---

#!/bin/bash
#
#
# some typical Security aspects that don't lie in firewall:
#
# - mailserver must be set up correctly (do NOT allow relay from outside).
# - squid/proxy server must be set up so that it can only be
# used from the inside->outside.
# - telnet is not a good idea - but if so - use strong passwords
# (/etc/shadow may be read protected - but always assume it gets
# into the hands of outside sources).
# - make sure that you always update and check ftp / bind / pop3/imap
# (goes for all servers - but these are especially prone to vul-
# nerabilities).

#####################
################## Configuration ###################
#####################

# TRUSTEDIFS - interfaces that are trusted not to contain black hats.
#
#
TRUSTEDIFS="eth2 eth3 lo"

# TRUSTEDHOSTS - which hosts do we explicitly trust (can connect
# to any port (and possibly route our internal nets).
#
# input-if:network
#
TRUSTEDHOSTS="ppp+:10.151.0.0/16
eth0:10.0.232.32/27
    "

# SPOOFEXCEPTIONS - the networks that are exempt from spoof checking
# it is neccesary that if you use one of the test
# networks then the net is named here!
#
# input-if:network
#
SPOOFEXCEPTIONS="ppp+:10.151.0.0/16
       eth0:10.0.232.32/27
    "

# FWPORTS - what ports are open on this box (the firewall)?
#
FWPORTS="tcp::auth
tcp::telnet
tcp::ssh
    tcp::65533
    tcp::65534
    tcp::65535
"

# ICMPTYPES - which ICMP types will we forward (and accept?)
#
ICMPTYPES="0 1 3 5 8"

# NATRULES - which networks do we nat (and to which interfaces...)
#
# outputif:network:ip-to-nat-to
#
NATRULES="eth0:192.168.1.0/24:193.12.234.25
    eth0:172.16.81.201/32:193.12.234.26
    eth0:172.16.81.202/32:193.12.234.26
    eth0:172.16.81.0/24:193.12.234.25
"

# NOCHANGE - exceptions to the transparent proxy rules.
#
NOCHANGE="0.0.0.0:195.197.133.116:80
172.16.81.1:22:0.0.0.0:25
   "

# TRANSPARENT_PROXY
#
# input-if:network:remote-port:proxy-port
#
TRANSPARENT_PROXY="
eth3:192.168.1.0/24:80:3128
eth3:192.168.1.0/24:8080:3128
eth3:192.168.1.0/24:3128:3128
eth3:192.168.1.0/24:25:25
eth3:172.16.81.0/24:80:3128
eth3:172.16.81.0/24:8080:3128
eth3:172.16.81.0/24:3128:3128
eth3:172.16.81.0/24:25:25"

# PORT_FORWARD
#
# input-if:input-ip:input-port:output-ip:output-port
#
# hmm - add to forward as well?
#
PORT_FORWARD="eth0:10.0.232.35:65535:172.16.81.201:23
    eth0:10.0.232.35:65534:172.16.81.202:23
    eth0:10.0.232.35:65533:172.16.81.202:22
    eth0:193.12.234.25:65535:172.16.81.201:23
    eth0:193.12.234.25:65534:172.16.81.202:23
    eth0:193.12.234.25:65533:172.16.81.202:22
eth0:193.12.234.26:20:172.16.81.202:20
    eth0:193.12.234.26:21:172.16.81.202:21
    eth0:193.12.234.26:22:172.16.81.202:22
    eth0:193.12.234.26:23:172.16.81.202:23
    eth0:193.12.234.26:540:172.16.81.202:540
    "

# INT_PORTS - connections that we will allow from the outside
# into hosts on our networks...
#
# protocol:allowed-hosts:port:local-host
#
INT_PORTS="tcp::telnet:172.16.81.201
    tcp::ftp:172.16.81.202
    tcp::uucp:172.16.81.202
    tcp::telnet:172.16.81.202
tcp::ssh:172.16.81.202
    tcp::uucp:172.16.81.202"

# Spoof nets - IETF test networks - these we won't route _unless_
# existing in SPOOFEXCEPTIONS
SPOOFNETS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

#
# Location of programs needed by script
#

IP=/sbin/ip
IPT=/sbin/iptables
MODPROBE=/sbin/modprobe
export IP IPT MODPROBE

# Set this to get some amount of debugging info
#
DEBUG_RULES=0
export DEBUG_RULES

############################################################################
### NO CHANGES BELOW HERE NEEDED (be carefull)
############################################################################
#
# Description of chains...
#
# trustif - trusted interfaces, no firewalling done on these
# except possibly transparent proxying.
# trusthosts - trusted hosts, like interfaces - but may specify
# hosts on any interface (beware spoofing).
# common - common rules applying to INPUT and FORWARD, things
# like making sure that NAT works as expected.
#


