#!/bin/bash

#########################################################################
# Variables / Initialization                                            #
#########################################################################

TABLES="filter nat mangle"
iptables=/sbin/iptables

# create mac db if it does not exist
touch /tmp/known_macs
touch /tmp/blacklisted_macs

# first whitespace-separated field of each line is the MAC address
KNOWN_MACS=$(awk '{print $1}' /tmp/known_macs)
BLACKLISTED_MACS=$(awk '{print $1}' /tmp/blacklisted_macs)

# flush everything
for table in $TABLES
do
    $iptables -t $table -F
    $iptables -t $table -X
done

# default policies for the main (filter) table
$iptables -t filter -P INPUT DROP
$iptables -t filter -P OUTPUT ACCEPT
$iptables -t filter -P FORWARD DROP

# default policies for the NAT table
$iptables -t nat -P PREROUTING ACCEPT
$iptables -t nat -P POSTROUTING ACCEPT
$iptables -t nat -P OUTPUT ACCEPT

# allow all traffic for existing connections
$iptables -t filter -A FORWARD -m state --state ESTABLISHED,RELATED \
    -j ACCEPT
$iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED \
    -j ACCEPT

#########################################################################
# Local Policies                                                        #
#########################################################################

# allow local interface traffic
$iptables -t filter -A INPUT -i lo -j ACCEPT

# allow connections from hard-wired interface
# (physdev matches the bridge port a frame arrived on, so eth0 and eth1
# are expected to be members of a bridge on this host)
$iptables -t filter -A INPUT -m physdev --physdev-in eth0 \
    -m state --state NEW -j ACCEPT

# allow connections to httpd
$iptables -t filter -A INPUT -p tcp --dport http \
    -m state --state NEW -j ACCEPT
$iptables -t filter -A INPUT -p tcp --dport https \
    -m state --state NEW -j ACCEPT

#########################################################################
# Forwarding Policies                                                   #
#########################################################################

# allow DNS to pass through
$iptables -t filter -A FORWARD -p tcp --dport domain -j ACCEPT
$iptables -t filter -A FORWARD -p udp --dport domain -j ACCEPT

# allow DHCP to pass through
$iptables -t filter -A FORWARD -p udp --dport 67:68 -j ACCEPT

#########################################################################
# NetGreg Magic                                                         #
#########################################################################

# do not apply any rules to packets that have been marked (i.e. known MACs)
$iptables -t nat -A PREROUTING -m mark --mark 0x42 -j ACCEPT

# redirect HTTP requests from unknown MACs to local machine
$iptables -t nat -A PREROUTING -m physdev --physdev-in eth1 \
    -p tcp --dport 80 -j REDIRECT

# forward any packets that have been marked (i.e. known MACs)
$iptables -t filter -I FORWARD 1 -m mark --mark 0x42 -j ACCEPT

# mark all the packets from the registered MACs
# (mangle PREROUTING runs before nat PREROUTING, so the mark is already
# set when the REDIRECT rule above is evaluated)
for MAC in $KNOWN_MACS ; do
    $iptables -t mangle -I PREROUTING -m mac --mac-source $MAC \
        -j MARK --set-mark 0x42
done

# drop the packets from blacklisted hosts
# (inserted after the loop above, so these rules end up ahead of the
# MARK rules and a blacklisted MAC is never marked)
for MAC in $BLACKLISTED_MACS ; do
    $iptables -t mangle -I PREROUTING -m mac --mac-source $MAC \
        -j DROP
done

#########################################################################
# Logging                                                               #
#########################################################################

# log and drop other incoming traffic
$iptables -t filter -A INPUT -m state --state NEW \
    -j LOG --log-prefix "Input Denied: " --log-level info

# if all else fails, log ...
$iptables -t filter -A FORWARD \
    -j LOG --log-prefix "Forwarding Denied: " --log-level info

# ... and drop rejected packets
$iptables -t filter -A FORWARD -j DROP

# crash and burn!
echo "1" > /proc/sys/net/ipv4/ip_forward
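The script above splices the first field of every line in /tmp/known_macs and /tmp/blacklisted_macs straight into an iptables command. Because those files live in a world-writable directory and nothing checks their contents, a stray or malformed line silently breaks the loop (iptables rejects the rule, the remaining MACs are still processed, and the ruleset ends up in a partially applied state). The helper below is an added example, not part of the original script: it reads a file in the same format, keeps only entries that are well-formed MAC addresses, lowercases them, and reports rejected lines on stderr, so a loop such as `for MAC in $(load_macs /tmp/known_macs)` only ever sees values that iptables will accept. The sample database it builds is constructed for the example.

```shell
#!/bin/bash
# Added example: validate MAC database entries before they reach iptables.
# Not part of the original script; assumes the same one-MAC-per-line format,
# where only the first whitespace-separated field is significant.

# load_macs FILE
#   Print one validated, lowercased MAC address per line.
#   Blank lines and lines starting with '#' are skipped silently;
#   anything that is not six colon-separated hex octets is reported on
#   stderr and skipped, so the caller never interpolates it into a rule.
load_macs() {
    file="$1"
    [ -r "$file" ] || return 1
    while read -r mac _rest; do
        case "$mac" in
            ''|'#'*) continue ;;
        esac
        if printf '%s\n' "$mac" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'; then
            # validated: no whitespace or glob characters can be present,
            # so unquoted word-splitting in a for loop is safe
            printf '%s\n' "$mac" | tr 'A-F' 'a-f'
        else
            printf 'skipping malformed MAC entry: %s\n' "$mac" >&2
        fi
    done < "$file"
}

# Constructed sample database in the script's format (MAC first, rest ignored).
SAMPLE_DB=$(mktemp)
cat > "$SAMPLE_DB" <<'EOF'
# constructed sample: two good entries, two that must be rejected
00:11:22:33:44:55 alice-laptop
AA:BB:CC:DD:EE:FF
not-a-mac
00:11:22:33:44
EOF

# Dry run: show the MARK rules that would be generated from the sample.
for MAC in $(load_macs "$SAMPLE_DB"); do
    echo "iptables -t mangle -I PREROUTING -m mac --mac-source $MAC -j MARK --set-mark 0x42"
done
```

The same helper serves both loops in the script: call it once for the known list and once for the blacklist, and keep the rejected-entry messages in the log so that a corrupted database file is noticed rather than quietly shrinking the set of marked or dropped hosts.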