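#!/bin/sh
#
# $Id: rc.iptables.1,v 1.3 2006/04/03 09:02:38 raptor Exp $
#
# rc.iptables.1 - sample iptables rules for host firewall
# Copyright (c) 2004 Marco Ivaldi
#
# Iptables is used to set up, maintain, and inspect the tables of IP packet
# filter rules in the Linux kernel. This is a sample basic ruleset for the
# configuration of a Linux 2.4 stateful packet filter (basic host firewall).
#
# Tested on Linux 2.4.26 with 2 NICs, change it to fit your configuration.
#
# Review notes:
# - The chain policies are set to DROP *before* the flush, so a ruleset that
#   fails half-way (typo, missing module) leaves the host closed, not open.
# - Negation is written in the extrapositioned form ("! -s addr"); the
#   intrapositioned form ("-s ! addr") is deprecated in newer iptables.
# - Only the filter table is reset here; nat and mangle are left untouched.
# - ip_conntrack_ftp is the 2.4 module name; later kernels call the FTP
#   helper nf_conntrack_ftp (adjust the modprobe line for your kernel).
#
###############################################################################
# Variables
#
# User-defined variables may be defined and used later, simplifying the
# configuration file.
#

# iptables binary (absolute path: rc scripts may run with a minimal PATH)
IPT="/usr/sbin/iptables"

# available interfaces
EXT_IF="eth0"
INT_IF="eth1"
VPN_IF="cipcb0"

# list of networks
EXT_NET="x.x.x.0/24"

# list of hosts
FW_EXT="x.x.x.x"
VPN_GW="y.y.y.y"

# misc: only the external network may open SSH to the firewall
TRUSTED="$EXT_NET"

###############################################################################
# Options
#
# Options tune the behaviour of the kernel.
#

# enable ip forwarding (needed for the VPN_IF FORWARD rules below; the
# FORWARD policy is DROP, so nothing else is routed)
echo 1 > /proc/sys/net/ipv4/ip_forward

# prevent syn floods
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

###############################################################################
# Kernel Modules
#
# Load kernel modules for connection tracking of weird/stupid protocols
# (e.g. FTP).
#

# load kernel modules
/sbin/modprobe ip_conntrack_ftp

###############################################################################
# Packet Filtering
#
# Stateful and stateless packet filtering provides rule-based blocking or
# passing of packets.
#

# default policy: fail closed first, then flush rules and user chains
"$IPT" -P INPUT DROP
"$IPT" -P OUTPUT DROP
"$IPT" -P FORWARD DROP
"$IPT" -F
"$IPT" -X

# trusted interfaces (loopback, internal LAN, VPN; VPN traffic may also be
# forwarded)
"$IPT" -A INPUT -i lo -j ACCEPT
"$IPT" -A OUTPUT -o lo -j ACCEPT
"$IPT" -A INPUT -i "$INT_IF" -j ACCEPT
"$IPT" -A OUTPUT -o "$INT_IF" -j ACCEPT
"$IPT" -A INPUT -i "$VPN_IF" -j ACCEPT
"$IPT" -A OUTPUT -o "$VPN_IF" -j ACCEPT
"$IPT" -A FORWARD -i "$VPN_IF" -j ACCEPT
"$IPT" -A FORWARD -o "$VPN_IF" -j ACCEPT

# egress filtering: nothing leaves the external interface unless it is
# sourced from the firewall's own external address
"$IPT" -A OUTPUT -o "$EXT_IF" ! -s "$FW_EXT" -j DROP

# anti-spoofing: loopback and RFC 1918 sources must never arrive on the
# external interface
"$IPT" -A INPUT -i "$EXT_IF" -s 127.0.0.0/8 -j DROP
"$IPT" -A INPUT -i "$EXT_IF" -s 10.0.0.0/8 -j DROP
"$IPT" -A INPUT -i "$EXT_IF" -s 172.16.0.0/12 -j DROP
"$IPT" -A INPUT -i "$EXT_IF" -s 192.168.0.0/16 -j DROP

# keep state (inbound and outbound)
"$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
"$IPT" -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# outbound traffic: any new connection from the firewall itself
"$IPT" -A OUTPUT -o "$EXT_IF" -m state --state NEW -j ACCEPT

# inbound traffic: SSH from the trusted network (SYN only, replies are
# covered by the state rule above) and the VPN tunnel from the VPN gateway
"$IPT" -A INPUT -i "$EXT_IF" -p tcp -s "$TRUSTED" -d "$FW_EXT" --dport 22 --syn -j ACCEPT
"$IPT" -A INPUT -i "$EXT_IF" -p udp -s "$VPN_GW" --sport 6999 -d "$FW_EXT" --dport 6999 -j ACCEPT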