#!/bin/tcsh # # Copied From: # =========== # http://uber.chorn.com/ipchains.txt # # #------------------------------------------------------------------------------ # $Id: ipchains.txt,v 1.3 1999/11/17 18:17:09 chorn Exp $ #------------------------------------------------------------------------------ #alias ipchains "echo \!*; /sbin/ipchains \!*" #------------------------------------------------------------------------------ # # Firewall has 3 nics: # eth0 (internet) (bad) A.B.C.D # eth1 (intranet) (good) 192.168.1.254 # eth2 (pubnet) (dmz) W.X.Y.Z # # # #------------------------------------------------------------------------------ # Kill all existing chains ipchains -F ipchains -X dmz-if ipchains -X good-if ipchains -X bad-if ipchains -X icmp-acc ipchains -X good-dmz ipchains -X bad-dmz ipchains -X good-bad ipchains -X dmz-good ipchains -X dmz-bad ipchains -X bad-good #------------------------------------------------------------------------------ # Block all traffic while we build the chains ipchains -A input -j DENY ipchains -A output -j DENY ipchains -A forward -j DENY #------------------------------------------------------------------------------ # Name the chains # eth0 ipchains -N bad-if # eth1 ipchains -N good-if # eth2 ipchains -N dmz-if ipchains -N icmp-acc ipchains -N good-dmz ipchains -N bad-dmz ipchains -N good-bad ipchains -N dmz-good ipchains -N dmz-bad ipchains -N bad-good #------------------------------------------------------------------------------ # Send the system chains into my defined ones # For me, Z = 129, so Z - 1 = 128 ipchains -A input -d A.B.C.D -j bad-if ipchains -A input -d 192.168.1.254 -j good-if ipchains -A input -d W.X.Y.Z -j dmz-if ipchains -A forward -s 192.168.1.0/24 -i eth2 -j good-dmz ipchains -A forward -s 192.168.1.0/24 -i eth0 -j good-bad ipchains -A forward -s W.X.Y.(Z - 1)/28 -i eth0 -j dmz-bad ipchains -A forward -s W.X.Y.(Z - 1)/28 -i eth1 -j dmz-good ipchains -A forward -i eth2 -j bad-dmz ipchains -A forward -i eth1 -j bad-good ipchains -A forward -j DENY -l #------------------------------------------------------------------------------ # bad-if # Allow ssh, www, auth, vnc & masq ipchains -A bad-if --dport 22 -p tcp -i eth0 -j ACCEPT ipchains -A bad-if --dport 80 -p tcp -i eth0 -j ACCEPT ipchains -A bad-if --dport 113 -p tcp -i eth0 -j ACCEPT ipchains -A bad-if --dport 1000:5000 -p tcp -i eth0 -j ACCEPT ipchains -A bad-if --dport 1000:5000 -p udp -i eth0 -j ACCEPT ipchains -A bad-if --dport 5900:5910 -p tcp -i eth0 -j ACCEPT ipchains -A bad-if --dport 61000:65096 -p tcp -i eth0 -j ACCEPT ipchains -A bad-if --dport 61000:65096 -p udp -i eth0 -j ACCEPT ipchains -A bad-if --dport 22 -p tcp -i eth1 -j ACCEPT ipchains -A bad-if --dport 80 -p tcp -i eth1 -j ACCEPT ipchains -A bad-if --dport 113 -p tcp -i eth1 -j ACCEPT ipchains -A bad-if --dport 1000:5000 -p tcp -i eth1 -j ACCEPT ipchains -A bad-if --dport 1000:5000 -p udp -i eth1 -j ACCEPT ipchains -A bad-if --dport 5900:5910 -p tcp -i eth1 -j ACCEPT ipchains -A bad-if --dport 61000:65096 -p tcp -i eth1 -j ACCEPT ipchains -A bad-if --dport 61000:65096 -p udp -i eth1 -j ACCEPT ipchains -A bad-if -i eth1 -j DENY -l ipchains -A bad-if -i eth2 -j DENY -l ipchains -A bad-if -i lo -j ACCEPT ipchains -A bad-if -j icmp-acc ipchains -A bad-if -j DENY -l #------------------------------------------------------------------------------ # dmz-if ipchains -A dmz-if -i eth0 -j DENY -l ipchains -A dmz-if -i eth1 -j DENY -l ipchains -A dmz-if -j ACCEPT #------------------------------------------------------------------------------ # good-if ipchains -A good-if -i eth0 -j DENY -l ipchains -A good-if -i eth2 -j DENY -l ipchains -A good-if -j ACCEPT #------------------------------------------------------------------------------ # good-dmz ipchains -A good-dmz -j ACCEPT #------------------------------------------------------------------------------ # dmz-good ipchains -A dmz-good -j ACCEPT #------------------------------------------------------------------------------ # bad-dmz #DNS ipchains -A bad-dmz -p tcp --dport 53 -j ACCEPT ipchains -A bad-dmz -p udp --dport 53 -j ACCEPT ipchains -A bad-dmz -p tcp --sport 53 -j ACCEPT ipchains -A bad-dmz -p udp --sport 53 -j ACCEPT #FTP ipchains -A bad-dmz -p tcp --dport 20 -j ACCEPT ipchains -A bad-dmz -p udp --dport 20 -j ACCEPT ipchains -A bad-dmz -p tcp --sport 20 -j ACCEPT ipchains -A bad-dmz -p udp --sport 20 -j ACCEPT ipchains -A bad-dmz -p tcp --dport 21 -j ACCEPT ipchains -A bad-dmz -p udp --dport 21 -j ACCEPT ipchains -A bad-dmz -p tcp --sport 21 -j ACCEPT ipchains -A bad-dmz -p udp --sport 21 -j ACCEPT #SSH ipchains -A bad-dmz -p tcp --dport 22 -j ACCEPT ipchains -A bad-dmz -p udp --dport 22 -j ACCEPT ipchains -A bad-dmz -p tcp --dport 1000:2000 -j ACCEPT ipchains -A bad-dmz -p udp --dport 1000:2000 -j ACCEPT #SMTP ipchains -A bad-dmz -p tcp --dport 25 -j ACCEPT ipchains -A bad-dmz -p tcp --sport 25 -j ACCEPT #HTTP ipchains -A bad-dmz -p tcp --dport 80 -j ACCEPT ipchains -A bad-dmz -p udp --dport 80 -j ACCEPT #HTTPS ipchains -A bad-dmz -p tcp --dport 443 -j ACCEPT ipchains -A bad-dmz -p udp --dport 443 -j ACCEPT #NTP ipchains -A bad-dmz -p tcp --dport 123 -j ACCEPT ipchains -A bad-dmz -p udp --dport 123 -j ACCEPT #POP ipchains -A bad-dmz -p tcp --dport 109 -j ACCEPT ipchains -A bad-dmz -p udp --dport 109 -j ACCEPT ipchains -A bad-dmz -p tcp --dport 110 -j ACCEPT ipchains -A bad-dmz -p udp --dport 110 -j ACCEPT ipchains -A bad-dmz -p tcp --dport 995 -j ACCEPT ipchains -A bad-dmz -p udp --dport 995 -j ACCEPT ipchains -A bad-dmz -p tcp --sport 109 -j ACCEPT ipchains -A bad-dmz -p udp --sport 109 -j ACCEPT ipchains -A bad-dmz -p tcp --sport 110 -j ACCEPT ipchains -A bad-dmz -p udp --sport 110 -j ACCEPT ipchains -A bad-dmz -p tcp --sport 995 -j ACCEPT ipchains -A bad-dmz -p udp --sport 995 -j ACCEPT #IMAP ipchains -A bad-dmz -p tcp --dport 143 -j ACCEPT ipchains -A bad-dmz -p udp --dport 143 -j ACCEPT ipchains -A bad-dmz -p tcp --dport 220 -j ACCEPT ipchains -A bad-dmz -p udp --dport 220 -j ACCEPT ipchains -A bad-dmz -p tcp --dport 993 -j ACCEPT ipchains -A bad-dmz -p udp --dport 993 -j ACCEPT ipchains -A bad-dmz -p icmp -j icmp-acc # network noise to ignore ipchains -A bad-dmz -p tcp --dport 137:139 -j DENY ipchains -A bad-dmz -p udp --dport 137:139 -j DENY ipchains -A bad-dmz -p tcp --dport 67:68 -j DENY ipchains -A bad-dmz -p udp --dport 67:68 -j DENY ipchains -A bad-dmz -p tcp --dport 7 -j DENY ipchains -A bad-dmz -p udp --dport 7 -j DENY ipchains -A bad-dmz -j DENY -l #------------------------------------------------------------------------------ # good-bad ipchains -A good-bad -j MASQ #------------------------------------------------------------------------------ # dmz-good ipchains -A dmz-good -j ACCEPT #------------------------------------------------------------------------------ # dmz-bad #DNS ipchains -A dmz-bad -p tcp --dport 53 -j ACCEPT ipchains -A dmz-bad -p udp --dport 53 -j ACCEPT ipchains -A dmz-bad -p tcp --sport 53 -j ACCEPT ipchains -A dmz-bad -p udp --sport 53 -j ACCEPT #FTP ipchains -A dmz-bad -p tcp --dport 20 -j ACCEPT ipchains -A dmz-bad -p udp --dport 20 -j ACCEPT ipchains -A dmz-bad -p tcp --sport 20 -j ACCEPT ipchains -A dmz-bad -p udp --sport 20 -j ACCEPT ipchains -A dmz-bad -p tcp --dport 21 -j ACCEPT ipchains -A dmz-bad -p udp --dport 21 -j ACCEPT ipchains -A dmz-bad -p tcp --sport 21 -j ACCEPT ipchains -A dmz-bad -p udp --sport 21 -j ACCEPT #SSH ipchains -A dmz-bad -p tcp --dport 22 -j ACCEPT ipchains -A dmz-bad -p udp --dport 22 -j ACCEPT ipchains -A dmz-bad -p tcp --dport 1000:2000 -j ACCEPT ipchains -A dmz-bad -p udp --dport 1000:2000 -j ACCEPT #SMTP ipchains -A dmz-bad -p tcp --dport 25 -j ACCEPT ipchains -A dmz-bad -p tcp --sport 25 -j ACCEPT #HTTP ipchains -A dmz-bad -p tcp --dport 80 -j ACCEPT ipchains -A dmz-bad -p udp --dport 80 -j ACCEPT ipchains -A dmz-bad -p tcp --sport 80 -j ACCEPT ipchains -A dmz-bad -p udp --sport 80 -j ACCEPT #HTTPS ipchains -A dmz-bad -p tcp --dport 443 -j ACCEPT ipchains -A dmz-bad -p udp --dport 443 -j ACCEPT ipchains -A dmz-bad -p tcp --sport 443 -j ACCEPT ipchains -A dmz-bad -p udp --sport 443 -j ACCEPT #NTP ipchains -A dmz-bad -p tcp --dport 123 -j ACCEPT ipchains -A dmz-bad -p udp --dport 123 -j ACCEPT #AUTH ipchains -A dmz-bad -p tcp --dport 113 -j ACCEPT ipchains -A dmz-bad -p tcp --sport 113 -j ACCEPT #AUTH ipchains -A dmz-bad -p tcp --dport 113 -j ACCEPT ipchains -A dmz-bad -p tcp --sport 113 -j ACCEPT #POP ipchains -A dmz-bad -p tcp --dport 109 -j ACCEPT ipchains -A dmz-bad -p udp --dport 109 -j ACCEPT ipchains -A dmz-bad -p tcp --dport 110 -j ACCEPT ipchains -A dmz-bad -p udp --dport 110 -j ACCEPT ipchains -A dmz-bad -p tcp --dport 995 -j ACCEPT ipchains -A dmz-bad -p udp --dport 995 -j ACCEPT ipchains -A dmz-bad -p tcp --sport 109 -j ACCEPT ipchains -A dmz-bad -p udp --sport 109 -j ACCEPT ipchains -A dmz-bad -p tcp --sport 110 -j ACCEPT ipchains -A dmz-bad -p udp --sport 110 -j ACCEPT ipchains -A dmz-bad -p tcp --sport 995 -j ACCEPT ipchains -A dmz-bad -p udp --sport 995 -j ACCEPT #IMAP ipchains -A dmz-bad -p tcp --dport 143 -j ACCEPT ipchains -A dmz-bad -p udp --dport 143 -j ACCEPT ipchains -A dmz-bad -p tcp --dport 220 -j ACCEPT ipchains -A dmz-bad -p udp --dport 220 -j ACCEPT ipchains -A dmz-bad -p tcp --dport 993 -j ACCEPT ipchains -A dmz-bad -p udp --dport 993 -j ACCEPT # network noise to ignore ipchains -A dmz-bad -p tcp --dport 137:139 -j DENY ipchains -A dmz-bad -p udp --dport 137:139 -j DENY ipchains -A dmz-bad -p tcp --dport 67:68 -j DENY ipchains -A dmz-bad -p udp --dport 67:68 -j DENY ipchains -A dmz-bad -p tcp --dport 7 -j DENY ipchains -A dmz-bad -p udp --dport 7 -j DENY ipchains -A dmz-bad -p icmp -j icmp-acc ipchains -A dmz-bad -j DENY -l #------------------------------------------------------------------------------ # bad-good ipchains -A bad-good -j REJECT #------------------------------------------------------------------------------ # ICMP chain # Allow certain ICMP types ipchains -A icmp-acc -p icmp --icmp-type destination-unreachable -j ACCEPT ipchains -A icmp-acc -p icmp --icmp-type source-quench -j ACCEPT ipchains -A icmp-acc -p icmp --icmp-type time-exceeded -j ACCEPT ipchains -A icmp-acc -p icmp --icmp-type parameter-problem -j ACCEPT ipchains -A icmp-acc -p icmp --icmp-type ping -j ACCEPT ipchains -A icmp-acc -p icmp --icmp-type echo-request -j ACCEPT ipchains -A icmp-acc -p icmp --icmp-type echo-reply -j ACCEPT ipchains -A icmp-acc -p icmp -j DENY -l #------------------------------------------------------------------------------ # Removing the blocking rules ipchains -D input 1 ipchains -D output 1 ipchains -D forward 1 #------------------------------------------------------------------------------