If you are unfamiliar with how TCP/IP packet filters work, the following should give you a decent start. Please understand that if you don't understand what is being described below, you should probably do a little research on how TCP/IP works.
Think of a IPCHAINS or IPFWADM rule set like the following:
DENY:
If you TELNET to a box that "denies" TELNET traffic, your TELNET client will just sit there and try for a period to connect to that remote host. Ultimately, the TELNET request will eventually timeout.
REJECT:
If you TELNET to a box that "rejects" TELNET traffic, your TELNET request traffic will be met with an ICMP message telling the originator that the traffic was rejected. This is the normal behavior for a machine that does not SUPPORT telnet server access in the first place (like stock versions of MS Windows9x, NT, etc.).
If someone connects to your server and you REJECT their traffic, it seems to them as if your computer cannot serve, say, TELNET connections. If you DENY the traffic, then their TELNET traffic just dies and their TELNET client eventually times out.
So? With REJECT, a hacker doesn't know if your machine CAN or CAN NOT run a TELNET server. With DENY, a hacker will always KNOW that you are filtering them. I feel that a firewall using REJECTs make your box look "simpler" and thus less interesting to attack.
So , lets explain how a packet firewall works with an example:
Say you have a TELNET packet (port 23) from the Internet that wants to reach your Linux box
FYI: Some ideas of possible packet firewall rules can include:
Then let the packet IN though the packet firewall. If not matched, the packet is either REJECTED or DENIED. You can also log the fact that this packet was killed.
Once the reply TELNET traffic is generated, the actual return traffic will be returned on a HIGH PORT ( port > 1024 ) and NOT on port 23.
If you don't understand this, please read up on TCP/IP fundamentals since this discussion is out of the scope of TrinityOS.
For this example, lets say the return TELNET traffic is on port 3200. Now, this return port 3200 traffic is then sent to the OUTPUT filter of the EXTERNAL NIC card.
NOTE: This is is what a "router" does on a basic level.
+-------------------------------+
| Linux TCP/IP stack |
|_______________________________|
| (3) Telnetd Server |
{PORT 23} |_______________________________| (Port 3200)
(2) +--->| Input: Forward: Output: |-------------+ (4)
| +-------------------------------+ |
| |
| |
+------------+ | +------------+ |
| Input | | | Output |<--+
| Rule | | | Rule | ^
{PORT 23} | | | | | |
(1) +-IN--->| P a s s ? |---+ +--------------| P a s s ? | |
| | or | | | or | |
^ |Deny/Reject?| | (5) |Deny/Reject?| |
--------- +------------+ | +------+-----+ |
*Send* | | | |
--------- v Check if packet v |
Remote Dump Packet No +---- needs to be Dump Packet |
Internet (possibly log it) | forwarded (possibly log it) |
site | | |
--------- | (6) | Yes |
*Received* | | |
--------- | v |
^ | +--------------+ +---------------^------+
| {PORT 3200} | | Forward | | Write the packet for |
(7) +-----------------------------+ | Rule | | the destination |
| | | network address |
| | | |
Dump Packet <------|Don't Forward?| | Possibly re-write the|
(possibly log it) | | |SRC addresses for MASQ|
| Forward? | +----------------------+
| or | ^
|FWD & MASQ it |-----------------------+
+--------------+
Basically, IP MASQ's main mechanism works when an INTERNAL machine initiates traffic to the outside world. External machines on the Internet CAN directly communicate to an internal machine(s) with the aid of PORTFWing but this is better explained in the IP Masquerade HOWTO. PORTFW support IS included in the TrinityOS firewall ruleset but for a full explination, again, please see the IP Masqerade HOWTO.
Anyway, when an internal machine (for now, in that diagram in the URL above, think of the "Remote Internet Site" on the left with your internal machine. If this diagram confuses you, just skip it and read through this example..
1. Say the internal machine trys to TELNET to some server out on the Internet.
For this explict example, this example is:
Source src IP: 192.160.0.10
src port: 3200
dst port: 23
Linux : src IP: 111.222.212.222
External src port: 64000
dst port: 23
Destination: dest IP: 222.020.222.111
dst port: 23
2. The MASQ server receives this request from the MASQed PC over the Internal
interface and it hits the Input firewall. Here, the input firewall can
either accept the packet or deny it. For this example, assume it will be
ACCEPTed.
3. Now, if the packet was also allowed through the OUTPUT firewall, the
TELNET would be finally forwarded through the MASQ server unchanged
except...
3M. Notice that src port IP address of the TELNET is a private RFC1918 address?
These addresses aren't routable on the Internet so it must be changed to
a public address. To be able to track this change, the SRC port address
will be changed as well.
The changes in IP address and port number is IP MASQ in action! What Masq
basically does is RECORDs the traffic type (for this example, 23, TELNET),
where the traffic is going (DST IP address, 222.020.222.111) and the
original SRC port (SRC port 3200) from the MASQed client. It takes all
this information and puts it into a MASQUERADE table.
It then will re-send this TELNET traffic out on its EXTERNAL NIC but it
will also alter the packet. It will both re-addresses the Source IP address
(SRC IP) with the MASQ server's own external IP address and change the
source port (SRC port) to something in the range of 61000-64096. So, the
packet would now look something like:
Source: SRC IP: 111.222.212.222
SRC port: 64000
Destination: DST IP: 222.020.222.111
DST port: 23
4. When the response comes back from that remote TELNET server, the Linux
MASQ server will recognise that this traffic as coming back from a server
that is in the MASQ table. It would then take the packet and first verify
that it should be allowed through the INPUT section of the firewall.
Next, it would then replace the destination IP address (DST IP) with the
correct FINAL IP address of original internal TELNET client and also change
the original SRC port address back to 3200.
The returning packet now looks like:
Source: DST IP: 222.020.222.111
DST port: 23
Destination: SRC IP: 192.160.0.10
SRC port 3200
Get it?
If you want another explination of how MASQ works, I wrote a semi-comprehensive
article about it in the August 1999 version of Linux Magazine. You can get an
online version of it at:
http://www.linux-mag.com/1999-08/guru_01.html
Now, I want to quickly comment on the use of HIGH TCP/IP ports and what is the difference between a PACKET firewall and a STATEFULLY INSPECTED firewall. Though you might let port 23 OUT of your Linux box (TELNET), if you don't also allow ports 1024-65535 back INTO your Linux box, TELNET won't work.
Now you might be thinking that letting in ALL high ports back into your Linux box is a BAD thing. You know what? YOU'RE RIGHT!
Realistically, it would be nice to only allow in only the return HIGH ports that you need. This is what the "-k" option in IPFWADM or "! -y" is for IPCHAINS. The problem is, IPFWADM and IPCHAINS aren't smart enough yet to understand all TCP/IP programs such like TELNET, WWW, SSH, etc. So, some programs you can lock down the high ports with the "-k" or "! -y" options while other programs will have to be configured to allow all 1024-65535 ports in.
Bummer huh? So your next question should be "Do others firewalls have this problem?" NO! Why? Because they use a technology called "Stateful Inspection".
Stateful firewalls actually listen to ALL network traffic step-by-step to make sure that everything is going 100% correctly.
Analogy:
Packet firewall: A packet firewall only checks for source and destination IP addresses and port numbers. Kinda like a strainer for different colored marbles (if one exists).
Stateful Firewall: A stateful firewall not only checks for source and destination IP addresses and port numbers, but it also LISTENS to all TCP/IP communications to make sure that all of the "communications" are following all procedures. Think of it as a realtime grammer and spell checker for "languages" like TELNET, WWW, etc. Hackers try to re-write the "language" to try to break into it, crash it, etc. A stateful firewall will see a given TCP/IP connection running a "language" like TELNET doing weird stuff that it shouldn't be doing and then it simply drops that weird packet. Much better huh?
So your next question should be: "I want a statefully inspected firewall for Linux and NOT a packet firewall. Where do I get one?!?!"
Well.. it now exists in IPTABLES under the 2.4.x kernels. This is a huge step for for Linux. Unfortunately, if you also need to use IP Masquerading (NAT), the MASQ support for some protocols under the 2.4.x kernel isn't on par with the 2.2.x kernel set. If you don't use IPMASQ, then then IPTABLES is a great solution. It should also be noted that non-IPMASQ users can still use their IPCHAINS rulesets under 2.4.x kernels with the aid of the ipchains.o kernel module.
For now, TrinityOS only covers IPCHAINS and an older IPFWADM ruleset. A IPTABLES ruleset is under developement but is a slow project as it is an entire rewrite and will offer far more features.
Once you setup one of the firewalls shown below, you might have some problems getting running or your might be getting strange new messages on the console. What do these messages mean?
In the below rule sets, any lines that either DENY or REJECT any traffic also have a "-o" to LOG this firewall hit to the SYSLOG messages file found either in:
Redhat: /var/log Slackware: /var/adm
If you look at one of these firewall logs, you would see something like:
The kernel logs this information looking like:
IPCHAINS:
Packet log: input DENY eth0 PROTO=17 12.75.147.174:1633 100.200.0.212:23
L=44 S=0x00 I=54054 F=0x0040 T=254
IPFWADM:
Feb 23 07:37:01 Roadrunner kernel: IP fw-in rej eth0 TCP 12.75.147.174:1633
100.200.0.212:23 L=44 S=0x00 I=54054 F=0x0040 T=254
There is a LOT of information in this just one line. Let break out this example so refer back to the original firewall hit as you read this. Please note that this example is for IPFWADM though it is DIRECTLY readable for IPCHAINS users.
NOTE: To understand all the various port numbers, protocol numbers, etc., I recommend you to go to the TOP URL in Section 5 and get all of the various documents from the IANA and put them in /etc/iana.
- This firewall "hit" occurred on: "Feb 23 07:37:01"
- This hit was on the "RoadRunner" computer.
- This hit occurred on the "IP" or TCP/IP protocol
- This hit came IN to ("fw-in") the firewall
* Other logs can say "fw-out" for OUT or "fw-fwd" for FORWARD
- This hit was then "rejECTED".
* Other logs can say "deny" or "accept"
- This firewall hit was on the "eth0" interface (Internet link)
- This hit was a "TCP" packet
- This hit came from IP address "12.75.147.174" on return port "1633".
- This hit was addressed to "100.200.0.212" to port "23" or TELNET.
* If you don't know that port 23 is for TELNET, look at your
/etc/services file to see what other ports are used for.
- This packet was "44" bytes long
- This packet did NOT have any "Type of Service" (TOS) set
--Don't worry if you don't understand this; not required to know
* divide this by 4 to get the Type of Service for ipchains users
- This packet had the "IP ID" number of "18"
--Don't worry if you don't understand this; not required to know
- This packet had a 16bit fragment offset including any TCP/IP packet
flags of "0x0000"
--Don't worry if you don't understand this; not required to know
* A value that started with "0x2..." or "0x3..." means the "More
Fragments" bit was set so more fragmented packet will be coming in
to complete this one BIG packet.
* A value which started with "0x4..." or "0x5..." means that the
"Don't Fragment" bit is set.
* Any other values is the Fragment offset (divided by 8) to be later
used to recombinw into the original LARGE packet
- This packet had a TimeToLive (TTL) of 20.
* Every hop over the Internet will subtract (1) from this number. Usually,
packets will start with a number of (255) and if that number ever reaches
(0), it means that realistically the packet was lost and will be deleted.
So, with basic understanding now, lets get either your MASQing or NON-MASQing Network up!
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
++ ++
++ NOTE: TrinityOS covers both IPCHAINS and IPFWADM firewall rule sets. ++
++ -------------------------------------------------------------- ++
++ ++
++ ** Please note that the IPCHAINS ruleset is VASTLY more secure and ++
++ and powerful when compared to the IPFWADM ruleset. Due to the ++
++ power and maintinance of IPCHAINS compared to IPFWADM, I recommend ++
++ that any user that MUST run a 2.0.x kernel, that they patch their ++
++ kernel to support IPCHAINS and use this newer ruleset ++
++ ++
++ In the future, I will be replacing ALL rule sets with a modular ++
++ system so all Secured IPs will be configured via a seperate file ++
++ This will let users update their main firewall rule sets to newer ++
++ verions without ANY manual customization for their environment. ++
++ ++
++ This new system is already designed but I need to finish it up. ++
++ ++
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
- First, you need to make sure you have either the "ipchains" or "ipfwadm" or firewall programs. To check, run the commmand "whereis ipfwadm" or "whereis ipchains". If its there, you're set. If not, download it from the URL in Section 5
* VERY IMPORTANT:
- Next, create the file /etc/rc.d/rc.firewall
Slackware Users: DELETE the module info in the following IPFWADM rule set and put it in the /etc/rc.d/rc.modules file instead
- NOTE: If you don't plan to use some of these modules, comment or un-comment the various lines (I've already commented out cuseeme, irc, quake, and vdolive).
Edit the following file to use the proper configuration below depending if you are running a 2.2.x+ kernel (IPCHAINS) or a <2.0.x kernel (IPFWADM).
All of TrinityOS's step-by-step instructions, files, and scripts are fully scripted out for an automatic installation at:
http://www.ecst.csuchico.edu/~dranch/LINUX/TrinityOS-security/TrinityOS-security.tar.gz
The simple (WEAK) firewall rule set for IPCHAINS or IPFWADM :
--
#!/bin/sh
# Simple firewall rule set for both IPCHAINS and IPFWADM
# v3.00
echo "Enabling IP MASQ, MASQ timeouts, MASQ modules and simple firewalling"
#Load the MASQ modules
#BSDComp
/sbin/modprobe bsd_comp
#
echo Loading MASQ modules
#/sbin/modprobe ip_masq_cuseeme
/sbin/modprobe ip_masq_ftp
#/sbin/modprobe ip_masq_irc
#/sbin/modprobe ip_masq_quake
#/sbin/modprobe ip_masq_vdolive
# NOTE: Though Real Audio will work without this module, the data
# will be coming in TCP mode vs. UDP mode. With this
# module, you can enable UDP mode and possibly clean up
# any "glitches" in the sound stream
/sbin/modprobe ip_masq_raudio
# Finished with MASQ modules
# Multicast is a powerful, yet seldom used aspect of TCP/IP for multimedia
# data. Though it isn't used much now (because most ISPs don't enable
# multicast on their networks, it will be very common in a few more
# years. Check out www.mbone.com for more detail.
#
# NOTE: Adding this feature is OPTIONAL
#
echo "Adding multicast route.."
/sbin/route add -net 224.0.0.0 netmask 240.0.0.0 dev eth0
echo "Enabling IP Masqurading.."
echo "1" > /proc/sys/net/ipv4/ip_forward
#Note: Redhat users can enable this also by turning the
# flag forward flag on in /etc/sysconfig/network
#
# Change the forward line to
# FORWARD_IPV4=true
#--------------------------------------------------------------------------
# NOTE: The following simple IPFWADM and IPCHAINS rule set is purely to
# *test* IP MASQ functionality.
#
# Though this rule set will work for
# ALL users, it WILL NOT give you any good protection from lusers
# (security crackers, etc) out on the Internet. Trust me, now that
# you are using a UNIX box, you need all the protection you can get!
# Once you can confirm that is MASQ working properly, I *HIGHLY*
# recommend that you -delete- this simple rc.firewall script and
# replace it with the strong IPCHAINS or IPFWADM rule sets shown
# later in this section!
#---------------------------------------------------------------------
#2.2.x+ kernels with IPCHAINS ONLY
#
echo " - Setting Policies: IN/OUT is ACCEPT; FWD is reject (poor security; great functionality)"
/sbin/ipchains -P input ACCEPT
/sbin/ipchains -P output ACCEPT
/sbin/ipchains -P forward REJECT
echo " - Flushing any old rule sets"
/sbin/ipchains -F input
/sbin/ipchains -F output
/sbin/ipchains -F forward
# 2.0.x kernels and IPFWADM users ONLY
#
#echo " - Setting Policies: IN/OUT is ACCEPT; FWD is reject (poor security; great functionality)"
#/sbin/ipfwadm -I -p accept
#/sbin/ipfwadm -O -p accpet
#/sbin/ipfwadm -F -p reject
#echo " - Flushing any old rule sets"
#/sbin/ipfwadm -I -f
#/sbin/ipfwadm -O -f
#/sbin/ipfwadm -F -f
echo "Extending MASQ timeouts.."
# 2 hrs timeout for TCP session timeouts
# 10 sec timeout for traffic after the TCP/IP "FIN" packet is received
# 60 sec timeout for UDP traffic (Important for MASQ'ed ICQ users)
#
# IPCHAINS
/sbin/ipchains -M -S 7200 10 60
#
# IPFWADM
#/sbin/ipfwadm -M -s 7200 10 60
echo "Enable IP Masq.."
#
#IPCHAINS
ipchains -A forward -s 192.168.0.0/24 -j MASQ
#
#IPFWADM
#/sbin/ipfwadm -F -a m -S 192.168.0.0/24 -D 0.0.0.0/0 -W eth0
echo "rc.firewall done."
----
Next, append this to the end of the "/etc/rc.d/rc.local" file
All distributions:
--
#Run the IP MASQ and firewall script
/etc/rc.d/rc.firewall
--
- Finally, make the rc.firewall file ROOT executable ONLY
chmod 700 /etc/rc.d/rc.firewall
That's it. Go ahead and run the new ruleset by typing in /etc/rc.d/rc.firewall and make sure that the Linux box can still access the Internet both by IP address and DNS names. For Masquerade users, also make sure that INTERNAL masqed PCs can access the Internet by both methods. If things do NOT work for you, please see Section 5 of the IP Masquerade HOWTO at http://www.ecst.csuchico.edu/~dranch/LINUX/ipmasq/c-html/. This document will help you troubleshoot any issues.
Once you confirm that IP-MASQ works ok, it is *HIGHLY* recommended to replace the above WEAK rule sets with one of the below STRONG rule sets.
############################################################################# # MASQ rc.firewall # # # # - There are -3- rule sets listed below: # # # # 1. Strong rc.firewall rule set for IPCHAINS w/ and w/o MASQ support # # for single, dual, and even three NIC configurations. # # # # ^^ This is current the ONLY rule set that is maintained ^^ # # # # 2. Strong rc.firewall rule set for IPFWADM w/ MASQ support # # # # 3. Strong rc.firewall rule set for IPFWADM w/o MASQ support for # # single NIC Linux boxes. # # # # - As mentioned above, once you have confirmed that the initial MASQ # # functionality, You *SHOULD* either create your own strong firewall # # rule set or use the following TrinityOS firewall rule set. # # # #############################################################################
*** If you aren't running MASQ, check out the other firewall rule set that follows after this one. ***
NOTE: You will have to edit this to allow machines you care about into your machine. All of this is well commented though.
NOTE #2: Even if you aren't running MASQ, you should modify these rule sets to suit your needs and APPLY them!!! You DO need some protection from the Internet!
------------------------------------------------------------------------------
All of TrinityOS's step-by-step instructions, files, and scripts are fully scripted out for an automatic installation at:
http://www.ecst.csuchico.edu/~dranch/LINUX/TrinityOS-security/TrinityOS-security.tar.gz
or you can just get the file here: http://www.ecst.csuchico.edu/~dranch/LINUX/TrinityOS-security/etc/rc.d/
It is HIGHLY recommended that you get the rc.firewall and the other TrinityOS scripts from the TrinityOS-Security archive (URL above) as it will help avoid typos, etc. *** Do NOT try to cut and paste the various scripts via a web browser into a text editor. If you do this, you will most likely find that the resulting scripts will have formatting errors (thus syntax errors) and also most likely every line will have ^M characters at the end of it which will abnormally terminate the script trying to be run. -----------------------------------------------------------------------------
+------------------------------------------------------------------+ | rc.firewall for MASQ setups with a STRONG IPCHAINS RULE SET for | | 2.4.x, 2.2.x, and patched 2.0.x. kernels | +------------------------------------------------------------------+
CRITICAL NOTE:
/etc/rc.d/rc.firewall
<TrinityOS rule set START>
#!/bin/sh
# ------------------------------------------------------------------------------
FWVER="v4.21-123nic"
#
# Part of the copyrighted and trademarked TrinityOS document.
# http://www.ecst.csuchico.edu/~dranch/LINUX/index-linux.html
#
# Written and Maintained by David A. Ranch
# dranch at trinnet dot net
#
# You may use this file for private or internal commercial use ONLY.
#
# Any duplication and/or use of this file or its contents for direct
# commercial (commercial being for profit) applications and/or
# written publications (be it for profit OR free) must be granted
# by written permission from David Ranch. Basically, just ASK me..
# I'm a pretty easy going guy but DON'T assume anything. Ok?
#
# Sorry for the harsh language here but the TrinityOS ruleset has been
# taken advantage of recently.
#
# --
# Summary:
#
# The TrinityOS ruleset is a comprehensive IPCHAINS ruleset that
# supports filtering for 1, 2, and 3 network interfaces. This allows
# for strong filtering for simple one interface PPP users, two interface
# MASQ users, and even three interface MASQ users with a DMZ segment. In
# addition to all this, TrinityOS allows to explictly filter various types of
# traffic including ICMP, known trojan horse traffic, etc.
#
# NOTE: The current 4.00 firewall version requires that the INTIF
# (internal) interface be configured to then allow for the INT2IF
# (DMZ network) to function. If there is enough requests, I can
# rework the ruleset to let INTIF and INT2IF load independantly.
#
# ------------------------------------------------------------------------------
# You can get this file at:
#
# http://www.ecst.csuchico.edu/~dranch/LINUX/index-linux.html#trinityos
# ------------------------------------------------------------------------------
#
# Personal Changes:
#
# Put any of your own version notes HERE. Its a good idea to document
# what you've changed.
#
# ------------------------------------------------------------------------------
#
# TrinityOS Rule Set History:
#
# 04/16/05 - 4.21
# - Updated the bogon list to reflect changed bogon listing and
# added output Multicast and NFS traffic filters
# 01/29/03 - 4.20
# - The INT2BROAD variable was missing for the DMZ configuration
# but the proper setting was being automatically used regardless.
#
# 01/13/03 - 4.10
# - The latter half of the OUTPUT section was using $UNIVERSE/0
# instead of $UNIVERSE which was already set to 0.0.0.0/0.
# This was a harmless typo and didn't hurt anything but was
# incorrect
#
# 12/30/01 - 4.05
# - Somehow ip_forward was getting set to "0" instead of "1"
# - Added comments when a 2.4.x kernel is found that running
# IPCHAINS emulation is NOT recommended due to poor MASQ
# support. It is recommended to run a native IPTABLES ruleset
# under 2.4.x kernels.
#
# 12/01/01 - 4.03
# - Added an echo statement to let things run if you dont use
# DHCP
# - Added filters for the SubSeven trojan
# - Added comments to let peopel know that NOT having the
# ip_dynaddr or ip_defrag option is ok
#
# 11/09/01 - 4.02
# - Disabled external DNSd and SMTPd server options as per the
# default.
# - Added comments and #ed out DHCPd for eth1 (input and output)
# - split up the SSHd and DNSd enable/disable area for eth1
# - #ed out SSHd and DNSd access (output) per the correct default
#
# 10/04/01 - 4.01f
# - added ipchains check for 2.4.x kernels
# - make sure that dhcpc is really enabled by default
# - Added a logger line to send final result to SYSLOG
#
# 09/06/01 - v4.01
# - Fixed some syntax issues with left/right parens
# - replaced all the bash -n if..thens with string checks since
# it seems that bash doesnt know what to do with non-initialized
# vars
# - ** check for all foo entries
#
# 09/03/01 - v4.00
#
# - Changed the DMZ section to now allow full SSH connectivity between
# the DMZ and internal NICs.
# - Moved the INPUT DMZ-specific ALLOW/REJECT section to be below the
# input SECUREHOST section
# - Updated and rearranged the debug logging section
# - Added #ed out support for the H.323 IPMASQ module
# - Added PPTP support for MASQed clients
#
# 06/20/01 - v3.85
# - The IPCHAINS ruleset now can support single interface machines
# for those users who just want a firewall but aren't MASQing, etc.
# - To enable this new feature, the INTIF variable (internal interface)
# needs to be set but left EMPTY. With this set, the other INTIF
# sections will be disabled via IF..THEN checks.
#
# 03/20/01 - v3.83d-3NIC
#
# - Added 3rd NIC (eth2) for DMZ applications like 802.11b wireless networks
#
# eth0 = Internet [ public IP ]
# eth1 = internal trusted net [ 192.168.0.x ]
# eth2 = DMZ wireless network (not trusted) [ 192.168.10.x ]
#
# This DMZ interface can ONLY do the following globally
# - DHCP, DNS, internet WWW, internet FTP
# - SSH (to the internet and devices on the INT interface
# (eth1)
# - ping machines on the Internet AND devices on eth1
#
# This interface CANNOT
# - accept FTP
# - SSH any hosts on eth1
#
# The reason that I implimented this DMZ setup is for wireless networks.
# Ultimately, the 802.11b WEP encryption spec is flawed and can be completely
# sniffed within a matter of hours. Because of this, you should ONLY allow
# encrypted streams: SSH, IPSEC, and maybe PPTP.
#
# v3.83d - 03/06/01
# - Fixed a typo (stray #) where the RFC1918 10.x.x.x network was
# NOT being filtered in the OUTPUT section
#
# v3.83c - 01/27/01
# - Fixed a wrong output netmask for NET-TEST-B being a /12 instead
# of a /16. But, this really doesn't matter as I have disabled
# the filtering of reserved IP space as ARIN constantly is releasing
# this address space to the public without any form of notification.
# See the update for v3.83a
#
# v3.83b - 01/06/01
# - Fixed a missing ".0" in the Reserved-7 filters for the 72.0.0
# networks
#
# v3.83a - 11/09/00
# - Deleted all non RFC1918 address filtering. It seems that many of the
# addresses that the IANA reports as "reserved" are actually in use.
#
# - Removed all rc.firewall history motes from v3.60 and older to
# the TrinityOS-old-updates.wri (URL is above)
#
# v3.82 - 10/28/00
# - Updated the port range for Xwindows filtering
#
# v3.81 - 10/15/00
# - Crap! Last subnet error in the Reserved-8 IANA section. Please
# change the subnet mask on 68.0.0.0 to a /6!
#
# v3.80 - 10/13/00
# - Updated the version since this really is a big update
#
# -----------------------------------------------------------------------------
# All changes older than version 3.80 have been moved to the archives available
# at:
#
# <"http://www.ecst.csuchico.edu/~dranch/LINUX/TrinityOS-old-updates.wri">
#------------------------------------------------------------------------------
#--------------------------------------------------------------------
# This configuration assumes the following (DSL / Cablemodem setup):
#
# 1) The external interface is running on "eth0"
# 2) The external IP address is dynamically or statically assigned
# 3) The optional internal interface is "eth1"
# 4) The internal network is addressed within the private
# 192.168.0.x TCP/IP addressing scheme per RFC1918A
# 5) The optional DMZ network is on eth2
#
# ****
# NOTE: All 2.2.x Linux kernels prior to 2.2.16 have TCP exploit that
# **** that when combined with tools like Sendmail can leed to a ROOT
# compromise. In addition to this, all kernels less than 2.2.11 have
# a fragmentation bug that renders all strong IPCHAINS rule sets void.
# It is CRITICAL that users upgrade the Linux kernel to at least a
# 2.2.16+ kernel for proper firewall and system security.
#
#--------------------------------------------------------------------
#********************************************************************
# Initializing
#********************************************************************
echo -e "\n\nLoading TrinityOS IPCHAINS Firewall $FWVER"
echo "----------------------------------------------------------------------"
#--------------------------------------------------------------------
# Variables
#--------------------------------------------------------------------
# The loopback interface and address
#
LOOPBACKIF="lo"
LOOPBACKIP="127.0.0.1"
# External interface device.
#
# NOTE: PPP and SLIP users will want to replace this interface
# with the correct modem interface such as "ppp0" or "sl0"
#
# For users that might have multiple PPP interfaces, you can
# try the following code. You will need to call the firewall
# from /etc/ppp/ip-up script with a "$1" appended at the end.
#
#if [ "x$1" != "x" ]; then
# EXTIF=$1
#else
# EXTIF="ippp0"
#fi
#
EXTIF="eth0"
# Make sure the external interface is up
if ! /sbin/ifconfig | grep $EXTIF > /dev/null; then
echo -e "\n\nExternal interface is DOWN. Aborting."
