firewall.sh

#!/bin/bash -v
﻿
echo "Bringing up firewall..."
echo ""
﻿
EXTERNAL_IFACE='eth0'
INTERNAL_IFACE='eth1'
WIRELESS_IFACE='eth2'
IPTABLES=`which iptables`
EXTERNAL_IP=`ifconfig ${EXTERNAL_IFACE} | grep "inet addr" | cut -d \: -f 2 | cut -d ' ' -f 1`
INTERNAL_IP='192.168.1.0/24' # /24 covers both subnets
# These numbers must match the numbers in the classes.sh file
VOIP='10'
WWW='11'
GAMES='12'
P2P='13'
OTHER='14'
﻿
# Clear old rules
${IPTABLES} -F
${IPTABLES} -F -t nat
${IPTABLES} -F -t mangle
﻿
# Our default policy is to DROP packets
${IPTABLES} -P INPUT DROP
﻿
### Configure classes ###
${IPTABLES} -t mangle -A PREROUTING -j CONNMARK --restore-mark
${IPTABLES} -t mangle -A PREROUTING -m mark ! --mark 0 -j ACCEPT # If we have already marked it then accept it
﻿
# We need to classify packets on all ethernet devices except lo, both incoming and outgoing.
${IPTABLES} -t mangle -A PREROUTING -i ! lo --dst ${EXTERNAL_IP} -m mark --mark 0 -p udp \
	--dport 10000:20000 -j MARK --set-mark ${VOIP}
${IPTABLES} -t mangle -A PREROUTING -i ! lo --src ${INTERNAL_IP} -m mark --mark 0 -p udp \
	--dport 10000:20000 -j MARK --set-mark ${VOIP} # VoIP
﻿
${IPTABLES} -t mangle -A PREROUTING -i ! lo --dst ${EXTERNAL_IP} -m mark --mark 0 -p udp \
	--dport 53 -j MARK --set-mark ${WWW}
${IPTABLES} -t mangle -A PREROUTING -i ! lo --src ${INTERNAL_IP} -m mark --mark 0 -p udp \
	--dport 53 -j MARK --set-mark ${WWW} # DNS
${IPTABLES} -t mangle -A PREROUTING -i ! lo --dst ${EXTERNAL_IP} -m mark --mark 0 -p tcp \
	-m multiport --dport 80,443 -j MARK --set-mark ${WWW}
${IPTABLES} -t mangle -A PREROUTING -i ! lo --src ${INTERNAL_IP} -m mark --mark 0 -p tcp \
	-m multiport --dport 80,443 -j MARK --set-mark ${WWW} # HTTP/HTTPS
${IPTABLES} -t mangle -A PREROUTING -i ! lo --dst ${EXTERNAL_IP} -m mark --mark 0 -p tcp \
	--dport 5900:5901 -j MARK --set-mark ${WWW}
${IPTABLES} -t mangle -A PREROUTING -i ! lo --src ${INTERNAL_IP} -m mark --mark 0 -p tcp \
	--dport 5900:5901 -j MARK --set-mark ${WWW} # VNC
${IPTABLES} -t mangle -A PREROUTING -i ! lo --dst ${EXTERNAL_IP} -m mark --mark 0 -p tcp \
	--dport 22 -j MARK --set-mark ${WWW}
${IPTABLES} -t mangle -A PREROUTING -i ! lo --src ${INTERNAL_IP} -m mark --mark 0 -p tcp \
	--dport 22 -j MARK --set-mark ${WWW} # SSH
${IPTABLES} -t mangle -A PREROUTING -i ! lo --dst ${EXTERNAL_IP} -m mark --mark 0 -p tcp \
	--dport 21 -j MARK --set-mark ${WWW}
${IPTABLES} -t mangle -A PREROUTING -i ! lo --src ${INTERNAL_IP} -m mark --mark 0 -p tcp \
	--dport 21 -j MARK --set-mark ${WWW} # FTP
﻿
${IPTABLES} -t mangle -A PREROUTING -i ! lo --dst ${EXTERNAL_IP} -m mark --mark 0 -p tcp \
