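#!/sbin/runscript
# Brian Bothwell's Firewall Script
#
# OpenRC service that loads a packet filter plus NAT for a LAN behind eth0.
#   start   - flush, (re)create the LOGDROP chain, load INPUT filtering,
#             SNAT for the LAN and the per-host DNAT port forwards
#   stop    - flush all filtering but keep SNAT so LAN hosts stay online
#   stopnat - flush filtering AND NAT
#
# Uses only the OpenRC helpers ebegin/eend/need and iptables.

opts="start stop stopnat"

# Site configuration. WAN_IP is the public address packets are SNATed to;
# LAN_NET is the masqueraded network; WAN_IF is the external interface all
# INPUT/DNAT rules are bound to.
WAN_IF=eth0
WAN_IP=64.81.85.161
LAN_NET=192.168.1.0/24

# Some default network security settings.
# NOTE: this runs at every invocation (start, stop, stopnat, status), so
# ip_forward is enabled even while the firewall is stopped. That is what
# lets 'stop' keep NAT working; it also means the host forwards packets
# with no FORWARD rules at all (FORWARD policy is ACCEPT below).
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo 1 > /proc/sys/net/ipv4/log_martians
echo 1 > /proc/sys/net/ipv4/ip_forward

# Set to 1 by fw_rule when any iptables command fails, so eend reports a
# partial load instead of only the exit status of the last rule.
fw_failed=0

#######################################
# Run one iptables command and remember any failure.
# Globals:   fw_failed (written)
# Arguments: iptables arguments
# Returns:   the iptables exit status
#######################################
fw_rule() {
  iptables "$@" || { fw_failed=1; return 1; }
}

#######################################
# Accept inbound traffic on the WAN interface for a protocol/port range.
# Arguments: $1 - tcp|udp, $2 - port or low:high range
#######################################
allow_in() {
  fw_rule -A INPUT -p "$1" -i "$WAN_IF" --dport "$2" -j ACCEPT
}

#######################################
# Forward inbound WAN traffic for a protocol/port range to a LAN host.
# Arguments: $1 - tcp|udp, $2 - port or low:high range, $3 - LAN address
#######################################
dnat() {
  fw_rule -t nat -A PREROUTING -p "$1" -i "$WAN_IF" --dport "$2" -j DNAT --to "$3"
}

#######################################
# Flush every chain this script touches (filter + nat) and drop LOGDROP.
# The LOGDROP flush/delete may fail when the chain does not exist yet;
# that is expected, so it is not routed through fw_rule.
#######################################
flush_rules() {
  fw_rule -F INPUT
  fw_rule -F OUTPUT
  fw_rule -F FORWARD
  iptables -F LOGDROP 2>/dev/null
  iptables -X LOGDROP 2>/dev/null
  fw_rule -t nat -F PREROUTING
  fw_rule -t nat -F POSTROUTING
}

#######################################
# Reset filter and nat policies to ACCEPT.
# NOTE: with INPUT policy ACCEPT the only thing denying WAN traffic is the
# trailing LOGDROP rule in start(); if loading stops before it, eth0 is open.
#######################################
reset_policies() {
  fw_rule -P INPUT ACCEPT
  fw_rule -P OUTPUT ACCEPT
  fw_rule -P FORWARD ACCEPT
  fw_rule -t nat -P PREROUTING ACCEPT
  fw_rule -t nat -P POSTROUTING ACCEPT
}

#######################################
# Source-NAT the LAN behind the public address.
#######################################
enable_snat() {
  fw_rule -t nat -A POSTROUTING -s "$LAN_NET" -j SNAT --to "$WAN_IP"
}

depend() {
  need logger net
}

start() {
  ebegin "Loading NAT Rules and Starting Firewall"
  fw_failed=0

  # Flushing Chains / Setting Default Policies / Enabling NAT
  flush_rules
  reset_policies
  enable_snat

  # Creating LOGDROP Chain: log, then drop
  fw_rule -N LOGDROP
  fw_rule -A LOGDROP -j LOG
  fw_rule -A LOGDROP -j DROP

  # Fix For iptables Bug (obsolete?)
  fw_rule -A OUTPUT -m state -p icmp --state INVALID -j LOGDROP

  # Allowing Already Established Connections
  fw_rule -A INPUT -i "$WAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT

  # Allowing Known Services
  ## FTP & SSH
  allow_in tcp 20:22
  ## Telnet
  #allow_in tcp 23
  ## Mail
  allow_in tcp 25
  allow_in tcp 110
  ## HotwayD
  allow_in tcp 1010
  ## HTTP & HTTPS
  allow_in tcp 80
  allow_in tcp 443
  ## IDENTD
  allow_in tcp 113
  ## User Ports
  # NOTE: this exposes every unprivileged port on the WAN side, so any
  # service listening above 1023 is reachable from the Internet.
  allow_in tcp 1024:65535
  allow_in udp 1024:65535
  ## DNS
  allow_in tcp 53
  allow_in udp 53
  ## Talk
  #allow_in udp 517:518
  ## ICMP Replies
  fw_rule -A INPUT -i "$WAN_IF" -p icmp -j ACCEPT
  ## All IPv6 Traffic
  #fw_rule -A INPUT -i "$WAN_IF" -p 41 -j ACCEPT

  # Denying Everything Else (this rule is what actually closes eth0)
  fw_rule -A INPUT -i "$WAN_IF" -j LOGDROP

  # Forwarding Ports For NAT
  # NOTE: FORWARD policy is ACCEPT and no FORWARD rules exist, so DNATed
  # traffic reaches the LAN host unfiltered.
  ## ICQ
  dnat udp 4000 192.168.1.74
  dnat tcp 20020:20039 192.168.1.74
  ## mIRC DCC's
  dnat tcp 15000:15500 192.168.1.75
  ## Unreal Tournament
  #dnat tcp 7600:7900 192.168.1.1
  #dnat udp 7600:7900 192.168.1.1
  ## Re-Volt
  #dnat tcp 2300:2400 192.168.1.1
  #dnat udp 2300:2400 192.168.1.1
  #dnat tcp 47600:47800 192.168.1.1
  #dnat udp 47600:47800 192.168.1.1
  #dnat udp 28800:28900 192.168.1.1
  ## WinMX
  dnat udp 6257 192.168.1.75
  dnat tcp 6699 192.168.1.75
  ## WinVNC
  #dnat tcp 5800 192.168.1.1
  #dnat tcp 5900 192.168.1.1
  ## DC++
  dnat udp 8001 192.168.1.75
  dnat tcp 8001 192.168.1.75
  ## Everquest
  #dnat tcp 7000:7003 192.168.1.75
  ## BitTorrent
  dnat udp 6881:6890 192.168.1.75
  dnat tcp 6881:6890 192.168.1.75
  dnat udp 6891:6899 192.168.1.74
  dnat tcp 6891:6899 192.168.1.74
  ## WASTE
  dnat tcp 1337 192.168.1.75
  ## Homeworld 2
  dnat tcp 6073 192.168.1.75
  dnat udp 6073 192.168.1.75
  dnat tcp 2302:2400 192.168.1.75
  dnat udp 2302:2400 192.168.1.75
  ## MTA
  dnat tcp 2003 192.168.1.75
  dnat udp 2003 192.168.1.75
  ## Halo
  dnat tcp 2302 192.168.1.75

  # Report failure if ANY rule above failed, not just the last one.
  eend "$fw_failed"
}

stop() {
  ebegin "Stopping Firewall"
  fw_failed=0

  # Flush Rules and Reset Default Policies
  flush_rules
  reset_policies

  # Restart NAT: the LAN keeps its Internet access while filtering is off
  enable_snat

  eend "$fw_failed"
}

stopnat() {
  ebegin "Stopping Firewall & NAT"
  fw_failed=0

  # Flush Rules, including SNAT/DNAT; ip_forward itself stays enabled
  flush_rules

  eend "$fw_failed"
}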