exit 1;
fi
echo External Interface: $EXTIF
# IP address of the external interface
#
# *
# * If you get a DYNAMIC IP address (regardless if you use PPP
# * with a modem or DHCP with Ethernet), you *MUST* make this firewall
# * rule set understand your new IP address everytime you get a new
# * IP address. To do this, enable the following one-line script.
# *
#
# (Please note that the different single and double quote characters MATTER).
#
# NOTE: Red Hat v6.0 users who run DHCP to get TCP/IP addresses
# (Cablemodems, DSL, etc) will need to install and use a different
# DHCP client than the stock client called "pump". Redhat 6.2+
# comes with a newer version of "pump" that CAN run scripts upon
# lease bringup, renew, etc. but older versions are broken.
#
# The reason for this whole issue is the old "pump" doesn't support the
# ability to run scripts run when DHCP gets an IP address.
# Specifically, DHCP doles out IP addresses to its clients for
# limited amounts of time; this is called a "lease".
# When a DHCP "lease" expires, the client will query the DHCP
# server for a "lease renewal". Though the DHCP client will
# usually get back its original IP address in the renewal, this
# is NOT always guaranteed. With this understood, if your DHCP
# client receives a different IP address than the IPCHAINS
# firewall was configured for, the firewall will block ALL
# network access in and out of the Linux server because that
# is what it was configured to do.
#
# As mentioned above, the key to solve this problem is to use a
# DHCP client program, such like DHCPcd found in Section 5, that
# can re-run the /etc/rc.d/rc.firewall rule set once a new TCP/IP
# address is set. The new rule set will then make the required
# changes to the rule sets to allow network traffic from and to
# your new TCP/IP address.
#
# With the dhcpcd program, it will need to be executed with a
# specific command line option to have the firewall rule set
# re-run upon every DHCP lease renew (please note the -c syntax
# is depreciated in newer DHCPcd clients). Please see the
# DHCPcd section in TrinityOS for full details on how to edit
# the /sbin/ifup file.
#
#
# Static TCP/IP addressed users: For EXTIP, EXTBROAD, and EXTGW, simply replace
# the pipelines with your correct TCP/IP address, broadcast address, and
# external gateway, respectively.
#
# e.g.: EXTIP="100.200.0.212"
#
EXTIP=`/sbin/ifconfig $EXTIF | awk '/inet addr/ { gsub(".*:", "", $2) ; print $2 }'`
if [ "$EXTIP" = '' ]; then
echo "Aborting: Unable to determine the IP of $EXTIF ... DHCP or PPP problem?"
exit 1
fi
echo External IP: $EXTIP
# Broadcast address of the external network
#
# Static TCP/IP addressed users:
#
# Simply delete all of the text and including the single quotes and
# replace it with your correct TCP/IP netmask enclosed in double
# quotes.
#
# e.g.: EXTBROAD="100.200.0.255"
#
EXTBROAD=`/sbin/ifconfig $EXTIF | awk '/inet addr/ { gsub(".*:", "", $3) ; print $3 }'`
echo External broadcast: $EXTBROAD
# Gateway for the external network
#
# Static TCP/IP addressed users:
#
# Simply delete all of the text and including the single quotes and
# replace it with your correct TCP/IP default gateway or "next hop
# address".
#
# e.g.: DGW="100.200.0.1"
#
EXTGW=`/sbin/route -n | grep -A 4 UG | awk '{ print $2}'`
echo Default GW: $EXTGW
echo " --- "
# Internal interface device.
#
# ** READ ME:
#
# If you don't have any other interfaces than say eth0, delete the
# word "eth1" below. i.e. make it read:
#
# INTIF=""
#
INTIF=""
if [ "$INTIF" != "" ]; then
echo "Internal Interface: $INTIF"
else
echo -e "Internal Interface: None\n** MASQ and DMZ support disabled**"
fi
if [ "$INTIF" != "" ]; then
# IP address on the internal interface
#
# ** READ ME:
#
# If you don't have any other interfaces, delete the address
# "192.168.0.1" but leave the rest. i.e. INTIP=""
#
INTIP=""
echo Internal IP: $INTIP
fi
if [ "$INTIF" != "" ]; then
# IP network address of the internal network
#
# ** READ ME:
#
# If you don't have any other interfaces, delete the address
# "192.168.0.0/24" but leave the rest. i.e. INTLAN=""
#
INTLAN=""
echo Internal LAN: $INTLAN
fi
echo " --- "
#Do not remove this check as the ruleset currently requires the INTIF
#interface to exist for the INT2IF interface to properly function.
#
if [ "$INTIF" != "" ]; then
# DMZ interface device.
#
# ** READ ME:
#
# If you don't have any other interfaces than say eth0, delete the
# word "eth2" below. i.e. make it read:
#
# INT2IF=""
#
#INT2IF="eth2"
INT2IF=""
if [ "$INT2IF" != "" ]; then
echo "DMZ network interface: $INT2IF"
else
echo -e "DMZ Interface: None\n **DMZ support disabled**"
fi
if [ "$INT2IF" != "" ]; then
# IP address on the DMZ interface
#
# If you don't have any other interfaces, delete the address
# "192.168.10.1" but leave the rest. i.e. INT2IP=""
#
INT2IP=""
echo "DMZ interface IP: $INT2IP"
fi
if [ "$INT2IF" != "" ]; then
# IP network address of the DMZ network
#
# If you don't have any other interfaces, delete the address
# "192.168.10.0/24" but leave the rest. i.e. INT2LAN=""
#
INT2LAN=""
echo DMZ network subnet: $INT2LAN
fi
if [ "$INT2IF" != "" ]; then
# IP network broadcast of the DMZ network
#
# If you don't have any other interfaces, delete the address
# "192.168.10.255" but leave the rest. i.e. INT2BROAD=""
#
INT2BROAD=""
echo DMZ network broadcast: $INT2BROAD
fi
fi
echo " --- "
# IP Mask for all IP addresses
UNIVERSE="0.0.0.0/0"
# IP Mask for broadcast transmissions
BROADCAST="255.255.255.255"
# Specification of the high unprivileged IP ports.
UNPRIVPORTS="1024:65535"
# Specification of X Window System (TCP) ports.
XWINDOWS_PORTS="6000:6063"
# The TCP/IP addresses of a specifically allowed EXTERNAL hosts
#
# NOTE: If you want to allow in an ENTIRE NETWORK, let the
# last octet of the network be a .0 and add the netmask.
# e.g.:
# SECUREHOST="200.244.0.0/26"
#
# Disabled by default.
#
#SECUREHOST="200.211.0.40"
#echo Secure Host1 IP: $SECUREHOST
#SECUREHOST2="200.211.0.41"
#echo Secure Host2 IP: $SECUREHOST2
#SECUREHOST3="200.244.0.42"
#echo Secure Host3 IP: $SECUREHOST3
#SECUREHOST4="200.244.0.43"
#echo Secure Host4 IP: $SECUREHOST4
#SECUREHOST5="200.244.0.44"
#echo Secure Host4 IP: $SECUREHOST5
# The TCP/IP addresses of a specifically allowed DMZ hosts
#
# NOTE: If you want to allow in an ENTIRE NETWORK, let the
# last octet of the network be a .0 and add the netmask.
# e.g.:
# DMZHOST1="192.168.10.10"
#
# Disabled by default.
#
#DMZHOST1="192.168.10.10"
#echo DMZ Secure Host1 IP: $DMZHOST1
#DMZHOST2="192.168.10.20"
#echo DMZ Secure Host2 IP: $DMZHOST2
# IP Port Forwarded Addresses
#
# Port forwarding allows external traffic to directly connect to an INTERNAL
# Masq'ed machine. An example need for port forwarding is the need for external
# users to directly contact a WWW server behind the MASQ server.
#
# To enable portfw, you need to un-# out and edit the lines above for one or
# more SECUREHOSTs. You then need to un-# out the PORTFW in the FORWARD
# sections of later in the rule set.
#
# If you want to simply portfw one explicit host, it should be configured via a
# SECUREHOST option above. If this PORTFW'ed port should be available for ALL
# hosts on the Inet, it should be opened up in the INPUT section much like for
# HTTP, Sendmail, etc.
#
# NOTE: Port forwarding is well beyond the scope of this documentation to
# explain the security issues implied in opening up access like this.
# Please see Appendix A to find the IP-MASQ-HOWTO for a full explanation.
#
# Disabled by default.
#
#PORTFWIP1="192.168.0.20"
#echo PortFW1 IP: $PORTFWIP1
#PORTFWIP2="192.168.0.20"
#echo PortFW2 IP: $PORTFWIP2
#PORTFWIP3="192.168.0.20"
#echo PortFW3 IP: $PORTFWIP3
# TCP/IP addresses of INTENRAL hosts network allowed to directly
# connect to the Linux server. All internal hosts are allowed
# per default.
#
# Disabled by default
#HOST1IP="192.168.0.10"
#echo Internal Host 1 IP: $HOST1IP
#HOST2IP="192.168.0.11"
#echo Internal Host 2 IP: $HOST2IP
# Logging state.
#
# Uncomment the " " line and comment the "-l" (please note is this a
# lower case "L" and NOT a numerial one) line if you want to
# disable logging of some of more important the IPCHAINS rule sets.
#
# The output of this logging can be found in the /var/log/messages
# file. It is recommended that you leave this setting enabled.
# If you need to reduce some of the logging, edit the rule sets and
# delete the "$LOGGING" syntax from the rule set that you aren't
# interested in.
#
# LOGGING=" "
echo "Logging is: ENABLED"
LOGGING="-l"
echo " --- "
#Verify that IPCHAINS is loaded for 2.4.x kernels
#
if [ -n "`/bin/uname -a | awk {'print $3'} | grep 2.4`" ]; then
echo "Running 2.4.x kernel"
echo " - Please note that running IPCHAINS emulation under a 2.4.x"
echo " is NOT recommended as various MASQ modules such as FTP, etc"
echo " will no longer function. To regain this functionality, you"
echo -e " MUST run a native IPTABLES ruleset.\n"
if [ -z "`/sbin/lsmod | grep ipchains`" ]; then
echo "loading ipchains.o"
/sbin/insmod ipchains
else
echo " ipchains.o already loaded."
fi
fi
echo " --- "
echo "----------------------------------------------------------------------"
#--------------------------------------------------------------------
# Debugging Section
#--------------------------------------------------------------------
# If you are having problems with the firewall, uncomment the lines
# below and then re-run the firewall to make sure that the firewall
# is not giving any errors, etc. The output of this debugging
# script will be in a file called /tmp/rc.firewall.dump
#--------------------------------------------------------------------
#
#echo " - Debugging."
#echo Loopback IP: $LOOPBACKIP > /tmp/rc.firewall.dump
#echo Loopback interface name: $LOOPBACKIF >> /tmp/rc.firewall.dump
#echo ----------------------------------------------------- >> /tmp/rc.firewall.dump
#echo External interface name: $EXTIF >> /tmp/rc.firewall.dump
#echo External interface IP: $EXTIP >> /tmp/rc.firewall.dump
#echo External interface broadcast IP: $EXTBROAD >> /tmp/rc.firewall.dump
#echo External interface default gateway: $EXTGW >> /tmp/rc.firewall.dump
#echo ----------------------------------------------------- >> /tmp/rc.firewall.dump
#echo Internal interface name: $INTIF >> /tmp/rc.firewall.dump
#echo Internal interface IP: $INTIP >> /tmp/rc.firewall.dump
#echo Internal LAN address: $INTLAN >> /tmp/rc.firewall.dump
#echo ----------------------------------------------------- >> /tmp/rc.firewall.dump
#echo DMZ interface name: $INT2IF >> /tmp/rc.firewall.dump
#echo DMZ interface IP: $INT2IP >> /tmp/rc.firewall.dump
#echo DMZ LAN address: $INT2LAN >> /tmp/rc.firewall.dump
#echo ----------------------------------------------------- >> /tmp/rc.firewall.dump
#echo External secured host: $SECUREHOST >> /tmp/rc.firewall.dump
#echo External secured host #2: $SECUREHOST2 >> /tmp/rc.firewall.dump
#echo External secured host #3: $SECUREHOST3 >> /tmp/rc.firewall.dump
#echo External secured host #4: $SECUREHOST4 >> /tmp/rc.firewall.dump
#echo External secured host #4: $SECUREHOST5 >> /tmp/rc.firewall.dump
#echo ----------------------------------------------------- >> /tmp/rc.firewall.dump
#echo DMZ secured host #1: $DMZHOST1 >> /tmp/rc.firewall.dump >> /tmp/rc.firewall.dump
#echo DMZ secured host #2: $DMZHOST2 >> /tmp/rc.firewall.dump >> /tmp/rc.firewall.dump
#echo ----------------------------------------------------- >> /tmp/rc.firewall.dump
#--------------------------------------------------------------------
# General
#--------------------------------------------------------------------
# Performs general processing such as setting the multicast route
# and DHCP address hacking.
#
# Multicast is a powerful, yet seldom used aspect of TCP/IP for multimedia
# data. Though it isn't used much now (because most ISPs don't enable multicast
# on their networks, it will be very common in a few more years. Check out
# www.mbone.com for more detail.
#
# Adding this feature is OPTIONAL.
#
# Disabled by default.
#echo " - Adding multicast route."
#/sbin/route add -net 224.0.0.0 netmask 240.0.0.0 dev $EXTIF
# Disable IP spoofing attacks.
#
# This drops traffic addressed for one network though it is being received on a
# different interface.
#
echo " - Disabling IP Spoofing attacks."
for file in /proc/sys/net/ipv4/conf/*/rp_filter
do
echo "2" > $file
done
# Comment the following out of you are not using a dynamic address
#
# Please note that some kernels dont have this enabled.
# If this option gives an error, you can safely ignore it.
#
echo " - Enabling dynamic TCP/IP address hacking."
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
# Enable TCP SYN Cookie protection:
#
echo " - Enable TCP SYN Cookie protection"
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
# Ensure that various ICMP sanity settings are there
#
echo " - Enable ICMP sanity settings"
# Disable ICMP broadcast echo protection
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Enable bad error message protection
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# Disable ICMP Re-directs
for file in /proc/sys/net/ipv4/conf/*/accept_redirects; do
echo "0" > $file
done
#
# Ensure that source-routed packets are dropped
# - If you are running IPROUTE2, this will need to be DISABLED
#
echo " - Ensure that source-routed packets are dropped "
for file in /proc/sys/net/ipv4/conf/*/accept_source_route; do
echo "0" > $file
done
# Log spoofed, source-routed, and redirect packets
#
echo " - Log spoofed, source-routed, and redirect packets "
for file in /proc/sys/net/ipv4/conf/*/log_martians; do
echo "1" > $file
done
#--------------------------------------------------------------------
# Type of Service (TOS) Settings
#--------------------------------------------------------------------
# Though very FEW ISPs do anything with the TOS bits, I thought you'd
# like to see it. In theory, you can tell the Internet how to handle
# your traffic, be it sensitive to delay, throughput, etc.
#
# -t 0x01 0x10 = Minimum Delay
# -t 0x01 0x08 = Maximum Throughput
# -t 0x01 0x04 = Maximum Reliability
# -t 0x01 0x02 = Minimum Cost
#
# Example:
#
# Settings for FTP, SSH, and TELNET
# /sbin/ipchains -A output -p tcp -d 0/0 21:23 -t 0x01 0x10
#
# Settings for WWW
# /sbin/ipchains -A output -p tcp -d 0/0 80 -t 0x01 0x10
# Dont run these commands if MASQ isnt compiled into the kernel
if [ -a /proc/sys/net/ipv4/ip_always_defrag ] && [ "$INTIF" != "" ]; then
#--------------------------------------------------------------------
# Masquerading Timeouts
#--------------------------------------------------------------------
# Set timeout values for masq sessions (seconds).
#
# Item #1 - 2 hrs timeout for TCP session timeouts
# Item #2 - 10 sec timeout for traffic after the TCP/IP "FIN" packet is received
# Item #3 - 60 sec timeout for UDP traffic
#
# Note to ICQ users: You might want to set the UDP timeout to something
# like 160.
#
echo " - Changing IP masquerading timeouts."
/sbin/ipchains -M -S 7200 10 60
fi
# Dont run these commands if MASQ isnt compiled into the kernel
if [ -a /proc/sys/net/ipv4/ip_always_defrag ]; then
#--------------------------------------------------------------------
# Masq Modules
#--------------------------------------------------------------------
# Most TCP/IP-enabled applications work fine behind a Linux IP
# Masquerade server. But, some applications need a special
# module to get their traffic in and out properly.
#
# Note: Some applications do NOT work well though a IP Masquerade server
# without special helper modules such as H.323-based programs.
# Please the IP-MASQ HOWTO for more details.
#
# Note #2: Only uncomment the modules that you REQUIRE to be loaded.
# The FTP module is loaded by default.
#--------------------------------------------------------------------
echo " - Loading masquerading modules."
#/sbin/modprobe ip_masq_cuseeme
#/sbin/modprobe ip_masq_ftp
#/sbin/modprobe ip_masq_irc
#/sbin/modprobe ip_masq_quake
#/sbin/modprobe ip_masq_raudio
#/sbin/modprobe ip_masq_vdolive
# If you downloaded and compiled the ICQ module from Section 5, use it
#/sbin/modprobe ip_masq_icq
# If you downloaded and compiled the H.323 module from Section 5, use it
#/sbin/modprobe ip_masq_h323
# If you downloaded and compiled the PPTP module from Section 5, use it
#/sbin/insmod ip_masq_pptp
fi
#--------------------------------------------------------------------
# Default Policies
#--------------------------------------------------------------------
# Set all default policies to REJECT and flush all old rules.
#--------------------------------------------------------------------
# Change default policies to REJECT.
#
# We want to only EXPLICTITLY allow what traffic is allowed IN and OUT of the
# firewall. All other traffic will be implicitly blocked.
#
echo " - Set default policies to REJECT"
/sbin/ipchains -P input REJECT
/sbin/ipchains -P output REJECT
/sbin/ipchains -P forward REJECT
echo " - Flushing all old rules and setting all default policies to REJECT "
# Flush all old rule sets
#
/sbin/ipchains -F input
/sbin/ipchains -F output
/sbin/ipchains -F forward
#********************************************************************
# Input Rules
#********************************************************************
echo "----------------------------------------------------------------------"
echo "Input Rules:"
# If we don't have an internal interface, dont do things for it
#
if [ "$INTIF" != "" ]; then
#--------------------------------------------------------------------
# Incoming Traffic on the Internal LAN
#--------------------------------------------------------------------
# This section controls the INPUT traffic allowed to flow within the internal
# LAN. This means that all input traffic on the local network is valid. If
# you want to change this default setting and only allow certain types of
# traffic within your internal network, you will need to comment this following
# line and configure individual ACCEPT lines for each TCP/IP address you want
# to let through. A few example ACCEPT lines are provided below for
# demonstration purposes.
#
# Sometimes it is useful to allow TCP connections in one direction but not the
# other. For example, you might want to allow connections to an external HTTP
# server but not connections from that server. The naive approach would be to
# block TCP packets coming from the server. However, the better approach is to
# use the -y flag which will block only the packets used to request a
# connection.
#--------------------------------------------------------------------
echo " - Setting input filters for traffic on the internal LAN."
# DHCP Server.
#
# If you have configured a DHCP server on the Linux machine to serve IP
# addresses to the internal network, you will need to enable this section.
#
# This is an example of how to let input traffic flow through the local
# LAN if we have rejected all prior requests above.
#
# NOTE: Some distros change ipchains to NOT allow TCP connections for
# DHCP. Though TCP-based DHCP is really rare, it is part of
# of the standard.
#
# Disabled by default
#echo " Optional parameter: DHCPd server"
#/sbin/ipchains -A input -j ACCEPT -i $INTIF -p udp -s $UNIVERSE bootpc -d $BROADCAST/0 bootps
#/sbin/ipchains -A input -j ACCEPT -i $INTIF -p tcp -s $UNIVERSE bootpc -d $BROADCAST/0 bootps
# DMZ DHCPd - If we don't have a DMZ interface, dont do things for it
# #
# if [ "$INT2IF" != "" ]; then
# #DMZ network
# echo " Optional parameter: Second INT2IF DHCPd server"
# /sbin/ipchains -A input -j ACCEPT -i $INT2IF -p udp -s $UNIVERSE bootpc -d $BROADCAST/0 bootps
# /sbin/ipchains -A input -j ACCEPT -i $INT2IF -p tcp -s $UNIVERSE bootpc -d $BROADCAST/0 bootps
# fi
#--------------------------------------------------------------------
# Explicit Access from Internal LAN Hosts
#--------------------------------------------------------------------
# This section is provided as an example of how to allow only SPECIFIC
# hosts on the internal LAN to access services on the firewall server.
# Many people might feel that this is extreme but many system attacks
# occur from the INTERNAL networks.
#
# Examples given allow access via FTP, FTP-DATA, SSH, and TELNET.
#
# In order for this rule set to work, you must first comment out the
# generic allow lines just above the final ALLOW HIGH PORTS at the END
# of this section. That one line provides full access to the internal
# LAN by all internal hosts. You will then need to enable the lines
# below to allow any access at all.
#--------------------------------------------------------------------
#echo " - Setting input filters for specific internal hosts."
# First allowed internal host to connect directly to the Linux server
#
# Disabled by default.
#/sbin/ipchains -A input -j ACCEPT -i $INTIF -p tcp -s $HOST1IP -d $INTIP ftp
#/sbin/ipchains -A input -j ACCEPT -i $INTIF -p tcp -s $HOST1IP -d $INTIP ftp-data
#/sbin/ipchains -A input -j ACCEPT -i $INTIF -p tcp -s $HOST1IP -d $INTIP ssh
#/sbin/ipchains -A input -j ACCEPT -i $INTIF -p tcp -s $HOST1IP -d $INTIP telnet
# Second allowed internal host to connect directly to the Linux server
#
# Disabled by default.
#/sbin/ipchains -A input -j ACCEPT -i $INTIF -p tcp -s $HOST2IP -d $INTIP ftp
#/sbin/ipchains -A input -j ACCEPT -i $INTIF -p tcp -s $HOST2IP -d $INTIP ftp-data
#/sbin/ipchains -A input -j ACCEPT -i $INTIF -p tcp -s $HOST2IP -d $INTIP ssh
#/sbin/ipchains -A input -j ACCEPT -i $INTIF -p tcp -s $HOST2IP -d $INTIP telnet
# This allows the ruleset to run if you use STATIC IPs and dont
# enable DHCP
echo "." > /dev/null
# End of the INTIF loop
fi
#--------------------------------------------------------------------
# Incoming Traffic from the External Interface
#--------------------------------------------------------------------
# This rule set will control specific traffic that is allowed in from
# the external interface.
#--------------------------------------------------------------------
#
echo " - Setting input filters for traffic from the external interface."
