User Tools

Site Tools


docs:guide-user:firewall:other_firewall_rules_builders:fw_shell_scripts

Firewall Builder: Shell scripts

If firewall3 is unavailable, one can add netfilter rules manually using the iptables command in a shell scripts.

The script could be loaded using init scripts or added to /etc/rc.local.

Here is an example netfilter configuration bash script taken from the freifunk project.

This has not been tested. It is retained here for completeness.

#!/bin/sh
#
# by rac 2011, placed under GPLv2
#
#############################################################################
# Variables
 
IPT=/usr/sbin/iptables
 
# Interfaces:
IF_LAN=eth0.1
IF_DSL=pppoe-dsl
IF_FUNK=wlan0
 
# Netz IPs:
NET_LAN=192.168.0.0/16
NET_DSL=xxx.xxx.xxx.xxx/16
NET_FUNK=10.0.0.0/8
 
# Eigene IPs:
IP_LAN=192.168.1.1
IP_DSL=$(ifconfig|grep 'inet addr:xxx'|cut -d':' -f2|awk '{print $1}')
IP_FUNK=10.0.0.1
 
# User IPs:
IP_USER1=192.168.1.1
IP_USER2=192.168.2.1
IP_USER3=192.168.3.1
IP_USER4=192.168.4.1
IP_USER5=192.168.5.1
 
# User IP/MAC-Combos:
USER1=" -s 192.168.1.1 -m mac --mac-source xx:xx:xx:xx:xx:xx"
USER2=" -s 192.168.2.1 -m mac --mac-source xx:xx:xx:xx:xx:xx"
USER3=" -s 192.168.3.1 -m mac --mac-source xx:xx:xx:xx:xx:xx"
USER4=" -s 192.168.4.1 -m mac --mac-source xx:xx:xx:xx:xx:xx"
USER5=" -s 192.168.5.1 -m mac --mac-source xx:xx:xx:xx:xx:xx"
 
# Besondere IPs/Netze:
UNI=xxx.xxx.xxx.xxx
NET_VEREIN=xxx.xxx.xxx.xxx/24
NET_DNS=xxx.xxx.xxx.xxx/24
FRIEND1=xxx.xxx.xxx.xxx
 
#############################################################################
# Ketten leeren und löschen
 
$IPT -t filter -F
$IPT -t filter -X
$IPT -t nat -F
$IPT -t nat -X 
#$IPT -t mangle -F  this will be done by the tc script
#$IPT -t mangle -X
$IPT -t raw -F
$IPT -t raw -X
 
if [ "$1" = "stop" ]; then
	echo "Firewall completely flushed! Now running with no firewall."
	exit 0
fi
 
#############################################################################
# Default Policies fuer integrierte Ketten festlegen:
# http://en.wikipedia.org/wiki/File:Netfilter-packet-flow.svg
 
# Policies setzen
$IPT -t raw -P PREROUTING ACCEPT #----- before connection tracking
$IPT -t raw -P OUTPUT ACCEPT #--------- before connection tracking
$IPT -t mangle -P PREROUTING ACCEPT #-- before routing; change TOS, TTL, MARK, etc
$IPT -t mangle -P INPUT ACCEPT #------- 
$IPT -t mangle -P FORWARD ACCEPT #----- 
$IPT -t mangle -P OUTPUT ACCEPT #------ 
$IPT -t mangle -P POSTROUTING ACCEPT #- VOR nat POSTROUTING, MARK by source
$IPT -t nat -P PREROUTING ACCEPT   #--- before routing
$IPT -t nat -P POSTROUTING ACCEPT #---- 
$IPT -t nat -P OUTPUT ACCEPT #--------- 
$IPT -t filter -P INPUT DROP #--------- 
$IPT -t filter -P FORWARD DROP #------- 
$IPT -t filter -P OUTPUT ACCEPT #------ 
 
# Eigene Ketten anlegen
$IPT -N INPUT_dsl
$IPT -N INPUT_lan
$IPT -N INPUT_funk
$IPT -N FWD_lan_dsl
$IPT -N FWD_dsl_lan
$IPT -N FWD_funk_dsl
$IPT -N FWD_dsl_funk
$IPT -N FWD_lan_funk
$IPT -N FWD_funk_lan
$IPT -N nuisance
 
