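#!/bin/sh
#
# - iptables firewall script generator
#
# Asks a series of questions on the terminal and writes a standalone
# firewall script, rc.firewall, into the current directory.  The
# generator itself touches no kernel state; the generated script does,
# when the administrator runs it.
#
# Every answer ends up verbatim inside a script that later runs as root,
# so answers are checked before anything is written: yes/no answers must
# be exactly "yes" or "no", ports must be decimal 1-65535, and interface
# and address tokens are limited to a safe character set.  End of input
# on any prompt aborts the run instead of looping forever or leaving a
# half-answered rule set behind.  All questions are asked first and the
# script is written in one go at the end.

echo ""
echo " please be sure to read the readme file for instructions"
echo ""
echo ""

export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin

out="rc.firewall"

# die MESSAGE... - report on stderr and abort with status 1.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# ask TEXT - show " TEXT : " and read one line into $answer.  printf is
# used rather than 'echo -n', whose behaviour POSIX sh leaves undefined.
# End of input aborts the generator.
ask() {
  printf ' %s : ' "$1"
  read -r answer || die " aborted: end of input"
  echo ""
}

# ask_yes_no TEXT - like ask, but repeat until $answer is "yes" or "no".
ask_yes_no() {
  while :; do
    ask "$1 (yes/no)"
    case $answer in
      yes|no) return 0 ;;
    esac
    echo " i didn't understand your last answer"
    echo ""
  done
}

# is_port WORD - true when WORD is a decimal port number 1-65535.
is_port() {
  case $1 in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# is_token WORD - true when WORD can safely be pasted into a generated
# iptables command line as an interface name, address or CIDR network:
# non-empty, no leading '-' (would be parsed as an option) and only
# letters, digits and the characters . / : _ -
is_token() {
  case $1 in
    ''|-*|*[!A-Za-z0-9./:_-]*) return 1 ;;
  esac
  return 0
}

# check_ports LIST WHAT - abort unless every word in LIST is a port.
check_ports() {
  for _p in $1; do
    is_port "$_p" || die " '$_p' is not a valid $2 port number (1-65535)"
  done
}

# check_tokens LIST WHAT - abort unless every word in LIST is a token.
check_tokens() {
  for _t in $1; do
    is_token "$_t" || die " '$_t' is not a valid $2"
  done
}

# emit LINE... - append each argument as one line to the output script.
emit() {
  printf '%s\n' "$@" >> "$out"
}

# add_forward LINE - queue one port-forwarding rule; the queue is written
# into the script after the locally open ports, as before.
add_forward() {
  forward_rules="$forward_rules$1
"
}

# existing output file
if [ -f "$out" ]; then
  echo " $out already exists in current directory. continuing will overwrite existing file "
  echo ""
  ask_yes_no "do you wish to continue"
  if [ "$answer" = "yes" ]; then
    rm -f -- "$out"
    echo ""
    echo ""
  else
    exit 1
  fi
fi

# path to iptables
echo " we need to know where the iptables binary is located."
echo " it can often be found at /sbin/iptables or"
echo " /usr/local/sbin/iptables"
echo ""
ask "where is iptables located on your system"
iptables=$answer
# the path is written into the generated script inside double quotes, so
# reject the characters that would break out of or expand inside them
case $iptables in
  ''|*'"'*|*'$'*|*'`'*|*'\'*) die " '$iptables' is not a usable path for iptables" ;;
esac
if [ ! -f "$iptables" ]; then
  ask_yes_no "iptables not found. do you wish to continue anyway"
  if [ "$answer" = "yes" ]; then
    echo ""
  else
    exit 1
  fi
fi

# external interface
echo ""
echo ""
echo " we need to know which network interface is connected to"
echo " your ISP or untrusted network. this could be an ethernet"
echo " like eth0 or eth1, or it could be a ppp interface like"
echo " ppp0. if you're unsure what to put here, try running the"
echo " following command."
echo " /sbin/ip route list | grep default | awk '{print \$5}'"
echo ""
ask "which interface do you use to connect to the internet ( eth0, eth1, ppp0 )"
ext_if=$answer
is_token "$ext_if" || die " '$ext_if' is not a valid interface name"

# nat
echo ""
echo ""
echo " nat, or network address translation, allows you to connect"
echo " multiple computers on a network to the internet. if you"
echo " have multiple computers and want to use your linux system"
echo " as a router you need to say yes here"
echo ""
ask_yes_no "would you like to use NAT"
nat=$answer
echo ""
int_if=""
masq_nets=""
if [ "$nat" = "yes" ]; then
  echo " this is the interface that is connected to your lan"
  echo " or what you might call the trusted network"
  echo ""
  ask "which is your internal interface"
  int_if=$answer
  is_token "$int_if" || die " '$int_if' is not a valid interface name"
  echo ""
  echo " this is your internal or trusted network or networks"
  echo " that you want to provide gateway services for. if your"
  echo " internal ip address is 192.168.1.254 and your netmask is"
  echo " 255.255.255.0 you would answer 192.168.1.0/24 to this"
  echo " question. if you have multiple internal or trusted networks"
  echo " separate them by a single space"
  echo ""
  ask "what networks would you like to masquerade"
  masq_nets=$answer
  [ -n "$masq_nets" ] || die " at least one network is needed to masquerade"
  check_tokens "$masq_nets" "network address"
fi

# icmp
echo ""
echo ""
ask_yes_no "would you like your internet IP address to be pingable"
icmp=$answer

# tcp input
echo ""
echo ""
echo " if you run any services on your firewall machine you need"
echo " to allow connections to their ports. you may list multiple"
echo " ports separated by a single space. this option is mostly"
echo " for standalone non-nat setups or for allowing ident requests"
echo " to a nat aware identd running on your firewall. hitting enter"
echo " closes all ports"
echo ""
ask "what tcp ports would you like open on the firewall (separate by spaces .. 21 22 80). hit enter to close all ports"
tcp_input=$answer
check_ports "$tcp_input" tcp

# udp input
echo ""
echo ""
echo " if you run any services on your firewall machine you need"
echo " to allow connections to their ports. you may list multiple"
echo " ports separated by a single space. this option is mostly"
echo " for standalone non-nat setups or for allowing ident requests"
echo " to a nat aware identd running on your firewall. hitting enter"
echo " closes all ports"
echo ""
ask "what udp ports would you like open on the firewall (separate by spaces .. 53 514). hit enter to close all ports"
udp_input=$answer
check_ports "$udp_input" udp

# blocked hosts
echo ""
echo ""
ask "enter the ip address(es) and/or network address(es) to completely block"
blocked=$answer
check_tokens "$blocked" "address to block"

# logging
echo ""
echo ""
echo " logging dropped packets creates a record of the packet."
echo " it can also generate a lot of logging. iptables uses"
echo " kern.info for syslogging"
echo ""
ask_yes_no "would you like to log dropped packets"
log_packets=$answer

# port forwarding (nat only); rules are queued in $forward_rules
forward_rules=""
if [ "$nat" = "yes" ]; then
  echo ""
  echo ""
  echo " if you're using nat and need to forward ports to machines"
  echo " on the internal or trusted network say yes here"
  echo ""
  ask_yes_no "would you like to forward ports to one or more internal machine"
  if [ "$answer" = "yes" ]; then
    ask "how many internal hosts do you want to forward ports to"
    num_internal=$answer
    case $num_internal in
      ''|*[!0-9]*) die " '$num_internal' is not a number" ;;
    esac
    host=1
    while [ "$host" -le "$num_internal" ]; do
      echo ""
      ask "ip of internal host number $host"
      internal_ip=$answer
      is_token "$internal_ip" || die " '$internal_ip' is not a valid ip address"
      ask "enter tcp ports to forward to this host (22 25 80)"
      check_ports "$answer" tcp
      for port in $answer; do
        # the FORWARD accept is pinned to the DNAT target (-d) so that the
        # hole only admits traffic that was actually redirected to this host
        add_forward "\$iptables -A FORWARD -i $ext_if -p tcp -d $internal_ip --dport $port -j ACCEPT"
        add_forward "\$iptables -t nat -A PREROUTING -i $ext_if -p tcp --dport $port -j DNAT --to-destination $internal_ip:$port"
      done
      ask "enter udp ports to forward to this host or enter for none (53 514)"
      check_ports "$answer" udp
      for port in $answer; do
        add_forward "\$iptables -A FORWARD -i $ext_if -p udp -d $internal_ip --dport $port -j ACCEPT"
        add_forward "\$iptables -t nat -A PREROUTING -i $ext_if -p udp --dport $port -j DNAT --to-destination $internal_ip:$port"
      done
      host=$((host + 1))
    done
  fi
fi

# do it - everything has been validated, now write the script.  umask
# 077 makes the file private from the moment it is created; chmod 700
# at the end makes it executable.
umask 077

emit "#!/bin/sh" "#" "# generated by $0" "#" ""
emit "# path to iptables" "iptables=\"$iptables\"" ""
emit "if [ -e /proc/sys/net/ipv4/tcp_syncookies ]; then echo 1 > /proc/sys/net/ipv4/tcp_syncookies; fi"
emit ""
emit "# set the default policies before flushing so nothing is accepted"
emit "# through an empty INPUT chain while the rules are being rebuilt"
emit "\$iptables -P INPUT DROP"
emit "\$iptables -P OUTPUT ACCEPT"
emit "\$iptables -F INPUT"
emit "\$iptables -F OUTPUT"
emit ""

if [ "$nat" = "yes" ]; then
  emit "# setup nat"
  emit "\$iptables -P FORWARD DROP"
  emit "\$iptables -F FORWARD"
  emit "\$iptables -F -t nat"
  emit "\$iptables -A FORWARD -i $int_if -j ACCEPT"
  emit "\$iptables -A INPUT -i $int_if -j ACCEPT"
  emit "\$iptables -A OUTPUT -o $int_if -j ACCEPT"
  emit "\$iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
  for network in $masq_nets; do
    emit "\$iptables -t nat -A POSTROUTING -s $network -o $ext_if -j MASQUERADE"
  done
  emit ""
fi

emit "# allow all packets on the loopback interface"
emit "\$iptables -A INPUT -i lo -j ACCEPT"
emit "\$iptables -A OUTPUT -o lo -j ACCEPT"
emit ""
emit "# allow established and related packets back in"
emit "\$iptables -A INPUT -i $ext_if -m state --state ESTABLISHED,RELATED -j ACCEPT"
emit ""

if [ -n "$blocked" ]; then
  emit "# blocked hosts - inserted at the head of the chain so they take"
  emit "# precedence over every accept rule, including ESTABLISHED"
  for block in $blocked; do
    emit "\$iptables -I INPUT -s $block -j DROP"
  done
  if [ "$nat" = "yes" ]; then
    for block in $blocked; do
      emit "\$iptables -I FORWARD -s $block -j DROP"
    done
  fi
  emit ""
fi

emit "# icmp"
emit "\$iptables -A OUTPUT -p icmp -m state --state NEW -j ACCEPT"
emit "\$iptables -A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT"
if [ "$icmp" = "yes" ]; then
  emit "\$iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -i $ext_if -j ACCEPT"
else
  emit "\$iptables -A INPUT -p icmp --icmp-type echo-request -i $ext_if -j DROP"
fi
emit ""

emit "# open ports to the firewall"
for port in $tcp_input; do
  emit "\$iptables -A INPUT -p tcp --dport $port -j ACCEPT"
done
for port in $udp_input; do
  # references the $iptables variable of the generated script (the
  # original inlined the path here, unlike every other rule)
  emit "\$iptables -A INPUT -p udp --dport $port -j ACCEPT"
done
emit ""

if [ -n "$forward_rules" ]; then
  emit "# open ports to the internal machine"
  printf '%s' "$forward_rules" >> "$out"
  emit ""
fi

if [ "$log_packets" = "yes" ]; then
  emit "# logging - rate limited so a flood of unsolicited packets cannot"
  emit "# fill the log; adjust the limit to taste.  udp port 68 (bootpc)"
  emit "# is left out, presumably to keep dhcp replies out of the log"
  emit "\$iptables -A INPUT -i $ext_if -p tcp --dport 0:65535 -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix \"tcp connection: \""
  emit "\$iptables -A INPUT -i $ext_if -p udp --dport 0:67 -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix \"udp connection: \""
  emit "\$iptables -A INPUT -i $ext_if -p udp --dport 69:65535 -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix \"udp connection: \""
fi
emit ""
emit "# drop all other tcp/udp packets explicitly; anything else arriving"
emit "# on $ext_if falls through to the INPUT DROP policy"
emit "\$iptables -A INPUT -i $ext_if -p tcp --dport 0:65535 -j DROP"
emit "\$iptables -A INPUT -i $ext_if -p udp --dport 0:65535 -j DROP"
emit ""
if [ "$nat" = "yes" ]; then
  emit "# enable forwarding only now that the FORWARD chain is in place"
  emit "if [ -e /proc/sys/net/ipv4/ip_forward ]; then echo 1 > /proc/sys/net/ipv4/ip_forward; fi"
  emit ""
fi
emit "echo \"firewall is loaded\""

chmod 700 "$out"
echo ""
echo " your firewall script has been written to $out"
echo ""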