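#!/bin/bash
# practica1.sh - iptables ruleset for a three-legged firewall (LAN / DMZ / WAN).
#
# What it does, in order:
#   1. flushes every rule and user chain in the filter and nat tables,
#   2. sets the default policy of INPUT, OUTPUT and FORWARD to DROP,
#   3. enables IPv4 forwarding,
#   4. installs the allow / NAT rules for the topology listed below,
#   5. sends whatever is still unmatched to a rate-limited LOG chain and drops it,
#   6. persists the ruleset with "service iptables save".
#
# Needs root. The policies are switched to DROP before any allow rule exists,
# so run it from the console (a LAN ssh session stalls until the ssh rules are
# installed); a failure half-way leaves the host closed, never open.
# Only IPv4 is handled: ip6tables is untouched by this script.
#
# Fix over the previous revision: the variable block used "NAME = value"
# (spaces around "="), which bash runs as a command called NAME, so every
# assignment failed and the rules had to repeat the literal addresses. The
# variables are now valid, read-only and actually used by the rules.

set -u

#######################################
# Print a message to stderr and exit with status 1.
# Arguments: message words
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Print the three-line section banner used throughout the script.
# Arguments: $1 - banner text (printed as "-- text --")
#######################################
banner() {
  printf '%s\n' "------------------------------" "-- $1 --" "------------------------------"
}

#######################################
# Run iptables and abort on failure. Stopping at the first failed command keeps
# the host fail-closed (policies are DROP) instead of silently saving a partial
# ruleset.
# Arguments: iptables arguments
#######################################
ipt() {
  iptables "$@" || die "iptables $* failed"
}

# -------------------------------------------
# Firewall interfaces
# -------------------------------------------
# -> eth2 -> 192.168.56.101/24 -> LAN
# -> eth3 -> 192.168.0.195/24 -> DMZ
# -> eth1 -> 10.0.2.16/24 -> WAN
readonly IFACE_LAN="eth2"
readonly IFACE_DMZ="eth3"
readonly IFACE_WAN="eth1"
readonly NETWK_LAN="192.168.56.0/24"
# shellcheck disable=SC2034  # documents the DMZ segment; rules address the server host only
readonly NETWK_DMZ="192.168.0.0/24"
# shellcheck disable=SC2034  # documents the WAN segment; rules use 0.0.0.0/0 towards INET
readonly NETWK_WAN="10.0.2.0/24"
readonly IP_DMZ_SERVER="192.168.0.193"
readonly IP_WAN_INET="0.0.0.0/0"
# The firewall's own WAN address, used as SNAT source for LAN and DMZ traffic.
readonly IP_FW_WAN="10.0.2.16"
# Unprivileged client port range accepted as the "other end" of every TCP flow.
readonly PORTS_EPHEMERAL="1024:65535"
# Passive ftp data range, matching the DMZ ftp server configuration:
#   pasv_enable=YES  pasv_min_port=10090  pasv_max_port=10100
readonly PORTS_FTP_PASV="10090:10100"

#######################################
# Append one FORWARD ACCEPT rule for a TCP flow.
# "-m state" is kept as in the saved ruleset; "-m conntrack --ctstate" is the
# equivalent on current kernels.
# Arguments: $1 in-iface  $2 src  $3 out-iface  $4 dst
#            $5 sport     $6 dport  $7 conntrack states (comma separated)
#######################################
forward_tcp() {
  ipt -A FORWARD -i "$1" -s "$2" -o "$3" -d "$4" \
    -p tcp --sport "$5" --dport "$6" -m state --state "$7" -j ACCEPT
}

#######################################
# Delete all previous rules and user chains in filter and nat, reset counters.
#######################################
flush_rules() {
  banner "Cleaning previous config"
  ipt -F
  ipt -X
  ipt -Z
  ipt -t nat -F
  ipt -t nat -X
  ipt -t nat -Z
}

#######################################
# Default policy DROP on every built-in filter chain.
#######################################
set_default_policy() {
  local chain
  banner "Setting def policy: DROP"
  for chain in INPUT OUTPUT FORWARD; do
    ipt -P "$chain" DROP
  done
}

#######################################
# Turn on IPv4 forwarding for the running kernel (not persisted across reboots).
#######################################
enable_ip_forwarding() {
  banner "Enabling IP forwarding"
  printf '1\n' > /proc/sys/net/ipv4/ip_forward || die "cannot enable IP forwarding"
}

#######################################
# NAT plus http / ftp (control, active data, passive data) from LAN -> DMZ server.
#######################################
allow_lan_to_dmz() {
  local port
  # LAN clients reach the DMZ server with the firewall's DMZ address as source.
  ipt -t nat -A POSTROUTING -s "$NETWK_LAN" -o "$IFACE_DMZ" -d "$IP_DMZ_SERVER" -j MASQUERADE
  for port in 20 21 80; do
    forward_tcp "$IFACE_LAN" "$NETWK_LAN" "$IFACE_DMZ" "$IP_DMZ_SERVER" \
      "$PORTS_EPHEMERAL" "$port" NEW,ESTABLISHED,RELATED
  done
  # NOTE(review): the server-initiated active-mode data connection (sport 20)
  # only counts as RELATED when the ftp conntrack helper (nf_conntrack_ftp) is
  # loaded on this host — confirm, otherwise active ftp data is dropped.
  for port in 20 21 80; do
    forward_tcp "$IFACE_DMZ" "$IP_DMZ_SERVER" "$IFACE_LAN" "$NETWK_LAN" \
      "$port" "$PORTS_EPHEMERAL" ESTABLISHED,RELATED
  done
  forward_tcp "$IFACE_LAN" "$NETWK_LAN" "$IFACE_DMZ" "$IP_DMZ_SERVER" \
    "$PORTS_EPHEMERAL" "$PORTS_FTP_PASV" NEW,ESTABLISHED,RELATED
  forward_tcp "$IFACE_DMZ" "$IP_DMZ_SERVER" "$IFACE_LAN" "$NETWK_LAN" \
    "$PORTS_FTP_PASV" "$PORTS_EPHEMERAL" ESTABLISHED,RELATED
}

#######################################
# ssh from LAN -> firewall itself (INPUT/OUTPUT, not FORWARD).
#######################################
allow_lan_to_firewall() {
  ipt -A INPUT -i "$IFACE_LAN" -s "$NETWK_LAN" \
    -p tcp --sport "$PORTS_EPHEMERAL" --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
  ipt -A OUTPUT -o "$IFACE_LAN" -d "$NETWK_LAN" \
    -p tcp --sport 22 --dport "$PORTS_EPHEMERAL" -m state --state ESTABLISHED -j ACCEPT
}

#######################################
# Outgoing ping from the firewall to the LAN and to the DMZ server (request
# out, reply in); nobody may ping the firewall.
#######################################
allow_firewall_ping() {
  ipt -A OUTPUT -o "$IFACE_LAN" -d "$NETWK_LAN" -p icmp --icmp-type echo-request -j ACCEPT
  ipt -A INPUT -i "$IFACE_LAN" -s "$NETWK_LAN" -p icmp --icmp-type echo-reply -j ACCEPT
  ipt -A OUTPUT -o "$IFACE_DMZ" -d "$IP_DMZ_SERVER" -p icmp --icmp-type echo-request -j ACCEPT
  ipt -A INPUT -i "$IFACE_DMZ" -s "$IP_DMZ_SERVER" -p icmp --icmp-type echo-reply -j ACCEPT
}

#######################################
# SNAT plus http and ssh from LAN -> INET.
#######################################
allow_lan_to_inet() {
  local port
  ipt -t nat -A POSTROUTING -s "$NETWK_LAN" -o "$IFACE_WAN" -d "$IP_WAN_INET" \
    -j SNAT --to "$IP_FW_WAN"
  # Real browsing would additionally need DNS (the clients, or a local resolver,
  # talking to an external DNS server); that is deliberately left out here.
  for port in 80 22; do
    forward_tcp "$IFACE_LAN" "$NETWK_LAN" "$IFACE_WAN" "$IP_WAN_INET" \
      "$PORTS_EPHEMERAL" "$port" NEW,ESTABLISHED
    forward_tcp "$IFACE_WAN" "$IP_WAN_INET" "$IFACE_LAN" "$NETWK_LAN" \
      "$port" "$PORTS_EPHEMERAL" ESTABLISHED
  done
}

#######################################
# Port-forward (DNAT) http and ftp from INET to the DMZ server and allow the
# forwarded flows.
# NOTE(review): passive ftp from INET is not covered (no DNAT/forward for
# 10090:10100 on the WAN side) and the states here exclude RELATED, so only the
# control connection and http are reachable from INET — confirm that is intended.
#######################################
allow_inet_to_dmz() {
  local port
  for port in 20 21 80; do
    ipt -t nat -A PREROUTING -i "$IFACE_WAN" -s "$IP_WAN_INET" -p tcp --dport "$port" \
      -j DNAT --to "${IP_DMZ_SERVER}:${port}"
  done
  for port in 20 21 80; do
    forward_tcp "$IFACE_WAN" "$IP_WAN_INET" "$IFACE_DMZ" "$IP_DMZ_SERVER" \
      "$PORTS_EPHEMERAL" "$port" NEW,ESTABLISHED
  done
  for port in 20 21 80; do
    forward_tcp "$IFACE_DMZ" "$IP_DMZ_SERVER" "$IFACE_WAN" "$IP_WAN_INET" \
      "$port" "$PORTS_EPHEMERAL" ESTABLISHED
  done
}

#######################################
# SNAT for anything the DMZ server sends out via the WAN interface. The FORWARD
# rules only let its ESTABLISHED replies through, so the server cannot open
# new connections towards INET.
#######################################
nat_dmz_to_inet() {
  ipt -t nat -A POSTROUTING -s "$IP_DMZ_SERVER" -o "$IFACE_WAN" -d "$IP_WAN_INET" \
    -j SNAT --to "$IP_FW_WAN"
}

#######################################
# Everything that reaches the end of INPUT/FORWARD/OUTPUT is logged (at most
# 2 entries per minute) and dropped in the LOGGING chain.
#######################################
enable_logging() {
  local chain
  ipt -N LOGGING
  for chain in INPUT FORWARD OUTPUT; do
    ipt -A "$chain" -j LOGGING
  done
  ipt -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
  ipt -A LOGGING -j DROP
}

#######################################
# Persist the live ruleset. "service iptables save" is the RHEL/CentOS
# init-script path; other distributions need iptables-save into their own
# rules file. The rules stay live either way, but an unsaved ruleset comes back
# empty after a reboot, so a failure here is reported as an error.
#######################################
save_config() {
  banner "Saving iptables config"
  service iptables save || die "could not save the iptables configuration"
}

main() {
  clear
  (( EUID == 0 )) || die "practica1.sh must be run as root (iptables needs CAP_NET_ADMIN)"
  flush_rules
  set_default_policy
  enable_ip_forwarding
  banner "Starting configuration"
  allow_lan_to_dmz
  allow_lan_to_firewall
  allow_firewall_ping
  allow_lan_to_inet
  allow_inet_to_dmz
  nat_dmz_to_inet
  enable_logging
  save_config
  banner "FINISH!"
}

main "$@"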