Ext-FW.startup

# External Firewall responsible for SNAT as it is the last layer when packets
# are broadcasted out and DNAT towards DMZ servers as it is the first layer of
# defence for incoming packets.  Outsiders only know the eth0 public IP address
# of Warwick and nothing about the internals. DNATing is only done towards the
# DMZ and NEVER to the internal LAN unless it is an ESTABLISHED,RELATED stateful
# connection that was legitimately initiated from the inside.

ifconfig eth0 137.205.0.1/16
ifconfig eth1 172.16.0.1/30
ifconfig eth2 10.0.0.1/30
ifconfig eth3 192.168.0.1/30


# Adding networks that are accessible through
# directly connected gateways including the 
# Internet, DMZ-GW-VPN, DMZ-GW-Mail and Int-FW.
# Accessible components are the Ext-Hostile,
# Ext-Office, Ext-DNS, Ext-WWW, OpenVPN, Mail
# and GW-Staff. 

# OpenVPN Server accessible though the DMZ Gateway VPN.
route add -net 172.16.1.0/30 gw 172.16.0.2

# Mail Server accessible though the DMZ Gateway Mail.
route add -net 192.168.1.0/30 gw 192.168.0.2

# Dep-A LAN accessible through the Internal Firewall.
route add -net 10.0.5.0/24 gw 10.0.0.2

# Dep-B LAN accessible through the Internal Firewall.
route add -net 10.0.7.0/24 gw 10.0.0.2

# Public Internet is the Default route of the External Firewall.
route add default gw 137.205.0.2


# Firewall Rules for the External Firewall

# DISABLES IP6 Traffic which is accepted by default.

ip6tables -t filter -P INPUT DROP
ip6tables -t filter -P OUTPUT DROP
ip6tables -t filter -P FORWARD DROP


# DEFAULT Policies are set to DROP towards whitelisting.

iptables -t filter -P INPUT DROP
iptables -t filter -P OUTPUT DROP
iptables -t filter -P FORWARD DROP


# ESTABLISHED, RELATED are placed high in order inside chains to boost performance.

iptables -A FORWARD -i eth0 -o eth1 -m conntrack --ctstate ESTABLISHED,RELATED -m comment --comment "Stateful Incoming VPN connection" -j ACCEPT

iptables -A FORWARD -i eth1 -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -m comment --comment "Stateful Outgoing VPN connection" -j ACCEPT

iptables -A FORWARD -i eth0 -o eth3 -m conntrack --ctstate ESTABLISHED,RELATED -m comment --comment "Stateful Incoming Mail connection" -j ACCEPT

iptables -A FORWARD -i eth3 -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -m comment --comment "Stateful Outgoing Mail connection" -j ACCEPT

iptables -A FORWARD -i eth0 -o eth2 -m conntrack --ctstate ESTABLISHED,RELATED -m comment --comment "Stateful Incoming WWW Connection" -j ACCEPT

iptables -A FORWARD -i eth2 -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -m comment --comment "Stateful Outgoing WWW Connection" -j ACCEPT


# LOGs of dropped packets matching XMAS scans and other malicious methodologies.

# The field "--log-prefix=iptables:" makes log inspection much easier using 
# cat /var/log/syslog | grep iptables

iptables -A INPUT -p tcp -m tcp --tcp-flags ALL FIN,PSH,URG -m comment --comment "Logs Nmap Scan Type 1" -j LOG --log-prefix=iptables:

iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN -m comment --comment "Logs Nmap Scan Type 2" -j LOG --log-prefix=iptables:

iptables -A INPUT -p tcp -m conntrack --ctstate NEW -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "Logs Nmap Scan Type 3" -j LOG --log-prefix=iptables:


# RULE 1 -- SNAT for exiting packets.

# Source NATTing so that packets exiting the External Firewall will 
# inherit the public IP Address of our organisation and prevent the
# the disclosure of private IP addresses.

iptables -t nat -A POSTROUTING -o eth0 -m comment --comment "External Firewall's Public IP becomes exiting packets source address" -j SNAT --to-source 137.205.0.1


# RULE 2 -- DNAT for DMZ's OpenVPN Server alongside FORWARD chain stateful rules.

# Only accepts connections from the External Office IP range to follow the Least Privilege Principle.

iptables -t nat -A PREROUTING -i eth0 -p tcp --syn --dport 1194 -m comment --comment "Routes incoming packets addressed to the VPN" -j DNAT --to-destination 172.16.1.2

iptables -A FORWARD -i eth0 -o eth1 -s 22.39.224.16/30 -p tcp --syn --dport 1194 -m conntrack --ctstate NEW -m comment --comment "Only accept VPN connection initiations from the Ext-Office range" -j ACCEPT


# RULE 3 -- DNAT for DMZ's Mail Server alongside FORWARD chain stateful rules.

iptables -t nat -A PREROUTING -i eth0 -p tcp --syn --match multiport --dports 25,587,993 -m comment --comment "Routes incoming packets addressed to the Mail Server" -j DNAT --to-destination 192.168.1.2

iptables -A FORWARD -i eth0 -o eth3 -p tcp --syn --match multiport --dports 25,587,993 -m conntrack --ctstate NEW -m comment --comment "Accept new Mail connection initiation from anywhere" -j ACCEPT


# RULE 4 -- Internal users should connect to websites residing in the public Internet (Ext-WWW).

# The following rules are directly related to Squid Proxy which runs in the internal firewall
# that after redirecting to the transparent proxy running on port 3128 and 3129 broadcasts packets
# to the external firewall.

iptables -A FORWARD -i eth2 -o eth0 -s 10.0.0.2 -p tcp --match multiport --dports 80,443 -j ACCEPT


# RULE 5 -- Internal users should connect to External DNS that resides in the public Internet (Ext-DNS).

iptables -A FORWARD -i eth2 -o eth0 -s 10.0.5.0/24 -d 8.8.8.8 -p udp --dport 53 -m comment --comment "External DNS Access from Dep-A LAN" -j ACCEPT

iptables -A FORWARD -i eth2 -o eth0 -s 10.0.7.0/24 -d 8.8.8.8 -p udp --dport 53 -m comment --comment "External DNS Access from Dep-B LAN" -j ACCEPT


# RULE 6 -- Allow Pings (and Replies) from outside to the external firewall.

iptables -A INPUT -p icmp --icmp-type echo-request -m comment --comment "Ping to Ext-FW" -j ACCEPT

iptables -A OUTPUT -p icmp --icmp-type echo-reply -m comment --comment "Pong from Ext-FW" -j ACCEPT