	--dport 3724 -j MARK --set-mark ${GAMES}
${IPTABLES} -t mangle -A PREROUTING -i ! lo --src ${INTERNAL_IP} -m mark --mark 0 -p tcp \
	--dport 3724 -j MARK --set-mark ${GAMES} # World of Warcraft
${IPTABLES} -t mangle -A PREROUTING -i ! lo --dst ${EXTERNAL_IP} -m mark --mark 0 -p tcp \
	--dport 6112 -j MARK --set-mark ${GAMES}
${IPTABLES} -t mangle -A PREROUTING -i ! lo --src ${INTERNAL_IP} -m mark --mark 0 -p tcp \
	--dport 6112 -j MARK --set-mark ${GAMES} # Guild Wars
﻿
${IPTABLES} -t mangle -A PREROUTING -i ! lo --dst ${EXTERNAL_IP} -m mark --mark 0 -p tcp \
	--dport 7000:7100 -j MARK --set-mark ${P2P} # BitTorrent
${IPTABLES} -t mangle -A PREROUTING -i ! lo --dst ${EXTERNAL_IP} -m mark --mark 0 -p tcp \
	--dport 6112 -j MARK --set-mark ${P2P}
${IPTABLES} -t mangle -A PREROUTING -i ! lo --dst ${EXTERNAL_IP} -m mark --mark 0 -p tcp \
	--dport 6881:6999 -j MARK --set-mark ${P2P} # WoW downloader
﻿
# All other packets, on the tcp and udp protocols, need to be classified as "other".
${IPTABLES} -t mangle -A PREROUTING -i ! lo --dst ${EXTERNAL_IP} -m mark --mark 0 \
	-j MARK --set-mark ${OTHER}
${IPTABLES} -t mangle -A PREROUTING -i ! lo --src ${INTERNAL_IP} -m mark --mark 0 \
	-j MARK --set-mark ${OTHER} # Everything else
﻿
${IPTABLES} -t mangle -A PREROUTING -j CONNMARK --save-mark # Save the mark to the connection tracking.
## Classes configured ##
﻿
## Forward ports ##
${IPTABLES} -t nat -A PREROUTING --dst ${EXTERNAL_IP} -p udp --dport 10000:20000 -j DNAT --to 192.168.1.3
${IPTABLES} -t nat -A PREROUTING --dst ${EXTERNAL_IP} -p tcp --dport 22 -j DNAT --to 192.168.1.5
${IPTABLES} -t nat -A PREROUTING --dst ${EXTERNAL_IP} -p tcp --dport 5900 -j DNAT --to 192.168.1.5
${IPTABLES} -t nat -A PREROUTING --dst ${EXTERNAL_IP} -p tcp --dport 7000 -j DNAT --to 192.168.1.5
${IPTABLES} -t nat -A PREROUTING --dst ${EXTERNAL_IP} -p tcp --dport 5901 -j DNAT --to 192.168.1.6
## ##
﻿
## Setup filters ##
${IPTABLES} -A INPUT --dst ${EXTERNAL_IP} -p icmp --icmp-type echo-request -m limit \
	--limit 10 -j ACCEPT # Sure, let's reply to pings.
${IPTABLES} -A INPUT --dst ${EXTERNAL_IP} -m state \
	--state INVALID -j DROP # We don't want any invalid packets.
${IPTABLES} -A INPUT --dst ${EXTERNAL_IP} -m state \
	--state ESTABLISHED,RELATED -j ACCEPT # Only connections that were initiated from the inside.
${IPTABLES} -A INPUT --src ${INTERNAL_IP} -j ACCEPT # Accept connections from the LAN.
## Filters configured ##
﻿
# Make all outbound packets look like they are coming from one IP
${IPTABLES} -t nat -A POSTROUTING -o ${EXTERNAL_IFACE} -j MASQUERADE
# Enable packet forwarding
echo "1" > /proc/sys/net/ipv4/ip_forward