Wireless - Hot spot extreme



Postby NomadCF on Fri Mar 06, 2009 1:06 am

Startup firewall and setup script (builds the whole ruleset from scratch on each run), installed as:
/usr/sbin/scripts/rc.proxy


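#!/bin/bash
#####################
# Chris L. Franklin #
#####################
# rc.proxy: builds the hotspot gateway firewall from scratch on every run.
#
# Naming caveat (kept as-is because wireless.sh reuses the same names):
# "WAN"/eth1 is the *wireless client* subnet and "LAN"/eth0 is the trusted
# internal network those clients are NATed into.
echo "Loading VARs"
service iptables stop
DHCP_CONF="/etc/dhcpd.conf"
WAN_IP=192.168.175.0/24
LAN_IP=10.1.56.115
LOOP=127.0.0.1
DEVICE_WAN=eth1
DEVICE_LAN=eth0
IPTABLES=/sbin/iptables
MAIL_PORTS="25 143"
REMOTE_PDC='10.1.56.110'
SMB_PORTS="139 138 137 445"
KNOWN_PORTS="53 80 3128 5000 8530"
FORWARD_PORTS="443 5540 8530 8531"
KNOWN_EXTRA_PORTS=""
UNKNOWN_EXTRA_PORTS=""
HW_LOG_FILE_LOCATION="/tmp"

# valid_mac ADDR - true when ADDR is a colon-separated 48-bit MAC address.
# Everything fed to `-m mac --mac-source` goes through this, so a stray token
# in dhcpd.conf can never turn into extra iptables arguments (iptables would
# reject most of them anyway, but with a confusing error instead of a skip).
valid_mac() {
  local h='[0-9A-Fa-f][0-9A-Fa-f]'
  case "$1" in
    $h:$h:$h:$h:$h:$h) return 0 ;;
  esac
  return 1
}

# dhcp_known_macs FILE - print one MAC per line for every "hardware ethernet"
# statement in FILE, skipping commented-out lines and malformed addresses.
# The original pipeline used `grep -v E"^#"`, which is the pattern "E^#" and
# never matches, so commented-out hosts were still treated as known clients;
# this version really excludes them.  The statement is located by its
# keywords rather than by field position, so a one-line host block works too.
dhcp_known_macs() {
  awk '/^[[:space:]]*#/ { next }
       { for (i = 2; i < NF; i++)
           if ($(i - 1) == "hardware" && $i == "ethernet") {
             mac = $(i + 1); sub(/;.*$/, "", mac); print mac
           }
       }' "$1" |
  while IFS= read -r mac; do
    valid_mac "$mac" && printf '%s\n' "$mac"
  done
}

List=$(dhcp_known_macs "$DHCP_CONF")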

## Kernel modules the rules below rely on: NAT, connection tracking (plus the
## FTP helpers so FTP data connections survive the masquerade) and GRE.
for mod in iptable_nat ip_conntrack_ftp ip_conntrack ip_nat_ftp ip_gre; do
  /sbin/modprobe "$mod"
done

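## Default-deny first, then flush.  The original set every filter policy to
## ACCEPT, flushed, and only then switched to DROP, so each reload had a short
## accept-everything window (on top of the one `service iptables stop`
## already opens).  Setting DROP before the flush closes it; live sessions
## recover as soon as the ESTABLISHED,RELATED rule is re-added just below.
$IPTABLES -P INPUT   DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT  DROP

## nat and mangle have no meaningful DROP policy, so they stay ACCEPT.
$IPTABLES -t nat    -P PREROUTING  ACCEPT
$IPTABLES -t nat    -P POSTROUTING ACCEPT
$IPTABLES -t nat    -P OUTPUT      ACCEPT
$IPTABLES -t mangle -P PREROUTING  ACCEPT
$IPTABLES -t mangle -P OUTPUT      ACCEPT

## Flush every rule and delete every user chain in all three tables.
## (`-F` with no chain name covers all built-in chains of the table, so the
## per-chain flushes the original repeated afterwards were redundant.)
for table in filter nat mangle; do
  $IPTABLES -t "$table" -F
  $IPTABLES -t "$table" -X
done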

## Per-class chains.  KNOWN_* serve clients whose MAC is listed in dhcpd.conf;
## WIRELESS_* serve clients that went through the portal (wireless.sh adds the
## jumps for those).  Each chain is created and then flushed so a re-run on a
## box where the chains already exist starts from empty chains either way.
## The bare KNOWN_WIRELESS / WIRELESS chains are created but nothing jumps to
## them in this script.
for class in KNOWN_WIRELESS WIRELESS; do
  $IPTABLES -t nat -N "${class}_PREROUTING"
  $IPTABLES -t nat -F "${class}_PREROUTING"
  for suffix in _FORWARD _INPUT ""; do
    $IPTABLES -N "${class}${suffix}"
    $IPTABLES -F "${class}${suffix}"
  done
done

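## Wireless clients (192.168.175.0/24 on eth1 - the variable is called WAN_IP
## but it is the client side) are masqueraded out through eth0 into the
## internal network.
$IPTABLES -t nat -A POSTROUTING -s "$WAN_IP" -o "$DEVICE_LAN" -j MASQUERADE

## Stateful accept goes in first so it sits at position 1 of every chain.
## The original appended the interface rules and then `-I`nserted these at
## the top; adding them first with -A yields the same final order.
for chain in INPUT FORWARD OUTPUT; do
  $IPTABLES -A "$chain" -m state --state ESTABLISHED,RELATED -j ACCEPT
done

## The gateway itself may talk out on any interface, and accepts anything
## from loopback and from the trusted internal side.  (The original carried
## the eth0 OUTPUT rule twice; one copy is enough.)
## There is deliberately no blanket FORWARD accept from eth0: forwarding is
## granted per client MAC further down, not to the internal network at large.
$IPTABLES -A OUTPUT -o "$DEVICE_LAN" -j ACCEPT
$IPTABLES -A OUTPUT -o "$DEVICE_WAN" -j ACCEPT
$IPTABLES -A OUTPUT -o lo            -j ACCEPT
$IPTABLES -A INPUT  -i lo            -j ACCEPT
$IPTABLES -A INPUT  -i "$DEVICE_LAN" -j ACCEPT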

## Extra TCP ports opened to every wireless client on the gateway itself.
## UNKNOWN_EXTRA_PORTS is empty above, so this currently adds nothing.
for port in $UNKNOWN_EXTRA_PORTS; do
  $IPTABLES -A INPUT -p tcp -i "$DEVICE_WAN" --dport "$port" -j ACCEPT
done

## Ports the gateway accepts from DHCP-known clients (reached through the
## per-MAC jump into KNOWN_WIRELESS_INPUT).  The plain service ports are TCP
## only; the SMB and mail ports get both a UDP and a TCP entry, in that order.
## (SMTP/IMAP are TCP services, so the UDP mail entries presumably match
## nothing - kept exactly as the original had them.)
for port in $KNOWN_PORTS; do
  $IPTABLES -A KNOWN_WIRELESS_INPUT -p tcp --dport "$port" -j ACCEPT
done
for port in $SMB_PORTS $MAIL_PORTS; do
  $IPTABLES -A KNOWN_WIRELESS_INPUT -p udp --dport "$port" -j ACCEPT
  $IPTABLES -A KNOWN_WIRELESS_INPUT -p tcp --dport "$port" -j ACCEPT
done

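## Destinations the known-client rules send traffic to.  They were literal
## addresses repeated across several rules; naming them once keeps the
## PREROUTING (DNAT) and FORWARD (accept) halves from drifting apart.
MAIL_SERVER='10.1.56.112'      # SMTP/IMAP host behind the DNAT
KNOWN_PROXY_PORT=5000          # local proxy port for known clients (3128 for others)
PORT_5540_TARGET='10.1.1.111'  # DNAT target for TCP/5540 (service not named in this script)

## Known client + PREROUTING: plain HTTP is transparently redirected to the
## local proxy, explicit proxy requests are sent to 192.168.175.1:3128, and
## 5540 is handed on to its server.
$IPTABLES -t nat -A KNOWN_WIRELESS_PREROUTING -p tcp --dport 80   -j REDIRECT --to-port "$KNOWN_PROXY_PORT"
$IPTABLES -t nat -A KNOWN_WIRELESS_PREROUTING -p tcp --dport 3128 -j DNAT --to 192.168.175.1:3128
$IPTABLES -t nat -A KNOWN_WIRELESS_PREROUTING -p tcp --dport 5540 -j DNAT --to "$PORT_5540_TARGET:5540"

## SMB to the PDC and mail to the mail host: DNAT in PREROUTING (only for
## packets arriving on the wireless interface), UDP rule before TCP rule.
for port in $SMB_PORTS; do
  $IPTABLES -t nat -A KNOWN_WIRELESS_PREROUTING -p udp -i "$DEVICE_WAN" --dport "$port" -j DNAT --to "$REMOTE_PDC:$port"
  $IPTABLES -t nat -A KNOWN_WIRELESS_PREROUTING -p tcp -i "$DEVICE_WAN" --dport "$port" -j DNAT --to "$REMOTE_PDC:$port"
done
for port in $MAIL_PORTS; do
  $IPTABLES -t nat -A KNOWN_WIRELESS_PREROUTING -p udp -i "$DEVICE_WAN" --dport "$port" -j DNAT --to "$MAIL_SERVER:$port"
  $IPTABLES -t nat -A KNOWN_WIRELESS_PREROUTING -p tcp -i "$DEVICE_WAN" --dport "$port" -j DNAT --to "$MAIL_SERVER:$port"
done

## ...and the matching FORWARD accepts, pinned to the same destination and
## to the wireless interface (TCP rule before UDP rule here).
for port in $SMB_PORTS; do
  $IPTABLES -A KNOWN_WIRELESS_FORWARD -p tcp -d "$REMOTE_PDC" -i "$DEVICE_WAN" --dport "$port" -j ACCEPT
  $IPTABLES -A KNOWN_WIRELESS_FORWARD -p udp -d "$REMOTE_PDC" -i "$DEVICE_WAN" --dport "$port" -j ACCEPT
done
for port in $MAIL_PORTS; do
  $IPTABLES -A KNOWN_WIRELESS_FORWARD -p tcp -d "$MAIL_SERVER" -i "$DEVICE_WAN" --dport "$port" -j ACCEPT
  $IPTABLES -A KNOWN_WIRELESS_FORWARD -p udp -d "$MAIL_SERVER" -i "$DEVICE_WAN" --dport "$port" -j ACCEPT
done

## Generic forwarded ports for known clients.  Unlike the SMB/mail rules
## these carry no destination or interface restriction.
for port in $FORWARD_PORTS; do
  $IPTABLES -A KNOWN_WIRELESS_FORWARD -p tcp --dport "$port" -j ACCEPT
  $IPTABLES -A KNOWN_WIRELESS_FORWARD -p udp --dport "$port" -j ACCEPT
done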

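## Per-MAC dispatch for DHCP-known clients: each known MAC jumps into the
## KNOWN_WIRELESS_* chains from INPUT, nat PREROUTING and FORWARD.
##
## Caveat: the MAC address is the only credential here, and it is visible to
## anyone listening on the wireless segment, so a known MAC can be cloned to
## inherit its access.  Treat this as convenience, not authentication.

# add_known_mac ADDR - append the three jump rules for ADDR.  Anything that
# is not a well-formed colon-separated MAC is reported and skipped instead of
# being handed to iptables as arguments.  Returns 1 when skipped.
add_known_mac() {
  local hw=$1
  local h='[0-9A-Fa-f][0-9A-Fa-f]'
  case "$hw" in
    $h:$h:$h:$h:$h:$h) ;;
    *)
      echo "rc.proxy: ignoring invalid MAC '$hw' from $DHCP_CONF" >&2
      return 1
      ;;
  esac
  $IPTABLES        -A INPUT      -m mac --mac-source "$hw" -j KNOWN_WIRELESS_INPUT
  $IPTABLES -t nat -A PREROUTING -m mac --mac-source "$hw" -j KNOWN_WIRELESS_PREROUTING
  $IPTABLES        -A FORWARD    -m mac --mac-source "$hw" -j KNOWN_WIRELESS_FORWARD
}

for HW in $List; do
  add_known_mac "$HW"
done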


########
########## UNKNOWN wireless setup (portal-authenticated clients)
## These chains are reached through the per-MAC jumps that wireless.sh adds
## for addresses found in the portal log.  wireless.sh refills the same
## chains with the same rules on a new day, so keep the two lists in step.
## On the gateway itself such clients get DNS, HTTP (transparently sent to
## the 3128 proxy), the explicit proxy port and 8530; through the gateway
## they get 8530/8531 over both protocols plus TCP 443, 5540, 631 and 9100
## (the last two presumably for printing).
for port in 53 80 3128 8530; do
  $IPTABLES -A WIRELESS_INPUT -p tcp --dport "$port" -j ACCEPT
done

$IPTABLES -t nat -A WIRELESS_PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3128

for port in 8530 8531; do
  $IPTABLES -A WIRELESS_FORWARD -p tcp --dport "$port" -j ACCEPT
  $IPTABLES -A WIRELESS_FORWARD -p udp --dport "$port" -j ACCEPT
done
for port in 443 5540 631 9100; do
  $IPTABLES -A WIRELESS_FORWARD -p tcp --dport "$port" -j ACCEPT
done


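# Ports open to every wireless client, authenticated or not, on the gateway
# itself.  The original labelled port 22 "HTTP"; it is SSH, and it is exposed
# to unauthenticated wireless clients.
# NOTE(review): consider limiting SSH to the internal side (already fully
# accepted on $DEVICE_LAN above) or to specific source addresses.
$IPTABLES -A INPUT -p udp -i "$DEVICE_WAN" --dport 53 -j ACCEPT  # DNS
$IPTABLES -A INPUT -p tcp -i "$DEVICE_WAN" --dport 80 -j ACCEPT  # HTTP (captive portal)
$IPTABLES -A INPUT -p tcp -i "$DEVICE_WAN" --dport 22 -j ACCEPT  # SSH

# Catch-all: HTTP from the wireless subnet that no per-MAC PREROUTING chain
# above handled lands on the portal at 192.168.175.1.  wireless.sh deletes
# and re-appends this rule whenever it adds jumps so it stays last.
$IPTABLES -t nat -A PREROUTING -p tcp -s "$WAN_IP" --dport 80 -j DNAT --to 192.168.175.1:80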


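## Force Reload on wireless.sh: it watches today's log for a change, so
## appending a blank line makes it re-apply the per-MAC rules.

# append_blank_line FILE - append " \n" to FILE, but only when FILE is absent
# or a regular file.  The log lives in world-writable /tmp, so without this
# check a planted symlink would let any local user make root append to an
# arbitrary file.  Returns 1 (and writes nothing) when refused.
append_blank_line() {
  local f=$1
  if [ -L "$f" ] || { [ -e "$f" ] && [ ! -f "$f" ]; }; then
    echo "rc.proxy: refusing to write $f: not a regular file" >&2
    return 1
  fi
  echo " " >> "$f"
}

DATE=$(date +%Y%m%d)
HW_LOG_FILE="${HW_LOG_FILE_LOCATION:-/tmp}/wireless-$DATE.log"
append_blank_line "$HW_LOG_FILE"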

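## Kernel network tuning and hardening.

# write_knob PATH VALUE - write VALUE into the /proc/sys entry PATH when it
# exists and is writable; otherwise report it and return 1 so one missing
# knob (kernels differ) does not silently vanish or stop the rest.
write_knob() {
  local path=$1 value=$2
  if [ -w "$path" ]; then
    echo "$value" > "$path"
  else
    echo "rc.proxy: cannot set $path (missing or read-only)" >&2
    return 1
  fi
}

# TCP performance: RFC 1323 window scaling and timestamps, SACK (RFC 2883)
# and FACK (which only has an effect while SACK is on).
write_knob /proc/sys/net/ipv4/tcp_window_scaling 1
write_knob /proc/sys/net/ipv4/tcp_timestamps 1
write_knob /proc/sys/net/ipv4/tcp_sack 1
write_knob /proc/sys/net/ipv4/tcp_fack 1
# SYN cookies against SYN floods; ECN off, as in the original.
write_knob /proc/sys/net/ipv4/tcp_syncookies 1
write_knob /proc/sys/net/ipv4/tcp_ecn 0
# Ignore bogus ICMP error responses (the original set this twice).
write_knob /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses 1
# Martian logging stays off as in the original.  NOTE(review): on a gateway
# forwarding for untrusted clients, logging martians (1) is usually worth it.
write_knob /proc/sys/net/ipv4/conf/all/log_martians 0
# The original comments said "turn source routing OFF" and "disable ICMP
# redirect acceptance" but wrote 1 (= enabled) to both knobs.  Write 0, to
# both the "all" and "default" entries so new interfaces inherit it as well.
for scope in all default; do
  write_knob "/proc/sys/net/ipv4/conf/$scope/accept_source_route" 0
  write_knob "/proc/sys/net/ipv4/conf/$scope/accept_redirects" 0
done
# Reverse-path filtering on every interface against source-address spoofing.
for knob in /proc/sys/net/ipv4/conf/*/rp_filter; do
  write_knob "$knob" 1
done
# Forwarding goes on last, once the DROP policies and the rules are in place.
write_knob /proc/sys/net/ipv4/ip_forward 1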


Self-looping companion script that keeps the per-MAC rules in sync with dhcpd.conf and the portal's daily log, installed as:
/usr/sbin/scripts/wireless.sh


#!/bin/bash
# wireless.sh - companion daemon to rc.proxy.  Polls dhcpd.conf and the
# portal's daily log and keeps the per-MAC jump rules in step with them.
# Variable names (including the inverted WAN/LAN meaning: "WAN" is the
# wireless client side, "LAN" the internal network) mirror rc.proxy.
IPTABLES=/sbin/iptables
DEVICE_WAN=eth1                 # wireless clients
DEVICE_LAN=eth0                 # internal network
WAN_IP=192.168.175.0/24         # wireless client subnet
LAN_IP=10.1.56.115
LOOP=127.0.0.1
DHCP_CONF="/etc/dhcpd.conf"     # source of the "known" client MACs
HW_LOG_FILE_LOCATION="/tmp"     # where the portal writes wireless-YYYYMMDD.log
REMOTE_PDC='10.1.56.110'
SMB_PORTS="139 138 137 445"

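#$IPTABLES -N WIRELESS

# valid_mac ADDR - true when ADDR is a colon-separated 48-bit MAC address.
# Every address read from dhcpd.conf or from the world-writable portal log
# passes through this before it reaches an iptables command line, so a stray
# token in either file can never become extra arguments.
valid_mac() {
  local h='[0-9A-Fa-f][0-9A-Fa-f]'
  case "$1" in
    $h:$h:$h:$h:$h:$h) return 0 ;;
  esac
  return 1
}

# file_stamp FILE - "size:mtime" of FILE via GNU stat, empty when missing.
# The original compared only `ls -l` column 5 (the size), so an edit that
# kept the size - one MAC swapped for another - was never noticed.
file_stamp() {
  stat -c '%s:%Y' "$1" 2>/dev/null
}

# dhcp_known_macs FILE - one MAC per line for every "hardware ethernet"
# statement in FILE, skipping commented-out lines and malformed addresses.
# The original used `grep -v E"^#"`, i.e. the pattern "E^#", which matches
# nothing, so commented-out hosts still received the known-client rules.
dhcp_known_macs() {
  awk '/^[[:space:]]*#/ { next }
       { for (i = 2; i < NF; i++)
           if ($(i - 1) == "hardware" && $i == "ethernet") {
             mac = $(i + 1); sub(/;.*$/, "", mac); print mac
           }
       }' "$1" |
  while IFS= read -r mac; do
    valid_mac "$mac" && printf '%s\n' "$mac"
  done
}

# authed_macs FILE - the first field of every line of the portal log FILE
# that is a well-formed MAC; blank lines and anything else are dropped.
authed_macs() {
  while read -r mac _; do
    valid_mac "$mac" && printf '%s\n' "$mac"
  done < "$1"
}

# set_mac_jumps PREFIX MAC - (re)append the INPUT / nat PREROUTING / FORWARD
# jumps for MAC into PREFIX_INPUT, PREFIX_PREROUTING and PREFIX_FORWARD.
# Delete first because iptables of this vintage has no good way to test for
# an already inserted rule; the delete's "no such rule" noise is silenced.
set_mac_jumps() {
  local prefix=$1 hw=$2
  $IPTABLES        -D INPUT      -m mac --mac-source "$hw" -j "${prefix}_INPUT"      2>/dev/null
  $IPTABLES        -A INPUT      -m mac --mac-source "$hw" -j "${prefix}_INPUT"
  $IPTABLES -t nat -D PREROUTING -m mac --mac-source "$hw" -j "${prefix}_PREROUTING" 2>/dev/null
  $IPTABLES -t nat -A PREROUTING -m mac --mac-source "$hw" -j "${prefix}_PREROUTING"
  $IPTABLES        -D FORWARD    -m mac --mac-source "$hw" -j "${prefix}_FORWARD"    2>/dev/null
  $IPTABLES        -A FORWARD    -m mac --mac-source "$hw" -j "${prefix}_FORWARD"
}

# populate_wireless_chains - (re)create and refill the WIRELESS_* chains used
# by portal-authenticated clients.  This list duplicates the one in rc.proxy;
# keep the two in step.
populate_wireless_chains() {
  local port chain
  $IPTABLES -t nat -N WIRELESS_PREROUTING 2>/dev/null
  $IPTABLES -t nat -F WIRELESS_PREROUTING
  for chain in WIRELESS_FORWARD WIRELESS_INPUT WIRELESS; do
    $IPTABLES -N "$chain" 2>/dev/null
    $IPTABLES -F "$chain"
  done
  ## Unknown + INPUT
  for port in 53 80 3128 8530; do
    $IPTABLES -A WIRELESS_INPUT -p tcp --dport "$port" -j ACCEPT
  done
  ## Unknown + PREROUTING: transparent HTTP proxying via port 3128
  $IPTABLES -t nat -A WIRELESS_PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3128
  ## Unknown + FORWARD
  for port in 8530 8531; do
    $IPTABLES -A WIRELESS_FORWARD -p tcp --dport "$port" -j ACCEPT
    $IPTABLES -A WIRELESS_FORWARD -p udp --dport "$port" -j ACCEPT
  done
  for port in 443 5540 631 9100; do
    $IPTABLES -A WIRELESS_FORWARD -p tcp --dport "$port" -j ACCEPT
  done
}

# reappend_portal_catchall - move the portal DNAT to the end of nat
# PREROUTING so it fires only after every per-MAC chain has been tried.
# The original did this only in the log branch, so after a dhcpd.conf-only
# change the re-added known-MAC jumps sat *behind* the catch-all and those
# clients' HTTP went to the portal instead of their proxy.
reappend_portal_catchall() {
  $IPTABLES -t nat -D PREROUTING -p tcp -s "$WAN_IP" --dport 80 -j DNAT --to 192.168.175.1:80 2>/dev/null
  $IPTABLES -t nat -A PREROUTING -p tcp -s "$WAN_IP" --dport 80 -j DNAT --to 192.168.175.1:80
}

LAST_TIME=""
LAST_TIME_DHCP=""
while :; do
  DATE=$(date +%Y%m%d)
  HW_LOG_FILE="$HW_LOG_FILE_LOCATION/wireless-$DATE.log"

  # The portal process appends to this file, hence the 777 kept from the
  # original.  It lives in world-writable /tmp, so never follow a symlink:
  # root would otherwise chmod and read whatever a local user pointed it at.
  # (A small check-then-use window remains; a root-owned directory with
  # group write for the portal user would remove it entirely.)
  # NOTE(review): anyone who can write this file can authorise any MAC.
  if [ -L "$HW_LOG_FILE" ] || { [ -e "$HW_LOG_FILE" ] && [ ! -f "$HW_LOG_FILE" ]; }; then
    echo "wireless.sh: $HW_LOG_FILE is not a regular file, refusing to use it" >&2
    sleep 5
    continue
  fi
  touch "$HW_LOG_FILE"
  chmod 777 "$HW_LOG_FILE"
  NOW_TIME=$(file_stamp "$HW_LOG_FILE")
  NOW_TIME_DHCP=$(file_stamp "$DHCP_CONF")
  changed=0

  ## Redo all dhcp static clients when dhcpd.conf changed
  if [ "$NOW_TIME_DHCP" != "$LAST_TIME_DHCP" ]; then
    count=0
    while IFS= read -r HW; do
      [ -n "$HW" ] || continue
      echo "known $HW $count"
      set_mac_jumps KNOWN_WIRELESS "$HW"
      count=$((count + 1))
    done < <(dhcp_known_macs "$DHCP_CONF")
    LAST_TIME_DHCP="$NOW_TIME_DHCP"
    changed=1
  fi

  ## Redo all portal-authenticated clients when the log changed
  if [ "$NOW_TIME" != "$LAST_TIME" ]; then
    List=$(authed_macs "$HW_LOG_FILE")
    if [ -z "$List" ]; then
      echo "New Day"
      populate_wireless_chains
      # NOTE(review): only the chains are rebuilt here.  The per-MAC jumps
      # added on earlier days stay in INPUT/FORWARD/PREROUTING, so a portal
      # authorisation never actually expires.  If daily expiry is the
      # intent, the previous day's MACs have to be deleted here as well.
    fi
    while IFS= read -r HW; do
      [ -n "$HW" ] || continue
      echo "authed $HW"
      set_mac_jumps WIRELESS "$HW"
    done <<< "$List"
    LAST_TIME="$NOW_TIME"
    changed=1
  fi

  # Whichever branch added jumps, the portal catch-all must end up last.
  if [ "$changed" -eq 1 ]; then
    reappend_portal_catchall
  fi

  sleep 0.5
done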