Archief - Scriptje zorgt voor kopzorgen

#!/bin/bash
# chkconfig: 345 10 90
# firewall -- firewall script for a bastion firewall with DMZ and 

#-----------------------------------------------------------------------------
# Variables
#-----------------------------------------------------------------------------
IPTABLES="/sbin/iptables"

# Network interface names
EXTERNAL_INTERFACE="eth0"
DMZ_INTERFACE="eth1"
INTERNAL_INTERFACE="eth2"

# Network addresses (in CIDR notation)
EXTERNAL_NETWORK="172.168.1.253/30"
DMZ_NETWORK="192.0.126.126/29"
INTERNAL_NETWORK="10.0.0.1/8"

# Router IP addresses
EXTERNAL_IP="172.16.1.253"
DMZ_IP="192.0.2.126"
INTERNAL_IP="10.0.0.1"

# DMZ IP addresses
NS1_IP="192.0.2.121"
NS2_IP="192.0.2.122"
WEBSERVER_IP="192.0.2.123"
MAILSERVER_IP="192.0.2.124"

# "wildcard" for all IP Addresses
UNIVERSE="0.0.0.0/0"

#-----------------------------------------------------------------------------
# Functions
#-----------------------------------------------------------------------------

#---------- Show current firewall configuration ------------------------------
status() {
    # Show rules for filter table
        $IPTABLES -L -v -t filter -n
    # Show rules for nat table
        $IPTABLES -L -v -t nat -n
}

#---------- Stopping the firewall --------------------------------------------
stop() {
 echo 'Clearing all rules...'
        $IPTABLES -F
        $IPTABLES -F -t nat

    echo 'Removing custom chains...'
        $IPTABLES -X drop-and-log-it

    echo 'Setting all policies to "ACCEPT"...'
        $IPTABLES -P INPUT   ACCEPT
        $IPTABLES -P OUTPUT  ACCEPT
        $IPTABLES -P FORWARD ACCEPT

        $IPTABLES -A INPUT  -i lo -p all -j ACCEPT
        $IPTABLES -A OUTPUT -o lo -p all -j ACCEPT

    echo 'Disabling general firewall settings...'
	echo "0" > /proc/sys/net/ipv4/conf/all/log_martians
        echo "0" > /proc/sys/net/ipv4/tcp_syncookies
        echo "0" > /proc/sys/net/ipv4/conf/all/rp_filter
        echo "0" > /proc/sys/net/ipv4/icmp_echo_ignore_all
}
    
#---------- Panic rules ------------------------------------------------------
# Block all traffic
panic() {
 
    echo 'Stopping route...'
        echo "0" >  /proc/sys/net/ipv4/ip_forward

    echo 'Clearing all rules...'
        $IPTABLES -F
        $IPTABLES -F -t nat
        
    echo 'Removing all custom chains...'
        $IPTABLES -X drop-and-log-it
        
    echo 'Setting all policies to "DROP"...'
        $IPTABLES -P INPUT   DROP
        $IPTABLES -P OUTPUT  DROP  
        $IPTABLES -P FORWARD DROP  
        
    echo 'Allowing traffic to/from loopback interface...'
        $IPTABLES -A INPUT  -i lo -p all -j ACCEPT
        $IPTABLES -A OUTPUT -o lo -p all -j ACCEPT

    echo 'Disabling general firewall settings...'
        echo "0" > /proc/sys/net/ipv4/conf/all/log_martians
        echo "0" > /proc/sys/net/ipv4/tcp_syncookies
        echo "0" > /proc/sys/net/ipv4/conf/all/rp_filter
        echo "0" > /proc/sys/net/ipv4/icmp_echo_ignore_all 
        
    echo 'Disabling NAT...'
        echo "0" >  /proc/sys/net/ipv4/ip_forward
}

#---------- Starting the firewall --------------------------------------------
start() {
   echo 'Setting default policies to DROP...'
        $IPTABLES -P INPUT   DROP
        $IPTABLES -P OUTPUT  ACCEPT
        $IPTABLES -P FORWARD DROP

   echo 'Creating drop&log chain...'
        $IPTABLES -N drop-and-log-it
        $IPTABLES -A drop-and-log-it -j LOG --log-level info
        $IPTABLES -A drop-and-log-it -j DROP
    
   echo 'Accepting loopback traffic from/to all addresses...'
        $IPTABLES -A INPUT  -i lo -p all -j ACCEPT
        $IPTABLES -A OUTPUT -o lo -p all -j ACCEPT
        
   echo 'Accepting all traffic from internal network to DMZ/external network...'
        $IPTABLES -A FORWARD -o $DMZ_INTERFACE -d $WEBSERVER_IP -p tcp --dport 80 -j ACCEPT
	$IPTABLES -A FORWARD -o $DMZ_INTERFACE -d $MAILSERVER_IP -p tcp --dport 25 -j ACCEPT
	$IPTABLES -A FORWARD -o $DMZ_INTERFACE -d $NS1_IP -p udp --dport 53 -j ACCEPT
	$IPTABLES -A FORWARD -o $DMZ_INTERFACE -d $NS2_IP -p udp --dport 53 -j ACCEPT

   echo 'Drop and log traffic from external network claiming to come from DMZ or internal network...'
        $IPTABLES -A FORWARD -i $EXTERNAL_INTERFACE -s $DMZ_NETWORK -d $EXTERNAL_NETWORK -m state --state RELATED,ESTABLISHED -j ACCEPT
        $IPTABLES -A FORWARD -i $INTERNAL_INTERFACE -s $INTERNAL_NETWORK -d $EXTERNAL_NETWORK -m state --state RELATED,ESTABLISHED -j ACCEPT

   echo 'Accepting all traffic from external network to internal network that was initialised by an internal host (related, established)...'
        $IPTABLES -A FORWARD -o $INTERNAL_INTERFACE -s $EXTERNAL_NETWORK -d $INTERNAL_NETWORK -m state --state RELATED,ESTABLISHED -j ACCEPT

    echo 'Enabling NAT...'
        echo "1" >  /proc/sys/net/ipv4/ip_forward
        $IPTABLES -t nat -A POSTROUTING -o $EXTERNAL_INTERFACE -j MASQUERADE

    echo 'Dropping and logging all other traffic...'
        $IPTABLES -A INPUT -j drop-and-log-it

    echo 'Enabling general firewall settings...'
        echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
        echo "1" > /proc/sys/net/ipv4/tcp_syncookies
        echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
        echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all

    echo 'Preventing flooding on DMZ...'
        $IPTABLES -A FORWARD -p tcp  -i $DMZ_INTERFACE --syn -m limit --limit 1/s -j ACCEPT
}

#-----------------------------------------------------------------------------
# Process command line arguments
#-----------------------------------------------------------------------------

case $1 in
    start|restart)
        stop
	start
	info
	;;
    stop)
        stop
	info
	;;
    status)
	status
	info
	;;
    panic)
        panic
	info
	;;
    *)
      	echo 'Usage: firewall {start,stop,panic,restart,status}'
esac

info(){
#Set exit status. If one command failed, exit status will be 1
if [ "${status}" == "1" ]; then
    echo 'WARNING: configuring the firewall failed!'
else
    echo 'Firewall command processed!'
fi
}