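#!/bin/sh
#
# Latest Version
# --------------
# http://www.Linux-Sec.net/Firewalls/Scripts/rc.simple2.firewall
#
#
# rc.firewall - Initial SIMPLE IP Masquerade test for 2.1.x and 2.2.x kernels
#               using IPCHAINS
#
# Purpose:  turn a two-interface Linux box (external interface + private LAN)
#           into a simple masquerading (NAT) gateway, after applying a set of
#           kernel hardening settings (rp_filter, syn-cookies, no ICMP
#           redirects, no source routing, martian logging).
#
# Usage:    run as root at boot (e.g. from /etc/rc.d), no arguments.
#           The interface names and LAN address live in the "Interfaces"
#           section below and must match this host.
#
#
# http://www.linuxheadquarters.com/howto/networking/ipchains.shtml
# http://www.linuxdoc.org/HOWTO/IPCHAINS-HOWTO-7.html
# http://www.linuxdoc.org/HOWTO/Firewall-HOWTO-8.html
# http://www.linux-firewall-tools.com/ftp/firewall/rc.firewall.ipchains -- good example
#
#
# To Save and Restore the ipchains rules
# --------------------------------------
# ipchains-save > /etc/rc.d/rc.ipchains.txt
# ipchains-restore < /etc/rc.d/rc.ipchains.txt
#
#
# View the Rules:
# --------------
# ipchains -n -L
#
# iptables -t nat -L -n
#
#
# Flush/Clear the Rules
# ----------------------
# ipchains --flush
# ipchains -F    # Remove all existing rules belonging to this filter
# ipchains -X    # Clearing all current rules and user defined chains
#
# ipchains Options
# ----------------
# -N  Create a new chain
# -X  Delete an empty chain
# -P  Change the policy for a built-in chain
# -L  List the rules in a chain
# -F  Flush the rules out of a chain
# -Z  Zero the packet and byte counters on all rules in a chain
#
# -A  Append a new rule to a chain
# -I  Insert a new rule at some position in a chain
# -R  Replace a rule at some position in a chain
# -D  Delete a rule at some position in a chain
#     Delete the first rule that matches in a chain
#
# -M -L  List the currently masqueraded connections
# -M -S  Set masquerading timeout values
#
#
# chmod 700 /etc/rc.d/rc.firewall
# 08-Mar-00 amo Copied from: http://www.linuxdoc.org/HOWTO/IP-Masquerade-HOWTO-3.html#ss3.1
# 27-Feb-02 amo Modified for NATing
# 27-Jun-04 amo Renamed rc.simple2.firewall to rc.ipchain.simple2.firewall
#
#
# Load all required IP MASQ modules
#
# NOTE: Only load the IP MASQ modules you need.  All current IP MASQ modules
#       are shown below but are commented out from loading.

# Needed to initially load modules
#
/sbin/depmod -a

# Supports the proper masquerading of FTP file transfers using the PORT method
#
/sbin/modprobe ip_masq_ftp

# Supports the masquerading of RealAudio over UDP.  Without this module,
# RealAudio WILL function but in TCP mode.  This can cause a reduction
# in sound quality
#
#/sbin/modprobe ip_masq_raudio

# Supports the masquerading of IRC DCC file transfers
#
#/sbin/modprobe ip_masq_irc

# Supports the masquerading of Quake and QuakeWorld by default.  This module is
# for multiple users behind the Linux MASQ server.  If you are going to play
# Quake I, II, and III, use the second example.
#
#   NOTE:  If you get ERRORs loading the QUAKE module, you are running an old
#   -----  kernel that has bugs in it.  Please upgrade to the newest kernel.
#
#Quake I / QuakeWorld (ports 26000 and 27000)
#/sbin/modprobe ip_masq_quake
#
#Quake I/II/III / QuakeWorld (ports 26000, 27000, 27910, 27960)
#/sbin/modprobe ip_masq_quake 26000,27000,27910,27960

# Supports the masquerading of the CuSeeme video conferencing software
#
#/sbin/modprobe ip_masq_cuseeme

#Supports the masquerading of the VDO-live video conferencing software
#
#/sbin/modprobe ip_masq_vdolive

#CRITICAL:  Enable IP forwarding since it is disabled by default.
#
#           Redhat Users:  you may try changing the options in
#                          /etc/sysconfig/network from:
#
#                       FORWARD_IPV4=false
#                             to
#                       FORWARD_IPV4=true
#
echo "1" > /proc/sys/net/ipv4/ip_forward

# Dynamic IP users:
#
#   If you get your IP address dynamically from SLIP, PPP, or DHCP, enable the
#   following option.  This enables dynamic-ip address hacking in IP MASQ,
#   making life with Diald and similar programs much easier.
#
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr

#
# Enable syn-cookies protection (syn-flooding attacks)
#
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

#
# Defrag all packets
# (fragments are reassembled before filtering, so the "-f" fragment rule
# further down should not normally see any)
#
echo 1 > /proc/sys/net/ipv4/ip_always_defrag

#
# Turn off ping-responses to broadcasts ( prevent smurffing victims )
#
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

#
# http://www.linuxdoc.org/HOWTO/IPCHAINS-HOWTO-7.html
#
# Since we don't have any asymmetric routing, we can simply turn on
# anti-spoofing for all interfaces.
# Enable Egress filtering (anti-spoofing measure)
# ( turn on Source Address Verification )
#
# The per-interface loops below skip a non-matching glob so an unexpected
# /proc layout produces no write to a literal "*" path.
#
for f in /proc/sys/net/ipv4/conf/*/rp_filter
do
  [ -f "$f" ] || continue
  echo 1 > "$f"
  # echo 2 > "$f"
done

#
# Disable ICMP Redirect Acceptance
#
for f in /proc/sys/net/ipv4/conf/*/accept_redirects
do
  [ -f "$f" ] || continue
  echo 0 > "$f"
done

for f in /proc/sys/net/ipv4/conf/*/send_redirects
do
  [ -f "$f" ] || continue
  echo 0 > "$f"
done

#
# Drop all source-routed packets
#
for f in /proc/sys/net/ipv4/conf/*/accept_source_route
do
  [ -f "$f" ] || continue
  echo 0 > "$f"
done

#
# Log Spoofed Packets, Source Routed Packets, Redirect Packets
#
for f in /proc/sys/net/ipv4/conf/*/log_martians
do
  [ -f "$f" ] || continue
  echo 1 > "$f"
done

#
# Set local port range for listeners (ftp ...)
#
echo "56000 60999" >/proc/sys/net/ipv4/ip_local_port_range

#
# ================
# Clear everything
# ================
#
# Remove all existing rules belonging to this filter
/sbin/ipchains -F
# Clearing all current rules and user defined chains
/sbin/ipchains -X

#
# Interfaces
# ===========
# Site-specific: adjust to match this host.  The rules below refer to these
# names instead of hard-coded interfaces / addresses.
#
LOOPBACK_INTERFACE="lo"
LOOPBACK="127.0.0.0/8"
#
EXTERNAL_INTERFACE="eth0"
#
LAN_INTERFACE_1="eth1"
LAN_1="192.168.1.0/24"

#
# First Unconditionally Deny Everything
# ======================================
#
# NOTE(review): this section used to hold
#   ipchains -A input -i -j DENY
#   ipchains -A output -i -j DENY
#   ipchains -A forward -j DENY
# "-i" had no interface argument, so ipchains rejected the commands and no
# rule was ever installed.  They are removed rather than repaired: a DENY rule
# *appended* before the ACCEPT rules below is matched first and would have
# blocked everything, loopback and LAN included.  In ipchains "deny by default"
# is a chain policy (-P).  The forward chain gets that policy further down; the
# input/output policies stay commented out because they would also need ACCEPT
# rules for the masqueraded replies arriving on $EXTERNAL_INTERFACE, which this
# script does not define.
#
# Flush everything (already done for all chains by -F / -X above)
#
# ipchains -F input
# ipchains -F output
# ipchains -F forward
#
# Set the default policy to deny
#
# ipchains -P input DENY
# ipchains -P output REJECT
# ipchains -P forward REJECT

#
# MASQ timeouts
#
#   2 hrs   timeout for TCP session timeouts
#   10 sec  timeout for traffic after the TCP/IP "FIN" packet is received
#   160 sec timeout for UDP traffic (Important for MASQ'ed ICQ users)
#
/sbin/ipchains -M -S 7200 10 160

#
# Disallow Fragmented Packets
#
/sbin/ipchains -A input -f -i "$EXTERNAL_INTERFACE" -j DENY

# ----------------------------------------------------------------------------
# LOOPBACK
#
# Unlimited traffic on the loopback interface.
# ($LOOPBACK_INTERFACE was never defined in the original script, so these two
#  rules failed to install; it is now set in the "Interfaces" section.)
#
/sbin/ipchains -A input  -i "$LOOPBACK_INTERFACE" -j ACCEPT
/sbin/ipchains -A output -i "$LOOPBACK_INTERFACE" -j ACCEPT

#
# Unlimited traffic within the local network.
#
/sbin/ipchains -A input  -i "$LAN_INTERFACE_1" -s "$LAN_1" -j ACCEPT
/sbin/ipchains -A output -i "$LAN_INTERFACE_1" -d "$LAN_1" -j ACCEPT

#
# DHCP: For people who receive their external IP address from either DHCP or
# BOOTP such as ADSL or Cablemodem users, it is necessary to use the following
# before the deny command.  The "bootp_clients_net_if_name" should be replaced
# with the name of the link that the DHCP/BOOTP server will put an address on.
# This will be something like "eth0", "eth1", etc.
#
# This example is currently commented out.
#
#/sbin/ipchains -A input -j ACCEPT -i bootp_clients_net_if_name -s 0/0 67 -d 0/0 68 -p udp

#
# Refuse packets from the banned list
#
# rc.firewall.blocked is sourced, i.e. executed with this script's (root)
# privileges: keep it root-owned and writable by nobody else, like this file
# (chmod 700, see header).
#
if [ -f /etc/rc.d/rc.firewall.blocked ]; then
  . /etc/rc.d/rc.firewall.blocked
fi

# -------------------------------------------------------------------------------------
# EXAMPLE 0.  Allow everything out
# --------------------------------
#
# Define the timeouts
#
# NOTE(review): the masquerading timeouts are already set once above
# (-M -S 7200 10 160).  A second call here with a different UDP timeout (60)
# silently overrode that value, so it is left commented out.
# /sbin/ipchains -M -S 7200 10 60
#
#
# Enable simple IP forwarding and Masquerading
#
# Default policy for the forward chain: only the MASQ rule below lets traffic
# cross the box.
/sbin/ipchains -P forward DENY
#
#
# Deny Netbios chit-chat on ports 137 thru 139
#
# ipchains -A forward -i eth0 -p tcp -s 0/0 137:139 -j DENY
# ipchains -A forward -i eth0 -p udp -s 0/0 137:139 -j DENY
#
#
# Masquerade all outgoing traffic from the LAN
#
/sbin/ipchains -A forward -s "$LAN_1" -j MASQ
#
# Same rule, restricted to packets leaving through the external interface:
# ipchains -A forward -i $EXTERNAL_INTERFACE -s $LAN_1 -j MASQ

# -------------------------------------------------------------------------------------
# EXAMPLE 1.  Create a New chain called "my-fw"
# --------------------------------------------
# http://www.linuxdoc.org/HOWTO/Firewall-HOWTO-8.html
#
# (typos in the original example fixed: chain name "my-gw" -> "my-fw",
#  "1024:-j" -> "1024: -j")
#
# ipchains -N my-fw
#
# Allow email to get to our smtp server
# ipchains -A my-fw -s 0.0.0.0/0 smtp -d 192.168.1.smtp 1024: -j ACCEPT
#
# Allow email connections to outside email servers
# ipchains -A my-fw -s 192.168.1.smtp -d 0.0.0.0/0 smtp -j ACCEPT
#
# Allow Web connections to our Web Server
# ipchains -A my-fw -s 0.0.0.0/0 www -d 192.168.1.www 1024: -j ACCEPT
#
# Allow Web connections to outside Web Server
# ipchains -A my-fw -s 192.168.1.0/24 1024: -d 0.0.0.0/0 www -j ACCEPT
#
# Allow DNS traffic
# ipchains -A my-fw -p UDP -s 0.0.0.0/0 dns -d 192.168.1.0/24 -j ACCEPT
#
# Masquerade all internal IP's going outside
# ipchains -A forward -s 192.168.1.0/24 -d 0.0.0.0/0 -j MASQ
#
# Deny everything else.  User-defined chains have no policy (-P applies to the
# built-in chains only, so the original "ipchains -P my-chain input DENY" is
# not valid), so the catch-all is a final rule; the chain also has to be
# reached from a built-in chain to have any effect:
# ipchains -A my-fw -j DENY
# ipchains -A input -j my-fw

# -------------------------------------------------------------------------------------
# EXAMPLE 2.  Another way
# ------------------------
#
# These per-service ACCEPT rules only restrict anything when the input
# policy is DENY (see "Set the default policy to deny" above).
#
# Allow DNS to the DNS server
# ---------------------------
# ipchains -A input -p tcp -d 192.168.1.dns 53 -j ACCEPT
# ipchains -A input -p udp -d 192.168.1.dns 53 -j ACCEPT
#
#
# Allow http to the web server
# ----------------------------
# ipchains -A input -p tcp -d 192.168.1.www 80 -j ACCEPT
# ipchains -A input -p tcp -d 192.168.1.www 443 -j ACCEPT
#
#
# Redirect for HTTP Transparent Proxy
# -----------------------------------
# ipchains -A input -p tcp -s 192.168.1.0/24 -d 0.0.0.0/0 80 -j REDIRECT 8080
#
#
# Allow smtp to the mail server
# -----------------------------
# ipchains -A input -p tcp -d 192.168.1.smtp 25 -j ACCEPT
#
#
# Allow ssh to the ssh/gw server
# ------------------------------
# ipchains -A input -p tcp -s 192.168.1.0/24 -d 192.168.1.ssh 22 -j ACCEPT
# ipchains -A input -p udp -s 192.168.1.0/24 -d 192.168.1.ssh 22 -j ACCEPT
#
#
# DENY more stuff ??
#
# ipchains -A input -p tcp -d 192.168.1.30 -j DENY
# ipchains -A input -p icmp --icmp 0 -j DENY
# ipchains -A input -p icmp --icmp 8 -j DENY
#
#
# --------------------------------------------------------------------
#
# Now Log anything else
# ----------------------
# ipchains -A input --log
#
#
# end of file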