mshroyer/firewall.sh

## firewall.sh
#!/bin/sh

### BEGIN INIT INFO
# Provides:          firewall
# Required-Start:    $local_fs $remote_fs
# Required-Stop:     $local_fs $remote_fs
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: iptables firewall
# Description:       Custom iptables firewall
### END INIT INFO
#
# Author:            Mark Shroyer <code@markshroyer.com>
#

# Note: if you install this script on Debian and you get an error that
# iptables doesn't have the set module available, run the following
# command:
#
# module-assistant auto-install xtables-addons

PATH=/bin:/usr/bin:/sbin:/usr/sbin
IPSET_DATA=/var/local/ipset.dat

if_lan_main=eth1
if_lan_test=eth0
if_lan="eth0 eth1"
net_lan_main="10.175.3.0/24"
net_lan_test="10.175.2.0/24"
net_lan_medley="10.175.1.0/24"

ports_nfs="sunrpc rpc.nfsd rpc.nfs-cb rpc.statd-bc rpc.statd rpc.mountd \
    rpc.lockd rpc.quotad"

set_default_nfs=""
set_default_whitelist=""

iptables=/sbin/iptables
ipset=/usr/sbin/ipset
chown=/bin/chown
chmod=/bin/chmod

. /lib/lsb/init-functions

clear_iptables() {
    $iptables -F
    $iptables --delete-chain
    $iptables -t nat -F
    $iptables -t nat --delete-chain

    $iptables -P INPUT ACCEPT
    $iptables -P OUTPUT ACCEPT
    $iptables -P FORWARD DROP
    $iptables -t nat -P PREROUTING ACCEPT
    $iptables -t nat -P POSTROUTING ACCEPT
    $iptables -t nat -P OUTPUT ACCEPT
}

case "$1" in
    start)
        clear_iptables

        # Default policies
        $iptables -P INPUT DROP
        $iptables -P FORWARD DROP

        # Gotta have loopback...
        $iptables -A INPUT -i lo -j ACCEPT

        # Continue connections with established state...
        $iptables -A INPUT -m state --state ESTABLISHED,RELATED \
            -j ACCEPT

        # Allowed ICMP types
        $iptables -A INPUT -p icmp --icmp-type echo-request
        $iptables -A INPUT -p icmp --icmp-type destination-unreachable
        $iptables -A INPUT -p icmp --icmp-type source-quench
        $iptables -A INPUT -p icmp --icmp-type time-exceeded

        # Restore saved ipsets
        if [ -f "$IPSET_DATA" ]; then
            $ipset -R <"$IPSET_DATA"
        fi

        # Default ipsets and set entries
        $ipset -N whitelist iphash 2>/dev/null
        $ipset -N nfs_clients iphash 2>/dev/null
        $ipset -N bruteforce iphash 2>/dev/null
        for item in $(echo $set_default_nfs | tr "," "\n"); do
            $ipset -A nfs_clients $item 2>/dev/null
        done
        for item in $(echo $set_default_whitelist | tr "," "\n"); do
            $ipset -A whitelist $item 2>/dev/null
        done

        # NFS access for hosts in nfs_clients ipset
        for port in $ports_nfs; do
            $iptables -A INPUT -p UDP --dport $port -m state --state NEW \
                -m set --match-set nfs_clients src -j ACCEPT
            $iptables -A INPUT -p TCP --dport $port -m state --state NEW \
                -m set --match-set nfs_clients src -j ACCEPT
        done

        # Allow any connections from whitelisted LAN hosts
        $iptables -A INPUT -i $if_lan_main -s $net_lan_main -m state \
            --state NEW -m set --match-set whitelist src -j ACCEPT
        $iptables -A INPUT -i $if_lan_test -s $net_lan_test -m state \
            --state NEW -m set --match-set whitelist src -j ACCEPT
        $iptables -A INPUT -i $if_lan_test -s $net_lan_medley -m state \
            --state NEW -m set --match-set whitelist src -j ACCEPT