# DHCP Clients.
#
# If you get a dynamic IP address for your ADSL or Cablemodem connection, you
# will need to enable these lines.
#
# NOTE: Some distros change ipchains to NOT allow TCP connections for
# DHCP. Though TCP-based DHCP is really rare, it is part of
# of the standard.
#
# Enabled by default.
#/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p udp -s $UNIVERSE bootps -d $BROADCAST/0 bootpc
#/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $UNIVERSE bootps -d $BROADCAST/0 bootpc
# FTP: Allow external users to connect to the Linux server ITSELF for
# PORT-style FTP services. This will NOT work for PASV FTP transfers.
#
# Disabled by default.
# echo " Optional parameter: FTP server"
#/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP ftp
#/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP ftp-data
# IRCd: Allow external users to connect to the Linux server ITSELF for
# IRC services.
#
# Make sure ircd is defined in /etc/services
#
# Disabled by default.
# echo " Optional parameter: IRC server"
# /sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP ircd
# HTTP: Allow external users to connect to the Linux server ITSELF for HTTP services.
#
# Disabled by default.
# echo " Optional parameter: HTTP server"
#/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP http
# HTTPS: Allow external users to connect to the Linux server ITSELF for HTTPS services.
#
# Disabled by default.
# echo " Optional parameter: HTTPS server"
#/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP https
# Advanced ICMP: Some users prefer that their UNIX box NOT ping, etc.
# This is easy enough to do but be sure you know what you
# are doing.
#
# There is an EXCELLENT paper on ICMP filtereing available at:
#
# http://www.sys-security.com/archive/papers/ICMP_Scanning_v2.0.pdf
#
#
# NOTE: When setting a FIREWALL to REJECT ICMP traffic, the resulting
# reply traffic is automatically discarded per the RFCs
#
# NOTE2: For a full list of all supported major and minor ICMP codes, run:
# /sbin/ipchains -h icmp
#
# MOST are Disabled by default.
#
#
# Do NOT reply to ECHO REPLYs (type 0) from the Internet (this is NOT a
# good idea)
#
# echo " Optional parameter: ICMP ECHO-REPLY inbound filtered"
#/sbin/ipchains -A input -j REJECT -i $EXTIF -p icmp -s $UNIVERSE -d $EXTIP --icmp-type echo-reply $LOGGING
#
# Do NOT reply to TCP/UDP TRACEROUTE requests from the Internet (some find
# this useful)
#
# echo " Optional parameter: TCP/UDP TRACEROUTE inbound filtered"
#
#/sbin/ipchains -A input -j REJECT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP 33434 $LOGGING
#/sbin/ipchains -A input -j REJECT -i $EXTIF -p udp -s $UNIVERSE -d $EXTIP 33434 $LOGGING
#
# Do NOT reply to TRACEROUTE requests from the Internet (MS clients use
# ICMP ECHO and not TCP/UDP - some find this useful )
#
# echo " Optional parameter: ICMP TRACEROUTE [for MS] inbound filtered"
#/sbin/ipchains -A input -j REJECT -i $EXTIF -p icmp -s $UNIVERSE -d $EXTIP --icmp-type destination-unreachable $LOGGING
#
# Do NOT reply to DESTINATION-UNREACHABLE (type 3) from the Internet (this
# is NOT a good idea - if you must do this then filter out the specific
# SUB-options such as PROTOCOL-UNREACHABLE in the OUTBOUND direction)
#
# echo " Optional parameter: ICMP DESTINATION-UNREACHABLE inbound filtered"
#/sbin/ipchains -A input -j REJECT -i $EXTIF -p icmp -s $UNIVERSE -d $EXTIP --icmp-type destination-unreachable $LOGGING
#
# Do NOT reply to SOURCEQUENCH (type 4) from the Internet (this is NOT a
# good idea)
#
# echo " Optional parameter: ICMP SOURCEQUENCH inbound filtered"
#/sbin/ipchains -A input -j REJECT -i $EXTIF -p icmp -s $UNIVERSE -d $EXTIP --icmp-type source-quench $LOGGING
#
# Do NOT reply to ANY form of REDIRECT packets (type 5) (this can help
# stop OS fingerprinting)
#
echo " Optional parameter: ICMP REDIRECT inbound filtered"
/sbin/ipchains -A input -j REJECT -i $EXTIF -p icmp -s $UNIVERSE -d $EXTIP --icmp-type redirect $LOGGING
# If we don't have a DMZ interface, dont do things for it
#
if [ "$INT2IF" != "" ]; then
echo " Optional parameter: INT2IF - ICMP REDIRECT inbound filtered"
/sbin/ipchains -A input -j REJECT -i $INT2IF -p icmp -s $UNIVERSE -d $INT2IP --icmp-type redirect $LOGGING
fi
# Do NOT allow PING requests (type 8) from the Internet (some find this
# useful)
#
# echo " Optional parameter: ICMP ECHO inbound filtered"
#/sbin/ipchains -A input -j REJECT -i $EXTIF -p icmp -s $UNIVERSE -d $EXTIP --icmp-type echo-request $LOGGING
#
# Do NOT reply to TTL-EXPIRED packets (type 11) from the Internet (this is
# NOT a good idea - do it OUTBOUND)
#
# echo " Optional parameter: ICMP TTL-EXPIRED inbound filtered"
#/sbin/ipchains -A input -j REJECT -i $EXTIF -p icmp -s $UNIVERSE -d $EXTIP --icmp-type time-exceeded $LOGGING
#
# Do NOT reply to PARAMETER-PROBLEM packets (type 12) (this is NOT a good
# idea - filter this on OUTBOUND)
#
# echo " Optional parameter: ICMP PARAMETER-PROBLEM inbound filtered"
# /sbin/ipchains -A input -j REJECT -i $EXTIF -p icmp -s $UNIVERSE -d $EXTIP --icmp-type parameter-problem $LOGGING
#
# Do NOT reply to ICMP TIMESTAMP packets (type 13 and 14) (this can help
# stop OS fingerprinting)
#
echo " Optional parameter: ICMP TIMESTAMP inbound filtered"
/sbin/ipchains -A input -j REJECT -i $EXTIF -p icmp -s $UNIVERSE -d $EXTIP --icmp-type timestamp-request $LOGGING
/sbin/ipchains -A input -j REJECT -i $EXTIF -p icmp -s $UNIVERSE -d $EXTIP --icmp-type timestamp-reply $LOGGING
# If we don't have a DMZ interface, dont do things for it
#
if [ "$INT2IF" != "" ]; then
echo " Optional parameter: INT2IF - ICMP TIMESTAMP inbound filtered"
/sbin/ipchains -A input -j REJECT -i $INT2IF -p icmp -s $UNIVERSE -d $INT2IP --icmp-type timestamp-request $LOGGING
/sbin/ipchains -A input -j REJECT -i $INT2IF -p icmp -s $UNIVERSE -d $INT2IP --icmp-type timestamp-reply $LOGGING
fi
# ICMP INFORMATION (type 15 and 16) packet filtering is NOT supported by
# either LINUX or IPCHAINS (no big deal)
#
# Do NOT reply to ICMP ADDRESS MASK packets (type 17 and 18) (this can
# help stop OS fingerprinting)
#
echo " Optional parameter: ICMP ADDRESS-MASK inbound filtered"
/sbin/ipchains -A input -j REJECT -i $EXTIF -p icmp -s $UNIVERSE -d $EXTIP --icmp-type address-mask-request $LOGGING
/sbin/ipchains -A input -j REJECT -i $EXTIF -p icmp -s $UNIVERSE -d $EXTIP --icmp-type address-mask-reply $LOGGING
# If we don't have a DMZ interface, dont do things for it
#
if [ "$INT2IF" != "" ]; then
echo " Optional parameter: INT2IF - ICMP ADDRESS-MASK inbound filtered"
/sbin/ipchains -A input -j REJECT -i $INT2IF -p icmp -s $UNIVERSE -d $INT2IP --icmp-type address-mask-request $LOGGING
/sbin/ipchains -A input -j REJECT -i $INT2IF -p icmp -s $UNIVERSE -d $INT2IP --icmp-type address-mask-reply $LOGGING
fi
# General ICMP: Allow ICMP packets from all external TCP/IP addresses.
#
# NOTE: Disabling ICMP packets via the firewall rule set can do far more
# than just stop people from pinging your machine. Many aspects of
# TCP/IP and its associated applications rely on various ICMP
# messages. Without ICMP, both your Linux server and internal
# Masq'ed computers might not work.
#
# If you feel compelled to do ICMP filtering, do it by uncommenting your
# desired traffic types from the section ABOVE and NOT here.
#
/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p icmp -s $UNIVERSE -d $EXTIP
# DMZ ICMP - If we don't have a DMZ interface, dont do things for it
#
if [ "$INT2IF" != "" ]; then
/sbin/ipchains -A input -j ACCEPT -i $INT2IF -p icmp -s $UNIVERSE -d $INT2IP
/sbin/ipchains -A input -j ACCEPT -i $INT2IF -p icmp -s $INT2LAN -d $INTLAN
fi
# NNTP: Allow external computers to connect to the Linux server ITSELF
# for NNTP (news) services.
#
# Disabled by default.
# echo " Optional parameter: NNTP server"
#/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP nntp
# NTP: Allow external computers to connect to the Linux server ITSELF for
# NTP (time) updates
#
# NOTE: Some NTP clients require TCP traffic. Others require UDP.
# Your pick!
#
# Disabled by default.
# echo " Optional parameter: NTP server"
#/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP ntp
#/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p udp -s $UNIVERSE -d $EXTIP ntp
# TELNET: Allow external computers to connect to the Linux server ITSELF for
# TELNET access.
#
# Disabled by default.
# echo " Optional parameter: TELNET server"
#/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP telnet
# SSH server: Allow external computers to connect to the Linux server ITSELF
# for SSH access.
#
# Disabled by default.
echo " Optional parameter: SSH server"
/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP ssh
#--------------------------------------------------------------------
# Specific Input Rejections on the EXTERNAL interface
#--------------------------------------------------------------------
# These rule sets reject specific traffic that you do not want into
# the system.
#--------------------------------------------------------------------
echo " - Reject specific inputs."
# If we don't have an internal interface, dont do things for it
#
if [ "$INTIF" != "" ]; then
# Remote interface, claiming to be local machines, IP spoofing, get lost & log
/sbin/ipchains -A input -j REJECT -i $EXTIF -s $INTLAN -d $UNIVERSE $LOGGING
fi
# If we don't have a DMZ interface, dont do things for it
#
if [ "$INT2IF" != "" ]; then
/sbin/ipchains -A input -j REJECT -i $INT2IF -s $INTLAN -d $UNIVERSE $LOGGING
fi
# RFC1918 and IANA Reserved Address space Bogon filtering
#
# Filter all external traffic coming from either RESERVED or non-routed
# address space.
#
# See ftp://ftp.iana.org/assignments/ipv4-address-space for up to date
# results.
#
# Please run "whois IANA*@arin.net" and with a careful eye
# "whois RESERVED*@arin.net" for more info.
#
# -------------------------------------------------------------------
# NOTE *1*: Please notice that ALL IANA Reserved Address filters
# (except for the Class-D and Class-E networks) have
# been disabled as is seems that the IANA is releasing IP
# address space without updating their tables. There is
# the email list called "bogon-announce" which you can
# subscribe to here:
# http://www.cymru.com/Bogons/
#
# Note2: The bogon list changes ALL the time. Unless you subscribe
# to the above bogon list AND update your firewall when things
# change, you will be blackholing traffic.
#
# Note3: that the address schemes from whois are silently using CLASSFULL
# masks
#
# Note4: Some ISPs use RFC1918 addresses for internal addressing of
# customers and keeping status on equipment. Some customers of
# General Instruments SURFboard cable modems might have similar
# issues.
#
# -------------------------------------------------------------------
# Reserved-1
#/sbin/ipchains -A input -j REJECT -i $EXTIF -s 0.0.0.0/8 -d $UNIVERSE $LOGGING
# Reserved-9
#/sbin/ipchains -A input -j REJECT -i $EXTIF -s 1.0.0.0/8 -d $UNIVERSE $LOGGING
# Reserved-2
#/sbin/ipchains -A input -j REJECT -i $EXTIF -s 2.0.0.0/8 -d $UNIVERSE $LOGGING
# Reserved-5
#/sbin/ipchains -A input -j REJECT -i $EXTIF -s 5.0.0.0/8 -d $UNIVERSE $LOGGING
# Reserved-7
#/sbin/ipchains -A input -j REJECT -i $EXTIF -s 7.0.0.0/8 -d $UNIVERSE $LOGGING
# Reserved-10 and RFC1918 (10.x.x.x)
/sbin/ipchains -A input -j REJECT -i $EXTIF -s 10.0.0.0/8 -d $UNIVERSE $LOGGING
# If we don't have a DMZ interface, dont do things for it
#
if [ "$INT2IF" != "" ]; then
/sbin/ipchains -A input -j REJECT -i $INT2IF -s 10.0.0.0/8 -d $UNIVERSE $LOGGING
fi
# Reserved-23
#/sbin/ipchains -A input -j REJECT -i $EXTIF -s 23.0.0.0/8 -d $UNIVERSE $LOGGING
# Reserved-27
#/sbin/ipchains -A input -j REJECT -i $EXTIF -s 27.0.0.0/8 -d $UNIVERSE $LOGGING
# Reserved-31
#/sbin/ipchains -A input -j REJECT -i $EXTIF -s 31.0.0.0/8 -d $UNIVERSE $LOGGING
# Reserved-36
#/sbin/ipchains -A input -j REJECT -i $EXTIF -s 36.0.0.0/8 -d $UNIVERSE $LOGGING
# Reserved-37
#/sbin/ipchains -A input -j REJECT -i $EXTIF -s 37.0.0.0/8 -d $UNIVERSE $LOGGING
# Reserved-39
#/sbin/ipchains -A input -j REJECT -i $EXTIF -s 39.0.0.0/8 -d $UNIVERSE $LOGGING
# Reserved-42
#/sbin/ipchains -A input -j REJECT -i $EXTIF -s 42.0.0.0/8 -d $UNIVERSE $LOGGING
# Reserved-74 and 75
# 74.0.0.0 - 75.55.255.255
#/sbin/ipchains -A input -j REJECT -i $EXTIF -s 74.0.0.0/7 -d $UNIVERSE $LOGGING
# Reserved-76 though 79
# 76.0.0.0 - 79.55.255.255
#/sbin/ipchains -A input -j REJECT -i $EXTIF -s 76.0.0.0/6 -d $UNIVERSE $LOGGING
# Reserved 89
#/sbin/ipchains -A input -j REJECT -i $EXTIF -s 89.0.0.0/8 -d $UNIVERSE $LOGGING
# Reserved 90
#/sbin/ipchains -A input -j REJECT -i $EXTIF -s 90.0.0.0/8 -d $UNIVERSE $LOGGING
# Reserved 91
#/sbin/ipchains -A input -j REJECT -i $EXTIF -s 91.0.0.0/8 -d $UNIVERSE $LOGGING
# Reserved 92 though 95
# 92.0.0.0 - 95.255.255.255
#/sbin/ipchains -A input -j REJECT -i $EXTIF -s 92.0.0.0/6 -d $UNIVERSE $LOGGING
# Reserved 96 though 111
# 96.0.0.0 - 111.255.255.255
#/sbin/ipchains -A input -j REJECT -i $EXTIF -s 96.0.0.0/4 -d $UNIVERSE $LOGGING
# Reserved 112 though 119
# 112.0.0.0 - 119.255.255.255
#/sbin/ipchains -A input -j REJECT -i $EXTIF -s 112.0.0.0/5 -d $UNIVERSE $LOGGING
# Reserved 120 though 123
# 120.0.0.0 - 123.255.255.255
#/sbin/ipchains -A input -j REJECT -i $EXTIF -s 120.0.0.0/6 -d $UNIVERSE $LOGGING
# Reserved-127 127.255.255.255
#/sbin/ipchains -A input -j REJECT -i $EXTIF -s 127.0.0.0/8 -d $UNIVERSE $LOGGING
# BLACKHOLE3
#
# Disabled due to the fact that ALL reverse DNS functions (regardless of the
# address) will stop working properly. If you have a good explination of
# why this is, I would love to hear it.
#
#/sbin/ipchains -A input -j REJECT -i $EXTIF -s 128.9.64.26/32 -d $UNIVERSE $LOGGING
# Includes NET-TEST-B
#/sbin/ipchains -A input -j REJECT -i $EXTIF -s 128.66.0.0/16 -d $UNIVERSE $LOGGING
# IANA-BBLK-RESERVED and RFC1918 (172.16-31.0.0)
/sbin/ipchains -A input -j REJECT -i $EXTIF -s 172.16.0.0/12 -d $UNIVERSE $LOGGING
# If we don't have a DMZ interface, dont do things for it
#
if [ "$INT2IF" != "" ]; then
/sbin/ipchains -A input -j REJECT -i $INT2IF -s 172.16.0.0/12 -d $UNIVERSE $LOGGING
fi
# Reserved-173
#/sbin/ipchains -A input -j REJECT -i $EXTIF -s 173.0.0.0/8 -d $UNIVERSE $LOGGING
# Reserved-174 through 175
# 174.0.0.0 - 175.255.255.255
#/sbin/ipchains -A input -j REJECT -i $EXTIF -s 174.0.0.0/7 -d $UNIVERSE $LOGGING
# Reserved-176 through 183
# 176.0.0.0 - 183.255.255.255
#/sbin/ipchains -A input -j REJECT -i $EXTIF -s 176.0.0.0/5 -d $UNIVERSE $LOGGING
# Reserved-184 through 187
# 184.0.0.0 - 187.255.255.255
#/sbin/ipchains -A input -j REJECT -i $EXTIF -s 184.0.0.0/6 -d $UNIVERSE $LOGGING
# Reserved-189
#/sbin/ipchains -A input -j REJECT -i $EXTIF -s 189.0.0.0/8 -d $UNIVERSE $LOGGING
# Reserved-190
#/sbin/ipchains -A input -j REJECT -i $EXTIF -s 190.0.0.0/8 -d $UNIVERSE $LOGGING
# Reserved-4
#/sbin/ipchains -A input -j REJECT -i $EXTIF -s 191.255.0.0/16 -d $UNIVERSE $LOGGING
# ROOT-NS-LAB - 192.0.0.0/24
#/sbin/ipchains -A input -j REJECT -i $EXTIF -s 192.0.0.0/24 -d $UNIVERSE $LOGGING
# NET-ROOTS-NS-LIVE - 192.0.1.0/24
#/sbin/ipchains -A input -j REJECT -i $EXTIF -s 192.0.1.0/24 -d $UNIVERSE $LOGGING
# NET-TEST - 192.0.2.0/24
#/sbin/ipchains -A input -j REJECT -i $EXTIF -s 192.0.2.0/24 -d $UNIVERSE $LOGGING
# RFC1918
#foo
#/sbin/ipchains -A input -j REJECT -i $EXTIF -s 192.168.0.0/16 -d $UNIVERSE $LOGGING
# RESERVED-13
#/sbin/ipchains -A input -j REJECT -i $EXTIF -s 197.0.0.0/16 -d $UNIVERSE $LOGGING
# Reserved-197
#/sbin/ipchains -A input -j REJECT -i $EXTIF -s 197.0.0.0/8 -d $UNIVERSE $LOGGING
# RESERVED-14
#/sbin/ipchains -A input -j REJECT -i $EXTIF -s 201.0.0.0/8 -d $UNIVERSE $LOGGING
# Reserved-5
#/sbin/ipchains -A input -j REJECT -i $EXTIF -s 223.255.255.0/24 -d $UNIVERSE $LOGGING
# Reserved-223
#/sbin/ipchains -A input -j REJECT -i $EXTIF -s 223.0.0.0/24 -d $UNIVERSE $LOGGING
#Future use for Class-E:
/sbin/ipchains -A input -j REJECT -i $EXTIF -s 240.0.0.0/5 -d $UNIVERSE $LOGGING
#Future use for Class-F:
/sbin/ipchains -A input -j REJECT -i $EXTIF -s 248.0.0.0/5 -d $UNIVERSE $LOGGING
# If we don't have a DMZ interface, dont do things for it
#
if [ "$INT2IF" != "" ]; then
/sbin/ipchains -A input -j REJECT -i $INT2IF -s 240.0.0.0/5 -d $UNIVERSE $LOGGING
/sbin/ipchains -A input -j REJECT -i $INT2IF -s 248.0.0.0/5 -d $UNIVERSE $LOGGING
fi
# -----------------
# Special Filtering
# -----------------
# Multicast: Silently drop all multicast traffic for those users who
# find this traffic filling up their logs.
#
# Disabled by default.
# echo " Optional parameter: Ignore MULTICAST"
# /sbin/ipchains -A input -j REJECT -i $EXTIF -s $UNIVERSE -d 224.0.0.0/4
# NFS: Reject NFS traffic FROM and TO external machines.
#
# NOTE: NFS is one of the biggest security issues an administrator will face.
# Do NOT enable NFS over the Internet or any non-trusted networks unless you
# know exactly what you are doing.
#
# NOTE #2: the $LOGGING variable is NOT included here because if it was
# enabled, your logs would grow too quickly to manage.
#
/sbin/ipchains -A input -j REJECT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP 2049
/sbin/ipchains -A input -j REJECT -i $EXTIF -p tcp -s $UNIVERSE 2049 -d $EXTIP
# If we don't have a DMZ interface, dont do things for it
#
if [ "$INT2IF" != "" ]; then
/sbin/ipchains -A input -j REJECT -i $INT2IF -p tcp -s $UNIVERSE -d $INT2IP 2049
/sbin/ipchains -A input -j REJECT -i $INT2IF -p tcp -s $UNIVERSE 2049 -d $INT2IP
fi
# SMB and CIFS: Reject SMB and CIFS traffic FROM and TO external machines.
#
# NOTE: SMB (Win 3.x, 9x, NT) and CIFS (Win2k) is one of the biggest
# security issues an administrator will face. Do NOT enable SMB/CIFS
# traffic to flow over the Internet or any non-trusted networks
# unless you know exactly what you are doing. If you NEED this
# functionality, please use a IPSEC or PPTP VPN
#
# NOTE #2: the $LOGGING variable is NOT included here because if it was
# enabled, your logs would grow too quickly to manage.
#
# Ports: 137 TCP/UDP (NetBIOS name service)
# 138 UDP (NetBIOS datagram service) - TCP filtered just in case
# 139 TCP (NetBIOS session service) - UDP filtered just in case
# 445 TCP/UDP (MS CIFS in Win2k)
echo " - Silently rejecting SMB and CIFS traffic on the external interface."
/sbin/ipchains -A input -j REJECT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP 137
/sbin/ipchains -A input -j REJECT -i $EXTIF -p udp -s $UNIVERSE -d $EXTIP 137
/sbin/ipchains -A input -j REJECT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTBROAD 137
/sbin/ipchains -A input -j REJECT -i $EXTIF -p udp -s $UNIVERSE -d $EXTBROAD 137
/sbin/ipchains -A input -j REJECT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP 138
/sbin/ipchains -A input -j REJECT -i $EXTIF -p udp -s $UNIVERSE -d $EXTIP 138
/sbin/ipchains -A input -j REJECT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTBROAD 138
/sbin/ipchains -A input -j REJECT -i $EXTIF -p udp -s $UNIVERSE -d $EXTBROAD 138
/sbin/ipchains -A input -j REJECT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP 139
/sbin/ipchains -A input -j REJECT -i $EXTIF -p udp -s $UNIVERSE -d $EXTIP 139
/sbin/ipchains -A input -j REJECT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTBROAD 139
/sbin/ipchains -A input -j REJECT -i $EXTIF -p udp -s $UNIVERSE -d $EXTBROAD 139
/sbin/ipchains -A input -j REJECT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP 445
/sbin/ipchains -A input -j REJECT -i $EXTIF -p udp -s $UNIVERSE -d $EXTIP 445
/sbin/ipchains -A input -j REJECT -i $EXTIF -p udp -s $UNIVERSE -d $EXTBROAD 445
/sbin/ipchains -A input -j REJECT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTBROAD 445
/sbin/ipchains -A input -j REJECT -i $EXTIF -p tcp -s $UNIVERSE 137 -d $EXTIP
/sbin/ipchains -A input -j REJECT -i $EXTIF -p udp -s $UNIVERSE 137 -d $EXTIP
/sbin/ipchains -A input -j REJECT -i $EXTIF -p tcp -s $UNIVERSE 138 -d $EXTIP
/sbin/ipchains -A input -j REJECT -i $EXTIF -p udp -s $UNIVERSE 138 -d $EXTIP
/sbin/ipchains -A input -j REJECT -i $EXTIF -p tcp -s $UNIVERSE 139 -d $EXTIP
/sbin/ipchains -A input -j REJECT -i $EXTIF -p udp -s $UNIVERSE 139 -d $EXTIP
/sbin/ipchains -A input -j REJECT -i $EXTIF -p tcp -s $UNIVERSE 445 -d $EXTIP
/sbin/ipchains -A input -j REJECT -i $EXTIF -p udp -s $UNIVERSE 445 -d $EXTIP
# If we don't have a DMZ interface, dont do things for it
#
if [ "$INT2IF" != "" ]; then
/sbin/ipchains -A input -j REJECT -i $INT2IF -p tcp -s $UNIVERSE -d $INT2IP 137
/sbin/ipchains -A input -j REJECT -i $INT2IF -p udp -s $UNIVERSE -d $INT2IP 137
/sbin/ipchains -A input -j REJECT -i $INT2IF -p tcp -s $UNIVERSE -d $INT2BROAD 137
/sbin/ipchains -A input -j REJECT -i $INT2IF -p udp -s $UNIVERSE -d $INT2BROAD 137
/sbin/ipchains -A input -j REJECT -i $INT2IF -p tcp -s $UNIVERSE -d $INT2IP 138
/sbin/ipchains -A input -j REJECT -i $INT2IF -p udp -s $UNIVERSE -d $INT2IP 138
/sbin/ipchains -A input -j REJECT -i $INT2IF -p tcp -s $UNIVERSE -d $INT2BROAD 138
/sbin/ipchains -A input -j REJECT -i $INT2IF -p udp -s $UNIVERSE -d $INT2BROAD 138
/sbin/ipchains -A input -j REJECT -i $INT2IF -p tcp -s $UNIVERSE -d $INT2IP 139
/sbin/ipchains -A input -j REJECT -i $INT2IF -p udp -s $UNIVERSE -d $INT2IP 139
/sbin/ipchains -A input -j REJECT -i $INT2IF -p tcp -s $UNIVERSE -d $INT2BROAD 139
/sbin/ipchains -A input -j REJECT -i $INT2IF -p udp -s $UNIVERSE -d $INT2BROAD 139
/sbin/ipchains -A input -j REJECT -i $INT2IF -p tcp -s $UNIVERSE -d $INT2IP 445
/sbin/ipchains -A input -j REJECT -i $INT2IF -p udp -s $UNIVERSE -d $INT2IP 445
/sbin/ipchains -A input -j REJECT -i $INT2IF -p udp -s $UNIVERSE -d $INT2BROAD 445
/sbin/ipchains -A input -j REJECT -i $INT2IF -p tcp -s $UNIVERSE -d $INT2BROAD 445
/sbin/ipchains -A input -j REJECT -i $INT2IF -p tcp -s $UNIVERSE 137 -d $INT2IP
/sbin/ipchains -A input -j REJECT -i $INT2IF -p udp -s $UNIVERSE 137 -d $INT2IP
/sbin/ipchains -A input -j REJECT -i $INT2IF -p tcp -s $UNIVERSE 138 -d $INT2IP
/sbin/ipchains -A input -j REJECT -i $INT2IF -p udp -s $UNIVERSE 138 -d $INT2IP
/sbin/ipchains -A input -j REJECT -i $INT2IF -p tcp -s $UNIVERSE 139 -d $INT2IP
/sbin/ipchains -A input -j REJECT -i $INT2IF -p udp -s $UNIVERSE 139 -d $INT2IP
/sbin/ipchains -A input -j REJECT -i $INT2IF -p tcp -s $UNIVERSE 445 -d $INT2IP
/sbin/ipchains -A input -j REJECT -i $INT2IF -p udp -s $UNIVERSE 445 -d $INT2IP
fi
#--------------------------------------------------------------------
# Incoming Traffic on all Interfaces
#--------------------------------------------------------------------
# This will control input traffic for all interfaces. This is
# usually used for what could be considered as public services.
#--------------------------------------------------------------------
echo " - Setting input filters for public services [all interfaces]."
