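#!/bin/sh /etc/rc.common
#
# OpenWrt init script (rc.common style) that builds the box's iptables
# ruleset. INPUT and FORWARD default to DROP, OUTPUT is left open.
# Interface names, addresses and netmasks come from the network config
# (sections loopback, wan, myth, lan, wifi, public) via config_get.
#
# Usage: /etc/init.d/<this script> start|stop
# Note:  stop() does not merely remove the rules, it opens the box fully
#        (ACCEPT policies on filter and nat, no rules left).

IPTABLES="/usr/sbin/iptables"
# Host on the myth segment that is reachable for SSH from the WAN
# (through the port-2222 DNAT in start()) and from the wifi laptop.
BIGBOX=192.168.3.2
# Wifi client that gets unrestricted forwarding into the myth segment.
KLAPTOP=192.168.2.2
# Every HTTP request coming in on the public interface is redirected here
# (the "kittenwar" box; value taken over from the original rule).
PUBLIC_HTTP_REDIRECT=205.196.209.62
START=45

#######################################
# Refuse to continue when a network setting is empty.
# An empty value would be interpolated as nothing and shift the iptables
# argument vector (e.g. "-i -j DROP"), so iptables would either reject the
# rule or build one that differs from the one intended here.
# Arguments: NAME=VALUE pairs (names are script literals, not user input)
# Outputs:   diagnostic on stderr for the first empty value
# Returns:   0 if every value is non-empty, 1 otherwise
#######################################
check_settings() {
  local pair
  for pair in "$@"; do
    case "$pair" in
      *=)
        echo "firewall: network setting ${pair%=} is empty; ruleset not built" >&2
        return 1
        ;;
    esac
  done
  return 0
}

#######################################
# Build the complete ruleset from scratch.
# Globals:   IPTABLES, BIGBOX, KLAPTOP, PUBLIC_HTTP_REDIRECT (read);
#            *_IF, *_IP, *_NETMASK (read if set, otherwise filled from the
#            network config)
# Returns:   1 if a required network setting is empty (policies are then
#            already DROP, so the box stays closed); otherwise the status
#            of the last iptables call
#######################################
start() {
  include /lib/network
  scan_interfaces
  config_load /var/state/network

  # Interfaces / IP addresses / netmasks. A value already present in the
  # environment wins over the one in the network config.
  [ -z "$LO_IF" ] && config_get LO_IF loopback ifname
  [ -z "$WAN_IF" ] && config_get WAN_IF wan ifname
  [ -z "$MYTH_IF" ] && config_get MYTH_IF myth ifname
  [ -z "$LAN_IF" ] && config_get LAN_IF lan ifname
  [ -z "$WIFI_IF" ] && config_get WIFI_IF wifi ifname
  [ -z "$PUBLIC_IF" ] && config_get PUBLIC_IF public ifname
  [ -z "$WAN_IP" ] && config_get WAN_IP wan ipaddr
  [ -z "$MYTH_IP" ] && config_get MYTH_IP myth ipaddr
  [ -z "$LAN_IP" ] && config_get LAN_IP lan ipaddr
  [ -z "$WIFI_IP" ] && config_get WIFI_IP wifi ipaddr
  [ -z "$PUBLIC_IP" ] && config_get PUBLIC_IP public ipaddr
  [ -z "$WAN_NETMASK" ] && config_get WAN_NETMASK wan netmask
  [ -z "$MYTH_NETMASK" ] && config_get MYTH_NETMASK myth netmask
  [ -z "$LAN_NETMASK" ] && config_get LAN_NETMASK lan netmask
  [ -z "$WIFI_NETMASK" ] && config_get WIFI_NETMASK wifi netmask
  [ -z "$PUBLIC_NETMASK" ] && config_get PUBLIC_NETMASK public netmask

  # -------------
  # DEFAULT rules
  # -------------
  # Policies go in before anything else, so that bailing out further down
  # (or a failing rule) leaves the box closed rather than open.
  $IPTABLES -P INPUT DROP
  $IPTABLES -P OUTPUT ACCEPT
  $IPTABLES -P FORWARD DROP

  # Do not flush the existing rules until every value the rules below
  # depend on is known to be non-empty.
  check_settings \
    "LO_IF=$LO_IF" "WAN_IF=$WAN_IF" "MYTH_IF=$MYTH_IF" \
    "LAN_IF=$LAN_IF" "WIFI_IF=$WIFI_IF" "PUBLIC_IF=$PUBLIC_IF" \
    "WAN_IP=$WAN_IP" "MYTH_IP=$MYTH_IP" "LAN_IP=$LAN_IP" \
    "WIFI_IP=$WIFI_IP" "PUBLIC_IP=$PUBLIC_IP" \
    "MYTH_NETMASK=$MYTH_NETMASK" "LAN_NETMASK=$LAN_NETMASK" \
    "WIFI_NETMASK=$WIFI_NETMASK" "PUBLIC_NETMASK=$PUBLIC_NETMASK" \
    || return 1

  # ------------
  # CLEAR TABLES
  # ------------
  $IPTABLES -F
  $IPTABLES -X
  $IPTABLES -t nat -F
  $IPTABLES -t nat -X

  # The negation form used below ("-p ! icmp", "-i ! IF", "--state ! NEW")
  # is the legacy iptables syntax; newer releases warn and prefer
  # "! -p icmp". Kept as-is because the target iptables version is not
  # known from this file.
  $IPTABLES -N Icmp_Related_And_New
  # let established,related through
  $IPTABLES -I INPUT 1 -p ! icmp -m state --state RELATED,ESTABLISHED -j ACCEPT
  # icmp is handled by its own chain
  $IPTABLES -I INPUT 2 -p icmp -j Icmp_Related_And_New
  # everything that is not NEW by now (incl. INVALID)... drop (keeps your fw logs clean)
  $IPTABLES -I INPUT 3 -m state --state ! NEW -j DROP
  # let established,related through
  $IPTABLES -I FORWARD 1 -p ! icmp -m state --state RELATED,ESTABLISHED -j ACCEPT
  # icmp is handled by its own chain
  $IPTABLES -I FORWARD 2 -p icmp -j Icmp_Related_And_New
  # everything that is not NEW by now (incl. INVALID)... drop (keeps your fw logs clean)
  $IPTABLES -I FORWARD 3 -m state --state ! NEW -j DROP

  # ----------
  # CHAIN defs
  # ----------
  # Neither chain ends in a terminal rule: whatever they do not ACCEPT
  # falls back to the FORWARD policy (DROP).
  $IPTABLES -N PUBLIC_TO_WAN
  $IPTABLES -N TO_MYTH

  # -----------
  # INPUT rules
  # -----------
  # WAN is dropped first, so the services below are reachable from every
  # other interface (DNS and DHCP from the public segment too; tcp 22, 80,
  # 6566 and 9100 from everything but the public segment).
  $IPTABLES -A INPUT -i "$LO_IF" -j ACCEPT
  $IPTABLES -A INPUT -i "$WAN_IF" -j DROP
  $IPTABLES -A INPUT -p udp --destination-port 53 -j ACCEPT
  $IPTABLES -A INPUT -p tcp --destination-port 53 -j ACCEPT
  $IPTABLES -A INPUT -p udp --source-port 68 --destination-port 67 -j ACCEPT
  $IPTABLES -A INPUT -i ! "$PUBLIC_IF" -p tcp --destination-port 22 -j ACCEPT
  $IPTABLES -A INPUT -i ! "$PUBLIC_IF" -p tcp --destination-port 80 -j ACCEPT
  $IPTABLES -A INPUT -i ! "$PUBLIC_IF" -p tcp --destination-port 6566 -j ACCEPT
  $IPTABLES -A INPUT -i ! "$PUBLIC_IF" -p tcp --destination-port 9100 -j ACCEPT

  # -------------
  # FORWARD rules
  # -------------
  # all except "public" are trusted, they can live...
  $IPTABLES -A FORWARD -i "$MYTH_IF" -s "$MYTH_IP/$MYTH_NETMASK" -o "$WAN_IF" -j ACCEPT
  $IPTABLES -A FORWARD -i "$WIFI_IF" -s "$WIFI_IP/$WIFI_NETMASK" -o "$WAN_IF" -j ACCEPT
  $IPTABLES -A FORWARD -i "$LAN_IF" -s "$LAN_IP/$LAN_NETMASK" -o "$WAN_IF" -j ACCEPT
  # Together with the port-2222 DNAT in the nat section this exposes
  # BIGBOX's SSH to the whole WAN, with no source restriction or rate limit.
  $IPTABLES -A FORWARD -i "$WAN_IF" -o "$MYTH_IF" -p tcp -d "$BIGBOX" --dport 22 -j ACCEPT
  # ooooooooh no... only kittenwar for you.
  $IPTABLES -A FORWARD -i "$PUBLIC_IF" -s "$PUBLIC_IP/$PUBLIC_NETMASK" -o "$WAN_IF" -j PUBLIC_TO_WAN
  $IPTABLES -A FORWARD -i "$WIFI_IF" -s "$KLAPTOP/32" -o "$MYTH_IF" -d "$MYTH_IP/$MYTH_NETMASK" -j ACCEPT
  $IPTABLES -A FORWARD -i "$LAN_IF" -s "$LAN_IP/$LAN_NETMASK" -o "$MYTH_IF" -d "$MYTH_IP/$MYTH_NETMASK" -j TO_MYTH
  $IPTABLES -A FORWARD -i "$WIFI_IF" -s "$WIFI_IP/$WIFI_NETMASK" -o "$MYTH_IF" -d "$MYTH_IP/$MYTH_NETMASK" -j TO_MYTH

  # -------------------
  # PUBLIC_TO_WAN rules
  # -------------------
  $IPTABLES -A PUBLIC_TO_WAN -p tcp --destination-port 80 -j ACCEPT

  # -------------------
  # TO_MYTH rules
  # -------------------
  $IPTABLES -A TO_MYTH -p tcp --destination-port 22 -j ACCEPT
  $IPTABLES -A TO_MYTH -p tcp --destination-port 80 -j ACCEPT
  $IPTABLES -A TO_MYTH -p tcp --destination-port 6543 -j ACCEPT
  $IPTABLES -A TO_MYTH -p tcp --destination-port 6544 -j ACCEPT
  $IPTABLES -A TO_MYTH -p tcp --destination-port 3306 -j ACCEPT

  # ----------------------------
  # SNAT/DNAT/MASQUERADING rules
  # ----------------------------
  # go to bigbox for fun and pleasure...
  $IPTABLES -t nat -A PREROUTING -i "$WAN_IF" -p tcp --destination-port 2222 -j DNAT --to-destination "$BIGBOX:22"
  # mighty kittenwar for everyone
  $IPTABLES -t nat -A PREROUTING -i "$PUBLIC_IF" -p tcp --destination-port 80 -j DNAT --to-destination "$PUBLIC_HTTP_REDIRECT:80"
  $IPTABLES -t nat -A POSTROUTING -o "$WAN_IF" -s "$MYTH_IP/$MYTH_NETMASK" -j SNAT --to-source "$WAN_IP"
  $IPTABLES -t nat -A POSTROUTING -o "$WAN_IF" -s "$WIFI_IP/$WIFI_NETMASK" -j SNAT --to-source "$WAN_IP"
  $IPTABLES -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_IP/$LAN_NETMASK" -j SNAT --to-source "$WAN_IP"
  $IPTABLES -t nat -A POSTROUTING -o "$WAN_IF" -s "$PUBLIC_IP/$PUBLIC_NETMASK" -j SNAT --to-source "$WAN_IP"

  # ----------
  # ICMP rules
  # ----------
  # Only the listed types in the listed conntrack states get through; the
  # chain ends in DROP, so every other ICMP packet is discarded.
  $IPTABLES -A Icmp_Related_And_New -p icmp --icmp-type echo-reply -m state --state ESTABLISHED -j ACCEPT
  $IPTABLES -A Icmp_Related_And_New -p icmp --icmp-type echo-request -m state --state NEW -j ACCEPT
  $IPTABLES -A Icmp_Related_And_New -p icmp --icmp-type destination-unreachable -m state --state RELATED -j ACCEPT
  $IPTABLES -A Icmp_Related_And_New -p icmp --icmp-type source-quench -m state --state RELATED -j ACCEPT
  $IPTABLES -A Icmp_Related_And_New -p icmp --icmp-type parameter-problem -m state --state RELATED -j ACCEPT
  $IPTABLES -A Icmp_Related_And_New -p icmp --icmp-type time-exceeded -m state --state RELATED -j ACCEPT
  $IPTABLES -A Icmp_Related_And_New -j DROP
}

#######################################
# Tear the firewall down completely: ACCEPT policies everywhere, all rules
# flushed and all user chains deleted, on both the filter and nat tables.
# Uses the same $IPTABLES binary as start() rather than whatever "iptables"
# resolves to on PATH.
# Globals:   IPTABLES (read)
# Returns:   status of the last iptables call
#######################################
stop() {
  $IPTABLES -P INPUT ACCEPT
  $IPTABLES -P OUTPUT ACCEPT
  $IPTABLES -P FORWARD ACCEPT
  $IPTABLES -F
  $IPTABLES -X
  $IPTABLES -t nat -P PREROUTING ACCEPT
  $IPTABLES -t nat -P POSTROUTING ACCEPT
  $IPTABLES -t nat -P OUTPUT ACCEPT
  $IPTABLES -t nat -F
  $IPTABLES -t nat -X
}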