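#! /bin/bash
# @(#)(CAcert) $Id: firewall,v 1.7 2015/11/06 08:15:33 root Exp $
#
# Host firewall: installs the IPv4 and IPv6 netfilter rule set with a DROP
# default policy on INPUT, FORWARD and OUTPUT.  The default policies are set
# *before* the chains are flushed so the host never passes through an
# accept-all state while the rules are being rebuilt.
#
# Every chain logs what it is about to deny (prefix "<CHAIN> -- DENY ") and
# then falls through to the DROP policy.  A snapshot of the previous rule set
# is written to /var/log/firewall.d/ on each run.
#
# Requires: /usr/sbin/iptables, /usr/sbin/ip6tables, root privileges.

# ------------------------------------------------------------------------------
# *** common functions ***

#######################################
# Apply one rule to both the IPv4 and the IPv6 tables.
# Arguments: iptables/ip6tables arguments, passed through unchanged
# Returns:   status of the ip6tables call; the IPv4 call's status is not
#            checked (a failure there does not stop the IPv6 call)
#######################################
iptables() {
  /usr/sbin/iptables "$@"
  /usr/sbin/ip6tables "$@"
}

#######################################
# Apply an IPv4-only rule.
# Arguments: iptables arguments, passed through unchanged
# Returns:   status of /usr/sbin/iptables
#######################################
ip4tables() {
  /usr/sbin/iptables "$@"
}

#######################################
# Apply an IPv6-only rule.
# Arguments: ip6tables arguments, passed through unchanged
# Returns:   status of /usr/sbin/ip6tables
#######################################
ip6tables() {
  /usr/sbin/ip6tables "$@"
}

# ------------------------------------------------------------------------------
# *** log current state ***

# Dump the rule set that is about to be replaced (IPv4 followed by IPv6,
# with packet/byte counters) for later comparison.  The directory must
# already exist; a failed redirect is reported on stderr but does not stop
# the reload, as before.
iptables -n -L -v >"/var/log/firewall.d/$(date +%Y%m%d%H%M%S).log"

# ------------------------------------------------------------------------------
# *** default policies ***

# Set fail-closed policies first; the flushes below would otherwise open the
# host briefly.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# ------------------------------------------------------------------------------
# *** input filtering ***

iptables --flush INPUT

# allow established traffic
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# allow everything on loopback interface
iptables -A INPUT -i lo -j ACCEPT

# allow incoming ICMP Echo and ICMP Time Exceeded and all ICMPv6
# (ICMPv6 is not restricted by type: neighbour discovery and path-MTU
# discovery need it)
ip4tables -A INPUT -p ICMP --icmp-type echo-request -j ACCEPT
ip4tables -A INPUT -p ICMP --icmp-type time-exceeded -j ACCEPT
ip6tables -A INPUT -p ICMPv6 -j ACCEPT

# allow incoming SSH on port 22 only from hopper and sunservice (backup)
ip4tables -A INPUT -p TCP -s 172.28.50.100 --dport 22 -j ACCEPT  #BIT hopper.intra.cacert.org
ip4tables -A INPUT -p TCP -s 172.28.50.53 --dport 22 -j ACCEPT   #BIT sun2ilo.intra.cacert.org

# allow incoming traffic for boxbackup server
ip4tables -A INPUT -p TCP -s 172.28.50/24 -d 172.28.50.80 --dport 2201 -j ACCEPT

# don't log incoming BOOTP broadcasts, but simply drop them (explicit DROP
# placed before the LOG rule keeps them out of the log)
iptables -A INPUT -p UDP --dport 67 -j DROP

# log all other traffic before dropping it on the floor (by default policy)
# NOTE(review): the LOG rule is not rate limited (no -m limit), so a flood
# of denied packets fills /var/log; kept as-is to preserve behaviour.
iptables -A INPUT -j LOG --log-level info --log-prefix "INPUT -- DENY "

# ------------------------------------------------------------------------------
# *** forwarding filtering ***

iptables --flush FORWARD

# allow established traffic
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# log all other traffic before dropping it on the floor (by default policy)
iptables -A FORWARD -j LOG --log-level info --log-prefix "FORWARD -- DENY "

# ------------------------------------------------------------------------------
# *** output filtering ***

iptables --flush OUTPUT

# allow established traffic
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# allow syslog to logger
ip4tables -A OUTPUT -p udp -d 172.28.50.101 --dport 514 -j ACCEPT

# allow everything on loopback interface
iptables -A OUTPUT -o lo -j ACCEPT

# allow outgoing ICMP Echo and ICMP Time Exceeded and all ICMPv6
ip4tables -A OUTPUT -p ICMP --icmp-type echo-request -j ACCEPT
ip4tables -A OUTPUT -p ICMP --icmp-type time-exceeded -j ACCEPT
ip6tables -A OUTPUT -p ICMPv6 -j ACCEPT

# allow outgoing DNS
iptables -A OUTPUT -p UDP --dport 53 -j ACCEPT
iptables -A OUTPUT -p TCP --dport 53 -j ACCEPT

# allow outgoing SMTP
iptables -A OUTPUT -p TCP --dport 25 -j ACCEPT

# allow outgoing HTTP
iptables -A OUTPUT -p TCP --dport 80 -j ACCEPT

# allow outgoing NTP
iptables -A OUTPUT -p UDP --dport 123 -j ACCEPT

# allow outgoing boxbackup traffic to backup.intra.cacert.org
ip4tables -A OUTPUT -p TCP -d 172.28.50.80 --dport 2201 -j ACCEPT

# allow outgoing TCP ACK+RST packets (lets the stack answer unsolicited
# segments with a reset instead of silently timing them out)
iptables -A OUTPUT -p TCP --tcp-flags ACK,RST ACK,RST -j ACCEPT

# log all other traffic before dropping it on the floor (by default policy)
iptables -A OUTPUT -j LOG --log-level info --log-prefix "OUTPUT -- DENY "

# ------------------------------------------------------------------------------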