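#!/bin/bash
#------------------------------------------------------------------------------
# IPTABLES configuration for: Linux SUSE 10.0
#
# Two-NIC firewall (eth0 = LAN, eth1 = WAN) that:
#   - lets the LAN reach the Internet (masquerading, everything out);
#   - forwards inbound HTTPS to a remote-access server on the LAN ($SRV,
#     a Win 2003 remote-access server);
#   - accepts SSH/SFTP to the firewall itself (key/certificate authentication
#     is expected to be configured in sshd, not here);
#   - logs and then drops everything else that reaches INPUT or FORWARD.
#
# Must run as root. The filter policies are set to DROP *before* the tables
# are flushed, so the box is closed while the rules are rebuilt, and any rule
# that fails to load aborts the run (set -e) and leaves the box closed rather
# than half-open.
#------------------------------------------------------------------------------
set -eu

#--- Variables ----------------------------------------------------------------
INT_WAN=eth1
INT_LAN=eth0

ETH0=192.168.1.1          # firewall address on the LAN side
ETH1=192.168.0.12         # firewall address on the WAN side
LAN_NET=192.168.1.0/24    # network behind INT_LAN

# Unused below; kept as originally declared.
INT_WAN_IP=$ETH1
INT_LAN_IP=$ETH0
ROUTEUR_DIST=$ETH1

IPTABLES=/usr/sbin/iptables
DEPMOD=/sbin/depmod
MODPROBE=/sbin/modprobe

SRV=192.168.1.10          # remote-access server on the LAN

#--- Helpers ------------------------------------------------------------------
# Print a message on stderr and stop.
die() { printf '%s\n' "$*" >&2; exit 1; }

# Run one iptables command; a rule that cannot be loaded aborts the script
# (fail closed: policies are already DROP at that point).
ipt() { "$IPTABLES" "$@" || die "iptables failed: $*"; }

# Best-effort module load, with the same progress output as before. On a
# kernel with netfilter built in, modprobe has nothing to load and must not
# abort the run.
load_module() {
  printf '%s, ' "$1"
  "$MODPROBE" "$1" 2>/dev/null || printf '(%s not loaded) ' "$1" >&2
}

# Open one service on $SRV to the WAN (WAN -> LAN) plus its replies.
# $1 = protocol (tcp/udp), $2 = destination port on $SRV.
# Note: this only matches traffic already routed to $SRV, i.e. it takes
# effect together with a matching DNAT rule in the nat table.
forward_to_srv() {
  ipt -A FORWARD -i "$INT_WAN" -o "$INT_LAN" -d "$SRV" -p "$1" --dport "$2" \
    -m state --state ! INVALID -j ACCEPT
  ipt -A FORWARD -i "$INT_LAN" -o "$INT_WAN" -s "$SRV" -p "$1" --sport "$2" \
    -m state --state RELATED,ESTABLISHED -j ACCEPT
}

# Same for a port-less IP protocol number (GRE 47, ESP 50, AH 51).
forward_proto_to_srv() {
  ipt -A FORWARD -i "$INT_WAN" -o "$INT_LAN" -d "$SRV" -p "$1" \
    -m state --state ! INVALID -j ACCEPT
  ipt -A FORWARD -i "$INT_LAN" -o "$INT_WAN" -s "$SRV" -p "$1" \
    -m state --state RELATED,ESTABLISHED -j ACCEPT
}

#--- Kernel modules -----------------------------------------------------------
printf ' loading modules: '
# Make sure every module has its dependencies resolved before loading.
echo " - Verifying that all kernel modules are ok"
"$DEPMOD" -a || die "depmod failed"
echo "----------------------------------------------------------------------"
load_module ip_tables          # core of netfilter ("iptable")
load_module ip_conntrack       # stateful connection tracking
load_module ip_conntrack_ftp   # full FTP tracking
load_module iptable_nat        # general NAT code
load_module ip_nat_ftp         # FTP NAT helper, needed for non-PASV FTP
printf ' Done loading modules.\n\n'
echo "----------------------------------------------------------------------"

#--- Kernel settings ----------------------------------------------------------
# Forwarding is off by default; the firewall cannot route without it.
echo " Enabling forwarding.."
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "----------------------------------------------------------------------"
# For interfaces whose address is obtained dynamically (SLIP, PPP, DHCP).
echo " Enabling DynamicAddr.."
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

#=============================================================================
# Reset to clean tables
#=============================================================================
echo " Clearing any existing rules and setting default policy.."
# Close the filter table first, then flush. The previous order (policy
# ACCEPT, then flush, then DROP) left INPUT/OUTPUT/FORWARD wide open on the
# WAN for the whole time the rules were being reloaded.
ipt -t filter -P INPUT DROP
ipt -t filter -P OUTPUT DROP
ipt -t filter -P FORWARD DROP
for table in filter nat mangle; do
  ipt -t "$table" -F
  ipt -t "$table" -X
done
for chain in PREROUTING POSTROUTING OUTPUT; do
  ipt -t nat -P "$chain" ACCEPT
done
for chain in PREROUTING INPUT FORWARD OUTPUT POSTROUTING; do
  ipt -t mangle -P "$chain" ACCEPT
done

# Log-then-drop chains. They are created *after* "-X" above; previously they
# were created before the flush/-X and therefore deleted before ever being
# referenced. The limit keeps a flood from filling the logs.
ipt -t filter -N LOG_DROP_INPUT
ipt -t filter -A LOG_DROP_INPUT -m limit --limit 5/min \
  -j LOG --log-prefix '[iptables drop input ]:'
ipt -t filter -A LOG_DROP_INPUT -j DROP
ipt -t filter -N LOG_DROP_FORWARD
ipt -t filter -A LOG_DROP_FORWARD -m limit --limit 5/min \
  -j LOG --log-prefix '[iptables drop forward ]:'
ipt -t filter -A LOG_DROP_FORWARD -j DROP

#-----------------------------------------------------------------------------
# From here on only what is strictly needed is opened.
#-----------------------------------------------------------------------------
echo " Enabling COM sur lo et configuration Netfilter pour Firewall"
# Loopback.
ipt -A INPUT  -i lo -j ACCEPT
ipt -A OUTPUT -o lo -j ACCEPT
# The LAN is trusted: all traffic (ping included) between the firewall and it.
ipt -A INPUT  -i "$INT_LAN" -s "$LAN_NET" -d "$LAN_NET" -j ACCEPT
ipt -A OUTPUT -o "$INT_LAN" -s "$LAN_NET" -d "$LAN_NET" -j ACCEPT

# The firewall itself may initiate anything towards the WAN; only replies
# to those connections come back in. Anything else leaving the WAN side is
# logged before hitting the OUTPUT DROP policy.
ipt -A OUTPUT -o "$INT_WAN" -s "$ETH1" -m state --state ! INVALID -j ACCEPT
ipt -A OUTPUT -o "$INT_WAN" -s "$ETH1" -j LOG --log-prefix '[CONNECTION OUTPUT]:'
ipt -A INPUT  -i "$INT_WAN" -d "$ETH1" -m state --state RELATED,ESTABLISHED -j ACCEPT

# SSH/SFTP to the firewall itself from the WAN. The previous pair matched
# "--sport 22" on INPUT with no state check, which accepted any inbound
# packet whose *source* port was 22 instead of inbound SSH; replies are
# already covered by the ESTABLISHED rule above.
ipt -A INPUT -i "$INT_WAN" -d "$ETH1" -p tcp --dport 22 -m state --state NEW -j ACCEPT

#--- LAN <-> Internet ---------------------------------------------------------
# Everything out from the LAN; only replies back in.
ipt -A FORWARD -i "$INT_LAN" -o "$INT_WAN" -s "$LAN_NET" \
  -m state --state ! INVALID -j ACCEPT
ipt -A FORWARD -i "$INT_WAN" -o "$INT_LAN" -d "$LAN_NET" \
  -m state --state ESTABLISHED,RELATED -j ACCEPT

echo " Enabling SNAT (MASQUERADE) functionality on $INT_WAN"
ipt -t nat -A POSTROUTING -o "$INT_WAN" -s "$LAN_NET" -j MASQUERADE

#--- Remote access: redirection to $SRV via the WAN address -------------------
ipt -t nat -A PREROUTING -i "$INT_WAN" -p tcp --dport 443 -j DNAT --to-destination "$SRV:443"
# Disabled redirections, kept for reference (enable together with the
# matching forward_*_to_srv line below):
#ipt -t nat -A PREROUTING -i "$INT_WAN" -p tcp --dport 1723 -j DNAT --to-destination "$SRV:1723"
#ipt -t nat -A PREROUTING -i "$INT_WAN" -p tcp --dport 1701 -j DNAT --to-destination "$SRV:1701"
#ipt -t nat -A PREROUTING -i "$INT_WAN" -p udp --dport 1701 -j DNAT --to-destination "$SRV:1701"
#ipt -t nat -A PREROUTING -i "$INT_WAN" -p udp --dport 4500 -j DNAT --to-destination "$SRV:4500"
#ipt -t nat -A PREROUTING -i "$INT_WAN" -p udp --dport 500  -j DNAT --to-destination "$SRV:500"
#ipt -t nat -A PREROUTING -i "$INT_WAN" -p 47 -j DNAT --to-destination "$SRV"
#ipt -t nat -A PREROUTING -i "$INT_WAN" -p 50 -j DNAT --to-destination "$SRV"
#ipt -t nat -A PREROUTING -i "$INT_WAN" -p 51 -j DNAT --to-destination "$SRV"

# Crossing the firewall for remote access (in and out). Only HTTPS has an
# active DNAT above; the other openings match only traffic that is already
# routed to $SRV.
forward_to_srv tcp 443          # HTTPS
forward_to_srv tcp 1723         # PPTP control channel
forward_proto_to_srv 47         # GRE (PPTP data)
forward_to_srv tcp 1701         # L2TP over TCP
forward_to_srv udp 1701         # L2TP
forward_proto_to_srv 50         # ESP
forward_proto_to_srv 51         # AH
forward_to_srv udp 500          # IKE
forward_to_srv udp 4500         # IPsec NAT-T

#--- Everything else: log, then drop ------------------------------------------
# Replaces the previous trailing LOG rules: the two "AttackPirate"/"AttackWeb"
# rules matched only packets claiming the firewall's own WAN address as
# source, and the FORWARD one logged without rate limiting.
ipt -A INPUT   -j LOG_DROP_INPUT
ipt -A FORWARD -j LOG_DROP_FORWARD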