Bug Netfilter

xeo

18/05/2005 à 00:52

Bonjour,

Je pense que le problème vient d'une règle plus que d'un bug de
Netfilter.

Peux tu poster ton script ?

--
(o_ Brice Dékany
// (o_ Assistant formateur
V_/_ (/)_ Laboratoire SUPINFO des technologies GNU/Linux

, ,-_-. . http://www.labo-linux.org
((_/)o o(_)) http://forum.labo-linux.org
`-'(. .)`-' http://desktoplinux.labo-linux.org
_/ http://www.guru-linux.org

SUPINFO - Ecole Supérieure d'Informatique
23 rue château Landon
75010 PARIS
FRANCE

Pascal

19/05/2005 à 16:15

Salut,

Sur une passerelle sous Débian 2.4.18, avec Netfilter/Iptables, qui
fait office de Firewall pour le Lan, depuis quelques temps (peut être
depuis une mise à jour), lors de la navigation sur Internet, les sites
contenant des images de type gif ne sont plus affichées.

Uniquement les images au format GIF et pas celles au format JPEG ou PNG,
ni d'autres types de documents ?
Uniquement sur la passerelle ou aussi sur les machines du LAN ?
Avec tous les sites web sans exception ?

Il n'y a pas de proxy sur la passerelle.
Aprés recherche le probléme vient bien du script Iptables utilisé
sur la passerelle.

Je n'arrive pas identifier les lignes concernées du script.
Est ce que c'est un bug de Netfilter ou autre?

A quelques exceptions près pour des protocole "pénibles" (le cas le plus
connu étant FTP), Netfilter n'est pas concerné par le contenu des
connexion TCP. Je ne vois pas comment il serait capable de différencier
une image GIF d'un autre type de contenu dans un flux HTTP.

az

20/05/2005 à 11:25

Bonjour,
Merci pour vos réponses.
Seules les images *.gif sont bloquées, pas les autres jpeg ...etc sur
les machines du LAN, je ne peut pas téster depuis la passerelle
Voici le Script , désolé il est long ...

#!/bin/sh
# Firewall Script
VERSION="0.15"

PATH=/bin:/sbin:/usr/sbin:/usr/bin
IPTABLES=/sbin/iptables
MODPROBE=/sbin/modprobe

# Modules which have to be inserted before building the firewall
(reverse dependencies order)
MODULES="ip_tables iptable_filter iptable_mangle ipt_TOS ipt_LOG
ipt_REJECT ipt_limit ip_conntrack ipt_state iptable_nat
ip_conntrack_ftp"

# Interfaces, IP addresses, and networks
IFEXT="ppp0" #External Iface
IPEXT="80.65.227.129" #External IP

IFLAN="eth1" #Internal Iface
IPLAN="192.168.0.254" #Internal IP
NETLAN="192.168.0.0/24" #Internal network

IFDMZ="eth2" #DMZ Iface
IPDMZ="192.168.2.254" #DMZ IP
NETDMZ="192.168.2.0/24" #DMZ network

# If you have a XDSL connection
ADSL="yes"
IF_ADSL="eth0" #XDSL Iface
IP_IFSL="10.0.0.254" #XDSL IP
IP_ADSL="10.0.0.138" #Modem's IP

# Here, your protection against IP Spoofing
SPOOFING="yes" #Activate it ?
SPOOFED_IP="127.0.0.0/8 10.0.0.0/8 172.16.0.0/12
192.168.0.0/16" #Private networks
IANA_RESERVED="0 1 2 5 7 23 27 31 36 37 39 41 42 58 59 60 197
201" #Reserved class A networks
IANA_RESERVED_RANGED="69-79 82-95 96-126 221-223 240-255" #Reserved
class A networks (xx to yy)

# Services from Internet to firewall
SERV_EXT_IFEXT_TCP="" #tcp services
SERV_EXT_IFEXT_UDP="" #udp services
SERV_EXT_IFEXT_SSH="yes" #ssh server
SERV_EXT_IFEXT_NTP="no"
#ntp client

# Services from firewall to Internet
SERV_IFEXT_EXT_TCP="http https domain" #tcp services
SERV_IFEXT_EXT_UDP="domain" #udp services
SERV_IFEXT_EXT_SSH="yes" #ssh server
SERV_IFEXT_EXT_NTP="yes" #ntp client

# Services from LAN to firewall
SERV_LAN_IFLAN_TCP="domain" #tcp services
SERV_LAN_IFLAN_UDP="domain" #udp services
SERV_LAN_IFLAN_SSH="yes" #ssh server
SERV_LAN_IFLAN_NTP="no" #ntp client

# Services from firewall to LAN
SERV_IFLAN_LAN_TCP="" #tcp services
SERV_IFLAN_LAN_UDP="" #udp services
SERV_IFLAN_LAN_SSH="no" #ssh server
SERV_IFLAN_LAN_NTP="no" #ntp client

# IPsec (vpn, FreeSWAN)
SERV_EXT_IFEXT_IPSEC="yes" #Ipsec server
SERV_EXT_IFEXT_IPSEC_CLIENTS="62.212.117.199 62.212.96.50 213.41.142.6
213.41.142.7 213.41.148.14" #Which clients
SERV_IFEXT_EXT_IPSEC="yes" #Ipsec client
SERV_IFEXT_EXT_IPSEC_SERVERS="62.212.117.199 62.212.96.50 213.41.142.6
213.41.142.7 213.41.148.14" #Which server

# Services from LAN to Internet
LAN="private" # private/public/no
LAN_EXT_TCP="" # if blank then accept all
LAN_EXT_UDP="" # if blank then accept all

# Services from Internet to DMZ
DMZ="private" # private/public/no
EXT_DMZ_SSH="no" # ssh connexions to DMZ
DMZ_MACHINES="1" # number of machine(s) in the DMZ

# First Machine
EXT_IP[1]="" # leaving this blank cause using $IPEXT or $DMZ_IP[1]
EXT_DMZ_TCP[1]="21 25 110" # !!! ports number only !!!
EXT_DMZ_UDP[1]="21 25 110" # !!! ports number only !!!
DMZ_IP[1]="192.168.2.10" # IP of the machine

# Second Machine
EXT_IP[2]="" # leaving this blank cause using $IPEXT or $DMZ_IP[2]
EXT_DMZ_TCP[2]="" # !!! ports number only !!!
EXT_DMZ_UDP[2]="" # !!! ports number only !!!
DMZ_IP[2]="" # IP of the machine

# Services from LAN to DMZ
LAN_DMZ_SSH="yes"
LAN_DMZ="copy" # copy/create (copy from Internet to DMZ)
# if copy, be sure next lines are commented

# First Machine
#LAN_DMZ_TCP[1]="25" # !!! ports number only !!!
#LAN_DMZ_UDP[1]="" # !!! ports number only !!!

# Second Machine
#LAN_DMZ_TCP[2]="9000" # !!! ports number only !!!
#LAN_DMZ_UDP[2]="9000" # !!! ports number only !!!

# Unprivileged ports
UNPRIVILEGED="1024:"
SSH_UNPRIVILEGED="512:"

# Traceroute Ports
TRACEROUTE_SRC_PORTS="32769:65535"
TRACEROUTE_DEST_PORTS="33434:33523"

# Specifie here which things you don't want to log (input)
NOLOG_TCP="31337:31340 137:139" # tcp ports
NOLOG_UDP="137:139" # udp ports
NOLOG_SRC="" # source ips
NOLOG_DST="" # destination ips (ex: broadcast)

# Theses TCP services will be rejected by a tcp-reset (don't remove
auth unless you planed to accept it)
REJECTED_SERVICES="telnet auth socks 3128 webcache" # telnet socks
squid and webcache maybe useful when using irc

# Policies (after logging)
INPUTPOL="DROP" #Input
SPOOFPOL="DROP" #From Spoofed IP
RESERVEDPOL="DROP" #From IANA reserved IP
SYNPOL="DROP" #New packet without syn
OUTPUTPOL="REJECT" #Output
FORWARDPOL="DROP" #Forward
PREPOL="DROP" #Prerouting
POSPOL="DROP" #Postrouting
NOUPOL="DROP" #SNat

#Chains DON'T TOUCH THIS !
INP_CHAINS="EXT-IFEXT"
OUT_CHAINS="IFEXT-EXT"
FOR_CHAINS=""
EXT_CHAINS="EXT-IFEXT"
DMZ_CHAINS=""
if [ ! "$DMZ" == "no" ];
then
INP_CHAINS="$INP_CHAINS DMZ-IFDMZ"
OUT_CHAINS="$OUT_CHAINS IFDMZ-DMZ"
FOR_CHAINS="EXT-DMZ DMZ-EXT"
EXT_CHAINS="$EXT_CHAINS EXT-DMZ"
DMZ_CHAINS="IFDMZ-DMZ EXT-DMZ"

if [ ! "$LAN" == "no" ];
then
FOR_CHAINS="$FOR_CHAINS LAN-DMZ DMZ-LAN"
DMZ_CHAINS="$DMZ_CHAINS LAN-DMZ"
fi
fi

if [ ! "$LAN" == "no" ];
then
INP_CHAINS="$INP_CHAINS LAN-IFLAN"
OUT_CHAINS="$OUT_CHAINS IFLAN-LAN"
FOR_CHAINS="$FOR_CHAINS EXT-LAN LAN-EXT"
EXT_CHAINS="$EXT_CHAINS EXT-LAN"
fi

ALL_CHAINS="$INP_CHAINS $OUT_CHAINS $FOR_CHAINS"

# ICMP
UNLIMITED_ICMP_CHAINS="$OUT_CHAINS"
if [ ! "$DMZ" == "no" ];
then
UNLIMITED_ICMP_CHAINS="$UNLIMITED_ICMP_CHAINS DMZ-EXT"
if [ ! "$LAN" == "no" ];
then
UNLIMITED_ICMP_CHAINS="$UNLIMITED_ICMP_CHAINS LAN-DMZ DMZ-LAN"
fi
fi
if [ ! "$LAN" == "no" ];
then
UNLIMITED_ICMP_CHAINS="$UNLIMITED_ICMP_CHAINS LAN-EXT"
fi

LIMITED_ICMP_CHAINS="$INP_CHAINS"
ICMP_PER_SECOND="50" #Packets per second, 0 means no limit

# Traceroute
TRACEROUTE_CHAINS="$UNLIMITED_ICMP_CHAINS $EXT_CHAINS"

#TCP
TCP_PER_SECOND="5" #Packets per second, 0 means no limit

#PortScanners

#Test mode : starting firewall, sleeping for $SLEEP seconds, then
stopping firewall
SLEEP`

#Minimize delay
MINIMIZE_DELAY="ssh"

function load_modules() {

# Load each modules
for module in $MODULES;
do
$MODPROBE $module; echo -n "."
done
echo " ok!"

}

function unload_modules() {

# reversing order to unload modules in the right order
unset REVERSE
for module in $MODULES;
do
# Leave theses to get policy forward set to DROP
if [ ! "$module" == "iptable_filter" ] && [ ! "$module" "ip_tables" ];
then
# if restarting firewall, leave theses to keep connexion already
established
if [ ! "$module" == "ip_conntrack" ] && [ ! "$module" "ip_conntrack_ftp" ] || [ ! "a$1" == "akeep_conn" ];
then
REVERSE="$module $REVERSE"
fi
fi
done

# unload modules
for module in $REVERSE;
do
$MODPROBE -r $module; echo -n "."
done
echo " ok!"

}

function do_clean() {

# Flush
$IPTABLES -F
$IPTABLES -X
$IPTABLES -t nat -F
$IPTABLES -t nat -X
$IPTABLES -t mangle -F
$IPTABLES -t mangle -X
# Locking the box
$IPTABLES -P OUTPUT DROP
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -t nat -P PREROUTING DROP
$IPTABLES -t nat -P POSTROUTING DROP
$IPTABLES -t nat -P OUTPUT DROP
# Except loopback traffic
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT
echo ". ok!"

}

function create_standard_log_chains() {

# Some chains for logging then dropping packets
$IPTABLES -N INPUTLOG
$IPTABLES -A INPUTLOG -j LOG --log-prefix "IPF: INPUT: "
$IPTABLES -A INPUTLOG -j $INPUTPOL
echo -n "."

$IPTABLES -N SPOOFLOG
$IPTABLES -A SPOOFLOG -j LOG --log-prefix "IPF: SPOOFING: "
$IPTABLES -A SPOOFLOG -j $SPOOFPOL
echo -n "."

$IPTABLES -N RESERVEDLOG
$IPTABLES -A RESERVEDLOG -j LOG --log-prefix "IPF: RESERVED: "
$IPTABLES -A RESERVEDLOG -j $RESERVEDPOL
echo -n "."

$IPTABLES -N SYNLOG
$IPTABLES -A SYNLOG -j LOG --log-prefix "IPF: SYN PACKET: "
$IPTABLES -A SYNLOG -j $SYNPOL
echo -n "."

$IPTABLES -N ICMPFLOOD
$IPTABLES -A ICMPFLOOD -j LOG --log-prefix "IPF: ICMP FLOOD: "
$IPTABLES -A ICMPFLOOD -j DROP
echo -n "."

$IPTABLES -N TCPFLOOD
$IPTABLES -A TCPFLOOD -j LOG --log-prefix "IPF: TCP FLOOD: "
$IPTABLES -A TCPFLOOD -j DROP
echo -n "."

$IPTABLES -N UDPFLOOD
$IPTABLES -A UDPFLOOD -j LOG --log-prefix "IPF: UDP FLOOD: "
$IPTABLES -A UDPFLOOD -j DROP
echo -n "."

$IPTABLES -N OUTPUTLOG
$IPTABLES -A OUTPUTLOG -j LOG --log-prefix "IPF: OUTPUT: "
$IPTABLES -A OUTPUTLOG -j $OUTPUTPOL
echo -n "."

$IPTABLES -N FORWARDLOG
$IPTABLES -A FORWARDLOG -j LOG --log-prefix "IPF: FORWARD: "
$IPTABLES -A FORWARDLOG -j $FORWARDPOL
echo -n "."

$IPTABLES -t nat -N PRELOG
$IPTABLES -t nat -A PRELOG -j LOG --log-prefix "IPF:
PREROUTING: "
$IPTABLES -t nat -A PRELOG -j $PREPOL
echo -n "."

$IPTABLES -t nat -N POSLOG
$IPTABLES -t nat -A POSLOG -j LOG --log-prefix "IPF:
POSTROUTING: "
$IPTABLES -t nat -A POSLOG -j $POSPOL
echo -n "."

$IPTABLES -t nat -N NOULOG
$IPTABLES -t nat -A NOULOG -j LOG --log-prefix "IPF: NAT
OUTPUT: "
$IPTABLES -t nat -A NOULOG -j $NOUPOL
echo -n "."

echo " ok!"
}

function create_traffic_chains() {

# from anywhere to firewall
$IPTABLES -N EXT-IFEXT
$IPTABLES -A INPUT -s 0/0 -d $IPEXT -i $IFEXT -j EXT-IFEXT
echo -n "."

if [ ! "$DMZ" == "no" ];
then
$IPTABLES -N DMZ-IFDMZ
$IPTABLES -A INPUT -s $NETDMZ -d $IPDMZ -i $IFDMZ -j DMZ-IFDMZ
echo -n "."
fi

if [ ! "$LAN" == "no" ];
then
$IPTABLES -N LAN-IFLAN
$IPTABLES -A INPUT -s $NETLAN -d $IPLAN -i $IFLAN -j LAN-IFLAN
echo -n "."
fi

# from anywhere to dmz
if [ ! "$DMZ" == "no" ];
then
$IPTABLES -N EXT-DMZ
$IPTABLES -A FORWARD -s 0/0 -d $NETDMZ -i $IFEXT -o $IFDMZ -j
EXT-DMZ
echo -n "."
$IPTABLES -N IFDMZ-DMZ
$IPTABLES -A OUTPUT -s $IPDMZ -d $NETDMZ -o $IFDMZ -j IFDMZ-DMZ
echo -n "."
if [ ! "$LAN" == "no" ];
then
$IPTABLES -N LAN-DMZ
$IPTABLES -A FORWARD -s $NETLAN -d $NETDMZ -i $IFLAN -o $IFDMZ -j
LAN-DMZ
echo -n "."
fi
fi

# from anywhere to lan
if [ ! "$LAN" == "no" ];
then
$IPTABLES -N EXT-LAN
$IPTABLES -A FORWARD -s 0/0 -d $NETLAN -i $IFEXT -o $IFLAN -j
EXT-LAN
echo -n "."
$IPTABLES -N IFLAN-LAN
$IPTABLES -A OUTPUT -s $IPLAN -d $NETLAN -o $IFLAN -j IFLAN-LAN
echo -n "."
if [ ! "$DMZ" == "no" ];
then
$IPTABLES -N DMZ-LAN
$IPTABLES -A FORWARD -s $NETDMZ -d $NETLAN -i $IFDMZ -o $IFLAN -j
DMZ-LAN
echo -n "."
fi
fi

# from anywhere to ext
$IPTABLES -N IFEXT-EXT
$IPTABLES -A OUTPUT -s $IPEXT -d 0/0 -o $IFEXT -j IFEXT-EXT
echo -n "."
if [ ! "$LAN" == "no" ];
then
$IPTABLES -N LAN-EXT
$IPTABLES -A FORWARD -s $NETLAN -d 0/0 -i $IFLAN -o $IFEXT -j
LAN-EXT
echo -n "."
fi
if [ ! "$DMZ" == "no" ];
then
$IPTABLES -N DMZ-EXT
$IPTABLES -A FORWARD -s $NETDMZ -d 0/0 -i $IFDMZ -o $IFEXT -j
DMZ-EXT
echo -n "."
fi

# Tcp Limits
$IPTABLES -N LIMIT-TCP
$IPTABLES -A LIMIT-TCP -p tcp --syn -m limit --limit $TCP_PER_SECOND/s
-j ACCEPT
$IPTABLES -A LIMIT-TCP -p tcp -j TCPFLOOD
echo -n "."

echo " ok!"
}

function create_routing_chains() {

# PREROUTING
# from ext to ifext
$IPTABLES -t nat -N PRE-EXT-IFEXT
$IPTABLES -t nat -A PREROUTING -s 0/0 -d $IPEXT -i $IFEXT -j
PRE-EXT-IFEXT
echo -n "."

