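#!/bin/sh
#########################################################################
# Simon's home FW script for Paradise cable.i (External)                #
#                                                                       #
# Release: 26.4.04 Simon R Anderson                                     #
#                                                                       #
# This script is for the external firewall 'Henderson.'                 #
# Network diagram at http://oob.freeshell.org/network.html              #
#                                                                       #
# Non RFC-1918 addresses have been replaced with strings.               #
#                                                                       #
# Network Topology:                                                     #
#   192.168.0.0/24  DMZ                                                 #
#   192.168.1.0/24  LAN                                                 #
#   192.168.2.0/24  IPSEC (Disabled)                                    #
#   192.168.3.0/24  WiFi (Private)                                      #
#   192.168.4.0/24  WiFi (Public)                                       #
#   192.168.5.0/24  Flatmate                                            #
#   192.168.6.0/24  Voice                                               #
#                                                                       #
# Firewall Interfaces:                                                  #
#   x.x.x.x       ETH-0 => Internet                                     #
#   192.168.0.1   ETH-1 => DMZ, [LAN, IPSec, WIFIs, Flatmate]           #
#   192.168.6.1   ETH-2 => Voice                                        #
#########################################################################
#
# Review changes relative to the previous release of this script:
#   * The SIP/SCCP/RTP FORWARD rules were unrestricted (no -i, no -d), so
#     any packet arriving on any interface to UDP/TCP 5060, TCP 2000 or
#     UDP 10000-20000 was forwarded to any destination. They are now pinned
#     to -i eth0 -d 192.168.6.2, matching the IAX2 rule and the DNAT rules
#     they pair with.
#   * Only the filter table was flushed; each re-run appended a duplicate
#     copy of every nat rule. The nat table is now flushed as well.
#   * Default DROP policies are set before flushing and IP forwarding is
#     enabled last, so a (re)load never passes through a state where the
#     chains are empty with an ACCEPT policy and forwarding on.
#   * The OUTPUT rules for the Paradise DNS servers said -o eth1; those
#     servers are reached via eth0 (the matching INPUT rules use -i eth0).
#     Harmless either way because OUTPUT policy is ACCEPT.
#   * Six tcpchk rules have no -j target (they only count packets). They are
#     left as-is and flagged below rather than guessed at.
#

#########################################################################
# Variables Section.                                                    #
#########################################################################
IPTABLES=/sbin/iptables
ROUTE=/sbin/route

# Firewall's own public address (eth0).
OUR_IP=xxx.xxx.xxx.xxx

# Paradise (ISP) resolvers, reached via eth0.
DNS_SERVER_1=xxx.xxx.xxx.xxx
DNS_SERVER_2=xxx.xxx.xxx.xxx

# Hosts/networks allowed to SSH to the DMZ server through the firewall.
REMOTE_1=xxx.xxx.xxx.xxx
REMOTE_NET_1=xxx.xxx.xxx.xxx/24
REMOTE_NET_2=xxx.xxx.xxx.xxx/24

#########################################################################
# Kernel options.                                                       #
#########################################################################
# NOTE: IP forwarding is enabled at the very end of this script, after the
# rule set is in place (see "Enable forwarding" below).

# Enable TCP SYN cookies.
echo "1" > /proc/sys/net/ipv4/tcp_syncookies

# Limit the backlog of half-open incoming connections.
echo "1024" > /proc/sys/net/ipv4/tcp_max_syn_backlog

# Ignore ICMP echo requests sent to broadcast addresses.
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Ignore bogus ICMP error responses.
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

for i in /proc/sys/net/ipv4/conf/*; do
  # Drop all source-routed packets.
  echo "0" > "$i/accept_source_route"

  # Neither accept nor send ICMP redirects.
  echo "0" > "$i/accept_redirects"
  echo "0" > "$i/send_redirects"

  # Only honour redirects from known gateways (moot while accept_redirects=0,
  # kept so the setting is sane if that is ever re-enabled).
  echo "1" > "$i/secure_redirects"

  # Reverse-path filtering (source-address verification, anti-spoofing).
  echo "1" > "$i/rp_filter"
done

#########################################################################
# Routing Section.                                                      #
#########################################################################
# NOTE(review): the default route points at $OUR_IP, i.e. the firewall's
# own address; presumably this is what the cable link expects -- confirm.
"$ROUTE" add default gw "$OUR_IP"

# Internal networks sit behind routers on the DMZ segment.
"$ROUTE" add -net 192.168.1.0 netmask 255.255.255.0 gw 192.168.0.2
"$ROUTE" add -net 192.168.3.0 netmask 255.255.255.0 gw 192.168.0.2
"$ROUTE" add -net 192.168.4.0 netmask 255.255.255.0 gw 192.168.0.4
"$ROUTE" add -net 192.168.5.0 netmask 255.255.255.0 gw 192.168.0.5

#########################################################################
# Firewall Section                                                      #
#########################################################################

# Fail closed while the rule set is (re)built: set the DROP policies BEFORE
# flushing so an emptied chain never falls back to the stock ACCEPT policy.
"$IPTABLES" -P INPUT DROP
"$IPTABLES" -P OUTPUT ACCEPT
"$IPTABLES" -P FORWARD DROP

# Flush the filter AND nat tables (the nat table is where the DNAT/SNAT
# rules below live; leaving it unflushed duplicates them on every re-run).
"$IPTABLES" -F
"$IPTABLES" -X
"$IPTABLES" -t nat -F
"$IPTABLES" -t nat -X

################
# Nat Section. #
################

# PAT inbound SSH connections from work and a shell server to a DMZ server.
# NOTE: These rules require the corresponding FORWARD rules below.
"$IPTABLES" -t nat -A PREROUTING -i eth0 -s "$REMOTE_1"     -d "$OUR_IP" -p tcp -m tcp --dport 22 -j DNAT --to-destination 192.168.0.4:22
"$IPTABLES" -t nat -A PREROUTING -i eth0 -s "$REMOTE_NET_1" -d "$OUR_IP" -p tcp -m tcp --dport 22 -j DNAT --to-destination 192.168.0.4:22
"$IPTABLES" -t nat -A PREROUTING -i eth0 -s "$REMOTE_NET_2" -d "$OUR_IP" -p tcp -m tcp --dport 22 -j DNAT --to-destination 192.168.0.4:22

# PAT inbound HTTPS connections from the Internet to a DMZ server.
# NOTE: This rule requires the corresponding FORWARD rule below.
#"$IPTABLES" -t nat -A PREROUTING -i eth0 -d "$OUR_IP" -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.0.4:443

# PAT inbound IAX2 connections from the Internet to the PABX server.
# NOTE: This rule requires the corresponding FORWARD rule below.
"$IPTABLES" -t nat -A PREROUTING -i eth0 -d "$OUR_IP" -p udp -m udp --dport 4569 -j DNAT --to-destination 192.168.6.2:4569

# PAT inbound IAX1 connections from the Internet to the PABX server. (DEPRECATED)
# NOTE: This rule requires the corresponding FORWARD rule below.
#"$IPTABLES" -t nat -A PREROUTING -i eth0 -d "$OUR_IP" -p udp -m udp --dport 5036 -j DNAT --to-destination 192.168.6.2:4569

# PAT inbound SIP (5060), SCCP (2000) and RTP (10000-20000) connections from
# the Internet to the PABX server. The RTP rule keeps the original port.
# NOTE: These rules require the corresponding FORWARD rules below.
"$IPTABLES" -t nat -A PREROUTING -i eth0 -d "$OUR_IP" -p udp -m udp --dport 5060        -j DNAT --to-destination 192.168.6.2:5060
"$IPTABLES" -t nat -A PREROUTING -i eth0 -d "$OUR_IP" -p tcp -m tcp --dport 5060        -j DNAT --to-destination 192.168.6.2:5060
"$IPTABLES" -t nat -A PREROUTING -i eth0 -d "$OUR_IP" -p tcp -m tcp --dport 2000        -j DNAT --to-destination 192.168.6.2:2000
"$IPTABLES" -t nat -A PREROUTING -i eth0 -d "$OUR_IP" -p udp -m udp --dport 10000:20000 -j DNAT --to-destination 192.168.6.2

# NAT traffic from all internal networks to our assigned IP address out to the Internet.
"$IPTABLES" -t nat -A POSTROUTING -o eth0 -j SNAT --to-source "$OUR_IP"

###################
# Filter section. #
###################
# (Default policies were set above, before the flush.)

# Chain that sanity-checks TCP flag combinations against connection state.
# RETURN = hand the packet back to the calling chain; DROP = discard.
"$IPTABLES" -N tcpchk

# Ports 0-19 are never legitimate in either direction here.
"$IPTABLES" -A tcpchk -p tcp --sport 0:19 -j DROP
"$IPTABLES" -A tcpchk -p tcp --dport 0:19 -j DROP

# Bare ACK only makes sense on an established connection.
"$IPTABLES" -A tcpchk -p tcp --tcp-flags ALL ACK -m state --state ESTABLISHED -j RETURN
"$IPTABLES" -A tcpchk -p tcp --tcp-flags ALL ACK -m state --state NEW,RELATED -j DROP

"$IPTABLES" -A tcpchk -p tcp --tcp-flags ALL PSH,ACK -m state --state ESTABLISHED -j RETURN
"$IPTABLES" -A tcpchk -p tcp --tcp-flags ALL PSH,ACK -m state --state NEW -j RETURN
"$IPTABLES" -A tcpchk -p tcp --tcp-flags ALL PSH,ACK -m state --state RELATED -j DROP

# Classic scan / malformed combinations.
"$IPTABLES" -A tcpchk -p tcp --tcp-flags ALL NONE -j DROP
"$IPTABLES" -A tcpchk -p tcp --tcp-flags ALL ALL -j DROP
"$IPTABLES" -A tcpchk -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
"$IPTABLES" -A tcpchk -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
"$IPTABLES" -A tcpchk -p tcp --tcp-flags RST,FIN RST,FIN -j DROP
"$IPTABLES" -A tcpchk -p tcp --tcp-flags SYN,URG SYN,URG -j DROP
"$IPTABLES" -A tcpchk -p tcp --tcp-flags ALL SYN,PSH -j DROP
"$IPTABLES" -A tcpchk -p tcp --tcp-flags ALL SYN,ACK,PSH -j DROP
"$IPTABLES" -A tcpchk -p tcp --tcp-flags ACK,FIN FIN -j DROP
"$IPTABLES" -A tcpchk -p tcp --tcp-flags ACK,PSH PSH -j DROP
"$IPTABLES" -A tcpchk -p tcp --tcp-flags ACK,URG URG -j DROP

"$IPTABLES" -A tcpchk -p tcp --tcp-flags ALL RST -m state --state ESTABLISHED -j RETURN
"$IPTABLES" -A tcpchk -p tcp --tcp-flags ALL RST -m state --state NEW,RELATED -j DROP

# Neither SYN nor ACK set.
"$IPTABLES" -A tcpchk -p tcp --tcp-flags SYN,ACK NONE -j DROP

# A lone SYN is only valid for a new (or related) connection.
"$IPTABLES" -A tcpchk -p tcp --tcp-flags ALL SYN -m state --state NEW -j RETURN
"$IPTABLES" -A tcpchk -p tcp --tcp-flags ALL SYN -m state --state RELATED -j RETURN
"$IPTABLES" -A tcpchk -p tcp --tcp-flags ALL SYN -m state --state ESTABLISHED -j DROP

"$IPTABLES" -A tcpchk -p tcp --tcp-flags ALL SYN,ACK -m state --state ESTABLISHED -j RETURN
"$IPTABLES" -A tcpchk -p tcp --tcp-flags ALL SYN,ACK -m state --state NEW,RELATED -j DROP

"$IPTABLES" -A tcpchk -p tcp --tcp-flags ALL FIN,ACK -m state --state ESTABLISHED -j RETURN
"$IPTABLES" -A tcpchk -p tcp --tcp-flags ALL FIN,ACK -m state --state NEW,RELATED -j DROP

"$IPTABLES" -A tcpchk -p tcp --tcp-flags ALL RST,ACK -m state --state ESTABLISHED -j RETURN
"$IPTABLES" -A tcpchk -p tcp --tcp-flags ALL RST,ACK -m state --state NEW -j RETURN
"$IPTABLES" -A tcpchk -p tcp --tcp-flags ALL RST,ACK -m state --state RELATED -j DROP

"$IPTABLES" -A tcpchk -p tcp --tcp-flags ALL ACK,PSH,RST -m state --state ESTABLISHED -j RETURN
"$IPTABLES" -A tcpchk -p tcp --tcp-flags ALL ACK,PSH,RST -m state --state NEW,RELATED -j DROP

"$IPTABLES" -A tcpchk -p tcp --tcp-flags ALL FIN,PSH,ACK -m state --state ESTABLISHED -j RETURN
"$IPTABLES" -A tcpchk -p tcp --tcp-flags ALL FIN,PSH,ACK -m state --state NEW,RELATED -j DROP

# TODO(review): the next six rules have no -j target, so they only count
# matching packets and then fall through to the end of the chain (implicit
# RETURN). They are preserved unchanged rather than guessed at; decide
# whether each combination should RETURN or DROP and add the target.
"$IPTABLES" -A tcpchk -p tcp --tcp-flags ALL RST,ACK,PSH
"$IPTABLES" -A tcpchk -p tcp --tcp-flags ALL RST,ACK,URG
"$IPTABLES" -A tcpchk -p tcp --tcp-flags ALL RST,ACK,PSH,URG
"$IPTABLES" -A tcpchk -p tcp --tcp-flags ALL FIN,PSH,ACK,URG
"$IPTABLES" -A tcpchk -p tcp --tcp-flags ALL ACK,URG
"$IPTABLES" -A tcpchk -p tcp --tcp-flags ALL ACK,URG,FIN

# Push TCP traffic to the firewall, or forwarded across it, through the TCP check.
# (Intrapositioned negation "-i ! lo" is kept for compatibility with the
# iptables this was written against; newer releases prefer "! -i lo".)
"$IPTABLES" -A INPUT -i ! lo -p tcp -j tcpchk
"$IPTABLES" -A FORWARD -p tcp -j tcpchk
#"$IPTABLES" -A OUTPUT -p tcp -j tcpchk

# Accept all traffic on the loopback interface.
"$IPTABLES" -A INPUT -i lo -j ACCEPT

# Log traffic to syslog (NOTE: increases I/O significantly.)
#"$IPTABLES" -A INPUT -i eth0 -p tcp -m tcp --dport 0:1023 -m state --state NEW -j LOG --log-prefix "PRIV PORT TCP CONNECTION: "
#"$IPTABLES" -A INPUT -i eth0 -p udp -m state --state NEW -m udp --dport 0:1023 -j LOG --log-prefix "PRIV PORT UDP CONNECTION: "
#"$IPTABLES" -A INPUT -i eth0 -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j LOG --log-prefix "NEW NOT SYN: "
#"$IPTABLES" -A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 1024:65535 -j LOG --log-prefix "HIGH PORT TCP CONNECTION: "
#"$IPTABLES" -A INPUT -i eth0 -p udp -m state --state NEW -m udp --dport 1024:65535 -j LOG --log-prefix "HIGH PORT UDP CONNECTION:"
#"$IPTABLES" -A INPUT -i eth0 -p icmp -j LOG --log-prefix "ECHO: "

# Drop all inbound connections to the FW from the Internet.
"$IPTABLES" -A INPUT -i eth0 -m state --state INVALID,NEW -j DROP

# Drop all inbound connections to the FW from the voice network.
"$IPTABLES" -A INPUT -i eth2 -m state --state INVALID,NEW -j DROP

# Accept responses to connections initiated by the firewall.
"$IPTABLES" -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Accept DNS replies (UDP, source port 53) from the two Paradise resolvers.
# These are NOT zone transfers (AXFR is TCP); they are already covered by
# the ESTABLISHED rule above, so not strictly necessary.
"$IPTABLES" -A INPUT -s "$DNS_SERVER_1" -i eth0 -p udp -m state --state ESTABLISHED -m udp --sport 53 -j ACCEPT
"$IPTABLES" -A INPUT -s "$DNS_SERVER_2" -i eth0 -p udp -m state --state ESTABLISHED -m udp --sport 53 -j ACCEPT

# Accept SSH connections to the FW from machines on the LAN.
"$IPTABLES" -A INPUT -s 192.168.1.0/24 -i eth1 -p tcp -m tcp --dport 22 -j ACCEPT

# Accept SSH connections to the FW from a DMZ server.
"$IPTABLES" -A INPUT -s 192.168.0.4/32 -i eth1 -p tcp -m tcp --dport 22 -j ACCEPT

# Explicitly drop inbound SSH connections which don't come from the LAN.
#"$IPTABLES" -A INPUT -s ! 192.168.1.0/24 -p tcp -m tcp --dport 22 -j DROP

# Allow ICMP to the FW from the LAN and DMZ.
"$IPTABLES" -A INPUT -s 192.168.1.0/24 -i eth1 -p icmp -j ACCEPT
"$IPTABLES" -A INPUT -s 192.168.0.0/24 -i eth1 -p icmp -j ACCEPT

# Forward rules for the internal networks arriving on eth1: anything not
# addressed back into the source network is allowed through.
"$IPTABLES" -A FORWARD -s 192.168.0.0/24 -d ! 192.168.0.0/24 -i eth1 -j ACCEPT
"$IPTABLES" -A FORWARD -s 192.168.1.0/24 -d ! 192.168.1.0/24 -i eth1 -j ACCEPT
"$IPTABLES" -A FORWARD -s 192.168.4.0/24 -d ! 192.168.4.0/24 -i eth1 -j ACCEPT
"$IPTABLES" -A FORWARD -s 192.168.5.0/24 -d ! 192.168.5.0/24 -i eth1 -j ACCEPT
# NOTE(review): 192.168.3.0/24 (WiFi Private) has a route but no FORWARD
# rule; presumably it is NATed by 192.168.0.2 before reaching us -- confirm.

# Allow DNS requests from the Voice network to a DMZ server.
"$IPTABLES" -A FORWARD -s 192.168.6.0/24 -d 192.168.0.4 -i eth2 -o eth1 -p udp -m state --state NEW,ESTABLISHED -m udp --dport 53 -j ACCEPT
"$IPTABLES" -A FORWARD -s 192.168.6.0/24 -d 192.168.0.4 -i eth2 -o eth1 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 53 -j ACCEPT

# Forward rule for the Voice network: out to the Internet only.
"$IPTABLES" -A FORWARD -s 192.168.6.0/24 -d ! 192.168.6.0/24 -i eth2 -o eth0 -j ACCEPT

# Allow forwarded responses to connections permitted by other rules.
"$IPTABLES" -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

# Block all traffic from the Voice network to the internal networks.
"$IPTABLES" -A FORWARD -s 192.168.6.0/24 -i eth2 -o eth1 -j DROP

# Allow forwarded SSH connections to a DMZ server from work networks and one remote system.
# NOTE: These rules require the corresponding PREROUTING rules above.
"$IPTABLES" -A FORWARD -s "$REMOTE_1"     -p tcp -m tcp --dport 22 -d 192.168.0.4 -i eth0 -j ACCEPT
"$IPTABLES" -A FORWARD -s "$REMOTE_NET_1" -p tcp -m tcp --dport 22 -d 192.168.0.4 -i eth0 -j ACCEPT
"$IPTABLES" -A FORWARD -s "$REMOTE_NET_2" -p tcp -m tcp --dport 22 -d 192.168.0.4 -i eth0 -j ACCEPT

# Allow forwarded HTTPS connections to a DMZ server from the Internet.
# NOTE: This rule requires the corresponding PREROUTING rule above.
#"$IPTABLES" -A FORWARD -p tcp -m tcp --dport 443 -d 192.168.0.4 -i eth0 -j ACCEPT

# Allow forwarded IAX2 connections to the PABX server from the Internet.
# NOTE: This rule requires the corresponding PREROUTING rule above.
"$IPTABLES" -A FORWARD -p udp -m udp --dport 4569 -d 192.168.6.2 -i eth0 -j ACCEPT

# Allow forwarded IAX1 connections to the PABX server from the Internet (DEPRECATED.)
# NOTE: This rule requires the corresponding PREROUTING rule above.
#"$IPTABLES" -A FORWARD -p udp -m udp --dport 5036 -d 192.168.6.2 -i eth0 -j ACCEPT

# Allow forwarded SIP / SCCP / RTP connections to the PABX server from the Internet.
# NOTE: These rules require the corresponding PREROUTING rules above.
# SECURITY: these were previously unrestricted (no -i / -d), which forwarded
# these ports from ANY interface to ANY destination, not just DNATed traffic
# to the PABX. They are now pinned to the PABX exactly like the IAX2 rule.
"$IPTABLES" -A FORWARD -p udp -m udp --dport 5060        -d 192.168.6.2 -i eth0 -j ACCEPT
"$IPTABLES" -A FORWARD -p tcp -m tcp --dport 5060        -d 192.168.6.2 -i eth0 -j ACCEPT
"$IPTABLES" -A FORWARD -p tcp -m tcp --dport 2000        -d 192.168.6.2 -i eth0 -j ACCEPT
"$IPTABLES" -A FORWARD -p udp -m udp --dport 10000:20000 -d 192.168.6.2 -i eth0 -j ACCEPT

# Explicitly drop inbound forwarded connections to all internal networks from
# the Internet (redundant with the FORWARD DROP policy, kept for clarity).
"$IPTABLES" -A FORWARD -d 192.168.0.0/24 -i eth0 -m state --state INVALID,NEW -j DROP
"$IPTABLES" -A FORWARD -d 192.168.1.0/24 -i eth0 -m state --state INVALID,NEW -j DROP
"$IPTABLES" -A FORWARD -d 192.168.3.0/24 -i eth0 -m state --state INVALID,NEW -j DROP
"$IPTABLES" -A FORWARD -d 192.168.4.0/24 -i eth0 -m state --state INVALID,NEW -j DROP
"$IPTABLES" -A FORWARD -d 192.168.5.0/24 -i eth0 -m state --state INVALID,NEW -j DROP
"$IPTABLES" -A FORWARD -d 192.168.6.0/24 -i eth0 -m state --state INVALID,NEW -j DROP

# Explicitly allow outbound DNS from the FW to the Paradise resolvers
# (not strictly necessary: OUTPUT policy is ACCEPT). The resolvers are
# external, so this goes out eth0, consistent with the INPUT rules above.
"$IPTABLES" -A OUTPUT -d "$DNS_SERVER_1" -o eth0 -p udp -m state --state NEW,ESTABLISHED -m udp --dport 53 -j ACCEPT
"$IPTABLES" -A OUTPUT -d "$DNS_SERVER_2" -o eth0 -p udp -m state --state NEW,ESTABLISHED -m udp --dport 53 -j ACCEPT

#########################################################################
# Enable forwarding -- last, now that the rule set is fully loaded.     #
#########################################################################
echo "1" > /proc/sys/net/ipv4/ip_forward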