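#!/bin/sh
#
# Local Copy
# -------------------
# http://www.Linux-Sec.net/Firewall/Scripts/rc.ipchain.zelow.txt
#
#
# Original File
# -------------
# http://www.hackinglinuxexposed.com/articles/20021015.html - /proc entries
#
#
# 27-Jun-04 amo Date-of-Birth
#
# ipchains packet filter for a masquerading gateway with one external
# interface ($EXTERNAL_INTERFACE, address $OUTSIDE_IP) and one internal
# network ($LOCALNET_1 on $LOCAL_INTERFACE_1).  Site-specific values are
# read from /etc/config:
#
#   OUTSIDE_IP   - address of the external interface          (required)
#   LOCALNET_1   - internal network in CIDR form               (required)
#   FTPSERVER, TELNETSERVER, MAILSERVER, DNSSERVER, BACKUPSERVER, PCASERVER
#                - internal hosts that inbound services are port-forwarded to
#
# The script fails closed: forwarding is switched off and every chain is
# set to DENY before the configuration is read, and forwarding is only
# switched back on by the last line once all rules have been installed.
#

echo "Starting firewalling... "

# Stop routing between the interfaces while the rule set is rebuilt; the
# last line of the script turns it back on.
echo 0 > /proc/sys/net/ipv4/ip_forward

# Remove all existing rules belonging to this filter.
ipchains -F

# Set the default policy of the filter to deny.  This happens before the
# config is read so that a missing or broken /etc/config leaves the box
# closed rather than at the kernel's default ACCEPT policy.
ipchains -P input DENY
ipchains -P output ACCEPT
ipchains -P forward DENY

# Grabbing the config.
if [ ! -r /etc/config ]; then
  echo "firewall: /etc/config is missing or unreadable - chains left at DENY" >&2
  exit 1
fi
. /etc/config

# The rules below expand these variables unquoted; an unset one yields a
# malformed rule (silently not installed) or, worse, a rule missing an
# address/port that matches more than intended.  Refuse to continue without
# the two the whole rule set depends on; only warn about forward targets so
# a site that does not use one of those services still gets its firewall.
: "${OUTSIDE_IP:?firewall: OUTSIDE_IP not set in /etc/config}"
: "${LOCALNET_1:?firewall: LOCALNET_1 not set in /etc/config}"

# warn_unset NAME VALUE - report a port-forward target /etc/config left empty.
warn_unset() {
  [ -n "$2" ] || echo "firewall: $1 not set - its port-forward will not be installed" >&2
}
warn_unset FTPSERVER    "$FTPSERVER"
warn_unset TELNETSERVER "$TELNETSERVER"
warn_unset MAILSERVER   "$MAILSERVER"
warn_unset DNSSERVER    "$DNSSERVER"
warn_unset BACKUPSERVER "$BACKUPSERVER"
warn_unset PCASERVER    "$PCASERVER"

# Permanent Variables that don't need changed.
ANYWHERE="any/0"
EXTERNAL_INTERFACE="eth0"
LOCAL_INTERFACE_1="eth1"
LOOPBACK_INTERFACE="lo"

LOOPBACK="127.0.0.0/8"
CLASS_A="10.0.0.0/8"
CLASS_B="172.16.0.0/12"
CLASS_C="192.168.0.0/16"
# Class D (multicast) plus class E (reserved): 224.0.0.0-255.255.255.255.
# The earlier value 240.0.0.0/3 had host bits set under a /3 mask and
# denotes the same block once masked; written in canonical form here.
MULTICAST="224.0.0.0/3"
BROADCAST_0="0.0.0.0"
BROADCAST_1="255.255.255.255"

PRIVPORTS="0:1023"
UNPRIVPORTS="1024:65535"

RESTRICTED_PORTS="2049"           # (TCP/UDP) NFS
RESTRICTED_OPENWINDOWS="2000"     # (TCP) openwindows
RESTRICTED_XWINDOWS="6000:6001"   # (TCP) X windows
SSH_PORTS="1022:1023"             # range for SSH privileged ports (no rule in this script uses it)

# ----------------------------------------------------------------------------
# SPOOFING & BAD ADDRESSES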
# Refuse spoofed packets pretending to be to or from the external address.
ipchains -A input  -i $EXTERNAL_INTERFACE -s $OUTSIDE_IP -l -j DENY
ipchains -A output -i $EXTERNAL_INTERFACE -d $OUTSIDE_IP -l -j REJECT

# Refuse packets claiming to be to or from an RFC 1918 private network.
# Handled in the same order as before: class A, then B, then C; for each,
# inbound source, inbound destination, outbound source, outbound
# destination.  Inbound is DENYed, outbound is REJECTed.
for private_net in $CLASS_A $CLASS_B $CLASS_C; do
  ipchains -A input  -i $EXTERNAL_INTERFACE -s $private_net -j DENY
  ipchains -A input  -i $EXTERNAL_INTERFACE -d $private_net -j DENY
  ipchains -A output -i $EXTERNAL_INTERFACE -s $private_net -j REJECT
  ipchains -A output -i $EXTERNAL_INTERFACE -d $private_net -j REJECT
done

# Refuse packets claiming to be to or from the loopback network (logged).
ipchains -A input  -i $EXTERNAL_INTERFACE -s $LOOPBACK -l -j DENY
ipchains -A input  -i $EXTERNAL_INTERFACE -d $LOOPBACK -l -j DENY
ipchains -A output -i $EXTERNAL_INTERFACE -s $LOOPBACK -l -j REJECT
ipchains -A output -i $EXTERNAL_INTERFACE -d $LOOPBACK -l -j REJECT

# Refuse broadcast address SOURCE packets (and the all-zeros destination).
ipchains -A input -i $EXTERNAL_INTERFACE -s $BROADCAST_1 -l -j DENY
ipchains -A input -i $EXTERNAL_INTERFACE -d $BROADCAST_0 -l -j DENY

# Refuse multicast/anycast/broadcast addresses (in.h) (NET-3-HOWTO)
ipchains -A input -i $EXTERNAL_INTERFACE -s $MULTICAST -j DENY

# ----------------------------------------------------------------------------
# ICMP
# Accept only the control messages a client needs: echo reply (0),
# destination unreachable (3), source quench (4), time exceeded (11) and
# parameter problem (12).  Echo request (8) is not in the list, so the
# external address does not answer ping.
for icmp_type in 0 3 4 11 12; do
  ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
           -s $ANYWHERE $icmp_type -d $OUTSIDE_IP -j ACCEPT
done

# ----------------------------------------------------------------------------
# Disallow certain outgoing traffic to protect yourself from mistakes:
# no new connections from here to openwindows, X windows or SOCKS servers.
for remote_port in $RESTRICTED_OPENWINDOWS $RESTRICTED_XWINDOWS 1080; do
  ipchains -A output -i $EXTERNAL_INTERFACE -p tcp -y \
           -s $OUTSIDE_IP -d $ANYWHERE $remote_port -j REJECT
done

# ----------------------------------------------------------------------------
# LOOPBACK
# Unlimited traffic on the loopback interface (output is covered by the
# ACCEPT policy on the output chain).
ipchains -A input -i $LOOPBACK_INTERFACE -j ACCEPT

# Avoid ports subject to protocol & system administration problems.
# Deny (and log) new connections to the NFS, openwindows and X windows
# ports on the external address.
for local_port in $RESTRICTED_PORTS $RESTRICTED_OPENWINDOWS $RESTRICTED_XWINDOWS; do
  ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -y \
           -d $OUTSIDE_IP $local_port -l -j DENY
done

# SOCKS: incoming connection (not logged)
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -y \
         -s $ANYWHERE -d $OUTSIDE_IP 1080 -j DENY

# ----------------------------------------------------------------------------
# UDP UNPRIVILEGED PORTS
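# Avoid ports subject to protocol & system administration problems:
# UDP to the NFS port is denied and logged.
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
         -d $OUTSIDE_IP $RESTRICTED_PORTS -l -j DENY

# UDP INCOMING TRACEROUTE
# traceroute usually uses -S 32769:65535 -D 33434:33523
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
         -s $ANYWHERE 32769:65535 \
         -d $OUTSIDE_IP 33434:33523 -l -j DENY

# ----------------------------------------------------------------------------
# SERVICE RULES
#
# Convention used below: a "server (N)" rule accepts new connections (SYN
# allowed) from an unprivileged remote port to local port N; a "client (N)"
# rule accepts only non-SYN segments (! -y) from remote port N to a local
# unprivileged port, i.e. replies to sessions opened from here.  ipchains
# filters statelessly, so a client rule also admits non-SYN segments from
# that source port sent by anyone, and a server rule exposes its port to
# every source unless the rule narrows -s.
#
# Tunables that /etc/config may override.  The defaults reproduce the
# historic behaviour of this script so an unchanged config keeps working,
# but both defaults are wide open - see the rules that use them.
ADMIN_SRC="${ADMIN_SRC:-$ANYWHERE}"               # sources allowed to open telnet / PCAnywhere
FTP_PASV_PORTS="${FTP_PASV_PORTS:-$UNPRIVPORTS}"  # FTP server passive data-port range

# ----------------------------------------------------------------------------
# DNS: full server (53 is port-forwarded to $DNSSERVER below)
# server/client to server query or response
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
         -s $ANYWHERE $UNPRIVPORTS -d $OUTSIDE_IP 53 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
         -s $ANYWHERE $UNPRIVPORTS -d $OUTSIDE_IP 53 -j ACCEPT

# zone transfers / server-to-server (53 to 53)
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
         -s $ANYWHERE 53 -d $OUTSIDE_IP 53 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
         -s $ANYWHERE 53 -d $OUTSIDE_IP 53 -j ACCEPT

# DNS client (53)
# ---------------
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
         -s $ANYWHERE 53 -d $OUTSIDE_IP $UNPRIVPORTS -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
         -s $ANYWHERE 53 -d $OUTSIDE_IP $UNPRIVPORTS -j ACCEPT

# ----------------------------------------------------------------------------
# Backup server (308) - port-forwarded to $BACKUPSERVER below
# ------------------
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
         -s $ANYWHERE $UNPRIVPORTS \
         -d $OUTSIDE_IP 308 -j ACCEPT

# Backup Client (308)
# ------------------
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
         -s $ANYWHERE 308 \
         -d $OUTSIDE_IP $UNPRIVPORTS -j ACCEPT

# ----------------------------------------------------------------------------
# TELNET server (23)
# ------------------
# Cleartext login protocol, and 23 is port-forwarded to $TELNETSERVER
# below, so this exposes an internal login service to whatever $ADMIN_SRC
# allows (default: everyone).  Restrict ADMIN_SRC in /etc/config, or better
# drop this rule and the matching portfw entry in favour of SSH.
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
         -s $ADMIN_SRC $UNPRIVPORTS \
         -d $OUTSIDE_IP 23 -j ACCEPT

# TELNET client (23)
# ------------------
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
         -s $ANYWHERE 23 \
         -d $OUTSIDE_IP $UNPRIVPORTS -j ACCEPT

# ------------------------------------------------------------------
# HTTP server (80) - port-forwarded to $MAILSERVER below
# ----------------
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
         -s $ANYWHERE $UNPRIVPORTS \
         -d $OUTSIDE_IP 80 -j ACCEPT

# HTTP client (80)
# ----------------
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
         -s $ANYWHERE 80 \
         -d $OUTSIDE_IP $UNPRIVPORTS -j ACCEPT

# ------------------------------------------------------------------
# HTTPS server (443) - port-forwarded to $MAILSERVER below
# ------------------
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
         -s $ANYWHERE $UNPRIVPORTS \
         -d $OUTSIDE_IP 443 -j ACCEPT

# HTTPS client (443)
# ------------------
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
         -s $ANYWHERE 443 \
         -d $OUTSIDE_IP $UNPRIVPORTS -j ACCEPT

# ------------------------------------------------------------------
# POP server (110) - port-forwarded to $MAILSERVER below
# ----------------
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
         -s $ANYWHERE $UNPRIVPORTS \
         -d $OUTSIDE_IP 110 -j ACCEPT

# POP client (110)
# ----------------
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
         -s $ANYWHERE 110 \
         -d $OUTSIDE_IP $UNPRIVPORTS -j ACCEPT

# ------------------------------------------------------------------
# NNTP NEWS client (119)
# ----------------------
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
         -s $ANYWHERE 119 \
         -d $OUTSIDE_IP $UNPRIVPORTS -j ACCEPT

# ------------------------------------------------------------------
# FINGER client (79)
# ------------------
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
         -s $ANYWHERE 79 \
         -d $OUTSIDE_IP $UNPRIVPORTS -j ACCEPT

# ------------------------------------------------------------------
# AUTH server (113)
# -----------------
# Reject, rather than deny, the incoming auth port, so remote servers that
# probe identd get an immediate error instead of a timeout. (NET-3-HOWTO)
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
         -s $ANYWHERE \
         -d $OUTSIDE_IP 113 -j REJECT

# AUTH client (113)
# -----------------
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
         -s $ANYWHERE 113 \
         -d $OUTSIDE_IP $UNPRIVPORTS -j ACCEPT

# ------------------------------------------------------------------
# SMTP server (25) - port-forwarded to $MAILSERVER below
# ----------------
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
         -s $ANYWHERE $UNPRIVPORTS \
         -d $OUTSIDE_IP 25 -j ACCEPT

# SMTP client (25)
# ----------------
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
         -s $ANYWHERE 25 \
         -d $OUTSIDE_IP $UNPRIVPORTS -j ACCEPT

# ------------------------------------------------------------------
# IMAP server (143) - accepted on the firewall itself; no portfw entry
# -----------------
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
         -s $ANYWHERE $UNPRIVPORTS \
         -d $OUTSIDE_IP 143 -j ACCEPT

# IMAP client (143)
# -----------------
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
         -s $ANYWHERE 143 \
         -d $OUTSIDE_IP $UNPRIVPORTS -j ACCEPT

# ------------------------------------------------------------------
# IRC client (6667)
# -----------------
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
         -s $ANYWHERE 6667 \
         -d $OUTSIDE_IP $UNPRIVPORTS -j ACCEPT

# ------------------------------------------------------------------
# AOL IM client (5190)
# --------------------
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
         -s $ANYWHERE 5190 \
         -d $OUTSIDE_IP $UNPRIVPORTS -j ACCEPT

# ------------------------------------------------------------------
# ICQ client (TCP 2000:4000, UDP 4000)
# -----------------
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
         -s $ANYWHERE 2000:4000 \
         -d $OUTSIDE_IP $UNPRIVPORTS -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
         -s $ANYWHERE 4000 \
         -d $OUTSIDE_IP $UNPRIVPORTS -j ACCEPT

# ------------------------------------------------------------------
# FTP server (20, 21) - 21 is port-forwarded to $FTPSERVER below
# -------------------
# incoming request
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
         -s $ANYWHERE $UNPRIVPORTS \
         -d $OUTSIDE_IP 21 -j ACCEPT

# PORT MODE data channel responses (server connects out from 20)
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
         -s $ANYWHERE $UNPRIVPORTS \
         -d $OUTSIDE_IP 20 -j ACCEPT

# PASSIVE MODE data channel connections
# WARNING: with the default FTP_PASV_PORTS this accepts a NEW connection
# (SYN) from any unprivileged remote port to ANY unprivileged port on
# $OUTSIDE_IP - every listener above 1023 other than the few denied earlier
# in this script becomes reachable from the Internet.  Set FTP_PASV_PORTS in
# /etc/config to the passive data-port range the FTP daemon is configured
# to use.
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
         -s $ANYWHERE $UNPRIVPORTS \
         -d $OUTSIDE_IP $FTP_PASV_PORTS -j ACCEPT

# FTP client (20, 21)
# -------------------
# outgoing request
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
         -s $ANYWHERE 21 \
         -d $OUTSIDE_IP $UNPRIVPORTS -j ACCEPT

# NORMAL mode data channel: the remote server opens the data connection
# from port 20, so SYN must be allowed here.  Consequence: any host using
# source port 20 can open a connection to any unprivileged port on
# $OUTSIDE_IP (except those denied earlier).  Prefer passive mode clients.
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
         -s $ANYWHERE 20 \
         -d $OUTSIDE_IP $UNPRIVPORTS -j ACCEPT

# PASSIVE mode data channel responses
# (fixed: the destination variable was misspelled UNPIRVPORTS, which
# expanded to nothing and so matched non-SYN segments to EVERY local port)
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
         -s $ANYWHERE $UNPRIVPORTS \
         -d $OUTSIDE_IP $UNPRIVPORTS -j ACCEPT

# ------------------------------------------------------------------
# RealAudio client
# ----------------
# A client talks from a local unprivileged port to the server's 554 or
# 7070:7071, so replies arrive FROM those ports.  The earlier rules had the
# two sides swapped (non-SYN segments TO local 554 / 7070:7071), which
# matches nothing a client session produces; corrected here.
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
         -s $ANYWHERE 554 \
         -d $OUTSIDE_IP $UNPRIVPORTS -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
         -s $ANYWHERE 7070:7071 \
         -d $OUTSIDE_IP $UNPRIVPORTS -j ACCEPT
# UDP data stream delivered to local 6970:7170
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
         -s $ANYWHERE $UNPRIVPORTS \
         -d $OUTSIDE_IP 6970:7170 -j ACCEPT

# ------------------------------------------------------------------
# WHOIS client (43)
# -----------------
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
         -s $ANYWHERE 43 \
         -d $OUTSIDE_IP $UNPRIVPORTS -j ACCEPT

# ------------------------------------------------------------------
# PCAnywhere Server (5631:5632)
# -----------------------------
# Remote-control service, port-forwarded to $PCASERVER below, reachable
# from $ADMIN_SRC (default: everyone).  Restrict ADMIN_SRC in /etc/config.
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
         -s $ADMIN_SRC $UNPRIVPORTS \
         -d $OUTSIDE_IP 5631 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
         -s $ADMIN_SRC $UNPRIVPORTS \
         -d $OUTSIDE_IP 5632 -j ACCEPT

# PCAnywhere client (5631:5632)
# -----------------------------
# NOTE(review): unlike every other TCP client rule in this file the TCP
# rule has no "! -y", so it also admits NEW connections from remote port
# 5631 to any unprivileged local port.  Add "! -y" if the PCAnywhere server
# never connects back to the client - left unchanged pending confirmation.
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
         -s $ANYWHERE 5631 \
         -d $OUTSIDE_IP $UNPRIVPORTS -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
         -s $ANYWHERE 5632 \
         -d $OUTSIDE_IP $UNPRIVPORTS -j ACCEPT

# ----------------------------------------------------------------------------
# Unlimited traffic within the local network.
# All internal machines have access to the firewall machine.
ipchains -A input  -i $LOCAL_INTERFACE_1 -s $LOCALNET_1 -j ACCEPT
ipchains -A output -i $LOCAL_INTERFACE_1 -d $LOCALNET_1 -j ACCEPT

# ----------------------------------------------------------------------------
# Masquerade internal traffic.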
# All internal traffic is masqueraded externally (the forward chain policy
# is DENY, so only traffic sourced from $LOCALNET_1 is routed at all).
ipchains -A forward -i $EXTERNAL_INTERFACE -s $LOCALNET_1 -j MASQ

# Forward Services to Internal Server
# Each here-document line is "protocol port target"; the same port is used
# on $OUTSIDE_IP and on the internal host.  Note that 80, 443 and 110 all
# go to $MAILSERVER, and that 21, 23, 5631 and 5632 expose FTP, telnet and
# PCAnywhere on internal hosts to whatever the input rules above let in.
echo "Forwarding Needed Services"
ipmasqadm portfw -f
while read -r proto port target; do
  ipmasqadm portfw -a -P $proto -L $OUTSIDE_IP $port -R $target $port
done <<EOF
tcp 21 $FTPSERVER
tcp 23 $TELNETSERVER
tcp 25 $MAILSERVER
udp 53 $DNSSERVER
tcp 53 $DNSSERVER
tcp 80 $MAILSERVER
tcp 443 $MAILSERVER
tcp 110 $MAILSERVER
tcp 308 $BACKUPSERVER
tcp 5631 $PCASERVER
udp 5632 $PCASERVER
EOF

# ----------------------------------------------------------------------------
# Enable logging for selected denied packets.
# Anything that reached this point on the external interface without being
# accepted is denied and logged here: all TCP, all UDP (the two port ranges
# together cover 0-65535), ICMP redirect (5) and ICMP types 13-18.  Other
# ICMP types (e.g. echo request) fall through to the input DENY policy and
# are not logged.
echo "logging enabled"
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -d $OUTSIDE_IP -l -j DENY
ipchains -A input -i $EXTERNAL_INTERFACE -p udp -d $OUTSIDE_IP $PRIVPORTS -l -j DENY
ipchains -A input -i $EXTERNAL_INTERFACE -p udp -d $OUTSIDE_IP $UNPRIVPORTS -l -j DENY
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp -s $ANYWHERE 5 -d $OUTSIDE_IP -l -j DENY
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp -s $ANYWHERE 13:18 -d $OUTSIDE_IP -l -j DENY

# ----------------------------------------------------------------------------
# Only now, with every rule in place, allow the kernel to route between
# the interfaces.
echo "forwarding enabled"
echo 1 > /proc/sys/net/ipv4/ip_forward
echo "Firewall Enabled!"
#
# End of file