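#!/bin/bash
#
# rc.Sans.Firewall -- simple single-NIC ipchains host firewall.
#
# Original version
# ----------------
#   http://www.Linux-Sec.net/Firewalls/Scripts/rc.1nic.Sans.firewall.sh.txt
#   http://rr.sans.org/firewall/packet_filter.php
#   http://rr.sans.org/firewall/blocking_ipchains.php
# "2-" items were merged from
#   http://www.linuxdoc.org/HOWTO/IPCHAINS-HOWTO-7.html
#   http://www.linuxdoc.org/HOWTO/Firewall-HOWTO-8.html
#
# 06-May-02 amo  Date-of-birth: simple firewall
#
# Design note: the input/output/forward chains keep a default policy of
# ACCEPT and the script appends explicit, logged DENY/REJECT rules for
# known-bad sources and for services this host should neither offer nor
# use (a deny-list). Anything not listed here is allowed, so review the
# lists against what the host actually runs. ipchains matches the first
# rule that applies, so the few ACCEPT rules (DNS) must stay after the
# DENY rules they carve an exception out of and before any broader DENY.
#
# Site-specific values are read from the environment so the rule set
# itself needs no editing:
#   EXT_IF          external interface                   (default eth0)
#   INTERNAL_NET    internal network, CIDR form           (required)
#   LOCAL_NET       network whose outgoing ICMP errors are dropped
#                   (defaults to INTERNAL_NET; the original template
#                   used two separate placeholders)
#   INT_DNS         internal master name server          (default 192.168.0.1/32)
#   EXT_DNS_SLAVE   external slave name server           (default 192.168.1.1/32)
#   INT_MAIL        internal mail server                 (default 192.168.0.1/32)
#   EXT_MAIL_RELAY  external mail relay                  (default 192.168.1.1/32)
#
# NOTE(review): the INT_*/EXT_* defaults are the example addresses from
# the original text. They are RFC1918 addresses, and the ingress filters
# below deny 192.168.0.0/16 on $EXT_IF with -b (mirrored rule), so with
# the defaults the DNS/SMTP rules are never reached for real traffic.
# Set them to the site's actual addresses.

NAM="rc.Sans.Firewall"

EXT_IF="${EXT_IF:-eth0}"
INTERNAL_NET="${INTERNAL_NET:?set INTERNAL_NET to the internal network in CIDR form, e.g. <internal-net>/24}"
LOCAL_NET="${LOCAL_NET:-$INTERNAL_NET}"
INT_DNS="${INT_DNS:-192.168.0.1/32}"
EXT_DNS_SLAVE="${EXT_DNS_SLAVE:-192.168.1.1/32}"
INT_MAIL="${INT_MAIL:-192.168.0.1/32}"
EXT_MAIL_RELAY="${EXT_MAIL_RELAY:-192.168.1.1/32}"
ANY=0.0.0.0/0
readonly NAM EXT_IF INTERNAL_NET LOCAL_NET INT_DNS EXT_DNS_SLAVE INT_MAIL EXT_MAIL_RELAY ANY

#######################################
# Print a diagnostic to stderr and exit non-zero.
# Arguments: message words
#######################################
die() {
  printf '%s: %s\n' "$NAM" "$*" >&2
  exit 1
}

#######################################
# Write a value into each /proc sysctl path given.
# A missing or read-only path is reported and skipped rather than
# aborting the script: some knobs (ip_always_defrag) exist only on
# some kernel versions, and the rules below should still be loaded.
# Arguments: $1 - value to write; $2.. - /proc paths (globs allowed)
#######################################
proc_set() {
  local value=$1 path
  shift
  for path in "$@"; do
    if [[ -w "$path" ]]; then
      echo "$value" > "$path"
    else
      printf '%s: %s not present or not writable, skipped\n' "$NAM" "$path" >&2
    fi
  done
}

#######################################
# Log-and-deny helpers for the common rule shape
# "any source, any destination, one port or range, on $EXT_IF".
# Arguments: $1 - protocol (tcp/udp); $2 - port or low:high range
#######################################
deny_in() {
  ipchains -A input -i "$EXT_IF" -p "$1" -s "$ANY" -d "$ANY" "$2" -l -j DENY
}

deny_out() {
  ipchains -A output -i "$EXT_IF" -p "$1" -s "$ANY" -d "$ANY" "$2" -l -j DENY
}

deny_both() {
  deny_in "$1" "$2"
  deny_out "$1" "$2"
}

# Same as deny_in, but only for packets addressed to the internal network.
deny_in_internal() {
  ipchains -A input -i "$EXT_IF" -p "$1" -s "$ANY" -d "$INTERNAL_NET" "$2" -l -j DENY
}

#######################################
# Flush every rule and user-defined chain and return the three builtin
# chains to the ACCEPT policy the deny-list is built on.
#######################################
reset_chains() {
  local chain
  ipchains -F    # 2- remove all existing rules
  ipchains -X    # 2- remove all user-defined chains
  for chain in input output forward; do
    ipchains -F "$chain"
    ipchains -P "$chain" ACCEPT
  done
}

#######################################
# Kernel-side hardening via /proc/sys/net/ipv4.
#######################################
harden_kernel() {
  local conf=/proc/sys/net/ipv4/conf
  # TCP SYN cookie protection.
  proc_set 1 /proc/sys/net/ipv4/tcp_syncookies
  # 2- Reassemble all fragments before filtering.
  proc_set 1 /proc/sys/net/ipv4/ip_always_defrag
  # 2- Do not answer pings sent to broadcast addresses (smurf amplification).
  proc_set 1 /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
  # Source-address verification (IP spoofing protection).
  proc_set 1 "$conf"/*/rp_filter
  # 2- Neither accept nor send ICMP redirects.
  proc_set 0 "$conf"/*/accept_redirects
  proc_set 0 "$conf"/*/send_redirects
  # Refuse source-routed packets (lsrr loose / ssrr strict source routing).
  # The glob already covers conf/all and conf/default; source routing can
  # also be compiled out with the kernel option CONFIG_IP_NOSR=y.
  proc_set 0 "$conf"/*/accept_source_route
  # 2- Log martians: spoofed, source-routed and redirect packets.
  proc_set 1 "$conf"/*/log_martians
  # 2- Local port range used by passive listeners (ftp ...).
  proc_set "56000 60999" /proc/sys/net/ipv4/ip_local_port_range
}

#######################################
# Ingress filters: standard unroutables, private (RFC1918) and reserved
# sources, and anything arriving from outside claiming an internal source.
# -b inserts the mirrored rule as well, so these ranges are also refused
# as destinations on $EXT_IF.
#######################################
ingress_filters() {
  local net
  for net in 255.255.255.255/32 127.0.0.0/8 \
             10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 \
             240.0.0.0/5; do
    ipchains -A input -i "$EXT_IF" -s "$net" -b -j DENY
  done
  # Anti-spoofing for the internal network. The original wrote
  # "-j -l DENY"; -j takes the target as its argument, so -l must come first.
  ipchains -A input -i "$EXT_IF" -s "$INTERNAL_NET" -l -j DENY
}

#######################################
# Login services: telnet, SSH, FTP and the r-services, both directions.
#######################################
login_filters() {
  deny_both tcp 23
  deny_in_internal tcp 23   # kept from the original; already covered by the line above
  deny_both tcp 22
  deny_both tcp 21
  deny_both tcp 512:514     # rexec/rlogin/rsh
  deny_both udp 513         # rwho
}

#######################################
# Windows NT 4.0 / Windows 2000 NetBIOS and SMB, both directions.
# The original listed these in three places with slightly different
# port sets; this is the union (udp/445 inbound added for symmetry).
#######################################
netbios_filters() {
  deny_both tcp 135:139
  deny_both udp 137:138
  deny_both tcp 445
  deny_both udp 445
}

#######################################
# NFS and its helpers: portmap/rpcbind, nfsd (default port), lockd.
#######################################
nfs_filters() {
  deny_in tcp 111
  deny_in udp 111
  deny_in tcp 2049
  deny_in udp 2049
  deny_in udp 4045
}

#######################################
# X11 session establishment. Outgoing is REJECTed so the local client
# fails promptly; incoming is silently DENYed, as in the original.
#######################################
x11_filters() {
  ipchains -A output -i "$EXT_IF" -p tcp -s "$INTERNAL_NET" -d "$ANY" 6000:6255 -l -j REJECT
  ipchains -A input -i "$EXT_IF" -p tcp -s "$ANY" -d "$INTERNAL_NET" 6000:6255 -l -j DENY
}

#######################################
# DNS: only the internal master may receive queries or answer from port
# 53; zone transfers only between master and the external slave. LDAP
# is not offered at all.
#######################################
dns_filters() {
  ipchains -A input -i "$EXT_IF" -p udp -s "$ANY" -d ! "$INT_DNS" 53 -l -j DENY
  ipchains -A output -i "$EXT_IF" -p udp -s ! "$INT_DNS" 53 -d "$ANY" -l -j DENY
  # The master's own outgoing queries and their replies. The original
  # reply rule used -s 0.0.0.0/32 (a single address, never a real server);
  # /0 is needed to match replies from any name server.
  ipchains -A output -i "$EXT_IF" -p udp -s "$INT_DNS" 1024:65535 -d "$ANY" 53 -j ACCEPT
  ipchains -A input -i "$EXT_IF" -p udp -s "$ANY" 53 -d "$INT_DNS" 1024:65535 -j ACCEPT
  # Zone transfers (tcp/53): slave -> master in, master -> slave out.
  # "Except from A to B" needs two rules per direction: a single
  # "-s ! A -d ! B" only matches packets that are neither from A nor to B,
  # so it lets A talk to anyone and anyone talk to B. The original
  # outgoing rule also said udp; transfers use tcp and udp/53 from
  # non-masters is already denied above.
  ipchains -A input -i "$EXT_IF" -p tcp -s "$ANY" -d ! "$INT_DNS" 53 -l -j DENY
  ipchains -A input -i "$EXT_IF" -p tcp -s ! "$EXT_DNS_SLAVE" -d "$INT_DNS" 53 -l -j DENY
  ipchains -A output -i "$EXT_IF" -p tcp -s ! "$INT_DNS" 53 -d "$ANY" -l -j DENY
  ipchains -A output -i "$EXT_IF" -p tcp -s "$INT_DNS" 53 -d ! "$EXT_DNS_SLAVE" -l -j DENY
  deny_in tcp 389
  deny_in udp 389
}

#######################################
# Mail: SMTP in only relay -> mail server, SMTP out only mail server ->
# relay (same two-rule pattern as the zone-transfer rules). POP and IMAP
# are not offered.
#######################################
mail_filters() {
  ipchains -A input -i "$EXT_IF" -p tcp -s "$ANY" -d ! "$INT_MAIL" 25 -l -j DENY
  ipchains -A input -i "$EXT_IF" -p tcp -s ! "$EXT_MAIL_RELAY" -d "$INT_MAIL" 25 -l -j DENY
  ipchains -A output -i "$EXT_IF" -p tcp -s ! "$INT_MAIL" 25 -d "$ANY" -l -j DENY
  ipchains -A output -i "$EXT_IF" -p tcp -s "$INT_MAIL" 25 -d ! "$EXT_MAIL_RELAY" -l -j DENY
  # The original wrote the destination as 0.0.0.0.0/0 (five octets), which
  # ipchains rejects, so these two rules were never loaded.
  deny_in tcp 109:110
  deny_in tcp 143
}

#######################################
# No HTTP/HTTPS servers, on the standard or the usual alternate ports.
#######################################
web_filters() {
  local port
  for port in 80 443 8000 8080 8888 81; do
    deny_in_internal tcp "$port"
  done
}

#######################################
# Small services: tcp ports below 20, inbound by destination port and
# outbound by source port.
#######################################
small_services() {
  deny_in tcp 0:19
  ipchains -A output -i "$EXT_IF" -p tcp -s "$ANY" 0:19 -d "$ANY" -l -j DENY
}

#######################################
# Miscellaneous services this host does not offer.
#######################################
misc_filters() {
  deny_in udp 69        # tftp
  deny_in tcp 79        # finger
  deny_in tcp 119       # nntp
  # NOTE(review): NTP runs over udp/123, so this tcp rule (kept from the
  # original) does not block it. A udp/123 deny is not added here because
  # it would also drop replies to a local ntpd, which sends from port 123;
  # confirm what this host needs before tightening.
  deny_in tcp 123
  deny_in tcp 515       # lpd
  deny_in udp 514       # syslog
  deny_in tcp 161:162   # snmp / snmp-trap
  deny_in udp 161:162
  deny_in tcp 179       # bgp
  deny_in tcp 1080      # socks
}

#######################################
# ICMP: no echo requests in, no echo replies out, and no time-exceeded
# or unreachable messages leaving the local network.
# For -p icmp ipchains reads the ICMP type from the source-port slot and
# the ICMP code from the destination-port slot. The original put 8 in the
# destination slot, which matches code 8, not echo-request (type 8).
#######################################
icmp_filters() {
  ipchains -A input -i "$EXT_IF" -p icmp -s "$ANY" 8 -d "$ANY" -l -j DENY
  ipchains -A output -i "$EXT_IF" -p icmp -s "$ANY" 0 -d "$ANY" -l -j DENY
  ipchains -A output -i "$EXT_IF" -p icmp -s "$LOCAL_NET" 11 -d "$ANY" -l -j DENY
  ipchains -A output -i "$EXT_IF" -p icmp -s "$LOCAL_NET" 3 -d "$ANY" -l -j DENY
}

#######################################
# Entry point: reset, harden the kernel, then load the deny-list in the
# original section order.
#######################################
main() {
  command -v ipchains >/dev/null 2>&1 || die "ipchains not found in PATH"
  printf 'Starting %s.....\n' "$NAM"
  reset_chains
  harden_kernel
  ingress_filters
  login_filters
  netbios_filters
  nfs_filters
  x11_filters
  dns_filters
  mail_filters
  web_filters
  small_services
  misc_filters
  icmp_filters
}

main "$@"
# end of file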