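#!/bin/sh
#
# Local Copy
# -------------
# http://www.Linux-Sec.net/Firewall/Scripts/rc.iptable.hut.firewall.txt
#
# Original File
# -------------
# http://www.hut.fi/u/ttkorhon/trinet/firewall.txt
#
#
# 27-Jun-04 amo Date-of-Birth
#
#
#############################################################
#
# Example firewall script for Trinet: one computer ($INET_IP)
# as firewall and any number of hosts (HOMENET) using shared
# connections from the firewall computer.
#
# Usage:  Change your host IP to INET_IP and check if you want
#         to make changes to the rule set.  Copy this script on
#         your firewall host in directory /etc/init.d/ and add
#         execute permissions to this script.  Try executing
#         this script and running some networking tests before
#         adding this script permanently to boot-up scripts
#         (/etc/rcX/Sxxx) in your firewall host.
#
# Network topology:
#
#   +-----------+                   +----------+
#   |           | HOMENET_IP        |          |INET_IP
#   | laptop in +-------------------+ Firewall +------------+ Internet
#   | HOMENET   |     HOMENET_IFACE |          |INET_IFACE
#   |           |                   |          |
#   +-----------+                   +----------+
#
# Rules in a nutshell:
#   - deny all connections, unless otherwise stated
#   - allow all connections from HOMENET to outside world
#   - allow connection sharing from HOMENET
#   - allow connections to unprivileged ports (ports 1024->)
#   - allow some services (http, ntp, samba, talk)
#   - deny some unprivileged ports (XFree, NFS) and some
#     obvious spoofing attempts
#
# Notes:  Do not use DNS-names, you may have trouble with booting!
#         There is no rule for "stopping" this firewall.
#         Connection sharing additionally needs IP forwarding
#         (net.ipv4.ip_forward) enabled; this script does not set it.
#
#############################################################

# Abort on the first failed command and on any unset variable.  A failure
# after the default policies have been changed leaves the host closed (DROP),
# which is the safe side for a firewall; inspect the rule set before re-running.
set -eu

# Path for finding iptables (echo is a shell builtin).
#
PATH=/sbin:/usr/sbin:/usr/local/sbin:/bin:/usr/bin
export PATH

# The public Internet interface of your firewall: change this to your public
# Trinet IP.
#
INET_IP="130.233.xx.xx"
INET_NET="130.233.16.0/20"
INET_IFACE="eth0"

# Your other computers that use the connection provided by your firewall
# machine should be in "HOMENET".  If you have more than one machine plugged
# into your firewall, use a hub or a switch in eth1 interface of your firewall.
#
HOMENET_IP="192.168.0.254"
HOMENET="192.168.0.0/24"
HOMENET_IFACE="eth1"

# HUTNET is used e.g. for allowing ssh connections exclusively from hut campus
# area only.
#
HUTNET="130.233.0.0/16"

# Private and loopback ranges that can never legitimately arrive on the
# public interface (space separated; split by the for-loop below).
#
SPOOFED_NETS="192.168.0.0/16 10.0.0.0/8 172.16.0.0/12 127.0.0.0/8"

#############################################################
# SANITY CHECKS
#############################################################
#
# Both checks run before any policy or rule is touched, so a misconfigured
# or incomplete copy of this script cannot leave the host half-configured.
#
# Refuse to run while INET_IP is still the placeholder shipped with this file.
case "$INET_IP" in
  *xx*)
    echo "INET_IP is still the placeholder '$INET_IP'; edit this script first." >&2
    exit 1
    ;;
esac

# Make sure iptables can be found at all.
command -v iptables >/dev/null 2>&1 || {
  echo "iptables not found in PATH=$PATH" >&2
  exit 1
}

echo "Setting iptables rules..."

#############################################################
# CLEAR ALL RULES
#############################################################
#
# The nat table is flushed as well: the SNAT rule below is appended with -A,
# so re-running this script without the nat flush would stack duplicates.
#
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -t nat -F

#############################################################
# DEFAULT POLICIES
#############################################################
#
# Deny everything except connections to _outside_ (connections
# to inside are denied).
#
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

#############################################################
# ANTI SPOOF RULES
#############################################################

# outgoing to local net on remote interface, stuffed routing, drop
iptables -A OUTPUT -o "$INET_IFACE" -d "$HOMENET" -j DROP
# outgoing from local net on remote interface, stuffed masquerading, drop
iptables -A OUTPUT -o "$INET_IFACE" -s "$HOMENET" -j DROP

# some obviously spoofed ip-addresses arriving on the public interface.
# These go in the filter table (INPUT for the firewall itself, FORWARD for
# traffic towards HOMENET) rather than nat/PREROUTING: the nat table only
# sees the first packet of a connection and is not meant for filtering.
# shellcheck disable=SC2086 -- SPOOFED_NETS is a deliberate word list
for net in $SPOOFED_NETS; do
  iptables -A INPUT   -i "$INET_IFACE" -s "$net" -j DROP
  iptables -A FORWARD -i "$INET_IFACE" -s "$net" -j DROP
done

# bad tcp packets: a NEW connection must start with SYN
iptables -A INPUT  -p tcp ! --syn -m state --state NEW -j DROP
iptables -A OUTPUT -p tcp ! --syn -m state --state NEW -j DROP

#############################################################
# LOCAL TRAFFIC
#############################################################
#
# No restriction for local traffic
#
iptables -A INPUT -i lo -j ACCEPT

#############################################################
# ICMP SETTINGS
#############################################################
#
# Allow all ICMP messages except timestamp
# (note: order is meaningful).
#
iptables -A INPUT -p icmp --icmp-type timestamp-request -j DROP
iptables -A INPUT -p icmp -j ACCEPT

#############################################################
# X connections
#############################################################
#
# Drop all X connection attempts (this is not protected by
# the unprivileged ports rules).
#
iptables -A INPUT -p tcp --destination-port 6000:6010 -j DROP
iptables -A INPUT -p udp --destination-port 6000:6010 -j DROP
iptables -A INPUT -p tcp --destination-port 7100 -j DROP
iptables -A INPUT -p udp --destination-port 7100 -j DROP
iptables -A INPUT -p tcp --destination-port 7101 -j DROP
iptables -A INPUT -p udp --destination-port 7101 -j DROP
iptables -A INPUT -p tcp --destination-port 177 -j DROP
iptables -A INPUT -p udp --destination-port 177 -j DROP

############################################################
# ALLOW ACCESS TO SSH - use /etc/ssh/sshd_config
############################################################
#
# Allow incoming connections to ssh only from hutnet.
#
iptables -A INPUT -p tcp -s "$HUTNET" --destination-port ssh -j ACCEPT

############################################################
# ALLOW ACCESS TO SENDMAIL - use /etc/mail/*
############################################################
#
# Allow incoming connections to smtp (25) from everywhere
#
iptables -A INPUT -p tcp --destination-port smtp -j ACCEPT

############################################################
# ALLOW ACCESS TO HTTP
############################################################
#
# Allow incoming connections to http/https from anywhere
#
iptables -A INPUT -p tcp --destination-port www -j ACCEPT
iptables -A INPUT -p udp --destination-port www -j ACCEPT
iptables -A INPUT -p tcp --destination-port https -j ACCEPT
iptables -A INPUT -p udp --destination-port https -j ACCEPT

############################################################
# ALLOW TALK
############################################################
#
# Allow talk from hutnet.
#
iptables -A INPUT -p udp -s "$HUTNET" --destination-port talk -j ACCEPT
iptables -A INPUT -p udp -s "$HUTNET" --destination-port ntalk -j ACCEPT

############################################################
# ALLOW IDENT
############################################################
#
# Allow ident from everywhere (ident is used by e.g. irc and
# ssh daemons).
#
iptables -A INPUT -p tcp --destination-port ident -j ACCEPT

############################################################
# ALLOW NTP
############################################################
#
# Allow NTP
#
# ntp.hut.fi
iptables -A INPUT -p udp --destination-port ntp -s 130.233.224.2 -d "$INET_IP" -j ACCEPT
iptables -A INPUT -p tcp --destination-port ntp -s 130.233.224.2 -d "$INET_IP" -j ACCEPT
# ntp1.funet.fi
iptables -A INPUT -p udp --destination-port ntp -s 193.166.5.177 -d "$INET_IP" -j ACCEPT
iptables -A INPUT -p tcp --destination-port ntp -s 193.166.5.177 -d "$INET_IP" -j ACCEPT
# ntp2.funet.fi
iptables -A INPUT -p udp --destination-port ntp -s 193.166.5.197 -d "$INET_IP" -j ACCEPT
iptables -A INPUT -p tcp --destination-port ntp -s 193.166.5.197 -d "$INET_IP" -j ACCEPT

############################################################
# IP-MASQUERADING
#
# http://netfilter.samba.org/
#
############################################################
#
# Simple network connection sharing.
#
iptables -t nat -A POSTROUTING -o "$INET_IFACE" -j SNAT --to-source "$INET_IP"
iptables -A FORWARD -i "$HOMENET_IFACE" -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Local interface, local machines, going anywhere is valid (nfs and samba
# do not work without this rule).
#
iptables -A INPUT -i "$HOMENET_IFACE" -j ACCEPT

###########################################################
# NFS
###########################################################

# Drop anyone who is trying to use nfsd (this isn't protected by
# the generic DROP 0-1024 rule).
iptables -A INPUT -p tcp --destination-port 2049 -j DROP
iptables -A INPUT -p udp --destination-port 2049 -j DROP

############################################################
# SAMBA
############################################################
#
# Accept samba from Trinet.
#
iptables -A INPUT -p udp -s "$INET_NET" --destination-port 137:139 -j ACCEPT
iptables -A INPUT -p tcp -s "$INET_NET" --destination-port 137:139 -j ACCEPT

############################################################
# ALLOW RETURNED CONNECTIONS
############################################################
#
# Allow connections that have been established by clients.  The state match
# is not limited to TCP, so replies to the firewall's own UDP and ICMP
# traffic (e.g. NTP answers to a privileged source port) are covered too.
#
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

############################################################
# ACCEPT NORMAL CONNECTIONS
############################################################
#
# Accept everything unprivileged.  Any daemon listening above port 1024 is
# therefore reachable from the Internet; that is why the X and NFS drops
# above exist, and why the ESTABLISHED rule above also covers UDP.
#
iptables -A INPUT -p tcp --destination-port 1024: -j ACCEPT
iptables -A INPUT -p udp --destination-port 1024: -j ACCEPT

echo "Done."

#
# End of file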