# if private dmz and aliased ips, then inlude all aliased ip in the
prerouting table
if [ "$DMZ" == "private" ];
then
for i in `seq $DMZ_MACHINES`;
do
if [ ! "a$EXT_IP[$i]" == "a" ];
then
$IPTABLES -t nat -A PREROUTING -s 0/0 -d $EXT_IP[$i] -i $IFEXT -j
PRE-EXT-IFEXT
echo -n "."
fi
done
fi

# from lan to iflan
if [ ! "$LAN" == "no" ];
then
$IPTABLES -t nat -N PRE-LAN-IFLAN
$IPTABLES -t nat -A PREROUTING -s 0/0 -d $IPLAN -i $IFLAN -j
PRE-LAN-IFLAN
echo -n "."
fi

# POSTROUTING
# from dmz to ext
if [ ! "$DMZ" == "no" ];
then
$IPTABLES -t nat -N POST-DMZ-EXT
$IPTABLES -t nat -A POSTROUTING -s $NETDMZ -d 0/0 -o $IFEXT -j
POST-DMZ-EXT
echo -n "."
fi

# from lan to ext
if [ ! "$LAN" == "no" ];
then
$IPTABLES -t nat -N POST-LAN-EXT
$IPTABLES -t nat -A POSTROUTING -s $NETLAN -d 0/0 -o $IFEXT -j
POST-LAN-EXT
echo -n "."
fi

if [ ! "$LAN" == "no" ] && [ ! "$DMZ" == "no" ];
then
# from dmz to lan
$IPTABLES -t nat -N POST-DMZ-LAN
$IPTABLES -t nat -A POSTROUTING -s $NETDMZ -d 0/0 -o $IFLAN -j
POST-DMZ-LAN
echo -n "."

# from lan to dmz
$IPTABLES -t nat -N POST-LAN-DMZ
$IPTABLES -t nat -A POSTROUTING -s $NETLAN -d 0/0 -o $IFDMZ -j
POST-LAN-DMZ
echo -n "."
fi
echo " ok!"
}

function anti_spoofing() {

if [ ! "$SPOOFING" == "no" ];
then
# Blocking input traffic from privates IP (Spoofed IP)
for spoofed in $SPOOFED_IP;
do
for chain in $EXT_CHAINS;
do
$IPTABLES -A $chain -s $spoofed -j SPOOFLOG
done
$IPTABLES -t nat -A PREROUTING -s $spoofed -d $IPEXT -i $IFEXT -j
PRELOG; echo -n "."
done

# Blocking input traffic from IANA reserved IP (http://www.iana.net)
# Singles A Classes
for iana_reserved in $IANA_RESERVED;
do
for chain in $EXT_CHAINS;
do
$IPTABLES -A $chain -s ${iana_reserved}.0.0.0/8 -j
RESERVEDLOG
done
$IPTABLES -t nat -A PREROUTING -s ${iana_reserved}.0.0.0/8 -d $IPEXT
-i $IFEXT -j PRELOG; echo -n "."
done

# Ranged A Classes
for iana_reserved_ranged in $IANA_RESERVED_RANGED;
do
range=${iana_reserved_ranged/-/ }
for iana_reserved in `seq $range`;
do
for chain in $EXT_CHAINS;
do
$IPTABLES -A $chain -s ${iana_reserved}.0.0.0/8 -j
RESERVEDLOG
done
$IPTABLES -t nat -A PREROUTING -s ${iana_reserved}.0.0.0/8 -d
$IPEXT -i $IFEXT -j PRELOG; echo -n "."
done
done

# Blocking input traffic from my IP
for chain in $EXT_CHAINS;
do
$IPTABLES -A $chain -s $IPEXT -j SPOOFLOG
done
$IPTABLES -t nat -A PREROUTING -s $IPEXT -d 0/0 -i $IFEXT -j
PRELOG
echo -n "."

echo " ok!"
else
echo " no!"
fi

}

function do_advanced() {

echo -n " enabling SYN Cookies "
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
echo ". ok!"

echo -n " disabling response to broadcast pings "
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo ". ok!"

echo -n " enabling bad error message protection "
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo ". ok!"

if [ ! "$SERV_EXT_IFEXT_IPSEC" == "no" ] && [ !
"$SERV_IFEXT_EXT_IPSEC" == "no" ];
then
echo -n " disabling IP Spoofing attacks "
for f in /proc/sys/net/ipv4/conf/*/rp_filter;
do
echo 2 > $f
done
else
echo -n " enabling IP Spoofing (IPSEC) "
for f in /proc/sys/net/ipv4/conf/*/rp_filter;
do
echo 0 > $f
done
fi
echo ". ok!"

echo -n " disabling send_redirect "
for f in /proc/sys/net/ipv4/conf/*/send_redirects;
do
echo 0 > $f
done
echo ". ok!"

echo -n " blocking source routing "
for f in /proc/sys/net/ipv4/conf/*/accept_source_route;
do
echo 0 > $f
done
echo ". ok!"

echo -n " Log Martians (packets with impossible addresses) "
for f in /proc/sys/net/ipv4/conf/*/log_martians;
do
echo 1 > $f
done
echo ". ok!"

echo -n " kill redirects "
for f in /proc/sys/net/ipv4/conf/*/accept_redirects;
do
echo 0 > $f
done
echo ". ok!"

echo -n " make sure new incoming tcp connections are SYN packets "
for chain in $EXT_CHAINS;
do
$IPTABLES -A $chain -p tcp ! --syn -m state --state NEW -j SYNLOG;
echo -n "."
done
echo " ok!"

echo -n " accepting established related in all chains "
for chain in $ALL_CHAINS;
do
$IPTABLES -A $chain -p tcp -m state --state
ESTABLISHED,RELATED -j ACCEPT; echo -n "."
$IPTABLES -A $chain -p udp -m state --state
ESTABLISHED,RELATED -j ACCEPT; echo -n "."
done
echo " ok!"

}

do_mangle() {

for port in $MINIMIZE_DELAY
do
iptables -A PREROUTING -t mangle -p tcp --sport $port -j TOS
--set-tos Minimize-Delay; echo -n "."
iptables -A PREROUTING -t mangle -p tcp --dport $port -j TOS
--set-tos Minimize-Delay; echo -n "."

iptables -A PREROUTING -t mangle -p tcp --sport $port -j TOS
--set-tos Maximize-Throughput; echo -n "."
iptables -A PREROUTING -t mangle -p tcp --dport $port -j TOS
--set-tos Maximize-Throughput; echo -n "."
iptables -A OUTPUT -t mangle -p tcp --dport $port
-j TOS --set-tos Maximize-Throughput; echo -n "."
iptables -A OUTPUT -t mangle -p tcp --sport $port
-j TOS --set-tos Maximize-Throughput; echo -n "."

iptables -A OUTPUT -t mangle -p tcp --dport $port -j TOS
--set-tos Minimize-Delay; echo -n "."
iptables -A OUTPUT -t mangle -p tcp --sport $port -j TOS
--set-tos Minimize-Delay; echo -n "."
done
echo " ok!"

}

function do_icmp() {

# Accepting only echo-request with no limit (forward, output, chains)
for chain in $UNLIMITED_ICMP_CHAINS;
do
$IPTABLES -A $chain -p icmp -m state --state
ESTABLISHED,RELATED -j ACCEPT; echo -n "."
$IPTABLES -A $chain -p icmp --icmp-type echo-request -m state
--state NEW -j ACCEPT; echo -n "."

$IPTABLES -A $chain -p udp --sport $TRACEROUTE_SRC_PORTS --dport
$TRACEROUTE_DEST_PORTS -j ACCEPT; echo -n "."
done

# Accepting only echo-request but only $ICMP_PER_SECOND per second
(input chains), then logging as icmp flood
for chain in $LIMITED_ICMP_CHAINS;
do
$IPTABLES -A $chain -p icmp -m limit --limit $ICMP_PER_SECOND/s -m
state --state ESTABLISHED,RELATED -j ACCEPT; echo -n "."
$IPTABLES -A $chain -p icmp --icmp-type echo-request -m state --state
NEW -m limit --limit $ICMP_PER_SECOND/s -j ACCEPT; echo -n "."
#$IPTABLES -A $chain -p icmp --icmp-type echo-request -m state
--state NEW -j ICMPFLOOD; echo -n "."
$IPTABLES -A $chain -p icmp -j ICMPFLOOD; echo -n "."
done

# Traceroute :
for chain in $TRACEROUTE_CHAINS;
do
$IPTABLES -A $chain -p icmp --icmp-type destination-unreachable -m
state --state ESTABLISHED,RELATED -j ACCEPT; echo -n "."
$IPTABLES -A $chain -p icmp --icmp-type time-exceeded -m
state --state ESTABLISHED,RELATED -j ACCEPT; echo -n "."
$IPTABLES -A $chain -p icmp --icmp-type echo-reply -m
state --state ESTABLISHED,RELATED -j ACCEPT; echo -n "."
done

echo " ok!"

}

function do_adsl() {

# Accepting pptp traffic from modem
if [ "$ADSL" == "yes" ];
then
$IPTABLES -A INPUT -s $IP_ADSL -d $IP_IFSL -i $IF_ADSL
-j ACCEPT
$IPTABLES -A INPUT -p 47 -s $IP_ADSL -d $IPLAN -i $IF_ADSL -j
ACCEPT

$IPTABLES -A OUTPUT -s $IP_IFSL -d $IP_ADSL -o $IF_ADSL
-j ACCEPT
$IPTABLES -A OUTPUT -p 47 -s $IPLAN -d $IP_ADSL -o $IF_ADSL -j
ACCEPT
fi

echo $ADSL

}

function do_ext_fw() {

if [ "$TCP_PER_SECOND" == "0" ];
then
TCP_POLICY="ACCEPT"
else
TCP_POLICY="LIMIT-TCP"
fi

# From Internet to firewall
for service in $SERV_EXT_IFEXT_TCP;
do
$IPTABLES -A EXT-IFEXT -p tcp --sport $UNPRIVILEGED --dport $service
-j $TCP_POLICY; echo -n "."
$IPTABLES -A EXT-IFEXT -p tcp --sport $service --dport $service
-j $TCP_POLICY; echo -n "."
done

for service in $SERV_EXT_IFEXT_UDP;
do
$IPTABLES -A EXT-IFEXT -p udp --sport $UNPRIVILEGED --dport $service
-j ACCEPT; echo -n "."
$IPTABLES -A EXT-IFEXT -p udp --sport $service --dport $service
-j ACCEPT; echo -n "."
done

if [ "$SERV_EXT_IFEXT_SSH" == "yes" ];
then
$IPTABLES -A EXT-IFEXT -p tcp --sport $SSH_UNPRIVILEGED --dport ssh
-j $TCP_POLICY; echo -n "."
fi

if [ "$SERV_EXT_IFEXT_NTP" == "yes" ];
then
$IPTABLES -A EXT-IFEXT -p udp --sport $UNPRIVILEGED --dport ntp -j
ACCEPT; echo -n "."
$IPTABLES -A EXT-IFEXT -p udp --sport ntp --dport ntp -j
ACCEPT; echo -n "."
fi

# From firewall to Internet
for service in $SERV_IFEXT_EXT_TCP;
do
$IPTABLES -A IFEXT-EXT -p tcp --sport $UNPRIVILEGED --dport $service
-j ACCEPT; echo -n "."
$IPTABLES -A IFEXT-EXT -p tcp --sport $service --dport $service
-j ACCEPT; echo -n "."
done

for service in $SERV_IFEXT_EXT_UDP;
do
$IPTABLES -A IFEXT-EXT -p udp --sport $UNPRIVILEGED --dport $service
-j ACCEPT; echo -n "."
$IPTABLES -A IFEXT-EXT -p udp --sport $service --dport $service
-j ACCEPT; echo -n "."
done

if [ "$SERV_IFEXT_EXT_SSH" == "yes" ];
then
$IPTABLES -A IFEXT-EXT -p tcp --sport $SSH_UNPRIVILEGED --dport ssh
-j ACCEPT; echo -n "."
fi

if [ "$SERV_IFEXT_EXT_NTP" == "yes" ];
then
$IPTABLES -A IFEXT-EXT -p udp --sport $UNPRIVILEGED --dport ntp -j
ACCEPT; echo -n "."
$IPTABLES -A IFEXT-EXT -p udp --sport ntp --dport ntp -j
ACCEPT; echo -n "."
fi

echo " ok!"
}

function do_lan_fw() {

if [ ! "$LAN" == "no" ];
then
# From Internet to LAN
for service in $SERV_LAN_IFLAN_TCP;
do
$IPTABLES -A LAN-IFLAN -p tcp --sport $UNPRIVILEGED --dport $service
-j ACCEPT; echo -n "."
$IPTABLES -A LAN-IFLAN -p tcp --sport $service --dport $service
-j ACCEPT; echo -n "."
done

for service in $SERV_LAN_IFLAN_UDP;
do
$IPTABLES -A LAN-IFLAN -p udp --sport $UNPRIVILEGED --dport $service
-j ACCEPT; echo -n "."
$IPTABLES -A LAN-IFLAN -p udp --sport $service --dport $service
-j ACCEPT; echo -n "."
done

if [ "$SERV_LAN_IFLAN_SSH" == "yes" ];
then
$IPTABLES -A LAN-IFLAN -p tcp --sport $SSH_UNPRIVILEGED --dport ssh
-j ACCEPT; echo -n "."
fi

if [ "$SERV_LAN_IFLAN_NTP" == "yes" ];
then
$IPTABLES -A LAN-IFLAN -p udp --sport $UNPRIVILEGED --dport ntp -j
ACCEPT; echo -n "."
$IPTABLES -A LAN-IFLAN -p udp --sport ntp --dport ntp -j
ACCEPT; echo -n "."
fi

# From firewall to LAN
for service in $SERV_IFLAN_LAN_TCP;
do
$IPTABLES -A IFLAN-LAN -p tcp --sport $UNPRIVILEGED --dport $service
-j ACCEPT; echo -n "."
$IPTABLES -A IFLAN-LAN -p tcp --sport $service --dport $service
-j ACCEPT; echo -n "."
done

for service in $SERV_IFLAN_LAN_UDP;
do
$IPTABLES -A IFLAN-LAN -p udp --sport $UNPRIVILEGED --dport $service
-j ACCEPT; echo -n "."
$IPTABLES -A IFLAN-LAN -p udp --sport $service --dport $service
-j ACCEPT; echo -n "."
done

if [ "$SERV_IFLAN_LAN_SSH" == "yes" ];
then
$IPTABLES -A IFLAN-LAN -p tcp --sport $SSH_UNPRIVILEGED --dport ssh
-j ACCEPT; echo -n "."
fi

if [ "$SERV_IFLAN_LAN_NTP" == "yes" ];
then
$IPTABLES -A IFLAN-LAN -p udp --sport $UNPRIVILEGED --dport ntp -j
ACCEPT; echo -n "."
$IPTABLES -A IFLAN-LAN -p udp --sport ntp --dport ntp -j
ACCEPT; echo -n "."
fi
fi

echo " ok!"
}

function do_dmz() {

if [ "$TCP_PER_SECOND" == "0" ];
then
TCP_POLICY="ACCEPT"
else
TCP_POLICY="LIMIT-TCP"
fi

# Preparing vars to do prerouting if any
if [ "$DMZ" == "public" ];
then
DNATLAN="/bin/false"
DNATEXT="/bin/false"
DO_DMZ="yes"

elif [ "$DMZ" == "private" ];
then
DNATEXT="/bin/true"
DO_DMZ="yes"
if [ "$LAN" == "public" ];
then
DNATLAN="/bin/true"
else
DNATLAN="/bin/false"
fi
else
DO_DMZ="no"
fi

# Accepting only services to the good IP
if [ "$DO_DMZ" == "yes" ];
then
for i in `seq $DMZ_MACHINES`;
do
if [ "a${EXT_IP[$i]}" == "a" ] && [ "$DMZ" == "private" ];
then
DEST_IP=$IPEXT
else
DEST_IP=${EXT_IP[$i]}
fi

# from Internet to dmz
for service in ${EXT_DMZ_TCP[$i]};
do
# accepting service to the dmz
$IPTABLES -A EXT-DMZ -p tcp -d ${DMZ_IP[$i]} --sport $UNPRIVILEGED
--dport $service -j $TCP_POLICY
$IPTABLES -A EXT-DMZ -p tcp -d ${DMZ_IP[$i]} --sport $service
--dport $service -j $TCP_POLICY
# if private dmz then natting the service to destination machine
$DNATEXT && $IPTABLES -t nat -A PRE-EXT-IFEXT -p tcp --sport
$UNPRIVILEGED --dport $service
-d $DEST_IP -j DNAT --to
${DMZ_IP[$i]}:$service
$DNATEXT && $IPTABLES -t nat -A PRE-EXT-IFEXT -p tcp --sport
$service --dport $service
-d $DEST_IP -j DNAT --to
${DMZ_IP[$i]}:$service
echo -n "."

if [ "$LAN_DMZ" == "copy" ] && [ ! "$LAN" == "no" ];
then
LAN_DMZ_TCP[$i]=${EXT_DMZ_TCP[$i]}
fi

done

# from lan to dmz
if [ ! "$LAN" == "no" ];
then
for service in ${LAN_DMZ_TCP[$i]};
do
# accepting service to the dmz
$IPTABLES -A LAN-DMZ -p tcp -d ${DMZ_IP[$i]} --sport
$UNPRIVILEGED --dport $service -j ACCEPT
$IPTABLES -A LAN-DMZ -p tcp -d ${DMZ_IP[$i]} --sport
$service --dport $service -j ACCEPT
# if private dmz and public lan then natting the service to
destination machine
$DNATLAN && $IPTABLES -t nat -A PRE-LAN-IFLAN -p tcp --sport
$UNPRIVILEGED --dport $service
-j DNAT --to ${DMZ_IP[$i]}:$service
$DNATLAN && $IPTABLES -t nat -A PRE-LAN-IFLAN -p tcp --sport
$service --dport $service
-j DNAT --to ${DMZ_IP[$i]}:$service
done
fi
echo -n "."

