SmartOS global zone firewall

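#!/usr/bin/sh
#
# SmartOS global zone firewall.
#
# Creates the gw0 VNIC on switch0 with 172.16.0.1/24, turns on IP forwarding,
# regenerates /etc/ipf/ipf.conf (filter rules) and /etc/ipf/ipnat.conf
# (NAT/redirect rules) from the rule lists below, then loads both into
# IPFilter. Must run as root in the global zone.
#
# /usr/bin/sh on illumos is ksh93, so everything here stays POSIX sh (no
# [[ ]], no arrays). set -e is deliberately not used: a failure in an early,
# non-essential step (accounting, the vimrc hack) must not prevent the
# firewall rules from being loaded.
#
# Fixes relative to the published version: the rules were written with
# typographic quotes (“ ”), which sh does not treat as quotes, so lines such
# as "block return-icmp(host-unr) ..." and "# Allow HTTP & HTTPS in" were
# syntax errors or backgrounded commands; one line had a doubled redirect;
# the per-host comments said 127.16.0.x for 172.16.0.x hosts; and a few NAT
# comments went to ipf.conf instead of ipnat.conf.

set -u

readonly IPF_CONF=/etc/ipf/ipf.conf
readonly NAT_CONF=/etc/ipf/ipnat.conf
readonly GW_VNIC=gw0                 # internal gateway VNIC for the zones
readonly GW_MAC=2:8:20:bc:d5:5f
readonly GW_ADDR=172.16.0.1/24
readonly LAN_NET=172.16.0.0/24       # zone network that is NATed outbound
readonly EXT_IF=igb0                 # external (internet-facing) NIC
# Trailing part of an inbound TCP pass rule: SYN-only match with state and
# fragment tracking, or plain state keeping (both forms are used below).
readonly SYN_STATE='flags S/FSRPAU keep state keep frags'
readonly ANY_STATE='keep state'

#######################################
# Append one filter rule or comment line to ipf.conf.
# Arguments: $1 - the line to append
#######################################
ipf_add() {
  printf '%s\n' "$1" >> "$IPF_CONF"
}

#######################################
# Append one NAT/redirect rule or comment line to ipnat.conf.
# Arguments: $1 - the line to append
#######################################
nat_add() {
  printf '%s\n' "$1" >> "$NAT_CONF"
}

#######################################
# Forward an external TCP port to a zone and open it inbound.
# Arguments: $1 - external port on $EXT_IF
#            $2 - destination host (zone address)
#            $3 - destination port on that host
#            $4 - trailing state clause of the pass rule ($SYN_STATE or
#                 $ANY_STATE)
# Outputs:   one rdr line to ipnat.conf, one pass line to ipf.conf
#######################################
fwd_tcp() {
  nat_add "rdr $EXT_IF from any to any port = $1 -> $2 port $3 tcp"
  ipf_add "pass in quick proto tcp from any to any port = $1 $4"
}

## Bash/vim hack that does not belong here (kept from the original; "later").
touch /root/.vimrc

## Extended network accounting to a log file.
/usr/sbin/acctadm -e extended -f /var/log/netacct.log net

## gw0: internal gateway VNIC for the zones, created once.
# Exact-name match on the parsable link column; the original
# "grep gw0 | wc -l" also matched any other link whose name contains gw0.
if ! /usr/sbin/dladm show-vnic -p -o link | grep -qx "$GW_VNIC"; then
  /usr/sbin/dladm create-vnic -m "$GW_MAC" -l switch0 "$GW_VNIC"
  /usr/sbin/ipadm create-addr -T static -a "$GW_ADDR" "$GW_VNIC/v4"
fi

## IP forwarding (-u: apply to the running system as well).
/usr/sbin/routeadm -u -e ipv4-forwarding
/usr/sbin/routeadm -u -e ipv6-forwarding

## Start both config files from scratch; ipf_add/nat_add append.
rm -f "$IPF_CONF" "$NAT_CONF"

## Filter rules (ipf.conf). IPFilter is last-match-wins unless a rule says
## "quick", so the order below is significant.
ipf_add "# Computer King IPFilter rules vesion 1.0"
ipf_add "# You can use this command to test active IP packet filtering:"
ipf_add "# ipfstat -io"
ipf_add "# You can use ipmon to write data to a logfile and then tail the logfile"
ipf_add "# ipmon -aD /var/log/ipmon.log && tail -f /var/log/ipmon.log"

ipf_add "# Default Policies"

ipf_add "# Allow LOOPBACK in and out"
ipf_add "pass in quick on lo0 all"
ipf_add "pass out quick on lo0 all"

# All outbound traffic from the global zone is allowed. The original carried
# commented-out "single internet client" variants on ep0; they are dropped.
ipf_add "# Allow OUT i might tighten this up"
ipf_add "pass out all keep state"

# Default deny inbound: TCP is refused with an RST and logged, UDP with an
# ICMP host-unreachable. Later (non-quick) pass rules override these for
# specific ports because the last matching rule wins.
ipf_add "# Allow nothing in"
ipf_add "block in all"
ipf_add "block return-rst in log first proto tcp all"
ipf_add "block return-icmp(host-unr) in log proto udp all"

ipf_add "# Allow ICMP in and out"
ipf_add "pass out quick proto icmp all keep state"
ipf_add "pass in quick proto icmp all keep state"

# Zones reaching Google public DNS through gw0. Not "quick": they win over
# "block in all" only by being later in the file. The original also had
# commented-out variants (any resolver on port 53, and 172.16.0.5 as a local
# resolver); re-add one of those if the resolver changes.
ipf_add "# Allow DNS in"
ipf_add "pass in proto tcp from any to 8.8.8.8 port = 53 flags S keep state"
ipf_add "pass in proto udp from any to 8.8.8.8 port = 53 keep state"
ipf_add "pass in proto tcp from any to 8.8.4.4 port = 53 flags S keep state"
ipf_add "pass in proto udp from any to 8.8.4.4 port = 53 keep state"

# Services on the global zone itself, open from any source address. Limiting
# the SSH source to a management range would shrink the exposed surface.
ipf_add "# Allow SSH in"
ipf_add "pass in quick proto tcp from any to any port = 22 $SYN_STATE"

ipf_add "# Allow HTTP & HTTPS in"
ipf_add "pass in quick proto tcp from any to any port = 80 $SYN_STATE"
ipf_add "pass in quick proto tcp from any to any port = 443 $SYN_STATE"

# Project FiFo ports. 4369 is the conventional epmd (Erlang port mapper) port
# and 5353/udp is mDNS; both are opened from any source here, which is wider
# than a cluster-internal service usually needs.
ipf_add "# For FIFO"
for port in 8199 4210 8099 4200 8499 4240 8081 8080 4369; do
  ipf_add "pass in quick proto tcp from any to any port = $port keep state"
done
ipf_add "pass in quick proto udp from any to any port = 5353 keep state"

## Inbound NAT and port forwarding. Every fwd_tcp call below exposes a port
## on $EXT_IF to any source address.
ipf_add "# 172.16.0.2 = Ubuntu-12.04-64-desktop"
fwd_tcp 2002  172.16.0.2 22    "$SYN_STATE"
fwd_tcp 40002 172.16.0.2 40002 "$ANY_STATE"

ipf_add "# 172.16.0.3 = test-3"
fwd_tcp 2003 172.16.0.3 22 "$SYN_STATE"

ipf_add "# 172.16.0.4 = mx2.computerking.ca on debian 7 Kolab"
fwd_tcp 2004  172.16.0.4 22    "$SYN_STATE"   # SSH
fwd_tcp 40004 172.16.0.4 40004 "$SYN_STATE"   # VNC
# HTTP web interface: not forwarded until it can be separated from the
# hosted sites on port 80.
# fwd_tcp 80 172.16.0.4 80 "$SYN_STATE"
fwd_tcp 110 172.16.0.4 110 "$SYN_STATE"       # POP
fwd_tcp 143 172.16.0.4 143 "$SYN_STATE"       # IMAP
# LDAP: the original has the redirect but no matching pass rule, so cleartext
# LDAP from the internet is still refused by "block in all". Kept that way;
# add a pass rule only if 389 really has to be reachable from outside.
nat_add "rdr $EXT_IF from any to any port = 389 -> 172.16.0.4 port 389 tcp"
# HTTPS and SMTPS (465): disabled in the original.
# fwd_tcp 443 172.16.0.4 443 "$SYN_STATE"
# fwd_tcp 465 172.16.0.4 465 "$SYN_STATE"
fwd_tcp 587 172.16.0.4 587 "$SYN_STATE"       # mail submission
fwd_tcp 636 172.16.0.4 636 "$SYN_STATE"       # LDAPS
fwd_tcp 993 172.16.0.4 993 "$SYN_STATE"       # IMAPS
fwd_tcp 995 172.16.0.4 995 "$SYN_STATE"       # POP3S

ipf_add "# 172.16.0.5 = shinken-1"
fwd_tcp 2005  172.16.0.5 22 "$SYN_STATE"
fwd_tcp 10085 172.16.0.5 80 "$SYN_STATE"

ipf_add "# 172.16.0.10 = fifo-1"
fwd_tcp 10090 172.16.0.10 80 "$SYN_STATE"

## Outbound NAT for the zone network (ipnat.conf).
nat_add "# FTP proxy"
nat_add "map $EXT_IF from $LAN_NET to any -> 0/32 proxy port ftp ftp/tcp"
nat_add "# NAT everything else"
nat_add "map $EXT_IF from $LAN_NET to any -> 0/32 portmap tcp/udp auto"
nat_add "map $EXT_IF from $LAN_NET to any -> 0/32"

## Enable the filter and load both rule sets.
# -Fa flushes the running rules before the new file is parsed, so a file
# that fails to load leaves ipf enabled with an empty (pass-all) rule set.
# The exit status is checked so that at least shows up; NAT redirects are
# not installed on top of a broken filter. Verify with "ipfstat -io" after
# any change, since not every ipf build reports rule syntax errors through
# its exit status.
if ! /usr/sbin/ipf -E -Fa -v -f "$IPF_CONF"; then
  printf 'error: ipf failed to load %s\n' "$IPF_CONF" >&2
  exit 1
fi
if ! /usr/sbin/ipnat -C -v -f "$NAT_CONF"; then
  printf 'error: ipnat failed to load %s\n' "$NAT_CONF" >&2
  exit 1
fi

## OVH/Kimsufi NTP fix (disabled in the original, kept for reference).
## If re-enabled, write to a mktemp file rather than a fixed /tmp path.
#/usr/sbin/svcadm disable ntp
#/usr/bin/grep -v server /etc/inet/ntp.conf > /tmp/ntp.conf
#echo "server 2.ca.pool.ntp.org" >> /tmp/ntp.conf
#/usr/bin/mv /tmp/ntp.conf /etc/inet/ntp.conf
#/usr/sbin/svcadm enable ntp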
