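#!/bin/sh
#
# Example IPChains rules posted to the firewalls list.
#
# Date: Wed, 25 Apr 2001 14:29:48 +0500 (PKT)
# From: mirza sahib
# cc: firewalls@Lists.GNAC.NET
#
# DISCLAIMER: Comments stated herein may have no basis.
#
# a) read the IPCHAINS-HOWTO
# b) get bastille or some other automated script
# c) follow the KISS principle
# d) figure out what you want to allow, and what you want to deny
#
# Topology assumed by the rules below: eth0 faces the 10.0.0.0/24 LAN,
# ppp+ is the untrusted upstream link, and this box masquerades the LAN.
#
# NOTE(review): ipchains is stateless and long obsolete (2.2-era kernels);
# on anything newer, express the same policy with iptables/nftables
# connection tracking instead of the "! -y" (non-SYN) heuristic used here.
#
# The script fails closed: default policies are set to DENY before any
# rule is loaded, and "set -e" aborts on the first failed command, which
# leaves the temporary DENY blocks in place instead of removing them on
# top of a half-loaded rule set.

set -e

# stop IP spoofing (reverse-path filtering on every interface)
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
  [ -f "$f" ] || continue   # an unmatched glob stays literal under sh
  echo 1 > "$f"
done

# default DENY ALL policy
/sbin/ipchains -P input DENY
/sbin/ipchains -P forward DENY
/sbin/ipchains -P output DENY

# Flush and remove any existing chains
/sbin/ipchains -F
/sbin/ipchains -X

# Insert blocks to protect while the chains are implemented
/sbin/ipchains -I input -i ! lo -j DENY
/sbin/ipchains -I forward -i ! lo -j DENY
/sbin/ipchains -I output -i ! lo -j DENY

# Accept local packets
/sbin/ipchains -A input -i lo -j ACCEPT

# Redirect transparent proxy for squid (optional).
# Must precede the general eth0 ACCEPT below, or it never matches.
/sbin/ipchains -A input -p tcp -i eth0 -s 10.0.0.0/24 -d ! 10.0.0.0/24 80 \
  -j REDIRECT 3128

# Accept traffic from eth0 (only with a LAN source address)
/sbin/ipchains -A input -i eth0 -s 10.0.0.0/24 -d 0/0 -j ACCEPT

# ICMP rules: error/control messages only.  echo-request is not accepted,
# so with the DENY policy the box is not pingable from the ppp side.
# NOTE(review): echo-reply is not accepted either; if pings originating
# from this host or the LAN get no answer, this is why -- confirm before
# adding it.
/sbin/ipchains -A input -i ppp+ -p icmp -s ! 10.0.0.0/24 destination-unreachable -j ACCEPT
/sbin/ipchains -A input -i ppp+ -p icmp -s ! 10.0.0.0/24 source-quench -j ACCEPT
/sbin/ipchains -A input -i ppp+ -p icmp -s ! 10.0.0.0/24 time-exceeded -j ACCEPT
/sbin/ipchains -A input -i ppp+ -p icmp -s ! 10.0.0.0/24 parameter-problem \
  -j ACCEPT

# DNS replies (allow both tcp AND udp).
# The original rules accepted *anything* with source port 53 to *any*
# destination port: a remote attacker only has to bind source port 53 to
# reach every UDP service, or to SYN every TCP port, straight past the
# firewall.  Replies to our resolver (and to masqueraded clients) should
# only arrive on unprivileged ports, so restrict the destination range and
# require the TCP side to be a non-SYN packet.  A DNS *server* on this box
# needs its own explicit "-d <addr> 53" rule instead.
/sbin/ipchains -A input -i ppp+ -p udp -s ! 10.0.0.0/24 53 \
  -d 0/0 1024:65535 -j ACCEPT
/sbin/ipchains -A input -i ppp+ -p tcp ! -y -s ! 10.0.0.0/24 53 \
  -d 0/0 1024:65535 -j ACCEPT

# Allows traffic for initiated connections: any TCP packet without SYN
# (i.e. not a new connection).  This is the stateless ipchains
# approximation of "ESTABLISHED"; note it also lets ACK/FIN scans through.
/sbin/ipchains -A input -i ppp+ -p tcp ! -y -s ! 10.0.0.0/24 -j ACCEPT

# NAT: masquerade LAN -> anywhere that is not the LAN
/sbin/ipchains -A forward -s 10.0.0.0/24 -d ! 10.0.0.0/24 -j MASQ

# Allow all out
/sbin/ipchains -P output ACCEPT

# remove the blocks put in earlier (they were -I'd at position 1 and every
# rule above was -A'd after them, so position 1 is still the block)
/sbin/ipchains -D input 1
/sbin/ipchains -D forward 1
/sbin/ipchains -D output 1

# modules for masq (application-level helpers).  Loading is best effort:
# a module missing from this kernel must not abort the script now that the
# rule set is fully installed, so a failure is reported rather than fatal.
for m in ip_masq_autofw ip_masq_cuseeme ip_masq_ftp ip_masq_irc \
         ip_masq_mfw ip_masq_portfw ip_masq_quake ip_masq_raudio \
         ip_masq_user ip_masq_vdolive; do
  /sbin/modprobe "$m" || printf 'warning: could not load %s\n' "$m" >&2
done
#
# end of file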