
 
#!/bin/sh
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v2.1.14-1
#
# Generated Thu Apr 24 13:37:59 2008 CEST by hernad
#
# files: * router-wan-rg-2.fw
#
#
#
#
#
#


# Prepend the system binary directories so that helpers run from the
# prolog/epilog sections resolve to the system copies rather than to
# whatever the invoking environment's PATH contained.
export PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}"

# Absolute paths of the tools this script drives. Fixing the paths means
# the commands that actually change the packet filter do not depend on a
# PATH lookup at all. (IPTABLES_RESTORE is not referenced by anything
# visible in this script.)
LSMOD="/sbin/lsmod"
MODPROBE="/sbin/modprobe"
IPTABLES="/usr/sbin/iptables"
IPTABLES_RESTORE="/usr/sbin/iptables-restore"
IP="/usr/sbin/ip"
LOGGER="/usr/bin/logger"


#
# Prolog script
#

#
# End of prolog script
#

# Print a message on stdout and, when the logger binary exists and is
# executable, also send it to syslog at priority "info".
#   $1 - message text
# Returns the status of the final command (non-zero when no logger is
# available), exactly as the original "test && logger" chain did.
log() {
    msg="$1"
    echo "$msg"
    [ -x "$LOGGER" ] && "$LOGGER" -p info "$msg"
}

# Abort the whole activation if a file referenced by an AddressTable
# object cannot be read. (This script uses no address table files, so the
# helper is defined but never called here.)
#   $1 - AddressTable object name (used in the diagnostic only)
#   $2 - path of the file the object refers to
# Exits with status 1 after printing a diagnostic when $2 is unreadable.
check_file() {
    obj="$1"
    path="$2"
    if [ ! -r "$path" ]; then
        echo "Can not find file $path referenced by AddressTable object $obj"
        exit 1
    fi
}

# Counter used to give every address this script adds a unique label of
# the form "<dev>:FWB<n>"; the "addr flush ... label br-lan:FWB*" run at
# activation relies on that label to find and remove them again.
va_num=1
# Add an IPv4 address to an interface unless it is already configured.
# (Defined for generated "virtual addresses for NAT"; this particular
# script adds none, so the function is not called here.)
#   $1 - address
#   $2 - netmask / prefix length (used only for BROADCAST links)
#   $3 - interface name
# The link type is taken from the first line of "ip -4 link ls <dev>":
# with IFS set to " /:,<" the 4th field is the first flag inside <...>,
# i.e. POINTOPOINT or BROADCAST (one field further on when NO-CARRIER
# comes first). Nothing is added for any other link type, nor when the
# interface does not exist (empty "ip link" output).
add_addr() {
addr=$1
nm=$2
dev=$3

type=""
aadd=""

L=`$IP -4 link ls $dev | head -n1`
if test -n "$L"; then
OIFS=$IFS
IFS=" /:,<"
set $L
type=$4
IFS=$OIFS
if test "$type" = "NO-CARRIER"; then
type=$5
fi

# Is the address already present? Lines containing ":" are skipped
# (inet6 entries, but also labelled aliases such as "eth0:FWB1").
# NOTE(review): an address this function added earlier therefore is not
# recognised on a second call and the add is attempted again; presumably
# harmless since the kernel rejects the duplicate, but confirm.
L=`$IP -4 addr ls $dev to $addr | grep inet | grep -v :`
if test -n "$L"; then
OIFS=$IFS
IFS=" /"
set $L
aadd=$2
IFS=$OIFS
fi
fi
if test -z "$aadd"; then
# point-to-point links get the bare address (no mask); broadcast links
# get address/mask with the broadcast address derived by the kernel.
if test "$type" = "POINTOPOINT"; then
$IP -4 addr add $addr dev $dev scope global label $dev:FWB${va_num}
va_num=`expr $va_num + 1`
fi
if test "$type" = "BROADCAST"; then
$IP -4 addr add $addr/$nm dev $dev brd + scope global label $dev:FWB${va_num}
va_num=`expr $va_num + 1`
fi
fi
}

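# Turn an interface name into something usable inside a shell variable
# name: every "." (VLAN sub-interfaces such as eth0.100) becomes "_".
# The original substituted only the first dot, so a name with two or more
# dots (eth0.1.2) still yielded an invalid variable name; the global flag
# fixes that. Other characters that are illegal in variable names (for
# example "-" in "br-lan") are left untouched, as before.
#   $1 - interface name
# Prints the mangled name on stdout.
getInterfaceVarName() {
    printf '%s\n' "$1" | sed 's/\./_/g'
}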

# Store the first IPv4 address configured on an interface in a named
# shell variable (empty string when the interface has no IPv4 address).
# Lines containing ":" are ignored, which drops inet6 entries and
# labelled aliases such as "br-lan:FWB1".
#   $1 - interface name
#   $2 - name of the (global) variable to assign
getaddr() {
    iface="$1"
    outvar="$2"
    found=$($IP -4 addr show dev "$iface" | grep inet | grep -v :)
    if test -z "$found"; then
        eval "$outvar=''"
        return
    fi
    saved_ifs="$IFS"
    IFS=" /"
    set $found
    # "inet A.B.C.D/len ..." split on space and "/" -> field 2 is the
    # bare address
    eval "$outvar=$2"
    IFS="$saved_ifs"
}


# Print, one per line, the names of all links whose "ip link show" entry
# contains ": $1" — so "eth" lists eth0, eth1, ... The pattern is handed to
# grep as an unanchored regular expression (substring match). Not called
# by anything visible in this script.
#   $1 - interface name or name prefix
getinterfaces() {
    pattern="$1"
    $IP link show | grep ": $pattern" | while read entry; do
        saved_ifs="$IFS"
        IFS=" :"
        set $entry
        IFS="$saved_ifs"
        # "<index>: <name>: <flags> ..." -> the second field is the name
        echo $2
    done
}


# increment ip address
# Increment an IPv4 address that is held in four shell variables, one per
# octet. Call as "incaddr A B C D" where A..D are the *names* of the
# variables holding octets 1..4; they are updated in place via eval.
# The last octet is incremented; when it is already 255 it wraps to 0 and
# the carry is propagated by recursing with the argument list shifted
# one position to the right, "XX" padding the exhausted positions.
# NOTE(review): a carry out of the first octet ends up treating the "XX"
# placeholder as a variable name; behaviour past 255.255.255.255 is not
# defined by this code. Not called by anything visible in this script.
incaddr()
{
n1=$4
n2=$3
n3=$2
n4=$1

# current value of the octet being incremented (indirect lookup by name)
vn1=`eval "echo \\$$n1"`

R=`expr $vn1 \< 255`
if test $R = "1"; then
eval "$n1=`expr $vn1 + 1`"
else
eval "$n1=0"
incaddr XX $n4 $n3 $n2
fi
}

# Refuse to run without a working iproute2 "ip": every interface and
# address lookup in this script depends on it. Exiting here happens before
# the first iptables command, so the previously loaded rule set is left
# untouched rather than half-replaced.
if ! $IP link ls >/dev/null 2>&1; then
    echo "iproute not found"
    exit 1
fi
echo



# Load every conntrack and NAT related module shipped with the running
# kernel that is not loaded yet. The module list is derived from the file
# names under the kernel's net/ tree — everything matching *conntrack*
# first, then *nat* — with the directory part and the ".ko..." suffix
# stripped. A module that fails to load aborts the script; this runs
# before the first iptables command, so the existing rule set stays in
# place in that case.
MODULES_DIR="/lib/modules/$(uname -r)/kernel/net/"
MODULES=""
for pattern in '*conntrack*' '*nat*'; do
    MODULES="$MODULES $(find $MODULES_DIR -name "$pattern" | sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')"
done
for module in $MODULES; do
    # unanchored substring match against the lsmod listing, as in the
    # original generator output
    if $LSMOD | grep "${module}" >/dev/null; then
        continue
    fi
    $MODPROBE "${module}" || exit 1
done


# Using 0 address table files


# Configure interfaces
# Reset br-lan's neighbour (ARP) cache and remove the secondary addresses
# a previous activation added there — they all carry an "FWB<n>" label
# (see add_addr) — so this run starts from a clean address set. Errors
# are discarded; presumably there is often nothing to flush.
$IP -4 neigh flush dev br-lan >/dev/null 2>&1
$IP -4 addr flush dev br-lan secondary label "br-lan:FWB*" >/dev/null 2>&1

# Capture the current address of each WAN link into i_ppp1 / i_ppp0. The
# NAT and access rules further down are guarded with "test -n" on these,
# so a link that is down at activation time simply gets no rules.
for wan_if in ppp1 ppp0; do
    getaddr "$wan_if" "i_$wan_if"
done

# Add virtual addresses for NAT rules


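log 'Activating firewall script generated Thu Apr 24 13:37:59 2008 by hernad'

# Fail closed: every built-in chain's policy goes to DROP *before* the old
# rules are flushed below, so there is no window in which traffic passes
# unfiltered while the new rule set is being installed.
for chain in OUTPUT INPUT FORWARD; do
    $IPTABLES -P "$chain" DROP
done

# This script installs no IPv6 rules, so when ip6tables is usable all IPv6
# traffic except loopback is dropped instead of being left open. The
# filter table is flushed first: the generated original only appended the
# lo rules, so IPv6 rules left over from an earlier configuration stayed
# in effect and the lo rules were duplicated on every re-activation.
if ip6tables -L -n >/dev/null 2>&1; then
    for chain in OUTPUT INPUT FORWARD; do
        ip6tables -P "$chain" DROP
    done
    ip6tables -F
    ip6tables -X
    ip6tables -A INPUT -i lo -j ACCEPT
    ip6tables -A OUTPUT -o lo -j ACCEPT
fi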



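# Flush and delete every chain in every table the kernel currently has
# loaded. Reading the table list from the kernel means tables this script
# does not populate (e.g. mangle or raw, if loaded) are cleared as well,
# so nothing from a previous configuration survives. "-F" with no chain
# argument flushes all chains of the table, which removes the need to
# parse "iptables -L" output for chain names. Policies were already set to
# DROP above, so the flush itself does not open anything up.
while read table; do
    $IPTABLES -t "$table" -F
    $IPTABLES -t "$table" -X
done < /proc/net/ip_tables_names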


# Stateful core: packets belonging to a connection that was already
# accepted (or related to one) pass in all three chains, so the rules
# below only ever have to decide about NEW connections.
for chain in INPUT OUTPUT FORWARD; do
    $IPTABLES -A "$chain" -m state --state ESTABLISHED,RELATED -j ACCEPT
done

# Clamp the MSS of forwarded SYNs to the path MTU — presumably because the
# WAN links are PPP (ppp0/ppp1), whose MTU is typically below Ethernet's,
# which otherwise stalls TCP for hosts with PMTU discovery blocked.
$IPTABLES -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

#
# Rule 0 (NAT)
#
echo "Rule 0 (NAT)"
#
# Port-forward SMTP/HTTP/HTTPS arriving for ppp0's address to the
# internal host 192.168.55.12; installed only when ppp0 has an address.
# The match is on destination address only (no "-i ppp0"), so it applies
# to any packet addressed to that IP, whichever interface it arrived on.
# The translated packets still have to pass FORWARD — that is what the
# 22,25,443,80 entries of "Rule 1 (global)" below allow.
#
test -n "$i_ppp0" && $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -m multiport -d $i_ppp0 --dports 25,80,443 -j DNAT --to-destination 192.168.55.12
#
# Rule 1 (NAT)
#
echo "Rule 1 (NAT)"
#
# Masquerade LAN traffic leaving ppp0 towards two specific /24s. Since
# "Rule 3 (NAT)" below masquerades *all* LAN traffic leaving ppp0, this
# chain is redundant with it; it is harmless but adds nothing.
#
$IPTABLES -t nat -N Cid480E19E47826.0
$IPTABLES -t nat -A POSTROUTING -o ppp0 -s 192.168.55.0/24 -j Cid480E19E47826.0
$IPTABLES -t nat -A Cid480E19E47826.0 -d 195.222.62.0/24 -j MASQUERADE
$IPTABLES -t nat -A Cid480E19E47826.0 -d 195.222.57.0/24 -j MASQUERADE
#
# Rule 2 (NAT)
#
echo "Rule 2 (NAT)"
#
# Masquerade LAN traffic leaving ppp1 only for the destination prefixes
# listed here. The run of prefixes from 208.0.0.0/4 down to 255.254.0.0/16
# looks like Firewall Builder's CIDR expansion of an address *range*
# starting at 195.222.0.0 — confirm against the .fwb source.
# NOTE(review): the "255.255.0.0" entry carries no prefix length and is
# therefore a single-host (/32) match, while the sequence suggests /16 was
# intended; in practice that space is unroutable, so the effect is nil.
# NOTE(review): LAN traffic that the routing table sends out ppp1 to a
# destination *not* in this list is the only ppp1 case with no POSTROUTING
# entry at all — it would leave with its private 192.168.55.x source.
#
$IPTABLES -t nat -N Cid480E19F97826.0
$IPTABLES -t nat -A POSTROUTING -o ppp1 -s 192.168.55.0/24 -j Cid480E19F97826.0
$IPTABLES -t nat -A Cid480E19F97826.0 -d 208.0.0.0/4 -j MASQUERADE
$IPTABLES -t nat -A Cid480E19F97826.0 -d 200.0.0.0/5 -j MASQUERADE
$IPTABLES -t nat -A Cid480E19F97826.0 -d 196.0.0.0/6 -j MASQUERADE
$IPTABLES -t nat -A Cid480E19F97826.0 -d 195.224.0.0/11 -j MASQUERADE
$IPTABLES -t nat -A Cid480E19F97826.0 -d 195.222.0.0/15 -j MASQUERADE
$IPTABLES -t nat -A Cid480E19F97826.0 -d 224.0.0.0/4 -j MASQUERADE
$IPTABLES -t nat -A Cid480E19F97826.0 -d 240.0.0.0/5 -j MASQUERADE
$IPTABLES -t nat -A Cid480E19F97826.0 -d 248.0.0.0/6 -j MASQUERADE
$IPTABLES -t nat -A Cid480E19F97826.0 -d 252.0.0.0/7 -j MASQUERADE
$IPTABLES -t nat -A Cid480E19F97826.0 -d 254.0.0.0/8 -j MASQUERADE
$IPTABLES -t nat -A Cid480E19F97826.0 -d 255.0.0.0/9 -j MASQUERADE
$IPTABLES -t nat -A Cid480E19F97826.0 -d 255.128.0.0/10 -j MASQUERADE
$IPTABLES -t nat -A Cid480E19F97826.0 -d 255.192.0.0/11 -j MASQUERADE
$IPTABLES -t nat -A Cid480E19F97826.0 -d 255.224.0.0/12 -j MASQUERADE
$IPTABLES -t nat -A Cid480E19F97826.0 -d 255.240.0.0/13 -j MASQUERADE
$IPTABLES -t nat -A Cid480E19F97826.0 -d 255.248.0.0/14 -j MASQUERADE
$IPTABLES -t nat -A Cid480E19F97826.0 -d 255.252.0.0/15 -j MASQUERADE
$IPTABLES -t nat -A Cid480E19F97826.0 -d 255.254.0.0/16 -j MASQUERADE
$IPTABLES -t nat -A Cid480E19F97826.0 -d 255.255.0.0 -j MASQUERADE
$IPTABLES -t nat -A Cid480E19F97826.0 -d 80.65.85.0/24 -j MASQUERADE
#
# Rule 3 (NAT)
#
echo "Rule 3 (NAT)"
#
# Catch-all: everything from the LAN leaving ppp0 is masqueraded behind
# ppp0's address.
#
$IPTABLES -t nat -A POSTROUTING -o ppp0 -s 192.168.55.0/24 -j MASQUERADE
#
#
# Rule 0 (lo)
#
echo "Rule 0 (lo)"
#
# Loopback: accept new connections to and from the host itself (the
# established/related traffic is already covered by the state rule above).
#
$IPTABLES -A INPUT -i lo -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o lo -m state --state NEW -j ACCEPT
#
# Rule 1 (global)
#
echo "Rule 1 (global)"
#
# ICMP echo request/reply and TCP 22,25,443,80 are accepted in INPUT,
# OUTPUT and FORWARD from ANY source, with no interface restriction, and
# every accepted NEW connection is logged.
# SECURITY NOTE(review): the INPUT entries expose SSH (22), SMTP (25),
# HTTP and HTTPS *on the firewall itself* to both WAN links (ppp0/ppp1).
# The FORWARD entries are what let the DNAT of "Rule 0 (NAT)" reach
# 192.168.55.12, but they also forward these ports between any pair of
# interfaces. Consider limiting the INPUT entries to "-i br-lan" (or a
# management source) and adding "-m limit" in front of the LOG target.
#
$IPTABLES -N RULE_1
$IPTABLES -A OUTPUT -p icmp -m icmp --icmp-type 0/0 -m state --state NEW -j RULE_1
$IPTABLES -A OUTPUT -p icmp -m icmp --icmp-type 8/0 -m state --state NEW -j RULE_1
$IPTABLES -A OUTPUT -p tcp -m tcp -m multiport --dports 22,25,443,80 -m state --state NEW -j RULE_1
$IPTABLES -A INPUT -p icmp -m icmp --icmp-type 0/0 -m state --state NEW -j RULE_1
$IPTABLES -A INPUT -p icmp -m icmp --icmp-type 8/0 -m state --state NEW -j RULE_1
$IPTABLES -A INPUT -p tcp -m tcp -m multiport --dports 22,25,443,80 -m state --state NEW -j RULE_1
$IPTABLES -A FORWARD -p icmp -m icmp --icmp-type 0/0 -m state --state NEW -j RULE_1
$IPTABLES -A FORWARD -p icmp -m icmp --icmp-type 8/0 -m state --state NEW -j RULE_1
$IPTABLES -A FORWARD -p tcp -m tcp -m multiport --dports 22,25,443,80 -m state --state NEW -j RULE_1
$IPTABLES -A RULE_1 -j LOG --log-level info --log-prefix "RULE 1 -- ACCEPT "
$IPTABLES -A RULE_1 -j ACCEPT
#
# Rule 2 (global)
#
echo "Rule 2 (global)"
#
# Any new connection whose SOURCE is in the LAN range is accepted on
# INPUT (and logged). The match is on source address only, not on the
# ingress interface: a packet arriving on ppp0/ppp1 with a forged
# 192.168.55.x source is accepted just the same, and this script does not
# enable rp_filter (only ip_forward is written, at the very end).
# NOTE(review): add "-i br-lan" to this rule.
#
$IPTABLES -N RULE_2
$IPTABLES -A INPUT -s 192.168.55.0/24 -m state --state NEW -j RULE_2
$IPTABLES -A RULE_2 -j LOG --log-level info --log-prefix "RULE 2 -- ACCEPT "
$IPTABLES -A RULE_2 -j ACCEPT
#
# Rule 3 (global)
#
echo "Rule 3 (global)"
#
# The firewall itself resolves names through a DNS server on the
# internal network: allow new TCP/UDP port-53 connections to the LAN.
#
$IPTABLES -A OUTPUT -p tcp -m tcp -d 192.168.55.0/24 --dport 53 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p udp -m udp -d 192.168.55.0/24 --dport 53 -m state --state NEW -j ACCEPT
#
# Rule 4 (global)
#
echo "Rule 4 (global)"
#
# Services on the firewall — tcp 53,873 and udp 53,123,1194 (the IANA
# defaults for DNS, rsync, NTP and OpenVPN) — accepted only from
# 192.168.55.254 and from the firewall's own WAN addresses. The $i_pppN
# entries match packets whose *source* is that address (Firewall
# Builder's expansion of the firewall object); they are installed only
# when the link has an address. Note that traffic from 192.168.55.254 is
# already accepted by Rule 2 above, so that entry never matches here.
# The OUTPUT half lets the firewall reach the same services anywhere.
#
$IPTABLES -N Cid480E19897826.0
$IPTABLES -A INPUT -p tcp -m tcp -m multiport --dports 53,873 -m state --state NEW -j Cid480E19897826.0
$IPTABLES -A INPUT -p udp -m udp -m multiport --dports 53,123,1194 -m state --state NEW -j Cid480E19897826.0
$IPTABLES -A Cid480E19897826.0 -s 192.168.55.254 -j ACCEPT
test -n "$i_ppp1" && $IPTABLES -A Cid480E19897826.0 -s $i_ppp1 -j ACCEPT
test -n "$i_ppp0" && $IPTABLES -A Cid480E19897826.0 -s $i_ppp0 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp -m tcp -m multiport --dports 53,873 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p udp -m udp -m multiport --dports 53,123,1194 -m state --state NEW -j ACCEPT
#
# Rule 5 (global)
#
echo "Rule 5 (global)"
#
# LAN source accepted everywhere: on INPUT (fully shadowed by Rule 2,
# which has the identical match earlier in the chain), on OUTPUT (only
# relevant if the firewall sends with a LAN address as source) and on
# FORWARD — i.e. hosts in 192.168.55.0/24 may open connections to any
# destination on any port. As with Rule 2 the match is on source address
# only; there is no "-i br-lan".
#
$IPTABLES -N RULE_5
$IPTABLES -A INPUT -s 192.168.55.0/24 -m state --state NEW -j RULE_5
$IPTABLES -A OUTPUT -s 192.168.55.0/24 -m state --state NEW -j RULE_5
$IPTABLES -A FORWARD -s 192.168.55.0/24 -m state --state NEW -j RULE_5
$IPTABLES -A RULE_5 -j LOG --log-level info --log-prefix "RULE 5 -- ACCEPT "
$IPTABLES -A RULE_5 -j ACCEPT
#
# Rule 6 (global)
#
echo "Rule 6 (global)"
#
# Default deny: everything not accepted above is logged and dropped.
# NOTE(review): the LOG target has no "-m limit", so a flood of unsolicited
# packets on the WAN links turns 1:1 into syslog lines; rate-limit it.
#
$IPTABLES -N RULE_6
$IPTABLES -A OUTPUT -j RULE_6
$IPTABLES -A INPUT -j RULE_6
$IPTABLES -A FORWARD -j RULE_6
$IPTABLES -A RULE_6 -j LOG --log-level info --log-prefix "POLICY-DENY "
$IPTABLES -A RULE_6 -j DROP
#
# Enable IPv4 routing only now that the complete rule set is in place.
#
echo 1 > /proc/sys/net/ipv4/ip_forward


#
# Epilog script
#


# End of epilog script
#

