#!/bin/tcsh
#
# Firewall script for "exa": an iptables packet filter for a host with
# two interfaces (eth0 on the inside, ippp0 towards the outside).
# Written for tcsh: there are no functions, the script runs top to bottom,
# and the ORDER of the iptables -A calls is the policy — a rule only sees
# packets that no earlier rule in the same chain has already matched.
# Must run as root (writes to /proc/sys and calls iptables).
# ==========================================================
# PART I: Variables 
# ==========================================================

# modprobe ip_tables
# modprobe ip_conntrack
# NOTE(review): no conntrack helper for ftp (ip_conntrack_ftp) is loaded
# here either; the passive-ftp rule in PART VII presumably compensates
# for that — confirm.

set IPTABLES = /usr/sbin/iptables

# ----------------------------------------------------------
# special ports (iptables port ranges are written "low:high")

set p_high   = 1024:65535   # unprivileged ports
set p_ssh    = 500:1023    # common ssh source ports
                            # NOTE(review): only clients that bind a
                            # privileged source port match this range;
                            # OpenSSH clients by default use unprivileged
                            # source ports, so the rules using $p_ssh may
                            # need $p_high instead — confirm with the
                            # clients actually in use.
set p_socks  = 1080         # Socks Server Port (defined, not referenced below)

# ----------------------------------------------------------
# interfaces

set EXT = ippp0              # external interface (isdn4linux PPP device)
set DMZ = eth0               # internal interface; the rules below expect
                             # both $DMZ_NET and $INT_NET behind it

set IF  = ( $DMZ $EXT )      # every interface that gets the per-interface
                             # sysctls in PART II

# ----------------------------------------------------------
# ip hosts

set ext_ip   = 192.0.82.55   # external IP address, replace with
                             # your own.
                             # NOTE(review): used as a fixed SNAT source in
                             # PART IV; if ippp0 gets a dynamic address,
                             # MASQUERADE is the usual fit — confirm.

set NS       = ( 193.101.111.10 193.101.111.20 )   # upstream nameservers
                                                    # $ns_int may query
set ns_int   = 192.168.2.2   # caching only Nameserver

set extmail  = 192.76.144.56 # uumail.de.uu.net (the only external SMTP peer)
set intmail  = 192.168.2.2   # internal mail server
set sockssrv = 192.168.2.2   # socks server (same host as ns_int / intmail)
set loghost  = 192.168.1.9   # syslog purposes

set INT_NET  = 192.168.1.0/255.255.255.0 # example
set DMZ_NET  = 192.168.2.0/255.255.255.0 # example
set FRIENDs  = 192.0.84.0/255.255.255.0  # external net that $INT_NET may
                                         # reach by ssh (PART VIII)

# ==========================================================
# PART II: Basic configuration: lock down
# ==========================================================
# set dynamic kernel parameters
# NOTE(review): tcsh has no "stop on error" mode; if one of these /proc
# files does not exist on the target kernel the redirect reports an error
# and the script just carries on — check the output on the first run.

echo "0" > /proc/sys/net/ipv4/ip_forward  # off for now; re-enabled in PART IV
echo "1" > /proc/sys/net/ipv4/tcp_syncookies 
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# NOTE(review): the per-type icmp_*_rate knobs below look like an older
# 2.x kernel interface — confirm they exist on the target kernel.
echo "5" > /proc/sys/net/ipv4/icmp_destunreach_rate
echo "5" > /proc/sys/net/ipv4/icmp_echoreply_rate
echo "5" > /proc/sys/net/ipv4/icmp_paramprob_rate
echo "10" > /proc/sys/net/ipv4/icmp_timeexceed_rate 

# per-interface hardening: reverse-path filter on, ICMP redirects and
# source routing off, bootp relay off, martian logging on
foreach if ( $IF )
   echo "1" > /proc/sys/net/ipv4/conf/$if/rp_filter
   echo "0" > /proc/sys/net/ipv4/conf/$if/accept_redirects
   echo "0" > /proc/sys/net/ipv4/conf/$if/accept_source_route
   echo "0" > /proc/sys/net/ipv4/conf/$if/bootp_relay
   echo "1" > /proc/sys/net/ipv4/conf/$if/log_martians
end

# ----------------------------------------------------------
# Default policy and flush
# The DROP policies are set *before* the flush, so the chains never sit
# empty under a non-DROP policy while the rules are being rebuilt.

$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT DROP

$IPTABLES -F         # flush all chains (table filter)
$IPTABLES -t nat -F  # flush all chains (table nat)
$IPTABLES -X         # delete all user-defined chains 
                     # (table filter)

# ----------------------------------------------------------
# local processes (loopback is unrestricted)

$IPTABLES -A OUTPUT -o lo -j ACCEPT
$IPTABLES -A INPUT  -i lo -j ACCEPT


# ----------------------------------------------------------
# ssh for remote administration (only from $INT_NET, via $DMZ)
# Must stay ahead of the "NEW,INVALID -> my_drop" INPUT rule in PART V,
# which drops every other new connection to the firewall itself.

