Simple internet firewall was created on impulse and for my own needs. Maybe I'll continue working on this project.

1. IDEA
The main idea was to create as simple a script as possible that works on any Linux system with iptables, and to integrate the iptables rules created by the script with squid ACLs.

2. FILES
SIF files are located here

3. EXAMPLES
Here is an example of the base configuration file, called firewall.cfg:
#########################################
# network configuration
#########################################

# DEBUG - set it to get debug information about what the script does
DEBUG=0

# IN_IF - internal interface
IN_IF=eth1
# OUT_IF - external interface to internet
OUT_IF=eth0

# information about local net
LOCAL_NET="192.168.250.0/24"
IN_IP=192.168.250.1

# information about external IP
OUT_IP=192.168.180.1


# DNS servers to communicate with - to function properly these should be identical to the ones in /etc/resolv.conf
DNS1=192.168.1.1
DNS2=192.168.1.2

##########################################
# squid variables
##########################################

# SQUID_ACL_NAME - prefix to acl name in squid.conf
SQUID_ACL_NAME="auto_fw"

# SQUID_ACL_COUNT - starting number for the generated squid acl names
SQUID_ACL_COUNT=1

# SQUID_STRIP_COMMENTS - strip comments from the squid.cfg file
SQUID_STRIP_COMMENTS=1

# SQUID_RESTART - restart squid if it is running
SQUID_RESTART=1

#########################################
# files to deal with
#########################################


# LOCAL_RULES_FILE - filename or path/filename of the local access rules file
LOCAL_RULES_FILE=access_rules

# SQUID_TEMPLATE - filename or path/filename to squid.conf template file
SQUID_TEMPLATE=squid.conf.tmpl

# SQUID_DEST - filename or path/filename to squid.conf generated by this script
SQUID_DEST=/srv/cache/etc/squid.conf

Once the basic network configuration and the squid configuration are in place, we build the access_rules file, which holds the rules for access from the local LAN.
The access_rules file consists of host statements like:
# a host statement is built as: ip mac { access description }
192.168.250.2 00:11:22:33:44:55 {
# statements describing how this host may access the firewall itself (local) or the internet go here
}
Statements between the braces can be one of:
- local
- forward
- squid
Statements are built like:
start access_type
# access rules
end access_type
Example of the local access type:
start local
# an access rule is built like:
# proto port1 port2 port3 port4
tcp 22 53 80 443
udp 53
end local

Example of the forward access type:
# an access rule is built like:
# proto host port
#
# there can also be a dns statement, which means automatic access to the DNS servers from the firewall.cfg file

start forward
dns
tcp www.onet.pl 80
tcp www.wp.pl 80
tcp www.google.pl http
tcp any 22
tcp www.kernel.org any
udp 150.254.5.4 53
end forward

# this means access to http on www.onet.pl, www.wp.pl and www.google.pl, also access to DNS on 150.254.5.4
# and access to the two DNS1 and DNS2 servers described in the firewall.cfg file
# it also gives access to ssh on any ip and to any port on www.kernel.org
# NOTE: giving hostnames instead of ips to iptables is not a good idea (iptables resolves the name once,
# when the rule is loaded, so later DNS changes are not picked up), but sometimes we need to do it

Example of the squid access type:
# access rules are:
# site sitename - the host can access any web page on sitename
# url url_regex - the host can access any web page that matches url_regex
# anysite - adds an acl to the squid.conf file that gives access to any site
start squid
site www.kernel.org
url http://*/*.gif
# anysite
end squid

# gives access to www.kernel.org and to any gif on any site
# anysite is commented out because we don't want to give full access

Here is an example of how to configure access for two hosts from the local network:
192.168.250.2 00:11:22:33:44:55 {
start local
tcp 22
end local

# we give only local access to ssh
}

192.168.250.3 66:55:44:33:22:11 {
start local
tcp 22
udp 53
end local

start forward
tcp shell.sourceforge.net 22
udp any 53
end forward

start squid
url *.sf.net
url *.sourceforge.net
site www.kernel.org
end squid
}

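The access_rules format described above, parsed and turned into iptables command lines, as an added example that is not SIF's own script: the sample rules are constructed, and the chain layout (INPUT for local, FORWARD for forward) and the IP-plus-MAC binding are this example's assumptions, not necessarily what SIF generates.

```python
import re

# Constructed sample in the access_rules format from this README (not from the project)
ACCESS_RULES = """\
192.168.250.3 66:55:44:33:22:11 {
start local
tcp 22 53
end local
start forward
dns
tcp any 22
udp 150.254.5.4 53
end forward
}
"""
DNS = ("192.168.1.1", "192.168.1.2")  # DNS1/DNS2 as in firewall.cfg
HOST_RE = re.compile(r"^(\S+)\s+([0-9a-f]{2}(?::[0-9a-f]{2}){5})\s*\{$", re.I)

def parse_access_rules(text):
    """Return {ip: {"mac": ..., "local": [...], "forward": [...], "squid": [...]}}."""
    hosts, cur, sec = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line: continue
        match = HOST_RE.match(line)
        if match:  # "ip mac {" opens a host block
            cur = hosts[match.group(1)] = {"mac": match.group(2).lower(), "local": [], "forward": [], "squid": []}
        elif line == "}":
            cur = sec = None
        elif line.startswith(("start ", "end ")):
            sec = line.split()[1] if line.startswith("start") else None
        elif cur is not None and sec in cur:
            cur[sec].append(line.split())
        else:  # statement outside a block or unknown access type: refuse instead of silently ignoring
            raise ValueError("bad statement: %r" % raw)
    return hosts

def iptables_rules(hosts, in_if="eth1", out_if="eth0"):
    """iptables lines for the local/forward sections (chain layout is this example's assumption)."""
    out = []
    for ip, h in hosts.items():
        src = "-s %s -m mac --mac-source %s" % (ip, h["mac"])  # bind the host's IP to its MAC
        for proto, *ports in h["local"]:
            out += ["iptables -A INPUT -i %s %s -p %s --dport %s -j ACCEPT" % (in_if, src, proto, p) for p in ports]
        for stmt in h["forward"]:  # "dns" expands to udp/53 towards each configured DNS server
            targets = [("udp", d, "53") for d in DNS] if stmt == ["dns"] else [tuple(stmt)]
            for proto, dst, port in targets:
                m = ("" if dst == "any" else " -d " + dst) + ("" if port == "any" else " --dport " + port)
                out.append("iptables -A FORWARD -i %s -o %s %s -p %s%s -j ACCEPT" % (in_if, out_if, src, proto, m))
    return out
```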

4. TODO
Clean up the code and learn more about bash, remove some small stupid bugs, maybe make the access_rules file case-insensitive.

5. CONTACT
Mail me at nedyarrd@irc.pl