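#!/bin/sh
# A sample OpenVPN-aware firewall (IPv4 and IPv6).
#
# Interfaces:
#   eth0 (LANIF) is connected to the Internet.
#   eth1 is connected to the private subnet PRIVATE, which is masqueraded
#        behind LANIF.
#   tun+ carries the OpenVPN tunnels; OpenVPN authenticates packets before
#        they reach a tun/tap interface, so they are accepted unfiltered.
#
# Per address family the script:
#   1. sets every policy to DROP (fail closed while rules are replaced),
#   2. flushes and deletes every chain in every loaded table,
#   3. sets the final policies (OUTPUT ACCEPT, INPUT/FORWARD DROP),
#   4. appends the rules below.
# Because step 1 runs first, an aborted run leaves the host closed, not open.
#
# Must run as root; needs iptables, ip6tables and /proc/net/ip*_tables_names.

# Abort on the first failing rule instead of silently continuing with a gap.
set -eu

# shellcheck disable=SC2034  # NOTE(review): unused, rules match tun+ instead
VPNIF=tun0
LANIF=eth0
PRIVATE=10.42.23.0/24
# Loopback address
LOOP=127.0.0.1

#######################################
# Flush every chain and delete every user-defined chain of every loaded table.
# Arguments: $1 - filter command (iptables or ip6tables)
#            $2 - /proc file listing the tables loaded for that family
# Returns:   0; does nothing when no table is loaded (the /proc file is absent)
#######################################
flush_all_tables() {
  [ -r "$2" ] || return 0
  while read -r table; do
    # "Chain NAME (...)" header lines name every chain in the table.
    "$1" -t "$table" -L -n | while read -r first chain rest; do
      if [ "X$first" = "XChain" ]; then
        "$1" -t "$table" -F "$chain"
      fi
    done
    # Every chain is empty now, so the user-defined ones can be deleted.
    "$1" -t "$table" -X
  done < "$2"
}

#######################################
# DNAT a port arriving on the Internet interface to a private host (same port).
# Globals:   LANIF (read)
# Arguments: $1 - protocol (tcp/udp), $2 - port, $3 - private host address
#######################################
dnat_to() {
  iptables -t nat -A PREROUTING -p "$1" --dport "$2" -i "$LANIF" \
    -j DNAT --to "$3:$2"
}

# Delete old iptables rules and temporarily block all traffic.
iptables -P OUTPUT DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP
flush_all_tables iptables /proc/net/ip_tables_names

# Set default policies
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP

# Prevent external packets from using the loopback address (as source or
# destination). These sit before the loopback ACCEPT rules below on purpose.
for flag in -s -d; do
  iptables -A INPUT -i "$LANIF" "$flag" "$LOOP" -j DROP
  iptables -A FORWARD -i "$LANIF" "$flag" "$LOOP" -j DROP
done

# Anything coming from the network should have a real Internet address or a
# known "Uninetz" private address (172.16.0.0/12). The other RFC 1918 ranges
# (which include our own PRIVATE subnet) are logged and dropped.
iptables -N Antispoof
for net in 192.168.0.0/16 10.0.0.0/8; do
  iptables -A FORWARD -i "$LANIF" -s "$net" -j Antispoof
done
for net in 192.168.0.0/16 10.0.0.0/8; do
  iptables -A INPUT -i "$LANIF" -s "$net" -j Antispoof
done
iptables -A Antispoof -j LOG --log-prefix "ANTISPOOFIN "
iptables -A Antispoof -j DROP

# Block outgoing NetBIOS (if you have Windows machines running on the private
# subnet). This does not affect NetBIOS traffic that flows over the VPN
# tunnel, but it stops local Windows machines from broadcasting themselves
# to the network.
for proto in tcp udp; do
  iptables -A FORWARD -p "$proto" --sport 137:139 -o "$LANIF" -j DROP
done
for proto in tcp udp; do
  iptables -A OUTPUT -p "$proto" --sport 137:139 -o "$LANIF" -j DROP
done

# Locally generated packets must not leave towards the Internet with a
# private-subnet source address; log and drop them.
iptables -N SourceAddr
iptables -A OUTPUT -s "$PRIVATE" -o "$LANIF" -j SourceAddr
iptables -A SourceAddr -j LOG --log-prefix "SOURCEADDR "
iptables -A SourceAddr -j DROP

# Keep state of connections from the local machine and the private subnet
iptables -A OUTPUT -m state --state NEW -o "$LANIF" -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state NEW -o "$LANIF" -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow local loopback (LANIF-originated loopback traffic was dropped above)
iptables -A INPUT -s "$LOOP" -j ACCEPT
iptables -A INPUT -d "$LOOP" -j ACCEPT

# Allow useful ICMP (echo request, time exceeded, echo reply, destination
# unreachable), and forward it too.
for icmp_type in echo-request 11/0 11/1 0/0 3; do
  iptables -A INPUT -p icmp --icmp-type "$icmp_type" -j ACCEPT
done
for icmp_type in echo-request 11/0 11/1 0/0 3; do
  iptables -A FORWARD -p icmp --icmp-type "$icmp_type" -j ACCEPT
done

# Allow services such as ssh and OpenVPN (UDP 1194). No -i, so these are
# reachable on every interface, including the Internet side.
iptables -A INPUT -p tcp --dport ssh -m state --state NEW -j ACCEPT
iptables -A INPUT -p udp --dport 1194 -m state --state NEW -j ACCEPT

# Allow packets from TUN/TAP devices. When OpenVPN is run in a secure mode,
# it authenticates packets prior to their arriving on a tun or tap interface.
# Therefore it is not necessary to add any filters here, unless you want to
# restrict the type of packets which can flow over the tunnel.
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT

## Port forwarding for DC
# Accept new connections on the forwarded ports from the Internet interface.
# NOTE(review): every port below is DNATed in PREROUTING, so such packets
# traverse FORWARD rather than INPUT; the INPUT rules look redundant — confirm
# before removing them.
DC_UDP_PORTS=6666,6668,6670,6672
DC_TCP_PORTS=6666:6673
iptables -A INPUT -i "$LANIF" -p udp -m multiport --dports "$DC_UDP_PORTS" \
  -m state --state NEW -j ACCEPT
iptables -A FORWARD -i "$LANIF" -p udp -m multiport --dports "$DC_UDP_PORTS" \
  -m state --state NEW -j ACCEPT
iptables -A INPUT -i "$LANIF" -p tcp --dport "$DC_TCP_PORTS" \
  -m state --state NEW -j ACCEPT
iptables -A FORWARD -i "$LANIF" -p tcp --dport "$DC_TCP_PORTS" \
  -m state --state NEW -j ACCEPT

# Forward: each private host gets one UDP port and two TCP ports exposed.
dnat_to udp 6666 10.42.23.129
dnat_to tcp 6666 10.42.23.129
dnat_to tcp 6667 10.42.23.129
dnat_to udp 6668 10.42.23.131
dnat_to tcp 6668 10.42.23.131
dnat_to tcp 6669 10.42.23.131
dnat_to udp 6670 10.42.23.133
dnat_to tcp 6670 10.42.23.133
dnat_to tcp 6671 10.42.23.133
dnat_to udp 6672 10.42.23.135
dnat_to tcp 6672 10.42.23.135
dnat_to tcp 6673 10.42.23.135

# Catchall: log whatever reached the end of INPUT/FORWARD; the DROP policy
# then discards it.
iptables -A INPUT -j LOG --log-level debug --log-prefix "CATCHALL "
iptables -A FORWARD -j LOG --log-level debug --log-prefix "CATCHALL "

# Masquerade the private subnet behind the Internet interface
iptables -t nat -A POSTROUTING -s "$PRIVATE" -o "$LANIF" -j MASQUERADE
printf '1\n' > /proc/sys/net/ipv4/ip_forward

## Setup IPv6
# shellcheck disable=SC2034  # NOTE(review): no rule below uses it — confirm intent
IP6PRIVATE=2001:7c0:409:8e78::/64
IP6LANIP=2001:7c0:409:8e78::117:221

# Delete old ip6tables rules and temporarily block all traffic.
ip6tables -P OUTPUT DROP
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
flush_all_tables ip6tables /proc/net/ip6_tables_names

# Set default policies
ip6tables -P OUTPUT ACCEPT
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP

# Drop packets carrying a type 0 routing header (RH0, deprecated by RFC 5095)
# in every direction.
for chain in INPUT FORWARD OUTPUT; do
  ip6tables -A "$chain" -m rt --rt-type 0 -j DROP
done

# Loopback
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT

# Source spoof filtering from us (currently disabled)
#ip6tables -N SSOutFilterLAN
#ip6tables -A OUTPUT -o $LANIF -j SSOutFilterLAN
#ip6tables -A FORWARD -o $LANIF -j SSOutFilterLAN
#ip6tables -A SSOutFilterLAN -s $IP6LANIP -j RETURN
#ip6tables -A SSOutFilterLAN -s fe80::/10 -j RETURN
#ip6tables -A SSOutFilterLAN -j LOG --log-prefix "SOURCESPOOFOUT6 "
#ip6tables -A SSOutFilterLAN -j DROP

# Source spoof filtering to us: our own address must never arrive on LANIF
ip6tables -N SSInFilterLAN
ip6tables -A INPUT -i "$LANIF" -s "$IP6LANIP" -j SSInFilterLAN
ip6tables -A SSInFilterLAN -j LOG --log-prefix "SOURCESPOOFIN6 "
ip6tables -A SSInFilterLAN -j DROP

# Route errors: packets addressed to ourselves must not leave via LANIF
ip6tables -N REOutFilterLAN
ip6tables -A OUTPUT -o "$LANIF" -d "$IP6LANIP" -j REOutFilterLAN
ip6tables -A FORWARD -o "$LANIF" -d "$IP6LANIP" -j REOutFilterLAN
ip6tables -A REOutFilterLAN -j LOG --log-prefix "ROUTEERR6 "
ip6tables -A REOutFilterLAN -j DROP

# State tracking
ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
ip6tables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow ssh and OpenVPN access, only when addressed to our own LAN address
ip6tables -A INPUT -i "$LANIF" -d "$IP6LANIP" -p tcp --dport ssh \
  -m state --state NEW -j ACCEPT
ip6tables -A INPUT -i "$LANIF" -d "$IP6LANIP" -p udp --dport 1194 \
  -m state --state NEW -j ACCEPT

# Allow useful ICMPv6 (echo request, time exceeded, packet too big,
# destination unreachable, echo reply) from the Internet interface.
# NOTE(review): unlike the IPv4 section there is no tun+ ACCEPT and nothing
# for eth1 here, so IPv6 from the VPN or private side is dropped — confirm.
for icmp6_type in 128/0 3/0 3/1 2 1 129/0; do
  ip6tables -A INPUT -i "$LANIF" -p ipv6-icmp -m icmp6 \
    --icmpv6-type "$icmp6_type" -m state --state NEW -j ACCEPT
done

# Allow NDP (neighbour solicitation/advertisement, router advertisement)
for icmp6_type in 135/0 136/0 134/0; do
  ip6tables -A INPUT -i "$LANIF" -p ipv6-icmp -m icmp6 \
    --icmpv6-type "$icmp6_type" -j ACCEPT
done

# Protect from misconfiguration (we are not a router): never emit or forward
# router advertisements on LANIF.
ip6tables -N NoRouterAdv
ip6tables -A OUTPUT -o "$LANIF" -p ipv6-icmp -m icmp6 --icmpv6-type 134/0 \
  -j NoRouterAdv
ip6tables -A FORWARD -o "$LANIF" -p ipv6-icmp -m icmp6 --icmpv6-type 134/0 \
  -j NoRouterAdv
ip6tables -A NoRouterAdv -j LOG --log-prefix "NORADV6 "
ip6tables -A NoRouterAdv -j DROP

# Catchall: log whatever reached the end of INPUT/FORWARD; the DROP policy
# then discards it.
ip6tables -A INPUT -j LOG --log-level debug --log-prefix "CATCHALL6 "
ip6tables -A FORWARD -j LOG --log-level debug --log-prefix "CATCHALL6 "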