From 2185ba2cf4e1eb8bdea5c8b865b014e5aa9c8091 Mon Sep 17 00:00:00 2001
From: jjako
Date: Thu, 15 Jan 2004 17:39:10 +0000
Subject: [PATCH] Added firewall
---
 examples/firewall | 48 +++++++++++++++++++++++++++++++++++++++++++++++
 openggsn.spec.in | 1 +
 2 files changed, 49 insertions(+)
 create mode 100755 examples/firewall
diff --git a/examples/firewall b/examples/firewall
new file mode 100755
index 0000000..fce735a
--- /dev/null
+++ b/examples/firewall
@@ -0,0 +1,48 @@
+#!/bin/sh
+#
+# Firewall script for GGSN
+#
+# Uses $IFGN (eth0) as the Gn interface (Gn) and
+# $IFGI (eth1) as the Gi interface.
+#
+# SUMMARY
+# * All connections originating from GGSN are allowed.
+# * Incoming ssh, GTPv0 and GTPv1 is allowed on the Gn interface.
+# * Incoming ssh is allowed on the Gi interface.
+# * Forwarding is allowed to and from the Gi interface, but disallowed
+# to and from the Gn interface.
+# * Masquerede on Gi interface.
+
+IPTABLES="/sbin/iptables"
+IFGN="eth0"
+IFGI="eth1"
+
+$IPTABLES -P INPUT DROP
+$IPTABLES -P FORWARD ACCEPT
+$IPTABLES -P OUTPUT ACCEPT
+
+#Allow related and established on all interfaces (input)
+$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+
+#Allow releated, established, GTP and ssh on $IFGN. Reject everything else.
+$IPTABLES -A INPUT -i $IFGN -p tcp -m tcp --dport 22 --syn -j ACCEPT
+$IPTABLES -A INPUT -i $IFGN -p udp -m udp --dport 2123 -j ACCEPT
+$IPTABLES -A INPUT -i $IFGN -p udp -m udp --dport 2152 -j ACCEPT
+$IPTABLES -A INPUT -i $IFGN -p udp -m udp --dport 3386 -j ACCEPT
+$IPTABLES -A INPUT -i $IFGN -j REJECT
+
+#Allow related, established and ssh. Drop everything else.
+$IPTABLES -A INPUT -i $IFGI -p tcp -m tcp --dport 22 --syn -j ACCEPT
+$IPTABLES -A INPUT -i $IFGI -j DROP
+
+# Masquerade everything going out on $IFGI
+$IPTABLES -t nat -A POSTROUTING -o $IFGI -j MASQUERADE
+
+#Allow everything on loopback interface.
+$IPTABLES -A INPUT -i lo -j ACCEPT
+
+# Drop everything to and from $IFGN (forward)
+$IPTABLES -A FORWARD -i $IFGN -j DROP
+$IPTABLES -A FORWARD -o $IFGN -j DROP
+
+
diff --git a/openggsn.spec.in b/openggsn.spec.in
index e8707e8..93934eb 100644
--- a/openggsn.spec.in
+++ b/openggsn.spec.in
@@ -67,6 +67,7 @@ make clean
 %doc examples/ggsn.conf
 %doc examples/sgsnemu.conf
 %doc examples/ggsn.init
+%doc examples/firewall
 %doc /usr/man/man8/ggsn.8.gz
 %doc /usr/man/man8/sgsnemu.8.gz
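Review bot: The three `-P` policy lines run before any ACCEPT rule is appended and nothing flushes the chains first, so an iptables error part-way through leaves the host with `INPUT DROP` and no ssh or RELATED,ESTABLISHED exception, and a second run of the script appends a duplicate rule set on top of whatever was already loaded. Start with `$IPTABLES -F`, `$IPTABLES -t nat -F` and `$IPTABLES -X`, append the rules, and set the policies as the last step so the default-deny only takes effect once the exceptions exist. The `-i lo -j ACCEPT` rule works in its current position because the REJECT/DROP catch-alls are interface-scoped, but it conventionally goes first to make that obvious to the next reader. The `$IFGN`/`$IFGI` expansions are unquoted; that is harmless with these fixed values, but `"$IFGN"` is the safer habit if the interface names are ever taken from the environment.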