Routing between 2 LANs
Posted by: coulou59

Hello,

I want to put a Linux router between 2 LANs.
eth0 : 192.168.1.107/255.255.255.0
eth1 : 192.168.2.107/255.255.255.0

Machine A : 192.168.1.73
Machine B : 192.168.2.40

I connected the 2 machines A and B to the Linux router with crossover cables. Both machines can ping both addresses of the Linux router, but not the other machine...

Can you tell me the procedure to follow? I can't find a Howto on this subject...


Thanks in advance :ange:

Posted on Friday 21 April 2006 10:45:22
Re: Routing between 2 LANs

[www.homenethelp.com]
[www.netfilter.org]
[www.tldp.org]
[www.ibiblio.org]
[netfilter.kernelnotes.org]

Basically, it's mostly a matter of iptables.

Just in case, here is a script I used to run, which I took over from Faré RIDEAU (thanks to him) [fare.tunes.org] - I used this script when my ADSL link went through a BEWAN PCI ST internal modem card - since then I prefer the Netopia modem-router.

#!/bin/zsh -f
#
# firewall       Activate/Deactivate the network firewall.
#
# description: this script manages the firewall between the local network \
#              and the outer world.
#
# prcs $Id: firewall_iptable_hector 1.14 Thu, 02 Sep 2004 18:59:05 +0200 basile $
# prcsproj $ProjectHeader: Scripts 0.104 Fri, 11 Feb 2005 07:13:35 +0100 basile $
# from fare firewall 1.26 2001/12/27 01:15:27 fare Exp
# Last ipchains version 1.20
#
# For Samaris only
#
# Kudos to <efge@mail.com>, <tril@tunes.org>
# See also:
# [netfilter.samba.org]
# [www.cs.princeton.edu]
# [www.boingworld.com]

#DEBUG=1

function DO () {
  print -r "$*" >&2
  $@
}

function disable_fw () {
  # write the flag, do not append to it
  echo '0' >/proc/sys/net/ipv4/ip_forward
}
function enable_fw () {
  echo '1' >/proc/sys/net/ipv4/ip_forward
}

function environment () {
  PATH=/sbin:/bin:/usr/sbin:/usr/bin
  LANG= LC_CTYPE=
  LANG=C
  export LANG

  LOCALNET=127.0.0.0/8
  HIDDENLAN=192.168.0.0/24    # wired LAN behind $LANDEV
  WIFILAN=192.168.1.0/24      # Wifi LAN behind $WIFIDEV
  TRUSTEDLANS=192.168.0.0/16  # covers both private LANs
  ADSLIP=62.212.121.80 
  PPP0=
  ALL=0.0.0.0/0
  BLOCKED=REJECT
  #BLOCKED=DENY
  ICMPPOL=ACCEPT
  LANDEV=eth0
  WIFIDEV=eth1  # the Wifi router is on eth1
  WIFIROUTER=192.168.1.1
  #CABLEDEV=eth2
#       ADSLDEV=eth1
  PPPDEV=ppp0

# A=( $(ifcfg2IP $ADSLDEV addr) )
# if [ "$#A" = 4 ] ; then
#   ADSLIP=$A[1].$A[2].$A[3].$A[4]
#   ADSL=$A[1].$A[2].$A[3].0/24
# else
#   print "# No ADSL modem!" >&2
#   ADSLIP=
#   ADSL=$ADSL0
# fi

  A=( $(ifcfg2IP $PPPDEV inet.addr ) )
  if [ "$#A" = 4 ] ; then
    PPPIP=$A[1].$A[2].$A[3].$A[4]
    PPP=$A[1].$A[2].0.0/16
  else
    print "# No ADSL connection!" >&2
    PPPIP=
    PPP=$PPP0
  fi

  A=( $(ifcfg2IP $WIFIDEV inet.addr ) )
  if [ "$#A" = 4 ] ; then
    WIFIIP=$A[1].$A[2].$A[3].$A[4]
    echo wifi ip $WIFIIP
  else
    print "# No Wifi connection!" >&2
    WIFIIP=
  fi
}

# Load appropriate modules.
load_modules () {
  modprobe -r ipchains
  modprobe ip_tables #|| exit 1
  modprobe ip_conntrack
  modprobe ip_conntrack_ftp
  #modprobe ip_conntrack_irc # not in standard kernels
  modprobe iptable_nat
  modprobe ip_nat_ftp
  #modprobe ip_nat_irc # not in standard kernels
}

ifcfg2IP () {
  local DEV=$1 STR=$2
  export LANG=C
  =ifconfig $DEV | grep "${STR}:" | sed -e \
  's/^.*'"$STR"':\([0-9]*\)\.\([0-9]*\)\.\([0-9]*\)\.\([0-9]*\) .*$/\1 \2 \3 \4/'
}

ipt () { iptables $@ || (logger failed "ipt $*" ; exit 1)  }
INPUT () { ipt -A INPUT $@ }
OUTPUT () { ipt -A OUTPUT $@ }
INPUText () { INPUT -i $PPPDEV $@ }
OUTPUText () { OUTPUT -o $PPPDEV $@ }
FORWARD () { ipt -A FORWARD $@ }
PREROUTING () { ipt -A PREROUTING $@ }
POSTROUTING () { ipt -A POSTROUTING $@ }
PRENAT () { PREROUTING -t nat $@ }
POSTNAT () { POSTROUTING -t nat $@ }
PRENAText () { PRENAT -i $PPPDEV $@ }
POSTNAText () { POSTNAT -o $PPPDEV $@ }
log=(-j LOG --log-prefix)

drop_packets () {
  # Set up a default DROP policy for the built-in chains. If we modify and
  # re-run the script mid-session then (because we have a default DROP
  # policy), what happens is that there is a small time period when
  # packets are denied until the new rules are back in place. There is no
  # period, however small, when packets we don't want are allowed.
  ipt -P INPUT DROP
  ipt -P FORWARD DROP
  ipt -P OUTPUT ACCEPT
  ipt -t nat -P PREROUTING ACCEPT
  ipt -t nat -P POSTROUTING ACCEPT
  ipt -t nat -P OUTPUT ACCEPT
}

clear_tables () {
  # These lines are here in case rules are already in place and the script
  # is ever rerun on the fly. We want to remove all rules and
  # pre-exisiting user defined chains and zero the counters before we
  # implement new rules.
  ipt -F
  ipt -F -t nat
  ipt -X
  ipt -X -t nat
  ipt -Z
}

configure_kernel () {
  # To dynamically change kernel parameters and variables on the fly you
  # need CONFIG_SYSCTL defined in your kernel. I would advise the
  # following:

  # Disable ECN, which causes problems with some sites.
  if [ -f /proc/sys/net/ipv4/tcp_ecn ]; then
    echo "0" > /proc/sys/net/ipv4/tcp_ecn
  fi

  # TCP Syncookies protection.
  if [ -f /proc/sys/net/ipv4/tcp_syncookies ]; then
    echo "1" > /proc/sys/net/ipv4/tcp_syncookies
  fi

  # TIME_WAIT assassination protection.
  echo "1" > /proc/sys/net/ipv4/tcp_rfc1337

  # Don't disable response to ping.
  echo "0" > /proc/sys/net/ipv4/icmp_echo_ignore_all

  # Disable response to broadcasts.
  echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

  # Don't accept source routed packets.
  echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route

  # Disable ICMP redirect acceptance.
  echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects

  # Enable bad error message protection.
  echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

  # Log spoofed packets, source routed packets, redirect packets.
  echo "1" > /proc/sys/net/ipv4/conf/all/log_martians

  # Make sure that IP forwarding is turned on. We want this for a
  # multi-homed host.
  echo "1" > /proc/sys/net/ipv4/ip_forward

  # Turn on reverse path filtering.
  echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter

  # If you get your IP address dynamically from SLIP, PPP, or DHCP, enable
  # this option. This enables dynamic-ip address hacking in IP MASQ,
  # making the connection with Diald and similar programs much easier.
  #echo "1" > /proc/sys/net/ipv4/ip_dynaddr

  # Note: With connection tracking, all fragments are reassembled before
  # being passed to the packet-filtering code so there is no
  # ip_always_defrag switch as there was in the 2.2 kernel.
}

## ---------- Rules ----------

debug_rules () {
  if [ -n "$DEBUG" ]; then
    debugopt=( -j LOG --log-level DEBUG --log-prefix )
    INPUT $debugopt "IPTABLES DEBUG INPUT: "
    OUTPUT $debugopt "IPTABLES DEBUG OUTPUT: "
    FORWARD $debugopt "IPTABLES DEBUG FORWARD: "
    PRENAT $debugopt "IPTABLES DEBUG NATPRER: "
    POSTNAT $debugopt "IPTABLES DEBUG NATPOSTR: "
    OUTPUT -t nat $debugopt "IPTABLES DEBUG NATOUT: "
  fi
}

REDIRext () {
  # Define a redirected service
  # By default, all sources are good; specify restrictions in $4
  # (add rejecting rules *before*)
  local INPORT=$1 TRUESERVER=$2 TRUEPORT=${3:-$1} GOODSRC=${4:-0/0}
  PRENAText -p tcp -s ${GOODSRC} --dport ${INPORT} \
	-j DNAT --to ${TRUESERVER}:${TRUEPORT}
  FORWARD -p tcp -s ${GOODSRC} -d ${TRUESERVER} --dport ${TRUEPORT} -j ACCEPT
}

redirected_services () {

#  # SEND -> Limbo:SEND (Genera Converse)
#  PRENAT -p tcp -d $PPPIP --dport 262 -j DNAT --to 10.31.0.13
#  FORWARD -p tcp -d 10.31.0.13 --dport 262 -j ACCEPT
#  # 24 -> Kadath:SSH
#  REDIRext 24  10.31.0.3  22

}

allow_loopback () {
  ## LOOPBACK
  # Allow unlimited traffic on the loopback interface.
  ipt -A INPUT -i lo -j ACCEPT
  ipt -A OUTPUT -o lo -j ACCEPT
}

allow_LAN () {
  ## LOCAL NET
  # Allow unlimited traffic on the local network.
  INPUT -i $LANDEV -j ACCEPT
  OUTPUT -o $LANDEV -j ACCEPT

## wifi
  if [ -n "$WIFIIP" ]; then 
  # Allow unlimited traffic on the Wifi network.
    INPUT  -i $WIFIDEV  -j ACCEPT
    OUTPUT -o $WIFIDEV  -j ACCEPT
  else
    echo wifi not connected
    logger firewall_iptable_hector sans wifi
  fi

# ## Modem
# INPUT -i $ADSLDEV -j ACCEPT
# OUTPUT -o $ADSLDEV -j ACCEPT
}

masquerade () { ## MASQUERADING (NAT)
  #POSTNAText -j MASQUERADE
  POSTNAText -j SNAT --to-source $PPPIP || echo echec to source
  ### Don't forward from some hosts:
  ### FORWARD -i $LANDEV -s 10.31.0.3 -j DROP
  FORWARD -i $LANDEV -j ACCEPT
  FORWARD -i $WIFIDEV -j ACCEPT
  FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

  redirected_services

  FORWARD -m limit --limit 3/minute --limit-burst 3 $log "IPTABLES DROP FORWARD: "
  FORWARD -j DROP
}

filter_crap () { ## FILTER CRAP
  # IGMP
  PRENAText -p 2 -j DROP
  # Multicast addresses, reserved IP addresses.
  PRENAText -s 224.0.0.0/4 -j DROP
  PRENAText -s 240.0.0.0/5 -j DROP
}

filter_spoofing () { ## SPOOFING
  # Most of this anti-spoofing stuff is theoretically not really necessary
  # with the flags we have set in the kernel above... but you never know
  # there isn't a bug somewhere in your IP stack.
  ipt -N spoof -t nat
  ipt -A spoof -t nat -m limit --limit 1/s --limit-burst 4 $log "IPTABLES DROP SPOOF: "
  ipt -A spoof -t nat -j DROP
  # Local IP address.
  ### PRENAText -s $IPADDR -j spoof
  # Private networks.
  PRENAText -s 192.168.0.0/16 -j spoof
  PRENAText -s 172.16.0.0/12 -j spoof
  PRENAText -s 10.0.0.0/8 -j spoof
  # To loopback
  PRENAText -d 127.0.0.0/8 -j spoof
}

filter_state () {
  ## Make sure NEW tcp connections are SYN packets. IMPORTANT!
  INPUText -p tcp ! --syn -m state --state NEW -j DROP

  ## RELATED connections are ok for tcp, udp and icmp
  # this covers ftp, dns, ntp, ping, traceroute, etc.
  # (given suitable ip_conntrack modules)
  INPUText -p tcp  -m state --state ESTABLISHED,RELATED -j ACCEPT
  INPUText -p udp  -m state --state ESTABLISHED,RELATED -j ACCEPT
  INPUText -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
}

filter_attacks () {
  # Removed commented code from CVS release 1.25,
  # Re: SYN-Flooding Protection, PortScanner Protection,
  # Ping of Death attempts and Fragments.
}

define_TCP_in () {
  ipt -N tcpinok
  ipt -A tcpinok -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  ipt -A tcpinok $log "IPTABLES DROP TCPINOK: "
  ipt -A tcpinok -j DROP
}

## ---------- Allowed ports ----------

allowed_ports () {
  NETBIOS="137:139"
  ICQTCP=4090:4092
  OPEN_SERVICES=(
    20:22       # FTP & SSH
    25 993      # SMTP IMAP-ssl
    79:80 443   # finger & WWW
    113 9999    # auth identtest
    3136 # grubclient distributed web crawler
  )
  for port in $OPEN_SERVICES ; do
    INPUText -p tcp --dport $port -j tcpinok
  done

  ### INPUText -p tcp --dport 113 -j REJECT --reject-with tcp-reset

  ## IRC probe
  INPUText -p tcp --dport 1080 $log "IPTABLES REJECT TCP-1080: "
  INPUText -p tcp --dport 1080 -j REJECT --reject-with tcp-reset

  ## ICQ direct transfers
  ### INPUText -p tcp --dport $ICQTCP -j tcpinok

  ## Realplayer (udp 7170-7179)
  ### INPUText -p udp --dport 7170:7179 -j ACCEPT

  ## NETBIOS don't even log
  INPUText -p tcp --dport $NETBIOS -j DROP
  INPUText -p udp --dport $NETBIOS -j DROP

  ## NETBIOS block outgoing
  OUTPUText -p tcp --dport $NETBIOS -j DROP
  OUTPUText -p udp --dport $NETBIOS -j DROP

  ## block vega's drug chat rooms.
  TCP_OUTGOING_BLOCKED=(
#    ## chat.yahoo.com
#    204.71.200.89
#    204.71.200.95
  )
  for i in $TCP_OUTGOING_BLOCKED ; do
    OUTPUText -p tcp -d $i -j DROP
  done
}

logging () { ## ---------- Logging ----------
  # tcp
  INPUText -p tcp $log "IPTABLES DROP TCP-IN: "
  INPUText -p tcp -j DROP
  # OUTPUText -p tcp $log "IPTABLES DROP TCP-OUT: "
  OUTPUText -p tcp -j ACCEPT

  # udp
  INPUText -p udp $log "IPTABLES DROP UDP-IN: "
  INPUText -p udp -j DROP
  # OUTPUText -p udp $log "IPTABLES DROP UDP-OUT: "
  OUTPUText -p udp -j ACCEPT

  # Limit pings to prevent pingfloods
  # rule made by tril
  INPUText -p icmp -m limit --limit 10/second -j ACCEPT
  INPUText -p icmp -m limit --limit 3/minute -j LOG --log-prefix 'pingflood: '
  INPUText -p icmp -j DROP
  OUTPUText -p icmp -j ACCEPT

  # other
  INPUText $log "IPTABLES DROP IN: "
  INPUText -j DROP
  OUTPUText $log "IPTABLES DROP OUT: "
  OUTPUText -j DROP
}

install_firewall () {
  environment
  load_modules
  drop_packets
  clear_tables
  configure_kernel
  debug_rules
  allow_loopback
  allow_LAN
  masquerade
  filter_crap
  filter_spoofing
  filter_state
  filter_attacks
  define_TCP_in
  allowed_ports
  logging
}

# See how we were called.
logger -t firewall "$*" '(prcs $ProjectHeader: Scripts 0.104 Fri, 11 Feb 2005 07:13:35 +0100 basile $ $Id: firewall_iptable_hector 1.14 Thu, 02 Sep 2004 18:59:05 +0200 basile $)'
case "$1" in
  start|)
	echo -n "Installing firewall: ..."
	install_firewall
	echo " done."
	;;
  stop)
	echo -n "Closing down firewall: "
	echo NOT IMPLEMENTED YET
	;;
  status)
	echo -n "IP forwarding is: "
	cat /proc/sys/net/ipv4/ip_forward
	echo "IP tables configuration:"
	# /proc/net/ip_tables_names exists once ip_tables is loaded
	# (ip_fwchains was the ipchains-era file)
	if [ -f /proc/net/ip_tables_names ]; then
		iptables -L -n
	fi
	;;
  nop)
	;;
  test)
	environment
	ifcfg2IP $PPPDEV inet.addr
	;;
  restart)
	$0 start
	;;
  *)
	echo "Usage: firewall {start|stop|status|restart}"
	exit 1
esac

: exit 0
#eof $Id: firewall_iptable_hector 1.14 Thu, 02 Sep 2004 18:59:05 +0200 basile $

----

Basile STARYNKEVITCH

Member of APRIL "promote and defend free software" - join APRIL too!

Free software project: RefPerSys

Posted on Friday 21 April 2006 11:21:46
Re: Routing between 2 LANs
Posted by: Tchesmeli Serge

Hello,

Apparently you must just be missing forwarding:

 echo "1" > /proc/sys/net/ipv4/ip_forward

And that should work :)

Tchesmeli Serge
French-language Slackware portal -> [slackfr.org]

Which is worse: ignorance or apathy? Don't know. Don't care.

(former founding president of lea-linux)

Posted on Friday 21 April 2006 16:37:32
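The fix Serge points to, together with the forwarding rules a router between two LANs should carry, as an added example that is not code from the thread or from either poster. It uses the interface names and addresses from the question (eth0 on 192.168.1.0/24, eth1 on 192.168.2.0/24); the rp_filter setting, the DRY_RUN switch and the function names are assumptions of this example. The point worth keeping in mind is that switching on ip_forward with the default FORWARD policy of ACCEPT makes the box forward every packet it receives, so the example pairs it with a FORWARD chain that accepts only traffic between the two known subnets and logs what it drops.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal two-LAN router for the
# topology in the question. Interface names and addresses are the ones given
# in the post; everything else here is assumed.
LAN1_DEV=eth0; LAN1_NET=192.168.1.0/24   # side of machine A (192.168.1.73)
LAN2_DEV=eth1; LAN2_NET=192.168.2.0/24   # side of machine B (192.168.2.40)

# Execute a command, or only print it when DRY_RUN=1 so the rule set can be
# reviewed before it touches a live router.
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# Step 1: the kernel must forward between interfaces (the fix the thread found).
enable_forwarding() {
  run sysctl -w net.ipv4.ip_forward=1
  # Drop packets whose source address does not belong on the interface they
  # arrived on (the reply would have to leave by another interface).
  run sysctl -w net.ipv4.conf.all.rp_filter=1
}

# Step 2: with ip_forward=1 and a default FORWARD policy of ACCEPT the box
# forwards anything; restrict forwarding to the two known subnets instead.
forward_rules() {
  run iptables -P FORWARD DROP
  run iptables -F FORWARD
  run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  run iptables -A FORWARD -i "$LAN1_DEV" -o "$LAN2_DEV" -s "$LAN1_NET" -d "$LAN2_NET" -j ACCEPT
  run iptables -A FORWARD -i "$LAN2_DEV" -o "$LAN1_DEV" -s "$LAN2_NET" -d "$LAN1_NET" -j ACCEPT
  run iptables -A FORWARD -m limit --limit 3/minute -j LOG --log-prefix "FORWARD DROP: "
}

# Print the whole plan without executing anything (subshell keeps DRY_RUN local).
plan() {
  ( DRY_RUN=1; enable_forwarding; forward_rules )
}

# Quick checks on the plan: forwarding is switched on, and the ACCEPT rules are
# exactly the state rule plus one rule per direction between the two LANs.
plan_enables_forwarding() {
  plan | grep -c 'net.ipv4.ip_forward=1'
}
plan_accept_rules() {
  plan | grep -c -- "-j ACCEPT"
}

# Current state of the router: the first thing to look at when both hosts reach
# the router but not each other.
forwarding_status() {
  if [ -r /proc/sys/net/ipv4/ip_forward ]; then
    cat /proc/sys/net/ipv4/ip_forward
  else
    echo "n/a"
  fi
}

case "${1:-}" in
  apply)  enable_forwarding; forward_rules ;;
  plan)   plan ;;
  status) echo "ip_forward=$(forwarding_status)" ;;
esac
```

`sh router.sh plan` prints the commands, `sh router.sh status` shows the current ip_forward flag, and `sh router.sh apply` runs the commands as root. Since both hosts in the thread already reach the router's far-side address, their routes to the other subnet via the router (192.168.1.107 for A, 192.168.2.107 for B) are in place and forwarding is the only missing piece; if a host could not reach the far-side address, its own route would be the first thing to check.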
Re: Routing between 2 LANs
Posted by: coulou59

Quote
Tchesmeli Serge
Hello,

Apparently you must just be missing forwarding:

echo "1" > /proc/sys/net/ipv4/ip_forward

And that should work :)

Tchesmeli Serge
French-language Slackware portal ->

Which is worse: ignorance or apathy? Don't know. Don't care.

(former founding president of lea-linux)

Hello,

Indeed, that's what I was missing ;)
Thanks! ;-)

Posted on Monday 24 April 2006 08:34:35


 


Unless otherwise stated, the published documentation is under a Creative Commons licence.