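#! /bin/sh
#----------------------------------------------------------------------------
# /etc/init.d/routing - configuration of eisfair as router
#
# Usage: routing start|stop
#
# Reads /etc/config.d/routing and programs the packet filter, masquerading
# modules and port forwarding for either a 2.2 kernel (ipchains) or any
# other kernel (iptables, written for 2.4).
#
# The config values (MASQ_NETWORK, ROUTE_NETWORK, TRUSTED_NETS, FORWARD_*,
# INPUT_*, FIREWALL_*, MASQ_MODULE_*, PORTFW_* ...) are expanded unquoted
# and partly through eval, so /etc/config.d/routing must only be writable
# by root - its content ends up verbatim on ipchains/iptables/insmod
# command lines.
#
# Creation: 24.11.2002 fm
# Last Update: 02.09.2004 fm
#
# Copyright (c) 2002-2004 Frank Meyer
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#----------------------------------------------------------------------------

. /etc/config.d/routing

kernel_version=$(uname -r)

#----------------------------------------------------------------------------
# convert_action - map an action word from the config to a filter target
#
# Arguments: $1 - action word (accept, deny-tcp, reject-udp, tcp, ... or "")
#            $2 - default target used when $1 is empty, unknown or only
#                 names a protocol (tcp/udp)
# Sets:      action - ACCEPT, DROP, REJECT or $2
#            prot   - all, tcp or udp
#----------------------------------------------------------------------------
convert_action ()
{
  act=$1
  defact=$2

  case "$act" in
    accept | ACCEPT)
      action='ACCEPT'
      prot=all
      ;;
    accept-tcp | ACCEPT-TCP)
      action='ACCEPT'
      prot=tcp
      ;;
    accept-udp | ACCEPT-UDP)
      action='ACCEPT'
      prot=udp
      ;;
    deny | DENY | drop | DROP)
      action='DROP'
      prot=all
      ;;
    deny-tcp | DENY-TCP | drop-tcp | DROP-TCP)
      action='DROP'
      prot=tcp
      ;;
    deny-udp | DENY-UDP | drop-udp | DROP-UDP)
      action='DROP'
      prot=udp
      ;;
    reject | REJECT)
      action='REJECT'
      prot=all
      ;;
    reject-tcp | REJECT-TCP)
      action='REJECT'
      prot=tcp
      ;;
    reject-udp | REJECT-UDP)
      action='REJECT'
      prot=udp
      ;;
    tcp | TCP)
      action=$defact
      prot=tcp
      ;;
    udp | UDP)
      action=$defact
      prot=udp
      ;;
    *)
      # empty or unknown word: default target, all protocols
      action=$defact
      prot=all
      ;;
  esac
}

case $1 in
  start)
    if [ "$START_ROUTING" = "yes" ]
    then
      /usr/local/bin/colecho "activating routing ..." gn
      echo 1 > /proc/sys/net/ipv4/ip_forward
      case "$kernel_version" in
        2.2.*)
          echo 1 > /proc/sys/net/ipv4/ip_always_defrag
          ;;
      esac

      #----------------------------------------------------------------
      # Packet filter
      #----------------------------------------------------------------
      case "$kernel_version" in
        2.2.*)
          #------------------------------------------------------------
          # 2.2.x kernel: ipchains
          #------------------------------------------------------------
          masq_net="$MASQ_NETWORK"    # our LAN, MASQ_NETWORK in rc.cfg
          route_net="$ROUTE_NETWORK"  # networks to route without masquerading
          ANYNET="0.0.0.0/0"          # any net address

          /sbin/ipchains -F forward
          /sbin/ipchains -P forward DENY
          /sbin/ipchains -F input
          /sbin/ipchains -F output

          #------------------------------------------------------------
          # Masq timeouts:
          #   1 hr timeout for TCP session timeouts
          #   5 min timeout for traffic after the TCP/IP "FIN" packet
          #   10 min timeout for UDP traffic
          #------------------------------------------------------------
          /sbin/ipchains -M -S 3600 300 600

          #------------------------------------------------------------
          # running chain commands from additional packages
          # these rules come first in the chain - so beware of bloated
          # rulesets which are used uncommonly
          #------------------------------------------------------------
          for ext in /etc/init.d/fwrules.pre.*
          do
            if [ -f "$ext" ]
            then
              /usr/local/bin/dtou "$ext"
              . "$ext"
            fi
          done

          # blacklisted hosts: drop everything they send through the router
          idx=1
          while [ "$idx" -le "$FORWARD_DENY_HOST_N" ]
          do
            eval deny_host='$FORWARD_DENY_HOST_'$idx
            /sbin/ipchains -A forward -s $deny_host -j DENY
            idx=$((idx + 1))
          done

          # free communication between any two different trusted nets
          for j in $FORWARD_TRUSTED_NETS
          do
            for i in $FORWARD_TRUSTED_NETS
            do
              if [ "$j" != "$i" ]
              then
                /sbin/ipchains -A input -s $j -d $i -j ACCEPT
                /sbin/ipchains -A forward -s $j -d $i -j ACCEPT
              fi
            done
          done

          # FORWARD_DENY_PORT_x = "<port> [<action>]"; action defaults to REJECT
          idx=1
          while [ "$idx" -le "$FORWARD_DENY_PORT_N" ]
          do
            eval port='$FORWARD_DENY_PORT_'$idx
            # "set --" so an empty entry clears $1/$2 instead of dumping the
            # shell variables and leaving a stale port behind
            set -- $port
            port=$1
            action=$2
            case "$action" in
              deny | DENY)             action='DENY';   prot=all ;;
              deny-tcp | DENY-TCP)     action='DENY';   prot=tcp ;;
              deny-udp | DENY-UDP)     action='DENY';   prot=udp ;;
              "" | reject | REJECT)    action='REJECT'; prot=all ;;
              reject-tcp | REJECT-TCP) action='REJECT'; prot=tcp ;;
              reject-udp | REJECT-UDP) action='REJECT'; prot=udp ;;
              *)                       action='REJECT'; prot=all ;;
            esac
            # reject forwarding of ports (-b: both directions)
            if [ "$prot" = "all" -o "$prot" = "tcp" ]
            then
              /sbin/ipchains -A forward -p tcp -b -s $ANYNET -d $ANYNET \
                $port -j $action
            fi
            if [ "$prot" = "all" -o "$prot" = "udp" ]
            then
              /sbin/ipchains -A forward -p udp -b -s $ANYNET -d $ANYNET \
                $port -j $action
            fi
            idx=$((idx + 1))
          done

          for j in $route_net
          do
            # route the following extern networks without masquerading
            /sbin/ipchains -A input -b -s $j -j ACCEPT
            /sbin/ipchains -A forward -b -s $j -j ACCEPT  # don't masquerade
          done

          for j in $masq_net
          do
            # masquerade all LAN addresses
            /sbin/ipchains -A forward -s $j -j MASQ
          done

          # accept connections from localhost
          /sbin/ipchains -A input -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT

          # accept answers from anynet (tcp without SYN only)
          /sbin/ipchains -A input -p tcp ! -y -s $ANYNET -j ACCEPT

          for j in $masq_net
          do
            # accept all masqueraded LAN addresses
            /sbin/ipchains -A input -s $j -d $ANYNET -j ACCEPT
          done

          # -l makes ipchains log matching packets
          if [ "$FIREWALL_LOG" = "yes" ]
          then
            l='-l'
          else
            l=''
          fi

          #------------------------------------------------------------
          # running chain commands from additional packages
          # these rules are added at the end of the ACCEPT rules
          # put uncommon rulesets here
          #------------------------------------------------------------
          for ext in /etc/init.d/fwrules.post.*
          do
            if [ -f "$ext" ]
            then
              /usr/local/bin/dtou "$ext"
              . "$ext"
            fi
          done

          # FIREWALL_DENY_PORT_x = "<port> [deny|reject]": ports to deny locally
          idx=1
          while [ "$idx" -le "$FIREWALL_DENY_PORT_N" ]
          do
            eval port='$FIREWALL_DENY_PORT_'$idx
            set -- $port
            port=$1
            action=$2
            case "$action" in
              deny | DENY)          action='DENY'   ;;
              "" | reject | REJECT) action='REJECT' ;;
              *)                    action='REJECT' ;;
            esac
            # reject/deny connections to port x
            /sbin/ipchains -A input $l -p tcp -s $ANYNET -d $ANYNET $port -j $action
            /sbin/ipchains -A input $l -p udp -s $ANYNET -d $ANYNET $port -j $action
            idx=$((idx + 1))
          done

          if [ "$FIREWALL_DENY_ICMP" = "yes" ]
          then
            for j in $route_net $masq_net
            do
              # accept ping from inner net
              /sbin/ipchains -A input -j ACCEPT -p icmp -s $j echo-request
            done
            # accept ping from localhost
            /sbin/ipchains -A input -j ACCEPT -p icmp -s 127.0.0.1 echo-request
            # deny ping from elsewhere
            /sbin/ipchains -A input $l -j DENY -p icmp -s $ANYNET echo-request
          fi

          # anti-spoofing: reverse path filter on every interface
          for j in /proc/sys/net/ipv4/conf/*/rp_filter
          do
            echo 1 > $j
          done

          #------------------------------------------------------------
          # masquerading
          #------------------------------------------------------------
          # /var/run/masq-modules records the loaded modules for "stop"
          >/var/run/masq-modules

          idx=1
          while [ "$idx" -le "$MASQ_MODULE_N" ]  # masquerading modules (ftp etc)
          do
            eval drv='$MASQ_MODULE_'$idx
            case "$drv" in
              "udp_dloose")
                echo 1 > /proc/sys/net/ipv4/ip_masq_udp_dloose
                ;;
              "ftp")
                # build "ports=a,b,c" from MASQ_FTP_PORT_x
                options=""
                delim="ports="
                port_idx=1
                while [ "$port_idx" -le "$MASQ_FTP_PORT_N" ]
                do
                  eval newport='$MASQ_FTP_PORT_'$port_idx
                  options="$options$delim$newport"
                  delim=","
                  port_idx=$((port_idx + 1))
                done
                /sbin/insmod ip_masq_ftp $options
                echo ip_masq_ftp >>/var/run/masq-modules
                ;;
              *)
                /sbin/insmod ip_masq_$drv
                echo ip_masq_$drv >>/var/run/masq-modules
                ;;
            esac
            idx=$((idx + 1))
          done

          #------------------------------------------------------------
          # port forwarding
          #------------------------------------------------------------
          if [ "${PORTFW_N:-0}" -gt 0 ]
          then
            echo "initializing port forwarding ..."
            /sbin/insmod ip_masq_autofw
            echo ip_masq_autofw >>/var/run/masq-modules
            /sbin/insmod ip_masq_portfw
            echo ip_masq_portfw >>/var/run/masq-modules
            /usr/sbin/ipmasqadm portfw -f   # ipportfw: clear old tables
            /usr/sbin/ipmasqadm autofw -F   # ipautofw: flush old tables
          fi
          ;;

        *)
          #------------------------------------------------------------
          # 2.4.x kernel: iptables
          #------------------------------------------------------------
          # INPUT cannot have policy REJECT; it is simulated by a final
          # REJECT rule (see end of this branch)
          INPUT_POLICY=reject

          # load the netfilter modules only if they are not in the kernel
          if ! grep ipt_register_table /proc/ksyms > /dev/null 2>&1
          then
            insmod ip_tables
            insmod ip_conntrack
            insmod iptable_filter
            insmod iptable_nat
            insmod ipt_state
            insmod ipt_MASQUERADE
            insmod ipt_REJECT
            ipt_modules_needed='yes'
          fi

          /sbin/iptables -F FORWARD
          /sbin/iptables -F INPUT
          /sbin/iptables -F OUTPUT
          /sbin/iptables -t nat -F POSTROUTING

          /sbin/iptables -P FORWARD DROP     # forward policy is drop
          /sbin/iptables -P INPUT DROP       # REJECT is not possible here :-(
          /sbin/iptables -P OUTPUT ACCEPT    # output policy is accept

          /sbin/iptables -X fdrop 2>/dev/null  # delete fdrop chain
          /sbin/iptables -N fdrop              # log packets and drop them

          #------------------------------------------------------------
          # running chain commands from additional packages
          # these rules come first in the chain - so beware of bloated
          # rulesets which are used uncommonly
          #------------------------------------------------------------
          for ext in /etc/init.d/fwrules.pre.*
          do
            if [ -f "$ext" ]
            then
              /usr/local/bin/dtou "$ext"
              . "$ext"
            fi
          done

          #------------------------------------------------------------
          # filter table
          #
          # input handles only packets which are delivered locally
          #
          # accepts all packets
          #
          # - from hosts in ROUTE_NETWORK, MASQ_NETWORK, TRUSTED_NETS
          # - from localhost to localhost
          # - from anynet for established connections
          # - from anynet to ports specified in INPUT_ACCEPT_PORT_x
          # - icmp packets (except ping requests if deny_icmp is set; then
          #   only icmp echo requests from hosts in TRUSTED_NETS,
          #   ROUTE_NETWORK, MASQ_NETWORK and localhost are accepted)
          #
          # forward handles all packets which have to be routed to other
          # subnets
          #
          # - forward only packets
          #   * from hosts in MASQ_NETWORK and ROUTE_NETWORK
          #   * from one trusted net into another
          # - allows free communication between trusted networks
          # - blocks communication to ports in $FORWARD_DENY_PORT_x
          # - either
          #   * blocks hosts on the blacklist
          #   or
          #   * allows communication for hosts on the white list
          # - accepts packets from anynet which are related to
          #   established connections
          #
          # output has no special rules, default policy accept
          # - local applications are free to communicate with any other
          #   host
          #------------------------------------------------------------

          #------------------------------------------------------------
          # input chain
          #------------------------------------------------------------
          for j in $ROUTE_NETWORK $MASQ_NETWORK $TRUSTED_NETS
          do
            /sbin/iptables -A INPUT -s $j -j ACCEPT
          done

          /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
          /sbin/iptables -A INPUT -i lo -j ACCEPT

          # INPUT_ACCEPT_PORT_x = "<port> [<action>]"; default ACCEPT
          idx=1
          while [ "$idx" -le "$INPUT_ACCEPT_PORT_N" ]  # ports to accept
          do
            eval port='$INPUT_ACCEPT_PORT_'$idx
            set -- $port
            port=$1
            action=$2
            convert_action $action ACCEPT
            if [ "$prot" = "all" -o "$prot" = "tcp" ]
            then
              /sbin/iptables -A INPUT -p tcp --dport $port -j $action
            fi
            if [ "$prot" = "all" -o "$prot" = "udp" ]
            then
              /sbin/iptables -A INPUT -p udp --dport $port -j $action
            fi
            idx=$((idx + 1))
          done

          if [ "$DENY_ICMP" = "yes" ]
          then
            # ping from MASQ_NETWORK, TRUSTED_NETS, ROUTE_NETWORK and
            # localhost is accepted by the rules above, deny ping from
            # anywhere else
            /sbin/iptables -A INPUT -j DROP -p icmp --icmp-type echo-request
          fi
          # every other icmp type is accepted from anywhere
          /sbin/iptables -A INPUT -j ACCEPT -p icmp

          #------------------------------------------------------------
          # forward chain
          #------------------------------------------------------------
          for j in $TRUSTED_NETS
          do
            for i in $TRUSTED_NETS
            do
              if [ "$j" != "$i" ]
              then
                /sbin/iptables -A FORWARD -s $j -d $i -j ACCEPT
              fi
            done
          done

          # FORWARD_DENY_PORT_x: only the protocol part of the action is
          # honoured here - every match jumps to fdrop (log + DROP), the
          # REJECT/DROP distinction from convert_action is not used
          idx=1
          while [ "$idx" -le "$FORWARD_DENY_PORT_N" ]
          do
            eval port='$FORWARD_DENY_PORT_'$idx
            set -- $port
            port=$1
            action=$2
            convert_action $action REJECT
            # reject forwarding of ports
            if [ "$prot" = "all" -o "$prot" = "tcp" ]
            then
              /sbin/iptables -A FORWARD -p tcp --dport $port -j fdrop
            fi
            if [ "$prot" = "all" -o "$prot" = "udp" ]
            then
              /sbin/iptables -A FORWARD -p udp --dport $port -j fdrop
            fi
            idx=$((idx + 1))
          done

          if [ "$FORWARD_HOST_WHITE" = "yes" ]  # whitelist
          then
            /sbin/iptables -N white
            action=white
            chain='white'
          else                                  # blacklist
            action=fdrop
            chain='FORWARD'
          fi

          # NOTE(review): the per-host loop below is disabled, so nothing in
          # this script jumps from FORWARD into the "white" chain; with
          # FORWARD_HOST_WHITE=yes the MASQ/ROUTE accept rules added to
          # $chain are therefore never reached from here - confirm whether
          # another package adds the jump
          # idx=1
          # while [ "$idx" -le "$FORWARD_HOST_N" ]
          # do
          #   eval deny_host='$FORWARD_HOST_'$idx
          #   # either jump to drop table or to white list table
          #   /sbin/iptables -A FORWARD -s $deny_host -j $action
          #   idx=$((idx + 1))
          # done

          for j in $MASQ_NETWORK $ROUTE_NETWORK
          do
            /sbin/iptables -A $chain -s $j -j ACCEPT
          done

          /sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

          #------------------------------------------------------------
          # nat table
          #
          # prerouting has no rules yet (see rc???.portfw)
          #
          # postrouting
          # - unmasqued communication between TRUSTED_NETS
          # - unmasqued communication to ROUTE_NETWORK
          # - masquerade all hosts in MASQ_NETWORK
          #
          # output has no rules
          #------------------------------------------------------------
          if [ "$MASQ_NETWORK" != "" ]
          then
            for j in $TRUSTED_NETS
            do
              for i in $TRUSTED_NETS
              do
                if [ "$j" != "$i" ]
                then
                  /sbin/iptables -t nat -A POSTROUTING -s $j -d $i -j ACCEPT
                fi
              done
            done

            for j in $ROUTE_NETWORK
            do
              # traffic to routed networks leaves unmasqueraded
              /sbin/iptables -t nat -A POSTROUTING -d $j -j ACCEPT
            done

            for j in $MASQ_NETWORK
            do
              # masquerade all LAN addresses
              /sbin/iptables -t nat -A POSTROUTING -s $j -j MASQUERADE
            done
          fi

          #------------------------------------------------------------
          # running chain commands from additional packages
          # these rules are added at the end of the ACCEPT rules
          # put uncommon rulesets here
          #------------------------------------------------------------
          for ext in /etc/init.d/fwrules.post.*
          do
            if [ -f "$ext" ]
            then
              /usr/local/bin/dtou "$ext"
              . "$ext"
            fi
          done

          # log every INPUT packet no rule above accepted, and every packet
          # entering fdrop
          if [ "$PACKETFILTER_LOG" = "yes" ]
          then
            if [ "$ipt_modules_needed" = "yes" ]
            then
              insmod ipt_LOG
            fi
            /sbin/iptables -A INPUT -j LOG
            /sbin/iptables -A fdrop -j LOG
          fi

          #------------------------------------------------------------
          # close forward and white chain with a catch all rule jumping
          # to fdrop; close fdrop chain with a rule dropping all packets
          #------------------------------------------------------------
          /sbin/iptables -A FORWARD -j fdrop
          if [ "$FORWARD_HOST_WHITE" = "yes" ]  # whitelist
          then
            /sbin/iptables -A white -j fdrop
          fi
          /sbin/iptables -A fdrop -j DROP

          if [ "$INPUT_POLICY" = reject -o "$INPUT_POLICY" = REJECT ]
          then
            # simulate policy REJECT on input chain
            /sbin/iptables -A INPUT -j REJECT
          fi

          # anti-spoofing: reverse path filter on every interface
          for j in /proc/sys/net/ipv4/conf/*
          do
            echo 1 > $j/rp_filter
          done

          #------------------------------------------------------------
          # masquerading
          #------------------------------------------------------------
          idx=1
          while [ "$idx" -le "$MASQ_MODULE_N" ]  # masquerading modules (ftp etc)
          do
            eval drv='$MASQ_MODULE_'$idx
            case "$drv" in
              ftp | tftp | irc)
                insmod ip_conntrack_$drv
                insmod ip_nat_$drv
                ;;
              amanda)
                insmod ip_conntrack_amanda
                ;;
            esac
            idx=$((idx + 1))
          done

          #------------------------------------------------------------
          # port forwarding
          #
          # PORTFW_x_SOURCE   = [<host>:]<ports>   (host defaults to "default")
          # PORTFW_x_TARGET   = <host>[:<ports>]   (ports default to source ports)
          # PORTFW_x_PROTOCOL = tcp|udp|...
          #
          # The resulting FORWARD accept rules are inserted (-I) at the head
          # of the chain, i.e. in front of the FORWARD_DENY_PORT_x rules
          # and the black/white list added above - a forwarded target is
          # reachable regardless of those rules.
          #------------------------------------------------------------
          # echo "gre 47 GRE # General Routing Encapsulation" >> /etc/protocols

          > /etc/portfw.conf
          idx=1
          while [ "$idx" -le "$PORTFW_N" ]
          do
            eval src='$PORTFW_'$idx'_SOURCE'
            eval dest='$PORTFW_'$idx'_TARGET'
            eval proto='$PORTFW_'$idx'_PROTOCOL'

            # split "host:ports" on the colon
            oldIFS="$IFS"
            IFS=":"
            set -- $src
            if [ "$2" = "" ]
            then
              srcports="$1"
              srchost="default"
            else
              srchost="$1"
              srcports="$2"
            fi

            IFS=":"
            set -- $dest
            desthost="$1"
            if [ "$2" = "" ]
            then
              destports="$srcports"
            else
              destports="$2"
            fi
            # iptables writes port ranges as a:b, the config uses a-b
            ipt_dst_ports=$(echo $destports | sed -e "s/-/:/g")
            IFS="$oldIFS"

            echo "$srchost $srcports $desthost $destports $proto" >> /etc/portfw.conf

            if [ "$srcports" = "none" ]
            then
              /sbin/iptables -I FORWARD -p $proto -d $desthost -j ACCEPT
            else
              /sbin/iptables -I FORWARD -p $proto -d $desthost \
                --destination-port $ipt_dst_ports -j ACCEPT
            fi
            idx=$((idx + 1))
          done
          ;;
      esac
    else
      /usr/local/bin/colecho "deactivating routing ..." gn
      echo 0 > /proc/sys/net/ipv4/ip_forward
      case "$kernel_version" in
        2.2.*)
          echo 0 > /proc/sys/net/ipv4/ip_always_defrag
          ;;
      esac
    fi
    ;;

  stop)
    /usr/local/bin/colecho "deactivating routing ..." gn
    echo 0 > /proc/sys/net/ipv4/ip_forward
    case "$kernel_version" in
      2.2.*)
        echo 0 > /proc/sys/net/ipv4/ip_always_defrag
        ;;
    esac

    # unload the masquerading modules recorded by "start" (2.2 only);
    # each line of the file names one module
    if [ -f /var/run/masq-modules ]
    then
      for j in $(cat /var/run/masq-modules)
      do
        /sbin/rmmod "$j" 2>/dev/null
      done
      rm /var/run/masq-modules
    fi
    ;;
esac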