#!/bin/sh
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v3.0.1-565
#
# Generated Tue Nov 25 14:16:11 2008 GMT by mr
#
# files: * FW.fw
#
#
# Compiled for iptables 1.3.0
#
#
# Overview of what this script does, in order:
#   1. defines helper functions (logging, address/interface lookups);
#   2. verifies iproute and the interfaces eth1/eth0 exist (exit 1 otherwise);
#   3. flushes neighbour caches and FWB-labelled secondary addresses;
#   4. sets DROP policies, flushes every chain in every table, deletes user chains;
#   5. installs stateful accept rules, NAT (SNAT/DNAT for 192.168.1.0/24 via
#      131.111.12.1 and 131.111.12.62 on eth1) and the filter policy;
#   6. enables IPv4 forwarding.
# There is no 'set -e': a failing iptables command does not stop the script,
# but because the policies are set to DROP first, a partial run is fail-closed.
#
PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}"
export PATH
# Tool paths. Only IPTABLES, IP and LOGGER are referenced below; the others are
# emitted by the generator and unused in this script.
LSMOD="/sbin/lsmod"
MODPROBE="/sbin/modprobe"
IPTABLES="/sbin/iptables"
IP6TABLES="/usr/sbin/ip6tables"
IPTABLES_RESTORE="/usr/sbin/iptables-restore"
IP6TABLES_RESTORE="/sbin/ip6tables-restore"
IP="/sbin/ip"
LOGGER="/bin/logger"
#
# Prolog script
#
#
# End of prolog script
#

# Print $1 to stdout and, if the logger binary is executable, also send it to
# syslog at priority info.
log() {
    echo "$1"
    test -x "$LOGGER" && $LOGGER -p info "$1"
}

# Abort (exit 1) unless the address-table file $2, referenced by AddressTable
# object $1, is readable. Not called in this script (0 address table files).
check_file() {
    test -r "$2" || {
        echo "Can not find file $2 referenced by AddressTable object $1"
        exit 1
    }
}

# Counter used to build the "<dev>:FWB<n>" labels of secondary addresses.
va_num=1

# Add IPv4 address $1 (netmask $2) to device $3 as a labelled secondary
# address, unless the device already carries it.
#   - the link type is read from the 4th field of the first 'ip link ls' line
#     (5th field when the 4th is NO-CARRIER);
#   - an existing address is detected with 'ip addr ls ... to $addr';
#   - only POINTOPOINT and BROADCAST links get the address.
# The unquoted 'set $L' with a custom IFS is deliberate: it splits the ip(8)
# output into positional parameters. Not called in this script (no virtual
# addresses for NAT rules were generated).
add_addr() {
    addr=$1
    nm=$2
    dev=$3
    type=""
    aadd=""
    L=`$IP -4 link ls $dev | head -n1`
    if test -n "$L"; then
        OIFS=$IFS
        IFS=" /:,<"
        set $L
        type=$4
        IFS=$OIFS
        if test "$type" = "NO-CARRIER"; then
            type=$5
        fi
        # 'grep -v :' drops alias-labelled lines (e.g. "eth0:1").
        L=`$IP -4 addr ls $dev to $addr | grep inet | grep -v :`
        if test -n "$L"; then
            OIFS=$IFS
            IFS=" /"
            set $L
            aadd=$2
            IFS=$OIFS
        fi
    fi
    if test -z "$aadd"; then
        if test "$type" = "POINTOPOINT"; then
            $IP -4 addr add $addr dev $dev scope global label $dev:FWB${va_num}
            va_num=`expr $va_num + 1`
        fi
        if test "$type" = "BROADCAST"; then
            $IP -4 addr add $addr/$nm dev $dev brd + scope global label $dev:FWB${va_num}
            va_num=`expr $va_num + 1`
        fi
    fi
}

# Turn an interface name into a usable variable name by replacing a '.' with
# '_'. Note the sed expression has no 'g' flag, so only the first '.' is
# replaced. Unused in this script.
getInterfaceVarName() {
    echo $1 | sed 's/\./_/'
}

# Store the first non-alias IPv4 address of device $1 into the shell variable
# whose NAME is given in $2 ('' when the device has none).
# $2 is passed to eval, so it must only ever be a literal variable name from
# this script, never data taken from outside it.
getaddr() {
    dev=$1
    name=$2
    L=`$IP -4 addr show dev $dev | grep inet | grep -v :`
    test -z "$L" && {
        eval "$name=''"
        return
    }
    OIFS=$IFS
    IFS=" /"
    set $L
    eval "$name=$2"
    IFS=$OIFS
}

