Here's a copy of my rc.firewall... This should set up ipmasq, & a halfway
decent firewall at the same time... If anyone sees anything they don't like
about this, please pipe up & let me know what you think I aught to be doing
differently...
#!/bin/sh
#
#
############################################################################
#
# rc.firewall
# Heavily plagiarized from Hal Burgiss ([EMAIL PROTECTED])
#
# Tom Burke - 5 May 00 ([EMAIL PROTECTED])
#
############################################################################
#
# variables
#
# internal interface
INTERNAL_IF=eth0
INTERNAL_IP=192.168.68.1
INTERNAL_MASK=255.255.255.0
INTERNAL_NET=$INTERNAL_IP/$INTERNAL_MASK
#
#
# external interface
EXTERNAL_IF=ppp0
#
# These lines for dynamic IP
# EXTERNAL_IP=`ifconfig $EXTERNAL_IF | grep inet | cut -d : -f 2 | cut -d \
-f 1`
# EXTERNAL_MASK=`ifconfig $LOCALIF | grep Mask | cut -d : -f 4`
#
EXTERNAL_IP=209.122.117.221
EXTERNAL_MASK=255.255.255.0
EXTERNAL_NET=$EXTERNAL_IP/$EXTERNAL_MASK
echo -n "External net -> "
echo $EXTERNAL_NET
#
#
# Loopback Interface
LOOPBACK=lo
#
#
# All addresses
ALLADDR=0/0
#
#
# location of ipchains
IPCHAINS=/sbin/ipchains
#
#
#
############################################################################
##
# We assume that all interfaces are up...
# Maybe this should be run in the PPP sartup script?
#
# First, we flush all rules
echo -n "Flushing all rules"
#
# Flush empty chains
$IPCHAINS -X
echo -n "."
#
# Flush Incoming rules (packets from the outside network)
$IPCHAINS -F input
echo -n "."
#
# Flush Outgoing rules (packets from the internal network)
$IPCHAINS -F output
echo -n "."
#
# Flush forwarding rules (masquerading stuff, etc)
$IPCHAINS -F forward
echo -n "."
echo "Done!"
#
############################################################################
#
#
# Handle the loopback device - we should accept anything coming from
# or going to this device, otherwise we'll break the system.
#
echo -n "Loopback.."
$IPCHAINS -A input -i $LOOPBACK -s $ALLADDR -d $ALLADDR -j ACCEPT
$IPCHAINS -A output -i $LOOPBACK -s $ALLADDR -d $ALLADDR -j ACCEPT
echo -n ".."
echo "Done!"
#
############################################################################
#
# Different system tweaks
echo -n "/proc tweaks.."
#
# IP Spoofing protection
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ] ; then
for i in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 > $i
done
fi
echo -n "."
#
# Block all ICMP echo requests (will this break my internal boxes'
# ability to ping the outside world?
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo -n "."
#
# Disable ICMP Redirect Acceptance
for i in /proc/sys/net/ipv4/conf/*/accept_redirects; do
echo 0 > $i
done
echo -n "."
#
# Disable Source Routed Packets
for i in /proc/sys/net/ipv4/conf/*/accept_source_route; do
echo 0 > $i
done
echo -n "."
#
# Start IP Fragment Protection
echo 1 > /proc/sys/net/ipv4/ip_always_defrag
echo -n "."
#
# Start ICMP Broadcast Echo Protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo -n "."
#
# Start Bogus Error Response Protection
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo -n "."
#
# Start SYS COOKIES protection
if [ -e /proc/sys/net/ipv4/tcp_syncookies ] ; then
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
fi
echo -n "."
echo "Done!"
#
###########################################################################
#
# Block nonroutable IPs from entering our box
#
# Block 192.168.0.0/16 on outer interface, only
#
###########################################################################
#
echo -n "Blocking non-routable addresses.."
$IPCHAINS -A input -s 10.0.0.0/8 -d $EXTERNAL_NET -j DENY
echo -n "."
$IPCHAINS -A input -s 127.0.0.0/8 -d $EXTERNAL_NET -j DENY
echo -n "."
$IPCHAINS -A input -s 172.16.0.0/12 -d $EXTERNAL_NET -j DENY
echo -n "."
$IPCHAINS -A input -i $EXTERNAL_IF -s 192.168.0.0/16 -d $EXTERNAL_NET -j
DENY
echo -n "."
echo "Done!"