$IPTABLES -A INPUT  -i $DMZ -s $INT_NET \
          -p TCP --sport $p_ssh --dport ssh \
          -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# replies of the ssh daemon; OUTPUT has no general ESTABLISHED rule,
# so every locally originated flow needs its own OUTPUT rule
$IPTABLES -A OUTPUT -o $DMZ -d $INT_NET \
          -p TCP --dport $p_ssh --sport ssh \
          -m state --state ESTABLISHED,RELATED -j ACCEPT

# ==========================================================
# PART III: User-defined chains
# ==========================================================

# ----------------------------------------------------------
# DROP & LOG chain: log with a per-protocol prefix, then drop.
# Target for everything that is not explicitly accepted.
# NOTE(review): the LOG rules have no "-m limit"; consider one so a
# flood of rejected packets cannot swamp syslog.

$IPTABLES -N my_drop
$IPTABLES -A my_drop -p ICMP -j LOG --log-prefix "DROP-ICMP "
$IPTABLES -A my_drop -p UDP  -j LOG --log-prefix "DROP-UDP "
$IPTABLES -A my_drop -p TCP  -j LOG --log-prefix "DROP-TCP "
$IPTABLES -A my_drop -j DROP

# ==========================================================
# PART IV: Source-NAT
# ==========================================================
# Everything leaving $EXT gets $ext_ip as its source, the firewall's
# own traffic included. Only source NAT is configured; this script
# contains no DNAT (PREROUTING) rule at all.

$IPTABLES -t nat -A POSTROUTING -o $EXT \
          -j SNAT --to-source $ext_ip

# Safe to enable before the FORWARD rules exist: the FORWARD policy
# is already DROP (PART II).
echo "1" > /proc/sys/net/ipv4/ip_forward  # switch back on

# ==========================================================
# PART V: Filter rules for local services
# ==========================================================

# ----------------------------------------------------------
# Return path: incoming packets belonging to an existing connection.
# The second rule ends INPUT processing for new connections: any
# INPUT rule that is meant to accept NEW traffic must come before it.

$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -m state --state NEW,INVALID -j my_drop

# ----------------------------------------------------------
# ICMP: the firewall may ping out; replies come back via the
# ESTABLISHED rule above

$IPTABLES -A OUTPUT -p ICMP --icmp-type echo-request -j ACCEPT

# ----------------------------------------------------------
# SYSLOG: forward the firewall's own log to $loghost (UDP, no replies
# expected; NEW is needed because the firewall originates the datagrams)

$IPTABLES -A OUTPUT -o $DMZ -d $loghost \
          -m state --state NEW,ESTABLISHED,RELATED \
          -p UDP --sport syslog --dport syslog -j ACCEPT

# ==========================================================
# PART VII: Forwarding: DMZ --> External
# ==========================================================

# ----------------------------------------------------------
# ident: reject
# REJECT rather than my_drop, presumably so that peers doing ident
# lookups get an immediate answer instead of waiting for a timeout.
# NOTE(review): without --reject-with tcp-reset the reply is the REJECT
# default (ICMP port-unreachable); tcp-reset is the more conventional
# answer for ident — consider.

$IPTABLES -A FORWARD -i $EXT \
            -p TCP --dport auth --syn -j REJECT


# ----------------------------------------------------------
# Return path: incoming packets belonging to an existing 
# outgoing connection (SNAT is undone by conntrack before FORWARD,
# so the destination here is already the private DMZ address)

$IPTABLES -A FORWARD -i $EXT -o $DMZ -d $DMZ_NET \
          -m state --state ESTABLISHED,RELATED -j ACCEPT

# ----------------------------------------------------------
# Return path: outgoing packets belonging to an existing 
# incoming connection (server services)

$IPTABLES -A FORWARD -i $DMZ -o $EXT -s $DMZ_NET \
          -m state --state ESTABLISHED,RELATED -j ACCEPT

# ----------------------------------------------------------
# drop invalid packets in general (logged via my_drop)

$IPTABLES -A FORWARD -m state --state INVALID -j my_drop

# ----------------------------------------------------------
# ICMP: the DMZ may ping out

$IPTABLES -A FORWARD -i $DMZ -o $EXT -s $DMZ_NET \
          -p ICMP --icmp-type echo-request -j ACCEPT

# ----------------------------------------------------------
# DNS: only the caching resolver, only to the listed upstream servers,
# UDP and TCP.
# NOTE(review): only queries from an unprivileged source port match;
# older BIND versions sent queries from port 53 — confirm the resolver's
# query-source setting.