# AUTH: Allow the authentication protocol, ident, to function on all
# interfaces but disable it in /etc/inetd.conf. The reason to
# allow this traffic in but block it via Inetd is because some
# legacy TCP/IP stacks don't deal with REJECTed "auth" requests
# properly.
#
# Traffic TO your machine and FROM your machine
/sbin/ipchains -A input -j ACCEPT -p tcp -s $UNIVERSE -d $UNIVERSE auth
/sbin/ipchains -A input -j ACCEPT -p tcp -s $UNIVERSE auth -d $UNIVERSE
# BOOTP/DHCP: Reject all stray bootp traffic.
#
# Disabled by default.
#/sbin/ipchains -A input -j REJECT -p udp -s $UNIVERSE bootpc
# DNS: If you are running an authoritative DNS server, you must open
# up the DNS ports on all interfaces to allow lookups. If you are
# running a caching DNS server, you will need to at least open the DNS
# ports to internal interfaces.
#
# It is recommend to secure DNS by restricting zone transfers and split
# DNS servers as documented in Step 4.
#
# Disabled by default.
#echo " Optional parameter: DNS server"
#/sbin/ipchains -A input -j ACCEPT -p tcp -s $UNIVERSE -d $UNIVERSE domain
#/sbin/ipchains -A input -j ACCEPT -p udp -s $UNIVERSE -d $UNIVERSE domain
# RIP: Reject all stray RIP traffic. Many improperly configured
# networks propagate network routing protocols to the edge of the
# network. The follow line will allow you explicitly filter it here
# without logging to SYSLOG.
#
# Disabled by default.
#/sbin/ipchains -A input -j REJECT -p udp -s $UNIVERSE -d $UNIVERSE route
# SMTP: If this server is an authoritative SMTP email server, you must
# allow SMTP traffic to all interfaces.
#
# Disabled by default.
#echo " Optional parameter: SMTP server"
#/sbin/ipchains -A input -j ACCEPT -p tcp -s $UNIVERSE -d $UNIVERSE smtp
# SQUID Proxy w/ JunkBuster
#
# If you are using Squid w/ Junkbuster enabled [Banner filtering], you will
# need to enable the following lines to do the IPCHAINS port redirection to
# port 3128. This also assumes that you have Squid properly configured and
# running.
#
# Disabled by default.
#echo " Optional parameter: SQUID transparent proxy"
#/sbin/ipchains -A input -j ACCEPT -i $LOOPBACKIF -p tcp -d $LOOPBACKIP/32 www
#
# If we don't have an internal interface, dont do things for it
#
#if [ "$INTIF" != "" ]; then
# /sbin/ipchains -A input -j ACCEPT -i $INTIF -p tcp -s $INTLAN -d $INTIP/32 www
# /sbin/ipchains -A input -j REDIRECT 3128 -i $INTIF -p tcp -s $INTLAN -d $INTLAN www $LOGGING
#fi
# If we don't have a DMZ interface, dont do things for it
#
if [ "$INT2IF" != "" ]; then
# DMZ network - Enable this section if you have a wireless segment
#
# Enabled by default if INT2IF is valid
echo " Optional parameter: DMZ segment - SSH"
/sbin/ipchains -A input -j ACCEPT -i $INT2IF -p tcp -s $INT2LAN ssh -d $UNIVERSE
# Enabled by default if INT2IF is valid
echo " Optional parameter: DMZ segment - DNS"
/sbin/ipchains -A input -j ACCEPT -i $INT2IF -p tcp -s $INT2LAN -d $UNIVERSE domain
/sbin/ipchains -A input -j ACCEPT -i $INT2IF -p udp -s $INT2LAN -d $UNIVERSE domain
#Enable this option if you want ALL DMZ machines to access all network services
# on all interfaces. The alternative is allow host by host access in the
# DMZ SecureHOST section below
#
# Disabled by default.
#/sbin/ipchains -A input -j ACCEPT -i $INT2IF -s $INT2LAN -d $UNIVERSE
fi
#--------------------------------------------------------------------
# Specific Input Rejections from ANY interface
#--------------------------------------------------------------------
# These rule sets reject specific traffic that you do not want out of
# the system.
#--------------------------------------------------------------------
#echo " - Reject traffic for specific domains."
# If we don't have an internal interface, dont do things for it
#
if [ "$INTIF" != "" ]; then
#Do not allow ANY internal hosts to be able to reach the following sites:
#
#Disabled by default.
#The Doubleclick example will filter ALL types of traffic to the given
# class-C networks including WWW, SMTP(email, etc traffic. If you
# want a slightly less restrictive example, see the AOL example.
#
#Doubleclick.net and .com is renowned for their WWW ad banners
#
#/sbin/ipchains -A input -j REJECT -i $INTIF -p tcp -s $UNIVERSE -d 63.160.54.0/24
#/sbin/ipchains -A input -j REJECT -i $INTIF -p tcp -s $UNIVERSE -d 128.11.92.0/24
#/sbin/ipchains -A input -j REJECT -i $INTIF -p tcp -s $UNIVERSE -d 199.95.206.0/24
#/sbin/ipchains -A input -j REJECT -i $INTIF -p tcp -s $UNIVERSE -d 199.95.207.0/24
#/sbin/ipchains -A input -j REJECT -i $INTIF -p tcp -s $UNIVERSE -d 199.95.208.0/24
#/sbin/ipchains -A input -j REJECT -i $INTIF -p tcp -s $UNIVERSE -d 199.95.210.0/24
#/sbin/ipchains -A input -j REJECT -i $INTIF -p tcp -s $UNIVERSE -d 204.178.112.160/24
#/sbin/ipchains -A input -j REJECT -i $INTIF -p tcp -s $UNIVERSE -d 204.253.104.0/24
#/sbin/ipchains -A input -j REJECT -i $INTIF -p tcp -s $UNIVERSE -d 208.10.202.0/24
#/sbin/ipchains -A input -j REJECT -i $INTIF -p tcp -s $UNIVERSE -d 208.203.243.0/24
#/sbin/ipchains -A input -j REJECT -i $INTIF -p tcp -s $UNIVERSE -d 208.211.225.0/24
#/sbin/ipchains -A input -j REJECT -i $INTIF -p tcp -s $UNIVERSE -d 208.228.86.0/24
#/sbin/ipchains -A input -j REJECT -i $INTIF -p tcp -s $UNIVERSE -d 209.67.38.0/24
#This is required to complete the if..then loop
echo "." > /dev/null
fi
#AOL.com is renowned for their users sending SPAM to millions of people on
# the Inet. Though you might want to filter email from them, you
# might want to still be able to go look at some of their their
# WWW pages. This example ONLY filters EMAIL and nothing else.
#
#/sbin/ipchains -A input -j REJECT -p tcp -s $UNIVERSE 25 -d 152.163.159.0/24
#/sbin/ipchains -A input -j REJECT -p tcp -s $UNIVERSE 25 -d 205.188.157.0/24
#--------------------------------------------------------------------
# Explicit INPUT Access from external LAN Hosts
#--------------------------------------------------------------------
# This controls external access from specific external hosts (secure hosts).
# This example permits FTP, FTP-DATA, SSH, POP-3 and TELNET traffic from a
# secure host INTO the firewall. In addition to these input rules, we must also
# explicitly allow the traffic from the remote host to get out. See the rules
# in the output section for more details
#
# Disabled as default.
#--------------------------------------------------------------------
echo " - SECUREHOST: Setting input filters for explicit hosts."
# The secure host section
if [ "$SECUREHOST" != "" ]; then
echo " * Allowing $SECUREHOST INPUT for ftp, ftp-data, ssh"
/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST -d $EXTIP ftp
/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST -d $EXTIP ftp-data
/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST -d $EXTIP ssh
fi
if [ "$SECUREHOST2" != "" ]; then
echo " * Allowing $SECUREHOST2 INPUT for ftp, ftp-data, ssh, www, telnet, imap"
/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST2 -d $EXTIP ftp
/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST2 -d $EXTIP ftp-data
/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST2 -d $EXTIP ssh
/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST2 -d $EXTIP telnet
/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST2 -d $EXTIP www
/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST2 -d $EXTIP imap
fi
if [ "$SECUREHOST3" != "" ]; then
echo " * Allowing $SECUREHOST3 INPUT for ftp, ftp-data, ssh, www"
/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST3 -d $EXTIP ftp
/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST3 -d $EXTIP ftp-data
/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST3 -d $EXTIP ssh
/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST3 -d $EXTIP www
fi
if [ "$SECUREHOST4" != "" ]; then
echo " * Allowing $SECUREHOST4 INPUT for ftp, ftp-data, ssh"
/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST4 -d $EXTIP ftp
/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST4 -d $EXTIP ftp-data
/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST4 -d $EXTIP ssh
/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST4 -d $EXTIP www
fi
if [ "$SECUREHOST5" != "" ]; then
echo " * Allowing $SECUREHOST5 INPUT for ftp, ftp-data, ssh, www"
/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST5 -d $EXTIP ftp
/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST5 -d $EXTIP ftp-data
/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST5 -d $EXTIP ssh
/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST5 -d $EXTIP www
fi
if [ "$SECUREHOST6" != "" ]; then
echo " * Allowing $SECUREHOST6 INPUT for ftp, ftp-data, ssh, pop-3, and telnet"
/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST4 -d $EXTIP ftp
/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST4 -d $EXTIP ftp-data
/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST4 -d $EXTIP ssh
/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST4 -d $EXTIP pop-3
/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST4 -d $EXTIP telnet
fi
echo " - DMZ-SECUREHOST: Setting input filters for explicit hosts."
# If we don't have a DMZ interface, dont do things for it
#
if ( [ "$INT2IF" != "" ] && [ "$DMZHOST1" != "" ] ); then
#DMZ SecureHost
#
echo " * Allowing $DMZHOST1 INPUT for ssh to the Linux server and the INET"
/sbin/ipchains -A input -j ACCEPT -i $INT2IF -p tcp -s $DMZHOST1 -d $INT2IP ssh
/sbin/ipchains -A input -j ACCEPT -i $INT2IF -p tcp -s $DMZHOST1 -d $INTLAN ssh
/sbin/ipchains -A input -j ACCEPT -i $INT2IF -p tcp -s $DMZHOST1 -d $UNIVERSE
fi
if ( [ "$INT2IF" != "" ] && [ "$DMZHOST2" != "" ] ); then
echo " * Allowing $DMZHOST2 INPUT for ssh to the Linux server and the INET"
/sbin/ipchains -A input -j ACCEPT -i $INT2IF -p tcp -s $DMZHOST2 -d $INT2IP ssh
/sbin/ipchains -A input -j ACCEPT -i $INT2IF -p tcp -s $DMZHOST2 -d $INTLAN ssh
/sbin/ipchains -A input -j ACCEPT -i $INT2IF -p tcp -s $DMZHOST2 -d $UNIVERSE
fi
if [ "$INT2IF" != "" ]; then
#DMZ network - this is where most of the wireless filtering occurs
/sbin/ipchains -A input -j REJECT -i $INT2IF -s $INT2LAN -d $INTLAN $LOGGING
/sbin/ipchains -A input -j REJECT -i $INT2IF -s $INT2LAN -d $INT2LAN $LOGGING
/sbin/ipchains -A input -j REJECT -i $INT2IF -s $INTLAN -d $UNIVERSE $LOGGING
fi
# If we don't have an internal interface, dont do things for it
#
if [ "$INTIF" != "" ]; then
# Allow ALL internal interfaces to access the Inet
# ------------------------------------------------
# Local interface, local machines, going anywhere is valid.
#
# The main reason why this is at the BOTTOM of the INPUT section is to
# make sure that all required DENY/REJECT firewall lines are hit before
# allowing all internal traffic. If you DON'T want to allow ALL internal
# traffic to get out to the Internet, put a "#" in the
# front of the line below and un-#ed out the lines at the top of this
# section to allow only specific internal HOSTS to get out.
#
# Comment this line out if you want to only allow specific traffic on the
# internal network.
/sbin/ipchains -A input -j ACCEPT -i $INTIF -s $INTLAN -d $UNIVERSE
fi
# Loopback interface is valid.
#
/sbin/ipchains -A input -j ACCEPT -i $LOOPBACKIF -s $UNIVERSE -d $UNIVERSE
# HIGH PORTS:
#
# Enable all high unprivileged ports for all reply TCP/UDP traffic
#
# NOTE: The use of the "! -y" flag filters TCP traffic that doesn't have the
# SYN bit set. In other words, this means that any traffic that is
# trying to initiate traffic to your server on a HIGH port will be
# rejected.
#
# The only HIGH port traffic that will be accepted is either return
# traffic that the server originally initiated or UDP-based traffic.
#
# NOTE2: Please note that port 20 for ACTIVE FTP sessions should NOT use
# SYN filtering. Because of this, we must specifically allow it in.
#
echo " - Enabling all input REPLY [TCP/UDP] traffic on high ports."
/sbin/ipchains -A input -j ACCEPT ! -y -p tcp -s $UNIVERSE -d $EXTIP $UNPRIVPORTS
/sbin/ipchains -A input -j ACCEPT -p tcp -s $UNIVERSE ftp-data -d $EXTIP $UNPRIVPORTS
/sbin/ipchains -A input -j ACCEPT -p udp -s $UNIVERSE -d $EXTIP $UNPRIVPORTS
# If we don't have a DMZ interface, dont do things for it
#
if [ "$INT2IF" != "" ]; then
#DMZ network and removed FTP as it is insecure
/sbin/ipchains -A input -j ACCEPT ! -y -p tcp -s $UNIVERSE -d $INT2IP $UNPRIVPORTS
/sbin/ipchains -A input -j ACCEPT -p udp -s $UNIVERSE -d $INT2IP $UNPRIVPORTS
fi
#--------------------------------------------------------------------
# Catch All INPUT Rule
#--------------------------------------------------------------------
#
echo " - Final input catch all rule."
# All other incoming is denied and logged.
/sbin/ipchains -A input -j REJECT -s $UNIVERSE -d $UNIVERSE $LOGGING
#********************************************************************
# Output Rules
#********************************************************************
echo "----------------------------------------------------------------------"
echo "Output Rules:"
#--------------------------------------------------------------------
# Outgoing Traffic on the Internal LAN
#--------------------------------------------------------------------
# This rule set provides policies for traffic that is going out on the internal
# LAN.
#
# In this example, all traffic is allowed out. Therefore there is no
# requirement to implement individual filters. However, as with the input
# section above, examples are given for demonstrative purposes. It is also
# noted that the same rules, outlined above, apply regarding the order of the
# filtering rules.
#--------------------------------------------------------------------
echo " - Setting output filters for traffic on the internal LAN."
# If we don't have an internal interface, dont do things for it
#
if [ "$INTIF" != "" ]; then
# Local interface, any source going to local net is valid.
/sbin/ipchains -A output -j ACCEPT -i $INTIF -s $UNIVERSE -d $INTLAN
fi
# Loopback interface is valid.
/sbin/ipchains -A output -j ACCEPT -i $LOOPBACKIF -s $UNIVERSE -d $UNIVERSE
# If we don't have an internal interface, dont do things for it
#
if [ "$INTIF" != "" ]; then
# DHCP: If you have configured a DHCP server on this Linux machine, you
# will need to enable the following rule set.
#
# NOTE: Some distros change ipchains to NOT allow TCP connections for
# DHCP. Though TCP-based DHCP is really rare, it is part of
# of the standard.
#
# Enabled by default.
echo " Optional parameter: DHCPd server"
/sbin/ipchains -A output -j ACCEPT -i $INTIF -p udp -s $INTIP/32 bootps -d $BROADCAST/0 bootpc
/sbin/ipchains -A output -j ACCEPT -i $INTIF -p tcp -s $INTIP/32 bootps -d $BROADCAST/0 bootpc
#If you DISABLE the lines above, you need this following line to
#let the if..then statement run without failing out
echo "." > /dev/null
fi
# DMZ DHCP server - If we don't have a DMZ interface, dont do things for it
#
# Disabled by default
#
# if [ "$INT2IF" != "" ]; then
# /sbin/ipchains -A output -j ACCEPT -i $INT2IF -p udp -s $INT2IP/32 bootps -d $BROADCAST/0 bootpc
# /sbin/ipchains -A output -j ACCEPT -i $INT2IF -p tcp -s $INT2IP/32 bootps -d $BROADCAST/0 bootpc
# fi
# If we don't have an internal interface, dont do things for it
#
if [ "$INTIF" != "" ]; then
# HTTP: The following is an example of how to allow HTTP traffic to an
# intranet WWW server without allowing access from the external
# network.
#
# Disabled by default.
# echo " Optional parameter: WWW server"
#/sbin/ipchains -A output -j ACCEPT -i $INTIF -p tcp -s $INTIP/32 http -d $INTLAN
# APC PowerChute for Linux: The following is needed for APCs PowerChute
# software for Linux. The way it works is that it broadcasts the
# private network looking for the upsd daemon.
#
# Disabled by default.
#echo " Optional parameter: UPSd server"
#/sbin/ipchains -A output -j ACCEPT -i $INTIF -p udp -s $INTIP/32 -d $BROADCAST 5456
#This is required to complete the if..then loop if it is empty
echo "." > /dev/null
fi
# If we don't have an internal interface, dont do things for it
#
if [ "$INTIF" != "" ]; then
#--------------------------------------------------------------------
# Explicit Output from Internal LAN Hosts
#--------------------------------------------------------------------
# The following rule sets only allow SPECIFIC hosts on the internal LAN to
# access services on this firewall server itself. Many people might feel that
# this is extreme but many system attacks occur from the INTERNAL network as
# well.
#
# Examples given allow access via FTP, FTP-DATA, SSH, and TELNET.
#
# In order for this rule set to work, you must first comment out the line above
# that provides full access to the internal LAN by all internal hosts.
#
# Disabled by default.
#--------------------------------------------------------------------
#echo " - Setting output filters for specific internal hosts."
# First host
#/sbin/ipchains -A output -j ACCEPT -i $INTIF -p tcp -s $HOST1IP -d $INTIP ftp
#/sbin/ipchains -A output -j ACCEPT -i $INTIF -p tcp -s $HOST1IP -d $INTIP ftp-data
#/sbin/ipchains -A output -j ACCEPT -i $INTIF -p tcp -s $HOST1IP -d $INTIP ssh
#/sbin/ipchains -A output -j ACCEPT -i $INTIF -p tcp -s $HOST1IP -d $INTIP telnet
# Second host
#/sbin/ipchains -A output -j ACCEPT -i $INTIF -p tcp -s $HOST2IP -d $INTIP ftp
#/sbin/ipchains -A output -j ACCEPT -i $INTIF -p tcp -s $HOST2IP -d $INTIP ftp-data
#/sbin/ipchains -A output -j ACCEPT -i $INTIF -p tcp -s $HOST2IP -d $INTIP ssh
#/sbin/ipchains -A output -j ACCEPT -i $INTIF -p tcp -s $HOST2IP -d $INTIP telnet
#This is required to complete the if..then loop if it is empty
echo "." > /dev/null
fi
#--------------------------------------------------------------------
# Outgoing Traffic on the External Interface
#--------------------------------------------------------------------
# This rule set will control what traffic can go out on the external interface.
#--------------------------------------------------------------------
echo " - Setting input filters for traffic to the external interface."
# DHCP Client: If your Linux server is connected via DSL or a Cablemodem
# connection and you get dynamic DHCP addresses, you will need to
# enable the following rule sets.
#
# NOTE: Some distros change ipchains to NOT allow TCP connections for
# DHCP. Though TCP-based DHCP is really rare, it is part of
# of the standard.
#
# Enabled by default.
#/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $UNIVERSE bootpc -d $UNIVERSE bootps
#/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p udp -s $UNIVERSE bootpc -d $UNIVERSE bootps
# FTP: Allow FTP traffic (the Linux server is a FTP server)
#
# Disabled by default.
# echo " Optional parameter: FTP server"
#/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP ftp -d $UNIVERSE
#/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP ftp-data -d $UNIVERSE
# IRCd: Allow IRC traffic (the Linux server is a IRC server)
#
# Make sure ircd is defined in /etc/services
#
# Disabled by default
# echo " Optional parameter: IRC server"
# /sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP ircd -d $UNIVERSE
# HTTP: Allow HTTP traffic (the Linux server is a WWW server)
#
# Disabled by default
# echo " Optional parameter: WWW server"
#/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP http -d $UNIVERSE
# HTTPS: Allow HTTPS traffic (the Linux server is a WWW server)
#
# Disabled by default
# echo " Optional parameter: HTTPS server"
#/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP https -d $UNIVERSE
# NTP: Allow NTP updates (the Linux server is a NTP server)
#
# NOTE: Some NTP clients require TCP traffic. Others require UDP.
# Your pick!
#
# Disabled by default
# echo " Optional parameter: NTP server"
#/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP ntp -d $UNIVERSE
#/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p udp -s $EXTIP ntp -d $UNIVERSE
# TELNET: Allow telnet traffic (the Linux server is a TELNET server)
#
# Disabled by default
# echo " Optional parameter: TELNET server"
#/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP telnet -d $UNIVERSE
# SSH server: Allow outgoing SSH traffic (the Linux server is a SSH server)
#
# Disabled by default
#
# echo " Optional parameter: SSH server"
# /sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP ssh -d $UNIVERSE
#--------------------------------------------------------------------
# Outgoing Traffic on all Interfaces
#--------------------------------------------------------------------
# This will control output traffic for all interfaces. This is
# usually used for what could be considered as public services. It
# is noted that we provide a few rejection rule sets as examples but
# these are not required due to the overall REJECT statement above.
#--------------------------------------------------------------------
echo " - Setting output filters for public services on all interfaces."
# AUTH: Allow the authentication protocol, ident, to function on all
# interfaces but disable it in /etc/inetd.conf. The reason to
# allow this traffic in but block it via Inetd is because some
# legacy TCP/IP stacks don't deal with REJECTed "auth" requests
# properly.
#
# Traffic TO your machine and FROM your machine
/sbin/ipchains -A output -j ACCEPT -p tcp -s $UNIVERSE auth -d $UNIVERSE
/sbin/ipchains -A output -j ACCEPT -p tcp -s $UNIVERSE -d $UNIVERSE auth
# DNS: If you your Linux server is an authoritative DNS server, you must
# enable this rule set
#
# Disabled by default
#echo " Optional parameter: DNS server"
#/sbin/ipchains -A output -j ACCEPT -p tcp -s $EXTIP domain -d $UNIVERSE
#/sbin/ipchains -A output -j ACCEPT -p udp -s $EXTIP domain -d $UNIVERSE
# Advanced ICMP: Some users prefer that their UNIX box NOT ping, etc.
# This is easy enough to do but be sure you know what you
# are doing.
#
# There is an EXCELLENT paper on ICMP filtereing available at:
#
# http://www.sys-security.com/archive/papers/ICMP_Scanning_v2.0.pdf
#
#
# NOTE: When setting a FIREWALL to REJECT ICMP traffic, the resulting
# reply traffic is automatically discarded per the RFCs
#
# NOTE2: For a full list of all supported major and minor ICMP codes, run:
# /sbin/ipchains -h icmp
#
# MOST are Disabled by default.
#
#
# Do NOT reply to ICMP ECHO REPLYs (type 0) requests from the Internet
# (some find this useful)
#
# echo " Optional parameter: ICMP ECHO REPLY outbound filtered"
#/sbin/ipchains -A output -j REJECT -i $EXTIF -p icmp -s $EXTIP -d $UNIVERSE --icmp-type echo-reply
#
# Do NOT reply to TCP/UDP TRACEROUTE requests from the Internet (some find
# this useful)
#
# echo " Optional parameter: TCP/UDP TRACEROUTE outbound filtered"
#/sbin/ipchains -A output -j REJECT -i $EXTIF -p tcp -s $EXTIP -d $UNIVERSE 33434 $LOGGING
#/sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP -d $UNIVERSE 33434 $LOGGING
#
# Do NOT reply to TRACEROUTE requests from the Internet (MS clients use
# ICMP ECHOs instead of TCP/UDP - some find this useful )
#
# echo " Optional parameter: ICMP TRACEROUTE [MS] outbound filtered"
#/sbin/ipchains -A output -j REJECT -i $EXTIF -p icmp -s $EXTIP -d $UNIVERSE --icmp-type echo-request $LOGGING
#
# Do NOT reply to DESTINATION-UNREACHABLE (type 3) from the Internet (this
# is NOT a good idea - if you must do this then filter out the specific
# SUB-options such as PROTOCOL-UNREACHABLE in the OUTBOUND direction)
#
# echo " Optional parameter: ICMP DESTINATION-UNREACHABLE output filtered"
#/sbin/ipchains -A output -j REJECT -i $EXTIF -p icmp -s $EXTIP -d $UNIVERSE --icmp-type destination-unreachable $LOGGING
#
# Do NOT reply to SOURCEQUENCH (type 4) from the Internet (this is NOT a
# good idea)
#
# echo " Optional parameter: ICMP SOURCEQUENCH outbound filtered"
#/sbin/ipchains -A output -j REJECT -i $EXTIF -p icmp -s $EXTIP -d $UNIVERSE --icmp-type source-quench $LOGGING
#
# Do NOT reply to ANY form of ICMP REDIRECT packets (type 5) (this can
# help stop OS fingerprinting)
#
echo " Optional parameter: ICMP REDIRECT outbound filtered"
/sbin/ipchains -A output -j REJECT -i $EXTIF -p icmp -s $EXTIP -d $UNIVERSE --icmp-type redirect $LOGGING
# If we don't have a DMZ interface, dont do things for it
#
if [ "$INT2IF" != "" ]; then
/sbin/ipchains -A output -j REJECT -i $INT2IF -p icmp -s $INT2IP -d $UNIVERSE --icmp-type redirect $LOGGING
fi
# Do NOT allow PING requests (type 8) from the Internet (some find this
# useful)
#
# echo " Optional parameter: ICMP ECHO outbound filtered"
#/sbin/ipchains -A output -j REJECT -i $EXTIF -p icmp -s $EXTIP -d $UNIVERSE --icmp-type echo-request $LOGGING
#
# Do NOT reply to TTL-EXPIRED packets (type 11) from the Internet (this
# is NOT a good idea - do it OUTBOUND)
#
echo " Optional parameter: ICMP TTL-EXPIRED outbound filtered"
/sbin/ipchains -A output -j REJECT -i $EXTIF -p icmp -s $EXTIP -d $UNIVERSE --icmp-type ttl-zero-during-reassembly $LOGGING
# If we don't have a DMZ interface, dont do things for it
#
if [ "$INT2IF" != "" ]; then
/sbin/ipchains -A output -j REJECT -i $INT2IF -p icmp -s $INT2IP -d $UNIVERSE --icmp-type ttl-zero-during-reassembly $LOGGING
fi
# Do NOT reply to PARAMETER-PROBLEM packets (type 12) (this is NOT a good
# idea - filter this on OUTBOUND)
#
echo " Optional parameter: ICMP PARAMETER-PROBLEM outbound filtered"
/sbin/ipchains -A output -j REJECT -i $EXTIF -p icmp -s $EXTIP -d $UNIVERSE --icmp-type parameter-problem $LOGGING
# If we don't have a DMZ interface, dont do things for it
#
if [ "$INT2IF" != "" ]; then
/sbin/ipchains -A output -j REJECT -i $INT2IF -p icmp -s $INT2IP -d $UNIVERSE --icmp-type parameter-problem $LOGGING
fi
# Do NOT reply to ICMP TIMESTAMP packets (type 13 and 14) (this can help
# stop OS fingerprinting)
#
echo " Optional parameter: ICMP TIMESTAMP outbound filtered"
/sbin/ipchains -A output -j REJECT -i $EXTIF -p icmp -s $EXTIP -d $UNIVERSE --icmp-type timestamp-request $LOGGING
/sbin/ipchains -A output -j REJECT -i $EXTIF -p icmp -s $EXTIP -d $UNIVERSE --icmp-type timestamp-reply $LOGGING
# If we don't have a DMZ interface, dont do things for it
#
if [ "$INT2IF" != "" ]; then
/sbin/ipchains -A output -j REJECT -i $INT2IF -p icmp -s $INT2IP -d $UNIVERSE --icmp-type timestamp-request $LOGGING
/sbin/ipchains -A output -j REJECT -i $INT2IF -p icmp -s $INT2IP -d $UNIVERSE --icmp-type timestamp-reply $LOGGING
fi
# ICMP INFORMATION (type 15 and 16) packet filtering is NOT supported by
# either LINUX or IPCHAINS (no big deal)
#
# Do NOT reply to ICMP ADDRESS MASK packets (type 17 and 18) (this can help
# stop OS fingerprinting)
#
echo " Optional parameter: ICMP ADDRESS-MASK outbound filtered"
/sbin/ipchains -A output -j REJECT -i $EXTIF -p icmp -s $EXTIP -d $UNIVERSE --icmp-type address-mask-request $LOGGING
/sbin/ipchains -A output -j REJECT -i $EXTIF -p icmp -s $EXTIP -d $UNIVERSE --icmp-type address-mask-reply $LOGGING
# If we don't have a DMZ interface, dont do things for it
#
if [ "$INT2IF" != "" ]; then
/sbin/ipchains -A output -j REJECT -i $INT2IF -p icmp -s $INT2IP -d $UNIVERSE --icmp-type address-mask-request $LOGGING
/sbin/ipchains -A output -j REJECT -i $INT2IF -p icmp -s $INT2IP -d $UNIVERSE --icmp-type address-mask-reply $LOGGING
fi
# General ICMP: Allow ICMP traffic out
#
# NOTE: Disabling ICMP packets via the firewall rule set can do far
# more than just stop people from pinging your machine. Many aspects
# of TCP/IP and its associated applications rely on various ICMP
# messages. Without ICMP, both your Linux server and internal Masq'ed
# computers might not work.
#
# If you feel compelled to do ICMP filtering, do it by uncommenting your
# desired traffic types from the section ABOVE and NOT here.
#
/sbin/ipchains -A output -j ACCEPT -p icmp -s $UNIVERSE -d $UNIVERSE
# NNTP: This allows NNTP-based news out.
#
# Disabled by default
# echo " Optional parameter: NNTP server"
#/sbin/ipchains -A output -j ACCEPT -p tcp -s $EXTIP nntp -d $UNIVERSE
# SMTP: If the Linux servers is either an authoritative SMTP server or
# relay, you must allow this rule set.
#
# Disabled by default
#echo " Optional parameter: SMTP server"
#/sbin/ipchains -A output -j ACCEPT -p tcp -s $EXTIP smtp -d $UNIVERSE
#--------------------------------------------------------------------
# Output to Explicit Hosts
#--------------------------------------------------------------------
# This controls output to specific external hosts [secure hosts]. This example
# implementation allows ssh and pop-3 protocols out to the secure host. In
# addition to these rules, we must also explicitly allow the traffic in from
# the remote host. See the input rules above to see this take place.
#
# Disabled by default.
#--------------------------------------------------------------------
echo " - SECUREHOST: Setting output filters for explicit hosts."
