Firewall Specifics

[achillies]

###Basically here's a summary of what i want to achieve by using the firewall:->
HTTP port 80 is open for everyone in my network. Some specific ports such as 5000:5050 (yahoo), 1863 (msn), 5222:5223 (gtalk), 443 (gmail) are CLOSE by default but some extra rules will take care of any exceptions in this rule. I don't want packets having my internal network address comming from the outside interface. I want to open Ssh port only to some trusted IP addresses outside of my network, for rest of the world it's closed. Similariry, I want the Ftp port (20:21) open to only some selected (trusted) candidates. I also want to enable logging. By default my network policy will be to DROP all packets if there are no extra rules to match. I want a rule that allows some candidates to bypass the SQUID proxy that runs behind IPTABLES. Lastly I want to enable the connection tracking.

###Here's the Firewall rules that i have come up with to do the need:->
#!/bin/bash

##DEFINITIONS

###FOR NETWORKS
NET1="NET1_IP_POOL" ##MY INTERNAL NETWORK, JUST ASSUME
NET2="NET2_IP_POOL" ##MY TRUSTED NETWORK

###FOR PORTS
SSH="2001"
FTP="20:21"
SQUID="3128"
DNS_SPRT="53"
DNS_DPRT="1024"
SMTP="25"

YAHOO="5000:5050"
GMAIL="443"
MSN="1863"
GTALK_1="5222"
GTALK_2="5223"


###FOR EXTERNAL NETWORK CARD CONFIGURATION
#IF0="eth0"
#IF0_IP=`/sbin/ifconfig $IF0|grep inet|awk -F: '{print $2}'|awk '{print $1}'`
#IF0_MASK=`/sbin/ifconfig $IF0|grep inet|awk '{print $4}'|awk -F: '{print $2}'`
#IF0_NET="$IF0_IP/$IF0_MASK"

###FOR INTERNAL NETWORK (LAN) CARD CONFIGURATION
IF1="eth1"
IF1_IP=`/sbin/ifconfig $IF1|grep inet|awk -F: '{print $2}'|awk '{print $1}'`
IF1_MASK=`/sbin/ifconfig $IF1|grep inet|awk '{print $4}'|awk -F: '{print $2}'`
IF1_NET="$IF1_IP/$IF1_MASK"

###FOR IPTABLES (SHORTHAND)
FW="/sbin/iptables"
INPUT="$FW -A INPUT"
OUTPUT="$FW -A OUTPUT"
FORWARD="$FW -A FORWARD"
LOG="LOG --log-level DEBUG"
LOGOPTIONS="-m limit --limit 3/minute --limit-burst 3"
IN_INT="-i"
OUT_INT="-o"
DROP="DROP"

###START
LOGGING=1
###LOAD STARTUP MODULES
/sbin/depmod -a

###FLUSH ALL RULES BEFORE DOING NEW ONES
$FW -F
$FW -F -t nat
$FW -X

###ACCEPT EVERYTHING
$FW -P INPUT ACCEPT
$FW -P OUTPUT ACCEPT
$FW -P FORWARD ACCEPT

###ACCEPT EVERYTHING FROM THE LOCAL INTERFACE
$INPUT $IN_INT lo -j ACCEPT
$INPUT -p tcp ! --syn -d $IF0_IP --dport 1024: -j ACCEPT
$INPUT -p tcp ! --syn -d $IF1_IP --dport 1024: -j ACCEPT
$INPUT -p udp -d $IF0_IP --dport 1024: -j ACCEPT
$INPUT -p udp -d $IF1_IP --dport 1024: -j ACCEPT

###ACCEPT ALL OUTGOING TRAFFIC
$OUTPUT $OUT_INT lo -j ACCEPT
OUTPUT -s $IF0_IP -j ACCEPT
OUTPUT -s $IF1_IP -j ACCEPT
OUTPUT -s $NET1 -j ACCEPT

###TRANSPROXY
$FW -t nat -A PREROUTING -i $IF1 -p tcp --dport 80 -j REDIRECT --to-port 3128

###SQUID TRAFFIC
$INPUT -p tcp -s $NET1 --dport 3128 -j ACCEPT

###ICMP TRAFFIC
INPUT -p icmp -j ACCEPT
FORWARD -p icmp -j ACCEPT

###DNS TRAFFIC
INPUT -p udp --dport 53 -j ACCEPT
INPUT -p tcp --dport 53 -j ACCEPT
INPUT -p udp --sport 53 --dport 1024: -j ACCEPT

###TRACE-ROUTE TRAFFIC
$INPUT -p udp --dport 33434:33523 -j ACCEPT
$INPUT -p udp --sport 33434:33523 -j ACCEPT
$FORWARD -p udp --dport 33434:33523 -j ACCEPT
$FORWARD -p udp --sport 33434:33523 -j ACCEPT

###FTP TRAFFIC (ESTABLISHED)
$INPUT -p tcp --sport 20 -j ACCEPT #CONFUSED HERE

###SSH TRAFFIC (ONLY TRUSTED ONES)
$FORWARD -p tcp -s $NET1 -d SOME_IP --dport 3128 -j ACCEPT
$FORWARD -p tcp -d $NET1 -s SOME_IP --dport 3128 -j ACCEPT

##DONOT ALLOW Gtalk
$FORWARD -s $NET1 -p tcp --dport 5222 -j $DROP
$FORWARD -s $NET1 -p tcp --dport 5223 -j $DROP

###DONOT ALLOW MSN
$FORWARD -s $NET1 -p tcp --dport 1863 -j $DROP

###DONOT ALLOW GMAIL
$FORWARD -s $NET1 -p tcp --dport 443 -j $DROP

###DEFAULT POLICYROP EVERYTHING
$FW -P INPUT DROP
$FW -P OUTPUT DROP
$FW -P FORWARD DROP

###LOG EVERYTHING
if [ "$LOGGING" = 1 ]
then
$INPUT $LOGOPTIONS -j $LOG --log-prefix "Input Logging: "
$OUTPUT $LOGOPTIONS -j $LOG --log-prefix "Output Logging: "
$FORWARD $LOGOPTIONS -j $LOG --log-prefix "Forward Logging: "
fi

###TRACK CONNECTIONS
echo 522496 > /proc/sys/net/ipv4/ip_conntrack_max

#END

I am a little confused here. Is this script going in the right direction or am i just fooling myself?

[achillies]

Hey guys!
Forget the whole damn episode okie! I did it myself <yeah i wrote the whole firewall> and surprisingly its good. Thanx for your unsupportive approach though.

You keep saying that word again and again. I don't think it means what you think it means.