#############################################################################
# FILTER
 
#================================
# INPUT (Policy: DROP)
#---------------------
$IPT -A INPUT -j ACCEPT -i lo -s 127.0.0.1 -d 127.0.0.1 #--------------- loopback
$IPT -A INPUT -j ACCEPT -i $IF_LAN  -p udp --dport 67:68 --sport 67:68 #- DHCP-Anfragen kommen von 255.255.255.255
$IPT -A INPUT -j ACCEPT -i $IF_FUNK -p udp --dport 67:68 --sport 67:68 #- DHCP-Anfragen kommen von 255.255.255.255
$IPT -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED #- ALLES, was vom Router aufgebaut wurde, darf wieder zurueck
 
$IPT -A INPUT -j INPUT_lan -i $IF_LAN -s $NET_LAN -d $IP_LAN
$IPT -A INPUT -j INPUT_dsl -i $IF_DSL
$IPT -A INPUT -j INPUT_funk -i $IF_FUNK -s $NET_FUNK -d $IP_FUNK
 
$IPT -A INPUT_lan -j ACCEPT #--------------------- Alles von intern erlaubt
 
$IPT -A INPUT_dsl -j ACCEPT -p icmp -s 0/0 --icmp-type 11 #-------- Time Exceeded
$IPT -A INPUT_dsl -j ACCEPT -p tcp --dport 22 #-------------------- ssh
$IPT -A INPUT_dsl -j LOG       --log-prefix "IPT_dsl-Rej "
$IPT -A INPUT_dsl -j DROP
 
$IPT -A INPUT_funk -j ACCEPT -p icmp --icmp-type 8 #--------------- allow system to be pinged!
$IPT -A INPUT_funk -j ACCEPT -p tcp --dport 8080 #----------------- kleine Nachricht
$IPT -A INPUT_funk -j LOG       --log-prefix "IPT_funk-Rej "
$IPT -A INPUT -j REJECT    --reject-with icmp-host-prohibited
 
#================================
# FORWARD (Policy: DROP)
#-----------------------
$IPT -A FORWARD -j ACCEPT -m state --state ESTABLISHED,RELATED #- ALLES, was bereits aufgebaut wurde, darf auch wieder durch
 
$IPT -A FORWARD -j FWD_lan_dsl -i $IF_LAN -o $IF_DSL -s $NET_LAN
$IPT -A FORWARD -j FWD_dsl_lan -i $IF_DSL -o $IF_LAN
$IPT -A FORWARD -j FWD_funk_dsl -i $IF_FUNK -o $IF_DSL -s $NET_FUNK
$IPT -A FORWARD -j FWD_dsl_funk -i $IF_DSL -o $IF_FUNK
$IPT -A FORWARD -j FWD_lan_funk -i $IF_LAN -o $IF_FUNK -s $NET_LAN
$IPT -A FORWARD -j FWD_funk_lan -i $IF_FUNK -o $IF_LAN -s $NET_FUNK
$IPT -A FORWARD -j LOG       --log-prefix "FORWARD: " #--- duerfte nix uebrig bleiben
$IPT -A FORWARD -j DROP
 
# LAN und DSL
$IPT -A FWD_lan_dsl -j REJECT -p udp --dport 135:139 #--------------- hat nichts im internet verloren
$IPT -A FWD_lan_dsl -j REJECT -p tcp --dport 135:139 #--------------- hat nichts im internet verloren
$IPT -A FWD_lan_dsl -j REJECT -p tcp --dport 445  #------------------ hat nichts im internet verloren
$IPT -A FWD_lan_dsl -j ACCEPT
 
