
Deny-Base Stateful Firewall with iptables

Public domain


/etc/rc.d/init.d/firewall

#!/bin/bash
#
# startup script for stateful-firewall
#
# chkconfig: - 91 15
# description: stateful-firewall designed by Pejman Moghadam.
# load appropriate modules
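# Load the netfilter modules the rule set depends on.  ip_conntrack backs the
# "-m state" matches in start(); ip_conntrack_ftp is loaded for the FTP
# data-channel (RELATED) rules.  A module that fails to load is reported on
# stderr; the stateful rules then fail to insert and the DROP policies hold.
for module in ip_tables ip_conntrack ip_conntrack_ftp; do
    modprobe "$module" || echo "firewall: cannot load module $module" >&2
done
# Site definitions: iptables binary, trusted LAN, inside and outside interfaces.
readonly IPTABLES=/sbin/iptables
readonly LOCALNET=192.168.0.0/24
readonly INTIF=eth0
readonly EXTIF=eth1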
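# Run one iptables command against the filter table.  A failure is reported on
# stderr but does not abort start(): with the policies already at DROP, a rule
# that fails to load only means that traffic stays blocked (fail closed).
ipt() {
    "$IPTABLES" -t filter "$@" || echo "firewall: failed: $IPTABLES -t filter $*" >&2
}

# Stateful transit localnet -> internet.
# Arguments: $1 = tcp|udp, $2 = remote destination port
allow_transit() {
    local proto=$1 port=$2
    ipt -A FORWARD -i "$INTIF" -s "$LOCALNET" -p "$proto" --dport "$port" -m state --state NEW,ESTABLISHED -j ACCEPT
    ipt -A FORWARD -i "$EXTIF" -d "$LOCALNET" -p "$proto" --sport "$port" -m state --state ESTABLISHED -j ACCEPT
}

# Same as allow_transit but without the $LOCALNET source/destination match;
# kept for the rules the original set left unrestricted.
# Arguments: $1 = tcp|udp, $2 = remote destination port
allow_transit_any() {
    local proto=$1 port=$2
    ipt -A FORWARD -i "$INTIF" -p "$proto" --dport "$port" -m state --state NEW,ESTABLISHED -j ACCEPT
    ipt -A FORWARD -i "$EXTIF" -p "$proto" --sport "$port" -m state --state ESTABLISHED -j ACCEPT
}

# Stateful service on the firewall box itself, reachable from localnet.
# Arguments: $1 = tcp|udp, $2 = local destination port
allow_localnet_to_box() {
    local proto=$1 port=$2
    ipt -A INPUT -i "$INTIF" -s "$LOCALNET" -p "$proto" --dport "$port" -m state --state NEW,ESTABLISHED -j ACCEPT
    ipt -A OUTPUT -o "$INTIF" -d "$LOCALNET" -p "$proto" --sport "$port" -m state --state ESTABLISHED -j ACCEPT
}

# Stateful client connection from the firewall box to the internet.
# Arguments: $1 = tcp|udp, $2 = remote destination port
allow_box_to_internet() {
    local proto=$1 port=$2
    ipt -A INPUT -i "$EXTIF" -p "$proto" --sport "$port" -m state --state ESTABLISHED -j ACCEPT
    ipt -A OUTPUT -o "$EXTIF" -p "$proto" --dport "$port" -m state --state NEW,ESTABLISHED -j ACCEPT
}

# Load the deny-by-default rule set.
# Globals:   IPTABLES, LOCALNET, INTIF, EXTIF (read)
# Arguments: none
# Outputs:   progress messages on stdout, failed rules on stderr
# Returns:   0
start() {
    local port
    echo "Starting firewall . . ."
    # Close the filter table before touching any kernel flag, so that IP
    # forwarding is never switched on while the policies are still ACCEPT
    # (which is what stop() leaves behind).  DROP goes in before the flush so
    # there is no window with an empty table under an ACCEPT policy.
    echo -e "\t Change filter policy to DROP."
    ipt -P INPUT DROP
    ipt -P OUTPUT DROP
    ipt -P FORWARD DROP
    echo -e "\t Flush filter table."
    ipt -F
    echo -e "\t Remove user defined chains."
    ipt -X
    echo -e "\t Zero filter table counters."
    ipt -Z
    echo -e "\t Kerlnel flags:"
    echo -e "\t\t IP forwarding."
    echo 1 > /proc/sys/net/ipv4/ip_forward
    echo -e "\t\t Anti smurf amplifier."
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
    echo -e "\t\t Anti synflood DoS."
    echo 1 > /proc/sys/net/ipv4/tcp_syncookies
    echo -e "\t Allow self-connection on firewall box."
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT
    echo -e "\t ----------SSH----------"
    echo -e "\t Allow SSH(tcp/22) connection from localnet to firewall box."
    allow_localnet_to_box tcp 22
    echo -e "\t ----------DNS----------"
    echo -e "\t Allow DNS(udp/53) query from firewall box to internet."
    allow_box_to_internet udp 53
    echo -e "\t Allow DNS(udp/53) query from localnet to firewall box."
    allow_localnet_to_box udp 53
    echo -e "\t Allow DNS(udp/53) qurey transit from localnet to internet."
    allow_transit udp 53
    echo -e "\t ----------HTTP----------"
    echo -e "\t Allow HTTP(tcp/80) connection transit from localnet to internet."
    allow_transit tcp 80
    echo -e "\t Allow HTTP(tcp/80) connection from firewall box to internet."
    allow_box_to_internet tcp 80
    echo -e "\t Allow HTTP(tcp/80) connection from localnet to firewall box."
    allow_localnet_to_box tcp 80
    # Alternate HTTP ports the author allowed through; same stateful pair each.
    for port in 800 8000 8080 8383 3000 2082 2095; do
        echo -e "\t Allow HTTP(tcp/$port) connection transit from localnet to internet."
        allow_transit tcp "$port"
    done
    echo -e "\t Allow HTTPS(tcp/443) connection transit from localnet to internet."
    allow_transit tcp 443
    echo -e "\t ----------ICMP----------"
    echo -e "\t Allow PING(icmp) echo request from/to localnet to/from firewall box."
    # Note: every ICMP type is accepted between localnet and the box, not only
    # echo-request/echo-reply as the message suggests.
    ipt -A INPUT -i "$INTIF" -s "$LOCALNET" -p icmp -j ACCEPT
    ipt -A OUTPUT -o "$INTIF" -d "$LOCALNET" -p icmp -j ACCEPT
    echo -e "\t Allow PING(icmp) echo request from firwall box to internet."
    ipt -A INPUT -i "$EXTIF" -p icmp --icmp-type echo-reply -j ACCEPT
    ipt -A OUTPUT -o "$EXTIF" -p icmp --icmp-type echo-request -j ACCEPT
    echo -e "\t Allow PING(icmp) echo request transit from localnet to internet(192.9.9.3)."
    # Only this one external host may be pinged through the box.
    ipt -A FORWARD -i "$INTIF" -d 192.9.9.3 -p icmp --icmp-type echo-request -j ACCEPT
    ipt -A FORWARD -i "$EXTIF" -s 192.9.9.3 -p icmp --icmp-type echo-reply -j ACCEPT
    echo -e "\t Allow TRACEROUTE(icmp) from firwall box to internet."
    ipt -A INPUT -i "$EXTIF" -p icmp --icmp-type ttl-zero-during-transit -j ACCEPT
    echo -e "\t Allow TRACEROUTE(icmp) tansit from localnet to internet."
    ipt -A FORWARD -i "$EXTIF" -d "$LOCALNET" -p icmp --icmp-type ttl-zero-during-transit -j ACCEPT
    echo -e "\t ----------FTP----------"
    echo -e "\t Allow FTP(tcp/21) connection from firewall box to internet."
    allow_box_to_internet tcp 21
    # FTP data channels: active mode is opened by the server from port 20
    # (RELATED on the first packet), passive mode by the client to a server
    # port >= 1024; both rely on the ip_conntrack_ftp helper loaded above.
    echo -e "\t Allow ACTIVE FTP(tcp/20) data flow connection from firewall box to internet."
    ipt -A INPUT -i "$EXTIF" -p tcp --sport 20 -m state --state RELATED,ESTABLISHED -j ACCEPT
    ipt -A OUTPUT -o "$EXTIF" -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
    echo -e "\t Allow PASSIVE FTP(tcp/client-port>=1024) data flow connection from firewall box to internet."
    ipt -A INPUT -i "$EXTIF" -p tcp --dport 1024: -m state --state ESTABLISHED -j ACCEPT
    ipt -A OUTPUT -o "$EXTIF" -p tcp --sport 1024: -m state --state RELATED,ESTABLISHED -j ACCEPT
    echo -e "\t Allow FTP(tcp/21) connection from firewall box to localnet."
    ipt -A INPUT -i "$INTIF" -s "$LOCALNET" -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
    ipt -A OUTPUT -o "$INTIF" -d "$LOCALNET" -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
    echo -e "\t Allow ACTIVE FTP(tcp/20) data flow connection from firewall box to localnet."
    ipt -A INPUT -i "$INTIF" -s "$LOCALNET" -p tcp --sport 20 -m state --state RELATED,ESTABLISHED -j ACCEPT
    ipt -A OUTPUT -o "$INTIF" -d "$LOCALNET" -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
    echo -e "\t Allow PASSIVE FTP(tcp/client-port>=1024) data flow connection from firewall box to localnet."
    ipt -A INPUT -i "$INTIF" -s "$LOCALNET" -p tcp --dport 1024: -m state --state ESTABLISHED -j ACCEPT
    ipt -A OUTPUT -o "$INTIF" -d "$LOCALNET" -p tcp --sport 1024: -m state --state RELATED,ESTABLISHED -j ACCEPT
    echo -e "\t Allow FTP(tcp/21) connection transit from localnet to internet."
    allow_transit tcp 21
    echo -e "\t Allow ACTIVE FTP(tcp/20) data flow connection transit from localnet to internet."
    ipt -A FORWARD -i "$INTIF" -s "$LOCALNET" -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
    ipt -A FORWARD -i "$EXTIF" -d "$LOCALNET" -p tcp --sport 20 -m state --state RELATED,ESTABLISHED -j ACCEPT
    echo -e "\t Allow PASSIVE FTP(tcp/client-port>=1024) data flow connection transit from localnet to internet."
    ipt -A FORWARD -i "$INTIF" -s "$LOCALNET" -p tcp --sport 1024: -m state --state RELATED,ESTABLISHED -j ACCEPT
    ipt -A FORWARD -i "$EXTIF" -d "$LOCALNET" -p tcp --dport 1024: -m state --state ESTABLISHED -j ACCEPT
    echo -e "\t ----------MAIL----------"
    echo -e "\t Allow SMTP(tcp/25) connection transit from localnet to internet."
    allow_transit tcp 25
    echo -e "\t Allow POP3(tcp/110) connection transit from localnet to internet."
    allow_transit tcp 110
    echo -e "\t ----------TELNET----------"
    echo -e "\t Allow TELNET(tcp/23) connection transit from localnet to internet."
    allow_transit tcp 23
    echo -e "\t ----------SNMP----------"
    echo -e "\t Allow SNMP(udp/161) query from firewall box to internet."
    allow_box_to_internet udp 161
    echo -e "\t ----------PCAnyWhere----------"
    echo -e "\t Allow PCAnyWhere(tcp/5631-udp/5632) connection transit from localnet to internet."
    allow_transit tcp 5631
    allow_transit udp 5632
    echo -e "\t ----------RealPlayer----------"
    echo -e "\t Allow RealPlayer(tcp/554-tcp/7070) connection transit from localnet to internet."
    # The original pair had no state match, so any inbound packet with source
    # port 554/7070 was forwarded into localnet whether or not a client had
    # opened the connection; use the same stateful pair as every other TCP
    # service here.
    allow_transit tcp 554
    allow_transit tcp 7070
    # ipt -A FORWARD -i "$INTIF" -s "$LOCALNET" -p udp --dport 6970:7170 -j ACCEPT
    # ipt -A FORWARD -i "$EXTIF" -d "$LOCALNET" -p udp --sport 6970:7170 -j ACCEPT
    echo -e "\t ----------Squid----------"
    echo -e "\t Allow Proxy(tcp/3128) connection from localnet to firwall box."
    allow_localnet_to_box tcp 3128
    echo -e "\t Allow Proxy(tcp/d=9202,s=4028) connection from firwall box to internet."
    # NOTE(review): the request goes to port 9202 but the reply rule matches
    # source port 4028, so replies answered from 9202 do not match.  Kept as
    # the author wrote it -- confirm against the upstream proxy.
    ipt -A INPUT -i "$EXTIF" -p tcp --sport 4028 -m state --state ESTABLISHED -j ACCEPT
    ipt -A OUTPUT -o "$EXTIF" -p tcp --dport 9202 -m state --state NEW,ESTABLISHED -j ACCEPT
    echo -e "\t ----------Yahoo----------"
    echo -e "\t Allow YM connection(tcp/5050) transit from localnet to internet."
    allow_transit tcp 5050
    # The Yahoo voice/video/game, MSN and JAP rules below are not restricted
    # to $LOCALNET in the original set; that is preserved (allow_transit_any).
    # Switch them to allow_transit if only localnet should be forwarded.
    echo -e "\t Allow YM voice(tcp/5001-udp/5000) transit form localnet to internet."
    allow_transit_any tcp 5001
    allow_transit_any udp 5000
    echo -e "\t Allow YM video(tcp/5100) transit from localnet to internet."
    allow_transit_any tcp 5100
    echo -e "\t Allow Y-Game(tcp/11999) transit from localnet to internet."
    allow_transit_any tcp 11999
    echo -e "\t ----------MSN----------"
    echo -e "\t Allow MSN Messenger(tcp/1863) connection from localnet to internet."
    # Now stateful; the original pair had no state match (see RealPlayer).
    allow_transit_any tcp 1863
    echo -e "\t ----------RADIUS----------"
    echo -e "\t Allow RADIUS data flow between Remote-Access-Server and Secure-Server."
    # Host-to-host, any protocol, both directions; goes through $IPTABLES like
    # everything else (the original called a bare "iptables" here).
    ipt -A FORWARD -s 192.168.0.66 -d 192.168.0.130 -j ACCEPT
    ipt -A FORWARD -s 192.168.0.130 -d 192.168.0.66 -j ACCEPT
    echo " -[Ok]-"
    echo -e "\t ----------Corporation----------"
    echo -e "\t Allow JAP (tcp/6544,6543) transit from localnet to internet."
    allow_transit_any tcp 6544
    allow_transit_any tcp 6543
    echo -e "\t Allow HTTP(tcp/80) connection transit from localnet to localnet."
    # One rule is enough: the original second line was the same match with
    # -s/-d swapped in the argument list, i.e. an exact duplicate.
    ipt -A FORWARD -i "$INTIF" -o "$INTIF" -s "$LOCALNET" -d "$LOCALNET" -j ACCEPT
    echo " -[Ok]-"
}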
# Tear the rule set down and open the filter table (all policies to ACCEPT).
# Globals:   IPTABLES (read)
# Arguments: none
# Outputs:   progress messages on stdout
# NOTE(review): IP forwarding is not switched off here, so after stop() the
# box forwards everything between its interfaces under ACCEPT policies;
# confirm that is the intended "firewall off" state.
stop() {
    local chain
    echo "Stopping firewall . . ."
    echo -e "\t Flush filter table."
    "$IPTABLES" -t filter -F
    echo -e "\t Remove user defined chains."
    "$IPTABLES" -t filter -X
    echo -e "\t Zero filter table counters."
    "$IPTABLES" -t filter -Z
    echo -e "\t Change filter policy to ACCEPT."
    for chain in INPUT OUTPUT FORWARD; do
        "$IPTABLES" -t filter -P "$chain" ACCEPT
    done
    echo " -[Ok]-"
}
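# Dispatch on the init-script action.  An unknown action prints usage on
# stderr and exits non-zero so that chkconfig/service callers notice (the
# original fell through to a bare "exit", i.e. status 0 after the echo).
case "$1" in
  start)
    start
    ;;
  stop)
    stop
    ;;
  restart)
    stop
    start
    ;;
  status)
    "$IPTABLES" -t filter -L -nxv | less
    ;;
  *)
    echo "Usage: $0 {start|stop|restart|status}" >&2
    exit 1
    ;;
esac
exit 0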

BY: Pejman Moghadam
TAG: firewall, iptables, bash-script, bash
DATE: 2003-11-17 17:25:10

