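#!/bin/sh
# --------------------------------------------------------------------
# (c) ipchains rc.firewall for an Individual System or Home LAN from Chapter 3
#
# Chapter 3 covers the application protocols and firewall rules for the types of
# services most likely to be used on an individual, standalone Linux box.  If a
# small LAN of personal, client computers were attached to an internal LAN, the
# firewall forwards and masquerades all traffic between the LAN and the
# Internet.  As an example, Chapter 3 demonstrates numerous safeguards and
# logging events that aren't strictly necessary in a fully functional firewall.
# Additionally, both client and server rules are presented for services not
# everyone will use.  The complete firewall script, as it would appear in
# /etc/rc.d/rc.firewall, and built upon ipchains, follows:
# --------------------------------------------------------------------
#
# Some modifications made by Andy Stewart, 28-jan-2001
#
#   - Put in STATE_FILE and code to parse the file's contents.
#     (I hate hard coded stuff...it always comes back to bite you).
#
#   - Put in derivation of IPADDR from grepped ifconfig output
#
#   - Put in other derivations to avoid hard coding some values.
#
# --------------------------------------------------------------------
#
# Usage:    run as root at boot, or from the dhcpcd ".exe" hook that this
#           script links to itself below, e.g.  /sbin/init.d/firewall
# Requires: ipchains, /sbin/ifconfig and a dhcpcd/pump state file.
#           Without a usable state file (or without an IP address for the
#           external interface) the script installs a minimal deny-all
#           ruleset - loopback and internal LAN only - and exits 1.
#
# Rule order matters: ipchains evaluates a chain top to bottom and the
# first matching rule decides, so the sections below must stay in order
# (spoofing/bogon denies first, service accepts next, logging denies last).
# --------------------------------------------------------------------

#######################################
# Install the minimal "nothing in or out" ruleset used whenever the
# script cannot safely build the full one: flush every chain, set the
# policies to DENY and allow only loopback and the internal LAN.
# Globals:   LOOPBACK_INTERFACE, LAN_INTERFACE_1 (read)
# Arguments: none
# Returns:   exit status of the last ipchains call
#######################################
fail_closed() {
  ipchains -F
  ipchains -P input DENY
  ipchains -P output DENY
  # Without the MASQ rule nothing useful can be forwarded anyway; closing
  # the forward chain here keeps it from being left at whatever policy it
  # had before this script ran.
  ipchains -P forward DENY
  ipchains -A input -i "$LOOPBACK_INTERFACE" -j ACCEPT
  ipchains -A output -i "$LOOPBACK_INTERFACE" -j ACCEPT
  ipchains -A input -i "$LAN_INTERFACE_1" -j ACCEPT
  ipchains -A output -i "$LAN_INTERFACE_1" -j ACCEPT
}

echo "Starting firewalling... "

# Some definitions for easy maintenance:
# --------------------------------------------------------------------
# EDIT THESE TO SUIT YOUR SYSTEM AND ISP.

EXTERNAL_INTERFACE="eth0"   # Internet connected interface
LOOPBACK_INTERFACE="lo"     # or your local naming convention
LAN_INTERFACE_1="eth1"      # internal LAN interface

#
# Make a link for this file in the /var/state/dhcp directory.
# This will cause the firewall script to get executed
# every time the IP address changes.
# AMS 28-jan-2001
#
if [ ! -x "/var/state/dhcp/dhcpcd-$EXTERNAL_INTERFACE.exe" ]; then
  ln -s /sbin/init.d/firewall "/var/state/dhcp/dhcpcd-$EXTERNAL_INTERFACE.exe"
fi

#
# If EXTERNAL_INTERFACE is running, then this file
# contains info about the connection state.
#
STATE_FILE="/var/state/dhcp/dhcpcd-${EXTERNAL_INTERFACE}.info"
echo " - STATE_FILE = $STATE_FILE"

# Fallback IP address, read from the external interface itself; the dhcp
# state file sourced further down normally overrides it.  Only the IPv4
# "inet addr:" line of *this* interface is parsed - grepping the whole
# ifconfig output also matched other interfaces and "inet6 addr:" lines.
# Assumes net-tools ifconfig output ("inet addr:A.B.C.D  Bcast:...");
# stderr is dropped so a missing interface just yields an empty value.
IPADDR=$(/sbin/ifconfig "$EXTERNAL_INTERFACE" 2>/dev/null \
  | grep 'inet addr' | awk -F: '{print $2}' | awk '{print $1}' | head -n 1)
echo " - IPADDR = $IPADDR"

LAN_1="192.168.0.0/24"   # whatever (private) range you use

# Informational only: no rule below uses LAN_IPADDR_1.
LAN_IPADDR_1=$(/sbin/ifconfig "$LAN_INTERFACE_1" 2>/dev/null \
  | grep 'inet addr' | awk -F: '{print $2}' | awk '{print $1}' | head -n 1)
echo " - LAN_IPADDR_1 = $LAN_IPADDR_1"

ANYWHERE="any/0"   # match any IP address

# DHCP server address parsed from the state file ("DHCPSID=...").  Stays
# empty when the file is missing; the sourced state file may override it.
DHCP_SERVER=
if [ -f "$STATE_FILE" ]; then
  DHCP_SERVER=$(grep DHCPSID "$STATE_FILE" | awk -F= '{print $2}')
fi
echo " - DHCP_SERVER = $DHCP_SERVER"
#DHCP_SERVER="24.128.1.34"   # hard coded - no guarantee that this won't change!!

#
# So far, I have only seen these addresses from mediaone.net
# 24.91.x.x, 24.128.x.x, and 24.147.x.x
# I think that maps to 24.219.0.0/16 - AMS 28-jan-2001
#
# NOTE(review): none of the three prefixes listed above lie inside
# 24.219.0.0/16, and MY_ISP gates the incoming ping, incoming traceroute,
# DHCP renumbering and outgoing ICMP 3/11 rules below - verify this range.
MY_ISP="24.219.0.0/16"   # ISP & NOC address range - hard coded - no guarantees!
echo " - MY_ISP = $MY_ISP"

# First nameserver from the state file ("DNS=a,b,c").  Only referenced by
# the commented-out DNS server rules below.
NAMESERVER_1=
if [ -f "$STATE_FILE" ]; then
  NAMESERVER_1=$(grep DNS "$STATE_FILE" | awk -F, '{print $1}' | awk -F= '{print $2}')
fi
echo " - NAMESERVER_1 = $NAMESERVER_1"
#NAMESERVER_1="24.91.0.66"   # hard coded - no guarantee that this won't change!!

SMTP_SERVER="any/0"                   # external mail server
SMTP_GATEWAY="smtp.ne.mediaone.net"   # external mail relay
POP_SERVER="pop.ne.mediaone.net"      # external pop server, if any
#IMAP_SERVER="my.isp.imap.server"     # external imap server, if any
NEWS_SERVER="news.ne.mediaone.net"    # external news server, if any (unused: the NNTP rules use ANYWHERE)
#WEB_PROXY_SERVER="my.www.proxy"      # ISP web proxy server, if any
#WEB_PROXY_PORT="www.proxy.port"      # ISP web proxy port, if any
#                                     # typically 8008 or 8080

LOOPBACK="127.0.0.0/8"                # reserved loopback address range
CLASS_A="10.0.0.0/8"                  # class A private networks
CLASS_B="172.16.0.0/12"               # class B private networks
CLASS_C="192.168.0.0/16"              # class C private networks
CLASS_D_MULTICAST="224.0.0.0/4"       # class D multicast addresses
CLASS_E_RESERVED_NET="240.0.0.0/5"    # class E reserved addresses
BROADCAST_SRC="0.0.0.0"               # broadcast source address
BROADCAST_DEST="255.255.255.255"      # broadcast destination address
PRIVPORTS="0:1023"                    # well known, privileged port range
UNPRIVPORTS="1024:65535"              # unprivileged port range

TRACEROUTE_SRC_PORTS="32769:65535"
TRACEROUTE_DEST_PORTS="33434:33523"

# ....................................................................
# If your IP address is dynamically assigned by a DHCP server, then
# nameservers are found in /etc/dhcpc/resolv.conf.  If used, the
# example ifdhcpc-done script updates these automatically and
# appends them to /etc/dhcpc/hostinfo-$EXTERNAL_INTERFACE or
# /etc/dhcpc/dhcpcd-$EXTERNAL_INTERFACE.info.
# If using the example ifdhcpc-done script, the following NAMESERVER
# definitions (one per server, up to 3) will be overridden correctly
# here.
# The IP address, $IPADDR, is defined by dhcp
# Otherwise, if you have a static IP address, then define both
# your static IP address and the IP address of your external name
# server(s).
#
# NOTE(review): sourcing these files executes whatever the dhcp client
# wrote into them, and those values originate from the DHCP server.
# Check that the installed dhcpcd/pump version quotes the values it
# writes before trusting this on a network you do not control.

if [ -f "/etc/dhcpc/hostinfo-$EXTERNAL_INTERFACE" ]; then
  . "/etc/dhcpc/hostinfo-$EXTERNAL_INTERFACE"
elif [ -f "/etc/dhcpc/dhcpcd-$EXTERNAL_INTERFACE.info" ]; then
  . "/etc/dhcpc/dhcpcd-$EXTERNAL_INTERFACE.info"
elif [ -f /etc/dhcpc/pump.info ]; then
  . /etc/dhcpc/pump.info
elif [ -f "$STATE_FILE" ]; then
  # need this for SuSE Linux 6.4 - AMS 28-jan-2001
  . "$STATE_FILE"
else
  echo "rc.firewall: dhcp is not configured."
  fail_closed
  exit 1
fi

# If using the example ifdhcpc-done script, any previous definitions of
# IPADDR and NAMESERVER will be overridden correctly here.
# DHCPSIADDR is taken only when the sourced file defines it; otherwise
# the value parsed from STATE_FILE above is kept (an unconditional
# DHCP_SERVER=$DHCPSIADDR blanked it whenever the file used another name).
DHCP_SERVER=${DHCPSIADDR:-$DHCP_SERVER}

# Every external-interface rule below is built around $IPADDR; with it
# empty those rules are malformed, so fail closed instead of installing
# a half-built set.
if [ -z "$IPADDR" ]; then
  echo "rc.firewall: no IP address for $EXTERNAL_INTERFACE - firewall closed." >&2
  fail_closed
  exit 1
fi

# ....................................................................
# EDIT THESE TO MATCH THE NUMBER OF SERVERS OR CONNECTIONS
# YOU SUPPORT.

# X Windows port allocation begins at 6000 and increments
# for each additional server running from 6000 to 6063.
XWINDOW_PORTS="6000:6063"   # (TCP) X windows

# SSH starts at 1023 and works down to 513 for
# each additional simultaneous incoming connection.
SSH_PORTS="1020:1023"       # simultaneous connections

# --------------------------------------------------------------------
SOCKS_PORT="1080"           # (TCP) socks
OPENWINDOWS_PORT="2000"     # (TCP) openwindows
NFS_PORT="2049"             # (TCP/UDP) NFS

# --------------------------------------------------------------------
# Kernel-side protections (written to /proc before any rule is loaded).

# Enable TCP SYN Cookie Protection
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# Enable always defragging Protection
echo 1 > /proc/sys/net/ipv4/ip_always_defrag

# Enable broadcast echo Protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Enable bad error message Protection
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

# Enable IP spoofing protection
# turn on Source Address Verification
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
  echo 1 > "$f"
done

# Disable ICMP Redirect Acceptance
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
  echo 0 > "$f"
done

for f in /proc/sys/net/ipv4/conf/*/send_redirects; do
  echo 0 > "$f"
done

# Disable Source Routed Packets
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
  echo 0 > "$f"
done

# Log Spoofed Packets, Source Routed Packets, Redirect Packets
for f in /proc/sys/net/ipv4/conf/*/log_martians; do
  echo 1 > "$f"
done

# Enable IP forwarding - AMS 11-mar-2001
echo 1 > /proc/sys/net/ipv4/ip_forward

# These are now necessary for masquerading the services
/sbin/modprobe ip_masq_ftp
/sbin/modprobe ip_masq_raudio
#/sbin/modprobe ip_masq_irc
#/sbin/modprobe ip_masq_vdolive
#/sbin/modprobe ip_masq_cuseeme
#/sbin/modprobe ip_masq_quake

# --------------------------------------------------------------------
# Flush any existing rules from all chains
ipchains -F

# Set the default policy to deny
ipchains -P input DENY
ipchains -P output REJECT
ipchains -P forward REJECT

# Set masquerade timeout to 10 hours for TCP connections.
ipchains -M -S 36000 0 0

# Disallow Fragmented Packets
ipchains -A input -f -i "$EXTERNAL_INTERFACE" -j DENY

# --------------------------------------------------------------------
# LOOPBACK

# Unlimited traffic on the loopback interface
ipchains -A input -i "$LOOPBACK_INTERFACE" -j ACCEPT
ipchains -A output -i "$LOOPBACK_INTERFACE" -j ACCEPT

# --------------------------------------------------------------------
# Unlimited traffic within the local network.

# All internal machines have access to the firewall machine.
ipchains -A input -i "$LAN_INTERFACE_1" \
  -s "$LAN_1" -j ACCEPT
ipchains -A output -i "$LAN_INTERFACE_1" \
  -d "$LAN_1" -j ACCEPT

# --------------------------------------------------------------------
# Masquerade internal traffic.

# All internal traffic is masqueraded externally.
ipchains -A forward -i "$EXTERNAL_INTERFACE" -s "$LAN_1" -j MASQ

# --------------------------------------------------------------------
# Refuse any connections from problem sites

# /sbin/init.d/firewall.blocked contains a list of rules of the form
#   ipchains -A input -i $EXTERNAL_INTERFACE -s <address> -j DENY
# to block all access from the banned addresses.  It is sourced, so it
# runs as root with this script's variables in scope.

# Refuse packets claiming to be from the banned list
if [ -f /sbin/init.d/firewall.blocked ]; then
  . /sbin/init.d/firewall.blocked
fi

# --------------------------------------------------------------------
# SPOOFING & BAD ADDRESSES
# Refuse spoofed packets.
# Ignore blatantly illegal source addresses.
# Protect yourself from sending to bad addresses.

# Refuse spoofed packets pretending to be from
# the external interface's IP address
ipchains -A input -i "$EXTERNAL_INTERFACE" -s "$IPADDR" -j DENY -l

# Refuse packets claiming to be to or from a Class A private network
ipchains -A input -i "$EXTERNAL_INTERFACE" -s "$CLASS_A" -j DENY
ipchains -A input -i "$EXTERNAL_INTERFACE" -d "$CLASS_A" -j DENY
ipchains -A output -i "$EXTERNAL_INTERFACE" -s "$CLASS_A" -j DENY -l
ipchains -A output -i "$EXTERNAL_INTERFACE" -d "$CLASS_A" -j DENY -l

# Refuse packets claiming to be to or from a Class B private network
ipchains -A input -i "$EXTERNAL_INTERFACE" -s "$CLASS_B" -j DENY
ipchains -A input -i "$EXTERNAL_INTERFACE" -d "$CLASS_B" -j DENY
ipchains -A output -i "$EXTERNAL_INTERFACE" -s "$CLASS_B" -j DENY -l
ipchains -A output -i "$EXTERNAL_INTERFACE" -d "$CLASS_B" -j DENY -l

# Refuse packets claiming to be to or from a Class C private network
ipchains -A input -i "$EXTERNAL_INTERFACE" -s "$CLASS_C" -j DENY
ipchains -A input -i "$EXTERNAL_INTERFACE" -d "$CLASS_C" -j DENY
ipchains -A output -i "$EXTERNAL_INTERFACE" -s "$CLASS_C" -j DENY -l
ipchains -A output -i "$EXTERNAL_INTERFACE" -d "$CLASS_C" -j DENY -l

# Refuse packets claiming to be to the loopback interface
ipchains -A input -i "$EXTERNAL_INTERFACE" -s "$LOOPBACK" -j DENY -l
ipchains -A output -i "$EXTERNAL_INTERFACE" -s "$LOOPBACK" -j DENY -l

# block directed broadcasts:
# Network base address
# Network broadcast address
# SUBNET_BROADCAST="you.you.you.255"
# SUBNET_BASE="you.you.you.0"
# ipchains -A input -i $EXTERNAL_INTERFACE -d $SUBNET_BASE -j DENY -l
# ipchains -A input -i $EXTERNAL_INTERFACE -d $SUBNET_BROADCAST -j DENY -l

# Refuse malformed broadcast packets
ipchains -A input -i "$EXTERNAL_INTERFACE" -s "$BROADCAST_DEST" -j DENY -l
ipchains -A input -i "$EXTERNAL_INTERFACE" -d "$BROADCAST_SRC" -j DENY -l
ipchains -A output -i "$EXTERNAL_INTERFACE" -s "$BROADCAST_DEST" -j DENY -l
ipchains -A output -i "$EXTERNAL_INTERFACE" -d "$BROADCAST_SRC" -j DENY -l

# Refuse Class D multicast addresses
# Multicast is only illegal as a source address.
# Multicast uses UDP
ipchains -A input -i "$EXTERNAL_INTERFACE" -s "$CLASS_D_MULTICAST" \
  -j DENY -l
ipchains -A output -i "$EXTERNAL_INTERFACE" -s "$CLASS_D_MULTICAST" \
  -j REJECT -l

# Refuse Class E reserved IP addresses
# incoming blocked below
ipchains -A input -i "$EXTERNAL_INTERFACE" -s "$CLASS_E_RESERVED_NET" \
  -j DENY -l
ipchains -A output -i "$EXTERNAL_INTERFACE" -d "$CLASS_E_RESERVED_NET" \
  -j REJECT

# Refuse addresses defined as reserved by the IANA.
# Note: The reserved addresses are allocated periodically.
# Filtering them requires checking the IANA address lists,
# preferably monthly.
# The following matches the IANA list on October 14, 2000.
# Because the list only ever shrinks, a stale copy silently denies
# legitimate, since-allocated address space - re-check before reuse.
# 1.*.*.*, 2.*.*.*, 5.*.*.*, 7.*.*.*, 23.*.*.*, 27.*.*.*
# 31.*.*.*, 36.*.*.*, 37.*.*.*, 39.*.*.*, 41.*.*.*, 42.*.*.*
# 49-50.*.*.*, 58-60.*.*.*
# 67-127.*.*.*
# 169.254.0.0/16 - Link Local Networks
# 192.0.2.0/24 - TEST-NET
# 197.*.*.*, 218-255.*.*.*

# 0.*.*.* - Can't be blocked for DHCP users.
# ipchains -A input -i $EXTERNAL_INTERFACE -s 0.0.0.0/8 -j DENY -l
ipchains -A input -i "$EXTERNAL_INTERFACE" -s 1.0.0.0/8 -j DENY -l
ipchains -A input -i "$EXTERNAL_INTERFACE" -s 2.0.0.0/8 -j DENY -l
ipchains -A input -i "$EXTERNAL_INTERFACE" -s 5.0.0.0/8 -j DENY -l
ipchains -A input -i "$EXTERNAL_INTERFACE" -s 7.0.0.0/8 -j DENY -l
ipchains -A input -i "$EXTERNAL_INTERFACE" -s 23.0.0.0/8 -j DENY -l
ipchains -A input -i "$EXTERNAL_INTERFACE" -s 27.0.0.0/8 -j DENY -l
ipchains -A input -i "$EXTERNAL_INTERFACE" -s 31.0.0.0/8 -j DENY -l
ipchains -A input -i "$EXTERNAL_INTERFACE" -s 36.0.0.0/8 -j DENY -l
ipchains -A input -i "$EXTERNAL_INTERFACE" -s 37.0.0.0/8 -j DENY -l
ipchains -A input -i "$EXTERNAL_INTERFACE" -s 39.0.0.0/8 -j DENY -l
ipchains -A input -i "$EXTERNAL_INTERFACE" -s 41.0.0.0/8 -j DENY -l
ipchains -A input -i "$EXTERNAL_INTERFACE" -s 42.0.0.0/8 -j DENY -l
ipchains -A input -i "$EXTERNAL_INTERFACE" -s 49.0.0.0/8 -j DENY -l
ipchains -A input -i "$EXTERNAL_INTERFACE" -s 50.0.0.0/8 -j DENY -l
ipchains -A input -i "$EXTERNAL_INTERFACE" -s 58.0.0.0/7 -j DENY -l
ipchains -A input -i "$EXTERNAL_INTERFACE" -s 60.0.0.0/8 -j DENY -l
ipchains -A input -i "$EXTERNAL_INTERFACE" -s 67.0.0.0/8 -j DENY -l
ipchains -A input -i "$EXTERNAL_INTERFACE" -s 68.0.0.0/6 -j DENY -l
ipchains -A input -i "$EXTERNAL_INTERFACE" -s 72.0.0.0/5 -j DENY -l
ipchains -A input -i "$EXTERNAL_INTERFACE" -s 80.0.0.0/4 -j DENY -l
# 96-126
ipchains -A input -i "$EXTERNAL_INTERFACE" -s 96.0.0.0/3 -j DENY -l
# Link local networks
ipchains -A input -i "$EXTERNAL_INTERFACE" -s 169.254.0.0/16 -j DENY -l
# Test NET
ipchains -A input -i "$EXTERNAL_INTERFACE" -s 192.0.2.0/24 -j DENY -l
ipchains -A input -i "$EXTERNAL_INTERFACE" -s 197.0.0.0/8 -j DENY -l
ipchains -A input -i "$EXTERNAL_INTERFACE" -s 218.0.0.0/7 -j DENY -l
ipchains -A input -i "$EXTERNAL_INTERFACE" -s 220.0.0.0/6 -j DENY -l
# includes multicast, reserved and unallocated addresses
ipchains -A input -i "$EXTERNAL_INTERFACE" -s 224.0.0.0/3 -j DENY -l

# --------------------------------------------------------------------
# UNPRIVILEGED PORTS
# Avoid ports subject to protocol & system administration problems.
# ("-y" matches only packets with SYN set and ACK/FIN clear, i.e.
# connection attempts.)

# Open Windows: establishing a connection
ipchains -A output -i "$EXTERNAL_INTERFACE" -p tcp -y \
  -s "$IPADDR" \
  -d "$ANYWHERE" "$OPENWINDOWS_PORT" -j REJECT

# Open Windows incoming connection
ipchains -A input -i "$EXTERNAL_INTERFACE" -p tcp -y \
  -d "$IPADDR" "$OPENWINDOWS_PORT" -j DENY

# X Windows: establishing a remote connection
ipchains -A output -i "$EXTERNAL_INTERFACE" -p tcp -y \
  -s "$IPADDR" \
  -d "$ANYWHERE" "$XWINDOW_PORTS" -j REJECT

# X Windows: incoming connection attempt
ipchains -A input -i "$EXTERNAL_INTERFACE" -p tcp -y \
  -d "$IPADDR" "$XWINDOW_PORTS" -j DENY -l

# SOCKS: establishing a connection
ipchains -A output -i "$EXTERNAL_INTERFACE" -p tcp -y \
  -s "$IPADDR" \
  -d "$ANYWHERE" "$SOCKS_PORT" -j REJECT -l

# SOCKS incoming connection
ipchains -A input -i "$EXTERNAL_INTERFACE" -p tcp -y \
  -d "$IPADDR" "$SOCKS_PORT" -j DENY

# NFS: TCP connections
ipchains -A input -i "$EXTERNAL_INTERFACE" -p tcp -y \
  -d "$IPADDR" "$NFS_PORT" -j DENY -l
ipchains -A output -i "$EXTERNAL_INTERFACE" -p tcp -y \
  -d "$ANYWHERE" "$NFS_PORT" -j REJECT -l

# NFS: UDP connections
ipchains -A input -i "$EXTERNAL_INTERFACE" -p udp \
  -d "$IPADDR" "$NFS_PORT" -j DENY -l

# NFS incoming request (normal UDP mode)
ipchains -A output -i "$EXTERNAL_INTERFACE" -p udp \
  -d "$ANYWHERE" "$NFS_PORT" -j REJECT -l

# --------------------------------------------------------------------
# NOTE:
# The symbolic names used in /etc/services for the port numbers
# vary by supplier.  Using them is less error prone and more
# meaningful.

# --------------------------------------------------------------------
# Required Services

# DNS client modes (53)
# ---------------------
ipchains -A output -i "$EXTERNAL_INTERFACE" -p udp \
  -s "$IPADDR" "$UNPRIVPORTS" \
  -d "$ANYWHERE" 53 -j ACCEPT
ipchains -A input -i "$EXTERNAL_INTERFACE" -p udp \
  -s "$ANYWHERE" 53 \
  -d "$IPADDR" "$UNPRIVPORTS" -j ACCEPT

# TCP client to server requests are allowed by the protocol
# if UDP requests fail.  This is rarely seen.  Usually, clients
# use TCP as a secondary nameserver for zone transfers from
# their primary nameservers, and as hackers.
ipchains -A output -i "$EXTERNAL_INTERFACE" -p tcp \
  -s "$IPADDR" "$UNPRIVPORTS" \
  -d "$ANYWHERE" 53 -j ACCEPT
ipchains -A input -i "$EXTERNAL_INTERFACE" -p tcp ! -y \
  -s "$ANYWHERE" 53 \
  -d "$IPADDR" "$UNPRIVPORTS" -j ACCEPT

# DNS server modes (53)
# ---------------------
#
# Added by AMS 28-jan-2001
#
# There is a local nameserver on the linux.bogus network.  For things
# that it can't handle, it sends it up the pipe to ns1.mediaone.net.
# Make sure it can get there!  Keep in mind that masquerading is
# enabled!!!
#
# this section intentionally left blank
#

# DNS caching & forwarding nameserver
# -----------------------------------
# server to server query or response
# Caching only name server uses UDP, not TCP
#ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
#  -s $IPADDR 53 \
#  -d $NAMESERVER_1 53 -j ACCEPT
#
#ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
#  -s $NAMESERVER_1 53 \
#  -d $IPADDR 53 -j ACCEPT

# DNS full nameserver
# -------------------
# client to server DNS transaction
#ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
#  -s $LAN_1 $UNPRIVPORTS \
#  -d $IPADDR 53 -j ACCEPT
#
#ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
#  -s $IPADDR 53 \
#  -d $LAN_1 $UNPRIVPORTS -j ACCEPT
#
# peer-to-peer server DNS transaction
#ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
#  -s 53 \
#  -d $IPADDR 53 -j ACCEPT
#
#ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
#  -s $IPADDR 53 \
#  -d 53 -j ACCEPT

# Zone Transfers
# due to the potential danger of zone transfers,
# only allow TCP traffic to specific secondaries.
#ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
#  -s $UNPRIVPORTS \
#  -d $IPADDR 53 -j ACCEPT
#
#ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
#  -s $IPADDR 53 \
#  -d $UNPRIVPORTS -j ACCEPT

# --------------------------------------------------------------------
# AUTH (113) - Allowing Your Outgoing AUTH Requests as a Client
# -------------------------------------------------------------
ipchains -A output -i "$EXTERNAL_INTERFACE" -p tcp \
  -s "$IPADDR" "$UNPRIVPORTS" \
  -d "$ANYWHERE" 113 -j ACCEPT
ipchains -A input -i "$EXTERNAL_INTERFACE" -p tcp ! -y \
  -s "$ANYWHERE" 113 \
  -d "$IPADDR" "$UNPRIVPORTS" -j ACCEPT

# AUTH server (113)
# -----------------
# Accepting Incoming AUTH Requests
#ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
#  -s $ANYWHERE $UNPRIVPORTS \
#  -d $IPADDR 113 -j ACCEPT
#
#ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
#  -s $IPADDR 113 \
#  -d $ANYWHERE $UNPRIVPORTS -j ACCEPT

# OR

# Rejecting Incoming AUTH Requests
# (REJECT rather than DENY so remote mail/irc servers get an immediate
# refusal instead of waiting for their ident probe to time out.)
ipchains -A input -i "$EXTERNAL_INTERFACE" -p tcp \
  -s "$ANYWHERE" "$UNPRIVPORTS" \
  -d "$IPADDR" 113 -j REJECT

# --------------------------------------------------------------------
# TCP services on selected ports

# Sending Mail through a remote SMTP gateway (25)
# -----------------------------------------------
# SMTP client to an ISP account without a local server
ipchains -A output -i "$EXTERNAL_INTERFACE" -p tcp \
  -s "$IPADDR" "$UNPRIVPORTS" \
  -d "$SMTP_GATEWAY" 25 -j ACCEPT
ipchains -A input -i "$EXTERNAL_INTERFACE" -p tcp ! -y \
  -s "$SMTP_GATEWAY" 25 \
  -d "$IPADDR" "$UNPRIVPORTS" -j ACCEPT

# OR

# Sending Mail through a local SMTP server
#ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
#  -s $IPADDR $UNPRIVPORTS \
#  -d $ANYWHERE 25 -j ACCEPT
#
#ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
#  -s $ANYWHERE 25 \
#  -d $IPADDR $UNPRIVPORTS -j ACCEPT

# Receiving Mail as a Local SMTP server (25)
# ------------------------------------------
#ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
#  -s $ANYWHERE $UNPRIVPORTS \
#  -d $IPADDR 25 -j ACCEPT
#
#ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
#  -s $IPADDR 25 \
#  -d $ANYWHERE $UNPRIVPORTS -j ACCEPT

# --------------------------------------------------------------------
# POP (110) - Retrieving Mail as a POP Client
# -------------------------------------------
ipchains -A output -i "$EXTERNAL_INTERFACE" -p tcp \
  -s "$IPADDR" "$UNPRIVPORTS" \
  -d "$POP_SERVER" 110 -j ACCEPT
ipchains -A input -i "$EXTERNAL_INTERFACE" -p tcp ! -y \
  -s "$POP_SERVER" 110 \
  -d "$IPADDR" "$UNPRIVPORTS" -j ACCEPT

# POP (110) - Hosting a POP Server for Remote Clients
# ---------------------------------------------------
#ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
#  -s $UNPRIVPORTS \
#  -d $IPADDR 110 -j ACCEPT
#
#ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
#  -s $IPADDR 110 \
#  -d $UNPRIVPORTS -j ACCEPT

# --------------------------------------------------------------------
# IMAP (143) - Retrieving Mail as an IMAP Client
# ----------------------------------------------
#ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
#  -s $IPADDR $UNPRIVPORTS \
#  -d 143 -j ACCEPT
#
#ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
#  -s 143 \
#  -d $IPADDR $UNPRIVPORTS -j ACCEPT

# IMAP (143) - Hosting an IMAP Server for Remote Clients
# ------------------------------------------------------
#ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
#  -s $UNPRIVPORTS \
#  -d $IPADDR 143 -j ACCEPT
#
#ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
#  -s $IPADDR 143 \
#  -d $UNPRIVPORTS -j ACCEPT

# --------------------------------------------------------------------
# NNTP (119) - Reading and Posting News as a Usenet Client
# --------------------------------------------------------
ipchains -A output -i "$EXTERNAL_INTERFACE" -p tcp \
  -s "$IPADDR" "$UNPRIVPORTS" \
  -d "$ANYWHERE" 119 -j ACCEPT
ipchains -A input -i "$EXTERNAL_INTERFACE" -p tcp ! -y \
  -s "$ANYWHERE" 119 \
  -d "$IPADDR" "$UNPRIVPORTS" -j ACCEPT

# NNTP (119) - Hosting a Usenet News Server for Remote Clients
# ------------------------------------------------------------
#ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
#  -s $UNPRIVPORTS \
#  -d $IPADDR 119 -j ACCEPT
#
#ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
#  -s $IPADDR 119 \
#  -d $UNPRIVPORTS -j ACCEPT

# NNTP (119) - Allowing Peer News Feeds for a Local Usenet Server
# ---------------------------------------------------------------
#ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
#  -s $IPADDR $UNPRIVPORTS \
#  -d 119 -j ACCEPT
#
#ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
#  -s 119 \
#  -d $IPADDR $UNPRIVPORTS -j ACCEPT

# --------------------------------------------------------------------
# TELNET (23) - Allowing Outgoing Client Access to Remote Sites
# -------------------------------------------------------------
# (cleartext protocol; credentials cross the ISP network unprotected)
ipchains -A output -i "$EXTERNAL_INTERFACE" -p tcp \
  -s "$IPADDR" "$UNPRIVPORTS" \
  -d "$ANYWHERE" 23 -j ACCEPT
ipchains -A input -i "$EXTERNAL_INTERFACE" -p tcp ! -y \
  -s "$ANYWHERE" 23 \
  -d "$IPADDR" "$UNPRIVPORTS" -j ACCEPT

# Real Audio (554) - Allow me to look at streaming content
# AMS 28-jan-2001
# -----------------------------------------------------------
ipchains -A output -i "$EXTERNAL_INTERFACE" -p tcp \
  -s "$IPADDR" "$UNPRIVPORTS" \
  -d "$ANYWHERE" 554 -j ACCEPT
ipchains -A input -i "$EXTERNAL_INTERFACE" -p tcp ! -y \
  -s "$ANYWHERE" 554 \
  -d "$IPADDR" "$UNPRIVPORTS" -j ACCEPT

# Real Audio seems to do some sort of compression on port 6970
# and also on port 3
# AMS 28-jan-2001
# -----------------------------------------------------------
# The UDP rule accepts unsolicited datagrams from any host to local
# port 6970; the "port 3" rule is really ICMP type 3 code 3 (port
# unreachable) to anywhere - for -p icmp the -s port is the type and
# the -d port the code - and is wider than the ICMP type 3 rule further
# down, which is limited to MY_ISP.
ipchains -A input -i "$EXTERNAL_INTERFACE" -p udp \
  -s "$ANYWHERE" "$UNPRIVPORTS" \
  -d "$IPADDR" 6970 -j ACCEPT
ipchains -A output -i "$EXTERNAL_INTERFACE" -p icmp \
  -s "$IPADDR" 3 \
  -d "$ANYWHERE" 3 -j ACCEPT

# TELNET (23) - Allowing Incoming Access to Your Local Server
# -----------------------------------------------------------
#ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
#  -s $ANYWHERE $UNPRIVPORTS \
#  -d $IPADDR 23 -j ACCEPT
#
#ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
#  -s $IPADDR 23 \
#  -d $ANYWHERE $UNPRIVPORTS -j ACCEPT

# --------------------------------------------------------------------
# SSH client (22) - Allowing Client Access to Remote SSH Servers
# --------------------------------------------------------------
ipchains -A output -i "$EXTERNAL_INTERFACE" -p tcp \
  -s "$IPADDR" "$UNPRIVPORTS" \
  -d "$ANYWHERE" 22 -j ACCEPT
ipchains -A input -i "$EXTERNAL_INTERFACE" -p tcp ! -y \
  -s "$ANYWHERE" 22 \
  -d "$IPADDR" "$UNPRIVPORTS" -j ACCEPT

# Privileged-source-port variant (ssh -o UsePrivilegedPort / rhosts-style)
ipchains -A output -i "$EXTERNAL_INTERFACE" -p tcp \
  -s "$IPADDR" "$SSH_PORTS" \
  -d "$ANYWHERE" 22 -j ACCEPT
ipchains -A input -i "$EXTERNAL_INTERFACE" -p tcp ! -y \
  -s "$ANYWHERE" 22 \
  -d "$IPADDR" "$SSH_PORTS" -j ACCEPT

# SSH (22) - Allowing Remote Client Access to Your Local SSH Server
# -----------------------------------------------------------------
#ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
#  -s $ANYWHERE $UNPRIVPORTS \
#  -d $IPADDR 22 -j ACCEPT
#
#ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
#  -s $IPADDR 22 \
#  -d $ANYWHERE $UNPRIVPORTS -j ACCEPT
#
#ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
#  -s $ANYWHERE $SSH_PORTS \
#  -d $IPADDR 22 -j ACCEPT
#
#ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
#  -s $IPADDR 22 \
#  -d $ANYWHERE $SSH_PORTS -j ACCEPT

# --------------------------------------------------------------------
# FTP (20, 21) - Allowing Outgoing Client Access to Remote FTP Servers
# --------------------------------------------------------------------

# outgoing request
ipchains -A output -i "$EXTERNAL_INTERFACE" -p tcp \
  -s "$IPADDR" "$UNPRIVPORTS" \
  -d "$ANYWHERE" 21 -j ACCEPT
ipchains -A input -i "$EXTERNAL_INTERFACE" -p tcp ! -y \
  -s "$ANYWHERE" 21 \
  -d "$IPADDR" "$UNPRIVPORTS" -j ACCEPT

# Normal Port Mode FTP Data Channels
# NOTE(review): the input rule has no "! -y", so it accepts *new*
# connections from any host whose source port is 20 to any unprivileged
# local port.  It is the widest inbound opening in this script; the
# ip_masq_ftp module loaded above covers LAN clients, so this rule only
# matters for FTP clients running on the firewall host itself.
ipchains -A input -i "$EXTERNAL_INTERFACE" -p tcp \
  -s "$ANYWHERE" 20 \
  -d "$IPADDR" "$UNPRIVPORTS" -j ACCEPT
ipchains -A output -i "$EXTERNAL_INTERFACE" -p tcp ! -y \
  -s "$IPADDR" "$UNPRIVPORTS" \
  -d "$ANYWHERE" 20 -j ACCEPT

# Passive Mode FTP Data Channels
# (effectively lets this host open any outbound TCP connection to an
# unprivileged port, and accept the replies)
ipchains -A output -i "$EXTERNAL_INTERFACE" -p tcp \
  -s "$IPADDR" "$UNPRIVPORTS" \
  -d "$ANYWHERE" "$UNPRIVPORTS" -j ACCEPT
ipchains -A input -i "$EXTERNAL_INTERFACE" -p tcp ! -y \
  -s "$ANYWHERE" "$UNPRIVPORTS" \
  -d "$IPADDR" "$UNPRIVPORTS" -j ACCEPT

# FTP (20, 21) - Allowing Incoming Access to Your Local FTP Server
# ----------------------------------------------------------------

# incoming request
#ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
#  -s $ANYWHERE $UNPRIVPORTS \
#  -d $IPADDR 21 -j ACCEPT
#
#ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
#  -s $IPADDR 21 \
#  -d $ANYWHERE $UNPRIVPORTS -j ACCEPT
#
## Normal Port Mode FTP Data Channel Responses
#
#ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
#  -s $IPADDR 20 \
#  -d $ANYWHERE $UNPRIVPORTS -j ACCEPT
#
#ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
#  -s $ANYWHERE $UNPRIVPORTS \
#  -d $IPADDR 20 -j ACCEPT
#
## Passive Mode FTP Data Channel Responses
#
#ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
#  -s $ANYWHERE $UNPRIVPORTS \
#  -d $IPADDR $UNPRIVPORTS -j ACCEPT
#
#ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
#  -s $IPADDR $UNPRIVPORTS \
#  -d $ANYWHERE $UNPRIVPORTS -j ACCEPT

# --------------------------------------------------------------------
# HTTP (80) - Accessing Remote Web Sites as a Client
# --------------------------------------------------
ipchains -A output -i "$EXTERNAL_INTERFACE" -p tcp \
  -s "$IPADDR" "$UNPRIVPORTS" \
  -d "$ANYWHERE" 80 -j ACCEPT
ipchains -A input -i "$EXTERNAL_INTERFACE" -p tcp ! -y \
  -s "$ANYWHERE" 80 \
  -d "$IPADDR" "$UNPRIVPORTS" -j ACCEPT

# HTTP (80) - Allowing Remote Access to a Local Web Server
# --------------------------------------------------------
#ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
#  -s $ANYWHERE $UNPRIVPORTS \
#  -d $IPADDR 80 -j ACCEPT
#
#ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
#  -s $IPADDR 80 \
#  -d $ANYWHERE $UNPRIVPORTS -j ACCEPT

# HTTPS (443) - Accessing Remote Web Sites Over SSL as a Client
# -------------------------------------------------------------
ipchains -A output -i "$EXTERNAL_INTERFACE" -p tcp \
  -s "$IPADDR" "$UNPRIVPORTS" \
  -d "$ANYWHERE" 443 -j ACCEPT
ipchains -A input -i "$EXTERNAL_INTERFACE" -p tcp ! -y \
  -s "$ANYWHERE" 443 \
  -d "$IPADDR" "$UNPRIVPORTS" -j ACCEPT

# HTTPS (443) - Allowing Remote Access to a Local SSL Web Server
# --------------------------------------------------------------
#ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
#  -s $ANYWHERE $UNPRIVPORTS \
#  -d $IPADDR 443 -j ACCEPT
#
#ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
#  -s $IPADDR 443 \
#  -d $ANYWHERE $UNPRIVPORTS -j ACCEPT

# --------------------------------------------------------------------
# HTTP Proxy client (8008/8080)
# -----------------------------
#ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
#  -s $IPADDR $UNPRIVPORTS \
#  -d $WEB_PROXY_SERVER $WEB_PROXY_PORT -j ACCEPT
#
#ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
#  -s $WEB_PROXY_SERVER $WEB_PROXY_PORT \
#  -d $IPADDR $UNPRIVPORTS -j ACCEPT

# --------------------------------------------------------------------
# FINGER (79) - Accessing Remote finger Servers as a Client
# ---------------------------------------------------------
ipchains -A output -i "$EXTERNAL_INTERFACE" -p tcp \
  -s "$IPADDR" "$UNPRIVPORTS" \
  -d "$ANYWHERE" 79 -j ACCEPT
ipchains -A input -i "$EXTERNAL_INTERFACE" -p tcp ! -y \
  -s "$ANYWHERE" 79 \
  -d "$IPADDR" "$UNPRIVPORTS" -j ACCEPT

# FINGER (79) - Allowing Remote Client Access to a Local finger Server
# --------------------------------------------------------------------
#ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
#  -s $UNPRIVPORTS \
#  -d $IPADDR 79 -j ACCEPT
#
#ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
#  -s $IPADDR 79 \
#  -d $UNPRIVPORTS -j ACCEPT

# --------------------------------------------------------------------
# WHOIS client (43)
# -----------------
ipchains -A output -i "$EXTERNAL_INTERFACE" -p tcp \
  -s "$IPADDR" "$UNPRIVPORTS" \
  -d "$ANYWHERE" 43 -j ACCEPT
ipchains -A input -i "$EXTERNAL_INTERFACE" -p tcp ! -y \
  -s "$ANYWHERE" 43 \
  -d "$IPADDR" "$UNPRIVPORTS" -j ACCEPT

# --------------------------------------------------------------------
# Gopher client (70)
# ------------------
ipchains -A output -i "$EXTERNAL_INTERFACE" -p tcp \
  -s "$IPADDR" "$UNPRIVPORTS" \
  -d "$ANYWHERE" 70 -j ACCEPT
ipchains -A input -i "$EXTERNAL_INTERFACE" -p tcp ! -y \
  -s "$ANYWHERE" 70 \
  -d "$IPADDR" "$UNPRIVPORTS" -j ACCEPT

# --------------------------------------------------------------------
# WAIS client (210)
# -----------------
ipchains -A output -i "$EXTERNAL_INTERFACE" -p tcp \
  -s "$IPADDR" "$UNPRIVPORTS" \
  -d "$ANYWHERE" 210 -j ACCEPT
ipchains -A input -i "$EXTERNAL_INTERFACE" -p tcp ! -y \
  -s "$ANYWHERE" 210 \
  -d "$IPADDR" "$UNPRIVPORTS" -j ACCEPT

# --------------------------------------------------------------------
# UDP accept only on selected ports

# TRACEROUTE
# traceroute usually uses -S 32769:65535 -D 33434:33523
# -----------------------------------------------------

# Enabling Outgoing traceroute Requests
# -------------------------------------
ipchains -A output -i "$EXTERNAL_INTERFACE" -p udp \
  -s "$IPADDR" "$TRACEROUTE_SRC_PORTS" \
  -d "$ANYWHERE" "$TRACEROUTE_DEST_PORTS" -j ACCEPT

# incoming query from the ISP.
# All others are denied by default.
# ---------------------------------
ipchains -A input -i "$EXTERNAL_INTERFACE" -p udp \
  -s "$MY_ISP" "$TRACEROUTE_SRC_PORTS" \
  -d "$IPADDR" "$TRACEROUTE_DEST_PORTS" -j ACCEPT

# --------------------------------------------------------------------
# DHCP client (67, 68)
# --------------------

# INIT or REBINDING: No lease or Lease time expired.
ipchains -A output -i "$EXTERNAL_INTERFACE" -p udp \
  -s "$BROADCAST_SRC" 68 \
  -d "$BROADCAST_DEST" 67 -j ACCEPT

# Getting renumbered
ipchains -A input -i "$EXTERNAL_INTERFACE" -p udp \
  -s "$BROADCAST_SRC" 67 \
  -d "$BROADCAST_DEST" 68 -j ACCEPT

# The server-specific rules need a server address; with DHCP_SERVER
# empty they would be malformed, so they are skipped (the broadcast
# rules above still let a fresh lease be obtained).
if [ -n "$DHCP_SERVER" ]; then
  ipchains -A input -i "$EXTERNAL_INTERFACE" -p udp \
    -s "$DHCP_SERVER" 67 \
    -d "$BROADCAST_DEST" 68 -j ACCEPT
  ipchains -A output -i "$EXTERNAL_INTERFACE" -p udp \
    -s "$BROADCAST_SRC" 68 \
    -d "$DHCP_SERVER" 67 -j ACCEPT

  # As a result of the above, we're supposed to change our IP
  # address with this message, which is addressed to our new
  # address before the dhcp client has received the update.
  ipchains -A input -i "$EXTERNAL_INTERFACE" -p udp \
    -s "$DHCP_SERVER" 67 \
    -d "$MY_ISP" 68 -j ACCEPT

  ipchains -A input -i "$EXTERNAL_INTERFACE" -p udp \
    -s "$DHCP_SERVER" 67 \
    -d "$IPADDR" 68 -j ACCEPT
  ipchains -A output -i "$EXTERNAL_INTERFACE" -p udp \
    -s "$IPADDR" 68 \
    -d "$DHCP_SERVER" 67 -j ACCEPT
else
  echo "rc.firewall: DHCP_SERVER unknown - server-specific DHCP rules skipped." >&2
fi

# --------------------------------------------------------------------
# NTP (123) - Accessing Remote Network Time Servers
# -------------------------------------------------

# Space-separated list; the unquoted expansion below splits it on purpose.
NTP_SERVERS="24.147.1.16 128.105.39.11 63.192.96.2"

for i in $NTP_SERVERS; do
  # client (unprivileged source port) and symmetric (123 <-> 123) modes
  ipchains -A output -i "$EXTERNAL_INTERFACE" -p udp \
    -s "$IPADDR" "$UNPRIVPORTS" \
    -d "$i" 123 -j ACCEPT
  ipchains -A input -i "$EXTERNAL_INTERFACE" -p udp \
    -s "$i" 123 \
    -d "$IPADDR" "$UNPRIVPORTS" -j ACCEPT

  ipchains -A output -i "$EXTERNAL_INTERFACE" -p udp \
    -s "$IPADDR" 123 \
    -d "$i" 123 -j ACCEPT
  ipchains -A input -i "$EXTERNAL_INTERFACE" -p udp \
    -s "$i" 123 \
    -d "$IPADDR" 123 -j ACCEPT
done

# --------------------------------------------------------------------
# ICMP
# (for -p icmp the -s "port" is the ICMP type)

# (4) Source_Quench
# incoming & outgoing requests to slow down (flow control)
ipchains -A input -i "$EXTERNAL_INTERFACE" -p icmp \
  -s "$ANYWHERE" 4 -d "$IPADDR" -j ACCEPT
ipchains -A output -i "$EXTERNAL_INTERFACE" -p icmp \
  -s "$IPADDR" 4 -d "$ANYWHERE" -j ACCEPT

# (12) Parameter_Problem
# incoming & outgoing error messages
ipchains -A input -i "$EXTERNAL_INTERFACE" -p icmp \
  -s "$ANYWHERE" 12 -d "$IPADDR" -j ACCEPT
ipchains -A output -i "$EXTERNAL_INTERFACE" -p icmp \
  -s "$IPADDR" 12 -d "$ANYWHERE" -j ACCEPT

# (3) Dest_Unreachable, Service_Unavailable
# incoming & outgoing size negotiation, service or
# destination unavailability, final traceroute response
ipchains -A input -i "$EXTERNAL_INTERFACE" -p icmp \
  -s "$ANYWHERE" 3 -d "$IPADDR" -j ACCEPT
ipchains -A output -i "$EXTERNAL_INTERFACE" -p icmp \
  -s "$IPADDR" 3 -d "$MY_ISP" -j ACCEPT
ipchains -A output -i "$EXTERNAL_INTERFACE" -p icmp \
  -s "$IPADDR" fragmentation-needed -d "$ANYWHERE" -j ACCEPT

# (11) Time_Exceeded
# incoming & outgoing time out conditions,
# also intermediate TTL response to traceroutes
ipchains -A input -i "$EXTERNAL_INTERFACE" -p icmp \
  -s "$ANYWHERE" 11 -d "$IPADDR" -j ACCEPT
ipchains -A output -i "$EXTERNAL_INTERFACE" -p icmp \
  -s "$IPADDR" 11 -d "$MY_ISP" -j ACCEPT

# allow outgoing pings to anywhere
ipchains -A output -i "$EXTERNAL_INTERFACE" -p icmp \
  -s "$IPADDR" 8 -d "$ANYWHERE" -j ACCEPT
ipchains -A input -i "$EXTERNAL_INTERFACE" -p icmp \
  -s "$ANYWHERE" 0 -d "$IPADDR" -j ACCEPT

# allow incoming pings from trusted hosts
ipchains -A input -i "$EXTERNAL_INTERFACE" -p icmp \
  -s "$MY_ISP" 8 -d "$IPADDR" -j ACCEPT
ipchains -A output -i "$EXTERNAL_INTERFACE" -p icmp \
  -s "$IPADDR" 0 -d "$MY_ISP" -j ACCEPT

# ----------------------------------------------------------------------------
# Enable logging for selected denied packets
# Note that these ports are blocked by default.
# The following rules merely enable logging for blocked packets.

# TCP
ipchains -A input -i "$EXTERNAL_INTERFACE" -p tcp -j DENY -l

# Useful for debugging
ipchains -A output -i "$EXTERNAL_INTERFACE" -p tcp -j REJECT -l

# UDP
ipchains -A input -i "$EXTERNAL_INTERFACE" -p udp -j DENY -l

# Useful for debugging
ipchains -A output -i "$EXTERNAL_INTERFACE" -p udp -j REJECT -l

# ICMP
ipchains -A input -i "$EXTERNAL_INTERFACE" -p icmp -j DENY -l
ipchains -A output -i "$EXTERNAL_INTERFACE" -j REJECT -l

# --------------------------------------------------------------------
echo "Starting firewalling...done."
exit 0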