# The secure host
#
if [ "$SECUREHOST" != "" ]; then
echo " * Allowing $SECUREHOST OUTPUT for ftp, ftp-data, ssh"
/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP ftp -d $SECUREHOST $UNPRIVPORTS
/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP ftp-data -d $SECUREHOST $UNPRIVPORTS
/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP ssh -d $SECUREHOST $UNPRIVPORTS
fi
if [ "$SECUREHOST2" != "" ]; then
echo " * Allowing $SECUREHOST2 OUTPUT for ftp, ftp-data, ssh, telnet, imap, and www"
/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP ftp -d $SECUREHOST2 $UNPRIVPORTS
/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP ftp-data -d $SECUREHOST2 $UNPRIVPORTS
/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP ssh -d $SECUREHOST2 $UNPRIVPORTS
/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP telnet -d $SECUREHOST2 $UNPRIVPORT
/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP www -d $SECUREHOST2 $UNPRIVPORT
/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP imap -d $SECUREHOST2 $UNPRIVPORT
fi
if [ "$SECUREHOST3" != "" ]; then
echo " * Allowing $SECUREHOST3 OUTPUT for ftp, ftp-data, ssh, www"
/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP ftp -d $SECUREHOST3 $UNPRIVPORTS
/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP ftp-data -d $SECUREHOST3 $UNPRIVPORTS
/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP ssh -d $SECUREHOST3 $UNPRIVPORTS
/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP www -d $SECUREHOST3 $UNPRIVPORTS
fi
if [ "$SECUREHOST4" != "" ]; then
echo " * Allowing $SECUREHOST4 OUTPUT for ftp, ftp-data, ssh, www"
/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP ftp -d $SECUREHOST4 $UNPRIVPORTS
/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP ftp-data -d $SECUREHOST4 $UNPRIVPORTS
/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP ssh -d $SECUREHOST4 $UNPRIVPORTS
/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP www -d $SECUREHOST4 $UNPRIVPORTS
fi
if [ "$SECUREHOST5" != "" ]; then
echo " * Allowing $SECUREHOST5 OUTPUT for ftp, ftp-data, ssh, www"
/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP ftp -d $SECUREHOST5 $UNPRIVPORTS
/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP ftp-data -d $SECUREHOST5 $UNPRIVPORTS
/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP ssh -d $SECUREHOST5 $UNPRIVPORTS
/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP www -d $SECUREHOST5 $UNPRIVPORTS
fi
echo " - DMZ-SECUREHOST: Setting output filters for explicit hosts."
# If we don't have a DMZ interface, dont do things for it
#
if ( [ "$INT2IF" != "" ] && [ "$DMZHOST1" != "" ] ); then
echo " * Allowing $DMZHOST1 OUTPUT for ssh, ftp"
/sbin/ipchains -A output -j ACCEPT -i $INT2IF -p tcp -s $INT2IP ftp -d $DMZHOST1 $UNPRIVPORTS
/sbin/ipchains -A output -j ACCEPT -i $INT2IF -p tcp -s $INTLAN ssh -d $DMZHOST1 $UNPRIVPORTS
/sbin/ipchains -A output -j ACCEPT -i $INT2IF -p tcp -s $INTLAN $UNPRIVPORTS -d $DMZHOST1 ssh
fi
if ( [ "$INT2IF" != "" ] && [ "$DMZHOST2" != "" ] ); then
echo " * Allowing $DMZHOST2 OUTPUT for ssh, ftp"
/sbin/ipchains -A output -j ACCEPT -i $INT2IF -p tcp -s $INT2IP ftp -d $DMZHOST2 $UNPRIVPORTS
/sbin/ipchains -A output -j ACCEPT -i $INT2IF -p tcp -s $INTLAN $UNPRIVPORTS -d $DMZHOST2 ssh
/sbin/ipchains -A output -j ACCEPT -i $INT2IF -p tcp -s $INTLAN ssh -d $DMZHOST2 $UNPRIVPORTS
fi
#--------------------------------------------------------------------
# Specific Output Rejections
#--------------------------------------------------------------------
# These rule sets reject specific traffic that you do not want out of
# the system.
#--------------------------------------------------------------------
echo " - Reject specific outputs."
# If we don't have an internal interface, dont do things for it
#
if [ "$INTIF" != "" ]; then
# Reject outgoing traffic to the local net from the remote interface,
# stuffed routing; deny & log
/sbin/ipchains -A output -j REJECT -i $EXTIF -s $UNIVERSE -d $INTLAN $LOGGING
fi
# If we don't have a DMZ interface, dont do things for it
#
if [ "$INT2IF" != "" ]; then
/sbin/ipchains -A output -j REJECT -i $INT2IF -s $UNIVERSE -d $INTLAN $LOGGING
fi
# If we don't have an internal interface, dont do things for it
#
if [ "$INTIF" != "" ]; then
# Reject outgoing traffic from the local net from the external interface,
# stuffed masquerading, deny and log
/sbin/ipchains -A output -j REJECT -i $EXTIF -s $INTLAN -d $UNIVERSE $LOGGING
fi
# If we don't have a DMZ interface, dont do things for it
#
if [ "$INT2IF" != "" ]; then
#DMZ network - block all outgoing DMZ traffic unless allowed somewhere above
/sbin/ipchains -A output -j REJECT -i $INT2IF -s $INTLAN -d $UNIVERSE $LOGGING
fi
# RFC1918 and IANA Reserved Address space Bogon filtering
#
# Filter all external traffic coming from either RESERVED or non-routed
# address space.
#
# See ftp://ftp.iana.org/assignments/ipv4-address-space for up to date
# results.
#
# Please run "whois IANA*@arin.net" and with a careful eye
# "whois RESERVED*@arin.net" for more info.
#
# -------------------------------------------------------------------
# NOTE *1*: Please notice that ALL IANA Reserved Address filters
# (except for the Class-D and Class-E networks) have
# been disabled as is seems that the IANA is releasing IP
# address space without updating their tables. There is
# the email list called "bogon-announce" which you can
# subscribe to here:
# http://www.cymru.com/Bogons/
#
# Note2: The bogon list changes ALL the time. Unless you subscribe
# to the above bogon list AND update your firewall when things
# change, you will be blackholing traffic.
#
# Note3: that the address schemes from whois are silently using CLASSFULL
# masks
#
# Note4: Some ISPs use RFC1918 addresses for internal addressing of
# customers and keeping status on equipment. Some customers of
# General Instruments SURFboard cable modems might have similar
# issues.
#
# -------------------------------------------------------------------
# Reserved-1
#/sbin/ipchains -A output -j REJECT -i $EXTIF -s 0.0.0.0/8 -d $UNIVERSE $LOGGING
# Reserved-9
#/sbin/ipchains -A output -j REJECT -i $EXTIF -s 1.0.0.0/8 -d $UNIVERSE $LOGGING
# Reserved-2
#/sbin/ipchains -A output -j REJECT -i $EXTIF -s 2.0.0.0/8 -d $UNIVERSE $LOGGING
# Reserved-5
#/sbin/ipchains -A output -j REJECT -i $EXTIF -s 5.0.0.0/8 -d $UNIVERSE $LOGGING
# Reserved-7
#/sbin/ipchains -A output -j REJECT -i $EXTIF -s 7.0.0.0/8 -d $UNIVERSE $LOGGING
# Reserved-10 and RFC1918 (10.x.x.x)
/sbin/ipchains -A output -j REJECT -i $EXTIF -s 10.0.0.0/8 -d $UNIVERSE $LOGGING
# If we don't have a DMZ interface, dont do things for it
#
if [ "$INT2IF" != "" ]; then
/sbin/ipchains -A output -j REJECT -i $INT2IF -s 10.0.0.0/8 -d $UNIVERSE $LOGGING
fi
# Reserved-23
#/sbin/ipchains -A output -j REJECT -i $EXTIF -s 23.0.0.0/8 -d $UNIVERSE $LOGGING
# Reserved-27
#/sbin/ipchains -A output -j REJECT -i $EXTIF -s 27.0.0.0/8 -d $UNIVERSE $LOGGING
# Reserved-31
#/sbin/ipchains -A output -j REJECT -i $EXTIF -s 31.0.0.0/8 -d $UNIVERSE $LOGGING
# Reserved-36
#/sbin/ipchains -A output -j REJECT -i $EXTIF -s 36.0.0.0/8 -d $UNIVERSE $LOGGING
# Reserved-37
#/sbin/ipchains -A output -j REJECT -i $EXTIF -s 37.0.0.0/8 -d $UNIVERSE $LOGGING
# Reserved-39
#/sbin/ipchains -A output -j REJECT -i $EXTIF -s 39.0.0.0/8 -d $UNIVERSE $LOGGING
# Reserved-42
#/sbin/ipchains -A output -j REJECT -i $EXTIF -s 42.0.0.0/8 -d $UNIVERSE $LOGGING
# Reserved-74 and 75
# 74.0.0.0 - 75.55.255.255
#/sbin/ipchains -A output -j REJECT -i $EXTIF -s 74.0.0.0/7 -d $UNIVERSE $LOGGING
# Reserved-76 though 79
# 76.0.0.0 - 79.55.255.255
#/sbin/ipchains -A output -j REJECT -i $EXTIF -s 76.0.0.0/6 -d $UNIVERSE $LOGGING
# Reserved 89
#/sbin/ipchains -A output -j REJECT -i $EXTIF -s 89.0.0.0/8 -d $UNIVERSE $LOGGING
# Reserved 90
#/sbin/ipchains -A output -j REJECT -i $EXTIF -s 90.0.0.0/8 -d $UNIVERSE $LOGGING
# Reserved 91
#/sbin/ipchains -A output -j REJECT -i $EXTIF -s 91.0.0.0/8 -d $UNIVERSE $LOGGING
# Reserved 92 though 95
# 92.0.0.0 - 95.255.255.255
#/sbin/ipchains -A output -j REJECT -i $EXTIF -s 92.0.0.0/6 -d $UNIVERSE $LOGGING
# Reserved 96 though 111
# 96.0.0.0 - 111.255.255.255
#/sbin/ipchains -A output -j REJECT -i $EXTIF -s 96.0.0.0/4 -d $UNIVERSE $LOGGING
# Reserved 112 though 119
# 112.0.0.0 - 119.255.255.255
#/sbin/ipchains -A output -j REJECT -i $EXTIF -s 112.0.0.0/5 -d $UNIVERSE $LOGGING
# Reserved 120 though 123
# 120.0.0.0 - 123.255.255.255
#/sbin/ipchains -A output -j REJECT -i $EXTIF -s 120.0.0.0/6 -d $UNIVERSE $LOGGING
# Reserved-127 127.255.255.255
#/sbin/ipchains -A output -j REJECT -i $EXTIF -s 127.0.0.0/8 -d $UNIVERSE $LOGGING
# BLACKHOLE3
#
# Disabled due to the fact that ALL reverse DNS functions (regardless of the
# address) will stop working properly. If you have a good explination of
# why this is, I would love to hear it.
#
#/sbin/ipchains -A output -j REJECT -i $EXTIF -s 128.9.64.26/32 -d $UNIVERSE $LOGGING
# Includes NET-TEST-B
#/sbin/ipchains -A output -j REJECT -i $EXTIF -s 128.66.0.0/16 -d $UNIVERSE $LOGGING
# IANA-BBLK-RESERVED and RFC1918 (172.16-31.0.0)
/sbin/ipchains -A output -j REJECT -i $EXTIF -s 172.16.0.0/12 -d $UNIVERSE $LOGGING
# If we don't have a DMZ interface, dont do things for it
#
if [ "$INT2IF" != "" ]; then
/sbin/ipchains -A output -j REJECT -i $INT2IF -s 172.16.0.0/12 -d $UNIVERSE $LOGGING
fi
# Reserved-173
#/sbin/ipchains -A output -j REJECT -i $EXTIF -s 173.0.0.0/8 -d $UNIVERSE $LOGGING
# Reserved-174 through 175
# 174.0.0.0 - 175.255.255.255
#/sbin/ipchains -A output -j REJECT -i $EXTIF -s 174.0.0.0/7 -d $UNIVERSE $LOGGING
# Reserved-176 through 183
# 176.0.0.0 - 183.255.255.255
#/sbin/ipchains -A output -j REJECT -i $EXTIF -s 176.0.0.0/5 -d $UNIVERSE $LOGGING
# Reserved-184 through 187
# 184.0.0.0 - 187.255.255.255
#/sbin/ipchains -A output -j REJECT -i $EXTIF -s 184.0.0.0/6 -d $UNIVERSE $LOGGING
# Reserved-189
#/sbin/ipchains -A output -j REJECT -i $EXTIF -s 189.0.0.0/8 -d $UNIVERSE $LOGGING
# Reserved-190
#/sbin/ipchains -A output -j REJECT -i $EXTIF -s 190.0.0.0/8 -d $UNIVERSE $LOGGING
# Reserved-4
#/sbin/ipchains -A output -j REJECT -i $EXTIF -s 191.255.0.0/16 -d $UNIVERSE $LOGGING
# ROOT-NS-LAB - 192.0.0.0/24
#/sbin/ipchains -A output -j REJECT -i $EXTIF -s 192.0.0.0/24 -d $UNIVERSE $LOGGING
# NET-ROOTS-NS-LIVE - 192.0.1.0/24
#/sbin/ipchains -A output -j REJECT -i $EXTIF -s 192.0.1.0/24 -d $UNIVERSE $LOGGING
# NET-TEST - 192.0.2.0/24
#/sbin/ipchains -A output -j REJECT -i $EXTIF -s 192.0.2.0/24 -d $UNIVERSE $LOGGING
# RFC1918
#foo
#/sbin/ipchains -A output -j REJECT -i $EXTIF -s 192.168.0.0/16 -d $UNIVERSE $LOGGING
# If we don't have a DMZ interface, dont do things for it
#
if [ "$INT2IF" != "" ]; then
/sbin/ipchains -A output -j ACCEPT -i $INT2IF -s $UNIVERSE -d $INT2LAN
/sbin/ipchains -A output -j REJECT -i $INT2IF -s $UNIVERSE -d 192.168.0.0/16 $LOGGING
fi
# RESERVED-13
#/sbin/ipchains -A output -j REJECT -i $EXTIF -s 197.0.0.0/16 -d $UNIVERSE $LOGGING
# Reserved-197
#/sbin/ipchains -A output -j REJECT -i $EXTIF -s 197.0.0.0/8 -d $UNIVERSE $LOGGING
# RESERVED-14
#/sbin/ipchains -A output -j REJECT -i $EXTIF -s 201.0.0.0/8 -d $UNIVERSE $LOGGING
# Reserved-5
#/sbin/ipchains -A output -j REJECT -i $EXTIF -s 223.255.255.0/24 -d $UNIVERSE $LOGGING
# Reserved-223
#/sbin/ipchains -A output -j REJECT -i $EXTIF -s 223.0.0.0/24 -d $UNIVERSE $LOGGING
#Future use for Class-E:
/sbin/ipchains -A output -j REJECT -i $EXTIF -s 240.0.0.0/5 -d $UNIVERSE $LOGGING
#Future use for Class-F:
/sbin/ipchains -A output -j REJECT -i $EXTIF -s 248.0.0.0/5 -d $UNIVERSE $LOGGING
# If we don't have a DMZ interface, dont do things for it
#
if [ "$INT2IF" != "" ]; then
/sbin/ipchains -A output -j REJECT -i $INT2IF -s 240.0.0.0/5 -d $UNIVERSE $LOGGING
/sbin/ipchains -A output -j REJECT -i $INT2IF -s 248.0.0.0/5 -d $UNIVERSE $LOGGING
fi
# -----------------
# Special Filtering
# -----------------
# Multicast: Silently drop all multicast traffic for those users who
# find this traffic filling up their logs.
#
# Disabled by default.
# echo " Optional parameter: Ignore MULTICAST"
# /sbin/ipchains -A output -j REJECT -i $EXTIF -s $UNIVERSE -d 224.0.0.0/4
# NFS: Reject NFS traffic FROM and TO external machines.
#
# NOTE: NFS is one of the biggest security issues an administrator will face.
# Do NOT enable NFS over the Internet or any non-trusted networks unless you
# know exactly what you are doing.
#
# NOTE #2: the $LOGGING variable is NOT included here because if it was
# enabled, your logs would grow too quickly to manage.
#
/sbin/ipchains -A output -j REJECT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP 2049
/sbin/ipchains -A output -j REJECT -i $EXTIF -p tcp -s $UNIVERSE 2049 -d $EXTIP
# If we don't have a DMZ interface, dont do things for it
#
if [ "$INT2IF" != "" ]; then
/sbin/ipchains -A output -j REJECT -i $INT2IF -p tcp -s $UNIVERSE -d $INT2IP 2049
/sbin/ipchains -A output -j REJECT -i $INT2IF -p tcp -s $UNIVERSE 2049 -d $INT2IP
fi
# SMB and CIFS: Reject SMB and CIFS traffic FROM external machines.
#
# NOTE: SMB (Win 3.x, 9x, NT) and CIFS (Win2k) is one of the biggest
# security issues an administrator will face. Do NOT enable SMB/CIFS
# traffic to flow over the Internet or any non-trusted networks
# unless you know exactly what you are doing. If you NEED this
# functionality, please use a IPSEC or PPTP VPN
#
# NOTE #2: the $LOGGING variable is NOT included here because if it was
# enabled, your logs would grow too quickly to manage.
#
# Ports: 137 TCP/UDP (NetBIOS name service)
# 138 UDP (NetBIOS datagram service) - TCP filtered just in case
# 139 TCP (NetBIOS session service) - UDP filtered just in case
# 445 TCP/UDP (MS CIFS in Win2k)
echo " - Rejecting TCP/UDP SMB traffic on the external interface."
/sbin/ipchains -A output -j REJECT -i $EXTIF -p tcp -s $EXTIP -d $UNIVERSE 137
/sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP -d $UNIVERSE 137
/sbin/ipchains -A output -j REJECT -i $EXTIF -p tcp -s $EXTIP -d $UNIVERSE 138
/sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP -d $UNIVERSE 138
/sbin/ipchains -A output -j REJECT -i $EXTIF -p tcp -s $EXTIP -d $UNIVERSE 139
/sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP -d $UNIVERSE 139
/sbin/ipchains -A output -j REJECT -i $EXTIF -p tcp -s $EXTIP -d $UNIVERSE 445
/sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP -d $UNIVERSE 445
/sbin/ipchains -A output -j REJECT -i $EXTIF -p tcp -s $EXTIP 137 -d $UNIVERSE
/sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP 137 -d $UNIVERSE
/sbin/ipchains -A output -j REJECT -i $EXTIF -p tcp -s $EXTIP 138 -d $UNIVERSE
/sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP 138 -d $UNIVERSE
/sbin/ipchains -A output -j REJECT -i $EXTIF -p tcp -s $EXTIP 139 -d $UNIVERSE
/sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP 139 -d $UNIVERSE
/sbin/ipchains -A output -j REJECT -i $EXTIF -p tcp -s $EXTIP 445 -d $UNIVERSE
/sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP 445 -d $UNIVERSE
# If we don't have a DMZ interface, dont do things for it
#
if [ "$INT2IF" != "" ]; then
/sbin/ipchains -A output -j REJECT -i $INT2IF -p tcp -s $INT2IP -d $UNIVERSE 137
/sbin/ipchains -A output -j REJECT -i $INT2IF -p udp -s $INT2IP -d $UNIVERSE 137
/sbin/ipchains -A output -j REJECT -i $INT2IF -p tcp -s $INT2IP -d $UNIVERSE 138
/sbin/ipchains -A output -j REJECT -i $INT2IF -p udp -s $INT2IP -d $UNIVERSE 138
/sbin/ipchains -A output -j REJECT -i $INT2IF -p tcp -s $INT2IP -d $UNIVERSE 139
/sbin/ipchains -A output -j REJECT -i $INT2IF -p udp -s $INT2IP -d $UNIVERSE 139
/sbin/ipchains -A output -j REJECT -i $INT2IF -p tcp -s $INT2IP -d $UNIVERSE 445
/sbin/ipchains -A output -j REJECT -i $INT2IF -p udp -s $INT2IP -d $UNIVERSE 445
/sbin/ipchains -A output -j REJECT -i $INT2IF -p tcp -s $INT2IP 137 -d $UNIVERSE
/sbin/ipchains -A output -j REJECT -i $INT2IF -p udp -s $INT2IP 137 -d $UNIVERSE
/sbin/ipchains -A output -j REJECT -i $INT2IF -p tcp -s $INT2IP 138 -d $UNIVERSE
/sbin/ipchains -A output -j REJECT -i $INT2IF -p udp -s $INT2IP 138 -d $UNIVERSE
/sbin/ipchains -A output -j REJECT -i $INT2IF -p tcp -s $INT2IP 139 -d $UNIVERSE
/sbin/ipchains -A output -j REJECT -i $INT2IF -p udp -s $INT2IP 139 -d $UNIVERSE
/sbin/ipchains -A output -j REJECT -i $INT2IF -p tcp -s $INT2IP 445 -d $UNIVERSE
/sbin/ipchains -A output -j REJECT -i $INT2IF -p udp -s $INT2IP 445 -d $UNIVERSE
fi
# Explictly filter out any OUTGOING traffic that is either known to be INSECURE or from a
# possible INTERNAL machine infected with a Trojan.
#
# RPC - Used for NFS and other insecure mechanisms
#
/sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP -d $UNIVERSE sunrpc $LOGGING
/sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP sunrpc -d $UNIVERSE $LOGGING
# If we don't have a DMZ interface, dont do things for it
#
if [ "$INT2IF" != "" ]; then
/sbin/ipchains -A output -j REJECT -i $INT2IF -p udp -s $INT2IP -d $UNIVERSE sunrpc $LOGGING
/sbin/ipchains -A output -j REJECT -i $INT2IF -p udp -s $INT2IP sunrpc -d $UNIVERSE $LOGGING
fi
# Mountd - Used for NFS
#
/sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP -d $UNIVERSE 635 $LOGGING
/sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP 635 -d $UNIVERSE $LOGGING
# If we don't have a DMZ interface, dont do things for it
#
if [ "$INT2IF" != "" ]; then
/sbin/ipchains -A output -j REJECT -i $INT2IF -p udp -s $INT2IP -d $UNIVERSE 635 $LOGGING
/sbin/ipchains -A output -j REJECT -i $INT2IF -p udp -s $INT2IP 635 -d $UNIVERSE $LOGGING
fi
# PPTP - Block unauthorized outgoing VPNs
#
/sbin/ipchains -A output -j REJECT -i $EXTIF -p tcp -s $EXTIP -d $UNIVERSE 1723 $LOGGING
/sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP -d $UNIVERSE 1723 $LOGGING
# If we don't have a DMZ interface, dont do things for it
#
if [ "$INT2IF" != "" ]; then
/sbin/ipchains -A output -j REJECT -i $INT2IF -p tcp -s $INT2IP -d $UNIVERSE 1723 $LOGGING
/sbin/ipchains -A output -j REJECT -i $INT2IF -p udp -s $INT2IP -d $UNIVERSE 1723 $LOGGING
fi
# Remote Winsock - Block internal Windows machines doing weird stuff.
#
/sbin/ipchains -A output -j REJECT -i $EXTIF -p tcp -s $EXTIP -d $UNIVERSE 1745 $LOGGING
/sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP -d $UNIVERSE 1745 $LOGGING
# If we don't have a DMZ interface, dont do things for it
#
if [ "$INT2IF" != "" ]; then
/sbin/ipchains -A output -j REJECT -i $INT2IF -p tcp -s $INT2IP -d $UNIVERSE 1745 $LOGGING
/sbin/ipchains -A output -j REJECT -i $INT2IF -p udp -s $INT2IP -d $UNIVERSE 1745 $LOGGING
fi
# NFS - Block NFS due to security issues
#
/sbin/ipchains -A output -j REJECT -i $EXTIF -p tcp -s $EXTIP -d $UNIVERSE 2049 $LOGGING
/sbin/ipchains -A output -j REJECT -i $EXTIF -p tcp -s $EXTIP 2049 -d $UNIVERSE $LOGGING
/sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP -d $UNIVERSE 2049 $LOGGING
/sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP 2049 -d $UNIVERSE $LOGGING
# If we don't have a DMZ interface, dont do things for it
#
if [ "$INT2IF" != "" ]; then
/sbin/ipchains -A output -j REJECT -i $INT2IF -p tcp -s $INT2IP -d $UNIVERSE 2049 $LOGGING
/sbin/ipchains -A output -j REJECT -i $INT2IF -p tcp -s $INT2IP 2049 -d $UNIVERSE $LOGGING
/sbin/ipchains -A output -j REJECT -i $INT2IF -p udp -s $INT2IP -d $UNIVERSE 2049 $LOGGING
/sbin/ipchains -A output -j REJECT -i $INT2IF -p udp -s $INT2IP 2049 -d $UNIVERSE $LOGGING
fi
# PcAnywhere - Block unauthorized outgoing remote control sessions
#
/sbin/ipchains -A output -j REJECT -i $EXTIF -p tcp -s $EXTIP -d $UNIVERSE 5631 $LOGGING
/sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP -d $UNIVERSE 5631 $LOGGING
/sbin/ipchains -A output -j REJECT -i $EXTIF -p tcp -s $EXTIP -d $UNIVERSE 5632 $LOGGING
/sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP -d $UNIVERSE 5632 $LOGGING
# If we don't have a DMZ interface, dont do things for it
#
if [ "$INT2IF" != "" ]; then
/sbin/ipchains -A output -j REJECT -i $INT2IF -p tcp -s $INT2IP -d $UNIVERSE 5631 $LOGGING
/sbin/ipchains -A output -j REJECT -i $INT2IF -p udp -s $INT2IP -d $UNIVERSE 5631 $LOGGING
/sbin/ipchains -A output -j REJECT -i $INT2IF -p tcp -s $INT2IP -d $UNIVERSE 5632 $LOGGING
/sbin/ipchains -A output -j REJECT -i $INT2IF -p udp -s $INT2IP -d $UNIVERSE 5632 $LOGGING