# DSL to LAN (the portforwards)
$IPT -A FWD_dsl_lan -j ACCEPT -p udp --dport 11111 --sport 1024:65535 -d $IP_USER1 -m state --state NEW #- udp
$IPT -A FWD_dsl_lan -j ACCEPT -p tcp --dport 11111 --sport 1024:65535 -d $IP_USER1 -m state --state NEW #- tcp
$IPT -A FWD_dsl_lan -j ACCEPT -p udp --dport 22222 --sport 1024:65535 -d $IP_USER2 -m state --state NEW #- udp
$IPT -A FWD_dsl_lan -j ACCEPT -p tcp --dport 22222 --sport 1024:65535 -d $IP_USER2 -m state --state NEW #- tcp
$IPT -A FWD_dsl_lan -j ACCEPT -p udp --dport 44444 --sport 1024:65535 -d $IP_USER4 -m state --state NEW #- tcp
$IPT -A FWD_dsl_lan -j ACCEPT -p tcp --dport  8000 --sport 1024:65535 -d $IP_USER5 -s $FRIEND1 -m state --state NEW #- tcp
$IPT -A FWD_dsl_lan -j LOG       --log-prefix "FWD_dsl_lan "
$IPT -A FWD_dsl_lan -j DROP
 
# FUNK to DSL
$IPT -A FWD_funk_dsl -j ACCEPT -s 10.10.10.99 -m mac --mac-source 11:22:33:44:55:66 #------- no safety here!
$IPT -A FWD_funk_dsl -j LOG       --log-prefix "FWD_funk_dsl "
$IPT -A FWD_funk_dsl -j REJECT    --reject-with icmp-host-prohibited
 
# DSL to FUNK
$IPT -A FWD_dsl_funk -j LOG       --log-prefix "FWD_dsl_funk "
$IPT -A FWD_dsl_funk -j DROP
 
# LAN to FUNK
$IPT -A FWD_lan_funk -j ACCEPT #------------------------------- alles erlaubt
$IPT -A FWD_lan_funk -j LOG       --log-prefix "FWD_lan_funk "
$IPT -A FWD_lan_funk -j DROP
 
# FUNK to LAN
$IPT -A FWD_funk_lan -j ACCEPT #------------------------------- alles erlaubt
$IPT -A FWD_funk_lan -j LOG       --log-prefix "FWD_funk_lan "
$IPT -A FWD_funk_lan -j DROP
 
#================================
# OUTPUT (Policy: ACCEPT)
#---------------------
 
#############################################################################
# NAT
 
#================================
# PREROUTING (Policy: ACCEPT)
#----------------------------
 
#
# Portforwads:
#
 
$IPT -t nat -A PREROUTING -i $IF_DSL -p udp --dport 11111 -j DNAT --to-destination ${IP_USER1}:11111 #--- udp
$IPT -t nat -A PREROUTING -i $IF_DSL -p tcp --dport 11111 -j DNAT --to-destination ${IP_USER1}:11111 #--- tcp
$IPT -t nat -A PREROUTING -i $IF_DSL -p udp --dport 22222 -j DNAT --to-destination ${IP_USER2}:11111 #--- udp
$IPT -t nat -A PREROUTING -i $IF_DSL -p tcp --dport 22222 -j DNAT --to-destination ${IP_USER2}:11111 #--- tcp
$IPT -t nat -A PREROUTING -i $IF_DSL -p udp --dport 44444 -j DNAT --to-destination ${IP_USER4}:11111 #--- udp
$IPT -t nat -A PREROUTING -i $IF_DSL -p tcp --dport 55555 -j DNAT --to-destination ${IP_USER5}:11111 #--- tcp
 
#================================
# POSTROUTING (Policy: ACCEPT)
#-----------------------------
$IPT -t nat -A POSTROUTING -o $IF_DSL -j MASQUERADE #--------------- Alles ins Internet auf Router-IP naten
 
#############################################################################
# MANGLE
 
#================================
# POSTROUTING (Policy: ACCEPT)
#----------------------------
# included in the tc script
This website uses cookies. By using the website, you agree with storing cookies on your computer. Also you acknowledge that you have read and understand our Privacy Policy. If you do not agree leave the website.More information about cookies
docs/guide-user/firewall/other_firewall_rules_builders/fw_shell_scripts.txt · Last modified: 2018/09/16 12:49 by 14.213.133.16