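#!/bin/bash
## This allows all machines on the private net to get
## Out to the internet through lvs01
##
## Usage: <script> [nolog]
##   nolog  - select the silently-dropping chain regardless of LOGDENY
##
## Must run as root: it writes /proc/sys/net/ipv4/ip_forward and calls iptables.
## Re-running the script is safe: every table it writes to is flushed first.

############### General Configration ###############
## to add more rules see rules section below.

### What is the external interface? eg. eth0
EXTERNAL_IF="XTRNL_IF"
### What is the internal interface? eg eth1, eth0:1
### (read by no rule below; kept so existing configurations still parse)
INTERNAL_IF="INTRNL_IF"
### What is the private network address? eg. Priv_NET.0/24
PRIVATE_NET="Priv_NET.0/24"
### Log deny packets? YES | NO
LOGDENY="YES"
### Block Pings? YES | NO
BLOCKPINGS="NO"
### Whitelist of IP ranges: one entry per line, lines starting with '#'
### are comments, an entry containing '-' is a first-last address range.
SIP_WHITELIST="/etc/network/sip_whitelist.fw"
############# End General Configration ############

## Setup IP Forwarding
echo "1" > /proc/sys/net/ipv4/ip_forward

IPT="/sbin/iptables"

### set firewall mode: "nolog" anywhere in the first argument, or LOGDENY=NO,
### selects the DROP chain that does not log.
if [[ "$1" == *nolog* ]] || [ "$LOGDENY" = "NO" ]; then
  FW="firewall-nolog"
else
  FW="firewall"
fi

### Flush old rules in every table this script appends to, then delete the
### firewall chains. Without the mangle flush the MARK rules below were
### appended again on every run. The -X calls report an error on the very
### first run (chains do not exist yet); that is harmless.
"$IPT" -F
"$IPT" -F -t nat
"$IPT" -F -t mangle
"$IPT" -X firewall
"$IPT" -X firewall-nolog

### Setup Default Firewall Chain. Logs all dropped packets.
"$IPT" -N firewall
"$IPT" -A firewall -j LOG --log-level info --log-prefix "Firewall-DENY:"
"$IPT" -A firewall -j DROP

### Setup Firewall Chain Without Logging.
"$IPT" -N firewall-nolog
"$IPT" -A firewall-nolog -j DROP

### Accept Private network
"$IPT" -A INPUT -s "$PRIVATE_NET" -d 0/0 -j ACCEPT

######## Port Forwarding ##########
### Nat incoming connections for Evergreen SIP service.
### If whitelist exists then use it from whitelist $SIP_WHITELIST
if [ -e "$SIP_WHITELIST" ]; then
  # Read the file line by line (read -r keeps entries intact, no globbing or
  # word-splitting of the untrusted file contents); the trailing "|| -n"
  # handles a last line without a newline.
  while IFS= read -r ADDR || [ -n "$ADDR" ]; do
    case "$ADDR" in
      '' | \#*)
        # blank or comment line
        continue
        ;;
      *-*)
        # first-last range
        "$IPT" -t nat -A PREROUTING -i "$EXTERNAL_IF" -m iprange --src-range "$ADDR" \
          -p tcp --dport 6001 -j DNAT --to-destination Priv_NET.131-Priv_NET.132:6001
        ;;
      *)
        # single address or CIDR
        "$IPT" -t nat -A PREROUTING -i "$EXTERNAL_IF" -s "$ADDR" \
          -p tcp --dport 6001 -j DNAT --to-destination Priv_NET.131-Priv_NET.132:6001
        ;;
    esac
  done < "$SIP_WHITELIST"
else
  ### we simply use the old way and forward any connection to the SIP servers.
  "$IPT" -t nat -A PREROUTING -i "$EXTERNAL_IF" -p tcp --dport 6001 \
    -j DNAT --to-destination Priv_NET.131-Priv_NET.132:6001
fi
####### End Port Forwarding #######

### Allow Prvate network to go anywhere
"$IPT" -A POSTROUTING -t nat -s "$PRIVATE_NET" -j MASQUERADE

### Accept ourselves Localhost.
"$IPT" -A INPUT -s 127.0.0.1/8 -d 127.0.0.1/8 -j ACCEPT

### Set forwarding policy.
### NOTE(review): FORWARD is wide open; DNAT'd SIP traffic and everything the
### private net sends out is not filtered here.
"$IPT" -P FORWARD ACCEPT

### Accept incoming packets related to outgoing packets.
### NOTE(review): only RELATED is matched, not ESTABLISHED; reply traffic
### currently passes because only SYN packets are sent to the firewall chain
### below. Confirm before tightening that rule.
"$IPT" -A INPUT -p tcp -m state --state RELATED -j ACCEPT

### Accept UDP broadcast packets for public net
"$IPT" -A INPUT -p udp -d Pub_BCAST -j ACCEPT
"$IPT" -A INPUT -p udp -d 255.255.255.255 -j ACCEPT

### Setup fw mark for lvs
"$IPT" -t mangle -A PREROUTING -i "$EXTERNAL_IF" -p tcp -s 0.0.0.0/0 -d "$PRIVATE_NET" --dport http -j MARK --set-mark 1
"$IPT" -t mangle -A PREROUTING -i "$EXTERNAL_IF" -p tcp -s 0.0.0.0/0 -d "$PRIVATE_NET" --dport https -j MARK --set-mark 1

######### RULES ##########
### Accept DNS, and identd
### NOTE(review): the --source-port matches accept any packet whose sender
### chose that source port; a stateful match would be tighter. Kept as-is
### because changing it alters policy.
"$IPT" -A INPUT -p udp --source-port 53 -j ACCEPT
"$IPT" -A INPUT -p tcp --source-port 113 -j ACCEPT
"$IPT" -A INPUT -p tcp --destination-port 113 -j ACCEPT
### Accept HTTP
"$IPT" -A INPUT -p tcp --destination-port 80 -j ACCEPT
### Accept HTTPS
"$IPT" -A INPUT -p tcp --destination-port 443 -j ACCEPT
### Accept NTP
"$IPT" -A INPUT -p udp --source-port 123 -j ACCEPT
### Accept SSH
"$IPT" -A INPUT -p tcp --destination-port 22 -j ACCEPT
# "$IPT" -A INPUT -p tcp --destination-port 3399 -j ACCEPT #- non standard ssh port
### Accept port for Apache2 Websockets
"$IPT" -A INPUT -p tcp --destination-port 7682 -j ACCEPT
######### END RULES #######

### Send specific packets to firewall without logging.
### Send everything else on the external interface to the firewall.
### Only ICMP (optional), new TCP connections (--syn) and UDP arriving on the
### external interface reach the firewall chain; anything else follows the
### INPUT policy, which this script does not change.
if [ "$BLOCKPINGS" = "YES" ]; then
  "$IPT" -A INPUT -p icmp -i "$EXTERNAL_IF" -j "$FW"
fi
"$IPT" -A INPUT -p tcp --syn -i "$EXTERNAL_IF" -j "$FW"
"$IPT" -A INPUT -p udp -i "$EXTERNAL_IF" -j "$FW"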