fi
# Xwindows - Block unauthorized and non-secured Xwindows
#
# NOTE: See variable section above for the example range (6000:6007 by default)
# Xwindows can use far more than just ports 6000-6007.
#
/sbin/ipchains -A output -j REJECT -i $EXTIF -p tcp -s $EXTIP -d $UNIVERSE $XWINDOWS_PORTS $LOGGING
/sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP -d $UNIVERSE $XWINDOWS_PORTS $LOGGING
# If we don't have a DMZ interface, dont do things for it
#
if [ "$INT2IF" != "" ]; then
/sbin/ipchains -A output -j REJECT -i $INT2IF -p tcp -s $INT2IP -d $UNIVERSE $XWINDOWS_PORTS $LOGGING
/sbin/ipchains -A output -j REJECT -i $INT2IF -p udp -s $INT2IP -d $UNIVERSE $XWINDOWS_PORTS $LOGGING
fi
# IPSec VPNs - Block unauthorized VPNs
/sbin/ipchains -A output -j REJECT -i $EXTIF -p tcp -s $EXTIP 500 -d $UNIVERSE $LOGGING
/sbin/ipchains -A output -j REJECT -i $EXTIF -p tcp -s $EXTIP -d $UNIVERSE 500 $LOGGING
# If we don't have a DMZ interface, dont do things for it
#
if [ "$INT2IF" != "" ]; then
/sbin/ipchains -A output -j REJECT -i $INT2IF -p tcp -s $INT2IP 500 -d $UNIVERSE $LOGGING
/sbin/ipchains -A output -j REJECT -i $INT2IF -p tcp -s $INT2IP -d $UNIVERSE 500 $LOGGING
fi
# MySQL - Block unauthorized SQL sessions
/sbin/ipchains -A output -j REJECT -i $EXTIF -p tcp -s $EXTIP 3306 -d $UNIVERSE $LOGGING
# If we don't have a DMZ interface, dont do things for it
#
if [ "$INT2IF" != "" ]; then
/sbin/ipchains -A output -j REJECT -i $INT2IF -p tcp -s $INT2IP 3306 -d $UNIVERSE $LOGGING
fi
# EggDrop IRC bot - Block unauthorized bots
/sbin/ipchains -A output -j REJECT -i $EXTIF -p tcp -s $EXTIP 3456 -d $UNIVERSE $LOGGING
# If we don't have a DMZ interface, dont do things for it
#
if [ "$INT2IF" != "" ]; then
/sbin/ipchains -A output -j REJECT -i $INT2IF -p tcp -s $INT2IP 3456 -d $UNIVERSE $LOGGING
fi
# Block the following known Trojan network ports.
#
# Please note that TCP/IP, by nature uses RANDOM high ports. So just because you get a firewall hit on
# a known trojan port doesn't always mean you have an infected internal machine. Please also note that
# since the port in question is blocked, the local or internal IP stack will eventually use a different
# high port before giving up so things SHOULD work ok anyway.
#
# By NO means is this a complete list but I try to get the common ones.
# If I filtered out ALL the various known trojan ports, there wouldn't be many VALID high ports left! :-(
#
# Please see http://www.simovits.com/sve/nyhetsarkiv/1999/nyheter9902.html for a more complete list.
#
# NetBus.
/sbin/ipchains -A output -j REJECT -i $EXTIF -p tcp -s $EXTIP -d $UNIVERSE 12345 $LOGGING
/sbin/ipchains -A output -j REJECT -i $EXTIF -p tcp -s $EXTIP -d $UNIVERSE 12346 $LOGGING
# If we don't have a DMZ interface, dont do things for it
#
if [ "$INT2IF" != "" ]; then
/sbin/ipchains -A output -j REJECT -i $INT2IF -p tcp -s $INT2IP -d $UNIVERSE 12345 $LOGGING
/sbin/ipchains -A output -j REJECT -i $INT2IF -p tcp -s $INT2IP -d $UNIVERSE 12346 $LOGGING
fi
# NetBus Pro.
/sbin/ipchains -A output -j REJECT -i $EXTIF -p tcp -s $EXTIP -d $UNIVERSE 20034 $LOGGING
# If we don't have a DMZ interface, dont do things for it
#
if [ "$INT2IF" != "" ]; then
/sbin/ipchains -A output -j REJECT -i $INT2IF -p tcp -s $INT2IP -d $UNIVERSE 20034 $LOGGING
fi
# BackOrofice
/sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP -d $UNIVERSE 31337 $LOGGING
/sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP -d $UNIVERSE 31338 $LOGGING
# If we don't have a DMZ interface, dont do things for it
#
if [ "$INT2IF" != "" ]; then
/sbin/ipchains -A output -j REJECT -i $INT2IF -p udp -s $INT2IP -d $UNIVERSE 31337 $LOGGING
/sbin/ipchains -A output -j REJECT -i $INT2IF -p udp -s $INT2IP -d $UNIVERSE 31338 $LOGGING
fi
# Win Crash Trojan.
/sbin/ipchains -A output -j REJECT -i $EXTIF -p tcp -s $EXTIP -d $UNIVERSE 5742 $LOGGING
# If we don't have a DMZ interface, dont do things for it
#
if [ "$INT2IF" != "" ]; then
/sbin/ipchains -A output -j REJECT -i $INT2IF -p tcp -s $INT2IP -d $UNIVERSE 5742 $LOGGING
fi
# Socket De Troye.
/sbin/ipchains -A output -j REJECT -i $EXTIF -p tcp -s $EXTIP -d $UNIVERSE 30303 $LOGGING
# If we don't have a DMZ interface, dont do things for it
#
if [ "$INT2IF" != "" ]; then
/sbin/ipchains -A output -j REJECT -i $INT2IF -p tcp -s $INT2IP -d $UNIVERSE 30303 $LOGGING
fi
# Unknown Trojan Horse (Master's Paradise [CHR])
/sbin/ipchains -A output -j REJECT -i $EXTIF -p tcp -s $EXTIP -d $UNIVERSE 40421 $LOGGING
# If we don't have a DMZ interface, dont do things for it
#
if [ "$INT2IF" != "" ]; then
/sbin/ipchains -A output -j REJECT -i $INT2IF -p tcp -s $INT2IP -d $UNIVERSE 40421 $LOGGING
fi
# Trinoo UDP flooder - Please note this port will probably change over time
/sbin/ipchains -A output -j REJECT -i $EXTIF -p tcp -s $EXTIP 27665 -d $UNIVERSE $LOGGING
/sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP 27444 -d $UNIVERSE $LOGGING
/sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP 31335 -d $UNIVERSE $LOGGING
# If we don't have a DMZ interface, dont do things for it
#
if [ "$INT2IF" != "" ]; then
/sbin/ipchains -A output -j REJECT -i $INT2IF -p tcp -s $INT2IP 27665 -d $UNIVERSE $LOGGING
/sbin/ipchains -A output -j REJECT -i $INT2IF -p udp -s $INT2IP 27444 -d $UNIVERSE $LOGGING
/sbin/ipchains -A output -j REJECT -i $INT2IF -p udp -s $INT2IP 31335 -d $UNIVERSE $LOGGING
fi
# Shaft distributed flooder - Please note this port will probably change over time
/sbin/ipchains -A output -j REJECT -i $EXTIF -p tcp -s $EXTIP 20432 -d $UNIVERSE $LOGGING
/sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP 18753 -d $UNIVERSE $LOGGING
/sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP 20433 -d $UNIVERSE $LOGGING
# If we don't have a DMZ interface, dont do things for it
#
if [ "$INT2IF" != "" ]; then
/sbin/ipchains -A output -j REJECT -i $INT2IF -p tcp -s $INT2IP 20432 -d $UNIVERSE $LOGGING
/sbin/ipchains -A output -j REJECT -i $INT2IF -p udp -s $INT2IP 18753 -d $UNIVERSE $LOGGING
/sbin/ipchains -A output -j REJECT -i $INT2IF -p udp -s $INT2IP 20433 -d $UNIVERSE $LOGGING
fi
# SubSeven Trojan - Please note this port will probably change over time
/sbin/ipchains -A output -j REJECT -i $EXTIF -p tcp -s $EXTIP 27374 -d $UNIVERSE $LOGGING
/sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP 27374 -d $UNIVERSE $LOGGING
/sbin/ipchains -A output -j REJECT -i $EXTIF -p tcp -s $EXTIP 1243 -d $UNIVERSE $LOGGING
# If we don't have a DMZ interface, dont do things for it
#
if [ "$INT2IF" != "" ]; then
/sbin/ipchains -A output -j REJECT -i $INT2IF -p tcp -s $INT2IP 27374 -d $UNIVERSE $LOGGING
/sbin/ipchains -A output -j REJECT -i $INT2IF -p udp -s $INT2IP 27374 -d $UNIVERSE $LOGGING
/sbin/ipchains -A output -j REJECT -i $INT2IF -p tcp -s $INT2IP 1243 -d $UNIVERSE $LOGGING
fi
#--------------------------------------------------------------------
# Allow all High Ports for return traffic.
#
# Some day this rule set will be stateful and we won't have to do this
#
echo " - Enabling all output REPLY [TCP/UDP] traffic on high ports."
/sbin/ipchains -A output -j ACCEPT -p tcp -s $EXTIP $UNPRIVPORTS -d $UNIVERSE
/sbin/ipchains -A output -j ACCEPT -p udp -s $EXTIP $UNPRIVPORTS -d $UNIVERSE
# If we don't have a DMZ interface, dont do things for it
#
if [ "$INT2IF" != "" ]; then
/sbin/ipchains -A output -j ACCEPT -p tcp -s $INT2IP $UNPRIVPORTS -d $UNIVERSE
/sbin/ipchains -A output -j ACCEPT -p udp -s $INT2IP $UNPRIVPORTS -d $UNIVERSE
fi
#--------------------------------------------------------------------
# Catch All Rule
#--------------------------------------------------------------------
echo " - Final output catch all rule."
# All other outgoing is denied and logged. This rule set should catch
# everything (including samba) that hasn't already been blocked.
#
/sbin/ipchains -A output -j REJECT -s $UNIVERSE -d $UNIVERSE $LOGGING
#********************************************************************
# Forwarding Rules
#********************************************************************
#
echo "----------------------------------------------------------------------"
echo "Forwarding Rules:"
# Dont run these commands if MASQ isnt compiled into the kernel
if [ -a /proc/sys/net/ipv4/ip_always_defrag ] && [ "$INTIF" != "" ]; then
#--------------------------------------------------------------------
# Enable TCP/IP forwarding and masquerading from the Internal LAN
#--------------------------------------------------------------------
# Diald Users:
#
# You need this rule to allow the sl0 SLIP interface to receive
# traffic to then bring the interface up.
#
# Disabled by default
#
#/sbin/ipchains -A forward -j MASQ -i sl0 -s $INTLAN -d $UNIVERSE
#--------------------------------------------------------------------
# Port Forwarding
#--------------------------------------------------------------------
# Port forwarding allows external traffic to directly connect to an INTERNAL
# Masq'ed machine. An example for this is when a user needs to have external
# users directly contact a WWW server behind the MASQ server.
#
# To use PORTFW, you need to un-# out and edit the $SECUREHOST section at
# the top of the rule set.
#
# NOTE: Port forwarding is well beyond the scope of this documentation to
# explain the security issues implied in opening up access like this.
# Please see Appendix A to read the IP-MASQ-HOWTO for a full explanation.
#
# Do not use ports greater than 1023 for redirection ports.
#
# Disabled by default.
#--------------------------------------------------------------------
#echo " * Enabling Port Forwarding onto internal hosts."
#/usr/sbin/ipmasqadm portfw -f
#echo " * Forwarding SSH traffic on port 26 to $PORTFWIP1"
#/usr/sbin/ipmasqadm portfw -a -P tcp -L $EXTIP 26 -R $PORTFWIP1 22
#
#echo " * Forwarding SSH traffic on port 26 to $PORTFWIP2"
#/usr/sbin/ipmasqadm portfw -a -P tcp -L $EXTIP 26 -R $PORTFWIP2 22
#
#echo " * Forwarding SSH traffic on port 26 to $PORTFWIP3"
#/usr/sbin/ipmasqadm portfw -a -P tcp -L $EXTIP 26 -R $PORTFWIP3 22
#--------------------------------------------------------------------
# Enable TCP/IP forwarding and masquerading from the Internal LAN
#--------------------------------------------------------------------
# Turn on IP Forwarding in the Linux kernel
#
# There are TWO methods of turning on this feature. The first method is the
# Red Hat way. Edit the /etc/sysconfig/network file and change the
# "FORWARD_IPV4" line to say:
#
# FORWARD_IPV4=true
#
# The second method is shown below and can executed at any time while the
# system is running.
#
echo " - Enabling IP forwarding."
echo "1" > /proc/sys/net/ipv4/ip_forward
# Masquerade from local net on local interface to anywhere.
#
echo " - Enable IP Masquerading from the internal LAN."
/sbin/ipchains -A forward -j MASQ -i $EXTIF -s $INTLAN -d $UNIVERSE
# If we don't have a DMZ interface, dont do things for it
#
if [ "$INT2IF" != "" ]; then
/sbin/ipchains -A forward -j MASQ -i $EXTIF -s $INT2LAN -d $UNIVERSE
/sbin/ipchains -A forward -j ACCEPT -i $INTIF -s $INT2LAN -d $INTLAN
/sbin/ipchains -A forward -j ACCEPT -i $INT2IF -s $INTLAN -d $INT2LAN
fi
# Enabling Always Defrag for Masqueraded systems
#
# Some 2.2.x and ALL 2.4.x kernels dont support this feature.
# If your kernel gives you an error on this line, you can safely
# ignore it.
#
echo " - Enable IP Always Defrag for the internal LAN."
echo "1" > /proc/sys/net/ipv4/ip_always_defrag
# Disabling the LooseUDP patch required by some Internet-based games
#
# NOTE: Some distros such as TurboLinux delete this option from the kernel
#
# Enabled by default
echo " - Disable LooseUDP [needed by some games] due to security"
echo "1" > /proc/sys/net/ipv4/ip_masq_udp_dloose
fi
# Catch all rule, all other forwarding is denied.
#
/sbin/ipchains -A forward -j REJECT -s $UNIVERSE -d $UNIVERSE $LOGGING
#********************************************************************
# The end
#********************************************************************
echo "----------------------------------------------------------------------"
echo -e "TrinityOS IPCHAINS Firewall $FWVER implemented.\n\n"
#/usr/local/sbin/beep
#/usr/local/sbin/success
sleep 1
#/usr/local/sbin/beep
sleep 1
#/usr/local/sbin/beep
sleep 1
Have the firewall rule set automatically load:
It should be noted that Mandrake 7.0+ and most likely newer Redhat versions have a section in /etc/rc.d/rc.sysinit to automatically load a /etc/rc.d/rc.firewall script if it exists. Since the network interfaces aren't up yet, I recommend to edit it and # out those lines
Various Linux Distributions:
--
#!/bin/sh
#
# firewall Bring up/down networking
#
# chkconfig: 2345 11 89
# description: Loads a modified version of the TrinityOS rc.firewall rule set
# probe: true
# ----------------------------------------------------------------------------
# # TrinityOS-firewall
# v11/11/00
#
# Part of the copyrighted and trademarked TrinityOS document.
# <url url="http://www.ecst.csuchico.edu/~dranch">
#
# Written and Maintained by David A. Ranch
# dranch at trinnet dot net
#
# Updates
# -------
#
# 11/11/00 - Fixed an echo typo to say that the policy is REJECT
# and added a MASQ list "mlist" option
# 10/08/00 - Changed the defaults when the firewall is stopped from ACCEPT
# to REJECT
#
# ----------------------------------------------------------------------------
# Source function library.
. /etc/rc.d/init.d/functions
# Check that networking is up.
# This line no longer work with bash2
#[ ${NETWORKING} = "no" ] && exit 0
# This should be OK.
[ "XXXX${NETWORKING}" = "XXXXno" ] && exit 0
[ -x /sbin/ifconfig ] || exit 0
# See how we were called.
case "$1" in
start)
/etc/rc.d/rc.firewall
;;
stop)
echo -e "\nFlushing firewall and setting default policies to REJECT\n"
/sbin/ipchains -P input REJECT
/sbin/ipchains -P output REJECT
/sbin/ipchains -P forward REJECT
/sbin/ipchains -F input
/sbin/ipchains -F output
/sbin/ipchains -F forward
;;
restart)
$0 stop
$0 start
;;
status)
/sbin/ipchains -L
;;
mlist)
/sbin/ipchains -M -L
;;
*)
echo "Usage: firewall {start|stop|restart|status|mlist}"
exit 1
esac
exit 0
--
Next, make it executable:
chmod 700 /etc/rc.d/init.d/firewall
Lastly, enable the firewall to start automatically:
chkconfig --add firewall
chkconfig --level 345 firewall on
Slackware:
Next, append this to the end of the "/etc/rc.d/rc.local" file
#Run the IP MASQ and firewall script
/etc/rc.d/rc.firewall
- Make the rc.firewall file executable
chmod 700 /etc/rc.d/rc.firewall
Now, if you aren't running a 2.0.x kernel, please skip down to the Firewall Confirm subsection to see how to safely make changes to your live firewall configuration.
+------------------------------------------------------------------------------+ | rc.firewall for MASQ setups with a STRONG IPFWADM rule set for 2.0.x kernels | | | | *** Discontinued!!! Patch your 2.0.x kernel and use the IPCHAINS rules!! | +------------------------------------------------------------------------------+ /etc/rc.d/rc.firewall
--
#!/bin/sh
#--------------------------------------------------------------------
# Version v2.97
#
# NOTE to ALL IPFWADM users:
#
# As you all know, IPFWADM has been replaced by IPCHAINS for some time
# now. I've also been updating the IPCHAINS rule sets for a while yet
# the IPFWADM rule sets haven't been updated.
#
# Though this sucks that I have to do this, I can't maintain both.
# In the future, I will REMOVE these rule sets though I will make them
# available via a different URL.
#
# ** BUT... there is a kernel patch to get IPCHAINS running on 2.0.x
# kernels. Please see <ref id="sect-5" name="Section 5"> for the URL and use IPCHAINS from
# now on. Ok?
#
# v2.97 - Deleted the DHCPcd commands as the syntax was old an misleading. Update
# to IPCHAINS.
#
# v2.96 - Added blurbs and scripts in the EXTIP, EXTBROAD, and DGW variable areas that
# DHCP users should use "dhcpcd" with the -c option to re-run
# the rule set upon lease renews. It is also mentioned that both
# DHCP and PPP users need to get their EXTBROAD and DGW addresses
# dynamically.
# - Changed the debug system to re-create the debug log each time
# (removed one of the >'s at the top of the debug setup)
#
# v2.95 - Added a /0 to the final OUTPUT reject rule. It was implicitly there but its good
# for documentation reasons. There were also a few IMPUT rules that DENYed
# instead of REJECTed traffic for spoofed traffic, etc. Fixed.
# I also noted that the automatic $extbroad varible will only be properly set if
# you have a typical 255.255.255.0 netmask. If you don't, you'll have to statically
# define it vs. use the automatic method.
# v2.94 - Added explicit INPUT filters for NFS and OUTPUT filters for Mountd and RPC
# v2.93 - Added explicit OUTPUT filters for the BackOrofice and NetBus Windows trojans
# v2.92 - Moved the default policy settings and INPUT/OUTPUT/FORWARD flush from
# the top of each section to the top top of the entire rule set.# v2.91
# v2.91 - Added more firewall DENY rules to stop Xwindows ports 6001-6007
# v2.90 - Changed the default policies from DENY to REJECT.
# v2.80 - Clarified the input/output rules for HTTP to use the -W interface option and
# added a #ed out rule for allowing HTTP traffic directly to the Linux box
# from the Internet.
# v2.75 - Added and commented on the enabling of multicast traffic
# - Caught a serious typo: -V CANNOT have a subnet mask appended to it. Though
# this is inconsitant with the other commands, this has been confirmed.
# v2.71 - Redirectted the rc.firewall debugging info to /tmp/rc.firewall.dump
# v2.70 - Added commented out debugging echo statements right after the environment vars
# v2.65 - Removed the /32 bit subnet mask from the intip, extip, dgw, secondarydns,
# and securehost variables and manually placed them back within the rule sets
# themselves. This is for users who use DHCP and/or PPP that wouldn't get the
# correct netmask. Also, the netmask built into these variables would break
# the IPPORTFW section.
# - Added the LOOPBACK variable for better readibilty
# - Cleaned the comment sections a little
#
# v2.60 - Added #'ed out rules to support the Linux box getting addressed via DHCP
# v2.51 - Corrected the vars passed to PPPd as shown bellow in the comments section
# v2.50 - Deleted an already #ed out line to allow in ALL incoming
# traffic.
# - Added a /32 bit subnet mask to the intip, extip, dgw, secondarydns,
# and securehost variables. Because of this, I then deleted a few stray
# and possibly incorrect /24 and /32 bit masks on various IPFWADM rules
# - Cleaned up (split up) the explicit INPUT section for internal and external
# hosts.
# - Cleaned up the IPPORTFW area to use all environment vars and added the
# $portfwip var.
# - Deleted a duplicate line for the "outgoing from local net on remote interface,
# stuffed masquerading, deny" rule set
#
# v2.45 - Added the environment variables that PPPd passes to ease the
# use of IPFWADM firewalls
# v2.40 - Change the default behavior of IPORTFW to disabled
# - Made some clarifications for dynamically addressed users and
# the "extif" variable.
# v2.30 - Commented and changed the unrestricted ports to 1024-65535
# since SSH sometimes creates connections at port 1023
# - Added #'ed out IPFWADM statements to do non-logged filtering
# of BOOTP (ports 67-68), Samba (ports 137-138), RIP
# (port 520), and SNMP (port 161)
# - Added TCP support for DHCP
# v2.25 - Rearranged the ordering and description of the IPFWADM enviro variables
# - Added #'ed out IPFWADM statements for WWW access to the world
# v2.20 - Addition of IPPORTFW commands
# v2.10 - Disabled ALL outbound Xwindows (Xwin uses port 6000) which was
# previously allowed since its in the >1024 port range. Gotcha!
# v2.00 - Totally re-written and MUCH stronger
# v1.00 - Oringial draft
#--------------------------------------------------------------------
# ++ Best viewed in a window at 90+ columns
#
# This script was adapted from Ambrose's IPMASQ-HOWTO and several
# other resources including:
#
# - Me
#
# **Note**: This config ASSUMES:
#
# 1) that you have your private LAN addressing set as
# 192.168.0.x
# 2) Your internal LAN is on eth1
# 3) Your external LAN is on eth0
# 3) Your static IP address is 100.200.0.212
# * If you get your external IP address via DHCP, you
# will need to un-comment (un-#) the "DHCP - Client" rule set
#
# Obviously, this config won't be totally correct for your
# environment nor can your static IP address be the same
# as mine! So, you might need to change the IP addresses,
# internal/external interface names, un-comment out the #'ed out DHCP client
# lines, etc.
#
# ---------------------------------------------------------------
#
# This config also handles both IP spoofing and stuffed routing
# and IP Masquerading. Anything not explicitly allowed is
# REJECTED. Rejecting traffic is better than DENYING it since
# it makes the IPFWADM'ED machine look like its not CAPABLE of
# doing that particular protocol!
#
# ***PPP and DHCP USERS***
#
# 1) All PPP and DHCP users that get Dynamic IP address should
# # out the "extip" variable a page or so down and then un-# out the
# following command for your dynamic IP address:
#
# NOTE: DHCP users will need to replace the "ppp0" interface name with
# the interface name of your external Internet interface.
#
# extip=`/sbin/ifconfig | grep -A 4 ppp0 | awk '/inet/ { print $2 } ' | sed -e s/addr://`
#
#
# 2. Create the /etc/ppp/ip-up script file to execute this rule set:
#
# /etc/ppp/ip-up
# --
# #!/bin/sh
# /etc/rc.d/rc.firewall
# --
#
# NOTE: When PPPd runs the /etc/ppp/ip-up script, it passes several
# environment variables which can help bring up the script.
# Though I haven't updated my doc to use these variables, I will
# at a future date:
#
# $1 = Interface being brought up (e.g. ppp0)
# $2 = TTY device being used (/dev/modem)
# $3 = Terminal speed (38400)
# $4 = IP address of my local PPP interface
# $5 = IP address of the remote P-t-P link (default gw)
# $6 = This is the IPPARM string that is passed from the
# options file for any ip-up specific use
#
#
# 3. Now make this new script executable by running "chmod 700 /etc/ppp/ip-up"
#---------------------------------------------------------------------------
#Enviroment Variables - Change to suit your environment
#
#Specification of the LOOPBACK interface
loopback="127.0.0.1"
#Specification of the INTERNAL NIC
intif="eth1"
#The IP address on your INTERNAL nic
intip="192.168.0.1"
#IP network address of the INTERNAL net
intnet="192.168.0.0"
#IP address of an internal host that should have IPPORTFW forward traffic to
portfwip="192.168.0.20"
#Specification of the EXTERNAL NIC
#
# PPP Users: If you are using the Dynamic PPP "extif" script from above,
# make sure to comment the below line out so it doesn't override it.
#
# If you want to use the PPPd variables, change this to read:
#
# extip=ppp0
#
extif="eth0"
#The IP address you get from the Internet
#
# PPP users: If you are getting dynamic address, either use the "extip" script
# from the header above or if you want to use the PPPd variables,
# change this to read:
#
# EXTIP=`/sbin/ifconfig | grep -A 4 $EXTIF | awk '/inet/ { print $2 } ' | sed -e s/addr://`
#
# NOTE: DHCP users should also update the script that runs DHCP to
# use "dhcpcd" instead of other solutions like RH6's
# "pump" DHCP solution and also have dhcpcd load.
# It should be noted that newer versions of pump can run scripts
# upon lease bringup, renew, etc.
#
# This will let the firewall re-run upon DHCP lease renews
# just in case you get a different IP address.
#
extip="100.200.0.212"
#The IP broadcast address of the external net
#
# PPP users: If you are getting dynamic address, use the PPPd variables.
# Change "extbroad" to read (this make an assuption but it should
# be a safe assumption):
# extbroad=`echo $4 | cut -d '.' -f 1-3`.255
#
# NOTE: This method will only work for typical 255.255.255.0 netmasks,
# if you get other masks such as a 255.255.252.0, you will have to
# statically define it like it is now instead of using the dynamic
# setup.
#
extbroad="100.200.0.255"
#IP address of the default gateway on the EXTERNAL NIC
#
# PPP and DHCP users: If you are getting dynamic address, use the PPPd variables.
# Change "dgw" to read:
#
# dgw=`/sbin/ifconfig | grep -A 4 ppp0 | awk '/gateway/ { print $2 } ' | sed -e s/addr://`
#
dgw="100.200.0.1"
#IP Mask for ALL IP addresses
universe="0.0.0.0"
#IP Mask for BROADCAST
broadcast="255.255.255.255"
#Specification of HIGH IP ports
# NOTE: Notice that this STARTS at 1024 and NOT at 1023 which it should.
# for some reason SSH sometimes initiates connections at 1023 which
# is a TCP violation but shit happens.
#
# Brief update: This is due to SSH not being executed with "-P"
#
unprivports="1024:65535"
#Specification of backup DNS server
secondarydns="102.200.0.25"
#Specifically allowed external host - secure1.host.com
securehost="200.211.0.40"
#---------------------------------------------------------------------------
# Debugging Section: If you are having problems with the firewall, uncomment
# out (un # out) the follow echo lines and then re-run
# the firewall to make sure that the rc.firewall is
# getting the right info.
#
#echo Loopback IP: $loopback >> /tmp/rc.firewall.dump
#echo Internal interface name: $intif >> /tmp/rc.firewall.dump
#echo Internal interface IP: $intip >> /tmp/rc.firewall.dump
#echo Internal interface net: $intnet >> /tmp/rc.firewall.dump
#echo ----------------------------------------------------- >> /tmp/rc.firewall.dump
#echo External interface name: $extif >> /tmp/rc.firewall.dump
#echo External interface IP: $extip >> /tmp/rc.firewall.dump
#echo External interface broadcast IP: $extbroad >> /tmp/rc.firewall.dump
#echo External interface default gateway: $dgw >> /tmp/rc.firewall.dump
#echo Internet IP to be port forwarded to: $portfwip >> /tmp/rc.firewall.dump
#echo ----------------------------------------------------- >> /tmp/rc.firewall.dump
#echo External secondary DNS (optional): $secondarydns >> /tmp/rc.firewall.dump
#echo External secured host (optional): $securehost >> /tmp/rc.firewall.dump
#---------------------------------------------------------------------------
# For a nice display
echo " "
#Multicast is a powerful, yet seldom used aspect of TCP/IP for multimedia
# data. Though it isn't used much now (because most ISPs don't enable
# multicast on their networks, it will be very common in a few more
# years. Check out www.mbone.com for more detail.
#
# NOTE: Adding this feature is OPTIONAL
#
echo "Adding multicast route.."
