#!/bin/sh ## # # initialize.fw: setup the default firewall rules # # *** NOTE *** # # If you want to have local firewall rules in addition to what NoCat # provides, add them at the bottom of this file. They will be recreated # each time gateway is restarted. # ## # dme26 - put your gateway's DNS name / IP address here. snatIP=$(host wifinat.kings.cam.ac.uk | cut '-d ' -f4) # The current service classes by fwmark are: # # 1: Owner # 2: Co-op # 3: Public # 4: Free # Note: your PATH is inherited from the gateway process # if [ $(id -u) = 0 ]; then # Enable IP forwarding and rp_filter (to kill IP spoof attempts). # echo "1" > /proc/sys/net/ipv4/ip_forward echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter # Load alllll the kernel modules we need. # rmmod ipchains > /dev/null 2>&1 # for RH 7.1 users. for module in ip_tables ipt_REDIRECT ipt_MASQUERADE ipt_MARK ipt_REJECT \ ipt_TOS ipt_LOG iptable_mangle iptable_filter iptable_nat ip_nat_ftp \ ip_conntrack ip_conntrack_ftp ip_conntrack_irc \ ip_nat_irc ipt_mac ipt_state ipt_mark; do modprobe $module done fi # Flush all user-defined chains # iptables -t filter -N NoCat 2>/dev/null iptables -t filter -F NoCat iptables -t filter -D FORWARD -j NoCat 2>/dev/null iptables -t filter -A FORWARD -j NoCat iptables -t filter -N NoCat_Ports 2>/dev/null iptables -t filter -F NoCat_Ports iptables -t filter -D NoCat -j NoCat_Ports 2>/dev/null iptables -t filter -A NoCat -j NoCat_Ports iptables -t filter -N NoCat_Inbound 2>/dev/null iptables -t filter -F NoCat_Inbound iptables -t filter -D NoCat -j NoCat_Inbound 2>/dev/null iptables -t filter -A NoCat -j NoCat_Inbound iptables -t nat -N NoCat_Capture 2>/dev/null iptables -t nat -F NoCat_Capture iptables -t nat -D PREROUTING -j NoCat_Capture 2>/dev/null iptables -t nat -A PREROUTING -j NoCat_Capture iptables -t nat -N NoCat_NAT 2>/dev/null iptables -t nat -F NoCat_NAT # # Only nat if we're not routing # iptables -t nat -D POSTROUTING -j NoCat_NAT 2>/dev/null [ "$RouteOnly" ] || iptables -t nat -A POSTROUTING -j NoCat_NAT iptables -t mangle -N NoCat 2>/dev/null iptables -t mangle -F NoCat iptables -t mangle -D PREROUTING -j NoCat 2>/dev/null iptables -t mangle -A PREROUTING -j NoCat fwd="iptables -t filter -A NoCat" ports="iptables -t filter -A NoCat_Ports" nat="iptables -t nat -A NoCat_NAT" redirect="iptables -t nat -A NoCat_Capture" mangle="iptables -t mangle -A NoCat" if [ "$MembersOnly" ]; then classes="1 2" else classes="1 2 3" fi # Handle tagged traffic. # for iface in $InternalDevice; do for net in $LocalNetwork; do for fwmark in $classes; do # Only forward tagged traffic per class $fwd -i $iface -s $net -m mark --mark $fwmark -j ACCEPT # $fwd -o $iface -d $net -m mark --mark $fwmark -j ACCEPT # dme26: UCS NAT logging / fill up syslog. $nat -o $ExternalDevice -s $net -m mark --mark $fwmark -j LOG --log-level INFO --log-prefix "NoCatNAT " # dme26: was a MASQUERADE rather than SNAT target # Masquerade permitted connections. $nat -o $ExternalDevice -s $net -m mark --mark $fwmark -j SNAT --to-source $snatIP done # Allow web traffic to the specified hosts, and don't capture # connections intended for them. # if [ "$AuthServiceAddr" -o "$AllowedWebHosts" ]; then for host in $AuthServiceAddr $AllowedWebHosts; do for port in 80 443; do # dme26: was a MASQUERADE rather than SNAT target $nat -s $net -d $host -p tcp --dport $port -j SNAT --to-source $snatIP $redirect -s $net -d $host -p tcp --dport $port -j RETURN $fwd -s $net -d $host -p tcp --dport $port -j ACCEPT $fwd -d $net -s $host -p tcp --sport $port -j ACCEPT done done fi # Accept forward and back traffic to/from DNSAddr if [ "$DNSAddr" ]; then for dns in $DNSAddr; do $fwd -o $iface -d $net -s $dns -j ACCEPT for prot in tcp udp; do $fwd -i $iface -s $net -d $dns -p $prot --dport 53 -j ACCEPT # dme26: was a