#
###########################################################################
#
# Trusted networks and services
# Put in rules to unconditionally allow connections from
# hosts/nets that might otherwise be blocked.
#
# Any services that we want global, unfiltered access to
# go here
#
# Currently, global unfiltered access is only
# allowed to our internal network.
#
# External network (the internet) can have full access to
# http, snmp, ftp, ssh, and nothing else
###########################################################################
echo -n "Trusted Networks.."
#
# Add the internal net's unconditional access, here.
echo -n "Internal Network..."
$IPCHAINS -A input -i $INTERNAL_IF -s $INTERNAL_NET -d $ALLADDR -j ACCEPT
#
#
# Stuff we want the outside world to be able to use...
echo -n "Global Services..."
#
# http (80)
$IPCHAINS -A input -p tcp -s $ALLADDR -d $EXTERNAL_NET 80 -j ACCEPT
echo -n "."
#
# ftp (21)
$IPCHAINS -A input -p tcp -s $ALLADDR -d $EXTERNAL_NET 20 -j ACCEPT
$IPCHAINS -A input -p tcp -s $ALLADDR -d $EXTERNAL_NET 21 -j ACCEPT
echo -n "."
#
# smtp (25)
$IPCHAINS -A input -p tcp -s $ALLADDR -d $EXTERNAL_NET 25 -j ACCEPT
#
# ssh (22)
$IPCHAINS -A input -p tcp -s $ALLADDR -d $EXTERNAL_NET 22 -j ACCEPT
echo -n "."
echo "Done!"
#
# DNS
# May need to enable this so MASQ'd network can do DNS lookups
# to ISP's DNS machine (Seems to be working without it)
#$IPCHAINS -A input -p tcp -s $ALLADDR -d $EXTERNAL_NET 53 -j ACCEPT
#$IPCHAINS -A input -p udp -s $ALLADDR -d $EXTERNAL_NET 53 -j ACCEPT
#
###########################################################################
#
# Banned Networks
#
# Put troublemakers here - Rules to specifically block connections
# from hosts/nets that are known to cause problems. Packets are logged.
#
###########################################################################
#
# echo -n "Banned Networks.."
#
# Generic blocker/logger
# $IPCHAINS -A input -l -s [banned host/net] -d $EXTERNAL_NET [ports] -j
DENY
# echo -n "."
#
# This one blocks ICMP attacks
# $IPCHAINS -A input -l -b -i $EXTERNAL_IF -p icmp -s [host/net] -d
$EXTERNAL_NET -j DENY
# echo -n "."
# echo "Done!"
#
$IPCHAINS -A input -l -s 64.23.24.254 -d $EXTERNAL_NET -j DENY
echo -n "."
$IPCHAINS -A input -l -s 207.110.40.160 -d $EXTERNAL_NET -j DENY
echo -n "."
$IPCHAINS -A input -l -s 209.203.36.68 -d $EXTERNAL_NET -j DENY
echo -n "."
$IPCHAINS -A input -l -s 216.3.223.49 -d $EXTERNAL_NET -j DENY
echo -n "."
$IPCHAINS -A input -l -s 216.216.57.161 -d $EXTERNAL_NET -j DENY
echo -n "."
$IPCHAINS -A input -l -s 209.249.182.198 -d $EXTERNAL_NET -j DENY
echo -n "."
#
############################################################################
#
# Specific blocks/logging on external interface
#
# blocks off ports with known vulnerabilities
#
############################################################################
#
echo -n "Port Blocks and traps.."
#
# NetBEUI/Samba/NetBios - only on external interface
# Do not log - to much traffic
$IPCHAINS -A input -i $EXTERNAL_IF -p tcp -s $ALLADDR -d $EXTERNAL_NET
137:139 -j DENY
$IPCHAINS -A input -i $EXTERNAL_IF -p udp -s $ALLADDR -d $EXTERNAL_NET
137:139 -j DENY
echo -n "."
#
# Microsoft SQL - all interfaces
$IPCHAINS -A input -l -p tcp -s $ALLADDR -d $EXTERNAL_NET 1433 -j DENY
$IPCHAINS -A input -l -p udp -s $ALLADDR -d $EXTERNAL_NET 1433 -j DENY
echo -n "."