/sbin/route add -net 224.0.0.0 netmask 240.0.0.0 dev $extif
echo "Enabling IP Masquerading.."
echo "1" > /proc/sys/net/ipv4/ip_forward
#---------------------------------------------------------------------------
# Masq timeouts
# -------------
#
# Set timeout values for masq sessions (seconds).
# I only did this because my telnet connections would drop after inactivity
# of 15 mins.
echo "Changing IP MASQ Timeouts.."
# 2 hrs timeout for TCP session timeouts
# 10 sec timeout for traffic after the TCP/IP "FIN" packet is received
# 60 sec timeout for UDP traffic (MASQ'ed ICQ users must enable a 30sec
# firewall timeout in ICQ itself)
/sbin/ipfwadm -M -s 7200 10 60
#---------------------------------------------------------------------------
#---------------------------------------------------------------------------
# Masq Modules
# -------------
#
echo "Loading MASQ modules.."
#/sbin/modprobe ip_masq_cuseeme
/sbin/modprobe ip_masq_ftp
#/sbin/modprobe ip_masq_irc
#/sbin/modprobe ip_masq_quake
#/sbin/modprobe ip_masq_vdolive
#/sbin/modprobe ip_masq_raudio
#---------------------------------------------------------------------------
#Set all default policies to REJECT and flush all old rules:
echo "Set all default policies to REJECT and flush all old rules"
#Change default policies
/sbin/ipfwadm -I -p reject
/sbin/ipfwadm -O -p reject
/sbin/ipfwadm -F -p reject
#Flush all old rule sets
/sbin/ipfwadm -I -f
/sbin/ipfwadm -O -f
/sbin/ipfwadm -F -f
#---------------------------------------------------------------------------
echo "Enabling general INPUT on the internal LAN.. line 74"
#---------------------------------------------------------------------------
# INCOMING traffic on the INTERNAL LAN network
# --------------------------------------------
# local interface, local machines, going anywhere is valid
/sbin/ipfwadm -I -a accept -V $intip -S $intnet/24 -D $universe/0
# remote interface, claiming to be local machines, IP spoofing, get lost & log
/sbin/ipfwadm -I -a reject -V $extip -S $intnet/24 -D $universe/0 -o
# loopback interface is valid.
/sbin/ipfwadm -I -a accept -V $loopback -S $universe/0 -D $universe/0
# DHCP - SERVER - to serve out DHCP addresses on the internal LAN 67=bootps 68=bootpc
/sbin/ipfwadm -I -a accept -W $intif -P udp -S $universe/0 bootpc -D $broadcast/0 bootps
/sbin/ipfwadm -I -a accept -W $intif -P tcp -S $universe/0 bootpc -D $broadcast/0 bootps
## DHCP - CLIENT - if you get a dynamic IP address for your ADSL or Cablemodem connection
#/sbin/ipfwadm -I -a accept -W $extif -P udp -S $universe/0 bootps -D $broadcast/0 bootpc
#/sbin/ipfwadm -I -a accept -W $extif -P tcp -S $universe/0 bootps -D $broadcast/0 bootpc
echo "Enabling general INPUT on the external LAN.. line 94"
#---------------------------------------------------------------------------
# INCOMING traffic on the EXTERNAL LAN network
# --------------------------------------------------------------------------
#
# Questionable... ???
# /sbin/ipfwadm -I -a accept -V $extip -P -k -S $universe/0 -D $intnet/24 $unprivports
#-----------
# ICMP: Allow ICMP from the local default GW
/sbin/ipfwadm -I -a accept -W $extif -P icmp -S $dgw/32 -D $extip/32
## ICMP: Allow ICMP from the universe but LOG it .. nice thought but unless you
## can figure out how to ignore REPLIES.. this is too much logging!
#/sbin/ipfwadm -I -a accept -W $extif -P icmp -S $universe/0 -D $extip/32 -o
/sbin/ipfwadm -I -a accept -W $extif -P icmp -S $universe/0 -D $extip/32
# NTP: Allow NTP updates tcp from any host
/sbin/ipfwadm -I -a accept -W $extif -P tcp -S $universe/0 -D $extip/32 ntp
# IDENT: Allow IDENT on ALL interfaces but disable it in /etc/inetd.conf
/sbin/ipfwadm -I -a accept -P tcp -S $universe/0 -D $universe/0 113
# DNS Lookups & Zone transfers: Since this site is an authoritative DNS server, we must
# open up DNS to the public on ALL interfaces
/sbin/ipfwadm -I -a accept -P tcp -S $universe/0 -D $universe/0 53
/sbin/ipfwadm -I -a accept -P udp -S $universe/0 -D $universe/0 53
# SMTP MAIL: Since this site is an authoritative SMTP server, allow it in on ALL
# interfaces.
#
# NOTE: No specific -W interfaces are given since I want SMTP to be available
# from ALL interfaces and not just one specific one.
#
/sbin/ipfwadm -I -a accept -P tcp -S $universe/0 -D $extip/32 smtp
# WWW: Allow HTTP traffic. By default, allow all HTTP traffic from the Internal
# LAN but DISABLE it from the Internet. If you also require HTTP access
# from the Internet, uncomment the #ed out rule below.
#
#Internal LAN:
/sbin/ipfwadm -I -a accept -W $intif -P tcp -S $intnet/24 -D $intip/32 www
#
#Internet:
#/sbin/ipfwadm -I -a accept -W $extif -P tcp -S $universe/0 -D $extip/32 www
# NFS
/sbin/ipfwadm -I -a reject -W $extif -P tcp -S $universe/0 -D $extip/32 2049
/sbin/ipfwadm -I -a reject -W $extif -P tcp -S $universe/0 2049 -D $extip/32
# HIGH PORTS: Enable all HIGH ports for reply tcp/udp traffic
/sbin/ipfwadm -I -a accept -P tcp -S $universe/0 -D $extip/32 $unprivports
/sbin/ipfwadm -I -a accept -P udp -S $universe/0 -D $extip/32 $unprivports
echo "Enabling explicit INPUT on the -INTERNAL- LAN.. line 136"
##############################################################################
# Begin Explict IP INPUT allows on the INTERNAL LAN network:
##############################################################################
#
### NOTE: copy a set of the following (3) lines and modify them to reflect any
# additional internal hosts you want to be able to access your Linux
# box. These examples allow FTP, FTP-DATA, SSH, and Samba.
#
# If you want to enable TELNET access, just append the word "telnet" after
# the word "ssh"
#coyote
/sbin/ipfwadm -I -a accept -W $intif -P tcp -S 192.168.0.2/32 -D $intip/32 ftp ftp-data ssh
/sbin/ipfwadm -I -a accept -W $intif -P udp -S 192.168.0.2/32 -D $intip/32 137 138 139
#spare
/sbin/ipfwadm -I -a accept -W $intif -P tcp -S 192.168.0.9/32 -D $intip/32 ftp ftp-data ssh
/sbin/ipfwadm -I -a accept -W $intif -P udp -S 192.168.0.9/32 -D $intip/32 137 138 139
#spare2
/sbin/ipfwadm -I -a accept -W $intif -P tcp -S 192.168.0.10/32 -D $intip/32 ftp ftp-data ssh
/sbin/ipfwadm -I -a accept -W $intif -P udp -S 192.168.0.10/32 -D $intip/32 137 138 139
echo "Enabling explicit INPUT on the -EXTERNAL- LAN.. line 136"
##############################################################################
# Begin Explicit IP INPUT allows on the EXTERNAL LAN network:
##############################################################################
#
### NOTE: If you need to need to have more than just one remote Secure Host
# into your Linux box, copy the set of (2) lines below and modify
# them to reflect their proper IP addresses. This example allows
# SSH and POP3 in. In addition to this "Explict IP INPUT" exception,
# you will need to explicitly allow this remote secure
# host traffic to be let -OUT- of the firewall. See the "Explict IP
# OUTPUT allows" later in this rule set to complete the firewall rule set.
#
### NOTE2: If you want to enable TELNET access in addition to SSH and POP3, just
# append the word "telnet" after the word "pop-3"
#
### NOTE3: If you want to forward FTP traffic, you will need to install a different
# ip_masq_ftp module. Please see the IP-MASQ-HOWTO for full details.
#secure1.host.com
/sbin/ipfwadm -I -a accept -W $extif -P tcp -S $securehost/32 -D $extip/32 ssh pop-3
# +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
# IPPORTFW Re-directions..
# +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
#
# Port forwarding allows people from the outside to directly connect to a machine
# on the MASQed side. An example of this is the need for people to directly
# contact an FTP server on the MASQed network from the Internet.
# NOTE: Do *NOT* use ports greater than 1023 for redirection ports.
#
# I used to use ports 2312 for TELNET redirection but I figured out
# that with ports > 1023, all my IPFWADM rule sets were being
# ignored and all Internet hosts could hit my re-directed server!
#
# Why? Due to the default behavior of TCP/IP and MASQing, you
# have to allow all ports > 1023 through the firewall.
##### NOTE: Un-#ed out these statements if you want to enable IPPORTFW
#echo "Enabling IPPORTFW Redirection on the external LAN.. line 229"
#/usr/local/sbin/ipportfw -C
#/usr/local/sbin/ipportfw -A -t$extip/2112 -R $portfwip/21
#/usr/local/sbin/ipportfw -A -t$extip/2312 -R $portfwip/23
#/usr/local/sbin/ipportfw -A -t$extip/8012 -R $portfwip/80
# +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
# END IPPORTFW Re-directions..
# +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
# ********************************************************************************
# ** Uncomment these non-logging IPFWADM rules if they apply to your enivroment **
# ********************************************************************************
# Reject all stray BOOTP traffic but DON'T log it since it fills up the logs fast
#/sbin/ipfwadm -I -a reject -P udp -S $universe/0 68
# Reject all stray Samba traffic but DON'T log it since it fills up the logs fast
#/sbin/ipfwadm -I -a reject -P udp -S $universe/0 -D $universe/0 137 138 139
# Reject all stray RIP traffic but DON'T log it since it fills up the logs fast
#/sbin/ipfwadm -I -a reject -P udp -S $universe/0 -D $universe/0 520
# Reject all stray SNMP traffic but DON'T log it since it fills up the logs fast
#/sbin/ipfwadm -I -a reject -P udp -S $universe/0 -D $broadcast/0 161
# Final INPUT Rule
#
# catch all rule, all other incoming is denied and logged. pity there is no
# log option on the policy but this does the job instead.
/sbin/ipfwadm -I -a reject -S $universe/0 -D $universe/0 -o
echo "Enabling general OUTPUT on the internal LAN.. line 174 "
#---------------------------------------------------------------------------
# OUTGOING traffic on the INTERNAL LAN network
# --------------------------------------------
# local interface, any source going to local net is valid
/sbin/ipfwadm -O -a accept -V $intip -S $universe/0 -D $intnet/24
# outgoing to local net on remote interface, stuffed routing, deny & log
/sbin/ipfwadm -O -a reject -V $extip -S $universe/0 -D $intnet/24 -o
# outgoing from local net on remote interface, stuffed masquerading, deny
/sbin/ipfwadm -O -a reject -V $extip -S $intnet/24 -D $universe/0 -o
#DISABLED - Too open
## anything else outgoing on remote interface is valid
#ipfwadm -O -a accept -V $extip -S $extip/32 -D $universe/0
# loopback interface is valid.
/sbin/ipfwadm -O -a accept -V $loopback -S $universe/0 -D $universe/0
# DHCP - SERVER - to serve out DHCP addresses on the internal LAN 67=bootps 68=bootpc
/sbin/ipfwadm -O -a accept -W $intif -P udp -S $intip/32 bootps -D $broadcast/0 bootpc
/sbin/ipfwadm -O -a accept -W $intif -P tcp -S $intip/32 bootps -D $broadcast/0 bootpc
## DHCP - CLIENT - if you get a dynamic IP address for your ADSL or Cablemodem connection
#/sbin/ipfwadm -O -a accept -W $extif -P udp -S $universe/0 bootpc -D $broadcast/0 bootps
#/sbin/ipfwadm -O -a accept -W $extif -P tcp -S $universe/0 bootpc -D $broadcast/0 bootps
echo "Enabling general OUTPUT on the EXTERNAL LAN.. line 204 "
#---------------------------------------------------------------------------
# OUTGOING traffic on the external LAN network
# --------------------------------------------
# ICMP: Allow ICMP traffic out
/sbin/ipfwadm -O -a accept -P icmp -S $universe/0 -D $universe/0
# NTP: Allow NTP updates tcp from any host
/sbin/ipfwadm -O -a accept -W $extif -P tcp -S $extip/32 ntp -D $universe/0
# IDENT: Allow IDENT out but have it disabled in /etc/inetd.conf
/sbin/ipfwadm -O -a accept -P tcp -S $universe/0 113 -D $universe/0
# DNS Lookups & Zone transfers: Since this site is an authoritative DNS
# server, we must open up DNS to the public
# on ALL interfaces
# - You do not need port 42?
/sbin/ipfwadm -O -a accept -P tcp -S $extip/32 53 -D $universe/0
/sbin/ipfwadm -O -a accept -P udp -S $extip/32 53 -D $universe/0
# SMTP MAIL: Since this site is an authoritative SMTP server, allow it in on ALL
# interfaces
#
# NOTE: No specific -W interfaces are given since I want SMTP to be available
# from ALL interfaces and not just one specific one.
#
/sbin/ipfwadm -O -a accept -P tcp -S $extip/32 smtp -D $universe/0
# WWW: Allow HTTP traffic. By default, allow all HTTP traffic from the
# Internal LAN but DISABLE it from the Internet. If you also require
# HTTP access from the Internet, uncomment the #ed out rule below.
#
#Internal LAN:
/sbin/ipfwadm -O -a accept -W $intif -P tcp -S $intip/32 www -D $intnet/24
#
#Internet:
#/sbin/ipfwadm -O -a accept -W $extif -P tcp -S $extip/32 www -D $universe/0
# RPC - reject
/sbin/ipfwadm -O -a reject -W $extif -P udp -S $extip/32 -D $universe/0 111 -o
/sbin/ipfwadm -O -a reject -W $extif -P udp -S $extip/32 111 -D $universe/0 -o
# Mountd - reject
/sbin/ipfwadm -O -a reject -W $extif -P udp -S $extip/32 -D $universe/0 635 -o
/sbin/ipfwadm -O -a reject -W $extif -P udp -S $extip/32 635 -D $universe/0 -o
# PPTP - reject
/sbin/ipfwadm -O -a reject -W $extif -P tcp -S $extip/32 -D $universe/0 1723 -o
/sbin/ipfwadm -O -a reject -W $extif -P udp -S $extip/32 -D $universe/0 1723 -o
# Remote Winsock - Reject
/sbin/ipfwadm -O -a reject -W $extif -P tcp -S $extip/32 -D $universe/0 1745 -o
/sbin/ipfwadm -O -a reject -W $extif -P udp -S $extip/32 -D $universe/0 1745 -o
# NFS - Reject
/sbin/ipfwadm -O -a reject -W $extif -P tcp -S $extip/32 -D $universe/0 2049 -o
/sbin/ipfwadm -O -a reject -W $extif -P tcp -S $extip/32 2049 -D $universe/0 -o
/sbin/ipfwadm -O -a reject -W $extif -P udp -S $extip/32 -D $universe/0 2049 -o
/sbin/ipfwadm -O -a reject -W $extif -P udp -S $extip/32 2049 -D $universe/0 -o
# PcAnywhere - Reject
/sbin/ipfwadm -O -a reject -W $extif -P tcp -S $extip/32 -D $universe/0 5631 -o
/sbin/ipfwadm -O -a reject -W $extif -P udp -S $extip/32 -D $universe/0 5631 -o
/sbin/ipfwadm -O -a reject -W $extif -P tcp -S $extip/32 -D $universe/0 5632 -o
/sbin/ipfwadm -O -a reject -W $extif -P udp -S $extip/32 -D $universe/0 5632 -o
# Xwindows - Deny
/sbin/ipfwadm -O -a reject -W $extif -P tcp -S $extip/32 -D $universe/0 6000 -o
/sbin/ipfwadm -O -a reject -W $extif -P tcp -S $extip/32 -D $universe/0 6001 -o
/sbin/ipfwadm -O -a reject -W $extif -P tcp -S $extip/32 -D $universe/0 6002 -o
/sbin/ipfwadm -O -a reject -W $extif -P tcp -S $extip/32 -D $universe/0 6003 -o
/sbin/ipfwadm -O -a reject -W $extif -P tcp -S $extip/32 -D $universe/0 6004 -o
/sbin/ipfwadm -O -a reject -W $extif -P tcp -S $extip/32 -D $universe/0 6005 -o
/sbin/ipfwadm -O -a reject -W $extif -P tcp -S $extip/32 -D $universe/0 6006 -o
/sbin/ipfwadm -O -a reject -W $extif -P tcp -S $extip/32 -D $universe/0 6007 -o
#
/sbin/ipfwadm -O -a reject -W $extif -P udp -S $extip/32 -D $universe/0 6000 -o
/sbin/ipfwadm -O -a reject -W $extif -P udp -S $extip/32 -D $universe/0 6001 -o
/sbin/ipfwadm -O -a reject -W $extif -P udp -S $extip/32 -D $universe/0 6002 -o
/sbin/ipfwadm -O -a reject -W $extif -P udp -S $extip/32 -D $universe/0 6003 -o
/sbin/ipfwadm -O -a reject -W $extif -P udp -S $extip/32 -D $universe/0 6004 -o
/sbin/ipfwadm -O -a reject -W $extif -P udp -S $extip/32 -D $universe/0 6005 -o
/sbin/ipfwadm -O -a reject -W $extif -P udp -S $extip/32 -D $universe/0 6006 -o
/sbin/ipfwadm -O -a reject -W $extif -P udp -S $extip/32 -D $universe/0 6007 -o
# NetBus: REJECT Netbus and LOG it
/sbin/ipfwadm -O -a reject -W $extif -P tcp -S $extip/32 -D $universe/0 12345 -o
/sbin/ipfwadm -O -a reject -W $extif -P tcp -S $extip/32 -D $universe/0 12346 -o
# BackOrofice: REJECT BO on LOG it
/sbin/ipfwadm -O -a reject -W $extif -P udp -S $extip/32 -D $universe/0 31337 -o
# HIGH PORTS: Enable all HIGH ports for reply tcp/udp traffic
/sbin/ipfwadm -O -a accept -P tcp -S $extip/32 $unprivports -D $universe/0
/sbin/ipfwadm -O -a accept -P udp -S $extip/32 $unprivports -D $universe/0
echo "Enabling explicit OUTPUT on the external LAN.. line 231"
##############################################################################
# Begin Explict IP OUTPUT allows on the EXTERNAL LAN network:
##############################################################################
#
### NOTE: If you need to need to have more than just one remote Secure Host
# into your Linux box, copy the set of (2) lines below and modify
# them to reflect their proper IP addresses. This example allows
# FTP, FTP-DATA, SSH, and POP3 out. In addition to this "Explict IP
# OUTPUT" exception, you will need to explicitly allow this remote secure
# host traffic to be let -IN- to the firewall. See the "Explict IP
# INPUT allows" previously in this rule set to complete the firewall
# rule set.
#
### NOTE2: If you want to enable TELNET access in addition to FTP, FTP-DATA,
# and POP3, just append the word "telnet" after the word "pop-3"
#secure1.host.com
/sbin/ipfwadm -O -a accept -W $extif -P tcp -S $extip/32 ftp ftp-data ssh pop-3 -D $securehost/32 $unprivports
# ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
##############################################################################
# End Explict IP OUTPUT allows:
##############################################################################
# catch all rule, all other outgoing is denied and logged. pity there is no
# log option on the policy but this does the job instead.
#
# This should catch everything including SAMBA an all non-explicitly allowed
# TELNET, FTP, FTP-DATA, SSH, etc.
/sbin/ipfwadm -O -a reject -S $universe/0 -D $universe/0 -o
echo "Enabling MASQ on the external LAN.. line 250"
#---------------------------------------------------------------------------
# Forwarding traffic from the internal LAN network
# --------------------------------------------
#
# Masquerade from local net on local interface to anywhere.
/sbin/ipfwadm -F -a masquerade -W $extif -S $intnet/24 -D $universe/0
# catch all rule, all other forwarding is denied and logged. pity there is no
# log option on the policy but this does the job instead.
/sbin/ipfwadm -F -a reject -S $universe/0 -D $universe/0 -o
#--------------------------------------------------------------------
# For a nice display
echo " "
--
Redhat:
edit /etc/rc.d/init.d/network and find where the [STAR] block ends (search for the sentance "stop") and ADD the following just above the double semi-colons ";;"
/etc/rc.d/init.d/network
--
#Run the IP MASQ and firewall script
/etc/rc.d/rc.firewall
--
Slackware:
Next, append this to the end of the "/etc/rc.d/rc.local" file
--
#Run the IP MASQ and firewall script
/etc/rc.d/rc.firewall
- Make the rc.firewall file executable
chmod 700 /etc/rc.d/rc.firewall
Now, if you aren't running a 2.0.x kernel for non-Masq users, please skip down to the Firewall Confirm subsection to see how to safely make changes to your live firewall configuration.