# from Internet to dmz
for service in ${EXT_DMZ_UDP[$i]};
do
# accepting service to the dmz
$IPTABLES -A EXT-DMZ -p udp -d ${DMZ_IP[$i]} --sport $UNPRIVILEGED
--dport $service -j ACCEPT
$IPTABLES -A EXT-DMZ -p udp -d ${DMZ_IP[$i]} --sport $service
--dport $service -j ACCEPT
# if private dmz then natting the service to destination machine
$DNATEXT && $IPTABLES -t nat -A PRE-EXT-IFEXT -p udp --sport
$UNPRIVILEGED --dport $service
-d $DEST_IP -j DNAT --to ${DMZ_IP[$i]}:$service
$DNATEXT && $IPTABLES -t nat -A PRE-EXT-IFEXT -p udp --sport
$service --dport $service
-d $DEST_IP -j DNAT --to ${DMZ_IP[$i]}:$service
echo -n "."

if [ "$LAN_DMZ" == "copy" ] && [ ! "$LAN" == "no" ];
then
LAN_DMZ_UDP[$i]=${EXT_DMZ_UDP[$i]}
fi
done

# from lan to dmz
if [ ! "$LAN" == "no" ];
then
for service in ${LAN_DMZ_UDP[$i]};
do
# accepting service to the dmz
$IPTABLES -A LAN-DMZ -p udp -d ${DMZ_IP[$i]} --sport
$UNPRIVILEGED --dport $service -j ACCEPT
$IPTABLES -A LAN-DMZ -p udp -d ${DMZ_IP[$i]} --sport
$service --dport $service -j ACCEPT
# if private dmz and public lan then natting the service to
destination machine
$DNATLAN && $IPTABLES -t nat -A PRE-LAN-IFLAN -p udp --sport
$UNPRIVILEGED --dport $service
-j DNAT --to ${DMZ_IP[$i]}:$service
$DNATLAN && $IPTABLES -t nat -A PRE-LAN-IFLAN -p udp --sport
$service --dport $service
-j DNAT --to ${DMZ_IP[$i]}:$service
done
fi
echo -n "."

done

if [ "$EXT_DMZ_SSH" == "yes" ];
then
# if public DMZ then accept ssh connexions from Internet
$DNATDMZ || $IPTABLES -A EXT-DMZ -p tcp --sport $SSH_UNPRIVILEGED
--dport ssh -j $TCP_POLICY
$DNATDMZ || $IPTABLES -A EXT-DMZ -p tcp --sport ssh
--dport ssh -j $TCP_POLICY
echo -n "."
fi

if [ ! "$LAN" == "no" ] && [ $LAN_DMZ_SSH == "yes" ];
then
# accept ssh connexions from lan
$DNATLAN || $IPTABLES -A LAN-DMZ -p tcp --sport
$SSH_UNPRIVILEGED --dport ssh -j ACCEPT
$DNATLAN || $IPTABLES -A LAN-DMZ -p tcp --sport ssh
--dport ssh -j ACCEPT
echo -n "."
fi

echo " ok!"
else
echo " no dmz!"
fi

}

function do_lan() {

if [ ! "$LAN" == "no" ];
then
if [ ! "a$LAN_EXT_TCP" == "a" ];
then
for service in $LAN_EXT_TCP;
do
$IPTABLES -A LAN-EXT -p tcp --sport $UNPRIVILEGED --dport
$service -j ACCEPT
$IPTABLES -A LAN-EXT -p tcp --sport $service --dport
$service -j ACCEPT
done
else
$IPTABLES -A LAN-EXT -p tcp -j ACCEPT
fi
echo -n "."

if [ ! "a$LAN_EXT_UDP" == "a" ];
then
for service in $LAN_EXT_UDP;
do
$IPTABLES -A LAN-EXT -p udp --sport $UNPRIVILEGED --dport
$service -j ACCEPT
$IPTABLES -A LAN-EXT -p udp --sport $service --dport
$service -j ACCEPT
done
else
$IPTABLES -A LAN-EXT -p udp -j ACCEPT
fi
echo -n "."

echo " ok!"
fi

}

function do_ipsec() {

if [ "$SERV_EXT_IFEXT_IPSEC" == "yes" ];
then
for client in $SERV_EXT_IFEXT_IPSEC_CLIENTS;
do
$IPTABLES -A EXT-IFEXT -p udp -s $client --sport 500 --dport
500 -j ACCEPT
$IPTABLES -A EXT-IFEXT -p 50 -s $client
-j ACCEPT; echo -n "."
done
fi

if [ "$SERV_IFEXT_EXT_IPSEC" == "yes" ];
then
for server in $SERV_IFEXT_EXT_IPSEC_SERVERS;
do
$IPTABLES -A IFEXT-EXT -p udp -d $server --sport 500 --dport
500 -j ACCEPT
$IPTABLES -A IFEXT-EXT -p 50 -d $server
-j ACCEPT; echo -n "."
done
fi

echo " ok!"

}

function do_reject() {

for chain in $EXT_CHAINS;
do
for service in $REJECTED_SERVICES;
do
$IPTABLES -A $chain -p tcp --dport $service -j REJECT
--reject-with tcp-reset; echo -n "."
done
done

echo " ok!"

}

function do_nolog() {

for chain in $EXT_CHAINS INPUT;
do
for nolog in $NOLOG_TCP;
do
$IPTABLES -A $chain -p tcp --dport $nolog -j $INPUTPOL; echo -n "."
done

for nolog in $NOLOG_UDP;
do
$IPTABLES -A $chain -p udp --dport $nolog -j $INPUTPOL; echo -n "."
done

for nolog in $NOLOG_SRC;
do
$IPTABLES -A $chain -s $nolog -j $INPUTPOL; echo -n "."
done

for nolog in $NOLOG_DST;
do
$IPTABLES -A $chain -d $nolog -j $INPUTPOL; echo -n "."
done
done

echo " ok!"

}

function do_log() {

for chain in $INP_CHAINS INPUT; do $IPTABLES -A $chain -j INPUTLOG;
echo -n "."; done
for chain in $OUT_CHAINS OUTPUT; do $IPTABLES -A $chain -j
OUTPUTLOG; echo -n "."; done
for chain in $FOR_CHAINS FORWARD; do $IPTABLES -A $chain -j
FORWARDLOG; echo -n "."; done

echo " ok!"

}

function do_post() {

if [ "$LAN" == "private" ];
then
$IPTABLES -t nat -A POST-LAN-EXT -j SNAT --to $IPEXT; echo -n "."
if [ "$DMZ" == "public" ];
then
$IPTABLES -t nat -A POST-LAN-DMZ -j SNAT --to $IPDMZ; echo -n "."
fi
fi

if [ "$DMZ" == "private" ];
then
$IPTABLES -t nat -A POST-DMZ-EXT -j SNAT --to $IPEXT; echo -n "."
if [ "$LAN" == "public" ];
then
$IPTABLES -t nat -A POST-DMZ-LAN -j SNAT --to $IPLAN; echo -n "."
fi
fi

echo " ok!"

}

function do_open() {

# Unlock first rules
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT
echo ". ok!"

}

function do_close() {

$IPTABLES -P FORWARD DROP
echo ". ok!"

}

case "$1" in
start)
echo "Turning on packet filtering:"
echo -n " desactivating kernel forwarding "
echo 0 > /proc/sys/net/ipv4/ip_forward; echo ". ok!"
echo -n " loading modules "
load_modules
echo -n " cleaning chains and rules "
do_clean
echo " creating chains :"
echo -n " log"
create_standard_log_chains
echo -n " traffic "
create_traffic_chains
echo -n " {pre|post}routing "
create_routing_chains
echo -n " antispoofing "
anti_spoofing
echo " advanced protections :"
do_advanced
echo -n " packets priority "
do_mangle
echo -n " icmp "
do_icmp
echo -n " adsl : "
do_adsl
echo -n " Internet <-> firewall "
do_ext_fw
echo -n " LAN <-> firewall "
do_lan_fw
echo -n " Internet/LAN -> DMZ "
do_dmz
echo -n " LAN -> Internet "
do_lan
echo -n " vpn (ipsec) "
do_ipsec
echo -n " rejecting some services from Internet (auth) "
do_reject
echo -n " no log "
do_nolog
echo -n " log "
do_log
echo -n " postrouting "
do_post

# On debloque les regles initiales
echo -n " opening previously closed chains "
do_open
echo -n " activating kernel forwarding "
echo 1 > /proc/sys/net/ipv4/ip_forward; echo ". ok!"
;;
stop)
echo "Turning off packet filtering:"
echo -n " desactivating kernel forwarding "
echo 0 > /proc/sys/net/ipv4/ip_forward; echo ". ok!"
echo -n " cleaning chains and rules "
do_clean
echo -n " opening previously closed chains "
do_open
echo -n " closing firewall "
do_close
echo -n " unloading modules "
unload_modules $2
;;

restart)
$0 stop keep_conn
echo "sleeping 2 seconds ..."
sleep 2
$0 start
;;

test)
echo "Going to test mode ..."
$0 stop keep_conn
sleep 2
$0 start
echo
echo -n "Sleeping for $SLEEP seconds "
for i in `seq $SLEEP`;
do
echo -n "."
sleep 1
done
echo
echo
$0 stop
;;

status)
if [ "a$2" == "a" ];
then
for chain in $INP_CHAINS $OUT_CHAINS $FOR_CHAINS;
do
$IPTABLES -L $chain -n -v | egrep -v "(RESERVEDLOG|SPOOFLOG) *all"
echo
done
elif [ "$2" == "nat" ];
then
$IPTABLES -t nat -L -n -v | egrep -v "PRELOG *all"
elif [ "$2" == "mangle" ];
then
$IPTABLES -t mangle -L -n -v
fi
;;

*)
echo "eefw version $VERSION"
echo "Copyright Cyril Lacoux 2002"
echo "This script is distributed under the terms of the GPL version 2
or higher"
echo ""
echo "Usage: /etc/init.d/packetfilter
{start|stop|restart|test|status [nat|mangle]}"
echo " -start : starting the firewall"
echo " -stop : stopping the firewall"
echo " -restart : stopping, sleeping 2 seconds then
starting"
echo " -status [nat|mangle] : list current chains and rules"
echo " -test : stopping, sleeping 2 seconds,
starting, sleeping $SLEEP seconds, then stopping"
echo ""
exit 1
;;

esac

Bonjour,
Merci pour vos réponses.
Seules les images *.gif sont bloquées, pas les autres jpeg ...etc sur
les machines du LAN, je ne peut pas téster depuis la passerelle
Voici le Script , désolé il est long ...

#!/bin/sh
# Firewall Script
VERSION="0.15"

PATH=/bin:/sbin:/usr/sbin:/usr/bin
IPTABLES=/sbin/iptables
MODPROBE=/sbin/modprobe

# Modules which have to be inserted before building the firewall
(reverse dependencies order)
MODULES="ip_tables iptable_filter iptable_mangle ipt_TOS ipt_LOG
ipt_REJECT ipt_limit ip_conntrack ipt_state iptable_nat
ip_conntrack_ftp"

# Interfaces, IP addresses, and networks
IFEXT="ppp0" #External Iface
IPEXT="80.65.227.129" #External IP

IFLAN="eth1" #Internal Iface
IPLAN="192.168.0.254" #Internal IP
NETLAN="192.168.0.0/24" #Internal network

IFDMZ="eth2" #DMZ Iface
IPDMZ="192.168.2.254" #DMZ IP
NETDMZ="192.168.2.0/24" #DMZ network

# If you have a XDSL connection
ADSL="yes"
IF_ADSL="eth0" #XDSL Iface
IP_IFSL="10.0.0.254" #XDSL IP
IP_ADSL="10.0.0.138" #Modem's IP

# Here, your protection against IP Spoofing
SPOOFING="yes" #Activate it ?
SPOOFED_IP="127.0.0.0/8 10.0.0.0/8 172.16.0.0/12
192.168.0.0/16" #Private networks
IANA_RESERVED="0 1 2 5 7 23 27 31 36 37 39 41 42 58 59 60 197
201" #Reserved class A networks
IANA_RESERVED_RANGED="69-79 82-95 96-126 221-223 240-255" #Reserved
class A networks (xx to yy)

# Services from Internet to firewall
SERV_EXT_IFEXT_TCP="" #tcp services
SERV_EXT_IFEXT_UDP="" #udp services
SERV_EXT_IFEXT_SSH="yes" #ssh server
SERV_EXT_IFEXT_NTP="no"
#ntp client

# Services from firewall to Internet
SERV_IFEXT_EXT_TCP="http https domain" #tcp services
SERV_IFEXT_EXT_UDP="domain" #udp services
SERV_IFEXT_EXT_SSH="yes" #ssh server
SERV_IFEXT_EXT_NTP="yes" #ntp client

# Services from LAN to firewall
SERV_LAN_IFLAN_TCP="domain" #tcp services
SERV_LAN_IFLAN_UDP="domain" #udp services
SERV_LAN_IFLAN_SSH="yes" #ssh server
SERV_LAN_IFLAN_NTP="no" #ntp client

# Services from firewall to LAN
SERV_IFLAN_LAN_TCP="" #tcp services
SERV_IFLAN_LAN_UDP="" #udp services
SERV_IFLAN_LAN_SSH="no" #ssh server
SERV_IFLAN_LAN_NTP="no" #ntp client

# IPsec (vpn, FreeSWAN)
SERV_EXT_IFEXT_IPSEC="yes" #Ipsec server
SERV_EXT_IFEXT_IPSEC_CLIENTS="62.212.117.199 62.212.96.50 213.41.142.6
213.41.142.7 213.41.148.14" #Which clients
SERV_IFEXT_EXT_IPSEC="yes" #Ipsec client
SERV_IFEXT_EXT_IPSEC_SERVERS="62.212.117.199 62.212.96.50 213.41.142.6
213.41.142.7 213.41.148.14" #Which server

# Services from LAN to Internet
LAN="private" # private/public/no
LAN_EXT_TCP="" # if blank then accept all
LAN_EXT_UDP="" # if blank then accept all

# Services from Internet to DMZ
DMZ="private" # private/public/no
EXT_DMZ_SSH="no" # ssh connexions to DMZ
DMZ_MACHINES="1" # number of machine(s) in the DMZ

# First Machine
EXT_IP[1]="" # leaving this blank cause using $IPEXT or $DMZ_IP[1]
EXT_DMZ_TCP[1]="21 25 110" # !!! ports number only !!!
EXT_DMZ_UDP[1]="21 25 110" # !!! ports number only !!!
DMZ_IP[1]="192.168.2.10" # IP of the machine

# Second Machine
EXT_IP[2]="" # leaving this blank cause using $IPEXT or $DMZ_IP[2]
EXT_DMZ_TCP[2]="" # !!! ports number only !!!
EXT_DMZ_UDP[2]="" # !!! ports number only !!!
DMZ_IP[2]="" # IP of the machine

# Services from LAN to DMZ
LAN_DMZ_SSH="yes"
LAN_DMZ="copy" # copy/create (copy from Internet to DMZ)
# if copy, be sure next lines are commented