# IPv6 counterpart of getaddr: store the first inet6 address of device $1 into
# the variable named by $2 (same eval caveat as getaddr).
# NOTE(review): the trailing 'grep -v :' looks wrong here — every textual IPv6
# address contains ':', so L is expected to be empty and $2 always set to ''.
# The function is not called in this script; verify before relying on it.
getaddr6() {
    dev=$1
    name=$2
    L=`$IP -6 addr show dev $dev | grep inet6 | grep -v :`
    test -z "$L" && {
        eval "$name=''"
        return
    }
    OIFS=$IFS
    IFS=" /"
    set $L
    eval "$name=$2"
    IFS=$OIFS
}

# Print the name of every interface whose 'ip link show' line contains
# ": $NAME" (a substring match, so "eth" would list eth0, eth1, ...).
getinterfaces() {
    NAME=$1
    $IP link show | grep ": $NAME" | while read L; do
        OIFS=$IFS
        IFS=" :"
        set $L
        IFS=$OIFS
        echo $2
    done
}

# increment ip address
# Arguments $1..$4 are the NAMES of four variables holding the octets of an
# IPv4 address, most significant first. The last octet is incremented in
# place; at 255 it wraps to 0 and the carry is propagated to the next octet by
# recursing with the argument list shifted right ("XX" just keeps the
# positions aligned). Variable names are eval'd, same caveat as getaddr.
incaddr() {
    n1=$4
    n2=$3
    n3=$2
    n4=$1
    vn1=`eval "echo \\$$n1"`
    R=`expr $vn1 \< 255`
    if test $R = "1"; then
        eval "$n1=`expr $vn1 + 1`"
    else
        eval "$n1=0"
        incaddr XX $n4 $n3 $n2
    fi
}

# Sanity check: iproute must be usable, otherwise nothing below can work.
if $IP link ls >/dev/null 2>&1; then echo; else
    echo "iproute not found"
    exit 1
fi

# Using 0 address table files

# Every interface named in the policy must exist; abort otherwise so that no
# rule is installed against a missing device.
INTERFACES="eth1 eth0 "
for i in $INTERFACES ; do
    $IP link show "$i" > /dev/null 2>&1 || {
        log "Interface $i does not exist"
        exit 1
    }
done

# Configure interfaces
# Drop stale neighbour (ARP) entries and any secondary addresses this script
# labelled on a previous run ("<dev>:FWB*"); errors are ignored on purpose.
$IP -4 neigh flush dev eth1 >/dev/null 2>&1
$IP -4 addr flush dev eth1 secondary label "eth1:FWB*" >/dev/null 2>&1
$IP -4 neigh flush dev eth0 >/dev/null 2>&1
$IP -4 addr flush dev eth0 secondary label "eth0:FWB*" >/dev/null 2>&1

# Add virtual addresses for NAT rules
# (none generated for this policy)

log 'Activating firewall script generated Tue Nov 25 14:16:11 2008 by mr'

# ================ IPv4
# ================ Table 'filter', automatic rules
# Default policies go to DROP *before* the flush below, so the host is never
# left with empty chains and an ACCEPT policy while the rule set is rebuilt.
$IPTABLES -P OUTPUT DROP
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP

# For every loaded table: flush each chain (lines of '-L -n' starting with
# "Chain" name one), then delete all user-defined chains with -X.
cat /proc/net/ip_tables_names | while read table; do
    $IPTABLES -t $table -L -n | while read c chain rest; do
        if test "X$c" = "XChain" ; then
            $IPTABLES -t $table -F $chain
        fi
    done
    $IPTABLES -t $table -X
done

# Stateful short-cut: packets belonging to already-accepted connections are
# accepted in all three chains before any policy rule is evaluated.
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# ================ Table 'nat', rule set NAT
# NAT compiler errors and warnings:
#
#
# Rule 0 (NAT)
#
echo "Rule 0 (NAT)"
#
# outbound traffic from 192.168.1.1 is translated to be from external FW interface (131.111.12.1)
$IPTABLES -t nat -A POSTROUTING -o eth1 -s 192.168.1.1 -j SNAT --to-source 131.111.12.1
#
# Rule 1 (NAT)
#
echo "Rule 1 (NAT)"
#
# inbound traffic from outside to 131.111.12.1 is translated to 192.168.1.1
# NOTE(review): no -p/--dport and no -i restriction, so every protocol and
# port addressed to 131.111.12.1 is redirected to 192.168.1.1. Whether that
# traffic is then allowed is decided by filter Rule 2 below.
$IPTABLES -t nat -A PREROUTING -d 131.111.12.1 -j DNAT --to-destination 192.168.1.1
#
# Rule 2 (NAT)
#
echo "Rule 2 (NAT)"
#
# NAT our internal network to be as though it is 131.111.12.62 to everything outside our internal network
$IPTABLES -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -j SNAT --to-source 131.111.12.62

