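#!/bin/bash
#
# $Id: rc.firewall,v 3.0 2003/11/12 16:11:06 root Exp $
#
# Name: rc.firewall
# Summary: IPtable based firewall script
# Author: Igor Homyakov
# Organization: RAMAX International
# Comments: firewall configuration script built on iptables
#           (the original comments were in Russian; translated here).
#
# Model: default policy DROP on INPUT / OUTPUT / FORWARD ("what is not
# allowed is denied"); everything that may pass is whitelisted below via the
# Ipt / IptPorts / IptMass wrappers and the address/port lists that
# /etc/firewall/firewall.const supplies (LAN_INTS, PUBLIC_TCP, LAN_IP, ...).
# The script reads no untrusted input; all values come from that config file.
#
# Interpreter: the script relies on bash arrays (${NAME[@]}), so it must run
# under bash rather than a POSIX /bin/sh.
#
# The list variables are deliberately expanded UNQUOTED: the wrappers take
# the list as separate arguments, and the eval'd per-interface lookups below
# yield plain space-separated strings, so word-splitting is the intended
# behaviour. Single-valued scalars (interface, address) are quoted.
# shellcheck disable=SC2068,SC2086

. /etc/firewall/firewall.const
#. firewall.const

# Load the kernel modules needed for FTP connection tracking and FTP NAT.
$DEPMOD -a
$MODPROBE ip_conntrack_ftp
$MODPROBE ip_nat_ftp

# Default policies: "what is not allowed is denied".
echo 'Политики по умолчанию'
Ipt -P INPUT DROP
Ipt -P OUTPUT DROP
Ipt -P FORWARD DROP

# Reset: built-in chains of nat/mangle to ACCEPT, then flush every rule and
# delete every user chain in all three tables.
echo '-nat'
Ipt -t nat -P PREROUTING ACCEPT
Ipt -t nat -P POSTROUTING ACCEPT
Ipt -t nat -P OUTPUT ACCEPT
echo '-mangle'
Ipt -t mangle -P PREROUTING ACCEPT
Ipt -t mangle -P OUTPUT ACCEPT
Ipt -F
Ipt -t nat -F
Ipt -t mangle -F
Ipt -X
Ipt -t nat -X
Ipt -t mangle -X

# NOTE(review): the original heading here said "enable packet forwarding",
# but the (commented-out) line below toggles rp_filter, not ip_forward.
# This script does not enable IP forwarding itself; if the FORWARD rules
# are meant to carry traffic, /proc/sys/net/ipv4/ip_forward has to be set
# elsewhere (firewall.const or the system sysctl configuration).
#echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter

# Pass everything on the loopback interface.
echo "Пропуск ВСЕХ по локальной петле"
Ipt -A INPUT -p ALL -i "$LOOPBACK_INT" -j ACCEPT
Ipt -A OUTPUT -p ALL -o "$LOOPBACK_INT" -j ACCEPT

# ---------------------------------------------------------------------------
# icmp_allow: ICMP handling. Accepts echo-reply (0), dest-unreachable (3),
# source-quench (4), redirect (5), echo-request (8), time-exceeded (11) and
# parameter-problem (12) from anywhere; everything else is rate-limit logged
# and dropped. Note that echo-request is accepted without any rate limit.
# ---------------------------------------------------------------------------
echo 'icmp_allow'
Ipt -N icmp_allow
for icmp_type in 0 3 4 5 8 11 12; do
  Ipt -A icmp_allow -p ICMP -s "$ANYWHARE" --icmp-type "$icmp_type" -j ACCEPT
done
Ipt -A icmp_allow -p ICMP \
  -m limit --limit 10/minute --limit-burst 3 \
  -j LOG --log-level DEBUG --log-prefix 'IPT ICMP drop:'
Ipt -A icmp_allow -p ICMP \
  -j DROP

# ---------------------------------------------------------------------------
# allowed: target for whitelisted TCP ports. Accepts connection attempts
# (SYN) and packets of tracked connections; anything else is rate-limit
# logged and dropped.
# ---------------------------------------------------------------------------
echo 'allowed'
Ipt -N allowed
Ipt -A allowed -p TCP --syn -j ACCEPT
Ipt -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
Ipt -A allowed \
  -m limit --limit 10/minute --limit-burst 3 \
  -j LOG --log-level DEBUG --log-prefix 'IPT allowed drop:'
Ipt -A allowed -p TCP -j DROP

# ---------------------------------------------------------------------------
# Service chains: attack signatures and similar.
# ---------------------------------------------------------------------------
echo 'Служебные правила, сигнатуры атак и т.д'

# new_not_syn: log + drop for NEW TCP packets that do not carry SYN.
Ipt -N new_not_syn
Ipt -A new_not_syn \
  -m limit --limit 3/minute --limit-burst 3 \
  -j LOG --log-level DEBUG --log-prefix 'IPT new no SYN:'
Ipt -A new_not_syn -j DROP

### Drop & log tables — one log+drop chain per scan-probe signature.
echo 'Drop & log tables'
Ipt -N scan_probe_full_xmas
Ipt -A scan_probe_full_xmas \
  -m limit --limit 3/minute --limit-burst 3 \
  -j LOG --log-level DEBUG --log-prefix 'FULL-XMAS scan probe:'
Ipt -A scan_probe_full_xmas -j DROP

Ipt -N scan_probe_xmas
Ipt -A scan_probe_xmas \
  -m limit --limit 3/minute --limit-burst 3 \
  -j LOG --log-level DEBUG --log-prefix 'XMAS scan probe:'
Ipt -A scan_probe_xmas -j DROP

Ipt -N scan_probe_null
Ipt -A scan_probe_null \
  -m limit --limit 3/minute --limit-burst 3 \
  -j LOG --log-level DEBUG --log-prefix 'NULL scan probe:'
Ipt -A scan_probe_null -j DROP

Ipt -N scan_probe_fin
Ipt -A scan_probe_fin \
  -m limit --limit 3/minute --limit-burst 3 \
  -j LOG --log-level DEBUG --log-prefix 'SYN/FIN scan probe:'
Ipt -A scan_probe_fin -j DROP

# tcp_attack: classify NEW TCP packets by flag combination and hand them to
# the matching scan_probe_* chain. Called from INPUT, FORWARD and OUTPUT.
Ipt -N tcp_attack
# FULL-XMAS scan probe (all flags set)
Ipt -A tcp_attack -p TCP --tcp-flags ALL ALL \
  -m state --state NEW \
  -j scan_probe_full_xmas
# XMAS scan probe — disabled in the original; scan_probe_xmas is therefore
# created above but never reached.
#Ipt -A tcp_attack -p TCP --tcp-flags FIN,URG,PUSH FIN,URG,PUSH \
#  -m state --state NEW \
#  -j scan_probe_xmas
# NULL scan probe (no flags set)
Ipt -A tcp_attack -p TCP --tcp-flags ALL NONE \
  -m state --state NEW \
  -j scan_probe_null
# SYN/FIN scan probe
Ipt -A tcp_attack -p TCP --tcp-flags SYN,FIN SYN,FIN \
  -m state --state NEW \
  -j scan_probe_fin

# bad_tcp_packets: NEW TCP without SYN -> new_not_syn (log + drop).
echo 'bad_tcp_packets'
Ipt -N bad_tcp_packets
Ipt -A bad_tcp_packets -p TCP ! --syn \
  -m state --state NEW \
  -j new_not_syn

# ---------------------------------------------------------------------------
# Worm indication: log chain plus drop / reject wrappers, and per-protocol
# port lists (ALARM_PORTS) that feed them.
# ---------------------------------------------------------------------------
Ipt -N virus_log
Ipt -A virus_log \
  -m limit --limit 5/minute --limit-burst 3 \
  -j LOG --log-level DEBUG --log-prefix 'IPT virus(?):'

Ipt -N virus_drop
Ipt -A virus_drop -j virus_log
Ipt -A virus_drop -j DROP

Ipt -N virus_reject
Ipt -A virus_reject -j virus_log
Ipt -A virus_reject -j REJECT

Ipt -N virus_attack_drop
IptPorts -a "-A virus_attack_drop -p tcp" "-j virus_drop" ${ALARM_PORTS[@]}
IptPorts -a "-A virus_attack_drop -p udp" "-j virus_drop" ${ALARM_PORTS[@]}

Ipt -N virus_attack_reject
IptPorts -a "-A virus_attack_reject -p tcp" "-j virus_reject" ${ALARM_PORTS[@]}
IptPorts -a "-A virus_attack_reject -p udp" "-j virus_reject" ${ALARM_PORTS[@]}

# ---------------------------------------------------------------------------
# Spoofing indication: log chain plus drop / reject wrappers.
# ---------------------------------------------------------------------------
Ipt -N badip_log
Ipt -A badip_log \
  -m limit --limit 5/minute --limit-burst 3 \
  -j LOG --log-level DEBUG --log-prefix 'IPT bad IP:'

Ipt -N badip_drop
Ipt -A badip_drop -j badip_log
Ipt -A badip_drop -j DROP

# badip_reject is defined but nothing in this script jumps to it.
Ipt -N badip_reject
Ipt -A badip_reject -j badip_log
Ipt -A badip_reject -j REJECT

# badip_in: drop packets whose source is a globally bad address or the
# broadcast destination. This is the chain hooked into INPUT and FORWARD.
Ipt -N badip_in
IptMass "-A badip_in -s " "-j badip_drop" ${BAD_IP_ALL[@]} $IP_BC_DEST
#Ipt -N badip_out

# Per-interface anti-spoofing chains badip_in_<INT>: drop the interface's
# broadcast addresses as source, RETURN for its own network, drop IP_C.
# NOTE(review): these chains are created but no rule in this script jumps
# to them (only badip_in is hooked), so the per-interface check is not
# enforced as written.
for INT in ${LAN_INTS[@]} ${EXT_INTS[@]}
do
  Ipt -N "badip_in_$INT"
  # Indirect lookup of IP_BC_DEST_<INT>; the result is a space-separated
  # string that IptMass splits into one rule per address.
  eval BadIp=\${IP_BC_DEST_$INT[@]}
  # echo ${BadIp[@]}
  IptMass "-A badip_in_$INT -s " "-j badip_drop" ${BadIp[@]}
  # Indirect lookup of NET_<INT>: the interface's legitimate network(s).
  eval GodNet=\${NET_$INT[@]}
  IptMass "-A badip_in_$INT -s " "-j RETURN" ${GodNet[@]}
  Ipt -A "badip_in_$INT" \
    -s "$IP_C" \
    -j badip_drop
done

# ---------------------------------------------------------------------------
# INPUT helper chains: port whitelists for private and LAN sources.
# TCP goes through `allowed` (SYN / tracked only), UDP is accepted directly.
# ---------------------------------------------------------------------------
Ipt -N in_privat
IptPorts -d "-A in_privat -p tcp" "-j allowed" ${PRIVAT_TCP[@]} ${PUBLIC_TCP[@]}
IptPorts -d "-A in_privat -p udp" "-j ACCEPT" ${PRIVAT_UDP[@]} ${PUBLIC_UDP[@]}

Ipt -N in_lan
IptPorts -d "-A in_lan -p tcp" "-j allowed" ${LAN_TCP[@]} ${PRIVAT_TCP[@]} ${PUBLIC_TCP[@]}
IptPorts -d "-A in_lan -p udp" "-j ACCEPT" ${LAN_UDP[@]} ${PRIVAT_UDP[@]} ${PUBLIC_UDP[@]}

# Closed-port log chain plus drop / reject wrappers.
# NOTE(review): nothing in this script jumps to noport_drop / noport_reject.
# The log prefix used to be a copy of badip_log's 'IPT bad IP:', which made
# the two event types indistinguishable in the log; it now names this chain.
Ipt -N noport_log
Ipt -A noport_log \
  -m limit --limit 5/minute --limit-burst 3 \
  -j LOG --log-level DEBUG --log-prefix 'IPT no port:'

Ipt -N noport_drop
Ipt -A noport_drop -j noport_log
Ipt -A noport_drop -j DROP

Ipt -N noport_reject
Ipt -A noport_reject -j noport_log
Ipt -A noport_reject -j REJECT

# ---------------------------------------------------------------------------
# FORWARD helper chain: ports that LAN hosts may reach through the gateway.
# ---------------------------------------------------------------------------
Ipt -N forvard_port
IptPorts -d "-A forvard_port -p tcp" "-j allowed" ${FORVARD_TCP[@]}
# Fix: the UDP rule was missing `-p` ("-A forvard_port udp"), which iptables
# rejects, so no forwarded UDP port was ever opened.
IptPorts -d "-A forvard_port -p udp" "-j ACCEPT" ${FORVARD_UDP[@]}

###
### FORWARD chain
###
echo '+FORWARD+'
Ipt -A FORWARD -p TCP -j tcp_attack
Ipt -A FORWARD -j badip_in
Ipt -A FORWARD -p TCP -j bad_tcp_packets
# Outbound from LAN hosts to the whitelisted ports.
IptMass "-A FORWARD -s" "-j forvard_port" ${LAN_IP[@]}
Ipt -A FORWARD -p ICMP -j icmp_allow
# Let already-established connections through.
Ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Log what falls through. The prefix reads 'IPF' where every other rule uses
# 'IPT'; kept as is because log consumers may already key on it.
Ipt -A FORWARD \
  -m limit --limit 10/minute --limit-burst 3 \
  -j LOG --log-level DEBUG --log-prefix 'IPF FORWARD packet died:'
# Worm-port hits: REJECT towards the LAN side, silent DROP towards outside.
IptMass "-A FORWARD -i" "-j virus_attack_reject" ${LAN_FIZ_INTS[@]}
IptMass "-A FORWARD -i" "-j virus_attack_drop" ${EXT_FIZ_INTS[@]}
# REJECT for LAN sources, DROP for everything else.
IptMass "-A FORWARD -s" "-j REJECT" ${LAN_IP[@]}
Ipt -A FORWARD -j DROP
echo '-FORWARD-'

###
### INPUT chain
###
echo '+INPUT+'
#Ipt -A INPUT -p TCP --destination-port ssh -j ACCEPT
Ipt -A INPUT -p TCP -j tcp_attack
Ipt -A INPUT -j badip_in
Ipt -A INPUT -p TCP -j bad_tcp_packets
# Public ports (open to any source).
IptPorts -d "-A INPUT -p tcp" "-j allowed" ${PUBLIC_TCP[@]}
IptPorts -d "-A INPUT -p udp" "-j ACCEPT" ${PUBLIC_UDP[@]}
# Private ports, only from PRIVAT_IP sources.
IptMass "-A INPUT -s" "-j in_privat" ${PRIVAT_IP[@]}
# LAN: one chain inlan<INT> per LAN interface, matching on the gateway's
# address on that interface (plus broadcast addresses for UDP).
for INT in ${LAN_INTS[@]}
do
  TablInt="inlan$INT"
  echo TablInt="$TablInt"
  eval FInts=\${INT_$INT[@]}
  echo FInts="$FInts"
  eval IP=\${IP_$INT}
  echo IP="$IP"
  eval BCs=\${IP_BC_DEST_$INT[@]}
  # Fix: the original test was `test "x$IP"="x"` — a single, always-true
  # word — so IP was unconditionally replaced by the whole network and the
  # inlan rules matched on the network instead of the host address. Fall
  # back to NET_<INT> only when no host address is configured.
  if [ -z "$IP" ]; then
    eval Net=\${NET_$INT}
    IP="$Net"
  fi
  Ipt -N "$TablInt"
  IptMass "-A $TablInt -d" "-p tcp -j in_lan" $IP
  IptMass "-A $TablInt -d" "-p udp -j in_lan" $IP ${BCs[@]}
  IptMass "-A INPUT -i" "-j $TablInt" ${FInts[@]}
done
Ipt -A INPUT -p ICMP -j icmp_allow
# Ports that are actively rejected for everyone.
IptPorts -d "-A INPUT -p tcp" "-j REJECT" ${REJECT_TCP[@]}
IptPorts -d "-A INPUT -p udp" "-j REJECT" ${REJECT_UDP[@]}
Ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Ipt -A INPUT \
  -m limit --limit 10/minute --limit-burst 3 \
  -j LOG --log-level DEBUG --log-prefix 'IPT INPUT packet died:'
IptMass "-A INPUT -i" "-j virus_attack_reject" ${LAN_FIZ_INTS[@]}
IptMass "-A INPUT -i" "-j virus_attack_drop" ${EXT_FIZ_INTS[@]}
# REJECT for LAN (and loopback address) sources, DROP for everything else.
IptMass "-A INPUT -s" "-j REJECT" ${LAN_IP[@]} $IP_LO
Ipt -A INPUT -j DROP
echo '-INPUT-'

###
### OUTPUT chain
###
echo '+OUTPUT+'
#Ipt -A OUTPUT -p tcp --source-port ssh -j ACCEPT
Ipt -A OUTPUT -p TCP -j tcp_attack
Ipt -A OUTPUT -p TCP -j bad_tcp_packets
#Ipt -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# All outbound traffic from the gateway itself is permitted. Because this
# ACCEPT is unconditional, the LOG and REJECT rules that follow are never
# reached; kept as in the original.
Ipt -A OUTPUT -j ACCEPT
# Logging of dropped packets.
Ipt -A OUTPUT \
  -m limit --limit 10/minute --limit-burst 3 \
  -j LOG --log-level DEBUG --log-prefix 'IPT OUTPUT packet died: '
Ipt -A OUTPUT -j REJECT
echo '-OUTPUT-'

###
### NAT table
###
### PREROUTING — nothing here.
### POSTROUTING — MSS clamping for outgoing SYNs, then masquerading on the
### NAT-facing physical interfaces.
echo '+POSTROUTING+'
Ipt -t nat -A POSTROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
IptMass "-t nat -A POSTROUTING -o" "-j MASQUERADE" ${NAT_FIZ_INTS[@]}
#. /etc/firewall/snat
# snat
### END OF FILE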