#!/bin/sh
#
# firewall		This script sets up firewall rules.
#
# chkconfig: 2345 09 91
# description: Sets up or removes firewall rules.
#
# Firewall rules for a firewall between a private internal network and the
# Internet.
#
# Copyright (C) 2000 Roaring Penguin Software Inc.  This software may
# be distributed under the terms of the GNU General Public License, version
# 2 or any later version.

# Interface to Internet.  This is the untrusted side: every anti-spoofing
# and service rule in the "start" branch is keyed on this interface.
EXTIF=ppp0

# Internal network address.  For stand-alone machines, delete this and
# all the "forward" rules.  Used as the source of the masquerading
# ("forward ... -j MASQ") rules.
INTERNAL=192.168.2.0/24

# Wildcard address (any source/destination).
ANY=0.0.0.0/0

# Source function library.  THIS WORKS ONLY ON RED HAT-LIKE SYSTEMS.
# The start/stop branches call echo_success from this file; on a system
# without it the status output will fail.

. /etc/rc.d/init.d/functions

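### For details, see the man page ipchains(1) and
### /usr/share/doc/HOWTO/IPCHAINS-HOWTO -- David.
###
### ipchains is a stateless filter, so the "-y" (SYN-only) matches below are
### what separate new inbound connections from replies to outbound ones.

#######################################
# Run one ipchains command and abort the whole run if it fails.
# Previously a failing rule was ignored and the script still reported
# success over a partially applied -- i.e. more permissive -- rule set.
# Arguments: the ipchains arguments
# Outputs:   failure marker and diagnostic on stderr when the command fails
# Returns:   0 on success; exits the script with status 1 on failure
#######################################
fw() {
	if ! ipchains "$@"; then
		echo_failure
		echo ""
		echo "firewall: 'ipchains $*' failed" >&2
		exit 1
	fi
}

# $1 is the init action; anything other than start/stop (including no
# argument at all) prints usage and exits 1.
case "$1" in
    start)
	# printf rather than "echo -n": the script runs under /bin/sh and
	# POSIX echo does not define -n.
	printf '%s' "Setting up firewall rules"

	# Turn on forwarding to silence warnings...
	echo 1 > /proc/sys/net/ipv4/ip_forward

	# Set default policies; clear all rules.  Note input/output default to
	# ACCEPT: everything not explicitly denied below is allowed in.
	fw -P input ACCEPT
	fw -P output ACCEPT
	fw -P forward DENY

	fw -F forward
	fw -F input
	fw -F output

	### Spoof protection: Drop obviously suspect packets ###

	# Drop packets claiming to be from unroutable (RFC 1918) addresses.
	# NOTE(review): only the private ranges are covered; the loopback
	# range is not listed here -- confirm whether that is intended.
	fw -A input -l -s 10.0.0.0/8     -i "$EXTIF" -j DENY
	fw -A input -l -s 172.16.0.0/12  -i "$EXTIF" -j DENY
	fw -A input -l -s 192.168.0.0/16 -i "$EXTIF" -j DENY

	# Drop packets wanting to go to unroutable addresses
	fw -A input -l -d 10.0.0.0/8     -i "$EXTIF" -j DENY
	fw -A input -l -d 172.16.0.0/12  -i "$EXTIF" -j DENY
	fw -A input -l -d 192.168.0.0/16 -i "$EXTIF" -j DENY

	### External access to services on this machine ###

	# Reject identd packets without logging (REJECT answers the client,
	# so mail servers that probe identd do not hang on a timeout)
	fw -A input -i "$EXTIF" -p tcp -d "$ANY" 113 -j REJECT

	# Allow access to sendmail -- log connection attempts
	#ipchains -A input -l -i $EXTIF -p tcp -d $ANY 25 -y -j ACCEPT
	#ipchains -A input  -i $EXTIF -p tcp -d $ANY 25 -j ACCEPT

	# Allow access to ssh -- we run ssh on port 23 because of
	# a stupid client firewall at one place we work.
	#ipchains -A input -l -i $EXTIF -p tcp -d $ANY 23 -y -j ACCEPT
	#ipchains -A input -i $EXTIF -p tcp -d $ANY 23 -j ACCEPT

	# Deny (and log) all other TCP connection attempts on the external
	# interface; -y matches SYN-only packets, i.e. new connections.
	fw -A input -l -i "$EXTIF" -p tcp -y -j DENY

	# Deny TCP and UDP packets to privileged ports
	fw -A input -l -i "$EXTIF" -d "$ANY" 0:1023 -p udp -j DENY
	fw -A input -l -i "$EXTIF" -d "$ANY" 0:1023 -p tcp -j DENY

	### FORWARD rules only apply if you have an internal LAN gatewaying
	### through this computer.
	# Allow DNS queries
	fw -A forward -s "$INTERNAL" 1024: -d "$ANY" 53 -p udp -j MASQ

	# Allow internal users to browse web (http and https)
	fw -A forward -s "$INTERNAL" 1024: -d "$ANY" 80  -p tcp -b -j MASQ
	fw -A forward -s "$INTERNAL" 1024: -d "$ANY" 443  -p tcp -b -j MASQ

	# Allow internal users to read news
	fw -A forward -s "$INTERNAL" 1024: -d "$ANY" 119  -p tcp -b -j MASQ

	# Allow internal users to access SMTP, POP and IMAP services on mail server
	fw -A forward -s "$INTERNAL" 1024: -d "$ANY" 25 -p tcp -b -j MASQ
	fw -A forward -s "$INTERNAL" 1024: -d "$ANY" 110 -p tcp -b -j MASQ
	fw -A forward -s "$INTERNAL" 1024: -d "$ANY" 143 -p tcp -b -j MASQ

	# Allow internal users to access external FTP servers
	fw -A forward -s "$INTERNAL" 1024: -d "$ANY" 21  -p tcp -b -j MASQ

	# Allow internal users to access external Telnet and SSH servers
	fw -A forward -s "$INTERNAL" 1024: -d "$ANY" 22  -p tcp -b -j MASQ
	fw -A forward -s "$INTERNAL" 1024: -d "$ANY" 23  -p tcp -b -j MASQ

	# Allow unprivileged ports --> unprivileged ports for passive FTP
	fw -A forward -s "$INTERNAL" 1024: -d "$ANY" 1024: -p tcp -b -j MASQ

	# A catch-all rule for logging purposes (the chain policy is already
	# DENY; this rule only adds the log entry)
	fw -A forward -s "$ANY"            -d "$ANY" -l            -j DENY

	# Turn on forwarding
	echo 1 > /proc/sys/net/ipv4/ip_forward

	echo_success
	echo ""
	;;

    stop)
	printf '%s' "Shutting down firewall rules"
	# Turn off forwarding
	echo 0 > /proc/sys/net/ipv4/ip_forward

	# Set default policies; clear all rules.  After "stop" the host has
	# no filtering at all (input/output policy ACCEPT, no rules).
	fw -P input ACCEPT
	fw -P output ACCEPT
	fw -P forward DENY

	fw -F forward
	fw -F input
	fw -F output
	echo_success
	echo ""
	;;

    *)
	# Usage is a diagnostic: send it to stderr, not stdout.
	echo "Usage: firewall {start|stop}" >&2
	exit 1
esac

exit 0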