# First Machine
#LAN_DMZ_TCP[1]="25" # !!! ports number only !!!
#LAN_DMZ_UDP[1]="" # !!! ports number only !!!

# Second Machine
#LAN_DMZ_TCP[2]="9000" # !!! ports number only !!!
#LAN_DMZ_UDP[2]="9000" # !!! ports number only !!!

# Unprivileged ports
UNPRIVILEGED="1024:"
SSH_UNPRIVILEGED="512:"

# Traceroute Ports
TRACEROUTE_SRC_PORTS="32769:65535"
TRACEROUTE_DEST_PORTS="33434:33523"

# Specifie here which things you don't want to log (input)
NOLOG_TCP="31337:31340 137:139" # tcp ports
NOLOG_UDP="137:139" # udp ports
NOLOG_SRC="" # source ips
NOLOG_DST="" # destination ips (ex: broadcast)

# Theses TCP services will be rejected by a tcp-reset (don't remove
auth unless you planed to accept it)
REJECTED_SERVICES="telnet auth socks 3128 webcache" # telnet socks
squid and webcache maybe useful when using irc

# Policies (after logging)
INPUTPOL="DROP" #Input
SPOOFPOL="DROP" #From Spoofed IP
RESERVEDPOL="DROP" #From IANA reserved IP
SYNPOL="DROP" #New packet without syn
OUTPUTPOL="REJECT" #Output
FORWARDPOL="DROP" #Forward
PREPOL="DROP" #Prerouting
POSPOL="DROP" #Postrouting
NOUPOL="DROP" #SNat

#Chains DON'T TOUCH THIS !
INP_CHAINS="EXT-IFEXT"
OUT_CHAINS="IFEXT-EXT"
FOR_CHAINS=""
EXT_CHAINS="EXT-IFEXT"
DMZ_CHAINS=""
if [ ! "$DMZ" == "no" ];
then
INP_CHAINS="$INP_CHAINS DMZ-IFDMZ"
OUT_CHAINS="$OUT_CHAINS IFDMZ-DMZ"
FOR_CHAINS="EXT-DMZ DMZ-EXT"
EXT_CHAINS="$EXT_CHAINS EXT-DMZ"
DMZ_CHAINS="IFDMZ-DMZ EXT-DMZ"

if [ ! "$LAN" == "no" ];
then
FOR_CHAINS="$FOR_CHAINS LAN-DMZ DMZ-LAN"
DMZ_CHAINS="$DMZ_CHAINS LAN-DMZ"
fi
fi

if [ ! "$LAN" == "no" ];
then
INP_CHAINS="$INP_CHAINS LAN-IFLAN"
OUT_CHAINS="$OUT_CHAINS IFLAN-LAN"
FOR_CHAINS="$FOR_CHAINS EXT-LAN LAN-EXT"
EXT_CHAINS="$EXT_CHAINS EXT-LAN"
fi

ALL_CHAINS="$INP_CHAINS $OUT_CHAINS $FOR_CHAINS"

# ICMP
UNLIMITED_ICMP_CHAINS="$OUT_CHAINS"
if [ ! "$DMZ" == "no" ];
then
UNLIMITED_ICMP_CHAINS="$UNLIMITED_ICMP_CHAINS DMZ-EXT"
if [ ! "$LAN" == "no" ];
then
UNLIMITED_ICMP_CHAINS="$UNLIMITED_ICMP_CHAINS LAN-DMZ DMZ-LAN"
fi
fi
if [ ! "$LAN" == "no" ];
then
UNLIMITED_ICMP_CHAINS="$UNLIMITED_ICMP_CHAINS LAN-EXT"
fi

LIMITED_ICMP_CHAINS="$INP_CHAINS"
ICMP_PER_SECOND="50" #Packets per second, 0 means no limit

# Traceroute
TRACEROUTE_CHAINS="$UNLIMITED_ICMP_CHAINS $EXT_CHAINS"

#TCP
TCP_PER_SECOND="5" #Packets per second, 0 means no limit

#PortScanners

#Test mode : starting firewall, sleeping for $SLEEP seconds, then
stopping firewall
SLEEP`

#Minimize delay
MINIMIZE_DELAY="ssh"

function load_modules() {

# Load each modules
for module in $MODULES;
do
$MODPROBE $module; echo -n "."
done
echo " ok!"

}

function unload_modules() {

# reversing order to unload modules in the right order
unset REVERSE
for module in $MODULES;
do
# Leave theses to get policy forward set to DROP
if [ ! "$module" == "iptable_filter" ] && [ ! "$module" "ip_tables" ];
then
# if restarting firewall, leave theses to keep connexion already
established
if [ ! "$module" == "ip_conntrack" ] && [ ! "$module" "ip_conntrack_ftp" ] || [ ! "a$1" == "akeep_conn" ];
then
REVERSE="$module $REVERSE"
fi
fi
done

# unload modules
for module in $REVERSE;
do
$MODPROBE -r $module; echo -n "."
done
echo " ok!"

}

function do_clean() {

# Flush
$IPTABLES -F
$IPTABLES -X
$IPTABLES -t nat -F
$IPTABLES -t nat -X
$IPTABLES -t mangle -F
$IPTABLES -t mangle -X
# Locking the box
$IPTABLES -P OUTPUT DROP
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -t nat -P PREROUTING DROP
$IPTABLES -t nat -P POSTROUTING DROP
$IPTABLES -t nat -P OUTPUT DROP
# Except loopback traffic
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT
echo ". ok!"

}

function create_standard_log_chains() {

# Some chains for logging then dropping packets
$IPTABLES -N INPUTLOG
$IPTABLES -A INPUTLOG -j LOG --log-prefix "IPF: INPUT: "
$IPTABLES -A INPUTLOG -j $INPUTPOL
echo -n "."

$IPTABLES -N SPOOFLOG
$IPTABLES -A SPOOFLOG -j LOG --log-prefix "IPF: SPOOFING: "
$IPTABLES -A SPOOFLOG -j $SPOOFPOL
echo -n "."

$IPTABLES -N RESERVEDLOG
$IPTABLES -A RESERVEDLOG -j LOG --log-prefix "IPF: RESERVED: "
$IPTABLES -A RESERVEDLOG -j $RESERVEDPOL
echo -n "."

$IPTABLES -N SYNLOG
$IPTABLES -A SYNLOG -j LOG --log-prefix "IPF: SYN PACKET: "
$IPTABLES -A SYNLOG -j $SYNPOL
echo -n "."

$IPTABLES -N ICMPFLOOD
$IPTABLES -A ICMPFLOOD -j LOG --log-prefix "IPF: ICMP FLOOD: "
$IPTABLES -A ICMPFLOOD -j DROP
echo -n "."

$IPTABLES -N TCPFLOOD
$IPTABLES -A TCPFLOOD -j LOG --log-prefix "IPF: TCP FLOOD: "
$IPTABLES -A TCPFLOOD -j DROP
echo -n "."

$IPTABLES -N UDPFLOOD
$IPTABLES -A UDPFLOOD -j LOG --log-prefix "IPF: UDP FLOOD: "
$IPTABLES -A UDPFLOOD -j DROP
echo -n "."

$IPTABLES -N OUTPUTLOG
$IPTABLES -A OUTPUTLOG -j LOG --log-prefix "IPF: OUTPUT: "
$IPTABLES -A OUTPUTLOG -j $OUTPUTPOL
echo -n "."

$IPTABLES -N FORWARDLOG
$IPTABLES -A FORWARDLOG -j LOG --log-prefix "IPF: FORWARD: "
$IPTABLES -A FORWARDLOG -j $FORWARDPOL
echo -n "."

$IPTABLES -t nat -N PRELOG
$IPTABLES -t nat -A PRELOG -j LOG --log-prefix "IPF:
PREROUTING: "
$IPTABLES -t nat -A PRELOG -j $PREPOL
echo -n "."

$IPTABLES -t nat -N POSLOG
$IPTABLES -t nat -A POSLOG -j LOG --log-prefix "IPF:
POSTROUTING: "
$IPTABLES -t nat -A POSLOG -j $POSPOL
echo -n "."

$IPTABLES -t nat -N NOULOG
$IPTABLES -t nat -A NOULOG -j LOG --log-prefix "IPF: NAT
OUTPUT: "
$IPTABLES -t nat -A NOULOG -j $NOUPOL
echo -n "."

echo " ok!"
}

function create_traffic_chains() {

# from anywhere to firewall
$IPTABLES -N EXT-IFEXT
$IPTABLES -A INPUT -s 0/0 -d $IPEXT -i $IFEXT -j EXT-IFEXT
echo -n "."

if [ ! "$DMZ" == "no" ];
then
$IPTABLES -N DMZ-IFDMZ
$IPTABLES -A INPUT -s $NETDMZ -d $IPDMZ -i $IFDMZ -j DMZ-IFDMZ
echo -n "."
fi

if [ ! "$LAN" == "no" ];
then
$IPTABLES -N LAN-IFLAN
$IPTABLES -A INPUT -s $NETLAN -d $IPLAN -i $IFLAN -j LAN-IFLAN
echo -n "."
fi

# from anywhere to dmz
if [ ! "$DMZ" == "no" ];
then
$IPTABLES -N EXT-DMZ
$IPTABLES -A FORWARD -s 0/0 -d $NETDMZ -i $IFEXT -o $IFDMZ -j
EXT-DMZ
echo -n "."
$IPTABLES -N IFDMZ-DMZ
$IPTABLES -A OUTPUT -s $IPDMZ -d $NETDMZ -o $IFDMZ -j IFDMZ-DMZ
echo -n "."
if [ ! "$LAN" == "no" ];
then
$IPTABLES -N LAN-DMZ
$IPTABLES -A FORWARD -s $NETLAN -d $NETDMZ -i $IFLAN -o $IFDMZ -j
LAN-DMZ
echo -n "."
fi
fi

# from anywhere to lan
if [ ! "$LAN" == "no" ];
then
$IPTABLES -N EXT-LAN
$IPTABLES -A FORWARD -s 0/0 -d $NETLAN -i $IFEXT -o $IFLAN -j
EXT-LAN
echo -n "."
$IPTABLES -N IFLAN-LAN
$IPTABLES -A OUTPUT -s $IPLAN -d $NETLAN -o $IFLAN -j IFLAN-LAN
echo -n "."
if [ ! "$DMZ" == "no" ];
then
$IPTABLES -N DMZ-LAN
$IPTABLES -A FORWARD -s $NETDMZ -d $NETLAN -i $IFDMZ -o $IFLAN -j
DMZ-LAN
echo -n "."
fi
fi

# from anywhere to ext
$IPTABLES -N IFEXT-EXT
$IPTABLES -A OUTPUT -s $IPEXT -d 0/0 -o $IFEXT -j IFEXT-EXT
echo -n "."
if [ ! "$LAN" == "no" ];
then
$IPTABLES -N LAN-EXT
$IPTABLES -A FORWARD -s $NETLAN -d 0/0 -i $IFLAN -o $IFEXT -j
LAN-EXT
echo -n "."
fi
if [ ! "$DMZ" == "no" ];
then
$IPTABLES -N DMZ-EXT
$IPTABLES -A FORWARD -s $NETDMZ -d 0/0 -i $IFDMZ -o $IFEXT -j
DMZ-EXT
echo -n "."
fi

# Tcp Limits
$IPTABLES -N LIMIT-TCP
$IPTABLES -A LIMIT-TCP -p tcp --syn -m limit --limit $TCP_PER_SECOND/s
-j ACCEPT
$IPTABLES -A LIMIT-TCP -p tcp -j TCPFLOOD
echo -n "."

echo " ok!"
}

function create_routing_chains() {

# PREROUTING
# from ext to ifext
$IPTABLES -t nat -N PRE-EXT-IFEXT
$IPTABLES -t nat -A PREROUTING -s 0/0 -d $IPEXT -i $IFEXT -j
PRE-EXT-IFEXT
echo -n "."

# if private dmz and aliased ips, then inlude all aliased ip in the
prerouting table
if [ "$DMZ" == "private" ];
then
for i in `seq $DMZ_MACHINES`;
do
if [ ! "a$EXT_IP[$i]" == "a" ];
then
$IPTABLES -t nat -A PREROUTING -s 0/0 -d $EXT_IP[$i] -i $IFEXT -j
PRE-EXT-IFEXT
echo -n "."
fi
done
fi

# from lan to iflan
if [ ! "$LAN" == "no" ];
then
$IPTABLES -t nat -N PRE-LAN-IFLAN
$IPTABLES -t nat -A PREROUTING -s 0/0 -d $IPLAN -i $IFLAN -j
PRE-LAN-IFLAN
echo -n "."
fi

# POSTROUTING
# from dmz to ext
if [ ! "$DMZ" == "no" ];
then
$IPTABLES -t nat -N POST-DMZ-EXT
$IPTABLES -t nat -A POSTROUTING -s $NETDMZ -d 0/0 -o $IFEXT -j
POST-DMZ-EXT
echo -n "."
fi

# from lan to ext
if [ ! "$LAN" == "no" ];
then
$IPTABLES -t nat -N POST-LAN-EXT
$IPTABLES -t nat -A POSTROUTING -s $NETLAN -d 0/0 -o $IFEXT -j
POST-LAN-EXT
echo -n "."
fi

if [ ! "$LAN" == "no" ] && [ ! "$DMZ" == "no" ];
then
# from dmz to lan
$IPTABLES -t nat -N POST-DMZ-LAN
$IPTABLES -t nat -A POSTROUTING -s $NETDMZ -d 0/0 -o $IFLAN -j
POST-DMZ-LAN
echo -n "."

# from lan to dmz
$IPTABLES -t nat -N POST-LAN-DMZ
$IPTABLES -t nat -A POSTROUTING -s $NETLAN -d 0/0 -o $IFDMZ -j
POST-LAN-DMZ
echo -n "."
fi
echo " ok!"
}

function anti_spoofing() {

if [ ! "$SPOOFING" == "no" ];
then
# Blocking input traffic from privates IP (Spoofed IP)
for spoofed in $SPOOFED_IP;
do
for chain in $EXT_CHAINS;
do
$IPTABLES -A $chain -s $spoofed -j SPOOFLOG
done
$IPTABLES -t nat -A PREROUTING -s $spoofed -d $IPEXT -i $IFEXT -j
PRELOG; echo -n "."
done

# Blocking input traffic from IANA reserved IP (http://www.iana.net)
# Singles A Classes
for iana_reserved in $IANA_RESERVED;
do
for chain in $EXT_CHAINS;
do
$IPTABLES -A $chain -s ${iana_reserved}.0.0.0/8 -j
RESERVEDLOG
done
$IPTABLES -t nat -A PREROUTING -s ${iana_reserved}.0.0.0/8 -d $IPEXT
-i $IFEXT -j PRELOG; echo -n "."
done

# Ranged A Classes
for iana_reserved_ranged in $IANA_RESERVED_RANGED;
do
range=${iana_reserved_ranged/-/ }
for iana_reserved in `seq $range`;
do
for chain in $EXT_CHAINS;
do
$IPTABLES -A $chain -s ${iana_reserved}.0.0.0/8 -j
RESERVEDLOG
done
$IPTABLES -t nat -A PREROUTING -s ${iana_reserved}.0.0.0/8 -d
$IPEXT -i $IFEXT -j PRELOG; echo -n "."
done
done

# Blocking input traffic from my IP
for chain in $EXT_CHAINS;
do
$IPTABLES -A $chain -s $IPEXT -j SPOOFLOG
done
$IPTABLES -t nat -A PREROUTING -s $IPEXT -d 0/0 -i $IFEXT -j
PRELOG
echo -n "."

echo " ok!"
else
echo " no!"
fi

}

function do_advanced() {

echo -n " enabling SYN Cookies "
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
echo ". ok!"

echo -n " disabling response to broadcast pings "
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo ". ok!"

echo -n " enabling bad error message protection "
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo ". ok!"

if [ ! "$SERV_EXT_IFEXT_IPSEC" == "no" ] && [ !
"$SERV_IFEXT_EXT_IPSEC" == "no" ];
then
echo -n " disabling IP Spoofing attacks "
for f in /proc/sys/net/ipv4/conf/*/rp_filter;
do
echo 2 > $f
done
else
echo -n " enabling IP Spoofing (IPSEC) "
for f in /proc/sys/net/ipv4/conf/*/rp_filter;
do
echo 0 > $f
done
fi
echo ". ok!"

echo -n " disabling send_redirect "
for f in /proc/sys/net/ipv4/conf/*/send_redirects;
do
echo 0 > $f
done
echo ". ok!"

echo -n " blocking source routing "
for f in /proc/sys/net/ipv4/conf/*/accept_source_route;
do
echo 0 > $f
done
echo ". ok!"

echo -n " Log Martians (packets with impossible addresses) "
for f in /proc/sys/net/ipv4/conf/*/log_martians;
do
echo 1 > $f
done
echo ". ok!"

echo -n " kill redirects "
for f in /proc/sys/net/ipv4/conf/*/accept_redirects;
do
echo 0 > $f
done
echo ". ok!"

echo -n " make sure new incoming tcp connections are SYN packets "
for chain in $EXT_CHAINS;
do
$IPTABLES -A $chain -p tcp ! --syn -m state --state NEW -j SYNLOG;
echo -n "."
done
echo " ok!"

echo -n " accepting established related in all chains "
for chain in $ALL_CHAINS;
do
$IPTABLES -A $chain -p tcp -m state --state
ESTABLISHED,RELATED -j ACCEPT; echo -n "."
$IPTABLES -A $chain -p udp -m state --state
ESTABLISHED,RELATED -j ACCEPT; echo -n "."
done
echo " ok!"

