#!/bin/tcsh
# Firewallscript für fire
# ==========================================================
# PART I: Variablen 
# ==========================================================

# Kernel modules for the packet filter and for connection tracking
# (every "-m state" match below depends on ip_conntrack).
modprobe ip_tables
modprobe ip_conntrack

set IPTABLES = /usr/sbin/iptables

# ----------------------------------------------------------
# special ports

set p_high   = 1024:65535   # unprivileged ports
set p_ssh    = 500:1023     # common ssh source ports
                            # NOTE(review): only ssh clients that bind a
                            # privileged source port fall into this range;
                            # clients using an unprivileged port (p_high)
                            # do not match the ssh rules -- confirm against
                            # the clients actually in use.
set p_socks  = 1080         # Socks Server Port

# ----------------------------------------------------------
# interfaces

set EXT = ippp0   # external interface (dial-up, see ip_dynaddr in Part IV)
set INT = eth0    # internal LAN
set DMZ = eth1    # DMZ

set IF  = ( $INT $DMZ $EXT )   # every interface, for the per-interface sysctls

# ----------------------------------------------------------
# ip hosts

set NS       = ( 193.101.111.10 193.101.111.20 )  # external name servers

set extmail  = 192.76.144.56 # uumail.de.uu.net (external mail relay)
set intmail  = 192.168.2.2   # internal mail server (reached via DMZ)
set sockssrv = 192.168.2.2   # SOCKS server (same host as intmail)
set loghost  = 192.168.1.9   # syslog purposes (on the internal LAN)


set INTERN   = 192.168.1.0/255.255.255.0 # example; used by the ssh INPUT rule only
set DMZ_NET  = 192.168.2.0/255.255.255.0 # example; currently not referenced by any rule
set FRIENDs  = 192.0.84.0/255.255.255.0  # the only direct ssh destination from INT (Part VIII)

# ==========================================================
# PART II: Grundkonfiguration: absichern
# ==========================================================
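# set dynamic kernel parameters
#
# Forwarding is disabled first so that nothing is forwarded while the
# rule set is rebuilt below; Part IV re-enables it once the DROP policies
# and the NAT rule are in place.

echo "0" > /proc/sys/net/ipv4/ip_forward  # off for now
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# NOTE(review): the icmp_*_rate knobs exist only on older kernels; later
# kernels replaced them with icmp_ratelimit / icmp_ratemask.  A missing
# file only produces an error message here and is otherwise harmless.
echo "5" > /proc/sys/net/ipv4/icmp_destunreach_rate
echo "5" > /proc/sys/net/ipv4/icmp_echoreply_rate
echo "5" > /proc/sys/net/ipv4/icmp_paramprob_rate
echo "10" > /proc/sys/net/ipv4/icmp_timeexceed_rate

# Per-interface hardening: reverse-path check against spoofed source
# addresses, no ICMP redirects, no source routing, no BOOTP relaying,
# and logging of martian packets.  "default" is included so that an
# interface that only appears after this script has run (an ippp0 that
# is created on demand, for instance) inherits the same settings instead
# of the kernel defaults.  A conf directory that does not exist yet is
# reported and skipped instead of producing one redirection error per
# setting.

foreach ifc ( $IF default )
   set confdir = /proc/sys/net/ipv4/conf/$ifc
   if ( ! -d $confdir ) then
      echo "firewall: $confdir not present, skipping" >> /dev/stderr
      continue
   endif
   echo "1" > $confdir/rp_filter
   echo "0" > $confdir/accept_redirects
   echo "0" > $confdir/accept_source_route
   echo "0" > $confdir/bootp_relay
   echo "1" > $confdir/log_martians
end
unset confdir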

# ----------------------------------------------------------
# Default policy and flush
#
# The policies are set to DROP *before* the chains are flushed, so there
# is no moment at which the old rules are gone while the policy still
# accepts.  Only filter and nat are flushed; mangle is not touched by
# this script.

$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT DROP

$IPTABLES -F         # flush all chains (table filter)
$IPTABLES -t nat -F  # flush all chains (table nat)
$IPTABLES -X         # delete all userdefined chains
                     # (table filter) -- must follow -F, since a chain can
                     # only be deleted once it is empty and unreferenced

# ----------------------------------------------------------
# local processes (loopback is trusted unconditionally)

$IPTABLES -A OUTPUT -o lo -j ACCEPT
$IPTABLES -A INPUT  -i lo -j ACCEPT

# ----------------------------------------------------------
# ssh for remote administration
#
# Only from the internal net on the internal interface, and only from
# the p_ssh source-port range.  This rule is appended before the generic
# INPUT rules of Part V, so apart from loopback it is the only way a NEW
# connection can reach a service on the firewall itself.

$IPTABLES -A INPUT  -i $INT -s $INTERN \
          -p TCP --sport $p_ssh --dport ssh \
          -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

$IPTABLES -A OUTPUT -o $INT -d $INTERN \
          -p TCP --dport $p_ssh --sport ssh \
          -m state --state ESTABLISHED,RELATED -j ACCEPT

# ==========================================================
# Part III: Userdefinierte Regelketten
# ==========================================================

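# ----------------------------------------------------------
# DROP & LOG chain
#
# Every packet sent to my_drop is logged with a protocol-specific prefix
# and then dropped.  The LOG rules are rate-limited: without a limit a
# port scan or a misbehaving host could fill the syslog partition (here
# or on the loghost) and bury other messages.  The limit/burst values are
# a starting point and may be tuned; packets beyond the limit are still
# dropped, just not logged.  Protocols other than ICMP/UDP/TCP are
# dropped without a log entry, as before.

set log_limit = ( -m limit --limit 5/minute --limit-burst 10 )

$IPTABLES -N my_drop
$IPTABLES -A my_drop -p ICMP $log_limit -j LOG --log-prefix "DROP-ICMP "
$IPTABLES -A my_drop -p UDP  $log_limit -j LOG --log-prefix "DROP-UDP "
$IPTABLES -A my_drop -p TCP  $log_limit -j LOG --log-prefix "DROP-TCP "
$IPTABLES -A my_drop -j DROP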

# ==========================================================
# PART IV: Masquerading
# ==========================================================

# ----------------------------------------------------------
# MASQUERADING
#
# Everything forwarded out over the external interface leaves with the
# firewall's (dynamic) external address.  Which packets may be forwarded
# at all is decided by the FORWARD rules in Parts VI-VIII, not here.

$IPTABLES -t nat -A POSTROUTING -o $EXT -j MASQUERADE

# Forwarding is switched back on here, before the FORWARD rules exist;
# this is safe only because the FORWARD policy is already DROP (Part II).
echo "1" > /proc/sys/net/ipv4/ip_forward  # switch back on
echo "1" > /proc/sys/net/ipv4/ip_dynaddr  # external address may change (dial-up)

# ==========================================================
# PART V: Filterregeln für lokale Dienste
# ==========================================================

# ----------------------------------------------------------
# Return channel: incoming packets belonging to an existing connection
#
# No -i, so this covers every interface: replies to the firewall's own
# traffic (e.g. ping) are accepted wherever they arrive.  Anything NEW
# or INVALID that the ssh rule in Part II did not accept is logged and
# dropped right here.

$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -m state --state NEW,INVALID -j my_drop

# ----------------------------------------------------------
# ICMP: the firewall itself may ping out on any interface; the replies
# come back through the ESTABLISHED,RELATED rule above.

$IPTABLES -A OUTPUT -p ICMP --icmp-type echo-request -j ACCEPT

# ----------------------------------------------------------
# SYSLOG: remote logging to loghost, UDP over the internal interface.
# This only permits the traffic; the LOG target writes to the kernel
# log, so the drop messages reach loghost only if syslogd on this host
# is configured to forward them.

$IPTABLES -A OUTPUT -o $INT -p UDP \
          -m state --state NEW,ESTABLISHED,RELATED \
          --sport syslog -d $loghost --dport syslog -j ACCEPT

# ==========================================================
# PART VI: Forwarding: Intern --> DMZ
# ==========================================================

# ----------------------------------------------------------
# Return channel: incoming packets belonging to an existing connection
#
# DMZ -> internal is allowed for replies only; a NEW (or INVALID)
# connection from the DMZ towards the internal net is logged and dropped
# here, before any of the rules below are consulted.
#
# NOTE(review): none of the "-i $INT" forward rules in this part check
# "-s $INTERN"; anti-spoofing on the internal interface therefore rests
# on rp_filter (Part II) alone.

$IPTABLES -A FORWARD -i $DMZ -o $INT \
          -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPTABLES -A FORWARD -i $DMZ -o $INT \
          -m state --state NEW,INVALID -j my_drop

# ----------------------------------------------------------
# ICMP: internal hosts may ping DMZ hosts.

$IPTABLES -A FORWARD -i $INT -o $DMZ \
          -p ICMP --icmp-type echo-request -j ACCEPT

# ----------------------------------------------------------
# SOCKS
#
# TCP to the SOCKS port of *any* DMZ host (no -d; sockssrv is not used
# here).  The UDP rule is considerably wider: NEW UDP from any high port
# to any high port on any DMZ host -- presumably for the SOCKS UDP relay;
# verify that this breadth is intended.

$IPTABLES -A FORWARD -i $INT -o $DMZ \
            -m state --state NEW,ESTABLISHED,RELATED \
            -p TCP --sport $p_high --dport $p_socks -j ACCEPT

$IPTABLES -A FORWARD -i $INT -o $DMZ \
            -m state --state NEW,ESTABLISHED,RELATED \
            -p UDP --sport $p_high --dport $p_high -j ACCEPT

# ----------------------------------------------------------
# SMTP, POP3: internal clients to the internal mail server only.

$IPTABLES -A FORWARD -i $INT -o $DMZ \
          -m state --state NEW,ESTABLISHED,RELATED \
          -p TCP --sport $p_high -d $intmail --dport smtp \
          -j ACCEPT

$IPTABLES -A FORWARD -i $INT -o $DMZ  \
          -m state --state NEW,ESTABLISHED,RELATED \
          -p TCP --sport $p_high -d $intmail --dport pop3 \
          -j ACCEPT

# ----------------------------------------------------------
# ident: reject (disabled; kept for reference)
#
# $IPTABLES -A FORWARD -i $DMZ \
#             -p TCP --dport auth --syn -j REJECT
#
# $IPTABLES -A FORWARD -i $DMZ -o $INT \
#           -m state --state NEW,ESTABLISHED,RELATED \
#           -p TCP --sport $p_high --dport auth -j ACCEPT
#
# $IPTABLES -A FORWARD -i $INT -o $DMZ \
#           -m state --state ESTABLISHED,RELATED \
#           -p TCP --dport $p_high --sport auth -j ACCEPT
#
# ----------------------------------------------------------
# SSH: internal hosts to any DMZ host, again restricted to the p_ssh
# source-port range (see the note on p_ssh in Part I).

$IPTABLES -A FORWARD -i $INT -o $DMZ \
            -m state --state NEW,ESTABLISHED,RELATED \
            -p TCP --sport $p_ssh --dport ssh -j ACCEPT


# ==========================================================
# PART VII: Forwarding: DMZ --> Extern
# ==========================================================

# ----------------------------------------------------------
# Return channel: incoming packets belonging to an existing connection
#
# External -> DMZ is allowed for replies only; NEW or INVALID packets
# from outside towards the DMZ are logged and dropped here.  There is
# no inbound service exposed in the DMZ by this script.

$IPTABLES -A FORWARD -i $EXT -o $DMZ \
          -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPTABLES -A FORWARD -i $EXT -o $DMZ \
          -m state --state NEW,INVALID -j my_drop

# ----------------------------------------------------------
# ICMP: DMZ hosts may ping external hosts.

$IPTABLES -A FORWARD -i $DMZ -o $EXT \
          -p ICMP --icmp-type echo-request -j ACCEPT

# ----------------------------------------------------------
# DNS: any DMZ host, but only to the configured name servers (NS),
# UDP and TCP.

foreach ns ( $NS )
  $IPTABLES -A FORWARD -i $DMZ -o $EXT \
            -m state --state NEW,ESTABLISHED,RELATED \
            -p UDP --sport $p_high -d $ns --dport domain \
            -j ACCEPT

  $IPTABLES -A FORWARD -i $DMZ -o $EXT \
            -m state --state NEW,ESTABLISHED,RELATED \
            -p TCP --sport $p_high -d $ns --dport domain \
            -j ACCEPT
end

# ----------------------------------------------------------
# SMTP, POP3: only the internal mail server, and only to extmail.

$IPTABLES -A FORWARD -i $DMZ -o $EXT -s $intmail \
          -m state --state NEW,ESTABLISHED,RELATED \
          -p TCP --sport $p_high -d $extmail --dport smtp \
          -j ACCEPT

$IPTABLES -A FORWARD -i $DMZ -o $EXT -s $intmail \
          -m state --state NEW,ESTABLISHED,RELATED \
          -p TCP --sport $p_high -d $extmail --dport pop3 \
          -j ACCEPT

# ----------------------------------------------------------
# HTTP: only the SOCKS server, to any destination.

$IPTABLES -A FORWARD -i $DMZ -o $EXT -s $sockssrv \
          -m state --state NEW,ESTABLISHED,RELATED \
          -p TCP --sport $p_high --dport http \
          -j ACCEPT

# ----------------------------------------------------------
# HTTP via SSL: only the SOCKS server, to any destination.

$IPTABLES -A FORWARD -i $DMZ -o $EXT -s $sockssrv \
          -m state --state NEW,ESTABLISHED,RELATED \
          -p TCP --sport $p_high --dport https \
          -j ACCEPT

# ----------------------------------------------------------
# ftp, out, control connection (SOCKS server only)

$IPTABLES -A FORWARD -i $DMZ -o $EXT -s $sockssrv \
          -m state --state NEW,ESTABLISHED,RELATED \
          -p TCP --sport $p_high --dport ftp \
          -j ACCEPT

# ftp, out, passive data connection
#
# NOTE(review): this rule is not limited to FTP data channels -- it
# permits NEW TCP from the SOCKS server to any external host on any
# unprivileged port.  With the ip_conntrack_ftp helper loaded (it is not
# loaded in Part I), passive data connections are classified RELATED and
# pass the ESTABLISHED,RELATED rule already; this rule could then be
# narrowed or removed.

$IPTABLES -A FORWARD -i $DMZ -o $EXT -s $sockssrv \
          -m state --state NEW,ESTABLISHED,RELATED \
          -p TCP --sport $p_high --dport $p_high \
          -j ACCEPT

# ----------------------------------------------------------
# SSH, only for the SOCKS server (any destination, high source ports)

$IPTABLES -A FORWARD -i $DMZ -o $EXT -s $sockssrv \
          -m state --state NEW,ESTABLISHED,RELATED \
          -p TCP --sport $p_high --dport ssh \
          -j ACCEPT


# ==========================================================
# PART VIII: Forwarding: Intern --> Extern, direkt
# ==========================================================

# ----------------------------------------------------------
# ident: reject
#
# Answers ident (auth) connection attempts from outside with a REJECT
# instead of a silent drop, so that remote servers do not wait for a
# timeout.  Without --reject-with this sends an ICMP port-unreachable;
# "--reject-with tcp-reset" is the usual choice for ident -- consider it.
# NOTE(review): the rule has no -o, but the Part VII return-channel
# rules already send NEW packets from EXT to the DMZ to my_drop, so it
# effectively applies to EXT -> INT only.  Under masquerading an ident
# request from outside is addressed to the firewall itself and goes
# through INPUT (where Part V drops it), not FORWARD; if the reject is
# wanted in that case it needs an INPUT rule ahead of the NEW,INVALID
# drop in Part V.

$IPTABLES -A FORWARD -i $EXT \
            -p TCP --dport auth --syn -j REJECT

# ----------------------------------------------------------
# Return channel: incoming packets belonging to an existing connection
#
# External -> internal is allowed for replies only.

$IPTABLES -A FORWARD -i $EXT -o $INT \
          -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPTABLES -A FORWARD -i $EXT -o $INT \
          -m state --state NEW,INVALID -j my_drop

# ----------------------------------------------------------
# ICMP: internal hosts may ping external hosts directly.

$IPTABLES -A FORWARD -i $INT -o $EXT \
          -p ICMP --icmp-type echo-request -j ACCEPT

# ----------------------------------------------------------
# DNS (only if direct DNS is required): internal hosts to the
# configured name servers (NS), UDP and TCP.

foreach ns ( $NS )
   $IPTABLES -A FORWARD -i $INT -o $EXT \
             -m state --state NEW,ESTABLISHED,RELATED \
             -p UDP --sport $p_high -d $ns --dport domain \
             -j ACCEPT

   $IPTABLES -A FORWARD -i $INT -o $EXT \
             -m state --state NEW,ESTABLISHED,RELATED \
             -p TCP --sport $p_high -d $ns --dport domain \
             -j ACCEPT
end

# ----------------------------------------------------------
# SSH (only if ssh via SOCKS is not wanted): internal hosts directly to
# the FRIENDs network only, p_ssh source-port range (see Part I).

$IPTABLES -A FORWARD -i $INT -o $EXT \
          -m state --state NEW,ESTABLISHED,RELATED \
          -p TCP --sport $p_ssh --dport ssh \
          -d $FRIENDs -j ACCEPT

# ==========================================================
# SCHLUSS
# ==========================================================

# ----------------------------------------------------------
# Sweeper: log and drop everything that was not matched above.
#
# The chain policies are DROP already (Part II); these rules exist so
# that the remainder is logged via my_drop rather than dropped silently.

$IPTABLES -A INPUT   -j my_drop
$IPTABLES -A FORWARD -j my_drop
$IPTABLES -A OUTPUT  -j my_drop


