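#!/bin/sh
#
# bfw - Bridge Firewall to restrict a malicious device.
#
# Usage: bfw start|stop|reload|restart
#
# Programs the FORWARD chain of a bridge that sits between a suspect
# device and the rest of the network:
#   - established/related flows are accepted, INVALID packets dropped,
#   - ICMP, DNS (udp/53) and traffic inside 192.168/16 are accepted,
#   - hosts listed in $BLOCKEDHOSTS are logged and dropped,
#   - hosts listed in $ALLOWEDHOSTS are accepted,
#   - everything else is logged and rejected.
# Blocked entries are appended before allowed ones, so a host present in
# both files stays blocked (iptables is first-match).
#
# Both config files hold one host or network per line, in any form
# iptables accepts for -s/-d.  Blank lines and lines starting with '#'
# are ignored.  Each entry is passed to iptables as a single argument.
#

# Abort on the first failed iptables call and on unset variables.  The
# FORWARD policy is set to DROP before any ACCEPT rule is added, so an
# aborted do_start leaves the bridge closed rather than open.
set -eu

PATH=/sbin:/bin

# Interface to the malicious device.
INIF="in0"
# Interface to the outside network.
OUTIF="out0"

BRIF="br0"
ALLOWEDHOSTS="/etc/bfw.allowed.conf"
BLOCKEDHOSTS="/etc/bfw.blocked.conf"

# The network on the "trusted" side of the bridge.
LOCALNET="192.168.0.0/255.255.0.0"

# NOTE(review): INIF only appears in log prefixes and OUTIF/BRIF are not
# referenced at all; no rule below carries -i/-o, so the rules match every
# packet that traverses the FORWARD chain, not just bridge traffic.

#######################################
# Call ACTION once for each host entry in FILE.
# Arguments: $1 - config file (a missing file is not an error)
#            $2 - name of a function taking the entry as its only argument
# Notes:     read with the default IFS trims surrounding whitespace; blank
#            and '#' lines are skipped.  The entry is passed quoted, so a
#            malformed line makes iptables fail (and the script abort)
#            instead of being word-split into extra iptables options.
#######################################
for_each_host() {
  hosts_file=$1
  host_action=$2

  [ -e "$hosts_file" ] || return 0

  # '|| [ -n ... ]' keeps a final line that lacks a trailing newline.
  while read -r entry || [ -n "$entry" ]; do
    case "$entry" in
      ''|\#*) continue ;;
    esac
    "$host_action" "$entry"
  done < "$hosts_file"
}

# block_host HOST: log and drop traffic between LOCALNET and HOST, both ways.
block_host() {
  iptables -A FORWARD -s "$LOCALNET" -d "$1" \
    -j LOG --log-prefix "FORWARD(${INIF}) rule blocked:"
  iptables -A FORWARD -s "$LOCALNET" -d "$1" -j DROP

  iptables -A FORWARD -d "$LOCALNET" -s "$1" \
    -j LOG --log-prefix "FORWARD(${INIF}) rule blocked:"
  iptables -A FORWARD -d "$LOCALNET" -s "$1" -j DROP
}

# allow_host HOST: accept traffic between LOCALNET and HOST, both ways.
allow_host() {
  iptables -A FORWARD -s "$LOCALNET" -d "$1" -j ACCEPT
  iptables -A FORWARD -d "$LOCALNET" -s "$1" -j ACCEPT
}

# Flush FORWARD and install the full ruleset described at the top.
do_start() {
  iptables -F FORWARD
  iptables -P FORWARD DROP

  # enable connection tracking.  Both rules are inserted at the head, so
  # after these two lines RELATED,ESTABLISHED is matched first, INVALID
  # second.  (The former -s/-d 0.0.0.0/0 qualifiers matched everything and
  # were dropped as no-ops.)
  iptables -I FORWARD -m state --state INVALID -j DROP
  iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

  # fun
  # iptables -A FORWARD -p icmp -m limit --limit 4/s -j ACCEPT
  # iptables -I FORWARD -j DROP -p tcp -s 0.0.0.0/0 \
  #   -m string --string "cmd.exe"

  # allow ICMP
  iptables -A FORWARD -p icmp -j ACCEPT

  # allow DNS
  iptables -A FORWARD -p udp --dport 53 -j ACCEPT

  # allow local network
  iptables -A FORWARD -s "$LOCALNET" -d "$LOCALNET" -j ACCEPT

  # blocked hosts first, allowed hosts second: first match wins, so an
  # entry in both files is blocked.
  for_each_host "$BLOCKEDHOSTS" block_host
  for_each_host "$ALLOWEDHOSTS" allow_host

  # log all remaining rejects
  iptables -A FORWARD -j LOG --log-prefix "FORWARD(${INIF}) blocked:"
  # reject everything else coming from the malicious device
  iptables -A FORWARD -j REJECT
}

# Remove every FORWARD rule and let all forwarded traffic through again.
do_unload() {
  iptables -F FORWARD
  iptables -P FORWARD ACCEPT
}

# usage PROGNAME: print the usage line to stderr and exit 1.
usage() {
  printf "usage: %s [start|stop|reload]\n" "$(basename "$1")" >&2
  exit 1
}

main() {
  [ $# -ge 1 ] || usage "$0"

  case "$1" in
    start)
      do_start
      ;;
    reload|restart)
      do_unload
      do_start
      ;;
    stop)
      do_unload
      ;;
    *)
      usage "$0"
      ;;
  esac
}

main "$@"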