# ================ Table 'mangle', automatic rules
# ================ Table 'filter', rule set Policy
# Policy compiler errors and warnings:
#
#
# Rule 0 (global)
#
echo "Rule 0 (global)"
#
# Allow our internal networks anywhere, including ssh to our firewall
#
# NOTE(review): these INPUT rules match on source address only, with no -i
# interface constraint and no anti-spoofing rule anywhere in this script, so
# a packet arriving on eth1 with a forged 192.168.1.x source would match too.
# 131.111.12.62 and 131.111.12.1 appear to be the firewall's own external-side
# addresses (they are the SNAT targets above), which the rule comment does not
# mention — confirm that accepting NEW connections from those sources is
# intended, and consider binding the internal sources to the internal
# interface (-i eth0) or enabling rp_filter.
$IPTABLES -A INPUT -s 131.111.12.62 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -s 131.111.12.1 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -s 192.168.1.62 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -s 192.168.1.0/24 -m state --state NEW -j ACCEPT
# The first OUTPUT rule has no source match, so the firewall host itself may
# open any new connection; the following "-s 192.168.1.0/24" OUTPUT rule can
# never see a packet this one did not already accept.
$IPTABLES -A OUTPUT -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -s 192.168.1.0/24 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -s 192.168.1.0/24 -m state --state NEW -j ACCEPT
#
# Rule 1 (global)
#
echo "Rule 1 (global)"
#
# Allow ping to all
#
# ICMP type 8 is echo-request. Outbound echo-requests from the host are only
# accepted towards the three firewall addresses listed in the Cid... chain;
# inbound echo-requests are accepted from any source. Every accepted packet
# is also logged (prefix "RULE 1 -- ACCEPT ") with no -m limit.
$IPTABLES -N Cid47D0139B15674.0
$IPTABLES -A OUTPUT -p icmp -m icmp --icmp-type 8 -m state --state NEW -j Cid47D0139B15674.0
$IPTABLES -N RULE_1
$IPTABLES -A Cid47D0139B15674.0 -d 131.111.12.62 -j RULE_1
$IPTABLES -A Cid47D0139B15674.0 -d 131.111.12.1 -j RULE_1
$IPTABLES -A Cid47D0139B15674.0 -d 192.168.1.62 -j RULE_1
$IPTABLES -A INPUT -p icmp -m icmp --icmp-type 8 -m state --state NEW -j RULE_1
$IPTABLES -A RULE_1 -j LOG --log-level info --log-prefix "RULE 1 -- ACCEPT "
$IPTABLES -A RULE_1 -j ACCEPT
#
# Rule 2 (global)
#
echo "Rule 2 (global)"
#
# Allow access to server on our internal network
#
# NOTE(review): no protocol or port restriction. Combined with NAT Rule 1
# (DNAT of everything sent to 131.111.12.1), any new inbound connection to
# 131.111.12.1 is forwarded to 192.168.1.1 on every port. If only specific
# services are meant to be exposed, add -p/--dport matches here.
$IPTABLES -N RULE_2
$IPTABLES -A OUTPUT -d 192.168.1.1 -m state --state NEW -j RULE_2
$IPTABLES -A FORWARD -d 192.168.1.1 -m state --state NEW -j RULE_2
$IPTABLES -A RULE_2 -j LOG --log-level info --log-prefix "RULE 2 -- ACCEPT "
$IPTABLES -A RULE_2 -j ACCEPT
#
# Rule 3 (global)
#
echo "Rule 3 (global)"
#
# Default
#
# Catch-all: everything not accepted above is logged and dropped in all three
# chains. The LOG rule has no -m limit, so a flood or port scan produces one
# syslog line per packet; consider adding '-m limit' to protect the log.
$IPTABLES -N RULE_3
$IPTABLES -A OUTPUT -j RULE_3
$IPTABLES -A INPUT -j RULE_3
$IPTABLES -A FORWARD -j RULE_3
$IPTABLES -A RULE_3 -j LOG --log-level info --log-prefix "RULE 3 -- DENY "
$IPTABLES -A RULE_3 -j DROP
#
#
# Enable IPv4 routing only now that the FORWARD chain and NAT rules are in
# place; the FORWARD/NAT rules above are inert without it.
echo 1 > /proc/sys/net/ipv4/ip_forward
#
# Epilog script
#
# End of epilog script
#