#
# Postgres SQL
$IPCHAINS -A input -l -p tcp -s $ALLADDR -d $EXTERNAL_NET 5432 -j DENY
$IPCHAINS -A input -l -p udp -s $ALLADDR -d $EXTERNAL_NET 5432 -j DENY
echo -n "."
#
# NFS
# Does this block mail?
$IPCHAINS -A input -l -p tcp -s $ALLADDR -d $EXTERNAL_NET 2049 -j DENY
$IPCHAINS -A input -l -p udp -s $ALLADDR -d $EXTERNAL_NET 2049 -j DENY
echo -n "."
#
# Back Orifice
$IPCHAINS -A input -l -p tcp -s $ALLADDR -d $EXTERNAL_NET 31337 -j DENY
$IPCHAINS -A input -l -p udp -s $ALLADDR -d $EXTERNAL_NET 31337 -j DENY
echo -n "."
#
# NetBus
$IPCHAINS -A input -l -p tcp -s $ALLADDR -d $EXTERNAL_NET 12345:12346 -j
DENY
$IPCHAINS -A input -l -p udp -s $ALLADDR -d $EXTERNAL_NET 12345:12346 -j
DENY
echo -n "."
#
# Trin00
$IPCHAINS -A input -l -p tcp -s $ALLADDR -d $EXTERNAL_NET 1524 -j DENY
$IPCHAINS -A input -l -p tcp -s $ALLADDR -d $EXTERNAL_NET 27655 -j DENY
$IPCHAINS -A input -l -p udp -s $ALLADDR -d $EXTERNAL_NET 27444 -j DENY
$IPCHAINS -A input -l -p udp -s $ALLADDR -d $EXTERNAL_NET 31335 -j DENY
echo -n "."
#
# Multicast
$IPCHAINS -A input -s 224.0.0.0/8 -d $ALLADDR -j DENY
$IPCHAINS -A input -s $ALLADDR -d 224.0.0.0/8 -j DENY
echo -n "."
echo "Done!"
#
##########################################################################
#
# All I/O rules are done(?) - set up masquerade
#
##########################################################################
#
echo -n "Masquerading.."
#
# Install any helpers we might need - Our CU_SeeMe seems to
# work without the cuseeme module
/sbin/depmod -a > /dev/null 2>&1
/sbin/modprobe ip_masq_ftp > /dev/null 2>&1
/sbin/modprobe ip_masq_raudio > /dev/null 2>&1
/sbin/modprobe ip_masq_irc > /dev/null 2>&1
/sbin/modprobe ip_masq_icq > /dev/null 2>&1
/sbin/modprobe ip_masq_quake > /dev/null 2>&1
/sbin/modprobe ip_masq_user > /dev/null 2>&1
/sbin/modprobe ip_masq_vdolive > /dev/null 2>&1
#/sbin/modprobe ip_masq_mfw > /dev/null 2>&1
#/sbin/modprobe ip_masq_autofw > /dev/null 2>&1
#/sbin/modprobe ip_masq_portfw > /dev/null 2>&1
/sbin/modprobe ip_masq_cuseeme > /dev/null 2>&1
echo -n "."
#
# Masq timeouts - tcp 8hrs, tcp after fin pkt 60s, udp 10min
$IPCHAINS -M -S 14400 60 600
echo -n "."
#
# Tell kernel to allow masquerading
echo 1 > /proc/sys/net/ipv4/ip_forward
echo -n "."
#
# Tell kernel to alow dynamic IP masquerading
echo 1 > /proc/sys/net/ipv4/ip_dynaddr
echo -n "."
#
# Don't masq internal traffic
$IPCHAINS -A forward -s $INTERNAL_NET -d $INTERNAL_NET -j ACCEPT
echo -n "."
#
# Don't masq external interface direct
$IPCHAINS -A forward -s $EXTERNAL_NET -d $ALLADDR -j ACCEPT
echo -n "."
#
# Masq all internal IPs going outside
$IPCHAINS -A forward -s $INTERNAL_NET -d $ALLADDR -j MASQ
echo -n "."
#
# Set default rule on MASQ chain to deny
$IPCHAINS -P forward DENY
echo -n "."
#
## Allow all connections from the network to the outside
$IPCHAINS -A input -s $INTERNAL_NET -d $ALLADDR -j ACCEPT
$IPCHAINS -A output -s $INTERNAL_NET -d $ALLADDR -j ACCEPT
echo -n "."
echo "Done!"
