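#!/bin/sh
#------------------------------------------------------------
# DO NOT MODIFY THIS FILE! It is updated automatically by the
# SME Server software. Instead, modify the source template in
# an /etc/e-smith/templates-custom directory. For more
# information, see http://www.e-smith.org/custom/
#
# copyright (C) 1999-2003 Mitel Networks Corporation
#------------------------------------------------------------
#
# masq: iptables firewall / IP masquerading control script.
#
# Usage: masq {start|stop|restart|status|adjust|masqstop}
#
#   start    flush everything, build the chain skeleton (every
#            per-run chain gets a "_1" placeholder), then re-runs
#            this script with "adjust" to populate the real rules.
#   adjust   rotate each per-run chain: build "<chain>_<pid>",
#            point the parent chain at it, retire the previous one.
#   stop     reset the filter table to INPUT/FORWARD DROP with
#            LAN-to-LAN forwarding only (the nat and mangle tables
#            are NOT touched by stop; see the stop branch below).
#
# Globals read: none beyond the three set just below.

INTERNALIF=eth0
OUTERIF=ppp0
OUTERNET=$(/sbin/e-smith/db configuration get ExternalIP)
if [ -z "$OUTERNET" ]; then
  # Make sure that OUTERNET value is set to syntactly valid value
  # to ensure that iptables syntax is at least correct.
  # Because every inbound chain below starts with
  # "! --destination $OUTERNET -> denylog", this placeholder makes
  # the firewall fail closed for inbound traffic until ExternalIP
  # is configured.
  OUTERNET=1.2.3.4
fi

#######################################
# Append one "accept/deny this port from the outer interface" rule.
# Arguments:
#   $1 - protocol (tcp or udp)
#   $2 - destination port
#   $3 - target (e.g. ACCEPT or denylog)
#   $4 - chain to append to
#   $5 - optional destination network; when given the rule only
#        matches traffic to that network
# Globals:   OUTERIF (read)
# Returns:   iptables exit status
#######################################
adjust_proto_in() {
  local proto=$1
  local dport=$2
  local target=$3
  local chain=$4
  local dnet=$5

  # Arguments are passed directly instead of being assembled into a
  # string and re-split by the shell, so values can never be
  # re-tokenised into extra iptables options.
  if [ -n "$dnet" ]; then
    /sbin/iptables --append "$chain" --protocol "$proto" --dport "$dport" \
      --destination "$dnet" --in-interface "$OUTERIF" --jump "$target"
  else
    /sbin/iptables --append "$chain" --protocol "$proto" --dport "$dport" \
      --in-interface "$OUTERIF" --jump "$target"
  fi
}

# adjust_tcp_in DPORT TARGET CHAIN [DNET] - TCP wrapper of adjust_proto_in.
adjust_tcp_in() {
  adjust_proto_in tcp "$@"
}

# adjust_udp_in DPORT TARGET CHAIN [DNET] - UDP wrapper of adjust_proto_in.
adjust_udp_in() {
  adjust_proto_in udp "$@"
}

#######################################
# Resolve the per-run sub-chain hanging off a parent chain.
# The parent chain (e.g. InboundTCP) holds a single rule whose
# target is "<parent>_<id>"; the target is read from the third
# line of "iptables --list" (two header lines precede rule 1).
# Arguments:
#   $1 - parent chain name
#   $2 - table (filter or nat)
#   $3 - mode: "find" prints the current sub-chain name;
#        "new" prints the name to use for the replacement,
#        "<parent>_$$", or "<parent>_$(($$ + 1))" if the current
#        sub-chain already carries our PID (PID reuse since the
#        last adjust), so the two names never collide.
# Outputs:   chain name on stdout; diagnostics on stderr
# Returns:   0 on success, 1 if the chain or its id cannot be found
#######################################
get_safe_id() {
  local chain_name=$1
  local table=$2
  local mode=$3
  local current
  local current_id

  # Find the existing numbered chain.
  current=$(/sbin/iptables --table "$table" --list "$chain_name" --numeric |
    sed -n '3s/ .*//p')
  if [ -z "$current" ]; then
    # We didn't find it.
    echo "ERROR: Cannot find chain $chain_name in table $table" 1>&2
    return 1
  fi

  case "$mode" in
    find)
      # Return the chain as it is.
      echo "$current"
      ;;
    new)
      # Strip "<parent>_" to get the numeric id; refuse anything that
      # is not a plain integer so the -eq test below cannot blow up.
      current_id=$(echo "$current" | sed -n -e "s/^$chain_name//" -e "s/^_//p")
      case "$current_id" in
        '' | *[!0-9]*)
          echo "ERROR: Cannot find process ID on chain name" 1>&2
          return 1
          ;;
      esac
      # If it conflicts with our process ID, add one to ours.
      if [ "$current_id" -eq "$$" ]; then
        echo "${chain_name}_$(($$ + 1))"
      else
        echo "${chain_name}_$$"
      fi
      ;;
  esac
}

#######################################
# Flush and delete a chain that has been replaced.
# Arguments:
#   $1 - chain name
#   $2 - table (defaults to filter)
#######################################
retire_chain() {
  local chain=$1
  local table=${2:-filter}
  /sbin/iptables --table "$table" --flush "$chain"
  /sbin/iptables --table "$table" --delete-chain "$chain"
}

#######################################
# Create an ICMP chain accepting the harmless informational and error
# types and sending everything else to denylog.  Used for both the
# inbound and the outbound ICMP chains, which are identical.
# Arguments:
#   $1 - chain name to create
#######################################
build_icmp_chain() {
  local chain=$1
  local icmp_type
  /sbin/iptables --new-chain "$chain"
  for icmp_type in echo-request echo-reply destination-unreachable \
    source-quench time-exceeded parameter-problem; do
    /sbin/iptables --append "$chain" --proto icmp \
      --icmp-type "$icmp_type" --jump ACCEPT
  done
  /sbin/iptables --append "$chain" --jump denylog
}

case "$1" in
  start)
    printf '%s' "Enabling IP masquerading: "

    /sbin/iptables -F -t filter
    /sbin/iptables -F -t nat
    /sbin/iptables -F -t mangle
    /sbin/iptables -X -t filter
    /sbin/iptables -X -t nat
    /sbin/iptables -X -t mangle

    /sbin/iptables --flush FORWARD
    /sbin/iptables --flush INPUT
    /sbin/iptables --flush OUTPUT

    /sbin/modprobe ip_nat_ftp
    /sbin/modprobe ip_conntrack_ftp

    # denylog: five placeholder DROP rules; "adjust" replaces 1-3 with
    # silent drops for noisy broadcast traffic (RIP, NetBIOS) and 4
    # with a LOG rule, so only rule 5 is the final DROP.
    /sbin/iptables --new-chain denylog
    for i in 1 2 3 4 5; do
      /sbin/iptables --append denylog --jump DROP
    done

    # Set telnet, www, smtp, pop3 and FTP for minimum delay
    for port in 21 22 23 25 80 110; do
      /sbin/iptables --table mangle --append OUTPUT \
        --protocol tcp --dport "$port" \
        -j TOS --set-tos Minimize-Delay
    done

    # Set ftp-data for maximum throughput
    /sbin/iptables --table mangle --append OUTPUT \
      --protocol tcp --dport 20 \
      -j TOS --set-tos Maximize-Throughput

    # TODO - this hasn't yet been converted for iptables - does it
    # need to be?
    # set timeouts for tcp tcpfin udp
    #/sbin/iptables --masquerading --set 14400 60 600

    # Outbound SMTP is redirected to the local server unless it is
    # already addressed to this host.
    /sbin/iptables --table nat --new-chain SMTPProxy
    /sbin/iptables --table nat --append PREROUTING \
      -p tcp --dport 25 -j SMTPProxy
    /sbin/iptables --table nat --append SMTPProxy \
      --destination 127.0.0.1 --jump ACCEPT
    /sbin/iptables --table nat --append SMTPProxy \
      --destination 192.168.1.1 --jump ACCEPT
    /sbin/iptables --table nat --append SMTPProxy \
      --destination "$OUTERNET" --jump ACCEPT
    /sbin/iptables --table nat --append SMTPProxy \
      -p TCP -j DNAT --to 192.168.1.1:25

    # Transparent HTTP proxy hook; rule 4 is a plain ACCEPT here,
    # i.e. no redirection is configured.
    /sbin/iptables --table nat --new-chain TransProxy
    /sbin/iptables --table nat --append PREROUTING \
      -p tcp --dport 80 -j TransProxy
    /sbin/iptables --table nat --append TransProxy \
      --destination 127.0.0.1 --jump ACCEPT
    /sbin/iptables --table nat --append TransProxy \
      --destination 192.168.1.1 --jump ACCEPT
    /sbin/iptables --table nat --append TransProxy \
      --destination "$OUTERNET" --jump ACCEPT
    /sbin/iptables --table nat --append TransProxy \
      --jump ACCEPT

    /sbin/iptables --new-chain state_chk
    # Allow any already established or related connection
    /sbin/iptables --append state_chk -m state --state ESTABLISHED,RELATED -j ACCEPT
    # We filter all input and forwarded traffic this way
    /sbin/iptables --append INPUT -j state_chk
    /sbin/iptables --append FORWARD -j state_chk

    # Create a new chain to handle local traffic
    /sbin/iptables --new-chain local_chk
    /sbin/iptables --new-chain local_chk_1
    # Accept any traffic initiated on "local" interfaces
    /sbin/iptables --append local_chk_1 \
      --in-interface ! "$OUTERIF" -j ACCEPT
    /sbin/iptables --append local_chk -j local_chk_1
    # We filter all input and forwarded traffic this way
    /sbin/iptables --append INPUT -j local_chk
    /sbin/iptables --append FORWARD -j local_chk

    # Create new chain to handle PPP interfaces from PPTP connections.
    # Note: We cannot simply permit ppp+, as that would put a huge hole in the
    # firewall for PPPoE users.
    /sbin/iptables --new-chain PPPconn
    /sbin/iptables --new-chain PPPconn_1
    /sbin/iptables --append INPUT -j PPPconn
    /sbin/iptables --append OUTPUT -j PPPconn
    /sbin/iptables --append PPPconn -j PPPconn_1

    # Drop all multicast traffic. Note that anything on from a local network
    # will have already been accepted via the local_chk chain.
    /sbin/iptables --append INPUT -s 224.0.0.0/4 -j DROP
    /sbin/iptables --append INPUT -d 224.0.0.0/4 -j DROP
    /sbin/iptables --append OUTPUT -s 224.0.0.0/4 -j DROP
    /sbin/iptables --append OUTPUT -d 224.0.0.0/4 -j DROP

    # Masquerade everything leaving the outer interface except traffic
    # that already carries our external address.
    /sbin/iptables --table nat --new-chain PostroutingOutbound
    /sbin/iptables --table nat --append PostroutingOutbound \
      --source "$OUTERNET" -j ACCEPT
    /sbin/iptables --append PostroutingOutbound -t nat -j MASQUERADE
    /sbin/iptables --append POSTROUTING -t nat \
      --out-interface "$OUTERIF" -j PostroutingOutbound

    /sbin/iptables --new-chain InboundICMP
    /sbin/iptables --new-chain InboundICMP_1
    /sbin/iptables --append INPUT --protocol icmp --jump InboundICMP
    /sbin/iptables --append InboundICMP --protocol icmp --jump InboundICMP_1
    # Catch any returns, just in case
    /sbin/iptables --append INPUT --protocol icmp --jump denylog
    /sbin/iptables --append InboundICMP --protocol icmp --jump denylog

    /sbin/iptables --new-chain OutboundICMP
    /sbin/iptables --new-chain OutboundICMP_1
    /sbin/iptables --append OUTPUT --protocol icmp --jump OutboundICMP
    /sbin/iptables --append OutboundICMP --protocol icmp --jump OutboundICMP_1
    # Catch any returns, just in case
    /sbin/iptables --append OUTPUT --protocol icmp --jump denylog
    /sbin/iptables --append OutboundICMP --protocol icmp --jump denylog

    /sbin/iptables --new-chain ForwardedTCP
    /sbin/iptables --new-chain ForwardedTCP_1
    /sbin/iptables --append FORWARD --protocol tcp --syn --jump ForwardedTCP
    /sbin/iptables --append ForwardedTCP --protocol tcp --syn --jump ForwardedTCP_1
    # Catch any returns.
    /sbin/iptables --append ForwardedTCP --protocol tcp --syn --jump denylog

    /sbin/iptables --new-chain InboundTCP
    /sbin/iptables --new-chain InboundTCP_1
    /sbin/iptables --append INPUT --protocol tcp --syn --jump InboundTCP
    /sbin/iptables --append InboundTCP --protocol tcp --syn --jump InboundTCP_1
    # Catch any returns, just in case
    /sbin/iptables --append INPUT --protocol tcp --syn --jump denylog
    /sbin/iptables --append InboundTCP --protocol tcp --syn --jump denylog

    /sbin/iptables --new-chain ForwardedUDP
    /sbin/iptables --new-chain ForwardedUDP_1
    /sbin/iptables --append FORWARD --protocol udp --jump ForwardedUDP
    /sbin/iptables --append ForwardedUDP --protocol udp --jump ForwardedUDP_1
    # Catch any returns.
    /sbin/iptables --append ForwardedUDP --protocol udp --jump denylog

    /sbin/iptables --new-chain InboundUDP
    /sbin/iptables --new-chain InboundUDP_1
    /sbin/iptables --append INPUT --protocol udp --in-interface "$OUTERIF" \
      --jump InboundUDP
    /sbin/iptables --append InboundUDP --protocol udp --jump InboundUDP_1
    # Catch any returns, just in case
    /sbin/iptables --append INPUT --protocol udp --in-interface "$OUTERIF" \
      --jump denylog
    /sbin/iptables --append InboundUDP --protocol udp --jump denylog

    /sbin/iptables -t nat --new-chain IcpPortForward
    /sbin/iptables -t nat --insert PREROUTING --jump IcpPortForward

    /sbin/iptables -t nat --new-chain PortForwarding
    /sbin/iptables -t nat --new-chain PortForwarding_1
    /sbin/iptables -t nat --insert PREROUTING --jump PortForwarding
    /sbin/iptables -t nat --append PortForwarding --destination "$OUTERNET" \
      --jump PortForwarding_1

    # DHCP replies on the internal interface.
    /sbin/iptables --append INPUT -p udp --sport 67:68 -i "$INTERNALIF" -j ACCEPT

    # IPsec ESP (protocol 50) and AH (protocol 51).
    /sbin/iptables --new-chain ESPin
    /sbin/iptables -A INPUT -p 50 --jump ESPin
    /sbin/iptables -A INPUT -p 50 --jump denylog
    /sbin/iptables --new-chain ESPin_1
    /sbin/iptables -A ESPin -j ESPin_1

    /sbin/iptables --new-chain AHin
    /sbin/iptables -A INPUT -p 51 --jump AHin
    /sbin/iptables -A INPUT -p 51 --jump denylog
    /sbin/iptables --new-chain AHin_1
    /sbin/iptables -A AHin -j AHin_1

    # GRE (protocol 47, PPTP).  Both placeholder rules deny; "adjust"
    # turns rule 2 into an ACCEPT for traffic addressed to us.
    /sbin/iptables --new-chain gre-in
    /sbin/iptables --append INPUT -p 47 -j gre-in
    /sbin/iptables --append INPUT -p 47 -j denylog
    /sbin/iptables --append gre-in -d ! "$OUTERNET" -j denylog
    /sbin/iptables --append gre-in -j denylog

    /sbin/iptables --policy FORWARD DROP
    /sbin/iptables --append FORWARD --jump denylog
    /sbin/iptables --policy INPUT DROP
    /sbin/iptables --append INPUT --jump denylog
    /sbin/iptables --policy OUTPUT ACCEPT
    /sbin/iptables --append OUTPUT --jump ACCEPT

    # Populate the real per-run chains.  This runs as a child process,
    # so the chains it creates carry the child's PID, not ours.
    "$0" adjust
    echo "done"
    ;;

  adjust)
    # Each get_safe_id call runs in a subshell, so a failure inside it
    # cannot stop the script by itself; bail out here instead of
    # continuing with an empty chain name.
    OLD_ForwardedTCP=$(get_safe_id ForwardedTCP filter find) || exit 1
    NEW_ForwardedTCP=$(get_safe_id ForwardedTCP filter new) || exit 1
    /sbin/iptables --new-chain "$NEW_ForwardedTCP"
    /sbin/iptables --replace ForwardedTCP 1 \
      --jump "$NEW_ForwardedTCP"
    retire_chain "$OLD_ForwardedTCP"

    OLD_ForwardedUDP=$(get_safe_id ForwardedUDP filter find) || exit 1
    NEW_ForwardedUDP=$(get_safe_id ForwardedUDP filter new) || exit 1
    /sbin/iptables --new-chain "$NEW_ForwardedUDP"
    /sbin/iptables --replace ForwardedUDP 1 \
      --jump "$NEW_ForwardedUDP"
    retire_chain "$OLD_ForwardedUDP"

    # Inbound TCP: anything not addressed to our external IP is
    # dropped first, then the per-service allow/deny list.
    OLD_InboundTCP=$(get_safe_id InboundTCP filter find) || exit 1
    NEW_InboundTCP=$(get_safe_id InboundTCP filter new) || exit 1
    /sbin/iptables --new-chain "$NEW_InboundTCP"
    /sbin/iptables --append "$NEW_InboundTCP" ! \
      --destination "$OUTERNET" --jump denylog
    adjust_tcp_in 113 ACCEPT "$NEW_InboundTCP"
    adjust_tcp_in 53 ACCEPT "$NEW_InboundTCP"
    adjust_tcp_in 21 denylog "$NEW_InboundTCP"
    adjust_tcp_in 80 ACCEPT "$NEW_InboundTCP"
    adjust_tcp_in 443 ACCEPT "$NEW_InboundTCP"
    adjust_tcp_in 143 denylog "$NEW_InboundTCP"
    adjust_tcp_in 389 denylog "$NEW_InboundTCP"
    adjust_tcp_in 110 denylog "$NEW_InboundTCP"
    adjust_tcp_in 1723 ACCEPT "$NEW_InboundTCP"
    adjust_tcp_in 25 ACCEPT "$NEW_InboundTCP"
    adjust_tcp_in 22 ACCEPT "$NEW_InboundTCP"
    adjust_tcp_in 23 denylog "$NEW_InboundTCP"
    # No remote administration hosts specified
    /sbin/iptables --replace InboundTCP 1 \
      --jump "$NEW_InboundTCP"
    retire_chain "$OLD_InboundTCP"

    OLD_InboundUDP=$(get_safe_id InboundUDP filter find) || exit 1
    NEW_InboundUDP=$(get_safe_id InboundUDP filter new) || exit 1
    /sbin/iptables --new-chain "$NEW_InboundUDP"
    /sbin/iptables --append "$NEW_InboundUDP" ! \
      --destination "$OUTERNET" --jump denylog
    adjust_udp_in 53 ACCEPT "$NEW_InboundUDP"
    adjust_udp_in 500 ACCEPT "$NEW_InboundUDP"
    /sbin/iptables --replace InboundUDP 1 \
      --jump "$NEW_InboundUDP"
    retire_chain "$OLD_InboundUDP"

    # Silently drop RIP and NetBIOS noise, log everything else, then
    # fall through to rule 5 (DROP).
    /sbin/iptables --replace denylog 1 -p udp --dport 520 --jump DROP
    /sbin/iptables --replace denylog 2 -p udp --dport 137:139 --jump DROP
    /sbin/iptables --replace denylog 3 -p tcp --dport 137:139 --jump DROP
    /sbin/iptables --replace denylog 4 --jump LOG --log-prefix "denylog:"

    /sbin/iptables --replace gre-in 1 -d ! "$OUTERNET" -j denylog
    /sbin/iptables --replace gre-in 2 -j ACCEPT

    # Find the current InboundICMP_$$ chain, and create a new one.
    OLD_InboundICMP=$(get_safe_id InboundICMP filter find) || exit 1
    NEW_InboundICMP=$(get_safe_id InboundICMP filter new) || exit 1
    build_icmp_chain "$NEW_InboundICMP"
    /sbin/iptables --replace InboundICMP 1 --jump "$NEW_InboundICMP"
    retire_chain "$OLD_InboundICMP"

    # Find the current OutboundICMP_$$ chain, and create a new one.
    OLD_OutboundICMP=$(get_safe_id OutboundICMP filter find) || exit 1
    NEW_OutboundICMP=$(get_safe_id OutboundICMP filter new) || exit 1
    build_icmp_chain "$NEW_OutboundICMP"
    /sbin/iptables --replace OutboundICMP 1 --jump "$NEW_OutboundICMP"
    retire_chain "$OLD_OutboundICMP"

    # IPsec: accept ESP/AH only when addressed to our external IP.
    OLD_ESPin=$(get_safe_id ESPin filter find) || exit 1
    NEW_ESPin=$(get_safe_id ESPin filter new) || exit 1
    /sbin/iptables --new-chain "$NEW_ESPin"
    /sbin/iptables -A "$NEW_ESPin" -d ! "$OUTERNET" -j denylog
    /sbin/iptables -A "$NEW_ESPin" -j ACCEPT
    /sbin/iptables --replace ESPin 1 --jump "$NEW_ESPin"
    retire_chain "$OLD_ESPin"

    OLD_AHin=$(get_safe_id AHin filter find) || exit 1
    NEW_AHin=$(get_safe_id AHin filter new) || exit 1
    /sbin/iptables --new-chain "$NEW_AHin"
    /sbin/iptables -A "$NEW_AHin" -d ! "$OUTERNET" -j denylog
    /sbin/iptables -A "$NEW_AHin" -j ACCEPT
    /sbin/iptables --replace AHin 1 --jump "$NEW_AHin"
    retire_chain "$OLD_AHin"

    # Refresh the nat rules that embed the external address.
    /sbin/iptables --table nat --replace PostroutingOutbound 1 \
      --source "$OUTERNET" -j ACCEPT

    /sbin/iptables --table nat \
      --replace SMTPProxy 3 \
      --destination "$OUTERNET" --jump ACCEPT
    # NOTE(review): this replaces rule 4 (the DNAT to 192.168.1.1:25
    # installed by "start") with a rule that has no match and no
    # target, i.e. outbound SMTP is no longer redirected after
    # adjust.  Presumably generated from the template's proxy
    # setting; kept as-is, but confirm it is intentional.
    /sbin/iptables --table nat --replace SMTPProxy 4

    /sbin/iptables --table nat \
      --replace TransProxy 3 \
      --destination "$OUTERNET" --jump ACCEPT
    /sbin/iptables --table nat --replace TransProxy 4 \
      --jump ACCEPT

    # Local networks: loopback plus the configured internal subnets.
    OLD_local_chk=$(get_safe_id local_chk filter find) || exit 1
    NEW_local_chk=$(get_safe_id local_chk filter new) || exit 1
    /sbin/iptables --new-chain "$NEW_local_chk"
    /sbin/iptables -A "$NEW_local_chk" --in-interface lo -j ACCEPT
    for network in 192.168.1.0/255.255.255.0 \
      192.168.2.0/255.255.255.0 \
      192.168.3.0/255.255.255.0; do
      /sbin/iptables -A "$NEW_local_chk" -s "$network" -j ACCEPT
    done
    /sbin/iptables --replace local_chk 1 \
      --jump "$NEW_local_chk"
    retire_chain "$OLD_local_chk"

    # Create a new PortForwarding chain.  The chain name comes from
    # get_safe_id like every other per-run chain, so a PID that
    # collides with the previous run cannot make --new-chain fail.
    # Each DNAT is paired with a matching ACCEPT in the current
    # ForwardedTCP chain, keyed on the post-DNAT port and host.
    OLD_PortForwarding=$(get_safe_id PortForwarding nat find) || exit 1
    NEW_PortForwarding=$(get_safe_id PortForwarding nat new) || exit 1
    /sbin/iptables --table nat --new-chain "$NEW_PortForwarding"
    /sbin/iptables --table nat --append "$NEW_PortForwarding" --protocol tcp \
      --destination-port 8000 -j DNAT --to-destination 192.168.1.12:8000
    adjust_tcp_in 8000 ACCEPT "$NEW_ForwardedTCP" 192.168.1.12/32
    /sbin/iptables --table nat --append "$NEW_PortForwarding" --protocol tcp \
      --destination-port 8001 -j DNAT --to-destination 192.168.1.12:80
    adjust_tcp_in 80 ACCEPT "$NEW_ForwardedTCP" 192.168.1.12/32
    /sbin/iptables --table nat --replace PortForwarding 1 \
      --destination "$OUTERNET" --jump "$NEW_PortForwarding"
    retire_chain "$OLD_PortForwarding" nat
    ;;

  masqstop)
    echo ""
    printf '%s' "Shuting down IP Masquerading:"
    /sbin/iptables -F FORWARD
    /sbin/iptables -P FORWARD DROP
    echo " Done!"
    echo ""
    ;;

  restart)
    "$0" stop
    "$0" start
    ;;

  status)
    printf '%s\n' "Table: filter"
    /sbin/iptables --list -n
    printf '%s\n' "Table: nat"
    /sbin/iptables -t nat --list -n
    printf '%s\n' "Table: mangle"
    /sbin/iptables -t mangle --list -n
    ;;

  stop)
    echo ""
    printf '%s' "Shutting down IP masquerade and firewall rules:"
    # Only the filter table is reset here: -F/-X without -t act on
    # filter, so nat (port forwards, MASQUERADE, SMTP/HTTP proxy DNAT)
    # and mangle keep their rules until the next "start".
    /sbin/iptables -P FORWARD DROP
    /sbin/iptables -P OUTPUT ACCEPT
    /sbin/iptables -P INPUT DROP
    /sbin/iptables -F INPUT
    /sbin/iptables -F OUTPUT
    /sbin/iptables -F FORWARD
    /sbin/iptables -F
    # Keep forwarding between the internal networks only.
    /sbin/iptables --append FORWARD -s 192.168.1.0/255.255.255.0 -d 192.168.1.0/255.255.255.0 -j ACCEPT
    /sbin/iptables --append FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0 -j ACCEPT
    /sbin/iptables --append FORWARD -s 192.168.1.0/255.255.255.0 -d 192.168.2.0/255.255.255.0 -j ACCEPT
    /sbin/iptables --append FORWARD -s 192.168.3.0/255.255.255.0 -d 192.168.1.0/255.255.255.0 -j ACCEPT
    /sbin/iptables --append FORWARD -s 192.168.1.0/255.255.255.0 -d 192.168.3.0/255.255.255.0 -j ACCEPT
    /sbin/iptables -X
    echo " Done!"
    echo ""
    ;;

  *)
    echo "Usage: masq {start|stop|restart|...}"
    exit 1
    ;;
esac

exit 0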