
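#!/usr/bin/env bash
#######################################################################################################################
# Firewall configuration for this host ################################################################################
#######################################################################################################################
# Installs the static iptables ruleset for this router: host INPUT/OUTPUT rules, cross-VLAN FORWARD rules,
# MASQUERADE entries in the nat table and, last of all, DROP default policies on the three filter chains.
#
# Every rule below is appended (-A) and nothing is flushed first, so running this script twice installs every
# rule twice; flush the filter and nat tables before re-applying it.
#
# Interface naming follows the rule comments: eth0.<N> is VLAN N and bare eth0 carries VLAN30
# (presumably the untagged native VLAN -- confirm against the switch configuration).
#
# Abort on the first failed command: if an ACCEPT rule fails to install we must not continue and set the
# DROP policies on top of an incomplete ACCEPT list.
set -eu

# Allow minimum for all VLANs (ping, dhcp, dns, ntp)
sudo iptables -A INPUT -j ACCEPT -p icmp --icmp-type 8 -m comment --comment "accept incomming pings"
sudo iptables -A OUTPUT -j ACCEPT -p icmp --icmp-type 8 -m comment --comment "accept outgoing pings"
sudo iptables -A INPUT -j ACCEPT -p udp --dport 67:68 --sport 67:68 -m comment --comment "accept incomming dhcp"
sudo iptables -A OUTPUT -j ACCEPT -p udp --dport 67:68 --sport 67:68 -m comment --comment "accept outgoing dhcp"
sudo iptables -A INPUT -j ACCEPT -p udp --dport 53 -m comment --comment "accept incomming dns"
sudo iptables -A INPUT -j ACCEPT -p tcp --dport 53 -m comment --comment "accept incomming dns"
sudo iptables -A OUTPUT -j ACCEPT -p udp --dport 53 -m comment --comment "accept outgoing dns"
sudo iptables -A OUTPUT -j ACCEPT -p tcp --dport 53 -m comment --comment "accept outgoing dns"
sudo iptables -A INPUT -j ACCEPT -p udp --dport 123 -m comment --comment "accept incomming ntp"
sudo iptables -A OUTPUT -j ACCEPT -p udp --dport 123 -m comment --comment "accept outgoing ntp"
# Allow some useful outgoing traffic for all VLANs (ssh)
sudo iptables -A OUTPUT -j ACCEPT -p tcp --dport 22 -m comment --comment "accept outgoing ssh"
# Allow established and related traffic
sudo iptables -A INPUT -j ACCEPT -m conntrack --ctstate ESTABLISHED,RELATED -m comment --comment "accept all incomming established and related trafic"
sudo iptables -A OUTPUT -j ACCEPT -m conntrack --ctstate ESTABLISHED,RELATED -m comment --comment "accept all outgoing established and related trafic"
# Allow everything for trusted networks (loopback and VLAN30 on bare eth0)
sudo iptables -A INPUT -j ACCEPT -i lo -m comment --comment "accept all incoming traffic of loopback device"
sudo iptables -A OUTPUT -j ACCEPT -o lo -m comment --comment "accept all outgoing traffic of the loopback device"
sudo iptables -A INPUT -j ACCEPT -i eth0 -m comment --comment "accept all incoming traffic of eth0.30 device"
sudo iptables -A OUTPUT -j ACCEPT -o eth0 -m comment --comment "accept all outgoing traffic of the eth0.30 device"
# The host itself may talk to anything outside 192.168.0.0/16 via the internet VLAN
sudo iptables -A OUTPUT -j ACCEPT -o eth0.10 ! -d 192.168.0.0/16 -m comment --comment "accept all outgoing traffic to the internet"
# Add a REJECT rule so unmatched INPUT gets proper feedback instead of silently hitting the DROP policy
sudo iptables -A INPUT -j REJECT -m comment --comment "Reject all remaining traffic"
#######################################################################################################################
# Cross VLAN forwarding ###############################################################################################
#######################################################################################################################
# General
sudo sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"
sudo iptables -A FORWARD -j ACCEPT -m conntrack --ctstate ESTABLISHED,RELATED -m comment --comment "forward all established and related traffic"
sudo iptables -A FORWARD -j ACCEPT -p icmp --icmp-type 8 -m comment --comment "forward all pings"
sudo iptables -A FORWARD -j ACCEPT -p udp --dport 123 -m comment --comment "forward all ntp request"
sudo iptables -A FORWARD -j ACCEPT -p udp --sport 123 -m comment --comment "forward all ntp replies"
#---------------------
# -> VLAN10 (Internet)
#---------------------
# Allow VLAN30 full access to the internet (and to the VLAN10 subnet itself)
sudo iptables -A FORWARD -j ACCEPT -i eth0 -o eth0.10 ! -d 192.168.0.0/16 -m comment --comment "forward all traffic from vlan30 to the internet"
sudo iptables -A FORWARD -j ACCEPT -i eth0 -o eth0.10 -d 192.168.0.0/24 -m comment --comment "forward all traffic from vlan30 to vlan10"
# Allow VLAN40 access to http,https only.
# "--dport 80:443" would be the whole port RANGE 80-443 (it also opens 110, 143, 389, ...);
# multiport matches exactly the two ports the comment promises.
sudo iptables -A FORWARD -j ACCEPT -i eth0.40 -o eth0.10 ! -d 192.168.0.0/16 -p tcp -m multiport --dports 80,443 -m comment --comment "forward all http and https traffic from vlan40 to the internet"
sudo iptables -A FORWARD -j ACCEPT -i eth0.40 -o eth0.10 ! -d 192.168.0.0/16 -p tcp --dport 8080 -m comment --comment "forward port 8080 to the internet for siemens dishwasher"
# Allow VLAN60 access to http,https only (same port fix as above)
sudo iptables -A FORWARD -j ACCEPT -i eth0.60 -o eth0.10 ! -d 192.168.0.0/16 -p tcp -m multiport --dports 80,443 -m comment --comment "forward all http and https traffic from vlan60 to the internet"
#--------------------
# -> VLAN20 (Network)
#--------------------
# Allow VLAN30 full access
sudo iptables -A FORWARD -j ACCEPT -i eth0 -o eth0.20 -d 192.168.20.0/24 -m comment --comment "forward traffic from vlan30 to VLAN20"
#--------------------------------------
# -> VLAN30 (Family) - VERY RESTRICTIVE
#--------------------------------------
# Allow VLAN40 and VLAN50 access to the mqtt port
sudo iptables -A FORWARD -j ACCEPT -i eth0.40 -o eth0 -p tcp --dport 1883 -d 192.168.30.0/24 -m comment --comment "forward mqtt traffic from vlan40 to VLAN30"
sudo iptables -A FORWARD -j ACCEPT -i eth0.50 -o eth0 -p tcp --dport 1883 -d 192.168.30.0/24 -m comment --comment "forward mqtt traffic from vlan50 to VLAN30"
# Plain FTP control port only; the data connection relies on the conntrack helper being loaded (not done here)
sudo iptables -A FORWARD -j ACCEPT -i eth0.50 -o eth0 -p tcp --dport 21 -d 192.168.30.0/24 -m comment --comment "forward ftp traffic from vlan50 to VLAN30 (brother printer)"
#-------------------------------
# -> VLAN40 (Untrusted Internet)
#-------------------------------
# Allow VLAN30 full access
sudo iptables -A FORWARD -j ACCEPT -i eth0 -o eth0.40 -d 192.168.40.0/24 -m comment --comment "forward traffic from vlan30 to VLAN40"
#----------------------------------
# -> VLAN50 (Untrusted no Internet)
#----------------------------------
# Allow VLAN30 full access
sudo iptables -A FORWARD -j ACCEPT -i eth0 -o eth0.50 -d 192.168.50.0/24 -m comment --comment "forward traffic from vlan30 to VLAN50"
#------------------
# -> VLAN60 (Gäste)
#------------------
# (no forwarding into VLAN60; only the outgoing http/https rule above)
#-------------------------------------
# Masquerade traffic leaving each VLAN
#-------------------------------------
sudo iptables -t nat -A POSTROUTING -o eth0.10 -j MASQUERADE -m comment --comment "masquerade ->eth0.10"
sudo iptables -t nat -A POSTROUTING -o eth0.20 -j MASQUERADE -m comment --comment "masquerade ->eth0.20"
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE -m comment --comment "masquerade ->eth0.30"
sudo iptables -t nat -A POSTROUTING -o eth0.40 -j MASQUERADE -m comment --comment "masquerade ->eth0.40"
sudo iptables -t nat -A POSTROUTING -o eth0.50 -j MASQUERADE -m comment --comment "masquerade ->eth0.50"
#######################################################################################################################
# Change policy to drop all remaining #################################################################################
#######################################################################################################################
# Policies are set last, after every ACCEPT rule is in place, so a partially applied run never locks the host out.
sudo iptables -P INPUT DROP
sudo iptables -P OUTPUT DROP
sudo iptables -P FORWARD DROP
#######################################################################################################################
# Show configuration ##################################################################################################
#######################################################################################################################
sudo iptables -L -n -v --line-numbers
printf '%s\n' "********************************************************************************************"
printf '%s\n' "* -> Execute sudo sh -c \"iptables-save > /etc/iptables/rules.v4\""
printf '%s\n' "********************************************************************************************"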