MASQUERADE rather than SNAT target $nat -p $prot -s $net -d $dns --dport 53 -j SNAT --to-source $snatIP # Force unauthenticated DNS traffic through this server. # Of course, only the first rule of this type will match. # But it's easier to leave them all in ATM. # # Commented out for now, it's got a syntax issue I can't # quite fathom: "iptables: Invalid argument" # --Rob # #$nat -i $InternalDevice -m mark --mark 4 -p $prot \ # --dport 53 -j DNAT --to $dns:53 done done fi done # Set packets from internal devices to fw mark 4, or 'denied', by default. $mangle -i $iface -j MARK --set-mark 4 done # Redirect outbound non-auth web traffic to the local gateway process # except to windowsupdate.microsoft.com, which is broken. # # If MembersOnly is active, then redirect public class as well # if [ "$MembersOnly" ]; then nonauth="3 4" else nonauth="4" fi for port in 80 443; do for mark in $nonauth; do $redirect -m mark --mark $mark -d windowsupdate.microsoft.com -j DROP $redirect -m mark --mark $mark -p tcp --dport $port -j REDIRECT \ --to-port $GatewayPort done done # Lock down more ports for public users, if specified. Port restrictions # are not applied to co-op and owner class users. # # There are two philosophies in restricting access: That Which Is Not # Specifically Permitted Is Denied, and That Which Is Not Specifically # Denied Is Permitted. # # If "IncludePorts" is defined, the default policy will be to deny all # traffic, and only allow the ports mentioned. # # If "ExcludePorts" is defined, the default policy will be to allow all # traffic, except to the ports mentioned. # # If both are defined, ExcludePorts will be ignored, and the default policy # will be to deny all traffic, allowing everything in IncludePorts, and # issue a warning. # if [ "$IncludePorts" ]; then if [ "$ExcludePorts" ]; then echo "Warning: ExcludePorts and IncludePorts are both defined." echo "Ignoring 'ExcludePorts'. Please check your nocat.conf." fi # Enable all ports in IncludePorts for iface in $InternalDevice; do for port in $IncludePorts; do $ports -p tcp -i $iface --dport $port -m mark --mark 3 -j ACCEPT $ports -p udp -i $iface --dport $port -m mark --mark 3 -j ACCEPT done # Always permit access to the GatewayPort (or we can't logout) $ports -p tcp -i $iface --dport $GatewayPort -j ACCEPT $ports -p udp -i $iface --dport $GatewayPort -j ACCEPT # ...and disable access to the rest. $ports -p tcp -i $iface -m mark --mark 3 -j DROP $ports -p udp -i $iface -m mark --mark 3 -j DROP done elif [ "$ExcludePorts" ]; then # If ExcludePorts has entries, simply deny access to them. for iface in $InternalDevice; do for port in $ExcludePorts; do $ports -p tcp -i $iface --dport $port -m mark --mark 3 -j DROP $ports -p udp -i $iface --dport $port -m mark --mark 3 -j DROP done done fi # # Disable access on the external to GatewayPort from anything but the AuthServiceAddr # if [ "$AuthServiceAddr" ]; then $fwd -i $ExternalDevice -s ! $AuthServiceAddr -p tcp --dport $GatewayPort -j DROP fi # Filter policy. $fwd -j DROP # # Call the bandwidth throttle rules. # # Note: This feature is *highly* experimental. # # This functionality requires the 'tc' advanced router tool, # part of the iproute2 package, available at: # ftp://ftp.inr.ac.ru/ip-routing/ # # To use bandwidth throttling, edit the upload and download # bandwidth thresholds at the top of the throttle.fw file, # and make throttle.fw executable. Try something like this: # # chmod +x throttle.fw # [ -x throttle.fw ] && throttle.fw ## # Add any other local firewall rules below. ## ## # Uncomment the following to permit all 10/8 traffic *before* auth ## #AllowedNetworks="10.0.0.0/8" # #for net in $AllowedNetworks; do # iptables -t mangle -A PREROUTING -d $net -j MARK --set-mark 2 # iptables -t filter -A FORWARD -s $net -j ACCEPT #done # # Ende #