Update history: [ 2003.01.16 ]
It has been quite a while since I last put up a page. And the material is not even new, for which I apologise further. Anyway, I have become reasonably comfortable with iptables, so I wrote a rule set for a screened branch net. Frankly, a sample is appreciated far more than pages of rambling text, which suits me and my readers alike, heh (this is certainly not me cutting corners).
Odd topics like this never make it into magazine articles. Still, this LAN layout, cheap and reasonably secure, is one I can recommend.

■ Sample overview ■

- Builds a LAN in the screened branch net style.
- Uses IP masquerading so that the host operates as a NAT box.
- Hosts inside the LAN can use almost every standard service as clients.
- A host with a private address inside the LAN can be published as an external server. In other words, no fixed global IP is needed; a single dynamic IP is enough (read the other articles on this site as well).
- It is written as a shell script, so the rule set is easy to build and tear down. Settings are changed by editing the variable values. Static routes, required modules and so on can all be added into it.
- It has not been verified at all (it has never even been run). Do not do anything reckless such as running this sample as-is in production. In the first place I do not believe a screened host layout with a server on it can be secure; it should really be a screened subnet, or at the very least a screened branch net (which is what I use myself). This sample is purely teaching material. That said, as you will see, the rules are quite strict, so if there are no mistakes and your server is solid it is probably "overkill" at SOHO level. If performance matters there are plenty of parts that can be cut; in fact, if throughput matters, using it unchanged is not sane (the more you cut, the more linearly throughput improves). It is deliberately written verbosely so that it can serve as a worked example.
- Please forgive the dodgy English in the comments (^^;
- Questions and unclear points go to the bulletin board.

■ Sample update history ■
#!/bin/sh
##
## packet filter
## (iptables version)
## shimakero
## 2003.01.11
##
## usage:  ./<this script>       build the rule set
##         ./<this script> -d    flush and delete all rules and user chains
##                               (default policies are left at DROP)
##

#--------------------------------------------------
# dynamic configuration
#--------------------------------------------------
#
# interface name
# (adapt to the current environment)
# ( ppp0 uses eth0 )
#
IF_BAD='ppp0'
IF_GOOD='eth1'
IF_DMZ='eth2'
#
# local segment
#
SEG_GOOD='192.168.1'
SEG_DMZ='192.168.2'
SEG_DMZ_2ND='192.168.3'
#
# allowed ssh or other clients
# (placeholders: replace with the real global addresses)
#
HOSTS_SSH_CLIENT='XXX.XXX.XXX.XXX YYY.YYY.YYY.YYY'
HOSTS_IMAP_CLIENT='XXX.XXX.XXX.XXX YYY.YYY.YYY.YYY'
HOSTS_HTTP_CLIENT='XXX.XXX.XXX.XXX YYY.YYY.YYY.YYY'
HOSTS_HTTP_CLIENT_2ND='XXX.XXX.XXX.XXX YYY.YYY.YYY.YYY'
HOSTS_SMTP_CLIENT='XXX.XXX.XXX.XXX YYY.YYY.YYY.YYY'
#
# specified hosts
#
HOSTS_FILE_SERVER="$SEG_GOOD.51 $SEG_GOOD.51"
HOSTS_LOGGING="$SEG_GOOD.51"
HOSTS_LOGGING_DMZ="$SEG_DMZ.51"
HOSTS_LOCAL_NAME_SERVER="$SEG_DMZ.52"
HOSTS_LOCAL_SMTP_SERVER="$SEG_DMZ.52"

#--------------------------------------------------
# static configuration
#--------------------------------------------------
#
# local address
#
ADDR_GOOD_IF="$SEG_GOOD.1"
ADDR_DMZ_IF="$SEG_DMZ.1"
# dynamic
#ADDR_BAD_IF=
#
# local address group
#
ADDR_GOOD_NW="$SEG_GOOD.0/24"
ADDR_DMZ_NW="$SEG_DMZ.0/24"
ADDR_ANYWHERE_NW="0.0.0.0/0"
#
# other address
#
ADDR_BROADCAST="255.255.255.255"
ADDR_BROADCAST_GOOD="$SEG_GOOD.255"
ADDR_BROADCAST_DMZ="$SEG_DMZ.255"
#
# port
#
PORT_USER='1024:65535'
PORT_XWINDOW='6000:6007'
PORT_NETBIOS='135:139'
PORT_TRACEROUTE='33434:33500'
PORTS_NFS_TCP=''
PORTS_NFS_UDP=''
PORTS_SMBFS_TCP='139'
PORTS_SMBFS_UDP='139'
#
# user's chains
#
CH_GOOD_DMZ='good-dmz'
CH_BAD_DMZ='bad-dmz'
CH_GOOD_BAD='good-bad'
CH_DMZ_GOOD='dmz-good'
CH_DMZ_BAD='dmz-bad'
CH_BAD_GOOD='bad-good'
CH_ICMP='icmp-handling'
CH_GOOD_IF_IN='good-if-in'
CH_BAD_IF_IN='bad-if-in'
CH_DMZ_IF_IN='dmz-if-in'
CH_GOOD_IF_OUT='good-if-out'
CH_BAD_IF_OUT='bad-if-out'
CH_DMZ_IF_OUT='dmz-if-out'
# every user chain, used by the teardown branch ( -d )
USER_CHAINS="$CH_GOOD_DMZ $CH_BAD_DMZ $CH_GOOD_BAD $CH_DMZ_GOOD $CH_DMZ_BAD $CH_BAD_GOOD $CH_ICMP $CH_GOOD_IF_IN $CH_BAD_IF_IN $CH_DMZ_IF_IN $CH_GOOD_IF_OUT $CH_BAD_IF_OUT $CH_DMZ_IF_OUT"
#
# logging
# enable LOG_LIMIT ( "-m limit --limit 1/s --limit-burst 5" ) if necessary;
# it is prepended to every LOG rule below
# ( --log-prefix is limited to 29 characters, all prefixes here fit )
#
#LOG_LIMIT="-m limit --limit 1/s --limit-burst 5"
LOG_LIMIT=""
LOG_STD="$LOG_LIMIT -j LOG --log-level info --log-prefix Packetlog:DROP"
LOG_STD_INPUT="$LOG_STD:INPUT:"
LOG_STD_OUTPUT="$LOG_STD:OUTPUT:"
LOG_STD_FORWARD="$LOG_STD:FORWARD:"
LOG_STD_BAD_GOOD="$LOG_STD:$CH_BAD_GOOD:"
LOG_STD_GOOD_BAD="$LOG_STD:$CH_GOOD_BAD:"
LOG_STD_BAD_DMZ="$LOG_STD:$CH_BAD_DMZ:"
LOG_STD_DMZ_BAD="$LOG_STD:$CH_DMZ_BAD:"
LOG_STD_GOOD_DMZ="$LOG_STD:$CH_GOOD_DMZ:"
LOG_STD_DMZ_GOOD="$LOG_STD:$CH_DMZ_GOOD:"
LOG_STD_BAD_IF_IN="$LOG_STD:$CH_BAD_IF_IN:"
LOG_STD_GOOD_IF_IN="$LOG_STD:$CH_GOOD_IF_IN:"
LOG_STD_DMZ_IF_IN="$LOG_STD:$CH_DMZ_IF_IN:"
LOG_STD_BAD_IF_OUT="$LOG_STD:$CH_BAD_IF_OUT:"
LOG_STD_GOOD_IF_OUT="$LOG_STD:$CH_GOOD_IF_OUT:"
LOG_STD_DMZ_IF_OUT="$LOG_STD:$CH_DMZ_IF_OUT:"
LOG_EXTRA="$LOG_LIMIT -j LOG --log-level info --log-prefix Packetlog:DROP"
LOG_EXTRA_INPUT="$LOG_EXTRA:INPUT:"
LOG_EXTRA_OUTPUT="$LOG_EXTRA:OUTPUT:"
LOG_EXTRA_FORWARD="$LOG_EXTRA:FORWARD:"
LOG_EXTRA_BAD_GOOD="$LOG_EXTRA:$CH_BAD_GOOD:"
LOG_EXTRA_GOOD_BAD="$LOG_EXTRA:$CH_GOOD_BAD:"
LOG_EXTRA_BAD_DMZ="$LOG_EXTRA:$CH_BAD_DMZ:"
LOG_EXTRA_DMZ_BAD="$LOG_EXTRA:$CH_DMZ_BAD:"
LOG_EXTRA_GOOD_DMZ="$LOG_EXTRA:$CH_GOOD_DMZ:"
LOG_EXTRA_DMZ_GOOD="$LOG_EXTRA:$CH_DMZ_GOOD:"
LOG_EXTRA_BAD_IF_IN="$LOG_EXTRA:$CH_BAD_IF_IN:"
LOG_EXTRA_GOOD_IF_IN="$LOG_EXTRA:$CH_GOOD_IF_IN:"
LOG_EXTRA_DMZ_IF_IN="$LOG_EXTRA:$CH_DMZ_IF_IN:"
LOG_EXTRA_BAD_IF_OUT="$LOG_EXTRA:$CH_BAD_IF_OUT:"
LOG_EXTRA_GOOD_IF_OUT="$LOG_EXTRA:$CH_GOOD_IF_OUT:"
LOG_EXTRA_DMZ_IF_OUT="$LOG_EXTRA:$CH_DMZ_IF_OUT:"
LOG_EXTENDED="$LOG_LIMIT -j LOG --log-level info --log-prefix Packetlog:DROP"
LOG_EXTENDED_INPUT="$LOG_EXTENDED:INPUT:"
LOG_EXTENDED_OUTPUT="$LOG_EXTENDED:OUTPUT:"
LOG_EXTENDED_FORWARD="$LOG_EXTENDED:FORWARD:"
LOG_EXTENDED_BAD_GOOD="$LOG_EXTENDED:$CH_BAD_GOOD:"
LOG_EXTENDED_GOOD_BAD="$LOG_EXTENDED:$CH_GOOD_BAD:"
LOG_EXTENDED_BAD_DMZ="$LOG_EXTENDED:$CH_BAD_DMZ:"
LOG_EXTENDED_DMZ_BAD="$LOG_EXTENDED:$CH_DMZ_BAD:"
LOG_EXTENDED_GOOD_DMZ="$LOG_EXTENDED:$CH_GOOD_DMZ:"
LOG_EXTENDED_DMZ_GOOD="$LOG_EXTENDED:$CH_DMZ_GOOD:"
LOG_EXTENDED_BAD_IF_IN="$LOG_EXTENDED:$CH_BAD_IF_IN:"
LOG_EXTENDED_GOOD_IF_IN="$LOG_EXTENDED:$CH_GOOD_IF_IN:"
LOG_EXTENDED_DMZ_IF_IN="$LOG_EXTENDED:$CH_DMZ_IF_IN:"
LOG_EXTENDED_BAD_IF_OUT="$LOG_EXTENDED:$CH_BAD_IF_OUT:"
LOG_EXTENDED_GOOD_IF_OUT="$LOG_EXTENDED:$CH_GOOD_IF_OUT:"
LOG_EXTENDED_DMZ_IF_OUT="$LOG_EXTENDED:$CH_DMZ_IF_OUT:"

#--------------------------------------------------
# server configuration
#--------------------------------------------------
#
# for authenticated users only
# ( hidden ports on the external side; empty = not forwarded )
#
PORT_HTTPD_HIDDEN='8080'
PORT_HTTPD_HIDDEN_2ND=''
PORT_SSHD_HIDDEN='12321'
PORT_SSHD_HIDDEN_2ND=''
##PORT_IMAPD_HIDDEN='143'
##PORT_IMAPSD_HIDDEN='993'
PORT_SMTPD_HIDDEN='25'
#
# for all users
#
# (single)
PORT_HTTPD_DEBUG='65535'
PORT_SSHD_PUBLIC='22'
PORT_HTTPD_PUBLIC='80'
PORT_HTTPD_PUBLIC_2ND='7380'
PORT_SMTPD_PUBLIC='25'
#
# real port
#
PORT_SSHD_DMZ="22"
PORT_HTTPD_DMZ="80"
PORT_SMTPD_DMZ="25"
PORT_NAMED_DMZ="53"
PORT_IMAPD_DMZ="143"
PORT_IMAPSD_DMZ="993"
#
# as client
# for good network
#
# 2401 : pserver
PORTS_CLIENT_GOOD_TCP="domain www 8080 pop3 smtp ftp ftp-data ssh sftp https 554 2401 imap imaps"
PORTS_CLIENT_GOOD_UDP="domain 123 $PORT_TRACEROUTE"
#
# as client
# for dmz network
#
# 'pop(110)' is required by fetchmail (from ISP)
PORTS_CLIENT_DMZ_TCP='ftp domain www 110 smtp'
PORTS_CLIENT_DMZ_UDP='domain 123'
#
# as server
# for dmz network
#
# add smtpd 2002/12/16
PORTS_SERVER_DMZ_TCP="$PORT_HTTPD_DMZ $PORT_SSHD_DMZ $PORT_SMTPD_DMZ"
PORTS_SERVER_DMZ_UDP=''
#
# as server on internet
# ( only authenticated users )
#
# format: '--to' style ( host:port )
HOST_PORT_LOCAL_SSHD="$SEG_DMZ.51:$PORT_SSHD_DMZ"
HOST_PORT_LOCAL_SSHD_2ND="$SEG_DMZ.52:$PORT_SSHD_DMZ"
HOST_PORT_LOCAL_HTTPD="$SEG_DMZ.51:$PORT_HTTPD_DMZ"
HOST_PORT_LOCAL_HTTPD_2ND="$SEG_DMZ.52:$PORT_HTTPD_DMZ"
HOST_PORT_LOCAL_SMTPD="$SEG_DMZ.52:$PORT_SMTPD_DMZ"
##HOST_PORT_LOCAL_IMAPD="$SEG_DMZ.52:$PORT_IMAPD_DMZ"
##HOST_PORT_LOCAL_IMAPSD="$SEG_DMZ.52:$PORT_IMAPSD_DMZ"
#
# as server on internet
# ( no authentication )
#
#HOST_PORT_PUBLIC_HTTPD="$SEG_DMZ.53:$PORT_HTTPD_DMZ"
#
# as server on internet
# ( no authentication )
# --- running fdweb
#
HOST_PORT_PUBLIC_HTTPD_2ND="$SEG_DMZ.53:$PORT_HTTPD_DMZ"
# 192.168.3.0 network
#HOST_PORT_PUBLIC_HTTPD_2ND="$SEG_DMZ_2ND.53:$PORT_HTTPD_DMZ"
#
# as client
# for this firewall host
#
PORTS_CLIENT_BAD_TCP="domain www ftp"
PORTS_CLIENT_BAD_UDP="domain 123 $PORT_TRACEROUTE"
#
# block and log at bad-interface
# ( verbose rules )
#
PORTS_EXTRA_GUARD_TCP='8080 21 110 23 111'
PORTS_EXTRA_GUARD_UDP=''
#
# reject at bad-interface
# ( verbose rules )
# TCP 6346 : gnutella, 113 : auth
# UDP 6699 : napster
#
PORTS_REJECT_TCP='6699 6346 113'
PORTS_REJECT_UDP='6699'
#
# * Reference *
#
# tcp: ssh auth 554(QuickTime)
# udp: 6970:6999(QuickTime) 6970:7170(RealAudio)
#

if [ "$1" = '-d' ]; then
    #
    # teardown: flush everything, delete the user chains,
    # and leave the default policies at DROP
    #
    for CH in $USER_CHAINS
    do
        iptables -F $CH
    done
    iptables -F INPUT
    iptables -F OUTPUT
    iptables -F FORWARD
    iptables -t nat -F PREROUTING
    iptables -t nat -F POSTROUTING
    for CH in $USER_CHAINS
    do
        iptables -X $CH
    done
    iptables -P INPUT DROP
    iptables -P OUTPUT DROP
    iptables -P FORWARD DROP
else
    # disable packet forwarding while the rules are being built
    echo 0 > /proc/sys/net/ipv4/ip_forward
    # against SYN flooding ( if a server exists )
    echo 1 > /proc/sys/net/ipv4/tcp_syncookies
    # against ip spoofing ( reverse path filter )
    for f in /proc/sys/net/ipv4/conf/*/rp_filter
    do
        echo 1 > $f
    done
    # ppp0 has a dynamic IP address
    echo 1 > /proc/sys/net/ipv4/ip_dynaddr
    # for IP Masquerade ( kernel 2.2 only ? )
    # echo 1 > /proc/sys/net/ipv4/ip_always_defrag
    #
    # exclusive
    #
    # rmmod ipchains
    #
    # default policy
    #
    iptables -P INPUT DROP
    iptables -P OUTPUT DROP
    iptables -P FORWARD DROP
    #
    # loopback interface
    #
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT
    #
    # required modules
    # ( verbose )
    #
    # depmod -a
    modprobe ip_nat_ftp
    modprobe ip_conntrack_ftp

    #==================================================
    #
    # for accepting icmp
    #
    ##
    ## user defined chains
    ##
    iptables -N $CH_ICMP
    #
    # handle icmp ( error messages only; echo is handled per chain )
    #
    iptables -A $CH_ICMP -p icmp --icmp-type destination-unreachable -j ACCEPT
    iptables -A $CH_ICMP -p icmp --icmp-type source-quench -j ACCEPT
    iptables -A $CH_ICMP -p icmp --icmp-type time-exceeded -j ACCEPT
    iptables -A $CH_ICMP -p icmp --icmp-type parameter-problem -j ACCEPT

    #==================================================
    #
    # NAT
    #
    ##
    ## make masqueraded servers visible ( port forward )
    ## ( handle carefully: only the listed client hosts are forwarded )
    ##
    for ADDR in $HOSTS_SSH_CLIENT
    do
        if [ -n "$PORT_SSHD_HIDDEN" ]; then
            iptables -t nat -A PREROUTING -p tcp -i $IF_BAD -s $ADDR --dport $PORT_SSHD_HIDDEN -j DNAT --to $HOST_PORT_LOCAL_SSHD
        fi
        if [ -n "$PORT_SSHD_HIDDEN_2ND" ]; then
            iptables -t nat -A PREROUTING -p tcp -i $IF_BAD -s $ADDR --dport $PORT_SSHD_HIDDEN_2ND -j DNAT --to $HOST_PORT_LOCAL_SSHD_2ND
        fi
    done
    for ADDR in $HOSTS_IMAP_CLIENT
    do
        if [ -n "$PORT_IMAPD_HIDDEN" ]; then
            iptables -t nat -A PREROUTING -p tcp -i $IF_BAD -s $ADDR --dport $PORT_IMAPD_HIDDEN -j DNAT --to $HOST_PORT_LOCAL_IMAPD
        fi
        if [ -n "$PORT_IMAPSD_HIDDEN" ]; then
            iptables -t nat -A PREROUTING -p tcp -i $IF_BAD -s $ADDR --dport $PORT_IMAPSD_HIDDEN -j DNAT --to $HOST_PORT_LOCAL_IMAPSD
        fi
    done
    if [ -n "$PORT_HTTPD_HIDDEN" ]; then
        for ADDR in $HOSTS_HTTP_CLIENT
        do
            iptables -t nat -A PREROUTING -p tcp -i $IF_BAD -s $ADDR --dport $PORT_HTTPD_HIDDEN -j DNAT --to $HOST_PORT_LOCAL_HTTPD
        done
    fi
    if [ -n "$PORT_HTTPD_HIDDEN_2ND" ]; then
        for ADDR in $HOSTS_HTTP_CLIENT_2ND
        do
            iptables -t nat -A PREROUTING -p tcp -i $IF_BAD -s $ADDR --dport $PORT_HTTPD_HIDDEN_2ND -j DNAT --to $HOST_PORT_LOCAL_HTTPD_2ND
        done
    fi
    for ADDR in $HOSTS_SMTP_CLIENT
    do
        if [ -n "$PORT_SMTPD_HIDDEN" ]; then
            iptables -t nat -A PREROUTING -p tcp -i $IF_BAD -s $ADDR --dport $PORT_SMTPD_HIDDEN -j DNAT --to $HOST_PORT_LOCAL_SMTPD
        fi
    done
    #
    # public servers
    # ( both the public port and the internal target must be set;
    #   an empty --to target would make iptables fail )
    #
    if [ -n "$PORT_HTTPD_PUBLIC" ] && [ -n "$HOST_PORT_PUBLIC_HTTPD" ]; then
        iptables -t nat -A PREROUTING -p tcp -i $IF_BAD --dport $PORT_HTTPD_PUBLIC -j DNAT --to $HOST_PORT_PUBLIC_HTTPD
    fi
    if [ -n "$PORT_HTTPD_PUBLIC_2ND" ] && [ -n "$HOST_PORT_PUBLIC_HTTPD_2ND" ]; then
        iptables -t nat -A PREROUTING -p tcp -i $IF_BAD --dport $PORT_HTTPD_PUBLIC_2ND -j DNAT --to $HOST_PORT_PUBLIC_HTTPD_2ND
    fi
    ##
    ## mangle
    ##
    # iptables -t mangle -A PREROUTING -p tcp --sport ssh -j TOS --set-tos Minimize-Delay
    # iptables -t mangle -A PREROUTING -p tcp --sport ftp -j TOS --set-tos Minimize-Delay
    # iptables -t mangle -A PREROUTING -p tcp --sport ftp-data -j TOS --set-tos Maximize-Throughput

    #==================================================
    #
    # against the packet black hole problem ( PMTU discovery blocked upstream )
    #
    iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

    #==================================================
    #
    # drop denied NetBIOS packets without logging
    #
    iptables -A INPUT -p tcp --sport $PORT_NETBIOS -j DROP
    iptables -A INPUT -p udp --sport $PORT_NETBIOS -j DROP
    iptables -A FORWARD -p tcp --sport $PORT_NETBIOS -j DROP
    iptables -A FORWARD -p udp --sport $PORT_NETBIOS -j DROP
    iptables -A FORWARD -p tcp --dport $PORT_NETBIOS -j DROP
    iptables -A FORWARD -p udp --dport $PORT_NETBIOS -j DROP

    #==================================================
    #
    # FORWARD
    #
    ##
    ## user defined chains
    ##
    iptables -N $CH_GOOD_DMZ
    iptables -N $CH_BAD_DMZ
    iptables -N $CH_GOOD_BAD
    iptables -N $CH_DMZ_GOOD
    iptables -N $CH_DMZ_BAD
    iptables -N $CH_BAD_GOOD
    ##
    ## restrictive and exclusive: every interface pair has exactly one chain
    ##
    iptables -A FORWARD -i $IF_GOOD -o $IF_DMZ -j $CH_GOOD_DMZ
    iptables -A FORWARD -i $IF_DMZ -o $IF_GOOD -j $CH_DMZ_GOOD
    iptables -A FORWARD -i $IF_GOOD -o $IF_BAD -j $CH_GOOD_BAD
    iptables -A FORWARD -i $IF_DMZ -o $IF_BAD -j $CH_DMZ_BAD
    iptables -A FORWARD -i $IF_BAD -o $IF_DMZ -j $CH_BAD_DMZ
    iptables -A FORWARD -i $IF_BAD -o $IF_GOOD -j $CH_BAD_GOOD
    iptables -A FORWARD $LOG_EXTENDED_FORWARD
    iptables -A FORWARD -j DROP

    ##################################################
    #
    # GOOD ---> DMZ
    #
    # check done
    #
    ##
    ## to servers ( full access )
    ##
    iptables -A $CH_GOOD_DMZ -m state --state NEW -j ACCEPT
    ##
    ## established
    ##
    iptables -A $CH_GOOD_DMZ -m state --state ESTABLISHED -j ACCEPT
    ##
    ## ping only ( drop pong )
    ##
    iptables -A $CH_GOOD_DMZ -p icmp --icmp-type ping -j ACCEPT
    ##
    ## jump to the user's chain ( icmp )
    ##
    iptables -A $CH_GOOD_DMZ -p icmp -j $CH_ICMP
    ##
    ## logging ( extended )
    ##
    iptables -A $CH_GOOD_DMZ $LOG_EXTENDED_GOOD_DMZ
    iptables -A $CH_GOOD_DMZ -j DROP

    #--------------------------------------------------
    #
    # DMZ ---> GOOD
    # ( no new connections from the DMZ )
    #
    ##
    ## from servers
    ##
    iptables -A $CH_DMZ_GOOD -m state --state ESTABLISHED -j ACCEPT
    ##
    ## pong only ( drop ping )
    ##
    iptables -A $CH_DMZ_GOOD -p icmp --icmp-type pong -j ACCEPT
    ##
    ## jump to the user's chain ( icmp )
    ##
    iptables -A $CH_DMZ_GOOD -p icmp -j $CH_ICMP
    ##
    ## logging ( extended )
    ##
    iptables -A $CH_DMZ_GOOD $LOG_EXTENDED_DMZ_GOOD
    iptables -A $CH_DMZ_GOOD -j DROP

    #--------------------------------------------------
    #
    # GOOD ---> BAD
    #
    ##
    ## as client ( limited ports )
    ##
    for SVC in $PORTS_CLIENT_GOOD_TCP
    do
        iptables -A $CH_GOOD_BAD -p tcp --dport $SVC --sport $PORT_USER -m state --state NEW -j ACCEPT
    done
    for SVC in $PORTS_CLIENT_GOOD_UDP
    do
        iptables -A $CH_GOOD_BAD -p udp --dport $SVC --sport $PORT_USER -m state --state NEW -j ACCEPT
        iptables -A $CH_GOOD_BAD -p udp --dport $SVC --sport $SVC -m state --state NEW -j ACCEPT
    done
    ##
    ## established or related
    ##
    iptables -A $CH_GOOD_BAD -p tcp --sport $PORT_USER -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A $CH_GOOD_BAD -p udp -m state --state ESTABLISHED -j ACCEPT
    ##
    ## ping only ( drop pong )
    ##
    iptables -A $CH_GOOD_BAD -p icmp --icmp-type ping -j ACCEPT
    ##
    ## jump to the user's chain ( icmp )
    ##
    iptables -A $CH_GOOD_BAD -p icmp -j $CH_ICMP
    ##
    ## logging ( extended )
    ##
    iptables -A $CH_GOOD_BAD $LOG_EXTENDED_GOOD_BAD
    iptables -A $CH_GOOD_BAD -j DROP

    #--------------------------------------------------
    #
    # BAD ---> GOOD
    #
    ##
    ## bad access
    ##
    iptables -A $CH_BAD_GOOD -m state --state INVALID $LOG_EXTENDED_BAD_GOOD
    iptables -A $CH_BAD_GOOD -m state --state INVALID -j DROP
    ##
    ## verbose ( no new connections from the internet into the good network )
    ##
    iptables -A $CH_BAD_GOOD -m state --state INVALID,NEW $LOG_EXTENDED_BAD_GOOD
    iptables -A $CH_BAD_GOOD -m state --state INVALID,NEW -j DROP
    ##
    ## established
    ##
    iptables -A $CH_BAD_GOOD -p tcp -m state --state ESTABLISHED --dport $PORT_USER -j ACCEPT
    iptables -A $CH_BAD_GOOD -p udp -m state --state ESTABLISHED --dport $PORT_USER -j ACCEPT
    ##
    ## pong only ( drop ping )
    ##
    iptables -A $CH_BAD_GOOD -p icmp --icmp-type pong -j ACCEPT
    ##
    ## jump to the user's chain ( icmp )
    ##
    iptables -A $CH_BAD_GOOD -p icmp -j $CH_ICMP
    ##
    ## logging ( extended )
    ##
    iptables -A $CH_BAD_GOOD $LOG_EXTENDED_BAD_GOOD
    iptables -A $CH_BAD_GOOD -j DROP

    #--------------------------------------------------
    #
    # DMZ ---> BAD
    #
    ##
    ## as client
    ##
    for SVC in $PORTS_CLIENT_DMZ_TCP
    do
        iptables -A $CH_DMZ_BAD -p tcp --dport $SVC --sport $PORT_USER -m state --state NEW -j ACCEPT
    done
    for SVC in $PORTS_CLIENT_DMZ_UDP
    do
        iptables -A $CH_DMZ_BAD -p udp --dport $SVC --sport $PORT_USER -m state --state NEW -j ACCEPT
        iptables -A $CH_DMZ_BAD -p udp --dport $SVC --sport $SVC -m state --state NEW -j ACCEPT
    done
    ##
    ## as server
    ## established
    ##
    for SVC in $PORTS_SERVER_DMZ_TCP
    do
        iptables -A $CH_DMZ_BAD -p tcp --sport $SVC --dport $PORT_USER -m state --state ESTABLISHED -j ACCEPT
    done
    ##
    ## as client
    ## established
    ##
    iptables -A $CH_DMZ_BAD -p tcp --sport $PORT_USER -m state --state ESTABLISHED -j ACCEPT
    ##
    ## as client or server
    ## established
    ##
    iptables -A $CH_DMZ_BAD -p udp -m state --state ESTABLISHED -j ACCEPT
    ##
    ## as client ( for passive ftp )
    ## related
    ##
    iptables -A $CH_DMZ_BAD -p tcp --sport $PORT_USER -m state --state RELATED -j ACCEPT
    ##
    ## pong only ( drop ping )
    ##
    iptables -A $CH_DMZ_BAD -p icmp --icmp-type pong -j ACCEPT
    ##
    ## logging ( extended )
    ##
    iptables -A $CH_DMZ_BAD $LOG_EXTENDED_DMZ_BAD
    iptables -A $CH_DMZ_BAD -j DROP

    #--------------------------------------------------
    #
    # BAD ---> DMZ
    #
    ##
    ## bad access
    ##
    iptables -A $CH_BAD_DMZ -m state --state INVALID $LOG_EXTENDED_BAD_DMZ
    iptables -A $CH_BAD_DMZ -m state --state INVALID -j DROP
    ##
    ## as server
    ##
    for SVC in $PORTS_SERVER_DMZ_TCP
    do
        iptables -A $CH_BAD_DMZ -p tcp --dport $SVC -m state --state NEW -j ACCEPT
    done
    for SVC in $PORTS_SERVER_DMZ_UDP
    do
        iptables -A $CH_BAD_DMZ -p udp --dport $SVC -m state --state NEW -j ACCEPT
    done
    ##
    ## verbose
    ##
    iptables -A $CH_BAD_DMZ -m state --state INVALID,NEW $LOG_EXTENDED_BAD_DMZ
    iptables -A $CH_BAD_DMZ -m state --state INVALID,NEW -j DROP
    ##
    ## established ( as server , as client )
    ##
    iptables -A $CH_BAD_DMZ -m state --state ESTABLISHED -j ACCEPT
    ##
    ## drop all the icmp packets except ping
    ##
    ##
    ## ping only ( drop pong )
    ##
    iptables -A $CH_BAD_DMZ -p icmp --icmp-type ping -j ACCEPT
    ##
    ## jump to the user's chain ( icmp )
    ## ( disabled )
    ##
    ## logging ( extended )
    ##
    iptables -A $CH_BAD_DMZ $LOG_EXTENDED_BAD_DMZ
    iptables -A $CH_BAD_DMZ -j DROP

    #==================================================
    #
    # interface level INPUT
    #
    ##
    ## user defined chains
    ##
    iptables -N $CH_BAD_IF_IN
    iptables -N $CH_DMZ_IF_IN
    iptables -N $CH_GOOD_IF_IN
    ##
    ## restrictive and exclusive: one chain per interface
    ##
    iptables -A INPUT -i $IF_BAD -j $CH_BAD_IF_IN
    iptables -A INPUT -i $IF_DMZ -j $CH_DMZ_IF_IN
    iptables -A INPUT -i $IF_GOOD -j $CH_GOOD_IF_IN
    ##
    ## anti spoofing
    ## ( private source addresses on the external interface,
    ##   foreign source addresses on the internal interfaces )
    ##
    iptables -A $CH_BAD_IF_IN -s $ADDR_GOOD_NW $LOG_STD_BAD_IF_IN
    iptables -A $CH_BAD_IF_IN -s $ADDR_DMZ_NW $LOG_STD_BAD_IF_IN
    iptables -A $CH_DMZ_IF_IN -s ! $ADDR_DMZ_NW $LOG_STD_DMZ_IF_IN
    iptables -A $CH_GOOD_IF_IN -s ! $ADDR_GOOD_NW $LOG_STD_GOOD_IF_IN
    iptables -A $CH_BAD_IF_IN -s $ADDR_GOOD_NW -j DROP
    iptables -A $CH_BAD_IF_IN -s $ADDR_DMZ_NW -j DROP
    iptables -A $CH_DMZ_IF_IN -s ! $ADDR_DMZ_NW -j DROP
    iptables -A $CH_GOOD_IF_IN -s ! $ADDR_GOOD_NW -j DROP

    #--------------------------------------------------
    #
    # interface BAD
    #
    ##
    ## bad access
    ##
    iptables -A $CH_BAD_IF_IN -m state --state INVALID $LOG_EXTENDED_BAD_IF_IN
    iptables -A $CH_BAD_IF_IN -m state --state INVALID -j DROP
    ##
    ## extra observation ( verbose )
    ##
    for SVC in $PORTS_EXTRA_GUARD_TCP
    do
        iptables -A $CH_BAD_IF_IN -p tcp --dport $SVC $LOG_EXTRA_BAD_IF_IN
        iptables -A $CH_BAD_IF_IN -p tcp --dport $SVC -j DROP
    done
    for SVC in $PORTS_EXTRA_GUARD_UDP
    do
        iptables -A $CH_BAD_IF_IN -p udp --dport $SVC $LOG_EXTRA_BAD_IF_IN
        iptables -A $CH_BAD_IF_IN -p udp --dport $SVC -j DROP
    done
    ##
    ## reject
    ##
    for SVC in $PORTS_REJECT_TCP
    do
        iptables -A $CH_BAD_IF_IN -p tcp --dport $SVC -j REJECT --reject-with icmp-host-unreachable
    done
    for SVC in $PORTS_REJECT_UDP
    do
        iptables -A $CH_BAD_IF_IN -p udp --dport $SVC -j REJECT --reject-with icmp-host-unreachable
    done
    ##
    ## verbose
    ##
    iptables -A $CH_BAD_IF_IN -m state --state INVALID,NEW $LOG_EXTENDED_BAD_IF_IN
    iptables -A $CH_BAD_IF_IN -m state --state INVALID,NEW -j DROP
    ##
    ## as client
    ##
    for SVC in $PORTS_CLIENT_BAD_TCP
    do
        iptables -A $CH_BAD_IF_IN -p tcp --sport $SVC --dport $PORT_USER -m state --state ESTABLISHED -j ACCEPT
    done
    for SVC in $PORTS_CLIENT_BAD_UDP
    do
        iptables -A $CH_BAD_IF_IN -p udp --sport $SVC --dport $PORT_USER -m state --state ESTABLISHED -j ACCEPT
        iptables -A $CH_BAD_IF_IN -p udp --sport $SVC --dport $SVC -m state --state ESTABLISHED -j ACCEPT
    done
    ##
    ## pong only ( drop ping )
    ##
    iptables -A $CH_BAD_IF_IN -p icmp --icmp-type pong -j ACCEPT
    ##
    ## jump to the user's chain ( icmp )
    ##
    iptables -A $CH_BAD_IF_IN -p icmp -j $CH_ICMP
    ##
    ## logging ( extended )
    ##
    iptables -A $CH_BAD_IF_IN $LOG_EXTENDED_BAD_IF_IN
    iptables -A $CH_BAD_IF_IN -j DROP

    #--------------------------------------------------
    #
    # interface DMZ
    #
    ##
    ## syslog
    ##
    for H in $HOSTS_LOGGING_DMZ
    do
        # except Linux hosts
        iptables -A $CH_DMZ_IF_IN -p udp -s $H --sport 514 -d $ADDR_DMZ_IF -m state --state ESTABLISHED -j ACCEPT
    done
    ##
    ## pong only ( drop ping )
    ##
    iptables -A $CH_DMZ_IF_IN -p icmp --icmp-type pong -j ACCEPT
    ##
    ## jump to the user's chain ( icmp )
    ##
    iptables -A $CH_DMZ_IF_IN -p icmp -j $CH_ICMP
    ##
    ## logging
    ##
    iptables -A $CH_DMZ_IF_IN $LOG_STD_DMZ_IF_IN
    iptables -A $CH_DMZ_IF_IN -j DROP

    #--------------------------------------------------
    #
    # interface GOOD
    #
    ##
    ## syslog
    ##
    for H in $HOSTS_LOGGING
    do
        # except Linux hosts
        iptables -A $CH_GOOD_IF_IN -p udp -s $H --sport 514 -d $ADDR_GOOD_IF -m state --state ESTABLISHED -j ACCEPT
    done
    ##
    ## drop denied NetBIOS packets without logging
    ##
    iptables -A $CH_GOOD_IF_IN -p tcp --sport $PORT_NETBIOS -j DROP
    iptables -A $CH_GOOD_IF_IN -p udp --sport $PORT_NETBIOS -j DROP
    ##
    ## ping only ( drop pong )
    ##
    iptables -A $CH_GOOD_IF_IN -p icmp --icmp-type ping -j ACCEPT
    ##
    ## jump to the user's chain ( icmp )
    ##
    iptables -A $CH_GOOD_IF_IN -p icmp -j $CH_ICMP
    ##
    ## logging
    ##
    iptables -A $CH_GOOD_IF_IN $LOG_EXTENDED_GOOD_IF_IN
    iptables -A $CH_GOOD_IF_IN -j DROP

    #==================================================
    #
    # interface level OUTPUT
    #
    ##
    ## user defined chains
    ##
    iptables -N $CH_BAD_IF_OUT
    iptables -N $CH_GOOD_IF_OUT
    iptables -N $CH_DMZ_IF_OUT
    ##
    ## restrictive and exclusive: one chain per interface
    ##
    iptables -A OUTPUT -o $IF_BAD -j $CH_BAD_IF_OUT
    iptables -A OUTPUT -o $IF_GOOD -j $CH_GOOD_IF_OUT
    iptables -A OUTPUT -o $IF_DMZ -j $CH_DMZ_IF_OUT
    ##
    ## anti spoofing
    ##
    iptables -A $CH_GOOD_IF_OUT -d ! $ADDR_GOOD_NW $LOG_STD_GOOD_IF_OUT
    iptables -A $CH_DMZ_IF_OUT -d ! $ADDR_DMZ_NW $LOG_STD_DMZ_IF_OUT
    iptables -A $CH_GOOD_IF_OUT -d ! $ADDR_GOOD_NW -j DROP
    iptables -A $CH_DMZ_IF_OUT -d ! $ADDR_DMZ_NW -j DROP

    #--------------------------------------------------
    #
    # interface BAD
    #
    ##
    ## as client
    ##
    for SVC in $PORTS_CLIENT_BAD_TCP
    do
        iptables -A $CH_BAD_IF_OUT -p tcp --dport $SVC --sport $PORT_USER -m state --state NEW -j ACCEPT
    done
    for SVC in $PORTS_CLIENT_BAD_UDP
    do
        iptables -A $CH_BAD_IF_OUT -p udp --dport $SVC --sport $PORT_USER -m state --state NEW -j ACCEPT
        iptables -A $CH_BAD_IF_OUT -p udp --dport $SVC --sport $SVC -m state --state NEW -j ACCEPT
    done
    ##
    ## established or related
    ##
    iptables -A $CH_BAD_IF_OUT -p tcp --sport $PORT_USER -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A $CH_BAD_IF_OUT -p udp -m state --state ESTABLISHED -j ACCEPT
    ##
    ## ping only ( drop pong )
    ##
    iptables -A $CH_BAD_IF_OUT -p icmp --icmp-type ping -j ACCEPT
    ##
    ## jump to the user's chain ( icmp )
    ##
    iptables -A $CH_BAD_IF_OUT -p icmp -j $CH_ICMP
    ##
    ## logging
    ##
    iptables -A $CH_BAD_IF_OUT $LOG_EXTENDED_BAD_IF_OUT
    iptables -A $CH_BAD_IF_OUT -j DROP

    #--------------------------------------------------
    #
    # interface GOOD
    #
    ##
    ## syslog
    ##
    for H in $HOSTS_LOGGING
    do
        # except Linux hosts
        iptables -A $CH_GOOD_IF_OUT -p udp -d $H --dport 514 -m state --state NEW,ESTABLISHED -j ACCEPT
    done
    ##
    ## pong only ( drop ping )
    ##
    iptables -A $CH_GOOD_IF_OUT -p icmp --icmp-type pong -d $ADDR_GOOD_NW -j ACCEPT
    ##
    ## jump to the user's chain ( icmp )
    ##
    iptables -A $CH_GOOD_IF_OUT -p icmp -j $CH_ICMP
    ##
    ## logging
    ##
    iptables -A $CH_GOOD_IF_OUT $LOG_EXTENDED_GOOD_IF_OUT
    iptables -A $CH_GOOD_IF_OUT -j DROP

    #--------------------------------------------------
    #
    # interface DMZ
    #
    ##
    ## syslog
    ##
    for H in $HOSTS_LOGGING_DMZ
    do
        # except Linux hosts
        iptables -A $CH_DMZ_IF_OUT -p udp -d $H --dport 514 -m state --state NEW,ESTABLISHED -j ACCEPT
    done
    ##
    ## drop all the icmp packets except ping
    ##
    ##
    ## ping only ( drop pong )
    ##
    iptables -A $CH_DMZ_IF_OUT -p icmp --icmp-type ping -j ACCEPT
    ##
    ## jump to the user's chain ( icmp )
    ## ( disabled )
    ##
    ## logging
    ##
    iptables -A $CH_DMZ_IF_OUT $LOG_EXTENDED_DMZ_IF_OUT
    iptables -A $CH_DMZ_IF_OUT -j DROP

    #==================================================
    #
    # IP MASQUERADE and Port Forward
    #
    ##
    ## for IP Masquerade
    ##
    iptables -t nat -A POSTROUTING -o $IF_BAD -j MASQUERADE

    #==================================================
    ##
    ## logging all the unmatched packets
    ##
    iptables -A INPUT $LOG_STD_INPUT
    iptables -A OUTPUT $LOG_STD_OUTPUT
    iptables -A FORWARD $LOG_STD_FORWARD
    iptables -A INPUT -j DROP
    iptables -A OUTPUT -j DROP
    iptables -A FORWARD -j DROP

    # enable packet forwarding now that the rule set is complete
    echo 1 > /proc/sys/net/ipv4/ip_forward
fi
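Every drop in this rule set is logged with the prefix Packetlog:DROP:<chain>:, so the kernel log tells you which user chain refused a packet. As an added example that is not part of the original page, the Python below reads such log lines, counts drops per chain and per destination port, flags the anti-spoofing drops on the external interface, and lists outbound connections the dmz-bad chain refused. The log lines are constructed here; the interface name and networks are the script's defaults.

```python
import re
import ipaddress
from collections import Counter

# Values taken from the script's configuration block.
EXTERNAL_IF = "ppp0"                                     # IF_BAD
LOCAL_NETS = [ipaddress.ip_network("192.168.1.0/24"),    # ADDR_GOOD_NW
              ipaddress.ip_network("192.168.2.0/24")]    # ADDR_DMZ_NW

# Constructed sample syslog lines (not real captures) in the shape the kernel
# writes for the script's LOG rules: the Packetlog:DROP:<chain>: prefix
# followed by the kernel's KEY=VALUE fields. The last line is unrelated.
SAMPLE_LOG = """\
Jan 16 03:12:01 fw kernel: Packetlog:DROP:bad-if-in: IN=ppp0 OUT= SRC=203.0.113.7 DST=198.51.100.9 LEN=60 PROTO=TCP SPT=40211 DPT=23 WINDOW=5840 SYN
Jan 16 03:12:02 fw kernel: Packetlog:DROP:bad-if-in: IN=ppp0 OUT= SRC=203.0.113.7 DST=198.51.100.9 LEN=60 PROTO=TCP SPT=40212 DPT=111 WINDOW=5840 SYN
Jan 16 03:12:02 fw kernel: Packetlog:DROP:bad-if-in: IN=ppp0 OUT= SRC=203.0.113.7 DST=198.51.100.9 LEN=60 PROTO=TCP SPT=40213 DPT=23 WINDOW=5840 SYN
Jan 16 03:12:09 fw kernel: Packetlog:DROP:bad-if-in: IN=ppp0 OUT= SRC=192.168.1.20 DST=198.51.100.9 LEN=84 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Jan 16 03:13:00 fw kernel: Packetlog:DROP:good-bad: IN=eth1 OUT=ppp0 SRC=192.168.1.20 DST=198.51.100.200 LEN=52 PROTO=TCP SPT=3322 DPT=6667 WINDOW=64240 SYN
Jan 16 03:13:04 fw kernel: Packetlog:DROP:dmz-bad: IN=eth2 OUT=ppp0 SRC=192.168.2.52 DST=198.51.100.200 LEN=60 PROTO=TCP SPT=1037 DPT=6667 WINDOW=5840 SYN
Jan 16 03:13:05 fw sshd[812]: Accepted publickey for shimakero from 192.168.1.20
"""

PREFIX_RE = re.compile(r"Packetlog:DROP:(?P<chain>[A-Za-z-]+):\s*(?P<fields>.*)$")
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_line(line):
    """Parse one syslog line written by the script's LOG rules.

    Returns a dict with the chain name plus the kernel's fields
    (IN, OUT, SRC, DST, PROTO, SPT, DPT, TYPE, ...), or None when the
    line did not come from one of those rules."""
    m = PREFIX_RE.search(line)
    if m is None:
        return None
    rec = {"chain": m.group("chain")}
    rec.update(FIELD_RE.findall(m.group("fields")))
    return rec


def is_spoofed(rec):
    """True when a packet arrived on the external interface with a source in
    one of the private networks, which the anti-spoofing rules in bad-if-in
    log and drop."""
    if rec.get("IN") != EXTERNAL_IF or "SRC" not in rec:
        return False
    src = ipaddress.ip_address(rec["SRC"])
    return any(src in net for net in LOCAL_NETS)


def summarize(log_text):
    """Aggregate dropped-packet lines: drops per chain, drops per
    (chain, protocol, destination port) for TCP/UDP, and the sources of
    spoofed packets. ICMP lines carry TYPE/CODE instead of ports, so they
    only count toward the per-chain total."""
    per_chain, per_port, spoofed = Counter(), Counter(), []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        per_chain[rec["chain"]] += 1
        if rec.get("PROTO") in ("TCP", "UDP") and rec.get("DPT"):
            per_port[(rec["chain"], rec["PROTO"], int(rec["DPT"]))] += 1
        if is_spoofed(rec):
            spoofed.append(rec["SRC"])
    return {"per_chain": per_chain, "per_port": per_port, "spoofed": spoofed}


def outbound_from_dmz(summary):
    """(proto, port) pairs that DMZ hosts tried to open toward the internet
    and dmz-bad refused; a DMZ server initiating unexpected outbound
    connections is worth investigating as a possible compromise."""
    return sorted((proto, port) for (chain, proto, port) in summary["per_port"]
                  if chain == "dmz-bad")
```

Feed it the kernel log (for example the output of grep Packetlog /var/log/messages) instead of SAMPLE_LOG to get the same summary for a real host.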