antarctis eudecem-9f-v0

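#!/bin/bash
#
# antarctis - iptables ruleset for the eudecem-9f-v0 gateway.
#
# Interfaces (from the definitions below): WAN on eth0, LAN 172.21.0.0/16 on
# eth1, DMZ 172.22.0.0/16 on eth2.  The script flushes the current tables,
# installs the rules and terminates every built-in chain in the logging
# DROP chain "antarctis".
#
# Usage: run as root.  Reloading does not cut existing SSH sessions because
# the SSH rules match ESTABLISHED state.  Needs conntrack ("-m state"; the
# modern spelling is "-m conntrack --ctstate"), LOG and limit support.
#
# The pasted original used typographic quotes and en-dashes (e.g. “eth0″,
# –dport); bash does not treat those as quotes or as option prefixes, so
# every variable carried the quote characters and every long option was
# rejected by iptables.  This version uses plain ASCII throughout.
#
# Abort on the first failing command: together with the DROP policies set
# below a half-applied ruleset fails closed instead of silently leaving
# holes.  Note that a failure then also blocks SSH until the script is
# re-run successfully (or iptables is reset by hand from the console).
set -e

[[ -t 1 ]] && clear
echo ""
echo "[FIREWALL - Bringing up]"

echo "##### DEFINITIONS"
echo "# setting definitions"
readonly IPTABLES="/sbin/iptables"

readonly WAN_IF="eth0"
readonly LAN_IF="eth1"
readonly DMZ_IF="eth2"

# Public addresses.  Only WAN_0001 carries services today; WAN_0002 and
# WAN_0003 are defined but unused (see the 443 note in the DNAT section).
readonly WAN_0000="78.46.52.192/28"
readonly WAN_0001="78.46.52.201"
readonly WAN_0002="78.46.52.202"
readonly WAN_0003="78.46.52.203"

readonly LAN_0000="172.21.0.0/16"
readonly LAN_0001="172.21.0.1"       # F9-Firewall
readonly LAN_0002="172.21.0.201"     # 07-Datastorage
readonly LAN_0003="172.21.0.101"     # 00-Database
readonly LAN_0004="172.21.101.101"   # 01-Web-v0
readonly LAN_0005="172.21.101.102"   # 01-Web-v1
readonly LAN_0006="172.21.101.103"   # 01-Web-v2
readonly LAN_0007="172.21.101.201"   # 36-Mail

readonly DMZ_0000="172.22.0.0/16"
readonly DMZ_0001="172.22.0.1"       # F9-Firewall
readonly DMZ_0002="172.22.101.101"   # MS-Terminal01
readonly DMZ_0003="172.22.101.102"   # MS-Terminal02 Prog
readonly DMZ_0004="172.22.101.103"   # NX-Terminal

# The "host system" that is allowed to mount NFS from 07-Datastorage.
readonly EXT_0000="78.46.52.193"

# The only resolvers the firewall itself talks to.
readonly DNS_0001="213.133.98.98"
readonly DNS_0002="213.133.99.99"

#######################################
# Publish one port of an internal host on a public address: the DNAT rule
# plus the two FORWARD rules that admit the connection and its replies.
# Globals:   IPTABLES, WAN_IF (read)
# Arguments:
#   $1 protocol (tcp|udp)
#   $2 public address the clients connect to
#   $3 public port
#   $4 interface the internal host sits on (LAN_IF or DMZ_IF)
#   $5 internal address
#   $6 internal port
#   $7 optional: only this client address may use the mapping
# Returns:   non-zero (and aborts the script under set -e) if iptables fails
#######################################
publish_port() {
  local proto=$1 pub_ip=$2 pub_port=$3 in_if=$4 priv_ip=$5 priv_port=$6
  local client=${7-}
  # Optional source restriction; empty arrays expand to nothing.
  local -a from=() back=()
  if [[ -n "$client" ]]; then
    from=(-s "$client")
    back=(-d "$client")
  fi
  "$IPTABLES" -t nat -A PREROUTING "${from[@]}" -d "$pub_ip" -p "$proto" \
    --dport "$pub_port" -j DNAT --to-destination "${priv_ip}:${priv_port}"
  "$IPTABLES" -A FORWARD -i "$WAN_IF" -p "$proto" "${from[@]}" -d "$priv_ip" \
    --dport "$priv_port" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  "$IPTABLES" -A FORWARD -i "$in_if" -p "$proto" "${back[@]}" -s "$priv_ip" \
    --sport "$priv_port" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

#######################################
# Let a whole internal network open connections to one destination port and
# let the replies (arriving on WAN_IF) back in.
# Globals:   IPTABLES, WAN_IF (read)
# Arguments:
#   $1 protocol (tcp|udp)
#   $2 interface the network sits on
#   $3 network in CIDR notation
#   $4 destination port
# Returns:   non-zero (and aborts the script under set -e) if iptables fails
#######################################
allow_outbound() {
  local proto=$1 in_if=$2 net=$3 port=$4
  "$IPTABLES" -A FORWARD -i "$in_if" -p "$proto" -s "$net" --dport "$port" \
    -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  "$IPTABLES" -A FORWARD -i "$WAN_IF" -p "$proto" -d "$net" --sport "$port" \
    -m state --state ESTABLISHED,RELATED -j ACCEPT
}

echo "##### PREPARATIONS"
echo "# default policies: fail closed while the tables are rebuilt"
# -F does not touch chain policies, so without these the host accepted
# everything between the flush and the final jump to antarctis.  Packets of
# already-tracked flows keep matching the ESTABLISHED rules added below.
"$IPTABLES" -P INPUT DROP
"$IPTABLES" -P OUTPUT DROP
"$IPTABLES" -P FORWARD DROP
echo "# clear existing configuration"
"$IPTABLES" -F
"$IPTABLES" -F -t nat
"$IPTABLES" -X
"$IPTABLES" -X -t nat

echo "##### DEFINING CHAINS"
# antarctis: log, then drop.  The rate limit keeps a flood from filling the
# log and burying the events that matter; the values are a conservative
# starting point, tune them to the host's log budget.  Protocols other than
# TCP/UDP are dropped without a log line, as before.
"$IPTABLES" -N antarctis
"$IPTABLES" -A antarctis -p tcp -m limit --limit 5/min --limit-burst 10 \
  -j LOG --log-level debug --log-prefix "ANTARCTIS: TCP "
"$IPTABLES" -A antarctis -p udp -m limit --limit 5/min --limit-burst 10 \
  -j LOG --log-level debug --log-prefix "ANTARCTIS: UDP "
"$IPTABLES" -A antarctis -j DROP

echo "##### INBOUNDING RULES"
echo "# allow ICMP"
# The previous ruleset had two overlapping ICMP rules per chain (one
# ESTABLISHED,RELATED and one NEW,ESTABLISHED,RELATED); a single
# NEW,ESTABLISHED,RELATED rule per chain is equivalent.
"$IPTABLES" -A INPUT -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
"$IPTABLES" -A OUTPUT -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
echo "# allow SSH"
"$IPTABLES" -A INPUT -p tcp -i "$WAN_IF" --dport 22 \
  -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
"$IPTABLES" -A OUTPUT -p tcp -o "$WAN_IF" --sport 22 \
  -m state --state ESTABLISHED,RELATED -j ACCEPT

echo "##### OUTBOUNDING RULES"
echo "# allow DNS"
# Queries go only to the two configured resolvers and replies are accepted
# only for flows conntrack has seen.  The previous stateless "--sport 53"
# INPUT rules let any packet with source port 53 from those addresses in.
for dns in "$DNS_0001" "$DNS_0002"; do
  "$IPTABLES" -A OUTPUT -p udp -d "$dns" --sport 1024: --dport 53 \
    -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  "$IPTABLES" -A OUTPUT -p tcp -d "$dns" --sport 1024: --dport 53 \
    -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  "$IPTABLES" -A INPUT -p udp -s "$dns" --sport 53 \
    -m state --state ESTABLISHED,RELATED -j ACCEPT
  "$IPTABLES" -A INPUT -p tcp -s "$dns" --sport 53 \
    -m state --state ESTABLISHED,RELATED -j ACCEPT
done
echo "# allow SSH"
"$IPTABLES" -A OUTPUT -p tcp --dport 22 \
  -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
"$IPTABLES" -A INPUT -p tcp --sport 22 \
  -m state --state ESTABLISHED,RELATED -j ACCEPT
echo "# allow HTTP"
"$IPTABLES" -A OUTPUT -p tcp -o "$WAN_IF" --dport 80 \
  -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
"$IPTABLES" -A INPUT -p tcp -i "$WAN_IF" --sport 80 \
  -m state --state ESTABLISHED,RELATED -j ACCEPT

echo "##### INBOUND FROM HOSTSYSTEM"
echo "# allow NFS"
# Ports 2049, 111 and 32769 (TCP and UDP) of 07-Datastorage, reachable from
# the host system only.
for port in 2049 111 32769; do
  publish_port tcp "$WAN_0001" "$port" "$LAN_IF" "$LAN_0002" "$port" "$EXT_0000"
  publish_port udp "$WAN_0001" "$port" "$LAN_IF" "$LAN_0002" "$port" "$EXT_0000"
done

echo "##### DNAT"
echo "DNAT Remotecontrols"
# One public SSH port per host.  All of these accept any client; pass a
# management address as 7th argument to publish_port to narrow one down.
publish_port tcp "$WAN_0001" 2201 "$LAN_IF" "$LAN_0004" 22
publish_port tcp "$WAN_0001" 2207 "$LAN_IF" "$LAN_0002" 22
publish_port tcp "$WAN_0001" 2220 "$LAN_IF" "$LAN_0003" 22
publish_port tcp "$WAN_0001" 2236 "$LAN_IF" "$LAN_0007" 22
publish_port tcp "$WAN_0001" 2248 "$DMZ_IF" "$DMZ_0004" 22

echo "DNAT v1:80 to eudecem-01-v1:80"
publish_port tcp "$WAN_0001" 80 "$LAN_IF" "$LAN_0004" 80
echo "DNAT v1:443 to eudecem-01-v1:443"
publish_port tcp "$WAN_0001" 443 "$LAN_IF" "$LAN_0004" 443
# The previous ruleset also DNATed WAN_0001:443 to LAN_0005 ("v2") and
# LAN_0006 ("v3").  DNAT is terminating and PREROUTING is matched top-down,
# so only the first rule for WAN_0001:443 ever fired and the v2/v3 rules
# were dead.  To expose them, give each node its own public address -
# WAN_0002 and WAN_0003 are defined and unused - e.g.:
#   publish_port tcp "$WAN_0002" 443 "$LAN_IF" "$LAN_0005" 443
#   publish_port tcp "$WAN_0003" 443 "$LAN_IF" "$LAN_0006" 443
echo "DNAT v1:3389 to eudecem-ms-v0:3389"
# RDP is open to every source; restrict with publish_port's 7th argument if
# only known clients need it.
publish_port tcp "$WAN_0001" 3389 "$DMZ_IF" "$DMZ_0002" 3389

echo "##### OUTBOUND RULES FOR HOSTS"
# NOTE(review): these rules carry no -o match, so combined with the reply
# rules created by publish_port they also admit DMZ -> LAN traffic on these
# ports (e.g. a DMZ host to 01-Web-v0:22).  Add -o "$WAN_IF" to the first
# rule in allow_outbound if that is not intended.
echo "# allow SSH"
allow_outbound tcp "$LAN_IF" "$LAN_0000" 22
echo "# allow DNS"
allow_outbound tcp "$LAN_IF" "$LAN_0000" 53
allow_outbound udp "$LAN_IF" "$LAN_0000" 53
allow_outbound tcp "$DMZ_IF" "$DMZ_0000" 53
allow_outbound udp "$DMZ_IF" "$DMZ_0000" 53
echo "# allow HTTP"
allow_outbound tcp "$LAN_IF" "$LAN_0000" 80
allow_outbound tcp "$DMZ_IF" "$DMZ_0000" 80
echo "# allow HTTPS"
allow_outbound tcp "$LAN_IF" "$LAN_0000" 443
allow_outbound tcp "$DMZ_IF" "$DMZ_0000" 443

echo "# PREPARING NAT"
echo 1 > /proc/sys/net/ipv4/ip_forward
"$IPTABLES" -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
# Masquerading towards LAN and DMZ rewrites the source of every forwarded
# packet - including the DNATed web, SSH and RDP sessions - to the
# firewall's inner address, so the internal hosts' own logs never see the
# real client address.  Keep these two rules only if the internal hosts do
# not route their replies through this firewall.
"$IPTABLES" -t nat -A POSTROUTING -o "$LAN_IF" -j MASQUERADE
"$IPTABLES" -t nat -A POSTROUTING -o "$DMZ_IF" -j MASQUERADE

echo "# allow LOOPBACKIF"
"$IPTABLES" -A INPUT -i lo -j ACCEPT
"$IPTABLES" -A OUTPUT -o lo -j ACCEPT

echo "# drop ALL"
# Everything not accepted above ends in the logging DROP chain.
"$IPTABLES" -A INPUT -j antarctis
"$IPTABLES" -A OUTPUT -j antarctis
"$IPTABLES" -A FORWARD -j antarctis

echo "[FIREWALL - Finish]"
echo "##### THANKS FOR USING OPENWALLET IPTABLES-GENERATOR v. 1.0"
echo ""
exit 0
##### EOF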
