Daily thoughts - 3

Тази събота и неделя си поиграх да си направя firewall ето и резултата:

#!/bin/bash

#INSTALL(Debian rulez)
#      1. write this file as /etc/init.d/firewall
#      2. chmod 755 /etc/init.d/firewall
#      3. update-rc.d firewall defaults
#
#REMOVE
#    update-rc.d -f firewall remove
#
# Author: zlatozar@gmail.com
# Date: 2007/03/04



#Our complete stateful firewall script.  This firewall can be customized for 
#a laptop, workstation, router or even a server. :)

#change this to the name of the interface that provides your "uplink"
#(connection to the Internet)

UPLINK="eth0"

#if you're a router (and thus should forward IP packets between interfaces),
#you want ROUTER="yes"; otherwise, ROUTER="no"

ROUTER="yes"

#change this next line to the static IP of your uplink interface for static SNAT, or
#"dynamic" if you have a dynamic IP.  If you don't need any NAT, set NAT to "" to
#disable it.

NAT="dynamic"

#change this next line so it lists all your network interfaces, including lo

INTERFACES="lo eth0 eth1"

#change this line so that it lists the assigned numbers or symbolic names (from
#/etc/services) of all the services that you'd like to provide to the general
#public.  If you don't want any services enabled, set it to ""

SERVICES="http https ftp smtp ssh rsync"
# SRVICES_SAMBA="netbios-ssn microsoft-ds"

start() {

    echo "Starting firewall..."
    iptables -P INPUT DROP
    iptables -A INPUT -i ! ${UPLINK} -j ACCEPT
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    
    #enable public access to certain services
    for x in ${SERVICES}
      do
      iptables -A INPUT -p tcp --dport ${x} -m state --state NEW -j ACCEPT
    done
 
    # SAMBA ---------
    iptables -A INPUT -p tcp --dport 137:139 -j ACCEPT
    iptables -A INPUT -p tcp --dport 445 -j ACCEPT

    iptables -A INPUT -p udp --dport 137:139 -j ACCEPT
    iptables -A INPUT -p udp --dport 1025:65535 -j ACCEPT
    # --------- 

    iptables -A INPUT -p tcp -i ${UPLINK} -j REJECT --reject-with tcp-reset
    iptables -A INPUT -p udp -i ${UPLINK} -j REJECT --reject-with icmp-port-unreachable
 

    #explicitly disable ECN
    if [ -e /proc/sys/net/ipv4/tcp_ecn ]
 then
 echo 0 > /proc/sys/net/ipv4/tcp_ecn
    fi   

    #disable spoofing on all interfaces
    for x in ${INTERFACES} 
      do 
      echo 1 > /proc/sys/net/ipv4/conf/${x}/rp_filter     
    done

    if [ "$ROUTER" = "yes" ]
 then
 #we're a router of some kind, enable IP forwarding
 echo 1 > /proc/sys/net/ipv4/ip_forward
 if [ "$NAT" = "dynamic" ]
     then
     #dynamic IP address, use masquerading 
     echo "Enabling masquerading (dynamic ip)..."
     iptables -t nat -A POSTROUTING -o ${UPLINK} -j MASQUERADE
 elif [ "$NAT" != "" ]
     then
     #static IP, use SNAT
     echo "Enabling SNAT (static ip)..."
     iptables -t nat -A POSTROUTING -o ${UPLINK} -j SNAT --to ${UPIP}
 fi
    fi
}

stop() {
    echo "Stopping firewall..."
    iptables -F INPUT
    iptables -P INPUT ACCEPT
    
    #turn off NAT/masquerading, if any
    iptables -t nat -F POSTROUTING
}

# Menu

case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    *)
        echo "Usage: /etc/init.d/firewall {start|stop}"
        exit 1
esac

exit 0

PS. Това е firewall за моята работна станция затова се наложи да добавя специялна секция за SAMBA. Ако ще го ползвате за сервър я махнете.