############################################################################# # NON-MASQ rc.firewall # # # # The follwing IPFWADM rule set, based upon the rule set above, is for # # NON-MASQ users who just want to restrict access to their Linux box. # # This current config allows gloabal acces to: # # # # - DNS, SENDMAIL, WWW # # # # But it restricts access to only a few IPS for: # # # # - SSH, FTP, FTP-DATA, and POP-3 # ############################################################################# +-----------------------------------------------+ | rc.firewall for NON-MASQ setups using IPFWADM | | | | *** Discontinued!!! Patch your 2.0.x kernel | | and use the IPCHAINS rules!! | +-----------------------------------------------+
/etc/rc.d/rc.firewall
--
#!/bin/sh
#--------------------------------------------------------------------
# Version v2A.97
#
# NOTE to ALL IPFWADM users:
#
# As you all know, IPFWADM has been replaced by IPCHAINS for some time
# now. I've also been updating the IPCHAINS rule sets for a while yet
# the IPFWADM rule sets haven't been updated.
#
# Though this sucks that I have to do this, I can't maintain both.
# In the future, I will REMOVE these rule sets though I will make them
# available via a different URL.
#
# ** BUT... there is a kernel patch to get IPCHAINS running on 2.0.x
# kernels. Please see <ref id="sect-5" name="Section 5"> for the URL and use IPCHAINS from
# now on. Ok?
#
# v2A.97 - Fixed a typo in the BackOrofice filter. It was using the var
# exitif vs. the correct extif.
#
# v2A.96 - Added blurbs and scripts in the EXTIP, EXTBROAD, and DGW variable
# areas that DHCP users should use "dhcpcd" with the -c option to re-run
# the rule set upon lease renews. It is also mentioned that both
# DHCP and PPP users need to get their EXTBROAD and DGW addresses
# dynamically.
#
# - Changed the debug system to re-create the debug log each time
# (removed one of the >'s at the top of the debug setup)
#
# v2A.95 - Added a /0 to the final OUTPUT reject rule. It was implicitly there but its good
# for documentation reasons. There were also a few IMPUT rules that DENYed
# instead of REJECTed traffic for spoofed traffic, etc. Fixed.
# I also noted that the automatic $extbroad varible will only be properly set if
# you have a typical 255.255.255.0 netmask. If you don't, you'll have to statically
# define it vs. use the automatic method.
# v2A.94 - Added explicit INPUT filters for NFS and OUTPUT filters for Mountd and RPC
# v2A.93 - Added explicit OUTPUT filters for the BackOrofice and NetBus Windows trojans
# v2A.92 - Moved the default policy settings and INPUT/OUTPUT/FORWARD flush from
# the top of each section to the top top of the entire rule set.
# v2A.91 - Added more firewall DENY rules to stop Xwindows ports 6001-6007
# v2A.90 - Changed the default policies from DENY to REJECT.
# v2A.80 - Clarified the input/output rules for HTTP to use the -W interface
# option.
# v2A.75 - Added and commented on the addition of multicast traffic
# - Caught a serious typo: -V CANNOT have a subnet mask appended to it. Though
# this is inconsitant with the other commands, this has been confirmed.
# v2A.71 - Redirectted the rc.firewall debugging info to /tmp/rc.firewall.dump
# v2A.70 - Added commented out debugging echo statements right after the environment vars
# - Deleted the un-used $intif, $intip, and $intnet environment vars
#
# v2A.65 - Removed the /32 bit subnet mask from the intip, dgw, secondarydns,
# and securehost variables and manually placed them back within the rule sets
# themselves. This is for users who use DHCP and/or PPP that wouldn't get the
# correct netmask. Also, the netmask built into these variables would break
# the IPPORTFW section.
# - Added the LOOPBACK variable for better readibilty
# - Cleaned the comment sections a little
#
# v2A.60 - Added #'ed out rules to support the Linux box getting addressed via DHCP
# v2A.51 - Corrected the vars passed to PPPd as shown bellow in the comments section
# v2A.50 - Deleted an already #ed out line to allow in ALL incoming
# traffic.
# - Added a /32 bit subnet mask to the intip, extip, dgw, secondarydns,
# and securehost variables. Because of this, I then deleted a few stray
# and possibly incorrect /24 and /32 bit masks on various IPFWADM rules
# v2A.45 - Added the environment variables that PPPd passes to ease the
# use of IPFWADM firewalls
# v2A.40 - Made some clarifications for dynamically addressed users and
# the "extif" variable.
# v2A.30 - Added the better commented environment vars
# - Added #'ed out IPFWADM statements to do non-logged filtering
# of BOOTP (ports 67-68), Samba (ports 137-138), RIP
# (port 520), and SNMP (port 161)
# - Deleted out all the leftover header docments that were
# specific to the MASQ firewall
# - Added TCP support for DHCP
# - Fixed outgoing DNS to reflect port 53 on the SOURCE packet
#
# v2A.20 - New rev for firewalling of a single interface server
#
#--------------------------------------------------------------------
# ++ Best viewed in a window at 90+ columns
#
# This script was adapted from Ambrose's IPMASQ-HOWTO and several
# other resources including:
#
# - Me
#
# **Note**: This config ASSUMES:
# 1) Your external LAN is on eth0
# 2) Your static IP address is 100.200.0.212
#
# Obviously, this config won't be totally correct for your
# environment nor can your static IP address be the same
# as mine!
#
# So, you'll need to either manually change the IP address in
# the environment variable section or or use the following
# command to set it up for you.
#
# This config also handles both IP spoofing and stuffed routing
# and IP Masquerading. Anything not explicitly allowed is
# REJECTED. Rejecting traffic is better than DENYING it since
# it makes the IPFWADM'ED machine look like its not CAPABLE of
# doing that particular protocol!
#
# ***PPP USERS***
#
# 1) All PPP users that get Dynamic IP address should
# # out the "extip" variable a page or so down and then un-# out the
# following command for your dynamic IP address:
#
# extip=`/sbin/ifconfig | grep -A 4 ppp0 | awk '/inet/ { print $2 } ' | sed -e s/addr://`
#
# 2. Create the /etc/ppp/ip-up script file to execute this rule set:
#
# /etc/ppp/ip-up
# --
# #!/bin/sh
# /etc/rc.d/rc.firewall
# --
#
# Now make this new script executable by running "chmod 700 /etc/ppp/ip-up"
#
# NOTE: When PPPd runs the /etc/ppp/ip-up script, it passes several
# environment variables which can help bring up the script.
# Though I haven't updated my doc to use these variables, I will
# at a future date:
#
# $1 = Interface being brought up (e.g. ppp0)
# $2 = TTY device being used (/dev/modem)
# $3 = # Terminal speed (38400)
# $4 = IP address of my local PPP interface
# $5 = IP address of the remote P-t-P link (default gw)
# $6 = This is the IPPARM string that is passed from the options
# file for any ip-up specific use
#
# 3. Now make this new script executable by running "chmod 700 /etc/ppp/ip-up"
#---------------------------------------------------------------------------
#Enviroment Variables - Change to suit your environment
#
#Specification of the LOOPBACK interface
loopback="127.0.0.1"
#Specification of the EXTERNAL NIC
#
# PPP Users: If you are using the Dynamic PPP "extif" script from above,
# make sure to comment the below line out so it doesn't override it.
#
# If you want to use the PPPd variables, change this to read:
# extif="$1"
#
extif="eth0"
#The IP address you get from the Internet
#
# PPP users: If you are getting dynamic address, either use the "extip" script
# from the header above or if you want to use the PPPd variables,
# change this to read:
# extip="$3"
#
# or you can use the following script:
#
# EXTIP=`/sbin/ifconfig | grep -A 4 $EXTIF | awk '/inet/ { print $2 } ' | sed -e s/addr://`
#
#
# DHCP users: DHCP users should also update the script that runs DHCP to
# use "dhcpcd" instead of other solutions like RH6's
# "pump" DHCP solution. It should be noted that newer
# versions of pump can run scripts upon lease bringup, renew, etc.
# Fow now, have dhcpcd load with the option:
#
# -c /etc/rc.d/rc.firewall.ipchains
#
# This will let the firewall re-run upon DHCP lease renews
# just in case you get a different IP address.
#
extip="100.200.0.212"
#The IP broadcast address of the external net
#
# PPP users: If you are getting dynamic address, use the PPPd variables.
# Change "extbroad" to read (this make an assuption but it should
# be a safe assumption):
# extbroad=`echo $4 | cut -d '.' -f 1-3`.255
#
# NOTE: This method will only work for typical 255.255.255.0 netmasks,
# if you get other masks such as a 255.255.252.0, you will have to
# statically define it like it is now instead of using the dynamic
# setup.
#
extbroad="100.200.0.255"
#IP address of the default gateway on the EXTERNAL NIC
#
# PPP users: If you are getting dynamic address, use the PPPd variables.
# Change "dgw" to read:
# dgw=$4
#
# or
#
# dgw=`/sbin/ifconfig | grep -A 4 ppp0 | awk '/gateway/ { print $2 } ' | sed -e s/addr://`
#
dgw="100.200.0.1"
#IP Mask for ALL IP addresses
universe="0.0.0.0"
#IP Mask for BROADCAST
broadcast="255.255.255.255"
#Specification of HIGH IP ports
# NOTE: Notice that this STARTS at 1024 and NOT at 1023 which it should.
# for some reason SSH sometimes initiates connections at 1023 which
# is a TCP violation but shit happens.
#
# Brief update: This is due to SSH not being executed with "-P"
#
unprivports="1024:65535"
#Specification of backup DNS server
secondarydns="102.200.0.25"
#Specifically allowed external host - secure1.host.com
securehost="200.211.0.40"
#---------------------------------------------------------------------------
# Debugging Section: If you are having problems with the firewall, uncomment
# out (un # out) the follow echo lines and then re-run
# the firewall to make sure that the rc.firewall is
# getting the right info.
#
#echo Loopback IP: $loopback > /tmp/rc.firewall.dump
#echo ----------------------------------------------------- >> /tmp/rc.firewall.dump
#echo External interface name: $extif >> /tmp/rc.firewall.dump
#echo External interface IP: $extip >> /tmp/rc.firewall.dump
#echo External interface broadcast IP: $extbroad >> /tmp/rc.firewall.dump
#echo External interface default gateway: $dgw >> /tmp/rc.firewall.dump
#echo ----------------------------------------------------- >> /tmp/rc.firewall.dump
#echo External secondary DNS (optional): $secondarydns >> /tmp/rc.firewall.dump
#echo External secured host (optional): $securehost >> /tmp/rc.firewall.dump
#---------------------------------------------------------------------------
# For a nice display
echo " "
#Multicast is a powerful, yet seldom used aspect of TCP/IP for multimedia
# data. Though it isn't used much now (because most ISPs don't enable
# multicast on their networks, it will be very common in a few more
# years. Check out www.mbone.com for more detail.
#
# NOTE: Adding this feature is OPTIONAL
#
echo "Adding multicast route.."
/sbin/route add -net 224.0.0.0 netmask 240.0.0.0 dev $extif
#---------------------------------------------------------------------------
#Set all default policies to REJECT and flush all old rules:
echo "Set all default policies to REJECT and flush all old rules"
#Change default policies
/sbin/ipfwadm -I -p reject
/sbin/ipfwadm -O -p reject
/sbin/ipfwadm -F -p reject
#Flush all old rule sets
/sbin/ipfwadm -I -f
/sbin/ipfwadm -O -f
/sbin/ipfwadm -F -f
#---------------------------------------------------------------------------
echo "Enabling general INPUT on the external LAN.. line 74"
#---------------------------------------------------------------------------
# INCOMING traffic on the EXTERNAL LAN network
# --------------------------------------------
#
# local interface, local machines, going anywhere is valid
#/sbin/ipfwadm -I -a accept -V $extip -S $intnet/24 -D $universe/0
# remote interface, claiming to be local machines, IP spoofing, get lost & log
#/sbin/ipfwadm -I -a reject -V $extip -S $intnet/24 -D $universe/0 -o
# loopback interface is valid.
/sbin/ipfwadm -I -a accept -V $loopback -S $universe/0 -D $universe/0
# DHCP - SERVER - to serve out DHCP addresses on the internal LAN 67=bootps 68=bootpc
#/sbin/ipfwadm -I -a accept -W $intif -P udp -S $universe/0 bootpc -D $broadcast/0 bootps
## DHCP - CLIENT - if you get a dynamic IP address for your ADSL or Cablemodem connection
#/sbin/ipfwadm -I -a accept -W $extif -P udp -S $universe/0 bootps -D $broadcast/0 bootpc
#/sbin/ipfwadm -I -a accept -W $extif -P tcp -S $universe/0 bootps -D $broadcast/0 bootpc
# Questionable... ???
# /sbin/ipfwadm -I -a accept -V $extip -P -k -S $universe/0 -D $intnet/24 $unprivports
#-----------
# ICMP: Allow ICMP from the local default GW
/sbin/ipfwadm -I -a accept -W $extif -P icmp -S $dgw/32 -D $extip/32
## ICMP: Allow ICMP from the universe but LOG it .. nice thought but unless you
## can figure out how to ignore REPLIES.. this is too much logging!
#/sbin/ipfwadm -I -a accept -W $extif -P icmp -S $universe/0 -D $extip/32 -o
/sbin/ipfwadm -I -a accept -W $extif -P icmp -S $universe/0 -D $extip/32
# NTP: Allow NTP updates tcp from any host
/sbin/ipfwadm -I -a accept -W $extif -P tcp -S $universe/0 -D $extip/32 ntp
# IDENT: Allow IDENT on ALL interfaces but disable it in /etc/inetd.conf
/sbin/ipfwadm -I -a accept -P tcp -S $universe/0 -D $universe/0 113
# DNS Lookups & Zone transfers: Since this site is an authoritative DNS server, we must
# open up DNS to the public on ALL interfaces
/sbin/ipfwadm -I -a accept -P tcp -S $universe/0 -D $universe/0 53
/sbin/ipfwadm -I -a accept -P udp -S $universe/0 -D $universe/0 53
# SMTP MAIL: Since this site is an authoritative SMTP server, allow it in on ALL
# interfaces
#
# NOTE: No specific -W interfaces are given since I want SMTP to be available
# from ALL interfaces and not just one specific one.
#
/sbin/ipfwadm -I -a accept -P tcp -S $universe/0 -D $extip/32 smtp
# WWW: Since this site is an authoritative WWW server, allow it in on ALL
# interfaces
/sbin/ipfwadm -I -a accept -P tcp -W $extif -S $universe/0 -D $extip/32 www
# NFS
/sbin/ipfwadm -I -a reject -W $extif -P tcp -S $universe/0 -D $extip/32 2049
/sbin/ipfwadm -I -a reject -W $extif -P tcp -S $universe/0 2049 -D $extip/32
# HIGH PORTS: Enable all HIGH ports for reply tcp/udp traffic
/sbin/ipfwadm -I -a accept -P tcp -S $universe/0 -D $extip/32 $unprivports
/sbin/ipfwadm -I -a accept -P udp -S $universe/0 -D $extip/32 $unprivports
echo "Enabling explicit INPUT on the external LAN.. line 136"
##############################################################################
# Begin Explict IP INPUT allows on the EXTERNAL LAN network:
##############################################################################
#
#securehost
/sbin/ipfwadm -I -a accept -W $extif -P tcp -S $securehost/32 -D $extip/32 ftp ftp-data ssh
#
##############################################################################
# End Explict IP INPUT allows on the EXTERNAL LAN network:
##############################################################################
# ********************************************************************************
# ** Uncomment these non-logging IPFWADM rules if they apply to your enivroment **
# ********************************************************************************
# Reject all stray BOOTP traffic but DON'T log it since it fills up the logs fast
#/sbin/ipfwadm -I -a reject -P udp -S $universe/0 68
# Reject all stray Samba traffic but DON'T log it since it fills up the logs fast
#/sbin/ipfwadm -I -a reject -P udp -S $universe/0 -D $universe/0 137 138 139
# Reject all stray RIP traffic but DON'T log it since it fills up the logs fast
#/sbin/ipfwadm -I -a reject -P udp -S $universe/0 -D $universe/0 520
# Reject all stray SNMP traffic but DON'T log it since it fills up the logs fast
#/sbin/ipfwadm -I -a reject -P udp -S $universe/0 -D $broadcast/0 161
# catch all rule, all other incoming is denied and logged. pity there is no
# log option on the policy but this does the job instead.
/sbin/ipfwadm -I -a reject -S $universe/0 -D $universe/0 -o
echo "Enabling general OUTPUT on the external LAN.. line 174 "
#---------------------------------------------------------------------------
# OUTGOING traffic on the EXTERNAL LAN network
# --------------------------------------------
# local interface, any source going to local net is valid
#/sbin/ipfwadm -O -a accept -V $intip -S $universe/0 -D $intnet/24
# outgoing to local net on remote interface, stuffed routing, deny & log
#/sbin/ipfwadm -O -a reject -V $extip -S $universe/0 -D $intnet/24 -o
# outgoing from local net on remote interface, stuffed masquerading, deny
#/sbin/ipfwadm -O -a reject -V $extip -S $intnet/24 -D $universe/0 -o
# outgoing from local net on remote interface, stuffed masquerading, deny
#/sbin/ipfwadm -O -a reject -V $extip -S $universe/0 -D $intnet/24 -o
# loopback interface is valid.
/sbin/ipfwadm -O -a accept -V $loopback -S $universe/0 -D $universe/0
# DHCP - SERVER - to serve out DHCP addresses on the internal LAN 67=bootps 68=bootpc
#/sbin/ipfwadm -O -a accept -W $intif -P udp -S $intip/32 bootps -D $broadcast/0 bootpc
## DHCP - CLIENT - if you get a dynamic IP address for your ADSL or Cablemodem connection
#/sbin/ipfwadm -O -a accept -W $extif -P udp -S $universe/0 bootpc -D $broadcast/0 bootps
#/sbin/ipfwadm -O -a accept -W $extif -P tcp -S $universe/0 bootpc -D $broadcast/0 bootps
echo "Enabling general OUTPUT on the EXTERNAL LAN.. line 204 "
# --------------------------------------------
# ICMP: Allow ICMP traffic out
/sbin/ipfwadm -O -a accept -P icmp -S $universe/0 -D $universe/0
# NTP: Allow NTP updatestcp from any host
/sbin/ipfwadm -O -a accept -W $extif -P tcp -S $extip/32 ntp -D $universe/0
# IDENT: Allow IDENT out but have it disabled in /etc/inetd.conf
/sbin/ipfwadm -O -a accept -P tcp -S $universe/0 113 -D $universe/0
# DNS Lookups & Zone transfers: Since this site is an authoritative DNS
# server, we must open up DNS to the public
# on ALL interfaces
# - You do not need port 42?
/sbin/ipfwadm -O -a accept -P tcp -S $extip/32 53 -D $universe/0
/sbin/ipfwadm -O -a accept -P udp -S $extip/32 53 -D $universe/0
# SMTP MAIL: Since this site is an authoritative SMTP server, allow it in on ALL
# interfaces
#
# NOTE: No specific -W interfaces are given since I want SMTP to be available
# from ALL interfaces and not just one specific one.
#
/sbin/ipfwadm -O -a accept -P tcp -S $extip/32 smtp -D $universe/0
# WWW: Since this site is an authoritative www server, allow it in on ALL
# interfaces
/sbin/ipfwadm -O -a accept -P tcp -W $extif -S $extip/32 www -D $universe/0
# RPC - reject
/sbin/ipfwadm -O -a reject -W $extif -P udp -S $extip/32 -D $universe/0 111 -o
/sbin/ipfwadm -O -a reject -W $extif -P udp -S $extip/32 111 -D $universe/0 -o
# Mountd - reject
/sbin/ipfwadm -O -a reject -W $extif -P udp -S $extip/32 -D $universe/0 635 -o
/sbin/ipfwadm -O -a reject -W $extif -P udp -S $extip/32 635 -D $universe/0 -o
# PPTP - reject
/sbin/ipfwadm -O -a reject -W $extif -P tcp -S $extip/32 -D $universe/0 1723 -o
/sbin/ipfwadm -O -a reject -W $extif -P udp -S $extip/32 -D $universe/0 1723 -o
# Remote Winsock - Reject
/sbin/ipfwadm -O -a reject -W $extif -P tcp -S $extip/32 -D $universe/0 1745 -o
/sbin/ipfwadm -O -a reject -W $extif -P udp -S $extip/32 -D $universe/0 1745 -o
# NFS - Reject
/sbin/ipfwadm -O -a reject -W $extif -P tcp -S $extip/32 -D $universe/0 2049 -o
/sbin/ipfwadm -O -a reject -W $extif -P tcp -S $extip/32 2049 -D $universe/0 -o
/sbin/ipfwadm -O -a reject -W $extif -P udp -S $extip/32 -D $universe/0 2049 -o
/sbin/ipfwadm -O -a reject -W $extif -P udp -S $extip/32 2049 -D $universe/0 -o
# PcAnywhere - Reject
/sbin/ipfwadm -O -a reject -W $extif -P tcp -S $extip/32 -D $universe/0 5631 -o
/sbin/ipfwadm -O -a reject -W $extif -P udp -S $extip/32 -D $universe/0 5631 -o
/sbin/ipfwadm -O -a reject -W $extif -P tcp -S $extip/32 -D $universe/0 5632 -o
/sbin/ipfwadm -O -a reject -W $extif -P udp -S $extip/32 -D $universe/0 5632 -o
# Xwindows - Deny
/sbin/ipfwadm -O -a reject -W $extif -P tcp -S $extip/32 -D $universe/0 6000 -o
/sbin/ipfwadm -O -a reject -W $extif -P tcp -S $extip/32 -D $universe/0 6001 -o
/sbin/ipfwadm -O -a reject -W $extif -P tcp -S $extip/32 -D $universe/0 6002 -o
/sbin/ipfwadm -O -a reject -W $extif -P tcp -S $extip/32 -D $universe/0 6003 -o
/sbin/ipfwadm -O -a reject -W $extif -P tcp -S $extip/32 -D $universe/0 6004 -o
/sbin/ipfwadm -O -a reject -W $extif -P tcp -S $extip/32 -D $universe/0 6005 -o
/sbin/ipfwadm -O -a reject -W $extif -P tcp -S $extip/32 -D $universe/0 6006 -o
/sbin/ipfwadm -O -a reject -W $extif -P tcp -S $extip/32 -D $universe/0 6007 -o
#
/sbin/ipfwadm -O -a reject -W $extif -P udp -S $extip/32 -D $universe/0 6000 -o
/sbin/ipfwadm -O -a reject -W $extif -P udp -S $extip/32 -D $universe/0 6001 -o
/sbin/ipfwadm -O -a reject -W $extif -P udp -S $extip/32 -D $universe/0 6002 -o
/sbin/ipfwadm -O -a reject -W $extif -P udp -S $extip/32 -D $universe/0 6003 -o
/sbin/ipfwadm -O -a reject -W $extif -P udp -S $extip/32 -D $universe/0 6004 -o
/sbin/ipfwadm -O -a reject -W $extif -P udp -S $extip/32 -D $universe/0 6005 -o
/sbin/ipfwadm -O -a reject -W $extif -P udp -S $extip/32 -D $universe/0 6006 -o
/sbin/ipfwadm -O -a reject -W $extif -P udp -S $extip/32 -D $universe/0 6007 -o
# NetBus: REJECT Netbus and LOG it
/sbin/ipfwadm -O -a reject -W $extif -P tcp -S $extip/32 -D $universe/0 12345 -o
/sbin/ipfwadm -O -a reject -W $extif -P tcp -S $extip/32 -D $universe/0 12346 -o
# BackOrofice: REJECT BO on LOG it
/sbin/ipfwadm -O -a reject -W $extif -P udp -S $extip/32 -D $universe/0 31337 -o
# HIGH PORTS: Enable all HIGH ports for reply tcp/udp traffic
/sbin/ipfwadm -O -a accept -P tcp -S $extip/32 $unprivports -D $universe/0
/sbin/ipfwadm -O -a accept -P udp -S $extip/32 $unprivports -D $universe/0
echo "Enabling explicit OUTPUT on the external LAN.. line 231"
##############################################################################
# Begin Explict IP OUTPUT allows on the EXTERNAL LAN network:
##############################################################################
#
#securehost
/sbin/ipfwadm -O -a accept -W $extif -P tcp -S $extip/32 ftp ftp-data ssh -D $securehost/32 $unprivports
# ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
##############################################################################
# End Explict IP OUTPUT allows:
##############################################################################
# catch all rule, all other outgoing is denied and logged. pity there is no
# log option on the policy but this does the job instead.
#
# This should catch everything including SAMBA an all non-explicitly allowed
# TELNET, FTP, FTP-DATA, SSH, etc.
/sbin/ipfwadm -O -a reject -S $universe/0 -D $universe/0 -o
#---------------------------------------------------------------------------
# Forwarding traffic from the internal LAN network
# --------------------------------------------
# catch all rule, all other forwarding is denied and logged. pity there is no
# log option on the policy but this does the job instead.
/sbin/ipfwadm -F -a reject -S $universe/0 -D $universe/0 -o
#--------------------------------------------------------------------
# For a nice display
echo " "
# --end
--
Next, append this to the end of the "/etc/rc.d/rc.local" file
All distributions:
--
#Run the IP MASQ and firewall script
/etc/rc.d/rc.firewall
--
- Make the rc.firewall file executable
chmod 700 /etc/rc.d/rc.firewall
First, you need to figure out what kind of access you are looking for. Ideally (in the name of security), you shouldn't allow the entire Internet to acces your box but only a few IP addresses.
If you can restrict the access down to a few IPs ------------------------------------------------ First, edit the rc.firewall ruleset that you have already modified to fit your needs and un-# out one or more of the SECUREHOST variables towards the top. Here, you will put in your desired remote IP addresses that you want to allow into your box. Next, un-# out the respective SECUREHOST lines in both the INPUT and OUTPUT sections of the rule. One critical thing to change on these two sets of lines is to change the PORT number to reflect the port you want to allow in (23 for telnet, 21 for ftp, etc). Finally, if you actually want to PORTFW this traffic to some internal machine behind a MASQ user, you will want to jump to the section below.
Setting up PORTFW
----------------- To do PORTFW, you need to to towards the top of the rc.firewall file and you need to un-# a PORTFWIP variable. Here, you need to put in the IP address of the internal server you want to contact on, say port 23. Once this is done, you need to goto the PORTFW section of TrinityOS (almost at the very end) and un-# out the line for the respective PORTFW variable you just enabled. Don't forget to update the various TCP/IP ports in the PORTFW example line to be port 23 and 23 where as the example uses 26 and 22.
Thats it.. re-run the firewall and you should be good to go.
#-------------------------------------------------------------------- # How to test your new firewall.. # # From the IPFWADM console: # # TELNET: telnet to a remote site # SSH: ssh to a remote site # DNS: run nslookup with "server = " and "set q =" # NTP: run "/etc/cron.15min/gettime" # Xwin: "export DISPLAY=your-remote-FQDN:0.0" # Run a X-server on the remote machine # Run "xeyes" # # From a MASQed computer on the internal LAN: # # From another machine on the Internet: # TELNET: telnet to your IPFWADMed machine # SSH: SSH to your IPFWADMed machine # # *** Finally.. download "nmap" (URL is in [Section 5] and run it # in both SOCKET and UDP mode to port scan your new firewall! #
One thing that ALL users need to be absolutely PERFECT with is making changes to their firewall rulesets remotely. If you were to make one ill-placed mistake, your firewall machine could become unresponsive to ALL network traffic. This means all incoming and outgoing traffic be it SMTP, WWW, even PINGs could be dropped.
To be sure that you don't take your remote machine offline, create this script file:
/usr/local/sbin/firewall-confirm
#!/bin/sh # ---------------------------------------------------------------------------- # # TrinityOS-firewall-confirmed # v11/09/00 # # Part of the copyrighted and trademarked TrinityOS document. # <url url="http://www.ecst.csuchico.edu/~dranch"> # # Written and Maintained by David A. Ranch # dranch at trinnet dot net # # Updates # ------- # # 11/09/00 - The initial release was the wrong version. Ack! This updated # version includes a critical check for /tmp/fwok. This version # also includes a 30 second screen timer. # Please upgrade! # # ---------------------------------------------------------------------------- # This script should be run when editing and running a new firewall # version remotely. # # When you run this command, you will have 30 seconds to: # # touch /tmp/fwok # # If this script doesn't see it in 30 seconds, it will revert back # to the old firewall. if [ ! -f /etc/rc.d/rc.firewall-checked ]; then echo -e "rc.firewall-checked missing.. aborting!\n\n" exit fi if [ -f /tmp/fwok ]; then echo -e "rc.firewall /tmp/fwok already exists.. aborting!\n\n" exit fi echo "Command Line options: $1" echo -e "Running /etc/rc.d/rc.firewall\n\n" /etc/rc.d/rc.firewall & echo -e "You have 30 seconds to create /tmp/fwok..\n" # Verbose wait loop i=1 while [ $i -le 30 ]; do echo -n "[$i]" sleep 1 i=$((i=$i+1)) done echo -e "\nWait loop complete.." if [ ! -f /tmp/fwok ]; then echo -e "Rolling back to last known good config\n\n" /etc/rc.d/rc.firewall-checked else echo -e "\n/tmp/fwok found.. new firewall took effect..\n\n" rm -f /tmp/fwok fi
Now, don't forget to make it executable:
chmod 700 /usr/local/sbin/firewall-confirmed
Ok.. to use this script, do the following:
cp /etc/rc.d/rc.firewall /etc/rc.d/rc.firewall-checked
/usr/local/sbin/firewall-confirmed &
Please don't forget the "&" at the end to run the script in the background.
touch /tmp/fwok
AaaHa! There is the beauty! If there was a critical error in your new rc.firewall ruleset, you wouldn't have ever seen that counter because your network connection would have been lost. But, because you weren't able to create that /tmp/fwok file, the firewall-confirmed script would run the the known good rc.firewall-checked file. So, in a worst-case senario, your network connection might have been disconnected but you would be still be able to re-connect to the firewall machine, fix your mistake, and try again! Cool eh?