}

do_mangle() {

for port in $MINIMIZE_DELAY
do
iptables -A PREROUTING -t mangle -p tcp --sport $port -j TOS
--set-tos Minimize-Delay; echo -n "."
iptables -A PREROUTING -t mangle -p tcp --dport $port -j TOS
--set-tos Minimize-Delay; echo -n "."

iptables -A PREROUTING -t mangle -p tcp --sport $port -j TOS
--set-tos Maximize-Throughput; echo -n "."
iptables -A PREROUTING -t mangle -p tcp --dport $port -j TOS
--set-tos Maximize-Throughput; echo -n "."
iptables -A OUTPUT -t mangle -p tcp --dport $port
-j TOS --set-tos Maximize-Throughput; echo -n "."
iptables -A OUTPUT -t mangle -p tcp --sport $port
-j TOS --set-tos Maximize-Throughput; echo -n "."

iptables -A OUTPUT -t mangle -p tcp --dport $port -j TOS
--set-tos Minimize-Delay; echo -n "."
iptables -A OUTPUT -t mangle -p tcp --sport $port -j TOS
--set-tos Minimize-Delay; echo -n "."
done
echo " ok!"

}

function do_icmp() {

# Accepting only echo-request with no limit (forward, output, chains)
for chain in $UNLIMITED_ICMP_CHAINS;
do
$IPTABLES -A $chain -p icmp -m state --state
ESTABLISHED,RELATED -j ACCEPT; echo -n "."
$IPTABLES -A $chain -p icmp --icmp-type echo-request -m state
--state NEW -j ACCEPT; echo -n "."

$IPTABLES -A $chain -p udp --sport $TRACEROUTE_SRC_PORTS --dport
$TRACEROUTE_DEST_PORTS -j ACCEPT; echo -n "."
done

# Accepting only echo-request but only $ICMP_PER_SECOND per second
(input chains), then logging as icmp flood
for chain in $LIMITED_ICMP_CHAINS;
do
$IPTABLES -A $chain -p icmp -m limit --limit $ICMP_PER_SECOND/s -m
state --state ESTABLISHED,RELATED -j ACCEPT; echo -n "."
$IPTABLES -A $chain -p icmp --icmp-type echo-request -m state --state
NEW -m limit --limit $ICMP_PER_SECOND/s -j ACCEPT; echo -n "."
#$IPTABLES -A $chain -p icmp --icmp-type echo-request -m state
--state NEW -j ICMPFLOOD; echo -n "."
$IPTABLES -A $chain -p icmp -j ICMPFLOOD; echo -n "."
done

# Traceroute :
for chain in $TRACEROUTE_CHAINS;
do
$IPTABLES -A $chain -p icmp --icmp-type destination-unreachable -m
state --state ESTABLISHED,RELATED -j ACCEPT; echo -n "."
$IPTABLES -A $chain -p icmp --icmp-type time-exceeded -m
state --state ESTABLISHED,RELATED -j ACCEPT; echo -n "."
$IPTABLES -A $chain -p icmp --icmp-type echo-reply -m
state --state ESTABLISHED,RELATED -j ACCEPT; echo -n "."
done

echo " ok!"

}

function do_adsl() {

# Accepting pptp traffic from modem
if [ "$ADSL" == "yes" ];
then
$IPTABLES -A INPUT -s $IP_ADSL -d $IP_IFSL -i $IF_ADSL
-j ACCEPT
$IPTABLES -A INPUT -p 47 -s $IP_ADSL -d $IPLAN -i $IF_ADSL -j
ACCEPT

$IPTABLES -A OUTPUT -s $IP_IFSL -d $IP_ADSL -o $IF_ADSL
-j ACCEPT
$IPTABLES -A OUTPUT -p 47 -s $IPLAN -d $IP_ADSL -o $IF_ADSL -j
ACCEPT
fi

echo $ADSL

}

function do_ext_fw() {

if [ "$TCP_PER_SECOND" == "0" ];
then
TCP_POLICY="ACCEPT"
else
TCP_POLICY="LIMIT-TCP"
fi

# From Internet to firewall
for service in $SERV_EXT_IFEXT_TCP;
do
$IPTABLES -A EXT-IFEXT -p tcp --sport $UNPRIVILEGED --dport $service
-j $TCP_POLICY; echo -n "."
$IPTABLES -A EXT-IFEXT -p tcp --sport $service --dport $service
-j $TCP_POLICY; echo -n "."
done

for service in $SERV_EXT_IFEXT_UDP;
do
$IPTABLES -A EXT-IFEXT -p udp --sport $UNPRIVILEGED --dport $service
-j ACCEPT; echo -n "."
$IPTABLES -A EXT-IFEXT -p udp --sport $service --dport $service
-j ACCEPT; echo -n "."
done

if [ "$SERV_EXT_IFEXT_SSH" == "yes" ];
then
$IPTABLES -A EXT-IFEXT -p tcp --sport $SSH_UNPRIVILEGED --dport ssh
-j $TCP_POLICY; echo -n "."
fi

if [ "$SERV_EXT_IFEXT_NTP" == "yes" ];
then
$IPTABLES -A EXT-IFEXT -p udp --sport $UNPRIVILEGED --dport ntp -j
ACCEPT; echo -n "."
$IPTABLES -A EXT-IFEXT -p udp --sport ntp --dport ntp -j
ACCEPT; echo -n "."
fi

# From firewall to Internet
for service in $SERV_IFEXT_EXT_TCP;
do
$IPTABLES -A IFEXT-EXT -p tcp --sport $UNPRIVILEGED --dport $service
-j ACCEPT; echo -n "."
$IPTABLES -A IFEXT-EXT -p tcp --sport $service --dport $service
-j ACCEPT; echo -n "."
done

for service in $SERV_IFEXT_EXT_UDP;
do
$IPTABLES -A IFEXT-EXT -p udp --sport $UNPRIVILEGED --dport $service
-j ACCEPT; echo -n "."
$IPTABLES -A IFEXT-EXT -p udp --sport $service --dport $service
-j ACCEPT; echo -n "."
done

if [ "$SERV_IFEXT_EXT_SSH" == "yes" ];
then
$IPTABLES -A IFEXT-EXT -p tcp --sport $SSH_UNPRIVILEGED --dport ssh
-j ACCEPT; echo -n "."
fi

if [ "$SERV_IFEXT_EXT_NTP" == "yes" ];
then
$IPTABLES -A IFEXT-EXT -p udp --sport $UNPRIVILEGED --dport ntp -j
ACCEPT; echo -n "."
$IPTABLES -A IFEXT-EXT -p udp --sport ntp --dport ntp -j
ACCEPT; echo -n "."
fi

echo " ok!"
}

function do_lan_fw() {

if [ ! "$LAN" == "no" ];
then
# From Internet to LAN
for service in $SERV_LAN_IFLAN_TCP;
do
$IPTABLES -A LAN-IFLAN -p tcp --sport $UNPRIVILEGED --dport $service
-j ACCEPT; echo -n "."
$IPTABLES -A LAN-IFLAN -p tcp --sport $service --dport $service
-j ACCEPT; echo -n "."
done

for service in $SERV_LAN_IFLAN_UDP;
do
$IPTABLES -A LAN-IFLAN -p udp --sport $UNPRIVILEGED --dport $service
-j ACCEPT; echo -n "."
$IPTABLES -A LAN-IFLAN -p udp --sport $service --dport $service
-j ACCEPT; echo -n "."
done

if [ "$SERV_LAN_IFLAN_SSH" == "yes" ];
then
$IPTABLES -A LAN-IFLAN -p tcp --sport $SSH_UNPRIVILEGED --dport ssh
-j ACCEPT; echo -n "."
fi

if [ "$SERV_LAN_IFLAN_NTP" == "yes" ];
then
$IPTABLES -A LAN-IFLAN -p udp --sport $UNPRIVILEGED --dport ntp -j
ACCEPT; echo -n "."
$IPTABLES -A LAN-IFLAN -p udp --sport ntp --dport ntp -j
ACCEPT; echo -n "."
fi

# From firewall to LAN
for service in $SERV_IFLAN_LAN_TCP;
do
$IPTABLES -A IFLAN-LAN -p tcp --sport $UNPRIVILEGED --dport $service
-j ACCEPT; echo -n "."
$IPTABLES -A IFLAN-LAN -p tcp --sport $service --dport $service
-j ACCEPT; echo -n "."
done

for service in $SERV_IFLAN_LAN_UDP;
do
$IPTABLES -A IFLAN-LAN -p udp --sport $UNPRIVILEGED --dport $service
-j ACCEPT; echo -n "."
$IPTABLES -A IFLAN-LAN -p udp --sport $service --dport $service
-j ACCEPT; echo -n "."
done

if [ "$SERV_IFLAN_LAN_SSH" == "yes" ];
then
$IPTABLES -A IFLAN-LAN -p tcp --sport $SSH_UNPRIVILEGED --dport ssh
-j ACCEPT; echo -n "."
fi

if [ "$SERV_IFLAN_LAN_NTP" == "yes" ];
then
$IPTABLES -A IFLAN-LAN -p udp --sport $UNPRIVILEGED --dport ntp -j
ACCEPT; echo -n "."
$IPTABLES -A IFLAN-LAN -p udp --sport ntp --dport ntp -j
ACCEPT; echo -n "."
fi
fi

echo " ok!"
}

function do_dmz() {

if [ "$TCP_PER_SECOND" == "0" ];
then
TCP_POLICY="ACCEPT"
else
TCP_POLICY="LIMIT-TCP"
fi

# Preparing vars to do prerouting if any
if [ "$DMZ" == "public" ];
then
DNATLAN="/bin/false"
DNATEXT="/bin/false"
DO_DMZ="yes"

elif [ "$DMZ" == "private" ];
then
DNATEXT="/bin/true"
DO_DMZ="yes"
if [ "$LAN" == "public" ];
then
DNATLAN="/bin/true"
else
DNATLAN="/bin/false"
fi
else
DO_DMZ="no"
fi

# Accepting only services to the good IP
if [ "$DO_DMZ" == "yes" ];
then
for i in `seq $DMZ_MACHINES`;
do
if [ "a${EXT_IP[$i]}" == "a" ] && [ "$DMZ" == "private" ];
then
DEST_IP=$IPEXT
else
DEST_IP=${EXT_IP[$i]}
fi

# from Internet to dmz
for service in ${EXT_DMZ_TCP[$i]};
do
# accepting service to the dmz
$IPTABLES -A EXT-DMZ -p tcp -d ${DMZ_IP[$i]} --sport $UNPRIVILEGED
--dport $service -j $TCP_POLICY
$IPTABLES -A EXT-DMZ -p tcp -d ${DMZ_IP[$i]} --sport $service
--dport $service -j $TCP_POLICY
# if private dmz then natting the service to destination machine
$DNATEXT && $IPTABLES -t nat -A PRE-EXT-IFEXT -p tcp --sport
$UNPRIVILEGED --dport $service
-d $DEST_IP -j DNAT --to
${DMZ_IP[$i]}:$service
$DNATEXT && $IPTABLES -t nat -A PRE-EXT-IFEXT -p tcp --sport
$service --dport $service
-d $DEST_IP -j DNAT --to
${DMZ_IP[$i]}:$service
echo -n "."

if [ "$LAN_DMZ" == "copy" ] && [ ! "$LAN" == "no" ];
then
LAN_DMZ_TCP[$i]=${EXT_DMZ_TCP[$i]}
fi

done

# from lan to dmz
if [ ! "$LAN" == "no" ];
then
for service in ${LAN_DMZ_TCP[$i]};
do
# accepting service to the dmz
$IPTABLES -A LAN-DMZ -p tcp -d ${DMZ_IP[$i]} --sport
$UNPRIVILEGED --dport $service -j ACCEPT
$IPTABLES -A LAN-DMZ -p tcp -d ${DMZ_IP[$i]} --sport
$service --dport $service -j ACCEPT
# if private dmz and public lan then natting the service to
destination machine
$DNATLAN && $IPTABLES -t nat -A PRE-LAN-IFLAN -p tcp --sport
$UNPRIVILEGED --dport $service
-j DNAT --to ${DMZ_IP[$i]}:$service
$DNATLAN && $IPTABLES -t nat -A PRE-LAN-IFLAN -p tcp --sport
$service --dport $service
-j DNAT --to ${DMZ_IP[$i]}:$service
done
fi
echo -n "."

# from Internet to dmz
for service in ${EXT_DMZ_UDP[$i]};
do
# accepting service to the dmz
$IPTABLES -A EXT-DMZ -p udp -d ${DMZ_IP[$i]} --sport $UNPRIVILEGED
--dport $service -j ACCEPT
$IPTABLES -A EXT-DMZ -p udp -d ${DMZ_IP[$i]} --sport $service
--dport $service -j ACCEPT
# if private dmz then natting the service to destination machine
$DNATEXT && $IPTABLES -t nat -A PRE-EXT-IFEXT -p udp --sport
$UNPRIVILEGED --dport $service
-d $DEST_IP -j DNAT --to ${DMZ_IP[$i]}:$service
$DNATEXT && $IPTABLES -t nat -A PRE-EXT-IFEXT -p udp --sport
$service --dport $service
-d $DEST_IP -j DNAT --to ${DMZ_IP[$i]}:$service
echo -n "."

if [ "$LAN_DMZ" == "copy" ] && [ ! "$LAN" == "no" ];
then
LAN_DMZ_UDP[$i]=${EXT_DMZ_UDP[$i]}
fi
done

# from lan to dmz
if [ ! "$LAN" == "no" ];
then
for service in ${LAN_DMZ_UDP[$i]};
do
# accepting service to the dmz
$IPTABLES -A LAN-DMZ -p udp -d ${DMZ_IP[$i]} --sport
$UNPRIVILEGED --dport $service -j ACCEPT
$IPTABLES -A LAN-DMZ -p udp -d ${DMZ_IP[$i]} --sport
$service --dport $service -j ACCEPT
# if private dmz and public lan then natting the service to
destination machine
$DNATLAN && $IPTABLES -t nat -A PRE-LAN-IFLAN -p udp --sport
$UNPRIVILEGED --dport $service
-j DNAT --to ${DMZ_IP[$i]}:$service
$DNATLAN && $IPTABLES -t nat -A PRE-LAN-IFLAN -p udp --sport
$service --dport $service
-j DNAT --to ${DMZ_IP[$i]}:$service
done
fi
echo -n "."

done

if [ "$EXT_DMZ_SSH" == "yes" ];
then
# if public DMZ then accept ssh connexions from Internet
$DNATDMZ || $IPTABLES -A EXT-DMZ -p tcp --sport $SSH_UNPRIVILEGED
--dport ssh -j $TCP_POLICY
$DNATDMZ || $IPTABLES -A EXT-DMZ -p tcp --sport ssh
--dport ssh -j $TCP_POLICY
echo -n "."
fi

if [ ! "$LAN" == "no" ] && [ $LAN_DMZ_SSH == "yes" ];
then
# accept ssh connexions from lan
$DNATLAN || $IPTABLES -A LAN-DMZ -p tcp --sport
$SSH_UNPRIVILEGED --dport ssh -j ACCEPT
$DNATLAN || $IPTABLES -A LAN-DMZ -p tcp --sport ssh
--dport ssh -j ACCEPT
echo -n "."
fi

echo " ok!"
else
echo " no dmz!"
fi

}

function do_lan() {

if [ ! "$LAN" == "no" ];
then
if [ ! "a$LAN_EXT_TCP" == "a" ];
then
for service in $LAN_EXT_TCP;
do
$IPTABLES -A LAN-EXT -p tcp --sport $UNPRIVILEGED --dport
$service -j ACCEPT
$IPTABLES -A LAN-EXT -p tcp --sport $service --dport
$service -j ACCEPT
done
else
$IPTABLES -A LAN-EXT -p tcp -j ACCEPT
fi
echo -n "."

if [ ! "a$LAN_EXT_UDP" == "a" ];
then
for service in $LAN_EXT_UDP;
do
$IPTABLES -A LAN-EXT -p udp --sport $UNPRIVILEGED --dport
$service -j ACCEPT
$IPTABLES -A LAN-EXT -p udp --sport $service --dport
$service -j ACCEPT
done
else
$IPTABLES -A LAN-EXT -p udp -j ACCEPT
fi
echo -n "."

echo " ok!"
fi

}

function do_ipsec() {

if [ "$SERV_EXT_IFEXT_IPSEC" == "yes" ];
then
for client in $SERV_EXT_IFEXT_IPSEC_CLIENTS;
do
$IPTABLES -A EXT-IFEXT -p udp -s $client --sport 500 --dport
500 -j ACCEPT
$IPTABLES -A EXT-IFEXT -p 50 -s $client
-j ACCEPT; echo -n "."
done
fi

if [ "$SERV_IFEXT_EXT_IPSEC" == "yes" ];
then
for server in $SERV_IFEXT_EXT_IPSEC_SERVERS;
do
$IPTABLES -A IFEXT-EXT -p udp -d $server --sport 500 --dport
500 -j ACCEPT
$IPTABLES -A IFEXT-EXT -p 50 -d $server
-j ACCEPT; echo -n "."
done
fi

echo " ok!"