DEBUG() {
if [ $DEBUG_RULES -ge 1 ]; then
   echo $*
fi
}

if [ $DEBUG_RULES -ge 2 ]; then
do_iptables() {
echo $IPT_1 $*
$IPT_1 $*
}
IPT_1=$IPT
IPT=do_iptables
export IPT_1 IPT
fi

getarg() {
echo $1|cut -d':' -f$2
}


interfaces() {
$IP addr list|sed -n 's/^[0-9][0-9]*: \([^:]*\).*$/\1/p'
}

netof() {
$IP addr show dev $1|sed -n 's/.*inet \([^ ]*\).*/\1/p'
}

ipof() {
netof $1 | sed -n 's|\(.*\)/.*|\1|p'
}


$MODPROBE ip_conntrack_ftp
$MODPROBE ip_nat_ftp

#
#
#

# flush standard chains
DEBUG Flushing standard chains
#(
$IPT -F INPUT
$IPT -F OUTPUT
$IPT -F FORWARD
$IPT -t nat -F PREROUTING
$IPT -t nat -F OUTPUT
$IPT -t nat -F POSTROUTING
#) >/dev/null 2>&1

# flush and delete special chains
DEBUG Flushing and deleting special chains
#(
for CHAIN in common trustif trusthosts; do
   $IPT -F $CHAIN
   $IPT -X $CHAIN
done
for CHAIN in spoof; do
   $IPT -t nat -F $CHAIN
   $IPT -t nat -X $CHAIN
done
#) >/dev/null 2>&1

###
### chain trustif
### trusted interfaces
DEBUG "trustif"

$IPT -N trustif 2>/dev/null
$IPT -F trustif
RULE="$IPT -A trustif"
for IF in $TRUSTEDIFS; do
$RULE -j ACCEPT -i $IF
done

###
### chain trusthosts
### trusted hosts

### NOTE: we should scan our own interfaces here and add the IP's available
### pr. automagic (even if already covered in another rule!).
DEBUG "trusthosts"

$IPT -N trusthosts 2>/dev/null
$IPT -F trusthosts
RULE="$IPT -A trusthosts"
for DATA in $TRUSTEDHOSTS; do
IF=`getarg $DATA 1`
NET=`getarg $DATA 2`
$RULE -j ACCEPT -i $IF -s $NET
done
for IF in `interfaces`; do
for IPADDR in `ipof $IF`; do
   $RULE -j ACCEPT -i $IF -s $IPADDR
done
done

###
### chain common
### common rules for both INPUT and FORWARD
DEBUG "common"

$IPT -N common 2>/dev/null
$IPT -F common
RULE="$IPT -A common"
$RULE -j ACCEPT -m state --state ESTABLISHED,RELATED
$RULE -j DROP -m state --state INVALID
$RULE -j trustif
$RULE -j trusthosts

###
### chain spoof
### catch spoofed hosts immediatly
DEBUG "spoof"

$IPT -t nat -N spoof 2>/dev/null
$IPT -t nat -F spoof
RULE="$IPT -t nat -A spoof"
for DATA in $SPOOFEXCEPTIONS; do
IF=`getarg $DATA 1`
NET=`getarg $DATA 2`
$RULE -j RETURN -i $IF -s $NET
done
for NET in $SPOOFNETS; do
$RULE -j DROP -s $NET
done

# rules to catch spoofed internal addresses here (from another interface)
INTERFACES=`interfaces`
for IF0 in $INTERFACES; do
for IF1 in $INTERFACES; do
   if [ $IF0 != $IF1 ]; then
    for NET in `netof $IF1`; do
      $RULE -j DROP -i $IF0 -s $NET
    done
   fi
done
done

########################
### PREROUTING chain ###
########################
DEBUG "PREROUTING"

$IPT -t nat -F PREROUTING
RULE="$IPT -t nat -A PREROUTING"
$RULE -j spoof
# no redir/forward
for DATA in $NOCHANGES; do
SRCIP=`getarg $DATA 1`
DSTIP=`getarg $DATA 2`
DSTPORT=`getarg $DATA 3`
$RULE -j ACCEPT -p tcp -s $SRCIP -d $DSTIP --dport $DSTPORT
done
# port redirection
for DATA in $TRANSPARENT_PROXY; do
IF=`getarg $DATA 1`
SRC=`getarg $DATA 2`
DSTPORT=`getarg $DATA 3`
REDIR=`getarg $DATA 4`
$RULE -j REDIRECT -i $IF -p tcp -s $SRC --dport $DSTPORT --to-port
$REDIR
done
# port forwarding
for DATA in $PORT_FORWARD; do
IF=`getarg $DATA 1`
DST=`getarg $DATA 2`
DSTPORT=`getarg $DATA 3`
REDIR=`echo $DATA|cut -d':' -f4-`
$RULE -j DNAT -i $IF -d $DST -p tcp --dport $DSTPORT
--to-destination $REDIR
done

#########################
### INPUT chain ###
#########################
DEBUG "INPUT"

