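#!/bin/sh
# ----------------------------------------------------------------------------
# /etc/rc.d/rc.firewall
# Started from /etc/rc.d/rc.inet2.
#
# What this script does, in order:
#   1. flush every filter/nat rule and user-defined chain,
#   2. leave the filter policies at ACCEPT (see note below),
#   3. masquerade LAN traffic leaving through the Internet interface,
#   4. DNAT FTP/HTTP/SMTP/POP3 from the external address to LAN hosts,
#   5. DROP a list of service ports arriving on the Internet interface,
#   6. REJECT forwarded traffic from one advertising host.
#
# NOTE: the policies really are ACCEPT, so only the ports listed below are
# blocked; everything else reaches this host and is forwarded.  The earlier
# header claimed "default policy is DENY", which did not match the rules.
# ----------------------------------------------------------------------------

echo "Starting firewalling... "

# --- Interfaces and addresses -----------------------------------------------
LOOPBACK_INTERFACE="lo"          # or your local naming convention
EXTERNAL_INTERFACE_1="eth0"      # Internet connected interface
EXTERNALIP_1="80.1.2.3"
LOCAL_INTERFACE_1="eth1"         # Local connected interface
INTERNALIP_1="192.168.0.1"

# Internal hosts that receive the forwarded connections.
FTP_HTTP_SERVER="192.168.0.250"  # FTP (20/21) and HTTP (80)
MAIL_SERVER="192.168.0.200"      # SMTP (25) and POP3 (110)

# Unwanted advertising source whose forwarded traffic is rejected.
AD_SERVER="192.190.109.20"

#######################################
# DNAT one TCP port from the external address to an internal host, then
# DROP the same port on this host's INPUT chain.  The forwarded flow is
# handled by FORWARD, so the INPUT rule only protects the firewall itself.
# Globals:   EXTERNAL_INTERFACE_1, EXTERNALIP_1 (read)
# Arguments: $1 - external port
#            $2 - internal host address
#            $3 - internal port
#######################################
forward_tcp_port() {
  iptables -t nat -A PREROUTING -i "$EXTERNAL_INTERFACE_1" -p tcp \
    -d "$EXTERNALIP_1" --dport "$1" \
    -j DNAT --to-destination "$2:$3"
  iptables -A INPUT -i "$EXTERNAL_INTERFACE_1" -p tcp --dport "$1" -j DROP
}

#######################################
# DROP a destination port (or "low:high" range) arriving on the Internet
# interface.
# Globals:   EXTERNAL_INTERFACE_1 (read)
# Arguments: $1 - protocol (tcp or udp)
#            $2 - destination port or port range
#######################################
drop_external() {
  iptables -A INPUT -i "$EXTERNAL_INTERFACE_1" -p "$1" --dport "$2" -j DROP
}

#######################################
# Keep LAN clients from reaching a port through the firewall (FORWARD from
# the local interface) and DROP it from the Internet side as well.
# Globals:   LOCAL_INTERFACE_1 (read)
# Arguments: $1 - protocol (tcp or udp)
#            $2 - destination port
#######################################
drop_external_and_forward() {
  iptables -A FORWARD -i "$LOCAL_INTERFACE_1" -p "$1" --dport "$2" -j DROP
  drop_external "$1" "$2"
}

#######################################
# Stop NetBIOS-style chatter: forwarded or locally generated packets whose
# SOURCE port is in the range are dropped on the way out of the Internet
# interface, and inbound packets to the range are dropped.
# Globals:   EXTERNAL_INTERFACE_1 (read)
# Arguments: $1 - protocol (tcp or udp)
#            $2 - port range "low:high"
#######################################
drop_netbios_range() {
  iptables -A FORWARD -p "$1" --sport "$2" -o "$EXTERNAL_INTERFACE_1" -j DROP
  iptables -A OUTPUT -p "$1" --sport "$2" -o "$EXTERNAL_INTERFACE_1" -j DROP
  drop_external "$1" "$2"
}

#######################################
# Build the complete rule set.  Rule order is the same as before so the
# resulting chains are identical apart from the POP3 fix noted inline.
#######################################
main() {
  # Remove all existing rules belonging to this filter, then any
  # user-defined chains (-X only succeeds once the chains are empty).
  iptables -F
  iptables -F -t nat
  iptables -X

  # Default policy is ACCEPT: only the ports listed further down are blocked.
  iptables -P INPUT ACCEPT
  iptables -P OUTPUT ACCEPT
  iptables -P FORWARD ACCEPT

  # Masquerade internal traffic leaving through the Internet interface.
  iptables -t nat -A POSTROUTING -o "$EXTERNAL_INTERFACE_1" -j MASQUERADE

  # Unlimited traffic on the loopback interface.
  iptables -A INPUT -i "$LOOPBACK_INTERFACE" -j ACCEPT
  iptables -A OUTPUT -o "$LOOPBACK_INTERFACE" -j ACCEPT

  # --- Port forwarding from the external address to internal hosts ----------
  forward_tcp_port 20  "$FTP_HTTP_SERVER" 20    # FTP data
  forward_tcp_port 21  "$FTP_HTTP_SERVER" 21    # FTP control
  forward_tcp_port 80  "$FTP_HTTP_SERVER" 80    # HTTP
  forward_tcp_port 25  "$MAIL_SERVER"     25    # SMTP
  # POP3 (tcp 110).  The previous rule sent port 110 to port 25 of the mail
  # host, i.e. POP3 clients landed on the SMTP daemon; forward to 110.
  forward_tcp_port 110 "$MAIL_SERVER"     110
  # End of port forwarding

  # --- Disable unneeded/insecure ports from the external network ------------
  drop_external tcp 23                      # telnet
  drop_external tcp 37                      # time
  drop_external tcp 53                      # DNS
  drop_external udp 53                      # DNS
  drop_external tcp 79                      # finger
  drop_external tcp 111                     # sunrpc
  drop_external udp 111                     # sunrpc
  drop_external tcp 113                     # auth
  drop_external udp 113                     # auth
  drop_external_and_forward tcp 135         # epmap, loc-srv
  drop_external_and_forward udp 135         # epmap, loc-srv
  drop_netbios_range tcp 137:139            # netbios-ns, netbios-dgm, netbios-ssn
  drop_netbios_range udp 137:139            # netbios-ns, netbios-dgm, netbios-ssn
  drop_external tcp 389                     # LDAP
  drop_external tcp 636                     # LDAPS
  drop_external_and_forward tcp 445         # microsoft-ds
  drop_external_and_forward udp 445         # microsoft-ds
  drop_external tcp 513                     # rlogin
  drop_external tcp 587                     # submission (SMTP)
  drop_external tcp 901                     # samba-swat
  drop_external tcp 1433:1434               # MS SQL
  drop_external udp 1433:1434               # MS SQL
  drop_external tcp 3050                    # Interbase/Firebird SQL
  drop_external tcp 3128                    # squid-http
  # Backdoor ports opened by the MyDoom, Novarg and Mimail.R worms.
  drop_external tcp 3127
  drop_external tcp 3129:3198
  drop_external udp 3130                    # squid-ipc
  # LDAP Active Directory.  The old comment said 3268/udp while the rule
  # blocked 3269/udp; the rule is kept as it was -- confirm which port
  # (3268 global catalog / 3269 global catalog over SSL) was intended.
  drop_external udp 3269
  drop_external tcp 3389                    # MS Terminal (tcp, not udp as the old comment said)
  drop_external tcp 5801                    # vnc
  drop_external tcp 5901                    # vnc-1
  drop_external tcp 6000:6063               # X11
  drop_external tcp 8080                    # http-proxy
  drop_external tcp 10000                   # webmin
  # Other ports.
  drop_external tcp 427
  drop_external tcp 1104

  # Unwanted advertising source.  -I places this rule first in FORWARD,
  # ahead of every DROP appended above.
  iptables -I FORWARD -s "$AD_SERVER" -j REJECT

  echo "firewall started."
}

main "$@"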