}

function do_reject() {

for chain in $EXT_CHAINS;
do
for service in $REJECTED_SERVICES;
do
$IPTABLES -A $chain -p tcp --dport $service -j REJECT
--reject-with tcp-reset; echo -n "."
done
done

echo " ok!"

}

function do_nolog() {

for chain in $EXT_CHAINS INPUT;
do
for nolog in $NOLOG_TCP;
do
$IPTABLES -A $chain -p tcp --dport $nolog -j $INPUTPOL; echo -n "."
done

for nolog in $NOLOG_UDP;
do
$IPTABLES -A $chain -p udp --dport $nolog -j $INPUTPOL; echo -n "."
done

for nolog in $NOLOG_SRC;
do
$IPTABLES -A $chain -s $nolog -j $INPUTPOL; echo -n "."
done

for nolog in $NOLOG_DST;
do
$IPTABLES -A $chain -d $nolog -j $INPUTPOL; echo -n "."
done
done

echo " ok!"

}

function do_log() {

for chain in $INP_CHAINS INPUT; do $IPTABLES -A $chain -j INPUTLOG;
echo -n "."; done
for chain in $OUT_CHAINS OUTPUT; do $IPTABLES -A $chain -j
OUTPUTLOG; echo -n "."; done
for chain in $FOR_CHAINS FORWARD; do $IPTABLES -A $chain -j
FORWARDLOG; echo -n "."; done

echo " ok!"

}

function do_post() {

if [ "$LAN" == "private" ];
then
$IPTABLES -t nat -A POST-LAN-EXT -j SNAT --to $IPEXT; echo -n "."
if [ "$DMZ" == "public" ];
then
$IPTABLES -t nat -A POST-LAN-DMZ -j SNAT --to $IPDMZ; echo -n "."
fi
fi

if [ "$DMZ" == "private" ];
then
$IPTABLES -t nat -A POST-DMZ-EXT -j SNAT --to $IPEXT; echo -n "."
if [ "$LAN" == "public" ];
then
$IPTABLES -t nat -A POST-DMZ-LAN -j SNAT --to $IPLAN; echo -n "."
fi
fi

echo " ok!"

}

function do_open() {

# Unlock first rules
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT
echo ". ok!"

}

function do_close() {

$IPTABLES -P FORWARD DROP
echo ". ok!"

}

case "$1" in
start)
echo "Turning on packet filtering:"
echo -n " desactivating kernel forwarding "
echo 0 > /proc/sys/net/ipv4/ip_forward; echo ". ok!"
echo -n " loading modules "
load_modules
echo -n " cleaning chains and rules "
do_clean
echo " creating chains :"
echo -n " log"
create_standard_log_chains
echo -n " traffic "
create_traffic_chains
echo -n " {pre|post}routing "
create_routing_chains
echo -n " antispoofing "
anti_spoofing
echo " advanced protections :"
do_advanced
echo -n " packets priority "
do_mangle
echo -n " icmp "
do_icmp
echo -n " adsl : "
do_adsl
echo -n " Internet <-> firewall "
do_ext_fw
echo -n " LAN <-> firewall "
do_lan_fw
echo -n " Internet/LAN -> DMZ "
do_dmz
echo -n " LAN -> Internet "
do_lan
echo -n " vpn (ipsec) "
do_ipsec
echo -n " rejecting some services from Internet (auth) "
do_reject
echo -n " no log "
do_nolog
echo -n " log "
do_log
echo -n " postrouting "
do_post

# On debloque les regles initiales
echo -n " opening previously closed chains "
do_open
echo -n " activating kernel forwarding "
echo 1 > /proc/sys/net/ipv4/ip_forward; echo ". ok!"
;;
stop)
echo "Turning off packet filtering:"
echo -n " desactivating kernel forwarding "
echo 0 > /proc/sys/net/ipv4/ip_forward; echo ". ok!"
echo -n " cleaning chains and rules "
do_clean
echo -n " opening previously closed chains "
do_open
echo -n " closing firewall "
do_close
echo -n " unloading modules "
unload_modules $2
;;

restart)
$0 stop keep_conn
echo "sleeping 2 seconds ..."
sleep 2
$0 start
;;

test)
echo "Going to test mode ..."
$0 stop keep_conn
sleep 2
$0 start
echo
echo -n "Sleeping for $SLEEP seconds "
for i in `seq $SLEEP`;
do
echo -n "."
sleep 1
done
echo
echo
$0 stop
;;

status)
if [ "a$2" == "a" ];
then
for chain in $INP_CHAINS $OUT_CHAINS $FOR_CHAINS;
do
$IPTABLES -L $chain -n -v | egrep -v "(RESERVEDLOG|SPOOFLOG) *all"
echo
done
elif [ "$2" == "nat" ];
then
$IPTABLES -t nat -L -n -v | egrep -v "PRELOG *all"
elif [ "$2" == "mangle" ];
then
$IPTABLES -t mangle -L -n -v
fi
;;

*)
echo "eefw version $VERSION"
echo "Copyright Cyril Lacoux <clacoux@easter-eggs.com> 2002"
echo "This script is distributed under the terms of the GPL version 2
or higher"
echo ""
echo "Usage: /etc/init.d/packetfilter
{start|stop|restart|test|status [nat|mangle]}"
echo " -start : starting the firewall"
echo " -stop : stopping the firewall"
echo " -restart : stopping, sleeping 2 seconds then
starting"
echo " -status [nat|mangle] : list current chains and rules"
echo " -test : stopping, sleeping 2 seconds,
starting, sleeping $SLEEP seconds, then stopping"
echo ""
exit 1
;;

esac

Vous avez filtré cet utilisateur ! Consultez son message

Bonjour,
Merci pour vos réponses.
Seules les images *.gif sont bloquées, pas les autres jpeg ...etc sur
les machines du LAN, je ne peut pas téster depuis la passerelle
Voici le Script , désolé il est long ...

#!/bin/sh
# Firewall Script
VERSION="0.15"

PATH=/bin:/sbin:/usr/sbin:/usr/bin
IPTABLES=/sbin/iptables
MODPROBE=/sbin/modprobe

# Modules which have to be inserted before building the firewall
(reverse dependencies order)
MODULES="ip_tables iptable_filter iptable_mangle ipt_TOS ipt_LOG
ipt_REJECT ipt_limit ip_conntrack ipt_state iptable_nat
ip_conntrack_ftp"

# Interfaces, IP addresses, and networks
IFEXT="ppp0" #External Iface
IPEXT="80.65.227.129" #External IP

IFLAN="eth1" #Internal Iface
IPLAN="192.168.0.254" #Internal IP
NETLAN="192.168.0.0/24" #Internal network

IFDMZ="eth2" #DMZ Iface
IPDMZ="192.168.2.254" #DMZ IP
NETDMZ="192.168.2.0/24" #DMZ network

# If you have a XDSL connection
ADSL="yes"
IF_ADSL="eth0" #XDSL Iface
IP_IFSL="10.0.0.254" #XDSL IP
IP_ADSL="10.0.0.138" #Modem's IP

# Here, your protection against IP Spoofing
SPOOFING="yes" #Activate it ?
SPOOFED_IP="127.0.0.0/8 10.0.0.0/8 172.16.0.0/12
192.168.0.0/16" #Private networks
IANA_RESERVED="0 1 2 5 7 23 27 31 36 37 39 41 42 58 59 60 197
201" #Reserved class A networks
IANA_RESERVED_RANGED="69-79 82-95 96-126 221-223 240-255" #Reserved
class A networks (xx to yy)

# Services from Internet to firewall
SERV_EXT_IFEXT_TCP="" #tcp services
SERV_EXT_IFEXT_UDP="" #udp services
SERV_EXT_IFEXT_SSH="yes" #ssh server
SERV_EXT_IFEXT_NTP="no"
#ntp client

# Services from firewall to Internet
SERV_IFEXT_EXT_TCP="http https domain" #tcp services
SERV_IFEXT_EXT_UDP="domain" #udp services
SERV_IFEXT_EXT_SSH="yes" #ssh server
SERV_IFEXT_EXT_NTP="yes" #ntp client

# Services from LAN to firewall
SERV_LAN_IFLAN_TCP="domain" #tcp services
SERV_LAN_IFLAN_UDP="domain" #udp services
SERV_LAN_IFLAN_SSH="yes" #ssh server
SERV_LAN_IFLAN_NTP="no" #ntp client

# Services from firewall to LAN
SERV_IFLAN_LAN_TCP="" #tcp services
SERV_IFLAN_LAN_UDP="" #udp services
SERV_IFLAN_LAN_SSH="no" #ssh server
SERV_IFLAN_LAN_NTP="no" #ntp client

# IPsec (vpn, FreeSWAN)
SERV_EXT_IFEXT_IPSEC="yes" #Ipsec server
SERV_EXT_IFEXT_IPSEC_CLIENTS="62.212.117.199 62.212.96.50 213.41.142.6
213.41.142.7 213.41.148.14" #Which clients
SERV_IFEXT_EXT_IPSEC="yes" #Ipsec client
SERV_IFEXT_EXT_IPSEC_SERVERS="62.212.117.199 62.212.96.50 213.41.142.6
213.41.142.7 213.41.148.14" #Which server

# Services from LAN to Internet
LAN="private" # private/public/no
LAN_EXT_TCP="" # if blank then accept all
LAN_EXT_UDP="" # if blank then accept all

# Services from Internet to DMZ
DMZ="private" # private/public/no
EXT_DMZ_SSH="no" # ssh connexions to DMZ
DMZ_MACHINES="1" # number of machine(s) in the DMZ

# First Machine
EXT_IP[1]="" # leaving this blank cause using $IPEXT or $DMZ_IP[1]
EXT_DMZ_TCP[1]="21 25 110" # !!! ports number only !!!
EXT_DMZ_UDP[1]="21 25 110" # !!! ports number only !!!
DMZ_IP[1]="192.168.2.10" # IP of the machine

# Second Machine
EXT_IP[2]="" # leaving this blank cause using $IPEXT or $DMZ_IP[2]
EXT_DMZ_TCP[2]="" # !!! ports number only !!!
EXT_DMZ_UDP[2]="" # !!! ports number only !!!
DMZ_IP[2]="" # IP of the machine

# Services from LAN to DMZ
LAN_DMZ_SSH="yes"
LAN_DMZ="copy" # copy/create (copy from Internet to DMZ)
# if copy, be sure next lines are commented

# First Machine
#LAN_DMZ_TCP[1]="25" # !!! ports number only !!!
#LAN_DMZ_UDP[1]="" # !!! ports number only !!!

# Second Machine
#LAN_DMZ_TCP[2]="9000" # !!! ports number only !!!
#LAN_DMZ_UDP[2]="9000" # !!! ports number only !!!

# Unprivileged ports
UNPRIVILEGED="1024:"
SSH_UNPRIVILEGED="512:"

# Traceroute Ports
TRACEROUTE_SRC_PORTS="32769:65535"
TRACEROUTE_DEST_PORTS="33434:33523"

# Specifie here which things you don't want to log (input)
NOLOG_TCP="31337:31340 137:139" # tcp ports
NOLOG_UDP="137:139" # udp ports
NOLOG_SRC="" # source ips
NOLOG_DST="" # destination ips (ex: broadcast)

# Theses TCP services will be rejected by a tcp-reset (don't remove
auth unless you planed to accept it)
REJECTED_SERVICES="telnet auth socks 3128 webcache" # telnet socks
squid and webcache maybe useful when using irc

# Policies (after logging)
INPUTPOL="DROP" #Input
SPOOFPOL="DROP" #From Spoofed IP
RESERVEDPOL="DROP" #From IANA reserved IP
SYNPOL="DROP" #New packet without syn
OUTPUTPOL="REJECT" #Output
FORWARDPOL="DROP" #Forward
PREPOL="DROP" #Prerouting
POSPOL="DROP" #Postrouting
NOUPOL="DROP" #SNat

#Chains DON'T TOUCH THIS !
INP_CHAINS="EXT-IFEXT"
OUT_CHAINS="IFEXT-EXT"
FOR_CHAINS=""
EXT_CHAINS="EXT-IFEXT"
DMZ_CHAINS=""
if [ ! "$DMZ" == "no" ];
then
INP_CHAINS="$INP_CHAINS DMZ-IFDMZ"
OUT_CHAINS="$OUT_CHAINS IFDMZ-DMZ"
FOR_CHAINS="EXT-DMZ DMZ-EXT"
EXT_CHAINS="$EXT_CHAINS EXT-DMZ"
DMZ_CHAINS="IFDMZ-DMZ EXT-DMZ"

if [ ! "$LAN" == "no" ];
then
FOR_CHAINS="$FOR_CHAINS LAN-DMZ DMZ-LAN"
DMZ_CHAINS="$DMZ_CHAINS LAN-DMZ"
fi
fi

if [ ! "$LAN" == "no" ];
then
INP_CHAINS="$INP_CHAINS LAN-IFLAN"
OUT_CHAINS="$OUT_CHAINS IFLAN-LAN"
FOR_CHAINS="$FOR_CHAINS EXT-LAN LAN-EXT"
EXT_CHAINS="$EXT_CHAINS EXT-LAN"
fi

ALL_CHAINS="$INP_CHAINS $OUT_CHAINS $FOR_CHAINS"

# ICMP
UNLIMITED_ICMP_CHAINS="$OUT_CHAINS"
if [ ! "$DMZ" == "no" ];
then
UNLIMITED_ICMP_CHAINS="$UNLIMITED_ICMP_CHAINS DMZ-EXT"
if [ ! "$LAN" == "no" ];
then
UNLIMITED_ICMP_CHAINS="$UNLIMITED_ICMP_CHAINS LAN-DMZ DMZ-LAN"
fi
fi
if [ ! "$LAN" == "no" ];
then
UNLIMITED_ICMP_CHAINS="$UNLIMITED_ICMP_CHAINS LAN-EXT"
fi

LIMITED_ICMP_CHAINS="$INP_CHAINS"
ICMP_PER_SECOND="50" #Packets per second, 0 means no limit

# Traceroute
TRACEROUTE_CHAINS="$UNLIMITED_ICMP_CHAINS $EXT_CHAINS"

#TCP
TCP_PER_SECOND="5" #Packets per second, 0 means no limit

#PortScanners

#Test mode : starting firewall, sleeping for $SLEEP seconds, then
stopping firewall
SLEEP`

#Minimize delay
MINIMIZE_DELAY="ssh"

function load_modules() {

# Load each modules
for module in $MODULES;
do
$MODPROBE $module; echo -n "."
done
echo " ok!"

}

function unload_modules() {

# reversing order to unload modules in the right order
unset REVERSE
for module in $MODULES;
do
# Leave theses to get policy forward set to DROP
if [ ! "$module" == "iptable_filter" ] && [ ! "$module" "ip_tables" ];
then
# if restarting firewall, leave theses to keep connexion already
established
if [ ! "$module" == "ip_conntrack" ] && [ ! "$module" "ip_conntrack_ftp" ] || [ ! "a$1" == "akeep_conn" ];
then
REVERSE="$module $REVERSE"
fi
fi
done

# unload modules
for module in $REVERSE;
do
$MODPROBE -r $module; echo -n "."
done
echo " ok!"

}

function do_clean() {

# Flush
$IPTABLES -F
$IPTABLES -X
$IPTABLES -t nat -F
$IPTABLES -t nat -X
$IPTABLES -t mangle -F
$IPTABLES -t mangle -X
# Locking the box
$IPTABLES -P OUTPUT DROP
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -t nat -P PREROUTING DROP
$IPTABLES -t nat -P POSTROUTING DROP
$IPTABLES -t nat -P OUTPUT DROP
# Except loopback traffic
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT
echo ". ok!"

}

function create_standard_log_chains() {

# Some chains for logging then dropping packets
$IPTABLES -N INPUTLOG
$IPTABLES -A INPUTLOG -j LOG --log-prefix "IPF: INPUT: "
$IPTABLES -A INPUTLOG -j $INPUTPOL
echo -n "."

$IPTABLES -N SPOOFLOG
$IPTABLES -A SPOOFLOG -j LOG --log-prefix "IPF: SPOOFING: "
$IPTABLES -A SPOOFLOG -j $SPOOFPOL
echo -n "."

$IPTABLES -N RESERVEDLOG
$IPTABLES -A RESERVEDLOG -j LOG --log-prefix "IPF: RESERVED: "
$IPTABLES -A RESERVEDLOG -j $RESERVEDPOL
echo -n "."

$IPTABLES -N SYNLOG
$IPTABLES -A SYNLOG -j LOG --log-prefix "IPF: SYN PACKET: "
$IPTABLES -A SYNLOG -j $SYNPOL
echo -n "."

$IPTABLES -N ICMPFLOOD
$IPTABLES -A ICMPFLOOD -j LOG --log-prefix "IPF: ICMP FLOOD: "
$IPTABLES -A ICMPFLOOD -j DROP
echo -n "."

$IPTABLES -N TCPFLOOD
$IPTABLES -A TCPFLOOD -j LOG --log-prefix "IPF: TCP FLOOD: "
$IPTABLES -A TCPFLOOD -j DROP
echo -n "."

