
- echo "PID: $$ grml-team [mika] (c) 2004++"
- echo "$(iptables --version)"
- echo "Identity: whoami: $(whoami)"
- echo " id: $(id)"
- echo " groups: $(groups)"
- echo "Uptime: $(uptime)"
- echo "------------------------------------------------------------------------------------"
- echo "$(vmstat)"
- echo "------------------------------------------------------------------------------------"
- echo "# ifconfig -a"
- ifconfig -a
- echo "------------------------------------------------------------------------------------"
- echo "# route -n"
- route -n
- echo "------------------------------------------------------------------------------------"
- echo "# ip a s"
- ip a s
- echo "------------------------------------------------------------------------------------"
- echo "# $IPTABLES -L -n -v"
- $IPTABLES -L -n -v
- echo "------------------------------------------------------------------------------------"
- echo 'for i in /proc/sys/net/*/*; do echo -n "$i: " ; cat $i; done 2>/dev/null'
- for i in /proc/sys/net/*/*; do
- echo -n "$i: "
- cat $i;
- done 2>/dev/null
- echo "------------------------------------------------------------------------------------"
- echo "# lsmod | grep '^ip'"
- lsmod | grep '^ip'
- ;;
-
- start)
- startup
- ;;
-
- *)
- echo "Usage: $0 [start|stop|restart|panic|status|analyse]";
- exit 1;
- ;;
-esac
-
-## END OF FILE #################################################################