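#!/bin/bash
# Captive-portal ("hotspot") netfilter script by folkert@feedface.com, 12/2003.
#
# The box has two interfaces: a wireless client side (WIFI_*) and an uplink
# (INET_*).  Every chain defaults to DROP and ends in an explicit REJECT.
# Unauthenticated wireless clients get their web traffic (80/443) DNAT'ed to
# this box so they land on the portal page; clients admitted with
# "addClient IP MAC" are SNAT'ed to the uplink instead, and destinations added
# with "addServer IP" are reachable by every client (walled garden).
#
# Subcommands:
#   reset              flush everything and rebuild the base rule set
#   show [table|auth]  list rules (all tables, one table, or the auth chains)
#   addClient IP MAC   admit a client; source IP AND source MAC must match
#   delClient IP MAC   revoke a client added with addClient
#   addServer IP       let every client reach IP (host, address or CIDR)
#   delServer IP       revoke a server added with addServer
#
# Operator notes:
#   * Admission is keyed on source IP + source MAC (-m mac --mac-source).  A MAC
#     match is not authentication: another station on the wireless segment can
#     copy an admitted client's IP/MAC pair.  Treat it as a convenience only.
#   * Telnet/SMB access to the box itself (ports 23/139, any interface) is
#     only opened when DEV_ACCESS below is "1".  Leave it "0" on fielded units.
#   * Rules are written with the old in-place negation (`-d ! NET`) that the
#     bundled iptables understands; newer iptables prefer `! -d NET`.  Change
#     it if the bundled binary is ever upgraded.

set -u   # an unset variable here would silently widen a rule; fail instead

# Fixed path on purpose: this runs as root, so neither PATH nor the caller's
# environment may choose which binary is executed.
IPTABLES="/share/hotspot/sbin/iptables"

# Loopback device.  The original had "lo0", which is the BSD name; on Linux
# (the only platform with iptables) it is "lo", and with the wrong name no
# loopback packet matched the ACCEPT and all of it fell through to REJECT.
LO_DEV="lo"

WIFI_SELF="10.11.12.13"
WIFI_NET="10.11.12.0/24"
WIFI_DEV="wlan0"

#INET_SELF="172.23.5.12"
#INET_NET="172.23.5.16/27"
INET_SELF="10.20.40.80"
# shellcheck disable=SC2034  # not used by any rule yet; kept for reference (was misspelled INEWT_NET)
INET_NET="10.20.40.0/24"
INET_DEV="eth0"

# Resolvers the wireless clients may reach while unauthenticated.
# NOTE(review): with NS1/NS2 = 127.0.0.1 the "forward to DNS" rules in reset
# cannot do anything useful -- a FORWARD/SNAT rule towards the loopback address
# out of $INET_DEV never matches real traffic.  Either put the upstream
# resolvers here, or run a resolver on this box and swap the ENABLE/DISABLE
# DNS sections in reset.
#NS1="213.148.129.10"
#NS2="213.148.130.10"
NS1="127.0.0.1"
NS2="127.0.0.1"

# "1" opens telnet (23) and SMB (139) to/from this box on every interface,
# including the uplink, for lab work.  Must be "0" before deploying the unit.
DEV_ACCESS="0"

usage() {
  {
    echo "usage:"
    echo "$0 reset"
    echo "$0 show"
    echo "$0 show auth"
    echo "$0 addClient IP MAC"
    echo "$0 delClient IP MAC"
    echo "$0 addServer IP"
    echo "$0 delServer IP"
  } >&2
  exit 1
}

# fferror STATUS: report a failed iptables call and exit with its status.
fferror() {
  echo "^_^'" >&2
  echo "error setting netfilter: $1" >&2
  exit "$1"
}

# rule ARGS...: run iptables with ARGS and abort via fferror if it fails, so a
# rule that does not load (missing module, bad address) is never skipped
# silently while the rest of the set is still installed.
rule() {
  "$IPTABLES" "$@" || fferror $?
}

# is_addr STR: shape check for what iptables accepts after -s/-d -- a host
# name, an IPv4 address, optionally with /prefix or /mask.  This does not
# validate the value (iptables does); it only guarantees the argument is one
# token without whitespace or a leading '-', so it cannot turn into extra
# iptables options.
is_addr() {
  [[ "$1" =~ ^[A-Za-z0-9][A-Za-z0-9._-]*(/[0-9.]+)?$ ]]
}

# is_mac STR: colon-separated 48-bit MAC, as -m mac --mac-source expects.
is_mac() {
  [[ "$1" =~ ^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$ ]]
}

# show_table TABLE: print the banner and the numeric listing of one table.
show_table() {
  case "$1" in
    mangle) echo "___mangle_______________________________________" ;;
    nat)    echo "___nat__________________________________________" ;;
    filter) echo "___filter_______________________________________" ;;
  esac
  "$IPTABLES" -t "$1" --list -n
  echo; echo
}

[ -x "$IPTABLES" ] || { echo "$0: $IPTABLES is missing or not executable" >&2; exit 1; }

case "${1:-}" in
  reset)
    # Flush, delete user chains and zero counters in every table.  Left
    # unchecked on purpose: a table this kernel lacks must not abort the rebuild.
    for table in filter nat mangle; do
      for sw in F X Z; do
        "$IPTABLES" -t "$table" "-$sw"
      done
    done

    # User chains.  F* live in filter (forwarding decision); D*/S* live in nat
    # (portal-DNAT exemption and SNAT respectively).
    rule -t filter -N FCLIENT   # authenticated clients -> inet
    rule -t filter -N FSERVER   # any client -> allowed servers
    rule -t nat -N DCLIENT      # do not DNAT authenticated clients
    rule -t nat -N DSERVER      # do not DNAT traffic to allowed servers
    rule -t nat -N SCLIENT      # SNAT for authenticated clients
    rule -t nat -N SSERVER      # SNAT for traffic to allowed servers

    # Default deny on every built-in filter chain; ACCEPTs follow.
    for chain in INPUT OUTPUT FORWARD; do
      rule -t filter -P "$chain" DROP
    done

    # Loopback.
    rule -t filter -A INPUT -i "$LO_DEV" -j ACCEPT
    rule -t filter -A OUTPUT -o "$LO_DEV" -j ACCEPT

    # ICMP self<->wifi, limited to the wireless net.
    rule -t filter -A INPUT -i "$WIFI_DEV" -s "$WIFI_NET" -d "$WIFI_SELF" -p icmp -j ACCEPT
    rule -t filter -A OUTPUT -o "$WIFI_DEV" -s "$WIFI_SELF" -d "$WIFI_NET" -p icmp -j ACCEPT

    # ICMP self<->inet.  Note this accepts every ICMP type from any host on
    # the uplink (the box is pingable from there); add --icmp-type if unwanted.
    rule -t filter -A INPUT -i "$INET_DEV" -d "$INET_SELF" -p icmp -j ACCEPT
    rule -t filter -A OUTPUT -o "$INET_DEV" -s "$INET_SELF" -p icmp -j ACCEPT

    # DHCP self<->wifi.  Requests come from 0.0.0.0 to the broadcast address.
    # Replies go either to the client's address or, for a client that has no
    # address yet, to 255.255.255.255 (unless the DHCP server bypasses the
    # stack with a raw socket) -- allow both so OFFER/ACK are not rejected.
    rule -t filter -A INPUT -i "$WIFI_DEV" -s 0.0.0.0/0 -d 255.255.255.255 -p udp --dport 67:68 -j ACCEPT
    rule -t filter -A OUTPUT -o "$WIFI_DEV" -s "$WIFI_SELF" -d "$WIFI_NET" -p udp --sport 67:68 -j ACCEPT
    rule -t filter -A OUTPUT -o "$WIFI_DEV" -s "$WIFI_SELF" -d 255.255.255.255 -p udp --sport 67:68 -j ACCEPT

    # Portal web server self<->wifi.
    for port in 80 443; do
      rule -t filter -A INPUT -i "$WIFI_DEV" -s "$WIFI_NET" -d "$WIFI_SELF" -p tcp --dport "$port" -j ACCEPT
      rule -t filter -A OUTPUT -o "$WIFI_DEV" -s "$WIFI_SELF" -d "$WIFI_NET" -p tcp --sport "$port" -j ACCEPT
    done

    ### ENABLE IF USING OWN DNS SERVER ON THIS BOX ###
    #
    # #allow dns traffic self<->wifi
    # rule -t filter -A INPUT -i "$WIFI_DEV" -s "$WIFI_NET" -d "$WIFI_SELF" -p udp --dport 53 -j ACCEPT
    # rule -t filter -A OUTPUT -o "$WIFI_DEV" -s "$WIFI_SELF" -d "$WIFI_NET" -p udp --sport 53 -j ACCEPT
    # #allow dns traffic self<->upstream resolvers
    # for ns in "$NS1" "$NS2"; do
    #   rule -t filter -A OUTPUT -o "$INET_DEV" -s "$INET_SELF" -d "$ns" -p udp --dport 53 -j ACCEPT
    #   rule -t filter -A INPUT -i "$INET_DEV" -s "$ns" -d "$INET_SELF" -p udp --sport 53 -j ACCEPT
    # done
    #
    ### /ENABLE ###########################

    ### DISABLE IF USING OWN DNS SERVER ON THIS BOX ###
    #
    # Let unauthenticated clients resolve names via the upstream resolvers
    # (they need that to reach the portal by name).  See the NOTE at NS1/NS2.
    for ns in "$NS1" "$NS2"; do
      rule -t filter -A FORWARD -i "$WIFI_DEV" -o "$INET_DEV" -s "$WIFI_NET" -d "$ns" -p udp --dport 53 -j ACCEPT
      rule -t filter -A FORWARD -i "$INET_DEV" -o "$WIFI_DEV" -s "$ns" -d "$WIFI_NET" -p udp --sport 53 -j ACCEPT
      rule -t nat -A POSTROUTING -s "$WIFI_NET" -p udp --dport 53 -d "$ns" -o "$INET_DEV" -j SNAT --to "$INET_SELF"
    done
    #
    ### /DISABLE ##########################

    # Lab-only management access; cleartext telnet and SMB, not bound to any
    # interface.  Gated by DEV_ACCESS so it cannot be left on by accident.
    if [ "$DEV_ACCESS" = "1" ]; then
      for port in 23 139; do
        rule -t filter -A INPUT -p tcp --dport "$port" -j ACCEPT
        rule -t filter -A OUTPUT -p tcp --sport "$port" -j ACCEPT
      done
    fi

    # wifi -> inet: allowed servers first, then authenticated clients,
    # everything else is rejected with a "network prohibited" so the client
    # fails fast instead of timing out.
    rule -t filter -A FORWARD -i "$WIFI_DEV" -o "$INET_DEV" -s "$WIFI_NET" -j FSERVER
    rule -t filter -A FORWARD -i "$WIFI_DEV" -o "$INET_DEV" -s "$WIFI_NET" -j FCLIENT
    rule -t filter -A FORWARD -i "$WIFI_DEV" -o "$INET_DEV" -s "$WIFI_NET" -j REJECT --reject-with icmp-net-prohibited

    # inet -> wifi: only replies to flows the wifi side opened.  RELATED is
    # included so ICMP errors for those flows (e.g. fragmentation-needed for
    # path-MTU discovery) reach the client instead of being rejected.
    rule -t filter -A FORWARD -i "$INET_DEV" -o "$WIFI_DEV" -d "$WIFI_NET" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # SNAT for traffic leaving the wireless net (authenticated clients and
    # traffic towards allowed servers); the per-entry rules live in the chains.
    rule -t nat -A POSTROUTING -s "$WIFI_NET" -d ! "$WIFI_NET" -j SCLIENT
    rule -t nat -A POSTROUTING -s "$WIFI_NET" -d ! "$WIFI_NET" -j SSERVER

    # Portal redirect: anything not exempted by DCLIENT/DSERVER (an ACCEPT in
    # nat ends table traversal for the packet) has its web traffic DNAT'ed to
    # this box.
    rule -t nat -A PREROUTING -i "$WIFI_DEV" -d ! "$WIFI_SELF" -j DCLIENT
    rule -t nat -A PREROUTING -i "$WIFI_DEV" -d ! "$WIFI_SELF" -j DSERVER
    for port in 80 443; do
      rule -t nat -A PREROUTING -i "$WIFI_DEV" -d ! "$WIFI_SELF" -p tcp --dport "$port" -j DNAT --to "$WIFI_SELF"
    done

    ### DISABLE THE FOLLOWING BEFORE DEPLOYING THE UNIT IN THE FIELD ###
    #
    # #log all other packets
    # rule -t filter -A INPUT -j LOG --log-level warning --log-prefix " >>INPUT<< "
    # rule -t filter -A OUTPUT -j LOG --log-level warning --log-prefix " <> "
    # rule -t filter -A FORWARD -j LOG --log-level warning --log-prefix ">>FORWARD>> "
    #
    ### /DISABLE #######################################################

    # Trailing REJECT on every chain: more polite than the DROP policy, which
    # still applies to anything appended after this point.
    for chain in INPUT OUTPUT FORWARD; do
      rule -t filter -A "$chain" -j REJECT
    done
    ;;

  addClient)
    ip="${2:-}"
    mac="${3:-}"
    is_addr "$ip" || usage
    is_mac "$mac" || usage
    rule -t filter -A FCLIENT -s "$ip" -m mac --mac-source "$mac" -j ACCEPT
    rule -t nat -A DCLIENT -s "$ip" -m mac --mac-source "$mac" -j ACCEPT
    rule -t nat -A SCLIENT -s "$ip" -d ! "$WIFI_NET" -j SNAT --to "$INET_SELF"
    echo "added Client: IP $ip MAC $mac"
    ;;

  delClient)
    ip="${2:-}"
    mac="${3:-}"
    is_addr "$ip" || usage
    is_mac "$mac" || usage
    # Deletions must mirror the addClient rules exactly or iptables finds no match.
    rule -t filter -D FCLIENT -s "$ip" -m mac --mac-source "$mac" -j ACCEPT
    rule -t nat -D DCLIENT -s "$ip" -m mac --mac-source "$mac" -j ACCEPT
    rule -t nat -D SCLIENT -s "$ip" -d ! "$WIFI_NET" -j SNAT --to "$INET_SELF"
    echo "removed Client: IP $ip MAC $mac"
    ;;

  addServer)
    srv="${2:-}"
    is_addr "$srv" || usage
    rule -t filter -A FSERVER -s "$WIFI_NET" -d "$srv" -j ACCEPT
    rule -t nat -A DSERVER -s "$WIFI_NET" -d "$srv" -j ACCEPT
    rule -t nat -A SSERVER -s "$WIFI_NET" -d "$srv" -j SNAT --to "$INET_SELF"
    echo "added Server: IP $srv"
    ;;

  delServer)
    srv="${2:-}"
    is_addr "$srv" || usage
    rule -t filter -D FSERVER -s "$WIFI_NET" -d "$srv" -j ACCEPT
    rule -t nat -D DSERVER -s "$WIFI_NET" -d "$srv" -j ACCEPT
    rule -t nat -D SSERVER -s "$WIFI_NET" -d "$srv" -j SNAT --to "$INET_SELF"
    echo "removed Server: IP $srv"
    ;;

  show)
    case "${2:-}" in
      mangle|nat|filter)
        show_table "$2"
        ;;
      auth)
        echo "___clients______________________________________"
        "$IPTABLES" -t filter --list FCLIENT -n
        "$IPTABLES" -t nat --list DCLIENT -n
        "$IPTABLES" -t nat --list SCLIENT -n
        echo "___servers______________________________________"
        "$IPTABLES" -t filter --list FSERVER -n
        "$IPTABLES" -t nat --list DSERVER -n
        "$IPTABLES" -t nat --list SSERVER -n
        ;;
      *)
        show_table mangle
        show_table nat
        show_table filter
        ;;
    esac
    ;;

  *)
    usage
    ;;
esac

exit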