Stateful firewall [Solved]

goodnewz
Young Hen
Posts: 28
Joined: Tue May 01, 2007 22:14

Stateful firewall [Solved]

Post by goodnewz » Sun Jul 06, 2008 16:58

Hola !

I've been looking for a stateful firewall tutorial and stumbled upon the firewall tutorial below, so I was wondering if anyone has anything to add to it, and whether there's anything to add/change when using Sabayon 3.5?

http://gentoo-wiki.com/HOWTO_Iptables_a ... _firewalls
Last edited by goodnewz on Tue Aug 12, 2008 23:15, edited 1 time in total.

goodnewz
Young Hen
Posts: 28
Joined: Tue May 01, 2007 22:14

Re: Stateful firewall

Post by goodnewz » Tue Aug 12, 2008 23:11

For the lazier ones... here's my install adaptation, with a friendlier look, of the wiki firewall above. Be sure to check it against the wiki code, since I adapted it to my config.

Code:

touch /etc/init.d/firewall
chmod +x /etc/init.d/firewall

# The delimiter is quoted ('EOF') so that ${UPLINK}, $1 and the `basename`
# backticks are written into the file literally instead of being expanded by
# the shell that creates it.
cat > /etc/init.d/firewall << 'EOF'
#!/bin/bash

#### Colors
white="\e[1;37m"
gray="\e[1;30m"
yellow="\e[1;33m"
cyan="\e[1;36m"
blue="\e[1;34m"
green="\e[1;32m"
purple="\e[1;35m"
red="\e[1;31m"
brown="\e[0;33m"

#Our complete stateful firewall script.  This firewall can be customized for
#a laptop, workstation, router or even a server. :)

#change this to the name of the interface that provides your "uplink"
#(connection to the Internet)

UPLINK="eth0"

#if you're a router (and thus should forward IP packets between interfaces),
#you want ROUTER="yes"; otherwise, ROUTER="no"

ROUTER="no"

#change this next line to the static IP of your uplink interface for static SNAT, or
#"dynamic" if you have a dynamic IP.  If you don't need any NAT, set NAT to "" to
#disable it.

NAT=""

#change this next line so it lists all your network interfaces, including lo

INTERFACES="lo eth0"

#change this line so that it lists the assigned numbers or symbolic names (from
#/etc/services) of all the services that you'd like to provide to the general
#public.  If you don't want any services enabled, set it to ""
#(RELATED matching of FTP data connections needs the ip_conntrack_ftp /
#nf_conntrack_ftp module loaded)

SERVICES="ftp ssh"

fw_start() {
        #default policy: anything not explicitly accepted below is dropped
        iptables -P INPUT DROP
        #traffic that did not arrive on the uplink (lo, LAN side) is trusted
        #("! -i" is the current syntax; the older "-i !" form is deprecated)
        iptables -A INPUT ! -i ${UPLINK} -j ACCEPT
        #the stateful rule: replies to connections we opened, plus RELATED
        #traffic such as FTP data channels and ICMP errors, are let in
        iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

        #enable public access to certain services (new TCP connections only)
        for x in ${SERVICES}
        do
                iptables -A INPUT -p tcp --dport ${x} -m state --state NEW -j ACCEPT
        done

        #refuse everything else from the uplink explicitly instead of letting
        #the DROP policy time the sender out
        iptables -A INPUT -p tcp -i ${UPLINK} -j REJECT --reject-with tcp-reset
        iptables -A INPUT -p udp -i ${UPLINK} -j REJECT --reject-with icmp-port-unreachable

        #explicitly disable ECN
        if [ -e /proc/sys/net/ipv4/tcp_ecn ]
        then
                echo 0 > /proc/sys/net/ipv4/tcp_ecn
        fi

        #enable reverse-path filtering (anti-spoofing) on all interfaces
        for x in ${INTERFACES}
        do
                echo 1 > /proc/sys/net/ipv4/conf/${x}/rp_filter
        done

        if [ "$ROUTER" = "yes" ]
        then
                #we're a router of some kind, enable IP forwarding
                echo 1 > /proc/sys/net/ipv4/ip_forward
                if [ "$NAT" = "dynamic" ]
                then
                        #dynamic IP address, use masquerading
                        echo "Enabling masquerading (dynamic ip)..."
                        iptables -t nat -A POSTROUTING -o ${UPLINK} -j MASQUERADE
                elif [ "$NAT" != "" ]
                then
                        #static IP, use SNAT with the address held in NAT
                        echo "Enabling SNAT (static ip)..."
                        iptables -t nat -A POSTROUTING -o ${UPLINK} -j SNAT --to-source ${NAT}
                fi
        fi
}

fw_stop() {
        iptables -F INPUT
        iptables -P INPUT ACCEPT
        #turn off NAT/masquerading, if any
        iptables -t nat -F POSTROUTING
}

case "$1" in
        "start")
                echo -e ""
                echo -e "${red}  [ ${yellow} Starting the firewall ${red} ] ${white}"
                fw_start
                ;;

        "stop")
                echo -e ""
                echo -e "${red}  [ ${yellow} Stopping the firewall ${red} ] ${white}"
                fw_stop
                ;;

        "restart")
                echo -e ""
                echo -e "${red}  [ ${yellow} Restarting the firewall ${red} ] ${white}"
                #between fw_stop and fw_start the INPUT policy is ACCEPT with no
                #rules loaded, so the box is briefly unfiltered
                fw_stop
                echo -e "${red}   > > ${yellow} firewall stopped ${white}"
                fw_start
                echo -e "${red}   > > ${yellow} firewall restarted ${white}"
                ;;

        "rules")
                echo -e ""
                echo -e "${red}  [ ${yellow} Firewall Rules ${red} ] ${white}"
                #-n: numeric addresses and ports, no DNS or /etc/services lookups
                iptables -v -n -L INPUT
                ;;

        *)
                echo -e "`basename ${0}`: Stateful firewall script"
                echo -e "http://gentoo-wiki.com/HOWTO_Iptables_and_stateful_firewalls"
                echo -e ""
                echo -e "Usage: `basename ${0}` < start | stop | restart | rules >"
                echo -e ""
                echo -e "  start      ->  Starts the firewall"
                echo -e "                 Example: \"`basename ${0}` start\""
                echo -e ""
                echo -e "  stop       ->  Stops the firewall"
                echo -e "                 Example: \"`basename ${0}` stop\""
                echo -e ""
                echo -e "  restart    ->  Restarts the firewall."
                echo -e "                 Example: \"`basename ${0}` restart\""
                echo -e ""
                echo -e "  rules      ->  View the rules"
                echo -e "                 Example: \"`basename ${0}` rules\""
                echo -e ""
                ;;
esac

exit 0
EOF

rc-update add firewall default
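The script above builds its chain one iptables call at a time, so a restart passes through a moment with an ACCEPT policy and no rules, and a typo in one rule leaves a half-built chain behind. The block below is an added example, not code from this post or from the Gentoo wiki: it renders the same policy (same uplink, services, router and NAT knobs) as an iptables-restore ruleset, which the kernel commits per table all-or-nothing. The interface names, service list and the 203.0.113.5 address are illustrative assumptions. It also goes slightly beyond the original in two places: the FORWARD chain defaults to DROP when the box is not a router, and the per-service rules are scoped to the uplink interface.

```shell
#!/bin/sh
# Added example (not from the post or the Gentoo wiki): emit the post's
# stateful policy in iptables-restore format so it can be loaded atomically.
# Arguments mirror the script's variables; the sample values are assumptions.

render_rules() {
    uplink=$1      # interface facing the Internet
    services=$2    # space-separated TCP ports or /etc/services names
    router=$3      # "yes" to forward packets between interfaces
    nat=$4         # "", "dynamic" (MASQUERADE) or a static address (SNAT)

    # a host that does not route has no business forwarding anything
    if [ "$router" = "yes" ]; then fwd=ACCEPT; else fwd=DROP; fi

    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ":FORWARD $fwd [0:0]"
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    # anything not arriving on the uplink (lo, LAN side) is trusted
    printf '%s\n' "-A INPUT ! -i $uplink -j ACCEPT"
    # the stateful rule: replies to our own connections and RELATED traffic
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    # only NEW TCP connections to the published services get in from outside
    for svc in $services; do
        printf '%s\n' "-A INPUT -i $uplink -p tcp --dport $svc -m state --state NEW -j ACCEPT"
    done
    # refuse the rest explicitly instead of letting the DROP policy time it out
    printf '%s\n' "-A INPUT -i $uplink -p tcp -j REJECT --reject-with tcp-reset"
    printf '%s\n' "-A INPUT -i $uplink -p udp -j REJECT --reject-with icmp-port-unreachable"
    printf '%s\n' 'COMMIT'

    # NAT table only when routing; an unknown service name or a typo makes
    # iptables-restore reject the whole file, leaving the old rules in place
    if [ "$router" = "yes" ] && [ -n "$nat" ]; then
        printf '%s\n' '*nat'
        printf '%s\n' ':POSTROUTING ACCEPT [0:0]'
        if [ "$nat" = "dynamic" ]; then
            printf '%s\n' "-A POSTROUTING -o $uplink -j MASQUERADE"
        else
            printf '%s\n' "-A POSTROUTING -o $uplink -j SNAT --to-source $nat"
        fi
        printf '%s\n' 'COMMIT'
    fi
}

# Sanity check before loading: how many ports did SERVICES actually open?
count_open_ports() {
    render_rules "$@" | grep -c -- '--state NEW -j ACCEPT'
}

# Apply in one commit per table; needs root and is not run by the example.
load_rules() {
    render_rules "$@" | iptables-restore
}

# Illustrative invocation (assumed values): eth0 uplink, ssh public, no routing.
if [ "${1:-}" = "print" ]; then
    render_rules eth0 "ssh" no ""
fi
```

Run it with `print` to inspect the generated file, then feed the same output to `iptables-restore`; on iptables releases that have it, `iptables-restore --test` parses the file without committing it, which is the cheap way to catch a bad service name before touching the live ruleset. The sysctl settings from the original (rp_filter, tcp_ecn, ip_forward) are independent of the table load and can stay in the init script as they are.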
