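#!/bin/sh
# Host firewall control script (POSIX sh - no bashisms, so /bin/sh is honest).
#
# Usage: $NAME { start | restart | stop | block }
#   block              - stop the network, apply sysctl hardening, reset
#                        iptables to a deny-by-default ruleset that only
#                        keeps loopback, ping, the "phone home" peer and the
#                        pptpd VPN reachable, then bring the network back up.
#   start/restart/stop - accepted but currently NOT implemented (no-ops).
#
# Required environment (expected to be exported by the wrapper that calls
# this script; nothing in this file sets them):
#   DAEMON  - path to the iptables binary
#   NETWORK - network init script, invoked as "$NETWORK stop|start"
#   NAME    - script name shown in the usage line (falls back to $0)

iptables=$DAEMON            # no space allowed before/after '='
intLo=lo                    # loopback interface
intIf0=eth0                 # extra ethernet card, 1000 Mbps
intIf1=eth1                 # motherboard ethernet, 100 Mbps
intBr0=brLan                # bridge for OpenVPN between eth0 and tapLan (lanVpn)
intVpn0=tapLan              # OpenVPN tap port used for bridging
intPpp=ppp+                 # pptpd VPN interfaces (wildcard)
intTun0=tun0                # OpenVPN tunnel for lanVpn
iplo=localhost              # normally 127.0.0.1
ip0=10.0.0.248
ip0bc=10.0.0.255
ip1=10.7.204.248
ip1bc=10.7.204.255
ipHome=83.117.120.143       # "phone home" peer that stays reachable in block mode
#ipTun0=10.107.102.1        # tun0 adapter ip
dns1=208.67.222.222
dns2=8.8.8.8

# set_sys PATH VALUE
# Write VALUE into a /proc/sys knob. A missing knob (e.g. an interface that
# is not present on this box) is reported on stderr instead of aborting the
# whole run, so the remaining hardening and the ruleset still get applied.
set_sys() {
  if [ -w "$1" ]; then
    echo "$2" > "$1"
  else
    echo "firewall: cannot set $1 (missing or not writable)" >&2
  fi
}

# firewallSys
# Kernel-level protection bits: SYN cookies, martian logging, strict reverse
# path filtering, and no ICMP redirects / source routing on every interface
# this script knows about. IP forwarding is enabled because OpenVPN needs it.
firewallSys() {
  set_sys /proc/sys/net/ipv4/tcp_syncookies 1
  set_sys /proc/sys/net/ipv4/ip_forward 1            # required for OpenVPN
  set_sys /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 1
  set_sys /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses 1
  set_sys /proc/sys/net/ipv4/conf/all/log_martians 1
  # NOTE(review): strict rp_filter can drop legitimate traffic on boxes with
  # asymmetric routing (VPN tunnels, multiple uplinks) - verify on this host.
  set_sys /proc/sys/net/ipv4/conf/all/rp_filter 1
  set_sys /proc/sys/net/ipv4/conf/all/accept_source_route 0
  # Same interface list as the original, but driven by the variables above so
  # renaming an interface only has to happen in one place.
  for dev in all default "$intLo" "$intIf0" "$intIf1"; do
    set_sys "/proc/sys/net/ipv4/conf/$dev/accept_redirects" 0
    set_sys "/proc/sys/net/ipv4/conf/$dev/secure_redirects" 0
    set_sys "/proc/sys/net/ipv4/conf/$dev/send_redirects" 0
  done
}

# firewallFlush
# Empty every table we may have written to and delete user chains in filter.
# Default policies are NOT touched here - the caller must close them before
# flushing so the flush never leaves the box on an ACCEPT-by-default policy.
firewallFlush() {
  "$iptables" -t mangle -F
  # Probe the tables directly rather than grepping lsmod: with the nft
  # backend the iptable_raw / iptable_nat modules are never loaded, which
  # made the original lsmod check silently skip the nat flush.
  if "$iptables" -t raw -L -n >/dev/null 2>&1; then
    "$iptables" -t raw -F
  fi
  if "$iptables" -t nat -L -n >/dev/null 2>&1; then
    "$iptables" -t nat -F
  fi
  "$iptables" -F
  "$iptables" -X
}

# firewallBlock
# Deny-by-default ruleset for "block" mode. Only the following is allowed:
#   - loopback
#   - inbound ping to this host's own addresses on each LAN interface
#   - outbound traffic to $ipHome (phone home) and replies to it
#   - inbound pptpd (tcp/1723 + GRE) and the matching outbound side
#   - anything RELATED/ESTABLISHED on INPUT and FORWARD
# Everything else is rate-limit logged with an "fwBlock" prefix and dropped.
firewallBlock() {
  # default policy: allow nothing
  "$iptables" -P INPUT DROP
  "$iptables" -P FORWARD DROP
  "$iptables" -P OUTPUT DROP

  # loopback
  "$iptables" -A INPUT -i lo -j ACCEPT
  "$iptables" -A OUTPUT -o lo -j ACCEPT

  # ping only: the comment on the original rule said "ping", but it accepted
  # every ICMP type. Error ICMP for our own flows still gets in through the
  # RELATED,ESTABLISHED rule below, so echo-request is all that is needed.
  "$iptables" -A INPUT -i "$intIf0" -d "$ip0" -p icmp --icmp-type echo-request -j ACCEPT
  "$iptables" -A INPUT -i "$intIf1" -d "$ip1" -p icmp --icmp-type echo-request -j ACCEPT

  # internet: phone home on either uplink, plus replies to anything we started
  "$iptables" -A OUTPUT -o "$intIf0" -d "$ipHome" -j ACCEPT
  "$iptables" -A OUTPUT -o "$intIf1" -d "$ipHome" -j ACCEPT
  "$iptables" -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  "$iptables" -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

  # pptpd vpn (test)
  # NOTE(review): these rules accept tcp/1723 and GRE from ANY source on ANY
  # interface, and PPTP itself (MS-CHAPv2) is considered broken; restrict to
  # the expected interface/peers or replace with the OpenVPN path if this is
  # more than a test.
  "$iptables" -A INPUT -p tcp --dport 1723 -j ACCEPT
  "$iptables" -A INPUT -p 47 -j ACCEPT
  "$iptables" -A OUTPUT -p 47 -j ACCEPT
  "$iptables" -A OUTPUT -p icmp -j ACCEPT
  "$iptables" -A OUTPUT -p tcp --sport 1723 -j ACCEPT
  # NAT for the VPN sides; note FORWARD is DROP apart from RELATED,ESTABLISHED,
  # so new forwarded connections are still refused in block mode.
  "$iptables" -t nat -A POSTROUTING -o "$intBr0" -j MASQUERADE
  "$iptables" -t nat -A POSTROUTING -o "$intPpp" -j MASQUERADE

  # log before the policy DROP, rate-limited so a flood cannot fill syslog
  "$iptables" -A INPUT -p icmp -m limit --limit 5/min --limit-burst 8 -j LOG --log-prefix "fwBlock icmp:"
  "$iptables" -A INPUT -p tcp -m limit --limit 5/min --limit-burst 8 -j LOG --log-prefix "fwBlock tcp :"
  "$iptables" -A INPUT -p udp -m limit --limit 5/min --limit-burst 8 -j LOG --log-prefix "fwBlock udp :"
  "$iptables" -A INPUT -p all -m limit --limit 5/min --limit-burst 8 -j LOG --log-prefix "fwBlock all :"
  "$iptables" -A FORWARD -m limit --limit 5/min --limit-burst 8 -j LOG --log-prefix "fwBlock fwd :"
  "$iptables" -A OUTPUT -m limit --limit 5/min --limit-burst 8 -j LOG --log-prefix "fwBlock out :"
  # TODO: activate phone home script
}

case "$1" in
  block)
    # Fail closed: with DAEMON empty the original ran "-P INPUT DROP" as a
    # command, logged "command not found" and then restarted the network
    # with no firewall at all.
    : "${iptables:?firewall: DAEMON (iptables path) is not set}"
    : "${NETWORK:?firewall: NETWORK (network init script) is not set}"
    # shellcheck disable=SC2086 -- $NETWORK may carry arguments
    $NETWORK stop
    echo "Block"
    sleep 1   # make sure the network is down before we touch the rules
    # Close the policies before flushing: firewallFlush empties the chains,
    # and if the previous policy was ACCEPT the box would be wide open until
    # firewallBlock runs.
    "$iptables" -P INPUT DROP
    "$iptables" -P FORWARD DROP
    "$iptables" -P OUTPUT DROP
    firewallSys
    firewallFlush
    sleep 1
    firewallBlock
    sleep 1   # firewall must be in place before the network comes back
    # shellcheck disable=SC2086 -- $NETWORK may carry arguments
    $NETWORK start
    sleep 1
    ;;
  start|restart|stop)
    # TODO: not implemented. These arms do nothing and exit 0, so a caller
    # (e.g. an init system) cannot rely on "stop" actually changing any state.
    ;;
  *)
    N=/usr/local/bin/${NAME:-$(basename "$0")}
    echo "Usage: $N { start | restart | stop | block }"
    exit 1
    ;;
esac
exit 0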