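#!/bin/sh -e
#
#  saswall
#
#  saswall is a simple and safe firewall loader. After reloading a
#  new ruleset it asks for a confirmation and reverts all changes if
#  this confirmation times out.
#
#  Copyright (C) 2013-2016 Christian Pointner
#
#  This file is part of saswall.
#
#  saswall is free software: you can redistribute it and/or modify
#  it under the terms of the GNU General Public License as published by
#  the Free Software Foundation, either version 2 of the License, or
#  any later version.
#
#  saswall is distributed in the hope that it will be useful,
#  but WITHOUT ANY WARRANTY; without even the implied warranty of
#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#  GNU General Public License for more details.
#
#  You should have received a copy of the GNU General Public License
#  along with saswall. If not, see <http://www.gnu.org/licenses/>.
#

## Sample rules.sh for saswall
##
## this file gets sourced by /usr/sbin/saswall
##  - please add your rules here
##  - redefine the variable SASWALL_CONFIRM_TIMEOUT if you want
##    a different timeout (default: 20 -> 20 seconds)
##  - don't use variable and function names starting with
##    saswall or SASWALL
##  - functions ipv4_up, ipv4_down, ipv6_up and ipv6_down must
##    be defined here as they get called by the saswall script
##  - don't use exit!!
##

#######################
#     Definitions     #
#######################

IPTABLES="/sbin/iptables"
IP6TABLES="/sbin/ip6tables"

# Bail out while this file is still being sourced, i.e. before any rule
# has been loaded. This is the only place where leaving the caller is
# harmless; inside the *_up/*_down functions exit must not be used.
[ -x "$IPTABLES" ] || exit 0
[ -x "$IP6TABLES" ] || exit 0

# These hold a command plus its table option and are deliberately used
# unquoted below: the word splitting is what turns them into a command line.
FILTER="$IPTABLES -t filter"
NAT="$IPTABLES -t nat"
MANGLE="$IPTABLES -t mangle"
FILTER6="$IP6TABLES -t filter"
MANGLE6="$IP6TABLES -t mangle"

EXT_IF=eth0
EXT_IP=1.2.3.4
INT_IF=eth1
LOCAL_IP=192.168.1.1
LOCAL_NET=192.168.1.0/24

# IPv4 port forwardings, one whitespace separated entry per line:
#   proto,port,target   where target is an internal "ip[:port]"
# A target without a port keeps the external port.
PORTFW=""
PORTFW="$PORTFW udp,1234,192.168.1.1:1234"
PORTFW="$PORTFW tcp,80,192.168.1.2:8080"

# well not really port forwardings but allowed traffic to internal hosts,
# same proto,port,target format. Because IPv6 addresses contain ':',
# the target separator is '.' here: "addr[.port]". IPv4-mapped addresses
# (which contain dots themselves) can therefore not be used in a target.
# Append to PORTFW6 only - the IPv4 entries above must never reach ip6tables.
PORTFW6=""
PORTFW6="$PORTFW6 tcp,80,1234::1.8080"

TCP_IN_PORTS="22000"
UDP_IN_PORTS=""

#######################
#       Helpers       #
#######################

# Split one PORTFW/PORTFW6 entry "proto,port,target" into the variables
# proto, port and to. POSIX sh has neither local nor namerefs, so the
# results are passed through these globals (as the inline code did before).
#   $1 - the entry
portfw_split() {
  proto=${1%%,*}
  port=${1#*,}
  port=${port%%,*}
  to=${1##*,}
}

# Split an IPv4 target "ip[:port]" into the variables to_ip and to_port.
#   $1 - target
#   $2 - port to use when the target carries none
target4_split() {
  to_ip=${1%%:*}
  if [ "$to_ip" = "$1" ]; then
    to_port=$2
  else
    to_port=${1##*:}
  fi
}

# Split an IPv6 target "addr[.port]" into the variables to_ip and to_port.
# Splitting on ':' like target4_split would cut the address itself apart,
# so the (last) '.' separates address and port here.
#   $1 - target
#   $2 - port to use when the target carries none
target6_split() {
  case "$1" in
    *.*)
      to_ip=${1%.*}
      to_port=${1##*.}
      ;;
    *)
      to_ip=$1
      to_port=$2
      ;;
  esac
}

#########################
#        IPv4 UP        #
#########################
# Loads the IPv4 ruleset. Called by saswall; prints "success" when done.
ipv4_up() {
  # FORWARD

  # local traffic
  #  nothing here

  # outbound traffic
  #  main NAT
  $NAT -A POSTROUTING -s "$LOCAL_NET" -o "$EXT_IF" -j SNAT --to "$EXT_IP"
  #  allow forwarded outbound traffic
  $FILTER -A FORWARD -i lo -j ACCEPT
  $FILTER -A FORWARD -i "$INT_IF" -j ACCEPT

  # inbound traffic
  #  allow icmp and active connections
  $FILTER -A FORWARD -i "$EXT_IF" -o "$INT_IF" -p icmp -j ACCEPT
  $FILTER -A FORWARD -i "$EXT_IF" -o "$INT_IF" -m state --state RELATED,ESTABLISHED -j ACCEPT
  #  install port forwardings and allow traffic through them
  for fw in $PORTFW; do
    portfw_split "$fw"
    target4_split "$to" "$port"
    $NAT -A PREROUTING -i "$EXT_IF" -d "$EXT_IP" -p "$proto" --dport "$port" -j DNAT --to "$to"
    $FILTER -A FORWARD -i "$EXT_IF" -o "$INT_IF" -d "$to_ip" -p "$proto" --dport "$to_port" -j ACCEPT
  done

  # Policy -> DROP
  # set last so that the rules above are in place before traffic is dropped;
  # until here the chain keeps whatever policy *_down left (ACCEPT).
  $FILTER -P FORWARD DROP

  # INPUT

  # allow everything from internal interfaces
  $FILTER -A INPUT -i lo -j ACCEPT
  $FILTER -A INPUT -i "$INT_IF" -j ACCEPT

  # allow icmp and active connections from external
  $FILTER -A INPUT -i "$EXT_IF" -p icmp -j ACCEPT
  $FILTER -A INPUT -i "$EXT_IF" -m state --state RELATED,ESTABLISHED -j ACCEPT

  # allow
  for port in $TCP_IN_PORTS; do
    $FILTER -A INPUT -i "$EXT_IF" -p tcp --dport "$port" -j ACCEPT
  done
  for port in $UDP_IN_PORTS; do
    $FILTER -A INPUT -i "$EXT_IF" -p udp --dport "$port" -j ACCEPT
  done

  # Policy -> DROP
  $FILTER -P INPUT DROP

  # OUTPUT
  #  nothing here

  # END
  # printf instead of echo -n: -n is not portable across /bin/sh implementations
  printf '%s' "success"
}

#########################
#        IPv6 UP        #
#########################
# Loads the IPv6 ruleset. Called by saswall; prints "success" when done.
ipv6_up() {
  # FORWARD

  # local traffic
  #  nothing here

  # outbound traffic
  #  allow forwarded outbound traffic
  $FILTER6 -A FORWARD -i lo -j ACCEPT
  $FILTER6 -A FORWARD -i "$INT_IF" -j ACCEPT

  # inbound traffic
  #  allow icmp and active connections
  #  icmpv6, not icmp: ip6tables resolves "icmp" to protocol 1 (IPv4 ICMP),
  #  which never matches IPv6 traffic - consistent with the INPUT rule below
  $FILTER6 -A FORWARD -i "$EXT_IF" -o "$INT_IF" -p icmpv6 -j ACCEPT
  $FILTER6 -A FORWARD -i "$EXT_IF" -o "$INT_IF" -m state --state RELATED,ESTABLISHED -j ACCEPT
  #  allow traffic to internal hosts
  for fw in $PORTFW6; do
    portfw_split "$fw"
    target6_split "$to" "$port"
    $FILTER6 -A FORWARD -i "$EXT_IF" -o "$INT_IF" -d "$to_ip" -p "$proto" --dport "$to_port" -j ACCEPT
  done

  # Policy -> DROP
  # set last so that the rules above are in place before traffic is dropped
  $FILTER6 -P FORWARD DROP

  # INPUT

  # allow everything from internal interface
  $FILTER6 -A INPUT -i lo -j ACCEPT
  $FILTER6 -A INPUT -i "$INT_IF" -j ACCEPT

  # allow icmp and active connections
  $FILTER6 -A INPUT -i "$EXT_IF" -p icmpv6 -j ACCEPT
  $FILTER6 -A INPUT -i "$EXT_IF" -m state --state RELATED,ESTABLISHED -j ACCEPT

  # allow
  for port in $TCP_IN_PORTS; do
    $FILTER6 -A INPUT -i "$EXT_IF" -p tcp --dport "$port" -j ACCEPT
  done
  for port in $UDP_IN_PORTS; do
    $FILTER6 -A INPUT -i "$EXT_IF" -p udp --dport "$port" -j ACCEPT
  done

  # Policy -> DROP
  $FILTER6 -P INPUT DROP

  # OUTPUT
  #  nothing here

  # END
  printf '%s' "success"
}

#########################
#       IPv4 DOWN       #
#########################
# Flushes all IPv4 tables and opens the filter policies. Called by saswall
# (also as the revert path); prints "success" when done.
ipv4_down() {
  $MANGLE -F
  $NAT -F
  $FILTER -F
  $FILTER -P INPUT ACCEPT
  $FILTER -P FORWARD ACCEPT
  $FILTER -P OUTPUT ACCEPT

  printf '%s' "success"
}

#########################
#       IPv6 DOWN       #
#########################
# Flushes all IPv6 tables and opens the filter policies. Called by saswall
# (also as the revert path); prints "success" when done.
ipv6_down() {
  $MANGLE6 -F
  $FILTER6 -F
  $FILTER6 -P INPUT ACCEPT
  $FILTER6 -P FORWARD ACCEPT
  $FILTER6 -P OUTPUT ACCEPT

  printf '%s' "success"
}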