$IPTABLES -N UDPFLOOD
$IPTABLES -A UDPFLOOD -j LOG --log-prefix "IPF: UDP FLOOD: "
$IPTABLES -A UDPFLOOD -j DROP
echo -n "."

$IPTABLES -N OUTPUTLOG
$IPTABLES -A OUTPUTLOG -j LOG --log-prefix "IPF: OUTPUT: "
$IPTABLES -A OUTPUTLOG -j $OUTPUTPOL
echo -n "."

$IPTABLES -N FORWARDLOG
$IPTABLES -A FORWARDLOG -j LOG --log-prefix "IPF: FORWARD: "
$IPTABLES -A FORWARDLOG -j $FORWARDPOL
echo -n "."

$IPTABLES -t nat -N PRELOG
$IPTABLES -t nat -A PRELOG -j LOG --log-prefix "IPF:
PREROUTING: "
$IPTABLES -t nat -A PRELOG -j $PREPOL
echo -n "."

$IPTABLES -t nat -N POSLOG
$IPTABLES -t nat -A POSLOG -j LOG --log-prefix "IPF:
POSTROUTING: "
$IPTABLES -t nat -A POSLOG -j $POSPOL
echo -n "."

$IPTABLES -t nat -N NOULOG
$IPTABLES -t nat -A NOULOG -j LOG --log-prefix "IPF: NAT
OUTPUT: "
$IPTABLES -t nat -A NOULOG -j $NOUPOL
echo -n "."

echo " ok!"
}

function create_traffic_chains() {

# from anywhere to firewall
$IPTABLES -N EXT-IFEXT
$IPTABLES -A INPUT -s 0/0 -d $IPEXT -i $IFEXT -j EXT-IFEXT
echo -n "."

if [ ! "$DMZ" == "no" ];
then
$IPTABLES -N DMZ-IFDMZ
$IPTABLES -A INPUT -s $NETDMZ -d $IPDMZ -i $IFDMZ -j DMZ-IFDMZ
echo -n "."
fi

if [ ! "$LAN" == "no" ];
then
$IPTABLES -N LAN-IFLAN
$IPTABLES -A INPUT -s $NETLAN -d $IPLAN -i $IFLAN -j LAN-IFLAN
echo -n "."
fi

# from anywhere to dmz
if [ ! "$DMZ" == "no" ];
then
$IPTABLES -N EXT-DMZ
$IPTABLES -A FORWARD -s 0/0 -d $NETDMZ -i $IFEXT -o $IFDMZ -j
EXT-DMZ
echo -n "."
$IPTABLES -N IFDMZ-DMZ
$IPTABLES -A OUTPUT -s $IPDMZ -d $NETDMZ -o $IFDMZ -j IFDMZ-DMZ
echo -n "."
if [ ! "$LAN" == "no" ];
then
$IPTABLES -N LAN-DMZ
$IPTABLES -A FORWARD -s $NETLAN -d $NETDMZ -i $IFLAN -o $IFDMZ -j
LAN-DMZ
echo -n "."
fi
fi

# from anywhere to lan
if [ ! "$LAN" == "no" ];
then
$IPTABLES -N EXT-LAN
$IPTABLES -A FORWARD -s 0/0 -d $NETLAN -i $IFEXT -o $IFLAN -j
EXT-LAN
echo -n "."
$IPTABLES -N IFLAN-LAN
$IPTABLES -A OUTPUT -s $IPLAN -d $NETLAN -o $IFLAN -j IFLAN-LAN
echo -n "."
if [ ! "$DMZ" == "no" ];
then
$IPTABLES -N DMZ-LAN
$IPTABLES -A FORWARD -s $NETDMZ -d $NETLAN -i $IFDMZ -o $IFLAN -j
DMZ-LAN
echo -n "."
fi
fi

# from anywhere to ext
$IPTABLES -N IFEXT-EXT
$IPTABLES -A OUTPUT -s $IPEXT -d 0/0 -o $IFEXT -j IFEXT-EXT
echo -n "."
if [ ! "$LAN" == "no" ];
then
$IPTABLES -N LAN-EXT
$IPTABLES -A FORWARD -s $NETLAN -d 0/0 -i $IFLAN -o $IFEXT -j
LAN-EXT
echo -n "."
fi
if [ ! "$DMZ" == "no" ];
then
$IPTABLES -N DMZ-EXT
$IPTABLES -A FORWARD -s $NETDMZ -d 0/0 -i $IFDMZ -o $IFEXT -j
DMZ-EXT
echo -n "."
fi

# Tcp Limits
$IPTABLES -N LIMIT-TCP
$IPTABLES -A LIMIT-TCP -p tcp --syn -m limit --limit $TCP_PER_SECOND/s
-j ACCEPT
$IPTABLES -A LIMIT-TCP -p tcp -j TCPFLOOD
echo -n "."

echo " ok!"
}

function create_routing_chains() {

# PREROUTING
# from ext to ifext
$IPTABLES -t nat -N PRE-EXT-IFEXT
$IPTABLES -t nat -A PREROUTING -s 0/0 -d $IPEXT -i $IFEXT -j
PRE-EXT-IFEXT
echo -n "."

# if private dmz and aliased ips, then inlude all aliased ip in the
prerouting table
if [ "$DMZ" == "private" ];
then
for i in `seq $DMZ_MACHINES`;
do
if [ ! "a$EXT_IP[$i]" == "a" ];
then
$IPTABLES -t nat -A PREROUTING -s 0/0 -d $EXT_IP[$i] -i $IFEXT -j
PRE-EXT-IFEXT
echo -n "."
fi
done
fi

# from lan to iflan
if [ ! "$LAN" == "no" ];
then
$IPTABLES -t nat -N PRE-LAN-IFLAN
$IPTABLES -t nat -A PREROUTING -s 0/0 -d $IPLAN -i $IFLAN -j
PRE-LAN-IFLAN
echo -n "."
fi

# POSTROUTING
# from dmz to ext
if [ ! "$DMZ" == "no" ];
then
$IPTABLES -t nat -N POST-DMZ-EXT
$IPTABLES -t nat -A POSTROUTING -s $NETDMZ -d 0/0 -o $IFEXT -j
POST-DMZ-EXT
echo -n "."
fi

# from lan to ext
if [ ! "$LAN" == "no" ];
then
$IPTABLES -t nat -N POST-LAN-EXT
$IPTABLES -t nat -A POSTROUTING -s $NETLAN -d 0/0 -o $IFEXT -j
POST-LAN-EXT
echo -n "."
fi

if [ ! "$LAN" == "no" ] && [ ! "$DMZ" == "no" ];
then
# from dmz to lan
$IPTABLES -t nat -N POST-DMZ-LAN
$IPTABLES -t nat -A POSTROUTING -s $NETDMZ -d 0/0 -o $IFLAN -j
POST-DMZ-LAN
echo -n "."

# from lan to dmz
$IPTABLES -t nat -N POST-LAN-DMZ
$IPTABLES -t nat -A POSTROUTING -s $NETLAN -d 0/0 -o $IFDMZ -j
POST-LAN-DMZ
echo -n "."
fi
echo " ok!"
}

function anti_spoofing() {

if [ ! "$SPOOFING" == "no" ];
then
# Blocking input traffic from privates IP (Spoofed IP)
for spoofed in $SPOOFED_IP;
do
for chain in $EXT_CHAINS;
do
$IPTABLES -A $chain -s $spoofed -j SPOOFLOG
done
$IPTABLES -t nat -A PREROUTING -s $spoofed -d $IPEXT -i $IFEXT -j
PRELOG; echo -n "."
done

# Blocking input traffic from IANA reserved IP (http://www.iana.net)
# Singles A Classes
for iana_reserved in $IANA_RESERVED;
do
for chain in $EXT_CHAINS;
do
$IPTABLES -A $chain -s ${iana_reserved}.0.0.0/8 -j
RESERVEDLOG
done
$IPTABLES -t nat -A PREROUTING -s ${iana_reserved}.0.0.0/8 -d $IPEXT
-i $IFEXT -j PRELOG; echo -n "."
done

# Ranged A Classes
for iana_reserved_ranged in $IANA_RESERVED_RANGED;
do
range=${iana_reserved_ranged/-/ }
for iana_reserved in `seq $range`;
do
for chain in $EXT_CHAINS;
do
$IPTABLES -A $chain -s ${iana_reserved}.0.0.0/8 -j
RESERVEDLOG
done
$IPTABLES -t nat -A PREROUTING -s ${iana_reserved}.0.0.0/8 -d
$IPEXT -i $IFEXT -j PRELOG; echo -n "."
done
done

# Blocking input traffic from my IP
for chain in $EXT_CHAINS;
do
$IPTABLES -A $chain -s $IPEXT -j SPOOFLOG
done
$IPTABLES -t nat -A PREROUTING -s $IPEXT -d 0/0 -i $IFEXT -j
PRELOG
echo -n "."

echo " ok!"
else
echo " no!"
fi

}

function do_advanced() {

echo -n " enabling SYN Cookies "
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
echo ". ok!"

echo -n " disabling response to broadcast pings "
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo ". ok!"

echo -n " enabling bad error message protection "
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo ". ok!"

if [ ! "$SERV_EXT_IFEXT_IPSEC" == "no" ] && [ !
"$SERV_IFEXT_EXT_IPSEC" == "no" ];
then
echo -n " disabling IP Spoofing attacks "
for f in /proc/sys/net/ipv4/conf/*/rp_filter;
do
echo 2 > $f
done
else
echo -n " enabling IP Spoofing (IPSEC) "
for f in /proc/sys/net/ipv4/conf/*/rp_filter;
do
echo 0 > $f
done
fi
echo ". ok!"

echo -n " disabling send_redirect "
for f in /proc/sys/net/ipv4/conf/*/send_redirects;
do
echo 0 > $f
done
echo ". ok!"

echo -n " blocking source routing "
for f in /proc/sys/net/ipv4/conf/*/accept_source_route;
do
echo 0 > $f
done
echo ". ok!"

echo -n " Log Martians (packets with impossible addresses) "
for f in /proc/sys/net/ipv4/conf/*/log_martians;
do
echo 1 > $f
done
echo ". ok!"

echo -n " kill redirects "
for f in /proc/sys/net/ipv4/conf/*/accept_redirects;
do
echo 0 > $f
done
echo ". ok!"

echo -n " make sure new incoming tcp connections are SYN packets "
for chain in $EXT_CHAINS;
do
$IPTABLES -A $chain -p tcp ! --syn -m state --state NEW -j SYNLOG;
echo -n "."
done
echo " ok!"

echo -n " accepting established related in all chains "
for chain in $ALL_CHAINS;
do
$IPTABLES -A $chain -p tcp -m state --state
ESTABLISHED,RELATED -j ACCEPT; echo -n "."
$IPTABLES -A $chain -p udp -m state --state
ESTABLISHED,RELATED -j ACCEPT; echo -n "."
done
echo " ok!"

}

do_mangle() {

for port in $MINIMIZE_DELAY
do
iptables -A PREROUTING -t mangle -p tcp --sport $port -j TOS
--set-tos Minimize-Delay; echo -n "."
iptables -A PREROUTING -t mangle -p tcp --dport $port -j TOS
--set-tos Minimize-Delay; echo -n "."

iptables -A PREROUTING -t mangle -p tcp --sport $port -j TOS
--set-tos Maximize-Throughput; echo -n "."
iptables -A PREROUTING -t mangle -p tcp --dport $port -j TOS
--set-tos Maximize-Throughput; echo -n "."
iptables -A OUTPUT -t mangle -p tcp --dport $port
-j TOS --set-tos Maximize-Throughput; echo -n "."
iptables -A OUTPUT -t mangle -p tcp --sport $port
-j TOS --set-tos Maximize-Throughput; echo -n "."

iptables -A OUTPUT -t mangle -p tcp --dport $port -j TOS
--set-tos Minimize-Delay; echo -n "."
iptables -A OUTPUT -t mangle -p tcp --sport $port -j TOS
--set-tos Minimize-Delay; echo -n "."
done
echo " ok!"

}

function do_icmp() {

# Accepting only echo-request with no limit (forward, output, chains)
for chain in $UNLIMITED_ICMP_CHAINS;
do
$IPTABLES -A $chain -p icmp -m state --state
ESTABLISHED,RELATED -j ACCEPT; echo -n "."
$IPTABLES -A $chain -p icmp --icmp-type echo-request -m state
--state NEW -j ACCEPT; echo -n "."

$IPTABLES -A $chain -p udp --sport $TRACEROUTE_SRC_PORTS --dport
$TRACEROUTE_DEST_PORTS -j ACCEPT; echo -n "."
done

# Accepting only echo-request but only $ICMP_PER_SECOND per second
(input chains), then logging as icmp flood
for chain in $LIMITED_ICMP_CHAINS;
do
$IPTABLES -A $chain -p icmp -m limit --limit $ICMP_PER_SECOND/s -m
state --state ESTABLISHED,RELATED -j ACCEPT; echo -n "."
$IPTABLES -A $chain -p icmp --icmp-type echo-request -m state --state
NEW -m limit --limit $ICMP_PER_SECOND/s -j ACCEPT; echo -n "."
#$IPTABLES -A $chain -p icmp --icmp-type echo-request -m state
--state NEW -j ICMPFLOOD; echo -n "."
$IPTABLES -A $chain -p icmp -j ICMPFLOOD; echo -n "."
done

# Traceroute :
for chain in $TRACEROUTE_CHAINS;
do
$IPTABLES -A $chain -p icmp --icmp-type destination-unreachable -m
state --state ESTABLISHED,RELATED -j ACCEPT; echo -n "."
$IPTABLES -A $chain -p icmp --icmp-type time-exceeded -m
state --state ESTABLISHED,RELATED -j ACCEPT; echo -n "."
$IPTABLES -A $chain -p icmp --icmp-type echo-reply -m
state --state ESTABLISHED,RELATED -j ACCEPT; echo -n "."
done

echo " ok!"

}

function do_adsl() {

# Accepting pptp traffic from modem
if [ "$ADSL" == "yes" ];
then
$IPTABLES -A INPUT -s $IP_ADSL -d $IP_IFSL -i $IF_ADSL
-j ACCEPT
$IPTABLES -A INPUT -p 47 -s $IP_ADSL -d $IPLAN -i $IF_ADSL -j
ACCEPT

$IPTABLES -A OUTPUT -s $IP_IFSL -d $IP_ADSL -o $IF_ADSL
-j ACCEPT
$IPTABLES -A OUTPUT -p 47 -s $IPLAN -d $IP_ADSL -o $IF_ADSL -j
ACCEPT
fi

echo $ADSL

}

function do_ext_fw() {

if [ "$TCP_PER_SECOND" == "0" ];
then
TCP_POLICY="ACCEPT"
else
TCP_POLICY="LIMIT-TCP"
fi

# From Internet to firewall
for service in $SERV_EXT_IFEXT_TCP;
do
$IPTABLES -A EXT-IFEXT -p tcp --sport $UNPRIVILEGED --dport $service
-j $TCP_POLICY; echo -n "."
$IPTABLES -A EXT-IFEXT -p tcp --sport $service --dport $service
-j $TCP_POLICY; echo -n "."
done

for service in $SERV_EXT_IFEXT_UDP;
do
$IPTABLES -A EXT-IFEXT -p udp --sport $UNPRIVILEGED --dport $service
-j ACCEPT; echo -n "."
$IPTABLES -A EXT-IFEXT -p udp --sport $service --dport $service
-j ACCEPT; echo -n "."
done

if [ "$SERV_EXT_IFEXT_SSH" == "yes" ];
then
$IPTABLES -A EXT-IFEXT -p tcp --sport $SSH_UNPRIVILEGED --dport ssh
-j $TCP_POLICY; echo -n "."
fi

if [ "$SERV_EXT_IFEXT_NTP" == "yes" ];
then
$IPTABLES -A EXT-IFEXT -p udp --sport $UNPRIVILEGED --dport ntp -j
ACCEPT; echo -n "."
$IPTABLES -A EXT-IFEXT -p udp --sport ntp --dport ntp -j
ACCEPT; echo -n "."
fi