foreach ns ( $NS )
  $IPTABLES -A FORWARD -i $DMZ -o $EXT -s $ns_int -d $ns \
            -m state --state NEW,ESTABLISHED,RELATED \
            -p UDP --sport $p_high --dport domain \
            -j ACCEPT

  $IPTABLES -A FORWARD -i $DMZ -o $EXT -s $ns_int -d $ns \
            -m state --state NEW,ESTABLISHED,RELATED \
            -p TCP --sport $p_high --dport domain \
            -j ACCEPT
end

# ----------------------------------------------------------
# SMTP outbound: the internal mail server may only relay to $extmail

$IPTABLES -A FORWARD -i $DMZ -o $EXT -s $intmail -d $extmail \
          -m state --state NEW,ESTABLISHED,RELATED \
          -p TCP --sport $p_high --dport smtp -j ACCEPT

# ----------------------------------------------------------
# SMTP inbound (server service)
# NOTE(review): as written this rule cannot match. PART IV sets up no
# DNAT, so a packet from $extmail arriving on $EXT is addressed to
# $ext_ip, never to the private $intmail. A PREROUTING DNAT
# ($extmail -> $ext_ip, port smtp, to $intmail) would be needed for this
# rule to see traffic — confirm whether inbound mail is really expected.

$IPTABLES -A FORWARD -i $EXT -o $DMZ -s $extmail -d $intmail \
          -m state --state NEW,ESTABLISHED,RELATED \
          -p TCP --sport $p_high --dport smtp -j ACCEPT

# ----------------------------------------------------------
# HTTP: only the socks server goes out directly

$IPTABLES -A FORWARD -i $DMZ -o $EXT -s $sockssrv \
          -m state --state NEW,ESTABLISHED,RELATED \
          -p TCP --sport $p_high --dport http \
          -j ACCEPT

# ----------------------------------------------------------
# HTTP via SSL

$IPTABLES -A FORWARD -i $DMZ -o $EXT -s $sockssrv \
          -m state --state NEW,ESTABLISHED,RELATED \
          -p TCP --sport $p_high --dport https \
          -j ACCEPT

# ----------------------------------------------------------
# ftp, out, control connection

$IPTABLES -A FORWARD -i $DMZ -o $EXT -s $sockssrv \
          -m state --state NEW,ESTABLISHED,RELATED \
          -p TCP --sport $p_high --dport ftp \
          -j ACCEPT

# ftp, out, passive data connection
# NOTE(review): this accepts a NEW TCP connection from the socks server
# to *any* unprivileged port on *any* external host, not just ftp data.
# With the ip_conntrack_ftp helper loaded the data connection would be
# RELATED and already covered by the $DMZ -> $EXT ESTABLISHED,RELATED
# rule above, and this broad rule could go — confirm.

$IPTABLES -A FORWARD -i $DMZ -o $EXT -s $sockssrv \
          -m state --state NEW,ESTABLISHED,RELATED \
          -p TCP --sport $p_high --dport $p_high \
          -j ACCEPT

# ----------------------------------------------------------
# SSH, only for the socks server

$IPTABLES -A FORWARD -i $DMZ -o $EXT -s $sockssrv \
          -m state --state NEW,ESTABLISHED,RELATED \
          -p TCP --sport $p_high --dport ssh \
          -j ACCEPT


# ==========================================================
# PART VIII: Forwarding: Internal --> External, direct
# ==========================================================
# $INT_NET gets only ping and ssh-to-$FRIENDs directly; everything
# else presumably goes through the socks server rules in PART VII.

# ----------------------------------------------------------
# Return path: incoming packets belonging to an existing connection;
# any other inbound packet for $INT_NET is logged and dropped here

$IPTABLES -A FORWARD -i $EXT -o $DMZ -d $INT_NET \
          -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPTABLES -A FORWARD -i $EXT -o $DMZ -d $INT_NET \
          -m state --state NEW,INVALID -j my_drop

# ----------------------------------------------------------
# ICMP: the internal net may ping out

$IPTABLES -A FORWARD -i $DMZ -o $EXT -s $INT_NET \
          -p ICMP --icmp-type echo-request -j ACCEPT

# ----------------------------------------------------------
# SSH to $FRIENDs only (same $p_ssh source-port caveat as in PART I)

$IPTABLES -A FORWARD -i $DMZ -o $EXT -s $INT_NET -d $FRIENDs \
          -m state --state NEW,ESTABLISHED,RELATED \
          -p TCP --sport $p_ssh --dport ssh -j ACCEPT

# ==========================================================
# FINAL
# ==========================================================

# ----------------------------------------------------------
# Sweeper: log and drop everything else. With the OUTPUT catch-all the
# firewall host itself can only talk via lo, ssh replies to $INT_NET,
# outgoing ping and syslog (the OUTPUT rules above).

$IPTABLES -A INPUT   -j my_drop
$IPTABLES -A FORWARD -j my_drop
$IPTABLES -A OUTPUT  -j my_drop