$IPT -F INPUT
$IPT -P INPUT DROP
RULE="$IPT -A INPUT"
$RULE -j common
for DATA in $FWPORTS; do
PROTO=`getarg $DATA 1`
HOSTS=`getarg $DATA 2|sed 's/,/ /g'`
PORT=`getarg $DATA 3`
if [ "$HOSTS" = "" ]; then
   $RULE -j ACCEPT -p $PROTO --dport $PORT
else
   for HOST in $HOSTS; do
    $RULE -j ACCEPT -p $PROTO -s $HOST --dport $PORT
   done
fi
done
for TYPE in $ICMPTYPES; do
$RULE -j ACCEPT -p icmp --icmp-type $TYPE
done

#########################
### FORWARD chain ###
#########################
DEBUG "FORWARD"

$IPT -F FORWARD
$IPT -P FORWARD DROP
RULE="$IPT -A FORWARD"
$RULE -j common
for DATA in $INT_PORTS; do
PROTO=`getarg $DATA 1`
HOSTS=`getarg $DATA 2|sed 's/,/ /g'`
PORT=`getarg $DATA 3`
DSTIP=`getarg $DATA 4`
if [ "$HOSTS" != "" ]; then
   $RULE -j ACCEPT -p $PROTO -d $DSTIP --dport $PORT
else
   for HOST in $HOSTS; do
    $RULE -j ACCEPT -p $PROTO -s $HOST -d $DSTIP --dport $PORT
   done
fi
done

#########################
### OUTPUT chain ###
#########################
DEBUG "OUTPUT"

$IPT -F OUTPUT
$IPT -P OUTPUT ACCEPT
RULE="$IPT -A OUTPUT"
$RULE -j DROP -o eth0 -p udp --dport router # we don't want RIP on WAN!

#########################
### POSTROUTING chain ###
#########################
DEBUG "POSTROUTING"

$IPT -t nat -F POSTROUTING
RULE="$IPT -t nat -A POSTROUTING"
# internal natting (source NAT)
for DATA in $NATRULES; do
DSTIF=`getarg $DATA 1`
SRCIP=`getarg $DATA 2`
NATIP=`getarg $DATA 3`
$RULE -j SNAT -o $DSTIF -s $SRCIP --to-source $NATIP
done

---

Kim Petersen <kp@kyborg.dk> wrote:
.....

Vi skal vide en masse om dit netvaerk og dine systemer foer vi kan
begynde at kommentere dine firewall regler. Du har vel et design- eller
kravdokument som du har skrevet reglerne ud fra? Det ville vaere en
start, til at nogen kan hjaelpe dig. Typisk vil dette vaere en stoerre
men triviel opgave som du ikke skal forvente at Usenet brugere vil bruge
deres egen tid paa. Brug penge til en haandfuld konsulenttimer.

Uden viden om dit netvaerk, kan jeg kun hjaelpe med foelgende:

Hvorfor indeholder dine regler en (ukomplet) liste over opgaver som en
firewall ikke loeser?

Selve ideen om, at der findes interfaces som man ved, at der ikke er
black hats paa er da interessant, men det holder vist kun i meget smaa
firmaer hvor alle har kendt hinanden i mange aar. Og selv da ville jeg
ikke antage, at der ikke var interne trusler.

Du er kommet til at skrive svenske IP adresser i NAT reglerne, men det
lader til, at du poster fra Danmark.

Hvis en kunde fremviste saadan et regelsaet ville jeg staerkt anbefale
at skifte til et IP filter produkt som tillader at man kan laese, skrive
og bekraefte regler uden at have kendskab til programmering i bourne shell.
KISS princippet virker.

--
I prefer the dark of the night, after midnight and before four-thirty,
when it's more bare, more hollow. http://a.mongers.org

---

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Alex Holst <a@mongers.org> writes:

> Hvor meget er et IP filter vaerd hvis det er sat op af en person der kun
> forstaar nok til at indtaste net oplysninger? Vedkommende kunne nok
> ikke engang genkende sine egne tastefejl, for slet ikke at tale om at
> genkende logiske fejl eller mangler i reglerne. Det er en meget farlig
> form for brugervenlighed.

Jeg er i bund og grund enig med dig, men denne slags hjælpemidler er
gode til folk, der er i færd med at tilegne sig viden om firewalls
generelt og iptables i særdeleshed. Det er væsentligt lettere at
modificere et eksisterende regelsæt, end at skrive sit eget fra
bunden, så selv om man kan argumentere for, at det hjælper til at
fordre uvidenhed, er der altså også mere nyttige anvendelser.

Martin

- --
Homepage: http://www.cs.auc.dk/~factotum/
GPG public key: http://www.cs.auc.dk/~factotum/gpgkey.txt
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: Using Mailcrypt+GnuPG <http://www.gnupg.org>

iEYEARECAAYFAj3ScNIACgkQYu1fMmOQldWUogCgq42pf7xa7Z4rJLV90I7hGuyt
G9kAoNQXTQPxztrWYNiQ+FKzE2Rd37Df
=08yu
-----END PGP SIGNATURE-----