# From firewall to Internet
for service in $SERV_IFEXT_EXT_TCP;
do
$IPTABLES -A IFEXT-EXT -p tcp --sport $UNPRIVILEGED --dport $service
-j ACCEPT; echo -n "."
$IPTABLES -A IFEXT-EXT -p tcp --sport $service --dport $service
-j ACCEPT; echo -n "."
done

for service in $SERV_IFEXT_EXT_UDP;
do
$IPTABLES -A IFEXT-EXT -p udp --sport $UNPRIVILEGED --dport $service
-j ACCEPT; echo -n "."
$IPTABLES -A IFEXT-EXT -p udp --sport $service --dport $service
-j ACCEPT; echo -n "."
done

if [ "$SERV_IFEXT_EXT_SSH" == "yes" ];
then
$IPTABLES -A IFEXT-EXT -p tcp --sport $SSH_UNPRIVILEGED --dport ssh
-j ACCEPT; echo -n "."
fi

if [ "$SERV_IFEXT_EXT_NTP" == "yes" ];
then
$IPTABLES -A IFEXT-EXT -p udp --sport $UNPRIVILEGED --dport ntp -j
ACCEPT; echo -n "."
$IPTABLES -A IFEXT-EXT -p udp --sport ntp --dport ntp -j
ACCEPT; echo -n "."
fi

echo " ok!"
}

function do_lan_fw() {

if [ ! "$LAN" == "no" ];
then
# From Internet to LAN
for service in $SERV_LAN_IFLAN_TCP;
do
$IPTABLES -A LAN-IFLAN -p tcp --sport $UNPRIVILEGED --dport $service
-j ACCEPT; echo -n "."
$IPTABLES -A LAN-IFLAN -p tcp --sport $service --dport $service
-j ACCEPT; echo -n "."
done

for service in $SERV_LAN_IFLAN_UDP;
do
$IPTABLES -A LAN-IFLAN -p udp --sport $UNPRIVILEGED --dport $service
-j ACCEPT; echo -n "."
$IPTABLES -A LAN-IFLAN -p udp --sport $service --dport $service
-j ACCEPT; echo -n "."
done

if [ "$SERV_LAN_IFLAN_SSH" == "yes" ];
then
$IPTABLES -A LAN-IFLAN -p tcp --sport $SSH_UNPRIVILEGED --dport ssh
-j ACCEPT; echo -n "."
fi

if [ "$SERV_LAN_IFLAN_NTP" == "yes" ];
then
$IPTABLES -A LAN-IFLAN -p udp --sport $UNPRIVILEGED --dport ntp -j
ACCEPT; echo -n "."
$IPTABLES -A LAN-IFLAN -p udp --sport ntp --dport ntp -j
ACCEPT; echo -n "."
fi

# From firewall to LAN
for service in $SERV_IFLAN_LAN_TCP;
do
$IPTABLES -A IFLAN-LAN -p tcp --sport $UNPRIVILEGED --dport $service
-j ACCEPT; echo -n "."
$IPTABLES -A IFLAN-LAN -p tcp --sport $service --dport $service
-j ACCEPT; echo -n "."
done

for service in $SERV_IFLAN_LAN_UDP;
do
$IPTABLES -A IFLAN-LAN -p udp --sport $UNPRIVILEGED --dport $service
-j ACCEPT; echo -n "."
$IPTABLES -A IFLAN-LAN -p udp --sport $service --dport $service
-j ACCEPT; echo -n "."
done

if [ "$SERV_IFLAN_LAN_SSH" == "yes" ];
then
$IPTABLES -A IFLAN-LAN -p tcp --sport $SSH_UNPRIVILEGED --dport ssh
-j ACCEPT; echo -n "."
fi

if [ "$SERV_IFLAN_LAN_NTP" == "yes" ];
then
$IPTABLES -A IFLAN-LAN -p udp --sport $UNPRIVILEGED --dport ntp -j
ACCEPT; echo -n "."
$IPTABLES -A IFLAN-LAN -p udp --sport ntp --dport ntp -j
ACCEPT; echo -n "."
fi
fi

echo " ok!"
}

function do_dmz() {

if [ "$TCP_PER_SECOND" == "0" ];
then
TCP_POLICY="ACCEPT"
else
TCP_POLICY="LIMIT-TCP"
fi

# Preparing vars to do prerouting if any
if [ "$DMZ" == "public" ];
then
DNATLAN="/bin/false"
DNATEXT="/bin/false"
DO_DMZ="yes"

elif [ "$DMZ" == "private" ];
then
DNATEXT="/bin/true"
DO_DMZ="yes"
if [ "$LAN" == "public" ];
then
DNATLAN="/bin/true"
else
DNATLAN="/bin/false"
fi
else
DO_DMZ="no"
fi

# Accepting only services to the good IP
if [ "$DO_DMZ" == "yes" ];
then
for i in `seq $DMZ_MACHINES`;
do
if [ "a${EXT_IP[$i]}" == "a" ] && [ "$DMZ" == "private" ];
then
DEST_IP=$IPEXT
else
DEST_IP=${EXT_IP[$i]}
fi

# from Internet to dmz
for service in ${EXT_DMZ_TCP[$i]};
do
# accepting service to the dmz
$IPTABLES -A EXT-DMZ -p tcp -d ${DMZ_IP[$i]} --sport $UNPRIVILEGED
--dport $service -j $TCP_POLICY
$IPTABLES -A EXT-DMZ -p tcp -d ${DMZ_IP[$i]} --sport $service
--dport $service -j $TCP_POLICY
# if private dmz then natting the service to destination machine
$DNATEXT && $IPTABLES -t nat -A PRE-EXT-IFEXT -p tcp --sport
$UNPRIVILEGED --dport $service
-d $DEST_IP -j DNAT --to
${DMZ_IP[$i]}:$service
$DNATEXT && $IPTABLES -t nat -A PRE-EXT-IFEXT -p tcp --sport
$service --dport $service
-d $DEST_IP -j DNAT --to
${DMZ_IP[$i]}:$service
echo -n "."

if [ "$LAN_DMZ" == "copy" ] && [ ! "$LAN" == "no" ];
then
LAN_DMZ_TCP[$i]=${EXT_DMZ_TCP[$i]}
fi

done

# from lan to dmz
if [ ! "$LAN" == "no" ];
then
for service in ${LAN_DMZ_TCP[$i]};
do
# accepting service to the dmz
$IPTABLES -A LAN-DMZ -p tcp -d ${DMZ_IP[$i]} --sport
$UNPRIVILEGED --dport $service -j ACCEPT
$IPTABLES -A LAN-DMZ -p tcp -d ${DMZ_IP[$i]} --sport
$service --dport $service -j ACCEPT
# if private dmz and public lan then natting the service to
destination machine
$DNATLAN && $IPTABLES -t nat -A PRE-LAN-IFLAN -p tcp --sport
$UNPRIVILEGED --dport $service
-j DNAT --to ${DMZ_IP[$i]}:$service
$DNATLAN && $IPTABLES -t nat -A PRE-LAN-IFLAN -p tcp --sport
$service --dport $service
-j DNAT --to ${DMZ_IP[$i]}:$service
done
fi
echo -n "."

# from Internet to dmz
for service in ${EXT_DMZ_UDP[$i]};
do
# accepting service to the dmz
$IPTABLES -A EXT-DMZ -p udp -d ${DMZ_IP[$i]} --sport $UNPRIVILEGED
--dport $service -j ACCEPT
$IPTABLES -A EXT-DMZ -p udp -d ${DMZ_IP[$i]} --sport $service
--dport $service -j ACCEPT
# if private dmz then natting the service to destination machine
$DNATEXT && $IPTABLES -t nat -A PRE-EXT-IFEXT -p udp --sport
$UNPRIVILEGED --dport $service
-d $DEST_IP -j DNAT --to ${DMZ_IP[$i]}:$service
$DNATEXT && $IPTABLES -t nat -A PRE-EXT-IFEXT -p udp --sport
$service --dport $service
-d $DEST_IP -j DNAT --to ${DMZ_IP[$i]}:$service
echo -n "."

if [ "$LAN_DMZ" == "copy" ] && [ ! "$LAN" == "no" ];
then
LAN_DMZ_UDP[$i]=${EXT_DMZ_UDP[$i]}
fi
done

# from lan to dmz
if [ ! "$LAN" == "no" ];
then
for service in ${LAN_DMZ_UDP[$i]};
do
# accepting service to the dmz
$IPTABLES -A LAN-DMZ -p udp -d ${DMZ_IP[$i]} --sport
$UNPRIVILEGED --dport $service -j ACCEPT
$IPTABLES -A LAN-DMZ -p udp -d ${DMZ_IP[$i]} --sport
$service --dport $service -j ACCEPT
# if private dmz and public lan then natting the service to
destination machine
$DNATLAN && $IPTABLES -t nat -A PRE-LAN-IFLAN -p udp --sport
$UNPRIVILEGED --dport $service
-j DNAT --to ${DMZ_IP[$i]}:$service
$DNATLAN && $IPTABLES -t nat -A PRE-LAN-IFLAN -p udp --sport
$service --dport $service
-j DNAT --to ${DMZ_IP[$i]}:$service
done
fi
echo -n "."

done

if [ "$EXT_DMZ_SSH" == "yes" ];
then
# if public DMZ then accept ssh connexions from Internet
$DNATDMZ || $IPTABLES -A EXT-DMZ -p tcp --sport $SSH_UNPRIVILEGED
--dport ssh -j $TCP_POLICY
$DNATDMZ || $IPTABLES -A EXT-DMZ -p tcp --sport ssh
--dport ssh -j $TCP_POLICY
echo -n "."
fi

if [ ! "$LAN" == "no" ] && [ $LAN_DMZ_SSH == "yes" ];
then
# accept ssh connexions from lan
$DNATLAN || $IPTABLES -A LAN-DMZ -p tcp --sport
$SSH_UNPRIVILEGED --dport ssh -j ACCEPT
$DNATLAN || $IPTABLES -A LAN-DMZ -p tcp --sport ssh
--dport ssh -j ACCEPT
echo -n "."
fi

echo " ok!"
else
echo " no dmz!"
fi

}

function do_lan() {

if [ ! "$LAN" == "no" ];
then
if [ ! "a$LAN_EXT_TCP" == "a" ];
then
for service in $LAN_EXT_TCP;
do
$IPTABLES -A LAN-EXT -p tcp --sport $UNPRIVILEGED --dport
$service -j ACCEPT
$IPTABLES -A LAN-EXT -p tcp --sport $service --dport
$service -j ACCEPT
done
else
$IPTABLES -A LAN-EXT -p tcp -j ACCEPT
fi
echo -n "."

if [ ! "a$LAN_EXT_UDP" == "a" ];
then
for service in $LAN_EXT_UDP;
do
$IPTABLES -A LAN-EXT -p udp --sport $UNPRIVILEGED --dport
$service -j ACCEPT
$IPTABLES -A LAN-EXT -p udp --sport $service --dport
$service -j ACCEPT
done
else
$IPTABLES -A LAN-EXT -p udp -j ACCEPT
fi
echo -n "."

echo " ok!"
fi

}

function do_ipsec() {

if [ "$SERV_EXT_IFEXT_IPSEC" == "yes" ];
then
for client in $SERV_EXT_IFEXT_IPSEC_CLIENTS;
do
$IPTABLES -A EXT-IFEXT -p udp -s $client --sport 500 --dport
500 -j ACCEPT
$IPTABLES -A EXT-IFEXT -p 50 -s $client
-j ACCEPT; echo -n "."
done
fi

if [ "$SERV_IFEXT_EXT_IPSEC" == "yes" ];
then
for server in $SERV_IFEXT_EXT_IPSEC_SERVERS;
do
$IPTABLES -A IFEXT-EXT -p udp -d $server --sport 500 --dport
500 -j ACCEPT
$IPTABLES -A IFEXT-EXT -p 50 -d $server
-j ACCEPT; echo -n "."
done
fi

echo " ok!"

}

function do_reject() {

for chain in $EXT_CHAINS;
do
for service in $REJECTED_SERVICES;
do
$IPTABLES -A $chain -p tcp --dport $service -j REJECT
--reject-with tcp-reset; echo -n "."
done
done

echo " ok!"

}

function do_nolog() {

for chain in $EXT_CHAINS INPUT;
do
for nolog in $NOLOG_TCP;
do
$IPTABLES -A $chain -p tcp --dport $nolog -j $INPUTPOL; echo -n "."
done

for nolog in $NOLOG_UDP;
do
$IPTABLES -A $chain -p udp --dport $nolog -j $INPUTPOL; echo -n "."
done

for nolog in $NOLOG_SRC;
do
$IPTABLES -A $chain -s $nolog -j $INPUTPOL; echo -n "."
done

for nolog in $NOLOG_DST;
do
$IPTABLES -A $chain -d $nolog -j $INPUTPOL; echo -n "."
done
done

echo " ok!"

}

function do_log() {

for chain in $INP_CHAINS INPUT; do $IPTABLES -A $chain -j INPUTLOG;
echo -n "."; done
for chain in $OUT_CHAINS OUTPUT; do $IPTABLES -A $chain -j
OUTPUTLOG; echo -n "."; done
for chain in $FOR_CHAINS FORWARD; do $IPTABLES -A $chain -j
FORWARDLOG; echo -n "."; done

echo " ok!"

}

function do_post() {

if [ "$LAN" == "private" ];
then
$IPTABLES -t nat -A POST-LAN-EXT -j SNAT --to $IPEXT; echo -n "."
if [ "$DMZ" == "public" ];
then
$IPTABLES -t nat -A POST-LAN-DMZ -j SNAT --to $IPDMZ; echo -n "."
fi
fi

if [ "$DMZ" == "private" ];
then
$IPTABLES -t nat -A POST-DMZ-EXT -j SNAT --to $IPEXT; echo -n "."
if [ "$LAN" == "public" ];
then
$IPTABLES -t nat -A POST-DMZ-LAN -j SNAT --to $IPLAN; echo -n "."
fi
fi

echo " ok!"

}

function do_open() {

# Unlock first rules
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT
echo ". ok!"

}

function do_close() {

$IPTABLES -P FORWARD DROP
echo ". ok!"

}

case "$1" in
start)
echo "Turning on packet filtering:"
echo -n " desactivating kernel forwarding "
echo 0 > /proc/sys/net/ipv4/ip_forward; echo ". ok!"
echo -n " loading modules "
load_modules
echo -n " cleaning chains and rules "
do_clean
echo " creating chains :"
echo -n " log"
create_standard_log_chains
echo -n " traffic "
create_traffic_chains
echo -n " {pre|post}routing "
create_routing_chains
echo -n " antispoofing "
anti_spoofing
echo " advanced protections :"
do_advanced
echo -n " packets priority "
do_mangle
echo -n " icmp "
do_icmp
echo -n " adsl : "
do_adsl
echo -n " Internet <-> firewall "
do_ext_fw
echo -n " LAN <-> firewall "
do_lan_fw
echo -n " Internet/LAN -> DMZ "
do_dmz
echo -n " LAN -> Internet "
do_lan
echo -n " vpn (ipsec) "
do_ipsec
echo -n " rejecting some services from Internet (auth) "
do_reject
echo -n " no log "
do_nolog
echo -n " log "
do_log
echo -n " postrouting "
do_post

# On debloque les regles initiales
echo -n " opening previously closed chains "
do_open
echo -n " activating kernel forwarding "
echo 1 > /proc/sys/net/ipv4/ip_forward; echo ". ok!"
;;
stop)
echo "Turning off packet filtering:"
echo -n " desactivating kernel forwarding "
echo 0 > /proc/sys/net/ipv4/ip_forward; echo ". ok!"
echo -n " cleaning chains and rules "
do_clean
echo -n " opening previously closed chains "
do_open
echo -n " closing firewall "
do_close
echo -n " unloading modules "
unload_modules $2
;;

restart)
$0 stop keep_conn
echo "sleeping 2 seconds ..."
sleep 2
$0 start
;;

test)
echo "Going to test mode ..."
$0 stop keep_conn
sleep 2
$0 start
echo
echo -n "Sleeping for $SLEEP seconds "
for i in `seq $SLEEP`;
do
echo -n "."
sleep 1
done
echo
echo
$0 stop
;;

status)
if [ "a$2" == "a" ];
then
for chain in $INP_CHAINS $OUT_CHAINS $FOR_CHAINS;
do
$IPTABLES -L $chain -n -v | egrep -v "(RESERVEDLOG|SPOOFLOG) *all"
echo
done
elif [ "$2" == "nat" ];
then
$IPTABLES -t nat -L -n -v | egrep -v "PRELOG *all"
elif [ "$2" == "mangle" ];
then
$IPTABLES -t mangle -L -n -v
fi
;;

*)
echo "eefw version $VERSION"
echo "Copyright Cyril Lacoux 2002"
echo "This script is distributed under the terms of the GPL version 2
or higher"
echo ""
echo "Usage: /etc/init.d/packetfilter
{start|stop|restart|test|status [nat|mangle]}"
echo " -start : starting the firewall"
echo " -stop : stopping the firewall"
echo " -restart : stopping, sleeping 2 seconds then
starting"
echo " -status [nat|mangle] : list current chains and rules"
echo " -test : stopping, sleeping 2 seconds,
starting, sleeping $SLEEP seconds, then stopping"
echo ""
exit 1
;;

esac

Rakotomandimby (R12y) Mihamina

20/05/2005 à 21:55

( Tue, 17 May 2005 22:52:42 +0000 ) xeo :

Je pense que le problème vient d'une règle plus que d'un bug de
Netfilter.

Netfilter a une fonctionalité qui remonte d'une (ou plus) couche réseau
et filtre sur le nom des fichiers transférés? Je pense que non. Pour en
arriver jusqu'au filtrage des noms de fichiers, non...

--
Mirroir de logiciels libres http://www.etud-orleans.fr
Développement de logiciels libres http://aspo.rktmb.org/activites/developpement
Infogerance de serveur dédié http://aspo.rktmb.org/activites/infogerance
(En louant les services de l'ASPO vous luttez contre la fracture numerique)

Dominique Blas

23/05/2005 à 07:25

Bonjour,
[...]

Merci pour toute aide
Petit souci de MTU ?

Y'a pas une règle qui joue avec le MSS ?

db

--

Courriel : usenet blas net

Bug Netfilter

5 réponses

Veuillez sélectionner un problème