#!/bin/bash

# Company:  PowerCraft Technology
# Author:   Copyright Jelle de Jong <jelledejong@powercraft.nl>
# Note:     Please send me an email if you enhanced the document
# Date:     2010-07-27
# License:  CC-BY-SA

# This document is free documentation; you can redistribute it and/or
# modify it under the terms of the Creative Commons Attribution Share
# Alike as published by the Creative Commons Foundation; either version
# 3.0 of the License, or (at your option) any later version.
#
# This document is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# Creative Commons BY-SA License for more details.
#
# http://creativecommons.org/licenses/by-sa/

#-----------------------------------------------------------------------

http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch14_:_Linux_Firewalls_Using_iptables
http://tldp.org/HOWTO/IP-Masquerade-HOWTO/mtu-issues.html
http://www.debian-administration.org/article/Routing_for_multiple_uplinks
http://www.aboutdebian.com/network.htm

# "iptables -p PROTO -h" prints the protocol-specific match options, e.g. the
# --icmp-type names (echo-request, fragmentation-needed) used in the rules below.
iptables -p icmp -h
iptables -p esp -h

#-----------------------------------------------------------------------

# Show the persistent MAC-address -> ethN mapping udev applies at boot
# (its contents are pasted below); check it before binding rules to interface names.
cat /etc/udev/rules.d/70-persistent-net.rules

# PCI device 0x1106:0x3053 (via-rhine)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:0d:b9:1e:60:10", ATTR{dev_id}=="0x0", ATTR{type}=="1", KERNEL=="eth*", NAME="eth0"

# PCI device 0x1106:0x3053 (via-rhine)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:0d:b9:1e:60:12", ATTR{dev_id}=="0x0", ATTR{type}=="1", KERNEL=="eth*", NAME="eth2"

# PCI device 0x1106:0x3053 (via-rhine)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:0d:b9:1e:60:11", ATTR{dev_id}=="0x0", ATTR{type}=="1", KERNEL=="eth*", NAME="eth1"

#-----------------------------------------------------------------------

# Open (or create) the firewall script. The two lines after the vim command are
# vim keystrokes, not shell: dG wipes the buffer and :set paste turns off
# auto-indent so the script pasted in the next section is stored verbatim.
vim $HOME/iptables-setup.sh
dG
:set paste

#-----------------------------------------------------------------------

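#!/bin/sh

# iptables-setup.sh - rebuild the router's packet filter and NAT rules.
#
# Runs as root. WAN01 is the uplink interface, LAN01..LAN03 are the private
# VLAN interfaces. Every chain is flushed first, so the script can be re-run.

# Load the kernel modules into the kernel
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_irc
/sbin/modprobe iptable_nat

# Activate forwarding in the kernel
/bin/echo "1" > /proc/sys/net/ipv4/ip_forward

# Enable reverse-path (anti-spoofing) filtering. Writing 1 turns the check
# ON: a packet arriving on an interface the kernel would not use to reach
# its source address is dropped.
/bin/echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter

# Export environment settings
# LAN is the device connected to the private internal network
# WAN is the device connected to the outside internet network
export WAN01=vlan5
# (an earlier duplicate assignment of LAN01 was overridden by this one and has been removed)
export LAN01=vlan2
export LAN02=vlan3
export LAN03=vlan4

# Set the default policies BEFORE flushing, so the router is fail-closed while
# the chains are rebuilt and stays closed if the script aborts halfway.
# Deny all incoming and forwarded traffic, allow outgoing traffic.
/sbin/iptables --policy INPUT DROP
/sbin/iptables --policy FORWARD DROP
/sbin/iptables --policy OUTPUT ACCEPT

# Remove any existing rules from all chains
/sbin/iptables --flush
/sbin/iptables --flush --table nat
/sbin/iptables --flush --table mangle

# Remove any pre-existing user-defined chains
/sbin/iptables --delete-chain
/sbin/iptables --delete-chain --table nat
/sbin/iptables --delete-chain --table mangle

# Zero the packet and byte counters
/sbin/iptables --zero

# --- INPUT: traffic addressed to the router itself ---------------------

# Drop all invalid incoming packets
/sbin/iptables --append INPUT --match state --state INVALID --jump DROP
# Accept incoming traffic that belongs to a connection that already exists
/sbin/iptables --append INPUT --match state --state ESTABLISHED,RELATED --jump ACCEPT
# Accept incoming connections for DHCP on udp port 67:68
/sbin/iptables --append INPUT --protocol udp --sport 67:68 --dport 67:68 --jump ACCEPT
# Accept incoming DNS queries on udp port 53. Replies to the router's own
# queries are already matched by the ESTABLISHED rule above, so no
# "--sport 53 --jump ACCEPT" rule is needed: such a rule lets any packet
# carrying source port 53 reach every UDP service on the router.
/sbin/iptables --append INPUT --protocol udp --dport 53 --jump ACCEPT
# Accept incoming connections for the SSH server on port 22 and 223 up to 225
/sbin/iptables --append INPUT --protocol tcp --dport 22 --jump ACCEPT
/sbin/iptables --append INPUT --protocol tcp --dport 223:225 --jump ACCEPT

# Accept incoming connections for flomotion
/sbin/iptables --append INPUT --in-interface ${WAN01} --protocol tcp --dport 8600:8610 --jump ACCEPT
/sbin/iptables --append INPUT --in-interface ${WAN01} --protocol tcp --dport 8700:8710 --jump ACCEPT
/sbin/iptables --append INPUT --in-interface ${WAN01} --protocol tcp --dport 8800:8810 --jump ACCEPT

# Accept incoming icmp type 8 (echo) requests
/sbin/iptables --append INPUT --protocol icmp --icmp-type echo-request --jump ACCEPT
# Accept incoming icmp type 3 code 4 (fragmentation needed), required for path MTU discovery
/sbin/iptables --append INPUT --protocol icmp --icmp-type fragmentation-needed --jump ACCEPT

# Accept the router's own loopback traffic
/sbin/iptables --append INPUT --in-interface lo --jump ACCEPT
# Accept incoming connections from the private internal networks
/sbin/iptables --append INPUT --in-interface ${LAN01} --jump ACCEPT
/sbin/iptables --append INPUT --in-interface ${LAN02} --jump ACCEPT
/sbin/iptables --append INPUT --in-interface ${LAN03} --jump ACCEPT

# Optional logging of what is about to be dropped (debugging only); rate
# limited so a flood of rejected packets cannot fill the syslog
# /sbin/iptables --append INPUT --match limit --limit 5/minute --limit-burst 10 --jump LOG
# Drop all other incoming packets
/sbin/iptables --append INPUT --jump DROP

# --- FORWARD: traffic routed through the router ------------------------

# Drop all invalid forwarded packets
/sbin/iptables --append FORWARD --match state --state INVALID --jump DROP
# Accept forwarded traffic that belongs to a connection that already exists
/sbin/iptables --append FORWARD --match state --state ESTABLISHED,RELATED --jump ACCEPT
# Accept new connections originating from our private internal networks
/sbin/iptables --append FORWARD --in-interface ${LAN01} --jump ACCEPT
/sbin/iptables --append FORWARD --in-interface ${LAN02} --jump ACCEPT
/sbin/iptables --append FORWARD --in-interface ${LAN03} --jump ACCEPT
# From the uplink, accept only new connections that PREROUTING has DNATed to
# one of the published services below. An unconditional
# "--in-interface ${WAN01} --jump ACCEPT" would forward any packet from the
# outside to any internal host the router can route to.
/sbin/iptables --append FORWARD --in-interface ${WAN01} --match conntrack --ctstate DNAT --jump ACCEPT

# Log what is about to be dropped (debugging only); rate limited so a flood
# of rejected packets cannot fill the syslog
/sbin/iptables --append FORWARD --match limit --limit 5/minute --limit-burst 10 --jump LOG
# Drop all other forwarded packets
/sbin/iptables --append FORWARD --jump DROP

# --- nat PREROUTING: published services on the flomotion video appliances --

# SSH on tcp ports 223-225 and the 86xx/87xx/88xx ranges are DNATed to the appliances
/sbin/iptables --table nat --append PREROUTING --in-interface ${WAN01} --protocol tcp --dport 223 --jump LOG --log-prefix "PREROUTING01: "
/sbin/iptables --table nat --append PREROUTING --in-interface ${WAN01} --protocol tcp --dport 223 --jump DNAT --to-destination 192.168.30.10:22
/sbin/iptables --table nat --append PREROUTING --in-interface ${WAN01} --protocol tcp --dport 224 --jump LOG --log-prefix "PREROUTING02: "
/sbin/iptables --table nat --append PREROUTING --in-interface ${WAN01} --protocol tcp --dport 224 --jump DNAT --to-destination 192.168.30.11:22
/sbin/iptables --table nat --append PREROUTING --in-interface ${WAN01} --protocol tcp --dport 225 --jump LOG --log-prefix "PREROUTING03: "
/sbin/iptables --table nat --append PREROUTING --in-interface ${WAN01} --protocol tcp --dport 225 --jump DNAT --to-destination 192.168.30.12:22
/sbin/iptables --table nat --append PREROUTING --in-interface ${WAN01} --protocol tcp --dport 8600:8610 --jump LOG --log-prefix "PREROUTING04: "
/sbin/iptables --table nat --append PREROUTING --in-interface ${WAN01} --protocol tcp --dport 8600:8610 --jump DNAT --to-destination 192.168.30.10
/sbin/iptables --table nat --append PREROUTING --in-interface ${WAN01} --protocol tcp --dport 8700:8710 --jump LOG --log-prefix "PREROUTING05: "
/sbin/iptables --table nat --append PREROUTING --in-interface ${WAN01} --protocol tcp --dport 8700:8710 --jump DNAT --to-destination 192.168.30.11
/sbin/iptables --table nat --append PREROUTING --in-interface ${WAN01} --protocol tcp --dport 8800:8810 --jump LOG --log-prefix "PREROUTING06: "
/sbin/iptables --table nat --append PREROUTING --in-interface ${WAN01} --protocol tcp --dport 8800:8810 --jump DNAT --to-destination 192.168.30.12

# --- OUTPUT: traffic generated by the router itself --------------------

# Drop all invalid outgoing packets
/sbin/iptables --append OUTPUT --match state --state INVALID --jump DROP
# Accept outgoing traffic that belongs to a connection that already exists
/sbin/iptables --append OUTPUT --match state --state ESTABLISHED,RELATED --jump ACCEPT
# Accept all outgoing tcp traffic
/sbin/iptables --append OUTPUT --protocol tcp --jump ACCEPT
# Accept outgoing connections for the discard (sink null) service on udp port 9
/sbin/iptables --append OUTPUT --protocol udp --dport 9 --jump ACCEPT
# Accept outgoing connections for DNS on udp port 53
/sbin/iptables --append OUTPUT --protocol udp --dport 53 --jump ACCEPT
/sbin/iptables --append OUTPUT --protocol udp --sport 53 --jump ACCEPT
# Accept outgoing connections for mDNS on udp port 5353
/sbin/iptables --append OUTPUT --protocol udp --dport 5353 --jump ACCEPT
# Accept outgoing connections for NTP (Network Time Protocol) on udp port 123
/sbin/iptables --append OUTPUT --protocol udp --dport 123 --jump ACCEPT
# Accept outgoing connections for DHCP on udp port 67:68
/sbin/iptables --append OUTPUT --protocol udp --sport 67:68 --dport 67:68 --jump ACCEPT
# Accept outgoing icmp fragmentation-needed messages
/sbin/iptables --append OUTPUT --protocol icmp --icmp-type fragmentation-needed --jump ACCEPT
# Accept outgoing ping echo requests
/sbin/iptables --append OUTPUT --protocol icmp --icmp-type echo-request --jump ACCEPT
# Accept outgoing ping echo replies
/sbin/iptables --append OUTPUT --protocol icmp --icmp-type echo-reply --jump ACCEPT
# Accept the router's own loopback traffic
/sbin/iptables --append OUTPUT --out-interface lo --jump ACCEPT
# Log what is about to be dropped (debugging only); rate limited so a flood
# of rejected packets cannot fill the syslog
/sbin/iptables --append OUTPUT --match limit --limit 5/minute --limit-burst 10 --jump LOG
# Drop all other outgoing packets
/sbin/iptables --append OUTPUT --jump DROP

# --- nat POSTROUTING ----------------------------------------------------

# Source NAT so the outside world sees only the public address pool for all outgoing traffic
/sbin/iptables --table nat --append POSTROUTING --jump SNAT --out-interface ${WAN01}+ --to-source 145.52.240.5-145.52.240.25 --random --persistent

# Default policies were set at the top of the script, before the flush.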

#-----------------------------------------------------------------------

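# Review the script, then run it with tracing so every iptables call is
# echoed to stderr as it executes. The path is quoted and preceded by --
# so a $HOME containing spaces or starting with '-' cannot be mis-parsed.
cat -- "$HOME/iptables-setup.sh"
bash -x -- "$HOME/iptables-setup.sh"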

#-----------------------------------------------------------------------

# fail2ban's iptables actions keep their own chains; restart it after the
# rebuild above, since --flush/--delete-chain removed them.
/etc/init.d/fail2ban restart

#-----------------------------------------------------------------------

# /sbin/iptables -L -n --line-numbers | less
# /usr/bin/tail -f -n 25 /var/log/syslog
# grep 465 /etc/services
# getent services 465

#-----------------------------------------------------------------------

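# Persist the live ruleset so it survives a reboot.
# Test with -d rather than -e: if /etc/iptables exists as a plain file, -e
# would skip the mkdir and the redirect below would fail.
[ -d /etc/iptables/ ] || mkdir --verbose /etc/iptables/
iptables-save > /etc/iptables/iptables.rules
# The dump is data, not a program: 600 keeps it root-only without the
# needless execute bit that 700 would set.
chmod 600 /etc/iptables/iptables.rules
ls -hal /etc/iptables/iptables.rules
cat /etc/iptables/iptables.rules

# ifupdown hook: reload the saved rules whenever a real interface comes up.
# The quoted EOF delimiter keeps $IFACE and $MODE literal, so they are
# expanded by the hook at run time rather than by this shell now.
cat > /etc/network/if-up.d/iptables <<'EOF'
#!/bin/sh
logger -t iptables-config running
if [ "$IFACE" = lo ] || [ "$MODE" != start ]; then exit 0; fi
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_irc
/sbin/modprobe iptable_nat
/bin/echo "1" > /proc/sys/net/ipv4/ip_forward
/bin/echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
iptables-restore < /etc/iptables/iptables.rules
logger -t iptables-config done
EOF

# The hook must be executable; it is run by root, so keep it root-only.
chmod 700 /etc/network/if-up.d/iptables
ls -hal /etc/network/if-up.d/iptables
cat /etc/network/if-up.d/iptables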

#-----------------------------------------------------------------------

# Post-run verification: routing table, the three iptables tables, and listening sockets.
route -n
# -L without -n resolves every address and port in the ruleset via DNS/services;
# add -n (as on the --line-numbers call below) when name resolution is slow or blocked.
iptables -L -v
iptables -L -v -t nat
iptables -L -v -t mangle
iptables -L -n --line-numbers
# Listening sockets; check that nothing is exposed that the INPUT rules do not intend.
netstat -l

#-----------------------------------------------------------------------
