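#!/bin/sh
#
# rc.firewall
# Script version 1.01 - November 3, 1998
#
################################################################
#
# Initialization script to set up tight rules-based firewalling and
# masquerading for private LAN/internet gateways, via ipchains.
#
# Standard usage is to put this in rc.local after loading the ip masq
# modules, but any changes can be immediately activated simply by running
# this script, as it flushes the old rules and puts in the new ruleset.
#
# Requires Linux 2.1.102 and up or a 2.0.x kernel patched for ipchains,
# as well as the ipchains program, available from the official website at:
# [http://www.adelaide.net.au/~rustcorp/ipfwchains/ipfwchains.html]
#
# All logging goes to dmesg/klogd
#
# Recommended reading:
#
# RFC 1918, 'Address allocation for private internets'
# Ethernet-HOWTO            NET-3-HOWTO
# PPP-HOWTO                 ipchains-HOWTO
# The Jargon File           Anything by Terry Pratchett
#
################################################################
# Copyright info:
#
# ipchains (C) 1998 Paul Russell [Paul.Russell@rustcorp.com.au]
#
# script (C) 1998 Ian Hall-Beyer [manuka@nerdherd.net]
#
# Contributors:
# Raymond Moyers [rmoyers@nop.org] - Original ipfwadm script
#
# You are free to distribute this script as you see fit. Any
# modified script must list the authors and contributors above.
# I would also appreciate an email letting me know what you've
# done to improve on it.
#
################################################################
#
# Abort on any reference to an unset variable (a typo in one of the
# names below must not silently turn into an empty argument).
set -u
#
# set the following variables to match your network
INTERNALIF="eth0"
INTERNALNET="192.168.1.0/24"
INTERNALIP="192.168.1.1"
#
EXTERNALIF="ppp0"
EXTERNALNET="0.0.0.0/0"
# Address of the external interface.  NOTE: an address given without a
# /mask is matched as a single host, so while this stays at 0.0.0.0 the
# "dont masq external interface direct" rule below matches nothing.  Set
# the real address here on a static link (on a dynamic ppp link the rule
# has no effect until you do).
EXTERNALIP="0.0.0.0"
#
# This is the location of the ipchains command
IPCHAINS="/sbin/ipchains"
#
################################################################
#
# die MESSAGE... - print a diagnostic to stderr and abort the script.
# Because the chain policies are set to DENY before any rule is loaded
# (see below), aborting part-way leaves the box closed rather than open.
die() {
  printf 'rc.firewall: %s\n' "$*" >&2
  exit 1
}

# rule ARGS... - run ipchains with ARGS and abort if the rule is refused.
# A rule that silently failed to load (e.g. a service name missing from
# /etc/services) would otherwise leave a gap that a later ACCEPT rule
# such as the high-port rule could expose.
rule() {
  "$IPCHAINS" "$@" || die "failed: $IPCHAINS $*"
}

[ -x "$IPCHAINS" ] || die "$IPCHAINS not found or not executable"
#
################################################################
#
## Default policies first, then flush.
## The policy is what a chain falls back to when no rule matches, and
## it survives a flush.  Setting it before flushing means the chains are
## never wide open while the old rules are gone and the new ones are
## still loading.  The explicit catch-all rules at the end are kept so
## the final ruleset is the same as before.
#
rule -P input DENY
rule -P output ACCEPT
rule -P forward DENY
#
## Flush everything, start from scratch
#
# Incoming packets from the outside network
rule -F input
# Outgoing packets from the internal network
rule -F output
# Forwarding/masquerading
rule -F forward
#
## Allow all connections on the internal interface
## (no source check here: anything arriving on $INTERNALIF is trusted)
#
rule -A input -i "$INTERNALIF" -s 0/0 -d 0/0 -j ACCEPT
rule -A output -i "$INTERNALIF" -s 0/0 -d 0/0 -j ACCEPT
#
## Anti-spoofing: a packet arriving on the external interface can never
## legitimately carry an internal source address, so drop and log it
## before any of the accept rules below get a look at it.
#
rule -A input -i "$EXTERNALIF" -s "$INTERNALNET" -d 0/0 -l -j DENY
#
#
## IP Masq
#
## dont masq internal-internal traffic
rule -A forward -s "$INTERNALNET" -d "$INTERNALNET" -j ACCEPT
#
## dont masq external interface direct
rule -A forward -s "$EXTERNALIP" -d 0/0 -j ACCEPT
#
## masquerade all internal IP's going outside
rule -A forward -s "$INTERNALNET" -d 0/0 -j MASQ
#
# Type of Service (TOS) bits
# This is a new feature of ipchains - check the ipchains HOWTO for
# details on what this does
#
# Set telnet, www and FTP for minimum delay
rule -A output -p tcp -d 0/0 www -t 0x01 0x10
rule -A output -p tcp -d 0/0 telnet -t 0x01 0x10
rule -A output -p tcp -d 0/0 ftp -t 0x01 0x10
#
# Set ftp-data for maximum throughput
rule -A output -p tcp -d 0/0 ftp-data -t 0x01 0x08
#
#
################################################################
# Insert trusted networks here
# (specific networks that can connect to your system)
#
#rule -A input -p [protocol] -s [TRUSTED NET] -d 0/0 [port range] -j ACCEPT
################################################################
# Insert banned networks here
# (specific networks that are banned from your system)
# This is good for blocking the script kiddies.
# any packets meeting these rules are logged.
#
#rule -A input -p [protocol] -s [BANNED NET] -d 0/0 [port range] -l -j DENY
################################################################
# Insert prohibited sites here
# (specific networks that your system is not allowed to connect to)
# any packets meeting these rules are logged.
#
#rule -A output [-p [protocol]] -s "$INTERNALNET" -d [prohibited net] [port range] -l -j REJECT
################################################################
#
#
## Specific port blocks on the external interface
## These ports have known vulnerabilities and should not be open
## to the outside world unless there is a really good reason for it.
## Since these are potentially vulnerable, packets are logged.
## These DENY rules must stay ahead of the high-port ACCEPT below, which
## would otherwise let the ports above 1024 through.
#
## NetBEUI
rule -A input -i "$EXTERNALIF" -p tcp -s 0/0 -d 0/0 139 -l -j DENY
rule -A input -i "$EXTERNALIF" -p udp -s 0/0 -d 0/0 139 -l -j DENY
#
## MS-SQL
rule -A input -i "$EXTERNALIF" -p tcp -s 0/0 -d 0/0 1433 -l -j DENY
rule -A input -i "$EXTERNALIF" -p udp -s 0/0 -d 0/0 1433 -l -j DENY
#
## NFS
#rule -A input -i "$EXTERNALIF" -p tcp -s 0/0 -d 0/0 2049 -l -j DENY
#rule -A input -i "$EXTERNALIF" -p udp -s 0/0 -d 0/0 2049 -l -j DENY
#
## postgresSQL
rule -A input -i "$EXTERNALIF" -p tcp -s 0/0 -d 0/0 5432 -l -j DENY
rule -A input -i "$EXTERNALIF" -p udp -s 0/0 -d 0/0 5432 -l -j DENY
#
## X11 display ports
rule -A input -i "$EXTERNALIF" -p tcp -s 0/0 -d 0/0 5999:6003 -l -j DENY
rule -A input -i "$EXTERNALIF" -p udp -s 0/0 -d 0/0 5999:6003 -l -j DENY
#
#
## High unpriv ports
## Unprivileged ports start at 1024; the old lower bound of 1023 was an
## off-by-one that also let a privileged port through.  Note there is no
## -i here, so every listener on a high port is reachable from outside
## except for the specific blocks above.
#
rule -A input -p tcp -s 0/0 -d 0/0 1024:65535 -j ACCEPT
rule -A input -p udp -s 0/0 -d 0/0 1024:65535 -j ACCEPT
#
#
## Basic Services
# Note that unlike ipfw, ipchains cannot take more than one port per
# command, unless it is a range of ports (e.g. 20:23). You can also
# specify a service type (it must be defined in /etc/services)
# instead of a port number. Comment any of these out to block the
# service.
#
# ftp-data
rule -A input -p tcp -s 0/0 -d 0/0 20 -j ACCEPT
# ftp
rule -A input -p tcp -s 0/0 -d 0/0 21 -j ACCEPT
# ssh
rule -A input -p tcp -s 0/0 -d 0/0 22 -j ACCEPT
# telnet
rule -A input -p tcp -s 0/0 -d 0/0 23 -j ACCEPT
# smtp
rule -A input -p tcp -s 0/0 -d 0/0 25 -j ACCEPT
# DNS
rule -A input -p tcp -s 0/0 -d 0/0 53 -j ACCEPT
rule -A input -p udp -s 0/0 -d 0/0 53 -j ACCEPT
# http
rule -A input -p tcp -s 0/0 -d 0/0 80 -j ACCEPT
# POP-3
rule -A input -p tcp -s 0/0 -d 0/0 110 -j ACCEPT
# identd
rule -A input -p tcp -s 0/0 -d 0/0 113 -j ACCEPT
# https
rule -A input -p tcp -s 0/0 -d 0/0 443 -j ACCEPT
#
## ICMP
#
# Deny
# Use this to deny ICMP from specific addresses (-b makes it bidirectional)
#rule -A input -b -i "$EXTERNALIF" -p icmp -s [BLOCKED NET] -d 0/0 -j DENY
#
# Allow incoming ICMP (all types, from anywhere)
rule -A input -i "$EXTERNALIF" -p icmp -s 0/0 -d 0/0 -j ACCEPT
rule -A input -i "$INTERNALIF" -p icmp -s 0/0 -d 0/0 -j ACCEPT
# Allow outgoing ICMP
rule -A output -i "$EXTERNALIF" -p icmp -s 0/0 -d 0/0 -j ACCEPT
rule -A output -i "$INTERNALIF" -p icmp -s 0/0 -d 0/0 -j ACCEPT
#
#
## catch-all rules
## ipchains reaches these if it hasn't matched any of the previous
## rules; they duplicate the chain policies set at the top so the
## effective ruleset does not depend on the policy alone.
#
rule -A input -j DENY
rule -A output -j ACCEPT
rule -A forward -j DENY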