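#!/bin/sh
#################################################################################
# Simon's home FW script (Internal)                                             #
#                                                                               #
# Release: 27.4.04  Simon R Anderson                                            #
#                                                                               #
# This script is for the internal firewall 'Meads'.                             #
# Network diagram at http://oob.freeshell.org/network.html                      #
#                                                                               #
# Network Topology:                                                             #
#   192.168.0.0/24  DMZ                                                         #
#   192.168.1.0/24  LAN                                                         #
#   192.168.2.0/24  IPSEC (Disabled)                                            #
#   192.168.3.0/24  WiFi (Private)                                              #
#   192.168.4.0/24  WiFi (Public)                                               #
#   192.168.5.0/24  Flatmate                                                    #
#   192.168.6.0/24  Voice                                                       #
#                                                                               #
# Firewall Interfaces:                                                          #
#   192.168.0.2  ETH-0 => DMZ, [Wifi-Public, Flatmate, Voice, Internet]         #
#   192.168.1.1  ETH-1 => LAN                                                   #
#   192.168.3.1  ETH-2 => Wifi-Private                                          #
#   10.8.1.9     PPP-0 => Work                                                  #
#                                                                               #
# Must be run as root.  Ordering is deliberate and fail-closed:                 #
#   1. the external gateway is validated before any state is touched;           #
#   2. filter policies are set to DROP *before* the old rules are flushed,      #
#      so there is no accept-everything window between flush and reload;        #
#   3. IP forwarding is switched on only after the FORWARD rules are loaded,    #
#      so the box never transits traffic with an empty rule set.                #
#################################################################################

#################################################################################
# Variables Section.                                                            #
#################################################################################

# Path to iptables userland tool.
IPTABLES=/sbin/iptables

# Path to route.
ROUTE=/sbin/route

# Our external Gateway.  Replace the placeholder before running; the check
# below refuses to start with it unset (otherwise 'route add default' fails
# silently and the host is left without a default route).
GATEWAY=xxx.xxx.xxx.xxx

# Our DNS Servers.
#   1/2: Paradise (ISP) resolvers, reached over eth0 via the default route.
#   3/4: work resolvers, reached over ppp0 only while the dial-up link is up.
#DNS_SERVER_1=xxx.xxx.xxx.xxx
#DNS_SERVER_2=xxx.xxx.xxx.xxx
#DNS_SERVER_3=xxx.xxx.xxx.xxx
#DNS_SERVER_4=xxx.xxx.xxx.xxx
DNS_SERVER_1=203.96.152.4
DNS_SERVER_2=203.96.152.12
DNS_SERVER_3=10.19.0.14
DNS_SERVER_4=10.3.0.19

# Refuse to run with an unconfigured gateway.  This runs before any kernel,
# routing or firewall change so an aborted run leaves the system untouched.
case "$GATEWAY" in
  ""|*[!0-9.]*)
    printf 'GATEWAY is not configured (%s); edit this script before running it.\n' "$GATEWAY" >&2
    exit 1
    ;;
esac

#################################################################################
# Kernel options.                                                               #
#################################################################################
# NOTE: ip_forward is enabled at the very end of this script, after the
# FORWARD chain has been populated.

# Enable TCP SYN cookies.
echo "1" > /proc/sys/net/ipv4/tcp_syncookies

# Limit buffer size for incoming connections.
echo "1024" > /proc/sys/net/ipv4/tcp_max_syn_backlog

# Ignore ICMP broadcasts.
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Ignore ICMP garbage.
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

# Per-interface settings (the glob also covers 'all' and 'default').
for iface in /proc/sys/net/ipv4/conf/*; do
  # Drop all source-routed packets.
  echo "0" > "$iface/accept_source_route"

  # Deactivate ICMP Redirect accept/send.
  echo "0" > "$iface/accept_redirects"
  echo "0" > "$iface/send_redirects"

  # Activate secure ICMP redirects.  Redundant while accept_redirects is 0,
  # kept so redirects stay gateway-only if that is ever re-enabled.
  echo "1" > "$iface/secure_redirects"

  # Enable source-address verification (anti-spoofing).
  echo "1" > "$iface/rp_filter"
done

#################################################################################
# Routing Section.                                                              #
#################################################################################

$ROUTE add default gw "$GATEWAY"
$ROUTE add -net 192.168.4.0 netmask 255.255.255.0 gw 192.168.0.4
$ROUTE add -net 192.168.5.0 netmask 255.255.255.0 gw 192.168.0.5

#################################################################################
# Firewall Section                                                              #
#################################################################################

# Set default policies of the inbuilt chains FIRST, so the flush below does not
# open a window where the empty chains fall through to ACCEPT.
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD DROP

# Flush current firewall rules.  The nat table is flushed too: re-running this
# script otherwise appends a duplicate MASQUERADE rule every time.  -X removes
# any user-defined chains left behind by a previous configuration.
$IPTABLES -F
$IPTABLES -X
$IPTABLES -t nat -F
$IPTABLES -t nat -X

################
# Nat Section. #
################

# NAT outbound connections to the dialup interface.
# NOTE: Only operates when PPP link is up.
$IPTABLES -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

###################
# Filter section. #
###################

# Accept all traffic from the loopback address.
$IPTABLES -A INPUT -i lo -j ACCEPT

# Log traffic to syslog (NOTE: increases I/O significantly.)
#$IPTABLES -A INPUT -i eth0 -p tcp -m tcp --dport 0:1023 -m state --state NEW -j LOG --log-prefix "PRIV PORT TCP CONNECTION: "
#$IPTABLES -A INPUT -i eth0 -p udp -m state --state NEW -m udp --dport 0:1023 -j LOG --log-prefix "PRIV PORT UDP CONNECTION: "
#$IPTABLES -A INPUT -i eth0 -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j LOG --log-prefix "NEW NOT SYN: "
#$IPTABLES -A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 1024:65535 -j LOG --log-prefix "HIGH PORT TCP CONNECTION: "
#$IPTABLES -A INPUT -i eth0 -p udp -m state --state NEW -m udp --dport 1024:65535 -j LOG --log-prefix "HIGH PORT UDP CONNECTION:"
#$IPTABLES -A INPUT -i eth0 -p icmp -j LOG --log-prefix "ECHO: "

# Accept responses to connections initiated by the firewall.
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Explicitly allow DNS replies (UDP source port 53) from the two Paradise DNS
# servers.  Already covered by the RELATED,ESTABLISHED rule above, so this is
# documentation more than policy.  Note this is NOT a zone-transfer (AXFR,
# TCP/53) allowance.
$IPTABLES -A INPUT -s "$DNS_SERVER_1" -i eth0 -p udp -m state --state ESTABLISHED -m udp --sport 53 -j ACCEPT
$IPTABLES -A INPUT -s "$DNS_SERVER_2" -i eth0 -p udp -m state --state ESTABLISHED -m udp --sport 53 -j ACCEPT

# Drop all inbound connections to the FW from external networks.
$IPTABLES -A INPUT -i eth0 -m state --state INVALID,NEW -j DROP

# Accept SSH connections to the FW from the LAN.
$IPTABLES -A INPUT -s 192.168.1.0/255.255.255.0 -i eth1 -p tcp -m tcp --dport 22 -j ACCEPT

# Explicitly drop inbound SSH connections that are not from the LAN.
# (Negation is written '! -s'; the older '-s !' form is rejected by current
# iptables releases.)
$IPTABLES -A INPUT ! -s 192.168.1.0/255.255.255.0 -p tcp -m tcp --dport 22 -j DROP

# Accept ICMP to the FW from the LAN.
$IPTABLES -A INPUT -s 192.168.1.0/255.255.255.0 -i eth1 -p icmp -j ACCEPT

# Forward rules for the LAN and the Wifi-Private networks.  Each may reach any
# destination outside its own subnet; note this includes Wifi-Private -> LAN.
$IPTABLES -A FORWARD -s 192.168.1.0/255.255.255.0 ! -d 192.168.1.0/255.255.255.0 -i eth1 -j ACCEPT
$IPTABLES -A FORWARD -s 192.168.3.0/255.255.255.0 ! -d 192.168.3.0/255.255.255.0 -i eth2 -j ACCEPT

# Accept forward responses to connections generated by systems allowed by other rules.
$IPTABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

# Explicitly allow outbound DNS from the FW to the Paradise DNS servers (not
# strictly necessary with OUTPUT ACCEPT).  These servers are reached via the
# default route on eth0; the previous '-o eth1' match could never fire.
$IPTABLES -A OUTPUT -d "$DNS_SERVER_1" -o eth0 -p udp -m state --state NEW,ESTABLISHED -m udp --dport 53 -j ACCEPT
$IPTABLES -A OUTPUT -d "$DNS_SERVER_2" -o eth0 -p udp -m state --state NEW,ESTABLISHED -m udp --dport 53 -j ACCEPT

# PPP Specific stuff for work dial-up.

# Drop inbound connections to the FW from the work network.
$IPTABLES -A INPUT -i ppp0 -m state --state INVALID,NEW -j DROP

# Accept DNS replies from the work servers.
$IPTABLES -A INPUT -s "$DNS_SERVER_3" -i ppp0 -p udp -m state --state ESTABLISHED -m udp --sport 53 -j ACCEPT
$IPTABLES -A INPUT -s "$DNS_SERVER_4" -i ppp0 -p udp -m state --state ESTABLISHED -m udp --sport 53 -j ACCEPT

# Allow outbound DNS queries to the work servers.  These match on the
# *destination* (-d); the earlier '-s' match described packets that the FW
# never sends.
$IPTABLES -A OUTPUT -d "$DNS_SERVER_3" -o ppp0 -p udp -m state --state NEW,ESTABLISHED -m udp --dport 53 -j ACCEPT
$IPTABLES -A OUTPUT -d "$DNS_SERVER_4" -o ppp0 -p udp -m state --state NEW,ESTABLISHED -m udp --dport 53 -j ACCEPT

#################################################################################
# Enable forwarding last, now that the FORWARD chain is populated.             #
#################################################################################
echo "1" > /proc/sys/net/ipv4/ip_forward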