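#!/bin/sh
#----------------------------------------------------------------------------
# /etc/init.d/routing - configuration of eisfair as router
#
# Creation:    2002-11-24 fm
# Last Update: $Id$
#
# Copyright (c) 2002-2004 Frank Meyer, frank(at)eisfair(dot)org
# Copyright (c) 2012-@@YEAR@@ Holger Bruenjes, holgerbruenjes(at)gmx(dot)net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#----------------------------------------------------------------------------
#
# Usage: routing [--quiet] {start|stop|restart|status}
#
# Everything in this file runs as root at boot time. The iptables rules are
# built entirely from /etc/config.d/routing (ROUTE_NETWORK, MASQ_NETWORK,
# TRUSTED_NETS, INPUT_ACCEPT_PORT_x, FORWARD_DENY_PORT_x, FORWARD_HOST_x,
# MASQ_MODULE_x, PORTFW_x_*) plus any /etc/init.d/fwrules.pre.* and
# /etc/init.d/fwrules.post.* hook files, which are sourced as shell code.
#----------------------------------------------------------------------------

NAME=iptables
DAEMON=/usr/sbin/${NAME}
DTOU='/usr/bin/dtou'

# read functions
# boot_mesg, evaluate_retval and convert_action are used below but are not
# defined in this file; they are expected to come from here.
. /etc/init.d/functions

# set package name
package_name="routing"

# read configuration
# The *_N / *_x variables are dereferenced with eval further down, so this
# file must stay root-owned and writable by root only.
. /etc/config.d/${package_name}

# ${load} / ${unload} are deliberately expanded unquoted below: ${unload}
# carries the "-r" option as a second word.
load='/usr/sbin/modprobe'
unload='/usr/sbin/modprobe -r'

# ---------------------------------------------------------------------------
# usage
# ---------------------------------------------------------------------------
usage()
{
    # NOTE(review): the text of the original here-document was lost when this
    # file was extracted; the line below is reconstructed from the actions
    # that main() dispatches and should be checked against the upstream file.
    cat <<EOF
Usage: ${0} [--quiet] {start|stop|restart|status}
EOF
}

# ---------------------------------------------------------------------------
# start routing
#
# Enables IP forwarding, loads the netfilter base modules, rebuilds the
# filter and nat tables from the configuration, loads the conntrack/nat
# helper modules and installs the port-forwarding rules.
# ---------------------------------------------------------------------------
routing_start()
{
    # NOTE(review): the head of this function (up to the ip_forward write)
    # was lost in extraction. The message mirrors routing_stop and the
    # "echo 1" is the counterpart of the "echo 0" in routing_stop -- confirm
    # against the upstream file.
    boot_mesg " * Starting routing ..."
    echo 1 > /proc/sys/net/ipv4/ip_forward

    # -------------------------------------------------------------------
    # Packet filter
    # -------------------------------------------------------------------
    # INPUT cannot carry a REJECT policy, so "reject" is simulated with a
    # final REJECT rule at the end of the chain (see below).
    INPUT_POLICY=reject

    base_modules='ip_tables ip_conntrack iptable_filter iptable_nat ipt_state ipt_MASQUERADE ipt_REJECT'

    # space separated list, word-splitting intended
    for mod in ${base_modules}
    do
        if ! grep -q "^${mod} " /proc/modules
        then
            ${load} "${mod}"
        fi
    done

    "${DAEMON}" -F FORWARD
    "${DAEMON}" -F INPUT
    "${DAEMON}" -F OUTPUT
    "${DAEMON}" -t nat -F POSTROUTING

    "${DAEMON}" -P FORWARD DROP                 # forward policy is drop
    "${DAEMON}" -P INPUT DROP                   # REJECT is not possible here :-(
    "${DAEMON}" -P OUTPUT ACCEPT                # output policy is accept

    # the chains may not exist yet on a fresh boot, hence the silenced errors
    "${DAEMON}" -F fdrop 2>/dev/null            # delete fdrop chain
    "${DAEMON}" -X fdrop 2>/dev/null            # delete fdrop chain
    "${DAEMON}" -N fdrop                        # log packets and drop them
    "${DAEMON}" -F white 2>/dev/null            # delete white chain
    "${DAEMON}" -X white 2>/dev/null            # delete white chain

    # -------------------------------------------------------------------
    # running chain commands from additional packages
    # these rules come first in the chain - so beware of bloated
    # rulesets which are used uncommonly
    #
    # The hook files are converted to unix line endings in place and then
    # sourced, i.e. executed as root: /etc/init.d must not be writable by
    # anyone else.
    # -------------------------------------------------------------------
    for ext in /etc/init.d/fwrules.pre.*
    do
        if [ -f "${ext}" ]
        then
            "${DTOU}" "${ext}"
            . "${ext}"
        fi
    done

    # -------------------------------------------------------------------
    # filter table
    #
    # input handles only packets which are delivered locally
    #
    # accepts all packets
    #
    # - from hosts in ROUTE_NETWORK, MASQ_NETWORK, TRUSTED_NETS
    # - from localhost to localhost
    # - from anynet for established connections
    # - from anynet to ports specified in INPUT_ACCEPT_PORT_x
    # - icmp packets (except ping requests if deny_icmp is set;
    #   then only icmp echo requests from hosts
    #   in TRUSTED_NETS, ROUTE_NETWORK,
    #   MASQ_NETWORK and localhost are accepted)
    #
    # forward handles all packets which have to be routed to other subnets
    #
    # - forward only packets
    #   * from hosts in MASQ_NETWORK and ROUTE_NETWORK
    #   * from one trusted net into another
    # - allows free communication between trusted networks
    # - blocks communication to ports in $FORWARD_DENY_PORT_x
    # - either
    #   * blocks hosts on the blacklist
    #   or
    #   * allows communication for hosts on the white list
    # - accepts packets from anynet which are related to established
    #   connections
    #
    # output has no special rules, default policy accept
    # - local applications are free to communicate with any other host
    # -------------------------------------------------------------------

    # -------------------------------------------------------------------
    # input chain
    # -------------------------------------------------------------------
    # the network lists are space separated, word-splitting intended
    for j in ${ROUTE_NETWORK} ${MASQ_NETWORK} ${TRUSTED_NETS}
    do
        "${DAEMON}" -A INPUT -s "${j}" -j ACCEPT
    done

    "${DAEMON}" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    "${DAEMON}" -A INPUT -i lo -j ACCEPT

    idx=1
    while [ "${idx}" -le "${INPUT_ACCEPT_PORT_N:-0}" ]   # ports to accept
    do
        eval port='${INPUT_ACCEPT_PORT_'${idx}'}'
        # entry is "<port> <action>"; split it into the positional parameters
        # ("--" keeps a leading dash from being read as a set option)
        set -- ${port}
        port=${1}
        action=${2}
        # arguments deliberately unquoted: an empty action must not reach
        # convert_action as an empty first positional
        convert_action ${action} ACCEPT
        # NOTE(review): ${prot} is never assigned in this file; it looks like
        # convert_action (from /etc/init.d/functions) is expected to set it --
        # confirm, otherwise neither rule below is ever added.
        if [ "${prot}" = "all" ] || [ "${prot}" = "tcp" ]
        then
            "${DAEMON}" -A INPUT -p tcp --dport "${port}" -j "${action}"
        fi
        if [ "${prot}" = "all" ] || [ "${prot}" = "udp" ]
        then
            "${DAEMON}" -A INPUT -p udp --dport "${port}" -j "${action}"
        fi
        idx=$((idx + 1))
    done

    if [ "${DENY_ICMP}" = "yes" ]
    then
        # ping from MASQ_NETWORK, TRUSTED_NETS, ROUTE_NETWORK
        # and localhost are accepted by default (rules above), deny ping
        # from anywhere else:
        "${DAEMON}" -A INPUT -j DROP -p icmp --icmp-type echo-request
    fi

    "${DAEMON}" -A INPUT -j ACCEPT -p icmp

    # -------------------------------------------------------------------
    # forward chain
    # -------------------------------------------------------------------
    # every trusted net may talk to every other trusted net (n*(n-1) rules)
    for j in ${TRUSTED_NETS}
    do
        for i in ${TRUSTED_NETS}
        do
            if [ "${j}" != "${i}" ]
            then
                "${DAEMON}" -A FORWARD -s "${j}" -d "${i}" -j ACCEPT
            fi
        done
    done

    idx=1
    while [ "${idx}" -le "${FORWARD_DENY_PORT_N:-0}" ]
    do
        eval port='${FORWARD_DENY_PORT_'${idx}'}'
        set -- ${port}
        port=${1}
        action=${2}
        # the converted action is not used here: denied ports always go to
        # the logging fdrop chain (the call is kept for its side effects on
        # ${prot}, see the note in the INPUT loop)
        convert_action ${action} REJECT   # reject forwarding of ports
        if [ "${prot}" = "all" ] || [ "${prot}" = "tcp" ]
        then
            "${DAEMON}" -A FORWARD -p tcp --dport "${port}" -j fdrop
        fi
        if [ "${prot}" = "all" ] || [ "${prot}" = "udp" ]
        then
            "${DAEMON}" -A FORWARD -p udp --dport "${port}" -j fdrop
        fi
        idx=$((idx + 1))
    done

    if [ "${FORWARD_HOST_WHITE}" = "yes" ]      # whitelist
    then
        # listed hosts jump to "white", which ACCEPTs MASQ/ROUTE sources and
        # ends in fdrop; everything else falls through to the final fdrop
        "${DAEMON}" -N white
        action=white
        chain='white'
    else                                        # blacklist
        # listed hosts are dropped, everybody else in MASQ/ROUTE is accepted
        action=fdrop
        chain='FORWARD'
    fi

    idx=1
    while [ "${idx}" -le "${FORWARD_HOST_N:-0}" ]
    do
        eval deny_host='${FORWARD_HOST_'${idx}'}'
        # either jump to drop table or to white list table
        "${DAEMON}" -A FORWARD -s "${deny_host}" -j "${action}"
        idx=$((idx + 1))
    done

    for j in ${MASQ_NETWORK} ${ROUTE_NETWORK}
    do
        "${DAEMON}" -A "${chain}" -s "${j}" -j ACCEPT
    done

    "${DAEMON}" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # -------------------------------------------------------------------
    # nat table
    #
    # prerouting has no rules yet (see rc???.portfw)
    #
    # postrouting
    # - unmasqued communication between TRUSTED_NETS
    # - unmasqued communication to ROUTE_NETWORK
    # - masquerade all hosts in MASQ_NETWORK
    #
    # output has no rules
    # -------------------------------------------------------------------
    if [ -n "${MASQ_NETWORK}" ]
    then
        for j in ${TRUSTED_NETS}
        do
            for i in ${TRUSTED_NETS}
            do
                if [ "${j}" != "${i}" ]
                then
                    "${DAEMON}" -t nat -A POSTROUTING -s "${j}" -d "${i}" -j ACCEPT
                fi
            done
        done

        for j in ${ROUTE_NETWORK}
        do
            # traffic towards routed networks leaves unmasqueraded:
            "${DAEMON}" -t nat -A POSTROUTING -d "${j}" -j ACCEPT
        done

        for j in ${MASQ_NETWORK}
        do
            # masquerade all LAN addresses:
            "${DAEMON}" -t nat -A POSTROUTING -s "${j}" -j MASQUERADE
        done
    fi

    # -------------------------------------------------------------------
    # running chain commands from additional packages
    # these rules are added in the end of the ACCEPT rules
    # put uncommon rulesets here
    # (same sourcing/ownership caveat as for fwrules.pre.*)
    # -------------------------------------------------------------------
    for ext in /etc/init.d/fwrules.post.*
    do
        if [ -f "${ext}" ]
        then
            "${DTOU}" "${ext}"
            . "${ext}"
        fi
    done

    if [ "${PACKETFILTER_LOG}" = "yes" ]
    then
        if ! grep -q '^ipt_LOG' /proc/modules
        then
            ${load} ipt_LOG
        fi
        # NOTE(review): both LOG rules are unrated; a flood of unsolicited
        # packets is logged one line each and can fill the syslog. Consider
        # "-m limit" in front of "-j LOG".
        "${DAEMON}" -A INPUT -j LOG
        "${DAEMON}" -A fdrop -j LOG
    fi

    # -------------------------------------------------------------------
    # close forward and white chain with a catch all rule jumping to
    # fdrop, close fdrop chain with a rule dropping all packets
    # -------------------------------------------------------------------
    "${DAEMON}" -A FORWARD -j fdrop

    if [ "${FORWARD_HOST_WHITE}" = "yes" ]      # whitelist
    then
        "${DAEMON}" -A white -j fdrop
    fi

    "${DAEMON}" -A fdrop -j DROP

    if [ "${INPUT_POLICY}" = reject ] || [ "${INPUT_POLICY}" = REJECT ]
    then
        # simulate policy REJECT on input chain
        "${DAEMON}" -A INPUT -j REJECT
    fi

    for j in /proc/sys/net/ipv4/conf/*
    do
        echo 1 > "${j}/rp_filter"               # anti-spoofing
    done

    # -------------------------------------------------------------------
    # masquerading
    # -------------------------------------------------------------------
    idx=1
    while [ "${idx}" -le "${MASQ_MODULE_N:-0}" ]   # masquerading modules (ftp etc)
    do
        eval drv='${MASQ_MODULE_'${idx}'}'
        eval options='${MASQ_MODULE_'${idx}'_OPTION}'
        # only the known helper names are passed to modprobe
        case "${drv}" in
            amanda | ftp | h323 | irc | pptp | sip | snmp_basic | tftp | proto_dccp | proto_gre | proto_sctp | proto_udplite )
                # ${options} holds module parameters, word-splitting intended
                ${load} "ip_conntrack_${drv}" ${options} 2>/dev/null
                # nf_nat_ftp: kernel >= 2.6.10
                # only uses 'ports' for conntrack modules
                # ${load} ip_nat_${drv} ${options} 2>/dev/null
                ${load} "ip_nat_${drv}" 2>/dev/null
                ;;
        esac
        idx=$((idx + 1))
    done

    # -------------------------------------------------------------------
    # port forwarding
    # -------------------------------------------------------------------
    # echo "gre 47 GRE # General Routing Encapsulation" >> /etc/protocols

    # start with an empty list, one line per forwarding is appended below
    > /etc/portfw.conf

    idx=1
    while [ "${idx}" -le "${PORTFW_N:-0}" ]
    do
        eval src='${PORTFW_'${idx}'_SOURCE}'
        eval dest='${PORTFW_'${idx}'_TARGET}'
        eval proto='${PORTFW_'${idx}'_PROTOCOL}'

        # SOURCE is "[host:]ports", TARGET is "host[:ports]"; split on ':'.
        # IFS is set on a line of its own (not as a prefix to the special
        # builtin "set") so the split does not depend on shell-specific
        # ordering of assignment and word expansion; it is restored right
        # after the splitting.
        oldIFS="${IFS}"
        IFS=':'
        set -- ${src}
        if [ -z "${2}" ]
        then
            srcports="${1}"
            srchost="default"
        else
            srchost="${1}"
            srcports="${2}"
        fi

        set -- ${dest}
        desthost="${1}"
        if [ -z "${2}" ]
        then
            destports="${srcports}"
        else
            destports="${2}"
        fi
        IFS="${oldIFS}"

        # iptables writes port ranges as low:high, the config uses low-high
        ipt_dst_ports=$(printf '%s\n' "${destports}" | sed -e 's/-/:/g')

        printf '%s %s %s %s %s\n' "${srchost}" "${srcports}" "${desthost}" "${destports}" "${proto}" >> /etc/portfw.conf

        if [ "${srcports}" = "none" ]
        then
            "${DAEMON}" -I FORWARD -p "${proto}" -d "${desthost}" -j ACCEPT
        else
            "${DAEMON}" -I FORWARD -p "${proto}" -d "${desthost}" --destination-port "${ipt_dst_ports}" -j ACCEPT
        fi
        idx=$((idx + 1))
    done

    evaluate_retval
}

# ---------------------------------------------------------------------------
# stop routing
#
# Disables IP forwarding and unloads the conntrack/nat helper modules. The
# iptables rules themselves are left in place.
# ---------------------------------------------------------------------------
routing_stop()
{
    boot_mesg " * Stopping routing ..."
    echo 0 > /proc/sys/net/ipv4/ip_forward

    idx=1
    while [ "${idx}" -le "${MASQ_MODULE_N:-0}" ]   # masquerading modules (ftp etc)
    do
        eval drv='${MASQ_MODULE_'${idx}'}'
        case "${drv}" in
            amanda | ftp | h323 | irc | pptp | sip | snmp_basic | tftp | proto_dccp | proto_gre | proto_sctp | proto_udplite )
                # nat module depends on the conntrack module, unload it first
                ${unload} "ip_nat_${drv}" 2>/dev/null
                ${unload} "ip_conntrack_${drv}" 2>/dev/null
                ;;
        esac
        idx=$((idx + 1))
    done

    evaluate_retval
}

# ---------------------------------------------------------------------------
# restart
# ---------------------------------------------------------------------------
routing_restart()
{
    routing_stop
    sleep 2
    routing_start
}

# ---------------------------------------------------------------------------
# status
#
# Reports only the ip_forward sysctl, not the state of the rule set.
# ---------------------------------------------------------------------------
routing_status()
{
    r=$(/usr/bin/cat /proc/sys/net/ipv4/ip_forward)
    # quoted so an empty read is a false test instead of a syntax error
    if [ "${r}" -eq 1 ]
    then
        echo "routing is active"
    else
        echo "routing is not active"
    fi
}

# ---------------------------------------------------------------------------
# main
# ---------------------------------------------------------------------------
# --quiet may appear anywhere; the last non-option word is the action.
# _quiet is not read in this file (presumably honoured by the sourced
# functions).
while [ "${#}" -gt 0 ]
do
    case "${1}" in
        --quiet)
            _quiet=true
            shift
            ;;
        *)
            _action="${1}"
            shift
            ;;
    esac
done

case "${_action}" in
    start)
        routing_start
        ;;
    stop)
        routing_stop
        ;;
    restart)
        routing_restart
        ;;
    status)
        routing_status
        ;;
    *)
        usage
        exit 1
        ;;
esac

exit 0
# ---------------------------------------------------------------------------
# end
# ---------------------------------------------------------------------------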