        # Web access for all LAN hosts (not just whitelisted)
        $iptables -A INPUT -i $if_lan_main -s $net_lan_main -p tcp \
            --dport 80 -m state --state NEW -j ACCEPT
        $iptables -A INPUT -i $if_lan_test -s $net_lan_test -p tcp \
            --dport 80 -m state --state NEW -j ACCEPT
        $iptables -A INPUT -i $if_lan_test -s $net_lan_medley -p tcp \
            --dport 80 -m state --state NEW -j ACCEPT

        # Brute force detection chain
        $iptables -N BRUTECHECK
        $iptables -A BRUTECHECK -m set --match-set bruteforce src -j DROP
        $iptables -A BRUTECHECK -j ACCEPT

        # Allow SSH connections from anywhere, but try to prevent brute
        # force attacks...
        $iptables -N SSHSCAN
        $iptables -N SSHREJECT

        # Handle incoming SSH clients
        $iptables -A INPUT -p TCP --dport ssh -m state --state NEW -j SSHSCAN
        $iptables -A SSHSCAN -m set --match-set whitelist src -j ACCEPT
        $iptables -A SSHSCAN -m recent --set --name SSH
        $iptables -A SSHSCAN -m recent --update --hitcount 6 --seconds 600 \
            --name SSH -j SSHREJECT
        $iptables -A SSHSCAN -j BRUTECHECK
        $iptables -A SSHREJECT -j SET --add-set bruteforce src
        $iptables -A SSHREJECT -j LOG --log-level info \
            --log-prefix "SSH bruteforce detected: "
        $iptables -A SSHREJECT -j DROP

        # Reject all other connections w/ ICMP
        $iptables -A INPUT -j REJECT
        ;;

    stop)
        clear_iptables

        $ipset -S >"$IPSET_DATA"
        $chown root:root "$IPSET_DATA"
        $chmod 600 "$IPSET_DATA"
        $ipset -X
        ;;

    force-reload|restart)
        $0 stop
        $0 start
        ;;

    status)
        $iptables -t nat -L
        $iptables -L
        $ipset -L
        ;;

    *)
        echo "Usage: /etc/init.d/firewall {start|stop|restart|force-reload|status}"
        exit 1
        ;;
esac
	#!/bin/sh

	### BEGIN INIT INFO
	# Provides: firewall
	# Required-Start: $local_fs $remote_fs
	# Required-Stop: $local_fs $remote_fs
	# Default-Start: 2 3 4 5
	# Default-Stop: 0 1 6
	# Short-Description: iptables firewall
	# Description: Custom iptables firewall
	### END INIT INFO
	#
	# Author: Mark Shroyer <code@markshroyer.com>
	#

	# Note: if you install this script on Debian and you get an error that
	# iptables doesn't have the set module available, run the following
	# command:
	#
	# module-assistant auto-install xtables-addons

	PATH=/bin:/usr/bin:/sbin:/usr/sbin
	IPSET_DATA=/var/local/ipset.dat

	if_lan_main=eth1
	if_lan_test=eth0
	if_lan="eth0 eth1"
	net_lan_main="10.175.3.0/24"
	net_lan_test="10.175.2.0/24"
	net_lan_medley="10.175.1.0/24"

	ports_nfs="sunrpc rpc.nfsd rpc.nfs-cb rpc.statd-bc rpc.statd rpc.mountd \
	rpc.lockd rpc.quotad"

	set_default_nfs=""
	set_default_whitelist=""

	iptables=/sbin/iptables
	ipset=/usr/sbin/ipset
	chown=/bin/chown
	chmod=/bin/chmod

	. /lib/lsb/init-functions

	clear_iptables() {
	$iptables -F
	$iptables --delete-chain
	$iptables -t nat -F
	$iptables -t nat --delete-chain

	$iptables -P INPUT ACCEPT
	$iptables -P OUTPUT ACCEPT
	$iptables -P FORWARD DROP
	$iptables -t nat -P PREROUTING ACCEPT
	$iptables -t nat -P POSTROUTING ACCEPT
	$iptables -t nat -P OUTPUT ACCEPT
	}

	case "$1" in
	start)
	clear_iptables

	# Default policies
	$iptables -P INPUT DROP
	$iptables -P FORWARD DROP

	# Gotta have loopback...
	$iptables -A INPUT -i lo -j ACCEPT

	# Continue connections with established state...
	$iptables -A INPUT -m state --state ESTABLISHED,RELATED \
	-j ACCEPT

	# Allowed ICMP types
	$iptables -A INPUT -p icmp --icmp-type echo-request
	$iptables -A INPUT -p icmp --icmp-type destination-unreachable
	$iptables -A INPUT -p icmp --icmp-type source-quench
	$iptables -A INPUT -p icmp --icmp-type time-exceeded

