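#!/bin/sh
#
# aryzhov@spasu.net
#
# Install-time step for a Solaris gateway: writes the IPFilter packet-filter
# rules (ipf.conf) and NAT rules (ipnat.conf), registers the NIC drivers with
# pfil, and installs an rc3.d hook that enables IP forwarding at boot.
#
# Globals read:   SID (install config root, defaults to /tmp/install_config),
#                 SubrIsRead / VarsAreSet / ROOT (set by the sourced
#                 Subroutines file, SetJVars and SetRootOpts respectively)
# Files written:  $IPFilter_Conf_Dir/ipf.conf, $IPFilter_Conf_Dir/ipnat.conf,
#                 $IPFilter_Conf_Dir/pfil.ap (appended), /etc/rc3.d/S99ip_forwarding
#
# NOTE(review): this file was recovered from a whitespace-collapsed copy; line
# breaks inside the two rule sets were reconstructed.  A "#" immediately
# preceding a rule was read as commenting that rule out — verify the
# reconstructed rule sets against the original before deploying.

[ -z "$SID" ] && SID=/tmp/install_config
[ X$SubrIsRead = XYes ] || . "$SID/Scripts/Misc/!Includes/Subroutines"
[ X$VarsAreSet = XYes ] || SetJVars
SetRootOpts
# Re-exec this script inside the target root when installing into an
# alternate $ROOT.  ${1+"$@"} forwards the positional parameters unsplit and is
# the form that is safe in old Bourne shells (the original used a bare $*).
[ X$ROOT != X/ ] && exec Chroot_Script "$0" ${1+"$@"}

# Solaris /bin/sh echo interprets \n itself; no -e flag exists there.
echo "\n\n=== Configuring IPFilter ===\n"

IPFilter_Conf_Dir=/etc/ipf/.
IPFil_Conf_File=$IPFilter_Conf_Dir/ipf.conf
IPNat_Conf_File=$IPFilter_Conf_Dir/ipnat.conf

# Interface / network roles.  The role of each NIC is documented in the
# header of the ipf.conf rule set below.
# NOTE(review): Private_Net (196.1.1) and Fake_Net (177.1.1) are not RFC 1918
# ranges, so the anti-spoofing rules below do not cover them; only the
# interface-qualified catch-all on $Internet_NIC keeps outside packets with
# these sources from being treated as internal — confirm this is intended.
Internet_NIC=eri0
Internet_Net=213.160.42
Public_NIC=ce2
Public_Net=192.168.1
Private_NIC=ce0
Private_Net=196.1.1
Fake_NIC=ce3
Fake_Net=177.1.1

# Register the eri and ce driver families with pfil (pfil.ap is presumably the
# pfil autopush interface list — confirm against the installed IPFilter).
# Each entry is appended only if not already present, so re-running the
# installer does not duplicate it.  Solaris grep may lack -q, hence the
# redirection.
Pfil_Ap_File=$IPFilter_Conf_Dir/pfil.ap
grep '^eri -1 0 pfil' "$Pfil_Ap_File" >/dev/null 2>&1 || \
  echo "eri -1 0 pfil" >>"$Pfil_Ap_File"
grep '^ce -1 0 pfil' "$Pfil_Ap_File" >/dev/null 2>&1 || \
  echo "ce -1 0 pfil" >>"$Pfil_Ap_File"

# Boot-time hook that turns on IP forwarding between the gateway's NICs.
# NOTE(review): confirm that IPFilter is loaded and its rules are active before
# S99 runs, so the box never forwards unfiltered, even briefly, during boot.
cat >/etc/rc3.d/S99ip_forwarding <<'EOF'
#!/bin/sh
echo Enabling ip_forwarding
/usr/sbin/ndd -set /dev/ip ip_forwarding 1
EOF
chmod +x /etc/rc3.d/S99ip_forwarding

# ---------------------------------------------------------------------------
# ipf.conf
#
# Written verbatim (after $-expansion) by the Main section below.  Rule order
# matters: "quick" rules terminate evaluation on match, the non-quick
# "block in on $Internet_NIC all" is a default that later pass rules override,
# and the final "block in/out quick all" pair catches whatever is left.
#
# NOTE(review): the Mail & HTTP/HTTPS pass rules match "on $Fake_NIC", while
# connections that reach these services through the ipnat rdr rules arrive on
# $Internet_NIC and are filtered there after translation — confirm that the
# redirected mail/web traffic is actually admitted and not dropped by
# "block in log quick on $Internet_NIC all".
# ---------------------------------------------------------------------------
IPFil_Conf="
# # # # # # # # # # # # # # # # # # # # # # # # # # # #
# Interface naming and configuration
# $Internet_NIC \t= External NIC, facing the world
# $Private_NIC \t= Internal NIC, facing private LAN
# $Public_NIC \t= Internal NIC, facing public LAN
# $Fake_NIC \t= Internal fake network for RDR and inter-zone communications only
#
block in log quick all with opt lsrr
block in log quick all with opt ssrr
block in log quick all with ipopts
block in log quick all with short
block out quick proto tcp from any to any port = 135
# Anti-Spoofing Rules
# Bad Source Addresses
block in log quick from 172.16.0.0/12 to any
block in log quick from 10.0.0.0/8 to any
block in log quick from 0.0.0.0/8 to any
block in log quick from 127.0.0.0/8 to any
block in log quick from 169.254.0.0/16 to any
block in log quick from 192.0.2.0/24 to any
block in log quick from 204.152.64.0/23 to any
block in log quick from 224.0.0.0/3 to any
# Bad Destination Addresses
block in log quick from any to 172.16.0.0/12
block in log quick from any to 0.0.0.0/8
block in log quick from any to 127.0.0.0/8
block in log quick from any to 169.254.0.0/16
block in log quick from any to 192.0.2.0/24
block in log quick from any to 204.152.64.0/23
block in log quick from any to 224.0.0.0/3
block in log quick from any to 10.0.0.255/32
# Beginning Outbound rules
# Bad Destination addresses
block out log quick from any to 172.16.0.0/12
block out log quick from any to 0.0.0.0/8
block out log quick from any to 10.0.0.0/8
block out log quick from any to 127.0.0.0/8
block out log quick from any to 169.254.0.0/16
block out log quick from any to 192.0.2.0/24
block out log quick from any to 204.152.64.0/23
block out log quick from any to 224.0.0.0/3
# Bad Source addresses
block out log quick from 172.16.0.0/12 to any
block out log quick from 0.0.0.0/8 to any
block out log quick from 127.0.0.0/8 to any
block out log quick from 169.254.0.0/16 to any
block out log quick from 192.0.2.0/24 to any
block out log quick from 204.152.64.0/23 to any
block out log quick from 224.0.0.0/3 to any
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# Bad guys
#
block in log quick from 221.147.128.253/32 to any
block in log quick from any to 221.147.128.253/32
# block in log quick from 213.25.217.194/32 to any
# block in log quick from 62.195.136.174/32 to any
block in log quick from 64.124.85.0/24 to any
block in log quick from 68.142.250.0/24 to any
block in log quick from 84.177.138.137/32 to any
block in log quick from 195.49.22.162/32 to any
block in log quick from 65.214.44.69/32 to any
# block in log quick from 213.160.161.0/24 to any
block in log quick from 213.160.162.0/24 to any
block in log quick from 213.160.167.0/24 to any
block in log quick from 213.160.168.0/24 to any
block in log quick from 213.160.169.0/24 to any
block in log quick from 213.160.170.0/24 to any
block in log quick from 63.241.61.0/24 to any
block in log quick from 66.249.65.0/24 to any
block in log quick from 66.234.139.216/32 to any
block in log quick from 218.28.85.54/32 to any
block in log quick from 204.119.61.211/32 to any
block in log quick from 66.154.103.122/32 to any
block in log quick from 66.154.102.104/32 to any
block in log quick from 66.249.65.2/32 to any
######
#
# Kids Internet - will be flipped via crontab
#
# block in quick on $Public_NIC from $Public_Net.7/32 to any
# block in quick on $Public_NIC from $Public_Net.9/32 to any
#
block in on $Internet_NIC all
block in quick on $Internet_NIC proto icmp from any to any
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# Pass rules
#
#
# Mail & HTTP/HTTPS
#
pass in quick on $Fake_NIC proto tcp from any to $Fake_Net.205/32 port = 25 flags S keep state keep frags
pass in quick on $Fake_NIC proto tcp from any to $Fake_Net.202/32 port = 80 flags S keep state keep frags
pass in quick on $Fake_NIC proto tcp from any to $Fake_Net.202/32 port = 443 flags S keep state keep frags
# # # # # # # # Block all other inbound connections and log them # # # # # # # #
block in log quick on $Internet_NIC all
# Outbound traffic from intranet to extranet
pass out quick on $Internet_NIC proto tcp all flags S keep state keep frags
pass out quick on $Internet_NIC proto udp all keep state keep frags
pass out quick on $Internet_NIC proto icmp all keep state keep frags
block out quick on $Internet_NIC all
# Internal are unlimited
#
pass in quick on $Private_NIC all
pass out quick on $Private_NIC all
#
pass in quick on $Public_NIC all
pass out quick on $Public_NIC all
#
pass out quick on $Fake_NIC all keep state keep frags
# Full block
block in quick all
block out quick all
"

# ---------------------------------------------------------------------------
# ipnat.conf
#
# Three groups: "black hole" rdr rules for unwanted inbound traffic, per-host
# outbound NAT (map) for the public LAN, and rdr rules that publish the mail
# and web services on $Internet_Net.180.
#
# NOTE(review): 1.2.3.4 is a routable public address, not a local sink.  It
# is the filter's "block in log quick on $Internet_NIC all" that ultimately
# discards the translated packets; if that rule were ever relaxed, traffic
# could be forwarded off-box instead of dropped.
# NOTE(review): in IPFilter "a >< b" is exclusive at both ends, so
# "port 23 >< 24" matches no port — confirm whether "port = 23" was meant.
# "port 1 >< 99999" exceeds the 16-bit port range; confirm ipnat accepts it.
# NOTE(review): $Public_Net.12 has only the portmap line, unlike its
# neighbours which also have a plain map line — confirm this is intentional.
# ---------------------------------------------------------------------------
IPNat_Conf="
#
#
# Redirect unwanted traffic to the black hole
#
rdr $Internet_NIC from any to $Internet_Net.176/28 port 1 >< 21 -> 1.2.3.4 port 9000 tcp
rdr $Internet_NIC from any to $Internet_Net.176/28 port 23 >< 24 -> 1.2.3.4 port 9000 tcp
rdr $Internet_NIC from any to $Internet_Net.176/28 port 26 >< 79 -> 1.2.3.4 port 9000 tcp
rdr $Internet_NIC from any to $Internet_Net.176/28 port 81 >< 442 -> 1.2.3.4 port 9000 tcp
rdr $Internet_NIC from any to $Internet_Net.176/28 port 444 >< 30000 -> 1.2.3.4 port 9000 tcp
# rdr $Internet_NIC from any to $Internet_Net.176/28 port = 1026 -> 1.2.3.4 port 9000 udp
rdr $Internet_NIC from any to $Internet_Net.176/28 port = 1027 -> 1.2.3.4 port 9000 udp
#
# Bad ICMP guy
rdr $Internet_NIC from 213.55.87.0/24 to any port 1 >< 99999 -> 1.2.3.4 port 69 icmp
#
# Suspicious HTTP
#
rdr $Internet_NIC from 65.214.44.69/32 to any port 1 >< 99999 -> 1.2.3.4 port 69 tcp
rdr $Internet_NIC from 65.214.44.69/32 to any port 1 >< 99999 -> 1.2.3.4 port 69 udp
rdr $Internet_NIC from 65.214.44.69/32 to any port 1 >< 99999 -> 1.2.3.4 port 69 icmp
################# Intranet clients specific rules ############################
map $Internet_NIC $Public_Net.2/32 -> $Internet_Net.178/32 portmap tcp/udp 40000:60000
map $Internet_NIC $Public_Net.2/32 -> $Internet_Net.178/32
map $Internet_NIC $Public_Net.3/32 -> $Internet_Net.178/32 portmap tcp/udp 40000:60000
map $Internet_NIC $Public_Net.3/32 -> $Internet_Net.178/32
map $Internet_NIC $Public_Net.5/32 -> $Internet_Net.178/32 portmap tcp/udp 40000:60000
map $Internet_NIC $Public_Net.5/32 -> $Internet_Net.178/32
map $Internet_NIC $Public_Net.7/32 -> $Internet_Net.178/32 portmap tcp/udp 40000:60000
map $Internet_NIC $Public_Net.7/32 -> $Internet_Net.178/32
map $Internet_NIC $Public_Net.8/32 -> $Internet_Net.178/32 portmap tcp/udp 40000:60000
map $Internet_NIC $Public_Net.8/32 -> $Internet_Net.178/32
map $Internet_NIC $Public_Net.9/32 -> $Internet_Net.178/32 portmap tcp/udp 40000:60000
map $Internet_NIC $Public_Net.9/32 -> $Internet_Net.178/32
##############################
map $Internet_NIC $Public_Net.11/32 -> $Internet_Net.178/32 portmap tcp/udp 40000:60000
map $Internet_NIC $Public_Net.11/32 -> $Internet_Net.178/32
map $Internet_NIC $Public_Net.12/32 -> $Internet_Net.178/32 portmap tcp/udp 40000:60000
map $Internet_NIC $Public_Net.13/32 -> $Internet_Net.178/32 portmap tcp/udp 40000:60000
map $Internet_NIC $Public_Net.13/32 -> $Internet_Net.178/32
map $Internet_NIC $Public_Net.14/32 -> $Internet_Net.178/32 portmap tcp/udp 40000:60000
map $Internet_NIC $Public_Net.14/32 -> $Internet_Net.178/32
map $Internet_NIC $Public_Net.15/32 -> $Internet_Net.178/32 portmap tcp/udp 40000:60000
map $Internet_NIC $Public_Net.15/32 -> $Internet_Net.178/32
map $Internet_NIC $Public_Net.16/32 -> $Internet_Net.178/32 portmap tcp/udp 40000:60000
map $Internet_NIC $Public_Net.16/32 -> $Internet_Net.178/32
map $Internet_NIC $Public_Net.17/32 -> $Internet_Net.178/32 portmap tcp/udp 40000:60000
map $Internet_NIC $Public_Net.17/32 -> $Internet_Net.178/32
map $Internet_NIC $Public_Net.18/32 -> $Internet_Net.178/32 portmap tcp/udp 40000:60000
map $Internet_NIC $Public_Net.18/32 -> $Internet_Net.178/32
map $Internet_NIC $Public_Net.19/32 -> $Internet_Net.178/32 portmap tcp/udp 40000:60000
map $Internet_NIC $Public_Net.19/32 -> $Internet_Net.178/32
#####################################
map $Internet_NIC $Public_Net.91/32 -> $Internet_Net.178/32 portmap tcp/udp 40000:60000
map $Internet_NIC $Public_Net.91/32 -> $Internet_Net.178/32
map $Internet_NIC $Public_Net.93/32 -> $Internet_Net.178/32 portmap tcp/udp 40000:60000
map $Internet_NIC $Public_Net.93/32 -> $Internet_Net.178/32
map $Internet_NIC $Public_Net.95/32 -> $Internet_Net.178/32 portmap tcp/udp 40000:60000
map $Internet_NIC $Public_Net.95/32 -> $Internet_Net.178/32
map $Internet_NIC $Public_Net.97/32 -> $Internet_Net.178/32 portmap tcp/udp 40000:60000
map $Internet_NIC $Public_Net.97/32 -> $Internet_Net.178/32
map $Internet_NIC $Public_Net.99/32 -> $Internet_Net.178/32 portmap tcp/udp 40000:60000
map $Internet_NIC $Public_Net.99/32 -> $Internet_Net.178/32
################ Services ###########################
rdr $Internet_NIC $Internet_Net.180/32 port 25 -> $Fake_Net.205 port 25 tcp
rdr $Internet_NIC $Internet_Net.180/32 port 443 -> $Fake_Net.202 port 443 tcp
rdr $Internet_NIC $Internet_Net.180/32 port 80 -> $Fake_Net.202 port 80 tcp
"

########################## Main ###############################
# Solaris /bin/sh echo turns the \t sequences in the ipf.conf header into tabs.
echo "$IPFil_Conf" >"$IPFil_Conf_File"
echo "$IPNat_Conf" >"$IPNat_Conf_File"
# Alternative for a host that needs no NAT at all:
# echo "# No NAT on internal machine" >"$IPNat_Conf_File"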