
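#!/bin/sh
################################################################################
## This [<vannath.com.kh>] FireRules
## Author: Vannath KANN SNA211C_032
## Date: Thursday, February 10, 2011
## Time: 7:49:23 AM
##
## SUSE-style init script that loads, flushes or prints the iptables policy of
## a three-legged firewall: server LAN ($SERVER_IF), client LAN ($CLIENT_IF)
## and external link ($EXT_IF). Default policy is DROP on all filter chains.
##
## Usage: $0 {start|restart|reload|stop|status}
##
## Reply-direction rules use "-m state --state ESTABLISHED,RELATED" instead of
## a bare --sport match: a --sport-only accept lets any peer that picks that
## source port reach every local/forwarded port. DHCP rules stay stateless
## because DHCP offers are sent to broadcast and never match a conntrack entry.
################################################################################
. /etc/rc.status
rc_reset

# Interfaces and addresses: edit these, never the rules below.
SERVER_IF=eth1
CLIENT_IF=eth2
EXT_IF=eth3
SERVER_IP=192.168.10.1
CLIENT_IP=192.168.20.1
EXT_IP=172.16.1.212
DHCP_IP=192.168.10.3
DHCP_CLIENT_IP=192.168.20.0/24
DNS_IP=192.168.10.2
CIST_DNS=192.168.2.2-192.168.2.3

# Remove every rule and user-defined chain from the filter and nat tables.
flush_rules() {
  iptables -F
  iptables -X
  iptables -t nat -F
}

# Set the default policy of INPUT, OUTPUT and FORWARD to $1 (DROP or ACCEPT).
set_policy() {
  iptables -P INPUT "$1"
  iptables -P OUTPUT "$1"
  iptables -P FORWARD "$1"
}

case "$1" in
  start|restart|reload)
    echo "Starting up Firewall"
    flush_rules
    # Default-deny: anything not explicitly accepted below is dropped.
    set_policy DROP
    # Enable routing between the three legs plus basic kernel hardening.
    echo 1 > /proc/sys/net/ipv4/ip_forward
    echo 1 > /proc/sys/net/ipv4/tcp_syncookies
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
    echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
    # Loopback is always allowed.
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT

    # ICMP (ping)
    #---------------------------------------------------------------------------
    ####< LAN server may ping the firewall >####
    iptables -A INPUT -i "$SERVER_IF" -p icmp -d "$SERVER_IP" -j ACCEPT
    iptables -A OUTPUT -o "$SERVER_IF" -p icmp -s "$SERVER_IP" -j ACCEPT
    ####< LAN client may ping the firewall >####
    iptables -A INPUT -i "$CLIENT_IF" -p icmp -d "$CLIENT_IP" -j ACCEPT
    iptables -A OUTPUT -o "$CLIENT_IF" -p icmp -s "$CLIENT_IP" -j ACCEPT
    ####< LAN client and LAN server may ping each other >####
    iptables -A FORWARD -i "$CLIENT_IF" -o "$SERVER_IF" -p icmp -j ACCEPT
    iptables -A FORWARD -i "$SERVER_IF" -o "$CLIENT_IF" -p icmp -j ACCEPT
    ####< LAN server may ping the Internet; only replies are let back in >####
    iptables -A FORWARD -i "$SERVER_IF" -o "$EXT_IF" -p icmp -j ACCEPT
    iptables -A FORWARD -i "$EXT_IF" -o "$SERVER_IF" -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
    ####< LAN client may ping the Internet; only replies are let back in >####
    iptables -A FORWARD -i "$CLIENT_IF" -o "$EXT_IF" -p icmp -j ACCEPT
    iptables -A FORWARD -i "$EXT_IF" -o "$CLIENT_IF" -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
    #---------------------------------------------------------------------------

    # Source NAT
    # NOTE(review): masquerading towards $SERVER_IF makes every client appear
    # as $SERVER_IP to the servers (AD/Samba/DNS logs lose the client address)
    # -- confirm this is intended before keeping the first rule.
    iptables -t nat -A POSTROUTING -o "$SERVER_IF" -j MASQUERADE
    iptables -t nat -A POSTROUTING -o "$EXT_IF" -j MASQUERADE

    # DHCP relay: clients on $CLIENT_IF reach the DHCP server on $SERVER_IF
    # through the relay running on this host. Kept stateless on purpose (see
    # header): replies to broadcast discovers have no conntrack entry.
    #---------------------------------------------------------------------------
    #####< Relay on this host talks to the DHCP server >####
    iptables -A OUTPUT -o "$SERVER_IF" -p udp --dport 67 -s "$SERVER_IP" -d "$DHCP_IP" -j ACCEPT
    iptables -A INPUT -i "$SERVER_IF" -p udp --sport 67 -d "$SERVER_IP" -s "$DHCP_IP" -j ACCEPT
    #####< Clients talk to the relay >####
    iptables -A INPUT -i "$CLIENT_IF" -p udp --dport 67 -d "$CLIENT_IP" -j ACCEPT
    iptables -A OUTPUT -o "$CLIENT_IF" -p udp --sport 67 -s "$CLIENT_IP" -j ACCEPT
    #---------------------------------------------------------------------------

    # Clients on the client LAN may SSH to the firewall.
    iptables -A INPUT -i "$CLIENT_IF" -p tcp --dport 22 -d "$CLIENT_IP" -s "$DHCP_CLIENT_IP" -j ACCEPT
    iptables -A OUTPUT -o "$CLIENT_IF" -p tcp --sport 22 -s "$CLIENT_IP" -d "$DHCP_CLIENT_IP" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Clients may join the Active Directory domain on the server LAN.
    iptables -A FORWARD -i "$CLIENT_IF" -o "$SERVER_IF" -p tcp -m multiport --dports 53,135,88,445,389,1025,1026 -j ACCEPT
    iptables -A FORWARD -i "$SERVER_IF" -o "$CLIENT_IF" -p tcp -m multiport --sports 53,135,88,445,389,1025,1026 -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -i "$CLIENT_IF" -o "$SERVER_IF" -p udp -m multiport --dports 53,135,88,445,389,1025,1026 -j ACCEPT
    iptables -A FORWARD -i "$SERVER_IF" -o "$CLIENT_IF" -p udp -m multiport --sports 53,135,88,445,389,1025,1026 -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Samba file sharing from clients to the server LAN.
    iptables -A FORWARD -i "$CLIENT_IF" -o "$SERVER_IF" -p tcp -m multiport --dports 135,137,138,139,445 -j ACCEPT
    iptables -A FORWARD -i "$SERVER_IF" -o "$CLIENT_IF" -p tcp -m multiport --sports 135,137,138,139,445 -m state --state ESTABLISHED,RELATED -j ACCEPT

    # DNS: local DNS server forwards queries upstream.
    #---------------------------------------------------------------------------
    ####< Local DNS server forwards to CIST DNS (disabled; kept for reference) >#####
    # iptables -A FORWARD -i "$SERVER_IF" -o "$EXT_IF" -p udp --dport 53 -s "$DNS_IP" -m iprange --dst-range "$CIST_DNS" -j ACCEPT
    # iptables -A FORWARD -i "$EXT_IF" -o "$SERVER_IF" -p udp --sport 53 -d "$DNS_IP" -m iprange --src-range "$CIST_DNS" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # iptables -A FORWARD -i "$SERVER_IF" -o "$EXT_IF" -p tcp --dport 53 -s "$DNS_IP" -m iprange --dst-range "$CIST_DNS" -j ACCEPT
    # iptables -A FORWARD -i "$EXT_IF" -o "$SERVER_IF" -p tcp --sport 53 -d "$DNS_IP" -m iprange --src-range "$CIST_DNS" -m state --state ESTABLISHED,RELATED -j ACCEPT
    ###< Local DNS server forwards to any Internet DNS >#####
    iptables -A FORWARD -i "$SERVER_IF" -o "$EXT_IF" -p udp --dport 53 -s "$DNS_IP" -j ACCEPT
    iptables -A FORWARD -i "$EXT_IF" -o "$SERVER_IF" -p udp --sport 53 -d "$DNS_IP" -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -i "$SERVER_IF" -o "$EXT_IF" -p tcp --dport 53 -s "$DNS_IP" -j ACCEPT
    iptables -A FORWARD -i "$EXT_IF" -o "$SERVER_IF" -p tcp --sport 53 -d "$DNS_IP" -m state --state ESTABLISHED,RELATED -j ACCEPT
    #---------------------------------------------------------------------------

    ####< Clients may browse the Internet over HTTP >####
    iptables -A FORWARD -i "$CLIENT_IF" -o "$EXT_IF" -p tcp --dport 80 -j ACCEPT
    iptables -A FORWARD -i "$EXT_IF" -o "$CLIENT_IF" -p tcp --sport 80 -m state --state ESTABLISHED,RELATED -j ACCEPT
    #---------------------------------------------------------------------------
    rc_status -v
    ;;
  stop)
    echo "Shutting down Firewall"
    flush_rules
    # Open everything: the host is unprotected until "start" runs again.
    set_policy ACCEPT
    rc_status -v
    ;;
  status)
    echo ""
    echo "Corrent IPTable Rules in Filter Table"
    echo "*******************************************************************************"
    echo "_______________________________________________________________________________"
    iptables -vnL
    echo ""
    echo "_______________________________________________________________________________"
    echo ""
    echo "Corrent IPTable Rules in NAT Table"
    echo "+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++"
    echo "_______________________________________________________________________________"
    iptables -t nat -vnL
    echo ""
    echo "_______________________________________________________________________________"
    rc_status -v
    ;;
  *)
    echo "Usage is only: $0 {start|restart|reload|stop|status} OK !"
    exit 1
    ;;
esac
rc_exit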
