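#!/bin/bash
#
# Gateway firewall / NAT rule loader.
#
# Topology as far as this file shows it: ppp0 is the Internet uplink, eth2 is
# the DMZ/server segment (172.16.1.0/24), eth0 the classroom segment
# (192.168.2.0/24) and eth1 a "COM" segment (10.0.0.0/8). The script must run
# as root: it flushes the filter and nat tables, reloads every rule and only
# then (re-)enables IPv4 forwarding.
#
# NOTE(review): the filter table is left wide open (INPUT/OUTPUT/FORWARD are
# all ACCEPT) and all access control is implemented with DROP policies in the
# *nat* table. The nat table only sees the first packet of each connection and
# packets conntrack classifies as INVALID bypass it, so it is a fragile place
# to enforce policy; iptables-nft/nftables may also refuse a non-ACCEPT policy
# on a nat chain (check `iptables -t nat -L -n` after a load). Moving the
# access rules into the filter table with a DROP default is the proper fix,
# but it changes rule ordering everywhere, so it is only flagged here.
# NOTE(review): ip6tables is never touched; if IPv6 is enabled on any of
# these interfaces, IPv6 traffic is not filtered at all.
# NOTE(review): -I and -A are mixed freely, so the effective order of each
# chain is: all -I rules (last inserted first), then all -A rules in file
# order. The per-host accepts at the very end of this file are therefore at
# the TOP of PREROUTING and override every time-based rule.
#
# Fail closed: abort on the first failing command (-e) or unset variable (-u).
# Forwarding is re-enabled only at the end, so a partially loaded ruleset
# leaves the gateway not forwarding rather than forwarding with holes.
set -eu

# Cosmetic only; `clear` fails without a terminal and must not abort the load.
clear 2>/dev/null || true
echo "############################## Firewall Rules ###################################"
# Forwarding is switched off while the tables are flushed and rebuilt; it is
# switched back on at the very end once every rule is in place.
echo 0 > /proc/sys/net/ipv4/ip_forward
echo "Initializing rules"
# Clear all rules. Only the filter and nat tables are flushed; user-defined
# chains (-X), the mangle/raw tables and ip6tables are left as they are.
iptables -F
iptables -t nat -F
# Apply basic policies
# NOTE(review): with ACCEPT policies here, nothing in this file restricts
# traffic to/from the gateway itself; FORWARD accepts whatever the nat table
# let through.
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
# Block all entry and exit: any new connection that no nat rule below accepts
# is dropped by these policies (see the header for the limits of this design).
iptables -t nat -P PREROUTING DROP
iptables -t nat -P POSTROUTING DROP
# Loopback is always allowed
echo "Internal traffic"
iptables -t nat -I POSTROUTING -o lo -j ACCEPT
iptables -t nat -I PREROUTING -i lo -j ACCEPT
# Network card definitions
WEB="ppp0"   # Internet uplink
DMZ="eth2"   # DMZ / server segment, 172.16.1.0/24
COM="eth1"   # "COM" segment, 10.0.0.0/8
STA="eth0"   # classroom segment, 192.168.2.0/24
PPP="ppp0"   # same interface as WEB; not referenced by any rule below
# IP network definitions
NET_COM="10.0.0.0/8"   # not referenced by any rule below
NET_STA="192.168.2.0/24"
NET_DMZ="172.16.1.0/24"
# Server definitions for external connection to servers
# (REMOTE, DC, YONI and WIFI are not referenced by any rule below and are kept
# only so that nothing that may source this file loses them.)
REMOTE="192.168.2.8:81"
FICS="172.16.1.6/32"
EXC="172.16.1.3/32"
DC="172.16.1.1/32"
MAIL="172.16.1.3:25"
HTTP="172.16.1.4:80"
EMULE="172.16.1.4:5555"
RDP="172.16.1.4:3389"
PPTP="172.16.1.1"
VUE="192.168.2.8/32"
MAILWEB="172.16.1.3/32"
LINUX2="172.16.1.7/32"
LINUX="192.168.2.5/32"
YONI="192.168.2.62/32"
WIFI="192.168.2.7/32"
# Common Rules
# ====================== >>>> Masquerade all networks to the internet
echo "Applying common rules"
# Classroom -> DMZ traffic is masqueraded, so DMZ servers log the gateway's
# address instead of the real classroom client. NOTE(review): this loses
# per-client attribution in DMZ server logs; a plain ACCEPT would keep it if
# the DMZ hosts route 192.168.2.0/24 back through this gateway.
iptables -t nat -I POSTROUTING -s $NET_STA -d $NET_DMZ -j MASQUERADE
# Squid must always go out to internal clients
iptables -t nat -I POSTROUTING -p tcp --sport 3128 -d $NET_STA -j ACCEPT
# All outgoing traffic to the Internet and to the COM segment is masqueraded
iptables -t nat -I POSTROUTING -o $WEB -j MASQUERADE
iptables -t nat -I POSTROUTING -o $COM -j MASQUERADE
# NOTE(review): these two DROP rules are dead. They are appended (-A) below the
# unconditional `-o $COM -j MASQUERADE` inserted just above, and MASQUERADE is
# a terminating target, so classroom and DMZ traffic towards COM is in fact
# masqueraded and allowed. If the intent is to block it, these must be inserted
# ahead of the MASQUERADE rule; left untouched here because the intent is
# not clear from the file.
iptables -t nat -A POSTROUTING -s $NET_STA -o $COM -j DROP
iptables -t nat -A POSTROUTING -s $NET_DMZ -o $COM -j DROP
# Filter-table state rules. With ACCEPT policies on INPUT/OUTPUT these are
# effectively no-ops; they would only matter if the policies were tightened
# (and would then also need RELATED).
iptables -I INPUT -i $WEB -m state --state ESTABLISHED -j ACCEPT
iptables -I OUTPUT -m state --state ESTABLISHED -j ACCEPT
iptables -I INPUT -i $COM -m state --state ESTABLISHED -j ACCEPT
# Allow standard internal routing
# ====================== >>>> DHCP
echo "Allowing DHCP traffic"
# Not limited to an interface; DHCP relayed in over ppp0 would match too.
iptables -t nat -A PREROUTING -p udp --dport 67:68 -j ACCEPT
iptables -t nat -A POSTROUTING -p udp --sport 67:68 -j ACCEPT
echo "Local DNS to SRV-DC"
# The domain controller (172.16.1.1) is the only DNS server reachable through
# these common rules; the classroom rules further down allow UDP/53 anywhere.
iptables -t nat -A PREROUTING -p udp --sport 53 -i $DMZ -s "172.16.1.1/32" -j ACCEPT
iptables -t nat -A POSTROUTING -p udp --dport 53 -o $DMZ -d "172.16.1.1/32" -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --sport 53 -i $DMZ -s "172.16.1.1/32" -j ACCEPT
iptables -t nat -A POSTROUTING -p tcp --dport 53 -o $DMZ -d "172.16.1.1/32" -j ACCEPT
# Network access rules
# 1 --> DMZ
echo "====================== >>>> Rules for commercial machines"
echo "Daytime rules"
echo "Access based on time"
# NOTE(review): `--days` is the legacy ipt_time syntax; current xt_time uses
# `--weekdays`. Under `set -e` an unsupported option aborts the load instead of
# silently dropping the time restriction, which is the intended fail-closed
# behaviour. Note also that TCP/443 (L93 below) and UDP/53 are accepted at
# all hours, so the daytime port list only restricts the other services.
# `--dports` is used rather than `--ports`: `--ports` matches when EITHER the
# source or the destination port is in the list, which would let any DMZ host
# reach an arbitrary port simply by choosing e.g. source port 80.
iptables -t nat -I PREROUTING -i $DMZ -m time --timestart 08:45 --timestop 17:45 \
--days Mon,Tue,Wed,Thu,Fri -p tcp -m multiport --dports 20,21,80,3128,1863,110,119,25,8080,9000 -j ACCEPT
echo "Nighttime rules"
# Outside office hours every TCP destination is open for DMZ machines.
iptables -t nat -I PREROUTING -i $DMZ -m time --timestart 17:46 --timestop 23:59 \
--days Mon,Tue,Wed,Thu -p tcp -j ACCEPT
iptables -t nat -I PREROUTING -i $DMZ -m time --timestart 00:00 --timestop 08:44 \
--days Mon,Tue,Wed,Thu,Fri -p tcp -j ACCEPT
# No limits on weekends
echo "No limits on weekends"
iptables -t nat -I PREROUTING -i $DMZ -m time --timestart 17:46 --timestop 23:59 \
--days Fri -p tcp -j ACCEPT
iptables -t nat -I PREROUTING -i $DMZ -m time --timestart 00:00 --timestop 23:59 \
--days Sat,Sun -p tcp -j ACCEPT
# DNS from the DMZ to any resolver, at any time.
iptables -t nat -I PREROUTING -i $DMZ -p udp --dport 53 -j ACCEPT
#====>>>>> Transparent proxy for commercial users
iptables -t nat -I PREROUTING -p tcp -i $DMZ --dport 80 -j REDIRECT --to-port 3128
# HTTPS is not proxied and not subject to the time windows above.
iptables -t nat -A PREROUTING -p tcp -i $DMZ --dport 443 -j ACCEPT
# iptables -t nat -A PREROUTING -p tcp -i $DMZ --dport 443 -j REDIRECT --to-port 3128
echo "====================== >>>> Rules for classrooms"
# 2 --> Classroom <-> DMZ
# A - FICS2
echo " Classroom -> SRV-FICS2"
# No `-i` here: any TCP towards FICS is accepted regardless of ingress interface.
iptables -t nat -A PREROUTING -p tcp -d $FICS -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 80 -d $MAILWEB -j ACCEPT
iptables -t nat -A POSTROUTING -s $NET_DMZ -d $NET_STA -j ACCEPT
# 3 --> Classroom <-> Internet
# A - HTTP
echo " Classroom -> Internet with Squid"
iptables -t nat -A PREROUTING -p tcp -i $STA --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -p tcp -i $STA --dport 443 -j ACCEPT
# C - DNS
iptables -t nat -A PREROUTING -p udp -i $STA --dport 53 -j ACCEPT
# iptables -t nat -A PREROUTING -p tcp -i $STA --dport 53 -j ACCEPT
echo "====================== >>>> Rules for Internet to internal network"
# 5 --> Internet <--> DMZ
# Every published service below is DNAT'ed and then MASQUERADE'd towards the
# DMZ host, so the DMZ servers see the gateway as the client for all Internet
# traffic (no client IPs in their logs).
# A - SMTP
echo " SMTP"
iptables -t nat -I PREROUTING -i $WEB -p tcp --dport 25 -j DNAT --to-destination $MAIL
iptables -t nat -I POSTROUTING -o $DMZ -d $EXC -p tcp --dport 25 -j ACCEPT
# B - WEB
echo " WEB"
iptables -t nat -A PREROUTING -i $WEB -p tcp --dport 80 -j DNAT --to-destination $HTTP
iptables -t nat -A POSTROUTING -o $DMZ -d "172.16.1.4/32" -p tcp --dport 80 -j MASQUERADE
# B' - EMULE
# NOTE(review): a peer-to-peer client port published from the Internet into
# the DMZ web server; worth confirming this is still wanted.
iptables -t nat -A PREROUTING -i $WEB -p tcp --dport 5555 -j DNAT --to-destination $EMULE
iptables -t nat -A POSTROUTING -o $DMZ -d "172.16.1.4/32" -p tcp --dport 5555 -j MASQUERADE
# The UDP half previously DNAT'ed to $HTTP (172.16.1.4:80), i.e. rewrote the
# port to 80 so the UDP/5555 MASQUERADE rule below never matched; presumably a
# copy-paste slip, so it now targets $EMULE like the TCP rule.
iptables -t nat -A PREROUTING -i $WEB -p udp --dport 5555 -j DNAT --to-destination $EMULE
iptables -t nat -A POSTROUTING -o $DMZ -d "172.16.1.4/32" -p udp --dport 5555 -j MASQUERADE
# C - PPTP
echo " PPTP"
# NOTE(review): PPTP (GRE + TCP/1723) is published to the whole Internet;
# PPTP's authentication (MS-CHAPv2) is widely considered broken, so a modern
# VPN in front of the DC would be a better entry point.
iptables -t nat -A PREROUTING -i $WEB -p 47 -j DNAT --to-destination $PPTP
iptables -t nat -A POSTROUTING -o $DMZ -p 47 -j MASQUERADE
iptables -t nat -A PREROUTING -i $WEB -p tcp --dport 1723 -j DNAT --to-destination $PPTP
iptables -t nat -A POSTROUTING -o $DMZ -p tcp --dport 1723 -j MASQUERADE
# D - SSH, for DMZ machines only (there is no DNAT from the Internet here
# despite the banner text). The rule is tied to the DMZ interface so a
# packet with a forged 172.16.1.x source arriving on another interface
# no longer matches.
echo " SSH from Internet"
iptables -t nat -A PREROUTING -i $DMZ -s 172.16.1.0/24 -p tcp --dport 22 -j ACCEPT
# E - FTP
echo " FTP IS DISABLED!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
#iptables -t nat -A PREROUTING -i $WEB -p tcp --dport 20 -j DNAT --to-destination "172.16.1.4:20"
#iptables -t nat -A PREROUTING -i $WEB -p tcp --dport 21 -j DNAT --to-destination "172.16.1.4:21"
#iptables -t nat -A POSTROUTING -o $DMZ -d "172.16.1.4/32" -p tcp --dport 21 -j MASQUERADE
#iptables -t nat -A POSTROUTING -o $DMZ -d "172.16.1.4/32" -p tcp --dport 20 -j MASQUERADE
# F - RDP
echo " RDP"
# NOTE(review): RDP on the web server is exposed to every Internet address.
# If it must stay, restrict the source (`-s <admin range>`) or reach it over
# the VPN instead.
iptables -t nat -A PREROUTING -i $WEB -p tcp --dport 3389 -j DNAT --to-destination $RDP
iptables -t nat -A POSTROUTING -o $DMZ -d "172.16.1.4/32" -p tcp --dport 3389 -j MASQUERADE
# G - SNMP
echo " SNMP"
# NOTE(review): SNMP is accepted from any source to any destination on any
# outgoing interface, including ppp0. Limit it to the management station
# and the DMZ interface if SNMP is only used internally.
iptables -t nat -A POSTROUTING -p tcp --dport 161 -j ACCEPT
iptables -t nat -A POSTROUTING -p udp --dport 161 -j ACCEPT
iptables -t nat -A POSTROUTING -p udp --dport 162 -j ACCEPT
# 6 --> Access by MAC address
# NOTE(review): MAC addresses are trivially spoofable on the local segment;
# these rules identify a machine, not a person. They are all inserted (-I),
# so they sit above every time-based rule. Rules without `-s` match the MAC
# on any interface and any source address.
echo "====================== >>>> Special rules for internal users"
echo " Yoni"
# A - Yoni
iptables -t nat -I PREROUTING -m mac --mac-source '00:00:F0:82:58:AF' -j ACCEPT
iptables -t nat -I PREROUTING -m mac --mac-source '00:04:23:76:63:10' -j ACCEPT
# A' - OlivierG
iptables -t nat -I PREROUTING -s 192.168.2.69/32 -m mac --mac-source '00:0d:60:75:b8:75' -j ACCEPT
iptables -t nat -I PREROUTING -s 192.168.2.39/32 -m mac --mac-source '00:0C:F1:43:14:05' -j ACCEPT
# B - Olivier all
echo " OlivierC"
iptables -t nat -I PREROUTING -s 192.168.2.63/32 -m mac --mac-source '00:90:F5:1E:51:A1' -j ACCEPT
iptables -t nat -I PREROUTING -s 172.16.1.63/32 -m mac --mac-source '00:90:F5:1E:51:A1' -j ACCEPT
# Wifi Olivier
iptables -t nat -I PREROUTING -m mac --mac-source '00:A0:C5:B1:DD:15' -j ACCEPT
# C - Steeve all
echo " Steeve"
# The second rule (MAC only) already covers the first.
iptables -t nat -I PREROUTING -s 192.168.2.64/32 -m mac --mac-source '00:08:02:04:fa:d7' -j ACCEPT
iptables -t nat -I PREROUTING -m mac --mac-source '00:08:02:04:fa:d7' -j ACCEPT
# D - Portable Compaq
# Laptops get mail/news/HTTPS, DNS and the DMZ. `--dports` (not `--ports`):
# the list is a set of destination services, not source ports.
echo " Portable Compaq"
iptables -t nat -I PREROUTING -s 192.168.2.65/32 -m mac --mac-source '00:50:8B:FA:B9:5B' \
-p tcp -m multiport --dports 443,110,25,119 -j ACCEPT
iptables -t nat -I PREROUTING -s 192.168.2.65/32 -m mac --mac-source '00:50:8B:FA:B9:5B' \
-p udp --dport 53 -j ACCEPT
iptables -t nat -I PREROUTING -s 192.168.2.65/32 -m mac --mac-source '00:50:8B:FA:B9:5B' \
-d $NET_DMZ -j ACCEPT
# D' Portable Toshiba
echo " Portable Toshiba"
iptables -t nat -I PREROUTING -s 192.168.2.67/32 -m mac --mac-source '00:01:02:E7:36:E3' \
-p tcp -m multiport --dports 443,110,25,119 -j ACCEPT
iptables -t nat -I PREROUTING -s 192.168.2.67/32 -m mac --mac-source '00:01:02:E7:36:E3' \
-p udp --dport 53 -j ACCEPT
iptables -t nat -I PREROUTING -s 192.168.2.67/32 -m mac --mac-source '00:01:02:E7:36:E3' \
-d $NET_DMZ -j ACCEPT
# E - VUE Server
echo " VUE Server"
iptables -t nat -I PREROUTING -s $VUE -m mac --mac-source '00:0c:6e:c5:42:6c' -j ACCEPT
iptables -t nat -I PREROUTING -i $DMZ -d $VUE -j ACCEPT
# F- Linux Server Ground Floor
echo " Linux Server"
iptables -t nat -I PREROUTING -i $DMZ -d $LINUX -j ACCEPT
# F - Quentin Laptop
echo " Quentin"
# 192.168.2.65 is also the Compaq laptop's address above; the MAC match is
# what tells the two apart.
iptables -t nat -I PREROUTING -s 172.16.1.65/32 -m mac --mac-source '00:0b:db:a1:c2:a5' -j ACCEPT
iptables -t nat -I PREROUTING -s 192.168.2.65/32 -m mac --mac-source '00:0b:db:a1:c2:a5' -j ACCEPT
iptables -t nat -I PREROUTING -s 192.168.2.65/32 -m mac --mac-source '00:a0:c5:b1:da:f8' -j ACCEPT
# F - Eva Laptop
echo " Eva is grounded"
#iptables -t nat -I PREROUTING -m mac --mac-source '00:02:3f:13:bb:21' -j ACCEPT
# G - Lionel Laptop
echo " Lionel"
iptables -t nat -I PREROUTING \
-m mac --mac-source '00:0D:60:2C:12:95' -j ACCEPT
# H - WIFI ROUTER
echo " WIFI ROUTER"
# Everything behind the WiFi router is accepted on the strength of the
# router's MAC alone.
iptables -t nat -I PREROUTING \
-m mac --mac-source '00:0F:66:33:20:12' -j ACCEPT
# Unconditional per-host accepts. Being inserted last, these are the first
# rules of PREROUTING and bypass every restriction above. Each is now tied to
# the interface its subnet lives on so the source address cannot simply be
# forged from another segment (anti-spoofing).
iptables -t nat -I PREROUTING -i $STA -s $LINUX -j ACCEPT
iptables -t nat -I PREROUTING -i $DMZ -s $LINUX2 -j ACCEPT
iptables -t nat -I PREROUTING -i $DMZ -s 172.16.1.1/32 -j ACCEPT
iptables -t nat -I PREROUTING -i $DMZ -s 172.16.1.2/32 -j ACCEPT
iptables -t nat -I PREROUTING -i $DMZ -s 172.16.1.3/32 -j ACCEPT
iptables -t nat -I PREROUTING -i $DMZ -s 172.16.1.4/32 -j ACCEPT
iptables -t nat -I PREROUTING -i $DMZ -s 172.16.1.5/32 -j ACCEPT
iptables -t nat -I PREROUTING -i $STA -s 192.168.2.95/32 -j ACCEPT
# Enable routing only now that the complete ruleset is loaded.
echo 1 > /proc/sys/net/ipv4/ip_forward
echo "############################## END ===> Firewall Rules ###################################"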