#
#########################################################################
#
#This section manipulates the Type Of Service (TOS) bits of the
# packet. For this to work, you must have CONFIG_IP_ROUTE_TOS enabled
# in your kernel
echo -n "Tweak TOS bits for minimum delay.."
#
# Set telnet, www, smtp, pop3 and FTP for minimum delay
$IPCHAINS -A output -p tcp -d 0/0 80 -t 0x01 0x10
$IPCHAINS -A output -p tcp -d 0/0 22 -t 0x01 0x10
$IPCHAINS -A output -p tcp -d 0/0 23 -t 0x01 0x10
$IPCHAINS -A output -p tcp -d 0/0 21 -t 0x01 0x10
$IPCHAINS -A output -p tcp -d 0/0 110 -t 0x01 0x10
$IPCHAINS -A output -p tcp -d 0/0 25 -t 0x01 0x10
echo -n "."
#
# Set ftp-data for maximum throughput
$IPCHAINS -A output -p tcp -d 0/0 20 -t 0x01 0x08
echo -n "."
echo "Done!"
#
# Allow outgoing ICMP
echo -n "Allow outgoing ICMP.."
$IPCHAINS -A output -p icmp -s $INTERNAL_NET -d $ALLADDR -j ACCEPT
echo -n "."
echo "Done!"
#
# end of firewall
#
############################################################
# Allow www.dialpad.com calls
echo -n "DialPad.."
/usr/sbin/ipmasqadm autofw -A -v -u -r udp 51200 51201 -c tcp 7175
echo -n "."
/usr/sbin/ipmasqadm autofw -A -v -u -r tcp 51200 51201 -c tcp 7175
echo -n "."
echo "Done!"
> -----Original Message-----
> From: Paul Smith [SMTP:[EMAIL PROTECTED]]
> Sent: Friday, July 28, 2000 10:53 AM
> To: [EMAIL PROTECTED]
> Subject: Re: ipchains question
>
> I am under the impression that if I am using dsl, with a static ip address
> I
> can use a redhat machine with ipchains and two network cards to allow
> multiple
> internal machines to use that one redhat machine (gateway) for browsing
> the
> internet. I suppose that I am trying to use masquerade.
>
> Paul
>
> "Burke, Thomas G." wrote:
>
> > Do you have a routable internal network, or are you using masquerade?
> >
> > > -----Original Message-----
> > > From: Paul Smith [SMTP:[EMAIL PROTECTED]]
> > > Sent: Friday, July 28, 2000 10:34 AM
> > > To: [EMAIL PROTECTED]
> > > Subject: ipchains question
> > >
> > > Hello all,
> > >
> > > What is the basic ipchains command that allows internal computers to
> > > make use of a redhat 6.2 machine gateway for browsing the internet.
> > > I've been playing around with ipchains using different commands, but
> > > don't seem to beable to get my internal machines to browse the
> > > internet. I've read the Howto and man pages, but I just want to get
> my
> > > internal machines browing first before I even move onto tightening
> > > security and such. My ethernet cards are working, I can ping off both
> > > ends (outside onto the internet and internally to clients). My
> internal
> > > client machines have private ipnumbers, same subnet as internal
> gateway
> > > card, my isp dns numbers are in place. Am I missing something? Do the
> > > network cards need to be lined up a certain way (internal eth0,
> external
> > > eth1 is how I have it now)? Ipchains is set up, I can issue commands
> > > and then delete the chains. I have even got it to block ping packets,
> > > but no browsing seems to work from my client ends. Do I have to give
> > > the browsers on my internal machines port numbers, or is the gateway
> > > configuration enough?
> > >
> > > Thanks ahead of time,
> > >
> > > Paul
> > >
> > >
> > > --
> > > To unsubscribe: mail [EMAIL PROTECTED] with "unsubscribe"
> > > as the Subject.
> >
> > --
> > To unsubscribe: mail [EMAIL PROTECTED] with "unsubscribe"
> > as the Subject.
>
>
> --
> To unsubscribe: mail [EMAIL PROTECTED] with "unsubscribe"
> as the Subject.
--
To unsubscribe: mail [EMAIL PROTECTED] with "unsubscribe"
as the Subject.
