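#!/bin/sh
#
# firewallupbig -- IPCHAINS packet-filter ruleset for a small masquerading
# gateway running a Linux 2.2.x kernel.
#
# Topology this ruleset assumes (all of it lives in the Variables section):
#   1) The external interface is $EXTIF ("ppp0" below).
#   2) The external IP address is assigned dynamically (PPP/DHCP) and is
#      discovered from ifconfig every time the script runs.
#   3) The internal, masqueraded interface is $INTIF ("eth0" below).
#   4) The internal network is the RFC1918 range 192.168.0.0/24.
#
# Ordering matters: the default policies are set to REJECT and the chains
# are flushed BEFORE anything that can fail (address discovery, sysctls,
# individual rules), so an aborted run leaves the box closed, never open.
# Progress goes to syslog via logger(1) and to stdout via echo, as before.
#
# ****
# NOTE: All 2.2.x Linux kernels prior to 2.2.11 have a fragmentation
# **** bug that renders all strong IPCHAINS rulesets void. It is
#      CRITICAL that users upgrade the Linux kernel to 2.2.11+ for
#      proper firewall security.
#
# NOTE(review): nothing here writes /proc/sys/net/ipv4/ip_forward, yet the
# forward chain masquerades the LAN. Forwarding is presumably switched on
# by the distribution's init scripts -- confirm on the target host.

set -u   # an unset variable inside a rule is a bug, not an "any" match

logger "THIS IS firewallupbig"

#********************************************************************
# Helpers
#********************************************************************
IPCHAINS=/sbin/ipchains
RULE_FAILURES=0

# die MESSAGE...: report to syslog and stderr, then exit non-zero.
# Only called after the REJECT policies are in place, so exiting is
# fail-closed: no traffic passes until the script is re-run successfully.
die() {
  logger "firewallupbig: FATAL: $*"
  printf 'firewallupbig: FATAL: %s\n' "$*" >&2
  exit 1
}

# ipc ARGS...: run ipchains with ARGS. A rule that ipchains refuses to
# parse used to vanish silently (the old "$UNIVERSE/0" trojan rules did
# exactly that, leaving the high-port ACCEPT below to let them through).
# Log every failure and count it so the run can end non-zero.
ipc() {
  if ! "$IPCHAINS" "$@"; then
    RULE_FAILURES=$((RULE_FAILURES + 1))
    logger "firewallupbig: rule failed: ipchains $*"
    printf 'firewallupbig: rule failed: ipchains %s\n' "$*" >&2
  fi
}

#********************************************************************
# Initializing
#********************************************************************
logger "Loading IPCHAINS Firewall Version 3.20"

#--------------------------------------------------------------------
# Variables
#--------------------------------------------------------------------

# The loopback interface and address
#
LOOPBACKIF="lo"
LOOPBACKIP="127.0.0.1"

# External interface device.
#
# NOTE: PPP and SLIP users will want to replace this interface
#       with the correct modem interface such as "ppp0" or "sl0";
#       Ethernet users with something like "eth1".
#
EXTIF="ppp0"
echo "External Interface: $EXTIF"

# Internal interface device.
INTIF="eth0"

# IP address on the internal interface
INTIP="192.168.0.2"
logger "Internal IP: $INTIP"

# IP network address of the internal network
INTLAN="192.168.0.0/24"

# IP Mask for all IP addresses
UNIVERSE="0.0.0.0/0"

# IP Mask for broadcast transmissions
BROADCAST="255.255.255.255"

# Specification of the high unprivileged IP ports.
UNPRIVPORTS="1024:65535"

# Specification of X Window System (TCP) ports.
XWINDOWS_PORTS="6000:6010"

# Logging state: "-l" logs every matching packet, "" logs nothing.
# Deliberately left unquoted wherever it is used so that an empty value
# expands to no argument at all rather than to an empty argument.
#
# NOTE: ipchains -l has no rate limiting; a flood of rejected packets
#       will fill the kernel log at line rate.
LOGGING="-l"

#--------------------------------------------------------------------
# Default Policies
#--------------------------------------------------------------------
# Set all default policies to REJECT and flush all old rules. This is
# done first so that any later failure (including the address checks
# below) leaves the host with no accepting rules at all.
#--------------------------------------------------------------------
echo " - Flushing all old rules and setting all default policies to REJECT "
"$IPCHAINS" -P input   REJECT || die "cannot set default policy on input chain"
"$IPCHAINS" -P output  REJECT || die "cannot set default policy on output chain"
"$IPCHAINS" -P forward REJECT || die "cannot set default policy on forward chain"

logger "Flush all old rulesets"
ipc -F input
ipc -F output
ipc -F forward

#--------------------------------------------------------------------
# External address discovery
#--------------------------------------------------------------------
# Ask ifconfig about $EXTIF directly rather than grepping a few lines
# after its name in the full listing (which also matched "inet6" and any
# alias interface). "/inet /" deliberately excludes "inet6"; the sed
# strips the "addr:" prefix older net-tools print.
EXTIP=$(/sbin/ifconfig "$EXTIF" 2>/dev/null \
  | awk '/inet / { print $2; exit }' \
  | sed -e 's/^addr://')
# Every $EXTIP rule below would fail to parse on an empty value, so the
# ruleset would silently load only partially. Stop here instead; the
# REJECT policies above are already in force.
[ -n "$EXTIP" ] || die "no IPv4 address found on $EXTIF; ruleset not loaded (all chains REJECT)"
echo "External IP: $EXTIP"

# Broadcast address of the external interface (informational only;
# point-to-point links such as ppp0 have none).
EXTBROAD=$(/sbin/ifconfig "$EXTIF" 2>/dev/null \
  | awk '/Bcast:/ { print $3; exit }' \
  | sed -e 's/^Bcast://')
echo "External broadcast: $EXTBROAD"

# Default gateway (informational only). Flags are column 4 of route -n;
# "UG" marks the gateway route.
EXTGW=$(/sbin/route -n | awk '$4 ~ /UG/ { print $2; exit }')
echo "Default GW: $EXTGW"
echo " --- "

#--------------------------------------------------------------------
# Kernel settings
#--------------------------------------------------------------------
# Reverse-path filtering: drop packets arriving on an interface that is
# not the route back to their source (anti-spoofing).
for rpf in /proc/sys/net/ipv4/conf/*/rp_filter; do
  [ -e "$rpf" ] && echo "1" > "$rpf"
done

# Comment the following out if you are not using a dynamic address.
# (Lets masqueraded sessions survive the external address changing.)
#
logger "Enabling dynamic TCP/IP address hacking"
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

#--------------------------------------------------------------------
# Masquerading Timeouts (TCP established, TCP after FIN, UDP) in seconds
#--------------------------------------------------------------------
ipc -M -S 7200 10 60

#********************************************************************
# Input Rules
#********************************************************************

# Local interface, local machines, going anywhere is valid.
#
# Comment this line out if you want to only allow specific traffic on the
# internal network.
ipc -A input -j ACCEPT -i "$INTIF" -s "$INTLAN" -d "$UNIVERSE"

# Loopback interface is valid.
ipc -A input -j ACCEPT -i "$LOOPBACKIF" -s "$UNIVERSE" -d "$UNIVERSE"

# DHCP Server.
#
# If you have configured a DHCP server on the Linux machine to serve IP
# addresses to the internal network, you will need to enable this section.
#
# This is an example of how to let input traffic flow through the local
# LAN if we have rejected all prior requests above.
#
# Disabled by default
#ipc -A input -j ACCEPT -i "$INTIF" -p udp -s "$UNIVERSE" bootpc -d "$BROADCAST/0" bootps
#ipc -A input -j ACCEPT -i "$INTIF" -p tcp -s "$UNIVERSE" bootpc -d "$BROADCAST/0" bootps

#--------------------------------------------------------------------
# Incoming Traffic from the External Interface
#--------------------------------------------------------------------

# Remote interface, claiming to be local machines: IP spoofing. Reject and log.
# shellcheck disable=SC2086  # $LOGGING must word-split (may be empty)
ipc -A input -j REJECT -i "$EXTIF" -s "$INTLAN" -d "$UNIVERSE" $LOGGING

# DHCP Clients.
#
# If you get a dynamic IP address for your ADSL or cable-modem connection
# you will need these lines. Note that "$BROADCAST/0" is a /0 mask, i.e.
# ANY destination address -- server replies are not always broadcast.
#
# Enabled by default.
ipc -A input -j ACCEPT -i "$EXTIF" -p udp -s "$UNIVERSE" bootps -d "$BROADCAST/0" bootpc
ipc -A input -j ACCEPT -i "$EXTIF" -p tcp -s "$UNIVERSE" bootps -d "$BROADCAST/0" bootpc

# FTP: Allow external users to connect to the Linux server ITSELF for
# PORT-style FTP services. This will NOT work for PASV FTP transfers.
#
# Disabled by default.
#ipc -A input -j ACCEPT -i "$EXTIF" -p tcp -s "$UNIVERSE" -d "$EXTIP" ftp
#ipc -A input -j ACCEPT -i "$EXTIF" -p tcp -s "$UNIVERSE" -d "$EXTIP" ftp-data

# HTTP: Allow external users to connect to the Linux server ITSELF for
# HTTP services.
#
# Disabled by default.
#ipc -A input -j ACCEPT -i "$EXTIF" -p tcp -s "$UNIVERSE" -d "$EXTIP" http

# ICMP: Allow ICMP packets from all external TCP/IP addresses.
#
# NOTE: this is every ICMP type, including echo-request and redirect.
#       Tighten with "--icmp-type" if the host must not answer pings.
logger "ICMP: Allow ICMP packets from all external TCP/IP addresses"
ipc -A input -j ACCEPT -i "$EXTIF" -p icmp -s "$UNIVERSE" -d "$EXTIP"

# NFS: Reject NFS traffic FROM and TO external machines.
#
# UDP is rejected as well as TCP: without the UDP rules, NFS over UDP
# (port 2049) would be let in by the blanket UDP high-port ACCEPT below.
ipc -A input -j REJECT -i "$EXTIF" -p tcp -s "$UNIVERSE" -d "$EXTIP" 2049
ipc -A input -j REJECT -i "$EXTIF" -p tcp -s "$UNIVERSE" 2049 -d "$EXTIP"
ipc -A input -j REJECT -i "$EXTIF" -p udp -s "$UNIVERSE" -d "$EXTIP" 2049
ipc -A input -j REJECT -i "$EXTIF" -p udp -s "$UNIVERSE" 2049 -d "$EXTIP"

# TELNET: Allow external computers to connect to the Linux server ITSELF
# for TELNET access.
#
# Disabled by default.
#ipc -A input -j ACCEPT -i "$EXTIF" -p tcp -s "$UNIVERSE" -d "$EXTIP" telnet

# SSH server: Allow external computers to connect to the Linux server
# ITSELF for SSH access.
#
# Disabled by default.
#ipc -A input -j ACCEPT -i "$EXTIF" -p tcp -s "$UNIVERSE" -d "$EXTIP" ssh

#--------------------------------------------------------------------
# Incoming Traffic on all Interfaces
#--------------------------------------------------------------------

# AUTH: Allow the authentication protocol, ident, to function on all
# interfaces but disable it in /etc/inetd.conf (a connection to a closed
# port gets a RST, which lets remote mail/IRC servers give up quickly).
ipc -A input -j ACCEPT -p tcp -s "$UNIVERSE" -d "$UNIVERSE" auth

# BOOTP/DHCP: Reject all stray bootp traffic.
logger "BOOTP/DHCP: Reject all stray bootp traffic."
ipc -A input -j REJECT -p udp -s "$UNIVERSE" bootpc

# DNS: If you are running an authoritative DNS server, you must open
# up the DNS ports on all interfaces to allow lookups. If you are
# running a caching DNS server, you will need to at least open the DNS
# ports to internal interfaces.
#ipc -A input -j ACCEPT -p tcp -s "$UNIVERSE" -d "$UNIVERSE" domain
#ipc -A input -j ACCEPT -p udp -s "$UNIVERSE" -d "$UNIVERSE" domain

# RIP: Reject all stray RIP traffic.
logger "RIP: Reject all stray RIP traffic."
ipc -A input -j REJECT -p udp -s "$UNIVERSE" -d "$UNIVERSE" route

# SAMBA: no explicit rule; stray SMB/NetBIOS traffic is caught by the
# final catch-all REJECT below.

#--------------------------------------------------------------------
# Explicit INPUT Access from external LAN Hosts
#--------------------------------------------------------------------
# HIGH PORTS:
#
# Enable all high unprivileged ports for all reply TCP/UDP traffic.
#
# NOTE: The use of the "! -y" flag filters TCP traffic that doesn't have
#       the SYN bit set. In other words, any traffic that is trying to
#       initiate a connection to your server on a HIGH port will be
#       rejected.
#
#       The only HIGH port traffic that will be accepted is either return
#       traffic that the server originally initiated or UDP-based traffic.
#
# NOTE2: Port 20 for ACTIVE FTP sessions should NOT use SYN filtering.
#        Because of this, we must specifically allow it in.
#
# SECURITY CAVEATS (inherent to stateless ipchains filtering):
#   - "! -y" accepts any non-SYN segment, so ACK/FIN-style scans of the
#     high ports succeed and a spoofed non-SYN packet reaches the socket.
#   - The ftp-data rule accepts a SYN from ANY host that chooses source
#     port 20 to ANY high port: a daemon listening on a high port is
#     reachable from the Internet by anyone who sets their source port.
#   - The UDP rule accepts ALL UDP to ports 1024-65535 from anywhere, so
#     every UDP service bound to a high port (RPC-assigned ports included)
#     is exposed; only TCP/UDP 2049 is excluded above.
#
logger "Enabling all input REPLY TCP/UDP traffic on high ports"
ipc -A input -j ACCEPT ! -y -p tcp -s "$UNIVERSE" -d "$EXTIP" "$UNPRIVPORTS"
ipc -A input -j ACCEPT -p tcp -s "$UNIVERSE" ftp-data -d "$EXTIP" "$UNPRIVPORTS"
ipc -A input -j ACCEPT -p udp -s "$UNIVERSE" -d "$EXTIP" "$UNPRIVPORTS"

#--------------------------------------------------------------------
# Catch All INPUT Rule
#--------------------------------------------------------------------
# All other incoming is denied and logged.
logger "Final input catch all rule"
# shellcheck disable=SC2086
ipc -A input -j REJECT -s "$UNIVERSE" -d "$UNIVERSE" $LOGGING

#********************************************************************
# Output Rules
#********************************************************************
logger "Output Rules:"

#--------------------------------------------------------------------
# Outgoing Traffic on the Internal LAN
#--------------------------------------------------------------------

# Local interface, any source going to local net is valid.
ipc -A output -j ACCEPT -i "$INTIF" -s "$UNIVERSE" -d "$INTLAN"

# Loopback interface is valid.
ipc -A output -j ACCEPT -i "$LOOPBACKIF" -s "$UNIVERSE" -d "$UNIVERSE"

# HTTP: The following is an example of how to allow HTTP traffic to an
# intranet WWW server without allowing access from the external network.
#
# Enabled, but redundant: the "-i $INTIF ... -d $INTLAN" ACCEPT just
# above already matches everything this rule matches.
ipc -A output -j ACCEPT -i "$INTIF" -p tcp -s "$INTIP/32" http -d "$INTLAN"

#--------------------------------------------------------------------
# Outgoing Traffic on the External Interface
#--------------------------------------------------------------------

# Reject outgoing traffic to the local net from the remote interface:
# stuffed routing. Deny and log.
# shellcheck disable=SC2086
ipc -A output -j REJECT -i "$EXTIF" -s "$UNIVERSE" -d "$INTLAN" $LOGGING

# Reject outgoing traffic from the local net via the external interface:
# stuffed masquerading (an un-masqueraded RFC1918 source leaking out).
# Deny and log.
# shellcheck disable=SC2086
ipc -A output -j REJECT -i "$EXTIF" -s "$INTLAN" -d "$UNIVERSE" $LOGGING

# DHCP Client: If your Linux server is connected via DSL or a cable-modem
# connection and you get dynamic DHCP addresses, you will need to
# enable the following rulesets.
#
# Enabled by default.
ipc -A output -j ACCEPT -i "$EXTIF" -p tcp -s "$UNIVERSE" bootpc -d "$UNIVERSE" bootps
ipc -A output -j ACCEPT -i "$EXTIF" -p udp -s "$UNIVERSE" bootpc -d "$UNIVERSE" bootps

# FTP: Allow FTP traffic (the Linux server is a FTP server)
#
# Disabled by default.
#ipc -A output -j ACCEPT -i "$EXTIF" -p tcp -s "$EXTIP" ftp -d "$UNIVERSE"
#ipc -A output -j ACCEPT -i "$EXTIF" -p tcp -s "$EXTIP" ftp-data -d "$UNIVERSE"

# HTTP: Allow HTTP traffic (the Linux server is a WWW server)
#
# Disabled by default
#ipc -A output -j ACCEPT -i "$EXTIF" -p tcp -s "$EXTIP" http -d "$UNIVERSE"

# TELNET: Allow telnet traffic (the Linux server is a TELNET server)
#
# Disabled by default
#ipc -A output -j ACCEPT -i "$EXTIF" -p tcp -s "$EXTIP" telnet -d "$UNIVERSE"

# SSH server: Allow outgoing SSH traffic (the Linux server is a SSH server)
#
# Disabled by default
#ipc -A output -j ACCEPT -i "$EXTIF" -p tcp -s "$EXTIP" ssh -d "$UNIVERSE"

#--------------------------------------------------------------------
# Outgoing Traffic on all Interfaces
#--------------------------------------------------------------------
# This controls output traffic for all interfaces. It is usually used
# for what could be considered public services. A few rejection rules
# are given as examples below, but they are not strictly required
# because of the catch-all REJECT at the end of the chain.

# AUTH: Allow authentication (ident) replies on all interfaces (but
# disable the service in /etc/inetd.conf).
#
ipc -A output -j ACCEPT -p tcp -s "$UNIVERSE" auth -d "$UNIVERSE"

# ICMP: Allow ICMP traffic out
#
ipc -A output -j ACCEPT -p icmp -s "$UNIVERSE" -d "$UNIVERSE"

# NNTP: This allows NNTP-based news out (replies from a local news server).
#
ipc -A output -j ACCEPT -p tcp -s "$EXTIP" nntp -d "$UNIVERSE"

#--------------------------------------------------------------------
# Specific Output Rejections
#--------------------------------------------------------------------
# These rules reject specific traffic that you do not want out of the
# system. They MUST precede the high-port ACCEPT rules below, which
# would otherwise let the trojan/back-door ports through.
#--------------------------------------------------------------------
logger "Reject specific outputs"

# shellcheck disable=SC2086

# RPC (portmapper).
#
ipc -A output -j REJECT -i "$EXTIF" -p udp -s "$EXTIP" -d "$UNIVERSE" sunrpc $LOGGING
ipc -A output -j REJECT -i "$EXTIF" -p udp -s "$EXTIP" sunrpc -d "$UNIVERSE" $LOGGING

# Mountd.
#
ipc -A output -j REJECT -i "$EXTIF" -p udp -s "$EXTIP" -d "$UNIVERSE" 635 $LOGGING
ipc -A output -j REJECT -i "$EXTIF" -p udp -s "$EXTIP" 635 -d "$UNIVERSE" $LOGGING

# PPTP.
#
ipc -A output -j REJECT -i "$EXTIF" -p tcp -s "$EXTIP" -d "$UNIVERSE" 1723 $LOGGING
ipc -A output -j REJECT -i "$EXTIF" -p udp -s "$EXTIP" -d "$UNIVERSE" 1723 $LOGGING

# Remote Winsock.
#
ipc -A output -j REJECT -i "$EXTIF" -p tcp -s "$EXTIP" -d "$UNIVERSE" 1745 $LOGGING
ipc -A output -j REJECT -i "$EXTIF" -p udp -s "$EXTIP" -d "$UNIVERSE" 1745 $LOGGING

# X Windows.
#
# NOTE: See the variable section above for the range (6000:6010 by
#       default). X can use more ports than that for many displays.
#
ipc -A output -j REJECT -i "$EXTIF" -p tcp -s "$EXTIP" -d "$UNIVERSE" "$XWINDOWS_PORTS" $LOGGING
ipc -A output -j REJECT -i "$EXTIF" -p udp -s "$EXTIP" -d "$UNIVERSE" "$XWINDOWS_PORTS" $LOGGING

# Well-known back-door / trojan control ports.
#
# These used to be written as "-d $UNIVERSE/0", i.e. "0.0.0.0/0/0", which
# ipchains cannot parse; the rules were never loaded. Plain $UNIVERSE is
# the intended "any destination".

# NetBus.
ipc -A output -j REJECT -i "$EXTIF" -p tcp -s "$EXTIP" -d "$UNIVERSE" 12345 $LOGGING
ipc -A output -j REJECT -i "$EXTIF" -p tcp -s "$EXTIP" -d "$UNIVERSE" 12346 $LOGGING

# NetBus Pro.
ipc -A output -j REJECT -i "$EXTIF" -p tcp -s "$EXTIP" -d "$UNIVERSE" 20034 $LOGGING

# BackOrifice.
ipc -A output -j REJECT -i "$EXTIF" -p udp -s "$EXTIP" -d "$UNIVERSE" 31337 $LOGGING

# Win Crash Trojan.
ipc -A output -j REJECT -i "$EXTIF" -p tcp -s "$EXTIP" -d "$UNIVERSE" 5742 $LOGGING

# Socket De Troye.
ipc -A output -j REJECT -i "$EXTIF" -p tcp -s "$EXTIP" -d "$UNIVERSE" 30303 $LOGGING

# Unknown Trojan Horse (Master's Paradise [CHR]).
ipc -A output -j REJECT -i "$EXTIF" -p tcp -s "$EXTIP" -d "$UNIVERSE" 40421 $LOGGING

#--------------------------------------------------------------------
# Output to Explicit Hosts
#--------------------------------------------------------------------
# Client connections and replies from the high ports. Anything the
# rejection rules above did not catch leaves through here.
echo " - Enabling all output REPLY (TCP/UDP) traffic on high ports."
ipc -A output -j ACCEPT -p tcp -s "$EXTIP" "$UNPRIVPORTS" -d "$UNIVERSE"
ipc -A output -j ACCEPT -p udp -s "$EXTIP" "$UNPRIVPORTS" -d "$UNIVERSE"

#--------------------------------------------------------------------
# Catch All Rule
#--------------------------------------------------------------------
# All other outgoing is denied and logged. This catches everything,
# including Samba, that has not already been blocked.
#
# shellcheck disable=SC2086
ipc -A output -j REJECT -s "$UNIVERSE" -d "$UNIVERSE" $LOGGING

#********************************************************************
# Forwarding Rules
#********************************************************************

# Masquerade from local net on local interface to anywhere.
#
echo " - Enable IP Masquerading from the internal LAN."
ipc -A forward -j MASQ -i "$EXTIF" -s "$INTLAN" -d "$UNIVERSE"

# Catch all rule, all other forwarding is denied and logged.
#
# shellcheck disable=SC2086
ipc -A forward -j REJECT -s "$UNIVERSE" -d "$UNIVERSE" $LOGGING

#********************************************************************
# The end
#********************************************************************
# A failed rule before the high-port ACCEPTs means a REJECT is missing,
# so report it loudly instead of pretending the load succeeded.
if [ "$RULE_FAILURES" -ne 0 ]; then
  logger "firewallupbig: loaded with $RULE_FAILURES failed rule(s) -- check syslog"
  printf 'firewallupbig: WARNING: %s rule(s) failed to load\n' "$RULE_FAILURES" >&2
  exit 1
fi
logger "firewallupbig: ruleset loaded"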