	# Restore saved ipsets
	if [ -f "$IPSET_DATA" ]; then
	$ipset -R <"$IPSET_DATA"
	fi

	# Default ipsets and set entries
	$ipset -N whitelist iphash 2>/dev/null
	$ipset -N nfs_clients iphash 2>/dev/null
	$ipset -N bruteforce iphash 2>/dev/null
	for item in $(echo $set_default_nfs \| tr "," "\n"); do
	$ipset -A nfs_clients $item 2>/dev/null
	done
	for item in $(echo $set_default_whitelist \| tr "," "\n"); do
	$ipset -A whitelist $item 2>/dev/null
	done

	# NFS access for hosts in nfs_clients ipset
	for port in $ports_nfs; do
	$iptables -A INPUT -p UDP --dport $port -m state --state NEW \
	-m set --match-set nfs_clients src -j ACCEPT
	$iptables -A INPUT -p TCP --dport $port -m state --state NEW \
	-m set --match-set nfs_clients src -j ACCEPT
	done

	# Allow any connections from whitelisted LAN hosts
	$iptables -A INPUT -i $if_lan_main -s $net_lan_main -m state \
	--state NEW -m set --match-set whitelist src -j ACCEPT
	$iptables -A INPUT -i $if_lan_test -s $net_lan_test -m state \
	--state NEW -m set --match-set whitelist src -j ACCEPT
	$iptables -A INPUT -i $if_lan_test -s $net_lan_medley -m state \
	--state NEW -m set --match-set whitelist src -j ACCEPT

	# Web access for all LAN hosts (not just whitelisted)
	$iptables -A INPUT -i $if_lan_main -s $net_lan_main -p tcp \
	--dport 80 -m state --state NEW -j ACCEPT
	$iptables -A INPUT -i $if_lan_test -s $net_lan_test -p tcp \
	--dport 80 -m state --state NEW -j ACCEPT
	$iptables -A INPUT -i $if_lan_test -s $net_lan_medley -p tcp \
	--dport 80 -m state --state NEW -j ACCEPT

	# Brute force detection chain
	$iptables -N BRUTECHECK
	$iptables -A BRUTECHECK -m set --match-set bruteforce src -j DROP
	$iptables -A BRUTECHECK -j ACCEPT

	# Allow SSH connections from anywhere, but try to prevent brute
	# force attacks...
	$iptables -N SSHSCAN
	$iptables -N SSHREJECT

	# Handle incoming SSH clients
	$iptables -A INPUT -p TCP --dport ssh -m state --state NEW -j SSHSCAN
	$iptables -A SSHSCAN -m set --match-set whitelist src -j ACCEPT
	$iptables -A SSHSCAN -m recent --set --name SSH
	$iptables -A SSHSCAN -m recent --update --hitcount 6 --seconds 600 \
	--name SSH -j SSHREJECT
	$iptables -A SSHSCAN -j BRUTECHECK
	$iptables -A SSHREJECT -j SET --add-set bruteforce src
	$iptables -A SSHREJECT -j LOG --log-level info \
	--log-prefix "SSH bruteforce detected: "
	$iptables -A SSHREJECT -j DROP

	# Reject all other connections w/ ICMP
	$iptables -A INPUT -j REJECT
	;;

	stop)
	clear_iptables

	$ipset -S >"$IPSET_DATA"
	$chown root:root "$IPSET_DATA"
	$chmod 600 "$IPSET_DATA"
	$ipset -X
	;;

	force-reload\|restart)
	$0 stop
	$0 start
	;;

	status)
	$iptables -t nat -L
	$iptables -L
	$ipset -L
	;;

	*)
	echo "Usage: /etc/init.d/firewall {start\|stop\|restart\|force-reload\|status}"
	exit 1
	;;
	esac