
  1. #!/bin/sh
  2.  
  3. # Script generated Wed Aug 22 23:44:51
  4.  
  5.  
  6. # ----------------------------------------------------------------------------
  7. # Copyright (C) Robert L. Ziegler
  8. #
  9. #  Permission to use, copy, modify, and distribute this software and its
  10. #  documentation for educational, research, private and non-profit purposes,
  11. #  without fee, and without a written agreement is hereby granted.
  12. #  This software is provided as an example and basis for individual firewall
  13. #  development.  This software is provided without warranty.
  14. #
  15. #  Any material furnished by Robert L. Ziegler is furnished on an
  16. #  "as is" basis.  He makes no warranties of any kind, either expressed
  17. #  or implied as to any matter including, but not limited to, warranty
  18. #  of fitness for a particular purpose, exclusivity or results obtained
  19. #  from use of the material.
  20. # ----------------------------------------------------------------------------
  21.  
  22. #  /etc/rc.d/rc.firewall
  23. #  Invoked from /etc/rc.d/rc.local.
  24.  
  25. echo "Starting firewalling... "
  26.  
  27. # ----------------------------------------------------------------------------
  28. #  Some definitions for easy maintenance.
  29. #  EDIT THESE TO SUIT YOUR SYSTEM AND ISP.
  30.  
  31. EXTERNAL_INTERFACE="eth0"               # Internet connected interface
  32. LOOPBACK_INTERFACE="lo"                 # or your local naming convention
  33. LOCAL_INTERFACE_1="eth1"                # internal LAN interface
  34.  
  35. IPADDR="10.0.0.10"                      # your IP address
  36. LOCALNET_1="192.168.1.0/24"             # whatever private range you use
  37.  
  38. ANYWHERE="any/0"                        # match any IP address
  39.  
  40. NAMESERVER_1="209.21.75.52"                     # everyone must have at least one
  41. NAMESERVER_2="208.194.248.8"
  42.  
  43.  
  44. LOOPBACK="127.0.0.0/8"                  # reserved loopback address range
  45. CLASS_A="10.0.0.0/8"                    # class A private networks
  46. CLASS_B="172.16.0.0/12"                 # class B private networks
  47. CLASS_C="192.168.0.0/16"                # class C private networks
  48. CLASS_D_MULTICAST="224.0.0.0/4"         # class D multicast addresses
  49. CLASS_E_RESERVED_NET="240.0.0.0/5"      # class E reserved addresses
  50. BROADCAST_SRC="0.0.0.0"                 # broadcast source address
  51. BROADCAST_DEST="255.255.255.255"        # broadcast destination address
  52. PRIVPORTS="0:1023"                      # well known, privileged port range
  53. UNPRIVPORTS="1024:65535"                # unprivileged port range
  54.  
  55. # ----------------------------------------------------------------------------
  56.  
  57. NFS_PORT="2049"                         # (TCP/UDP) NFS
  58. SOCKS_PORT="1080"                       # (TCP) Socks
  59.  
  60. # X Windows port allocation begins at 6000 and increments to 6063
  61. # for each additional server running.
  62. XWINDOW_PORTS="6000:6063"               # (TCP) X windows
  63.  
  64. # The SSH client starts at 1023 and works down to 513 for each
  65. # additional simultaneous connection originating from a privileged port.
  66. # Clients can optionally be configured to use only unprivileged ports.
  67. SSH_LOCAL_PORTS="1022:65535"            # port range for local clients
  68. SSH_REMOTE_PORTS="513:65535"            # port range for remote clients
  69.  
  70. # traceroute usually uses -S 32769:65535 -D 33434:33523
  71. TRACEROUTE_SRC_PORTS="32769:65535"
  72. TRACEROUTE_DEST_PORTS="33434:33523"
  73.  
  74. # ----------------------------------------------------------------------------
  75. # Default policy is DENY
  76. # Explicitly accept desired INCOMING & OUTGOING connections
  77.  
  78.     # Remove all existing rules belonging to this filter
  79.     ipchains -F
  80.  
  81.     # Set the default policy of the filter to deny.
  82.     ipchains -P input  DENY
  83.     ipchains -P output REJECT
  84.     ipchains -P forward DENY
  85.  
  86.     # set masquerade timeout to 10 hours for tcp connections
  87.     ipchains -M -S 36000 0 0
  88.  
  89.  
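# ----------------------------------------------------------------------------
# Kernel /proc/sys settings.  Each write is best-effort: a file that does
# not exist on this kernel (ip_always_defrag is not present on every
# version) or that is not writable is reported on stderr and skipped,
# instead of failing on an unquoted and possibly unexpanded glob.

    # set_proc VALUE FILE
    #   Writes VALUE into FILE when FILE is writable.
    #   Returns 0 when written, 1 when the file was skipped (a warning
    #   goes to stderr).
    set_proc() {
        if [ -w "$2" ]; then
            echo "$1" > "$2"
        else
            echo "rc.firewall: cannot write $2, skipping" >&2
            return 1
        fi
    }

    # set_proc_all VALUE FILE...
    #   Applies set_proc to every FILE.  The caller passes a glob such as
    #   /proc/sys/net/ipv4/conf/*/rp_filter, which the shell expands at the
    #   call site; an unmatched glob arrives as the literal pattern and is
    #   skipped by the -w test in set_proc.
    set_proc_all() {
        _value=$1
        shift
        for f in "$@"; do
            set_proc "$_value" "$f"
        done
    }

    # Enable IP Forwarding, if it isn't already.  The forward chain policy
    # is already DENY at this point, so nothing is routed yet.
    set_proc 1 /proc/sys/net/ipv4/ip_forward

    # Enable TCP SYN Cookie Protection
    set_proc 1 /proc/sys/net/ipv4/tcp_syncookies

    # Enable always defragging Protection
    set_proc 1 /proc/sys/net/ipv4/ip_always_defrag

    # Enable broadcast echo  Protection
    set_proc 1 /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

    # Enable bad error message  Protection
    set_proc 1 /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

    # Enable IP spoofing protection
    # turn on Source Address Verification
    set_proc_all 1 /proc/sys/net/ipv4/conf/*/rp_filter

    # Disable ICMP Redirect Acceptance
    set_proc_all 0 /proc/sys/net/ipv4/conf/*/accept_redirects
    set_proc_all 0 /proc/sys/net/ipv4/conf/*/send_redirects

    # Disable Source Routed Packets
    set_proc_all 0 /proc/sys/net/ipv4/conf/*/accept_source_route

    # Log Spoofed Packets, Source Routed Packets, Redirect Packets
    set_proc_all 1 /proc/sys/net/ipv4/conf/*/log_martians


    # These modules are necessary to masquerade their respective services.
    # modprobe prints its own diagnostic when a module is missing; the
    # filter rules below do not depend on it, so the script continues.
    /sbin/modprobe ip_masq_ftp
    /sbin/modprobe ip_masq_raudio ports=554,7070,7071,6970,6971
    /sbin/modprobe ip_masq_irc
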
# ----------------------------------------------------------------------------
# LOOPBACK

    # Unlimited traffic on the loopback interface.
    # Matched on the interface alone (no -s/-d), so loopback traffic never
    # reaches the address-based spoofing rules further down.

    ipchains -A input  -i $LOOPBACK_INTERFACE  -j ACCEPT
    ipchains -A output -i $LOOPBACK_INTERFACE  -j ACCEPT

# ----------------------------------------------------------------------------
# Unlimited traffic within the local network.

    # All internal machines have access to the firewall machine.
    # Only the source (input) / destination (output) address is checked,
    # so every service listening on this host is reachable from the LAN.
    # A LOCALNET_1 source address arriving on the external interface does
    # not match here (wrong interface) and falls through to the private
    # range DENY rules in the spoofing section.

    ipchains -A input  -i $LOCAL_INTERFACE_1 -s $LOCALNET_1 -j ACCEPT
    ipchains -A output -i $LOCAL_INTERFACE_1 -d $LOCALNET_1 -j ACCEPT

# ----------------------------------------------------------------------------
# Masquerade internal traffic.

    # All internal traffic is masqueraded externally.
    # (For the ipchains forward chain, -i names the interface the packet
    # leaves on.)  There is no destination or port restriction: whatever a
    # LAN host sends toward the Internet is NATed out, with the protocol
    # helpers loaded by modprobe above handling FTP/RealAudio/IRC.
    ipchains -A forward -i $EXTERNAL_INTERFACE -s $LOCALNET_1 -j MASQ

# ----------------------------------------------------------------------------
# Network Ghouls

    # Deny access to jerks
    # --------------------
    # /etc/rc.d/rc.firewall.blocked contains a list of
    # ipchains -A input -i $EXTERNAL_INTERFACE -s address -j DENY
    # rules to block from any access.

    # Refuse any connection from problem sites
    # The file is sourced, i.e. executed by this shell with root privileges,
    # not parsed as data: keep it owned by root and writable only by root.
    # Its position matters: after the LAN ACCEPT (a LAN host cannot be
    # blocked by mistake) and before every ACCEPT for external services.
    if [ -f /etc/rc.d/rc.firewall.blocked ]; then
        . /etc/rc.d/rc.firewall.blocked
    fi

  174. # ----------------------------------------------------------------------------
  175. # SPOOFING & BAD ADDRESSES
  176. # Refuse spoofed packets.
  177. # Ignore blatantly illegal source addresses.
  178. # Protect yourself from sending to bad addresses.
  179.  
  180.     # Refuse incoming packets pretending to be from the external address.
  181.     ipchains -A input   -s $IPADDR -j DENY -l
  182.  
  183.     # Refuse incoming packets claiming to be from a Class A, B or C private network
  184.     ipchains -A input   -s $CLASS_A -j DENY
  185.     ipchains -A input   -s $CLASS_B -j DENY
  186.     ipchains -A input   -s $CLASS_C -j DENY
  187.  
  188.     # Refuse broadcast address SOURCE packets
  189.     ipchains -A input   -s $BROADCAST_DEST -j DENY -l
  190.     ipchains -A input   -d $BROADCAST_SRC -j DENY -l
  191.  
  192.     # Refuse Class D multicast addresses
  193.     # Multicast is illegal as a source address.
  194.     # Multicast uses UDP.
  195.     ipchains -A input   -s $CLASS_D_MULTICAST -j DENY
  196.  
  197.     # Refuse Class E reserved IP  addresses
  198.     ipchains -A input   -s $CLASS_E_RESERVED_NET -j DENY -l
  199.  
  200.     # Refuse special addresses defined as reserved by the IANA.
  201.     # Note:  The remaining reserved addresses are not included.
  202.     # Filtering them causes problems as reserved blocks are
  203.     # being allocated more often now.
  204.  
  205.     # Note:  this list includes the loopback, multicast, & reserved addresses.
  206.  
  207.     # 0.*.*.*           - Can't be blocked for DHCP users.
  208.     # 127.*.*.*         - LoopBack
  209.     # 169.254.*.*       - Link Local Networks
  210.     # 192.0.2.*         - TEST-NET
  211.     # 224-255.*.*.*     - Classes D & E, plus unallocated.
  212.  
  213.     ipchains -A input   -s 0.0.0.0/8 -j DENY -l
  214.     ipchains -A input   -s 127.0.0.0/8 -j DENY -l
  215.     ipchains -A input   -s 169.254.0.0/16 -j DENY -l
  216.     ipchains -A input   -s 192.0.2.0/24 -j DENY -l
  217.     ipchains -A input   -s 224.0.0.0/3 -j DENY -l
  218.  
  219. # ----------------------------------------------------------------------------
  220. # NOTE:
  221. #      The symbolic names used in /etc/services for the port numbers vary by
  222. #      supplier.  Using them is less error prone and more meaningful, though.
  223.  
  224. # ----------------------------------------------------------------------------
  225. # TCP UNPRIVILEGED PORTS
  226. # Avoid ports subject to protocol & system administration problems.
  227.  
  228.     # NFS: establishing a TCP connection
  229.     ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp -y \
  230.              --destination-port $NFS_PORT -j DENY -l
  231.     ipchains -A output -i $EXTERNAL_INTERFACE -p tcp -y \
  232.              --destination-port $NFS_PORT -j REJECT
  233.  
  234.     # Xwindows: establishing a connection
  235.     ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp -y \
  236.              --destination-port $XWINDOW_PORTS -j DENY -l
  237.     ipchains -A output -i $EXTERNAL_INTERFACE -p tcp -y \
  238.              --destination-port $XWINDOW_PORTS -j REJECT
  239.  
  240.     # SOCKS: establishing a connection
  241.     ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp -y \
  242.              --destination-port $SOCKS_PORT -j DENY -l
  243.     ipchains -A output -i $EXTERNAL_INTERFACE -p tcp -y \
  244.              --destination-port $SOCKS_PORT -j REJECT
  245.  
  246. # ----------------------------------------------------------------------------
  247. # UDP UNPRIVILEGED PORTS
  248. # Avoid ports subject to protocol & system administration problems.
  249.  
  250.     ipchains -A input  -i $EXTERNAL_INTERFACE -p udp  \
  251.              --destination-port $NFS_PORT -j DENY -l
  252.  
  253.     # DNS server (53)
  254.     # ---------------
  255.  
  256.     # DNS: full server
  257.     # ----------------
  258.  
  259.     # server/client to server query or response
  260.  
  261.     ipchains -A input  -i $EXTERNAL_INTERFACE -p udp  \
  262.              --source-port $UNPRIVPORTS \
  263.              -d $IPADDR 53 -j ACCEPT
  264.  
  265.     ipchains -A output -i $EXTERNAL_INTERFACE -p udp  \
  266.              -s $IPADDR 53 \
  267.              --destination-port $UNPRIVPORTS -j ACCEPT
  268.  
  269.     ipchains -A output -i $EXTERNAL_INTERFACE -p udp  \
  270.              -s $IPADDR 53 \
  271.              --destination-port 53 -j ACCEPT
  272.  
  273.     ipchains -A input  -i $EXTERNAL_INTERFACE -p udp  \
  274.              --source-port 53 \
  275.              -d $IPADDR 53 -j ACCEPT
  276.  
  277.  
  278.     # DNS client (53)
  279.     # ---------------
  280.     ipchains -A output -i $EXTERNAL_INTERFACE -p udp  \
  281.              -s $IPADDR $UNPRIVPORTS \
  282.              -d $NAMESERVER_1 53 -j ACCEPT
  283.  
  284.     ipchains -A input  -i $EXTERNAL_INTERFACE -p udp  \
  285.              -s $NAMESERVER_1 53 \
  286.              -d $IPADDR $UNPRIVPORTS -j ACCEPT
  287.  
  288.  
  289.     ipchains -A output -i $EXTERNAL_INTERFACE -p tcp  \
  290.              -s $IPADDR $UNPRIVPORTS \
  291.              -d $NAMESERVER_1 53 -j ACCEPT
  292.  
  293.     ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp ! -y \
  294.              -s $NAMESERVER_1 53 \
  295.              -d $IPADDR $UNPRIVPORTS -j ACCEPT
  296.  
  297.     ipchains -A output -i $EXTERNAL_INTERFACE -p udp  \
  298.              -s $IPADDR $UNPRIVPORTS \
  299.              -d $NAMESERVER_2 53 -j ACCEPT
  300.  
  301.     ipchains -A input  -i $EXTERNAL_INTERFACE -p udp  \
  302.              -s $NAMESERVER_2 53 \
  303.              -d $IPADDR $UNPRIVPORTS -j ACCEPT
  304.  
  305.  
  306.     ipchains -A output -i $EXTERNAL_INTERFACE -p tcp  \
  307.              -s $IPADDR $UNPRIVPORTS \
  308.              -d $NAMESERVER_2 53 -j ACCEPT
  309.  
  310.     ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp ! -y \
  311.              -s $NAMESERVER_2 53 \
  312.              -d $IPADDR $UNPRIVPORTS -j ACCEPT
  313.  
  314.     # ------------------------------------------------------------------
  315.  
  316.     # HTTP server (80)
  317.     # ----------------
  318.     ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp  \
  319.              --source-port $UNPRIVPORTS \
  320.              -d $IPADDR 80 -j ACCEPT
  321.  
  322.     ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
  323.              -s $IPADDR 80 \
  324.              --destination-port $UNPRIVPORTS -j ACCEPT
  325.  
  326.  
  327.     # HTTP client (80)
  328.     # ----------------
  329.     ipchains -A output -i $EXTERNAL_INTERFACE -p tcp  \
  330.              -s $IPADDR $UNPRIVPORTS \
  331.              --destination-port 80 -j ACCEPT
  332.  
  333.     ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp ! -y \
  334.              --source-port 80 \
  335.              -d $IPADDR $UNPRIVPORTS -j ACCEPT
  336.  
  337.     # ------------------------------------------------------------------
  338.  
  339.     # HTTPS server (443)
  340.     # ------------------
  341.     ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp  \
  342.              --source-port $UNPRIVPORTS \
  343.              -d $IPADDR 443 -j ACCEPT
  344.  
  345.     ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
  346.              -s $IPADDR 443 \
  347.              --destination-port $UNPRIVPORTS -j ACCEPT
  348.  
  349.  
  350.     # HTTPS client (443)
  351.     # ------------------
  352.     ipchains -A output -i $EXTERNAL_INTERFACE -p tcp  \
  353.              -s $IPADDR $UNPRIVPORTS \
  354.              --destination-port 443 -j ACCEPT
  355.  
  356.     ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp ! -y \
  357.              --source-port 443 \
  358.              -d $IPADDR $UNPRIVPORTS -j ACCEPT
  359.  
  360.     # ------------------------------------------------------------------
  361.  
  362.     # SMTP server (25)
  363.     # ----------------
  364.     ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp  \
  365.              --source-port $UNPRIVPORTS \
  366.              -d $IPADDR 25 -j ACCEPT
  367.  
  368.     ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
  369.              -s $IPADDR 25 \
  370.              --destination-port $UNPRIVPORTS -j ACCEPT
  371.  
  372.     # ------------------------------------------------------------------
  373.  
  374.     # SSH server (22)
  375.     # ---------------
  376.     ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp  \
  377.              --source-port $SSH_REMOTE_PORTS \
  378.              -d $IPADDR 22 -j ACCEPT
  379.  
  380.     ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
  381.              -s $IPADDR 22 \
  382.              --destination-port $SSH_REMOTE_PORTS -j ACCEPT
  383.  
  384.  
  385.     # SSH client (22)
  386.     # ---------------
  387.     ipchains -A output -i $EXTERNAL_INTERFACE -p tcp  \
  388.              -s $IPADDR $SSH_LOCAL_PORTS \
  389.              --destination-port 22 -j ACCEPT
  390.  
  391.     ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp ! -y \
  392.              --source-port 22 \
  393.              -d $IPADDR $SSH_LOCAL_PORTS -j ACCEPT
  394.  
  395.     # ------------------------------------------------------------------
  396.  
  397.     # TELNET client (23)
  398.     # ------------------
  399.     ipchains -A output -i $EXTERNAL_INTERFACE -p tcp  \
  400.              -s $IPADDR $UNPRIVPORTS \
  401.              --destination-port 23 -j ACCEPT
  402.  
  403.     ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp ! -y \
  404.              --source-port 23 \
  405.              -d $IPADDR $UNPRIVPORTS -j ACCEPT
  406.  
  407.     # ------------------------------------------------------------------
  408.  
  409.     # AUTH server (113)
  410.     # -----------------
  411.  
  412.     # Accept incoming connections to identd but disable in.identd in inetd.conf.
  413.     ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp  \
  414.              --source-port $UNPRIVPORTS \
  415.              -d $IPADDR 113 -j ACCEPT
  416.  
  417.     ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
  418.              -s $IPADDR 113 \
  419.              --destination-port $UNPRIVPORTS -j ACCEPT
  420.  
  421.  
  422.     # AUTH client (113)
  423.     # -----------------
  424.     ipchains -A output -i $EXTERNAL_INTERFACE -p tcp  \
  425.              -s $IPADDR $UNPRIVPORTS \
  426.              --destination-port 113 -j ACCEPT
  427.  
  428.     ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp ! -y \
  429.              --source-port 113 \
  430.              -d $IPADDR $UNPRIVPORTS -j ACCEPT
  431.  
  432.     # ------------------------------------------------------------------
  433.  
  434.     # WHOIS client (43)
  435.     # -----------------
  436.     ipchains -A output -i $EXTERNAL_INTERFACE -p tcp  \
  437.              -s $IPADDR $UNPRIVPORTS \
  438.              --destination-port 43 -j ACCEPT
  439.  
  440.     ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp ! -y \
  441.              --source-port 43 \
  442.              -d $IPADDR $UNPRIVPORTS -j ACCEPT
  443.  
  444.     # ------------------------------------------------------------------
  445.  
  446.     # FTP server (21)
  447.     # ---------------
  448.  
  449.     # incoming request
  450.     ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp  \
  451.              --source-port $UNPRIVPORTS \
  452.              -d $IPADDR 21 -j ACCEPT
  453.  
  454.     ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
  455.              -s $IPADDR 21 \
  456.              --destination-port $UNPRIVPORTS -j ACCEPT
  457.  
  458.  
  459.     # PORT MODE data channel responses
  460.     ipchains -A output -i $EXTERNAL_INTERFACE -p tcp  \
  461.              -s $IPADDR 20 \
  462.              --destination-port $UNPRIVPORTS -j ACCEPT
  463.  
  464.     ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp ! -y \
  465.              --source-port $UNPRIVPORTS \
  466.              -d $IPADDR 20 -j ACCEPT
  467.  
  468.  
  469.     # FTP client (21)
  470.     # ---------------
  471.  
  472.     # outgoing request
  473.     ipchains -A output -i $EXTERNAL_INTERFACE -p tcp  \
  474.              -s $IPADDR $UNPRIVPORTS \
  475.              --destination-port 21 -j ACCEPT
  476.  
  477.     ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp ! -y \
  478.              --source-port 21 \
  479.              -d $IPADDR $UNPRIVPORTS -j ACCEPT
  480.  
  481.  
  482.     # PORT mode data channel
  483.     ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp  \
  484.              --source-port 20 \
  485.              -d $IPADDR $UNPRIVPORTS -j ACCEPT
  486.  
  487.     ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
  488.              -s $IPADDR $UNPRIVPORTS \
  489.              --destination-port 20 -j ACCEPT
  490.  
  491.     # ------------------------------------------------------------------
  492.  
  493.     # IRC client (6667)
  494.     # -----------------
  495.     ipchains -A output -i $EXTERNAL_INTERFACE -p tcp  \
  496.              -s $IPADDR $UNPRIVPORTS \
  497.              --destination-port 6667 -j ACCEPT
  498.  
  499.     ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp ! -y \
  500.              --source-port 6667 \
  501.              -d $IPADDR $UNPRIVPORTS -j ACCEPT
  502.  
  503.     ipchains -A output -i $EXTERNAL_INTERFACE -p tcp  \
  504.              -s $IPADDR $UNPRIVPORTS \
  505.              --destination-port $UNPRIVPORTS -j ACCEPT
  506.  
  507.     ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp  \
  508.              --source-port $UNPRIVPORTS \
  509.              -d $IPADDR $UNPRIVPORTS -j ACCEPT
  510.  
  511.     # ------------------------------------------------------------------
  512.  
  513.     # RealAudio / QuickTime client
  514.     # ----------------------------
  515.     ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp ! -y \
  516.              --source-port 554 \
  517.              -d $IPADDR $UNPRIVPORTS -j ACCEPT
  518.  
  519.     ipchains -A output -i $EXTERNAL_INTERFACE -p tcp  \
  520.              -s $IPADDR $UNPRIVPORTS \
  521.              --destination-port 554 -j ACCEPT
  522.  
  523.     # TCP is a more secure method:  7070:7071
  524.  
  525.     ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp ! -y \
  526.              --source-port 7070:7071 \
  527.              -d $IPADDR $UNPRIVPORTS -j ACCEPT
  528.  
  529.     ipchains -A output -i $EXTERNAL_INTERFACE -p tcp  \
  530.              -s $IPADDR $UNPRIVPORTS \
  531.              --destination-port 7070:7071 -j ACCEPT
  532.  
  533.     # UDP is the preferred method:  6970:6999
  534.     # For LAN machines, UDP requires the RealAudio masquerading module and
  535.     # the ipmasqadm third-party software.
  536.  
  537.     ipchains -A input  -i $EXTERNAL_INTERFACE -p udp  \
  538.              --source-port $UNPRIVPORTS \
  539.              -d $IPADDR 6970:6999 -j ACCEPT
  540.  
  541.     ipchains -A output -i $EXTERNAL_INTERFACE -p udp  \
  542.              -s $IPADDR 6970:6999 \
  543.              --destination-port $UNPRIVPORTS -j ACCEPT
  544.  
  545.     # ------------------------------------------------------------------
  546.  
  547.     # ICQ client (4000)
  548.     # -----------------
  549.     ipchains -A output -i $EXTERNAL_INTERFACE -p tcp  \
  550.              -s $IPADDR $UNPRIVPORTS \
  551.              --destination-port 2000:4000 -j ACCEPT
  552.  
  553.     ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp ! -y \
  554.              --source-port 2000:4000 \
  555.              -d $IPADDR $UNPRIVPORTS -j ACCEPT
  556.  
  557.     ipchains -A output -i $EXTERNAL_INTERFACE -p udp  \
  558.              -s $IPADDR $UNPRIVPORTS \
  559.              --destination-port 4000 -j ACCEPT
  560.  
  561.     ipchains -A input  -i $EXTERNAL_INTERFACE -p udp  \
  562.              --source-port 4000 \
  563.              -d $IPADDR $UNPRIVPORTS -j ACCEPT
  564.  
  565. # ----------------------------------------------------------------------------
  566. # UDP accept only on selected ports
  567. # ---------------------------------
  568.  
  569.     # ------------------------------------------------------------------
  570.  
  571.     # OUTGOING TRACEROUTE
  572.     # -------------------
  573.     ipchains -A output -i $EXTERNAL_INTERFACE -p udp  \
  574.              -s $IPADDR $TRACEROUTE_SRC_PORTS \
  575.              --destination-port $TRACEROUTE_DEST_PORTS -j ACCEPT -l
  576.  
  577. # ----------------------------------------------------------------------------
  578. # ICMP
  579.  
  580.     #    To prevent denial of service attacks based on ICMP bombs, filter
  581.     #    incoming Redirect (5) and outgoing Destination Unreachable (3).
  582.     #    Note, however, disabling Destination Unreachable (3) is not
  583.     #    advisable, as it is used to negotiate packet fragment size.
  584.  
  585.     # For bi-directional ping.
  586.     #     Message Types:  Echo_Reply (0),  Echo_Request (8)
  587.     #     To prevent attacks, limit the src addresses to your ISP range.
  588.     #
  589.     # For outgoing traceroute.
  590.     #     Message Types:  INCOMING Dest_Unreachable (3), Time_Exceeded (11)
  591.     #     default UDP base: 33434 to base+nhops-1
  592.     #
  593.     # For incoming traceroute.
  594.     #     Message Types:  OUTGOING Dest_Unreachable (3), Time_Exceeded (11)
  595.     #     To block this, deny OUTGOING 3 and 11
  596.  
  597.     #  0: echo-reply (pong)
  598.     #  3: destination-unreachable, port-unreachable, fragmentation-needed, etc.
  599.     #  4: source-quench
  600.     #  5: redirect
  601.     #  8: echo-request (ping)
  602.     # 11: time-exceeded
  603.     # 12: parameter-problem
  604.  
  605.     ipchains -A input  -i $EXTERNAL_INTERFACE -p icmp  \
  606.              --icmp-type echo-reply \
  607.              -d $IPADDR -j ACCEPT
  608.  
  609.     ipchains -A input  -i $EXTERNAL_INTERFACE -p icmp  \
  610.              --icmp-type destination-unreachable \
  611.              -d $IPADDR -j ACCEPT
  612.  
  613.     ipchains -A input  -i $EXTERNAL_INTERFACE -p icmp  \
  614.              --icmp-type source-quench \
  615.              -d $IPADDR -j ACCEPT
  616.  
  617.     ipchains -A input  -i $EXTERNAL_INTERFACE -p icmp  \
  618.              --icmp-type echo-request \
  619.              -d $IPADDR -j ACCEPT
  620.  
  621.     ipchains -A input  -i $EXTERNAL_INTERFACE -p icmp  \
  622.              --icmp-type time-exceeded \
  623.              -d $IPADDR -j ACCEPT
  624.  
  625.     ipchains -A input  -i $EXTERNAL_INTERFACE -p icmp  \
  626.              --icmp-type parameter-problem \
  627.              -d $IPADDR -j ACCEPT
  628.  
  629.  
  630.     ipchains -A output -i $EXTERNAL_INTERFACE -p icmp  \
  631.              -s $IPADDR echo-reply -j ACCEPT
  632.  
  633.     ipchains -A output -i $EXTERNAL_INTERFACE -p icmp  \
  634.              -s $IPADDR destination-unreachable -j ACCEPT
  635.  
  636.     ipchains -A output -i $EXTERNAL_INTERFACE -p icmp  \
  637.              -s $IPADDR source-quench -j ACCEPT
  638.  
  639.     ipchains -A output -i $EXTERNAL_INTERFACE -p icmp  \
  640.              -s $IPADDR echo-request -j ACCEPT
  641.  
  642.     ipchains -A output -i $EXTERNAL_INTERFACE -p icmp  \
  643.              -s $IPADDR time-exceeded -j ACCEPT
  644.  
  645.     ipchains -A output -i $EXTERNAL_INTERFACE -p icmp  \
  646.              -s $IPADDR parameter-problem -j ACCEPT
  647.  
  648. # ----------------------------------------------------------------------------
  649. # Enable logging for selected denied packets
  650.  
  651.     ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp  -j DENY -l
  652.  
  653.     ipchains -A input  -i $EXTERNAL_INTERFACE -p udp  \
  654.              --destination-port $PRIVPORTS -j DENY -l
  655.  
  656.     ipchains -A input  -i $EXTERNAL_INTERFACE -p udp  \
  657.              --destination-port $UNPRIVPORTS -j DENY -l
  658.  
  659.  
  660.     ipchains -A input  -i $EXTERNAL_INTERFACE -p icmp  \
  661.              --icmp-type 5 -j DENY -l
  662.     ipchains -A input  -i $EXTERNAL_INTERFACE -p icmp  \
  663.              --icmp-type 13:255 -j DENY -l
  664.  
  665.     ipchains -A output -i $EXTERNAL_INTERFACE  -j REJECT -l
  666.  
  667. # ----------------------------------------------------------------------------
  668.  
  669. echo "done"
  670.  
  671. exit 0
  672.  
  673.  
  674.    
######################
# INSTALLATION NOTES #
######################
#
# Static IP Users
#
#   6. Edit /etc/rc.d/rc.local and add the following line to the end of the file:
#
#      sh /etc/rc.d/rc.firewall
#
# or alternately,
#
#   6. Create a new executable script file in /etc/rc.d/init.d and add the following lines:
#
#            #!/bin/sh
#            sh /etc/rc.d/rc.firewall
#
#      Create symbolic links to the script in /etc/rc.d/rc3.d and /etc/rc.d/rc5.d. Number the links to execute after inet and named.
#
#   7. Execute the script from the command line the first time. There is no need to reboot.
#
#
