From abc736dd0ee0d4ca0006e350f4be91cf6c7732a8 Mon Sep 17 00:00:00 2001
From: Christian Pointner
Date: Sun, 15 Sep 2013 03:43:41 +0200
Subject: initial release
---
 rules.sh | 268 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 268 insertions(+)
 create mode 100755 rules.sh
(limited to 'rules.sh')
diff --git a/rules.sh b/rules.sh
new file mode 100755
index 0000000..d2f0405
--- /dev/null
+++ b/rules.sh
@@ -0,0 +1,268 @@
+#!/bin/sh -e
+#
+# saswall
+#
+# saswall is a simple and safe firewall loader. After reloading a
+# new ruleset it ask for a confirmation and reverts all changes if
+# this confirmation times out.
+#
+# Copyright (C) 2013 Christian Pointner
+#
+# This file is part of saswall.
+#
+# saswall is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 2 of the License, or
+# any later version.
+#
+# saswall is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with saswall. If not, see .
+#
+## Sample rules.sh for saswall
+##
+## this file gets sourced by /usr/local/sbin/saswall
+## - please add your rules here
+## - redfined the variable SASWALL_CONFIRM_TIMEOUT if you want
+## a different timout (default: 20 -> 20s)
+## - don't use variable and function names starting with
+## saswall or SASWALL
+## - functions ipv4_up, ipv4_down, ipv6_up and ipv6_down must
+## be defined here as they get called by the saswall script
+## - don't use exit!!
+##
+
+#######################
+# Definitions #
+#######################
+
+IPTABLES="/sbin/iptables"
+IP6TABLES="/sbin/ip6tables"
+
+[ -x $IPTABLES ] || exit 0
+[ -x $IP6TABLES ] || exit 0
+
+FILTER="$IPTABLES -t filter"
+NAT="$IPTABLES -t nat"
+MANGLE="$IPTABLES -t mangle"
+
+FILTER6="$IP6TABLES -t filter"
+MANGLE6="$IP6TABLES -t mangle"
+
+
+
+EXT_IF=eth0
+EXT_IP=1.2.3.4
+
+INT_IF=eth1
+LOCAL_IP=192.168.1.1
+LOCAL_NET=192.168.1.0/24
+
+PORTFW=""
+PORTFW="$PORTFW udp,1234,192.168.1.1:1234"
+PORTFW="$PORTFW tcp,80,192.168.1.2:8080"
+
+PORTFW6="" # well not really port forwardings but allowed traffic
+PORTFW6="$PORTFW tcp,80,1234::1.8080"
+
+TCP_IN_PORTS="22000"
+UDP_IN_PORTS=""
+
+
+#########################
+# IPv4 UP #
+#########################
+
+ipv4_up() {
+# FORWARD
+ # local traffic
+
+ # nothing here
+
+ # outbound traffic
+
+ # main NAT
+ $NAT -A POSTROUTING -s $LOCAL_NET -o $EXT_IF -j SNAT --to $EXT_IP
+
+ # allow forwarded outbound traffic
+ $FILTER -A FORWARD -i lo -j ACCEPT
+ $FILTER -A FORWARD -i $INT_IF -j ACCEPT
+
+ # inbound traffic
+
+ # allow icmp and active connections
+ $FILTER -A FORWARD -i $EXT_IF -o $INT_IF -p icmp -j ACCEPT
+ $FILTER -A FORWARD -i $EXT_IF -o $INT_IF -m state --state RELATED,ESTABLISHED -j ACCEPT
+
+ # install port forwardings and allow traffic through it
+ for fw in $PORTFW; do
+ proto=${fw%%,*}
+ port=${fw#*,}
+ port=${port%%,*}
+ to=${fw##*,}
+ to_ip=${to%%:*}
+ if [ "$to_ip" = "$to" ]; then
+ to_port=$port
+ else
+ to_port=${to##*:}
+ fi
+ $NAT -A PREROUTING -i $EXT_IF -d $EXT_IP -p $proto --dport $port -j DNAT --to $to
+ $FILTER -A FORWARD -i $EXT_IF -o $INT_IF -d $to_ip -p $proto --dport $to_port -j ACCEPT
+ done
+
+ # Policy -> DROP
+
+ $FILTER -P FORWARD DROP
+
+
+
+# INPUT
+
+ # allow everything from internal interfaces
+ $FILTER -A INPUT -i lo -j ACCEPT
+ $FILTER -A INPUT -i $INT_IF -j ACCEPT
+
+
+ # allow icmp and active connections from external
+ $FILTER -A INPUT -i $EXT_IF -p icmp -j ACCEPT
+ $FILTER -A INPUT -i $EXT_IF -m state --state RELATED,ESTABLISHED -j ACCEPT
+
+ # allow
+ for port in $TCP_IN_PORTS; do
+ $FILTER -A INPUT -i $EXT_IF -p tcp --dport $port -j ACCEPT
+ done
+ for port in $UDP_IN_PORTS; do
+ $FILTER -A INPUT -i $EXT_IF -p udp --dport $port -j ACCEPT
+ done
+
+
+ # Policy -> DROP
+
+ $FILTER -P INPUT DROP
+
+
+
+# OUTPUT
+
+ # nothing here
+
+
+
+# END
+ echo -n "success"
+}
+
+
+#########################
+# IPv6 UP #
+#########################
+
+ipv6_up() {
+# FORWARD
+ # local traffic
+
+ # nothing here
+
+ # outbound traffic
+
+ # allow forwarded outbound traffic
+ $FILTER6 -A FORWARD -i lo -j ACCEPT
+ $FILTER6 -A FORWARD -i $INT_IF -j ACCEPT
+
+ # inbound traffic
+
+ # allow icmp and active connections
+ $FILTER6 -A FORWARD -i $EXT_IF -o $INT_IF -p icmp -j ACCEPT
+ $FILTER6 -A FORWARD -i $EXT_IF -o $INT_IF -m state --state RELATED,ESTABLISHED -j ACCEPT
+
+ # allow traffic to internal hosts
+ for fw in $PORTFW6; do
+ proto=${fw%%,*}
+ port=${fw#*,}
+ port=${port%%,*}
+ to=${fw##*,}
+ to_ip=${to%%:*}
+ if [ "$to_ip" = "$to" ]; then
+ to_port=$port
+ else
+ to_port=${to##*:}
+ fi
+ $FILTER6 -A FORWARD -i $EXT_IF -o $INT_IF -d $to_ip -p $proto --dport $to_port -j ACCEPT
+ done
+
+ # Policy -> DROP
+
+ $FILTER6 -P FORWARD DROP
+
+
+
+# INPUT
+
+ # allow everything form internal interface
+ $FILTER6 -A INPUT -i lo -j ACCEPT
+ $FILTER6 -A INPUT -i $INT_IF -j ACCEPT
+
+
+ # allow icmp and active connections
+ $FILTER6 -A INPUT -i $EXT_IF -p icmpv6 -j ACCEPT
+ $FILTER6 -A INPUT -i $EXT_IF -m state --state RELATED,ESTABLISHED -j ACCEPT
+
+ # allow
+ for port in $TCP_IN_PORTS; do
+ $FILTER6 -A INPUT -i $EXT_IF -p tcp --dport $port -j ACCEPT
+ done
+ for port in $UDP_IN_PORTS; do
+ $FILTER6 -A INPUT -i $EXT_IF -p udp --dport $port -j ACCEPT
+ done
+
+
+ # Policy -> DROP
+
+ $FILTER6 -P INPUT DROP
+
+
+
+# OUTPUT
+
+ # nothing here
+
+
+
+# END
+ echo -n "success"
+}
+
+
+#########################
+# IPv4 DOWN #
+#########################
+
+ipv4_down() {
+ $MANGLE -F
+ $NAT -F
+ $FILTER -F
+ $FILTER -P INPUT ACCEPT
+ $FILTER -P FORWARD ACCEPT
+ $FILTER -P OUTPUT ACCEPT
+
+ echo -n "success"
+}
+
+
+#########################
+# IPv6 DOWN #
+#########################
+
+ipv6_down() {
+ $MANGLE6 -F
+ $FILTER6 -F
+ $FILTER6 -P INPUT ACCEPT
+ $FILTER6 -P FORWARD ACCEPT
+ $FILTER6 -P OUTPUT ACCEPT
+
+ echo -n "success"
+}
--
cgit v1.2.3
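Review bot: `PORTFW6="$PORTFW tcp,80,1234::1.8080"` appends to the IPv4 list `$PORTFW` instead of `$PORTFW6`, so the loop in ipv6_up also iterates the IPv4 entries and hands `192.168.1.1` to ip6tables as `-d`, which it will not accept; if the loader runs with the `-e` the shebang suggests, ipv6_up then aborts before `$FILTER6 -P FORWARD DROP` and the whole INPUT section, leaving the IPv6 chains with their previous policy and only part of the new rules. The definition should read `PORTFW6="$PORTFW6 tcp,80,1234::1.8080"`. The entry parser copied into ipv6_up also splits on `:`, which cannot work for an IPv6 address (`1234::1.8080` yields `to_ip=1234` and `to_port=1.8080`); since the sample entry uses `.` as the port separator, that loop should use `to_ip=${to%.*}` and `to_port=${to##*.}`, keeping the existing `[ "$to_ip" = "$to" ]` fallback to `$port`. Separately, ipv6_up's FORWARD chain matches `-p icmp` while its INPUT chain matches `-p icmpv6`; if ip6tables resolves `icmp` to protocol 1 rather than ICMPv6, the FORWARD rule matches nothing and ICMPv6 towards `$INT_IF` is dropped by the policy, which breaks path-MTU discovery for internal hosts. Finally, the header says "don't use exit!!" because the file is sourced, yet `[ -x $IPTABLES ] || exit 0` and the `$IP6TABLES` check below it do exactly that and would terminate the saswall loader itself; returning or skipping the affected `*_up`/`*_down` bodies would be consistent with the file's own rule.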