Diffstat (limited to 'rules.sh')
-rwxr-xr-xrules.sh268
1 files changed, 268 insertions, 0 deletions
diff --git a/rules.sh b/rules.sh
new file mode 100755
index 0000000..d2f0405
--- /dev/null
+++ b/rules.sh
@@ -0,0 +1,268 @@
+#!/bin/sh -e
+#
+# saswall
+#
+# saswall is a simple and safe firewall loader. After reloading a
+# new ruleset it ask for a confirmation and reverts all changes if
+# this confirmation times out.
+#
+# Copyright (C) 2013 Christian Pointner <equinox@spreadspace.org>
+#
+# This file is part of saswall.
+#
+# saswall is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 2 of the License, or
+# any later version.
+#
+# saswall is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with saswall. If not, see <http://www.gnu.org/licenses/>.
+#
+## Sample rules.sh for saswall
+##
+## this file gets sourced by /usr/local/sbin/saswall
+## - please add your rules here
+## - redfined the variable SASWALL_CONFIRM_TIMEOUT if you want
+## a different timout (default: 20 -> 20s)
+## - don't use variable and function names starting with
+## saswall or SASWALL
+## - functions ipv4_up, ipv4_down, ipv6_up and ipv6_down must
+## be defined here as they get called by the saswall script
+## - don't use exit!!
+##
+
+#######################
+# Definitions #
+#######################
+
+IPTABLES="/sbin/iptables"
+IP6TABLES="/sbin/ip6tables"
+
+[ -x $IPTABLES ] || exit 0
+[ -x $IP6TABLES ] || exit 0
+
+FILTER="$IPTABLES -t filter"
+NAT="$IPTABLES -t nat"
+MANGLE="$IPTABLES -t mangle"
+
+FILTER6="$IP6TABLES -t filter"
+MANGLE6="$IP6TABLES -t mangle"
+
+
+
+EXT_IF=eth0
+EXT_IP=1.2.3.4
+
+INT_IF=eth1
+LOCAL_IP=192.168.1.1
+LOCAL_NET=192.168.1.0/24
+
+PORTFW=""
+PORTFW="$PORTFW udp,1234,192.168.1.1:1234"
+PORTFW="$PORTFW tcp,80,192.168.1.2:8080"
+
+PORTFW6="" # well not really port forwardings but allowed traffic
+PORTFW6="$PORTFW tcp,80,1234::1.8080"
+
+TCP_IN_PORTS="22000"
+UDP_IN_PORTS=""
+
+
+#########################
+# IPv4 UP #
+#########################
+
+ipv4_up() {
+# FORWARD
+ # local traffic
+
+ # nothing here
+
+ # outbound traffic
+
+ # main NAT
+ $NAT -A POSTROUTING -s $LOCAL_NET -o $EXT_IF -j SNAT --to $EXT_IP
+
+ # allow forwarded outbound traffic
+ $FILTER -A FORWARD -i lo -j ACCEPT
+ $FILTER -A FORWARD -i $INT_IF -j ACCEPT
+
+ # inbound traffic
+
+ # allow icmp and active connections
+ $FILTER -A FORWARD -i $EXT_IF -o $INT_IF -p icmp -j ACCEPT
+ $FILTER -A FORWARD -i $EXT_IF -o $INT_IF -m state --state RELATED,ESTABLISHED -j ACCEPT
+
+ # install port forwardings and allow traffic through it
+ for fw in $PORTFW; do
+ proto=${fw%%,*}
+ port=${fw#*,}
+ port=${port%%,*}
+ to=${fw##*,}
+ to_ip=${to%%:*}
+ if [ "$to_ip" = "$to" ]; then
+ to_port=$port
+ else
+ to_port=${to##*:}
+ fi
+ $NAT -A PREROUTING -i $EXT_IF -d $EXT_IP -p $proto --dport $port -j DNAT --to $to
+ $FILTER -A FORWARD -i $EXT_IF -o $INT_IF -d $to_ip -p $proto --dport $to_port -j ACCEPT
+ done
+
+ # Policy -> DROP
+
+ $FILTER -P FORWARD DROP
+
+
+
+# INPUT
+
+ # allow everything from internal interfaces
+ $FILTER -A INPUT -i lo -j ACCEPT
+ $FILTER -A INPUT -i $INT_IF -j ACCEPT
+
+
+ # allow icmp and active connections from external
+ $FILTER -A INPUT -i $EXT_IF -p icmp -j ACCEPT
+ $FILTER -A INPUT -i $EXT_IF -m state --state RELATED,ESTABLISHED -j ACCEPT
+
+ # allow
+ for port in $TCP_IN_PORTS; do
+ $FILTER -A INPUT -i $EXT_IF -p tcp --dport $port -j ACCEPT
+ done
+ for port in $UDP_IN_PORTS; do
+ $FILTER -A INPUT -i $EXT_IF -p udp --dport $port -j ACCEPT
+ done
+
+
+ # Policy -> DROP
+
+ $FILTER -P INPUT DROP
+
+
+
+# OUTPUT
+
+ # nothing here
+
+
+
+# END
+ echo -n "success"
+}
+
+
+#########################
+# IPv6 UP #
+#########################
+
+ipv6_up() {
+# FORWARD
+ # local traffic
+
+ # nothing here
+
+ # outbound traffic
+
+ # allow forwarded outbound traffic
+ $FILTER6 -A FORWARD -i lo -j ACCEPT
+ $FILTER6 -A FORWARD -i $INT_IF -j ACCEPT
+
+ # inbound traffic
+
+ # allow icmp and active connections
+ $FILTER6 -A FORWARD -i $EXT_IF -o $INT_IF -p icmp -j ACCEPT
+ $FILTER6 -A FORWARD -i $EXT_IF -o $INT_IF -m state --state RELATED,ESTABLISHED -j ACCEPT
+
+ # allow traffic to internal hosts
+ for fw in $PORTFW6; do
+ proto=${fw%%,*}
+ port=${fw#*,}
+ port=${port%%,*}
+ to=${fw##*,}
+ to_ip=${to%%:*}
+ if [ "$to_ip" = "$to" ]; then
+ to_port=$port
+ else
+ to_port=${to##*:}
+ fi
+ $FILTER6 -A FORWARD -i $EXT_IF -o $INT_IF -d $to_ip -p $proto --dport $to_port -j ACCEPT
+ done
+
+ # Policy -> DROP
+
+ $FILTER6 -P FORWARD DROP
+
+
+
+# INPUT
+
+ # allow everything form internal interface
+ $FILTER6 -A INPUT -i lo -j ACCEPT
+ $FILTER6 -A INPUT -i $INT_IF -j ACCEPT
+
+
+ # allow icmp and active connections
+ $FILTER6 -A INPUT -i $EXT_IF -p icmpv6 -j ACCEPT
+ $FILTER6 -A INPUT -i $EXT_IF -m state --state RELATED,ESTABLISHED -j ACCEPT
+
+ # allow
+ for port in $TCP_IN_PORTS; do
+ $FILTER6 -A INPUT -i $EXT_IF -p tcp --dport $port -j ACCEPT
+ done
+ for port in $UDP_IN_PORTS; do
+ $FILTER6 -A INPUT -i $EXT_IF -p udp --dport $port -j ACCEPT
+ done
+
+
+ # Policy -> DROP
+
+ $FILTER6 -P INPUT DROP
+
+
+
+# OUTPUT
+
+ # nothing here
+
+
+
+# END
+ echo -n "success"
+}
+
+
+#########################
+# IPv4 DOWN #
+#########################
+
+ipv4_down() {
+ $MANGLE -F
+ $NAT -F
+ $FILTER -F
+ $FILTER -P INPUT ACCEPT
+ $FILTER -P FORWARD ACCEPT
+ $FILTER -P OUTPUT ACCEPT
+
+ echo -n "success"
+}
+
+
+#########################
+# IPv6 DOWN #
+#########################
+
+ipv6_down() {
+ $MANGLE6 -F
+ $FILTER6 -F
+ $FILTER6 -P INPUT ACCEPT
+ $FILTER6 -P FORWARD ACCEPT
+ $FILTER6 -P OUTPUT ACCEPT
+
+ echo -n "success"
+}
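Review bot: L85 appends to `$PORTFW` instead of `$PORTFW6`, so the IPv4 forwarding entries are re-parsed as IPv6 FORWARD accepts, and the one IPv6 entry is itself mis-parsed because `to_ip=${to%%:*}` at L203 cuts `1234::1.8080` at its first colon into `to_ip=1234` and `to_port=1.8080`, which ip6tables will reject and, under `sh -e`, abort ipv6_up. Since the sample already uses `.` as the address/port separator for IPv6, the cheap fix is `PORTFW6="$PORTFW6 tcp,80,1234::1.8080"` at L85 and `to_ip=${to%.*}` / `to_port=${to##*.}` in the ipv6_up loop, leaving the colon parsing to ipv4_up only. The `exit 0` at L61-L62 contradicts the file's own rule at L51 ("don't use exit!!" because this file is sourced): a missing binary would presumably terminate the loader with a success status and no ruleset installed, so report the error on stderr and let the loader see a failure rather than exiting silently with 0. L194 uses `-p icmp` under ip6tables whereas L226 correctly uses `icmpv6`; ip6tables likely resolves `icmp` to IP protocol 1, which never occurs in IPv6, so that forwarded rule probably matches nothing and should read `-p icmpv6`.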