summaryrefslogtreecommitdiffstats
path: root/firewall_wizard/scripts/firew.sh
diff options
context:
space:
mode:
authorArnaud Desmons <adesmons@mandriva.com>2002-09-05 07:37:06 +0000
committerArnaud Desmons <adesmons@mandriva.com>2002-09-05 07:37:06 +0000
commitf7cca6ea32444a7764d54989bf360530d07d6092 (patch)
tree779049ed3b297fa40354f497a5e0d6ca86505096 /firewall_wizard/scripts/firew.sh
parent52d4a220029dac288c8b86c3271ce9ab5fbdc6c2 (diff)
downloaddrakwizard-f7cca6ea32444a7764d54989bf360530d07d6092.tar
drakwizard-f7cca6ea32444a7764d54989bf360530d07d6092.tar.gz
drakwizard-f7cca6ea32444a7764d54989bf360530d07d6092.tar.bz2
drakwizard-f7cca6ea32444a7764d54989bf360530d07d6092.tar.xz
drakwizard-f7cca6ea32444a7764d54989bf360530d07d6092.zip
untouched
Diffstat (limited to 'firewall_wizard/scripts/firew.sh')
-rwxr-xr-xfirewall_wizard/scripts/firew.sh140
1 files changed, 140 insertions, 0 deletions
diff --git a/firewall_wizard/scripts/firew.sh b/firewall_wizard/scripts/firew.sh
new file mode 100755
index 00000000..c7f1b10b
--- /dev/null
+++ b/firewall_wizard/scripts/firew.sh
@@ -0,0 +1,140 @@
+#!/bin/sh
+#
+# firewall This script sets up firewall rules.
+#
+# chkconfig: 2345 09 91
+# description: Sets up or removes firewall rules.
+#
+# Firewall rules for a firewall between a private internal network and the
+# Internet.
+#
+# Copyright (C) 2000 Roaring Penguin Software Inc. This software may
+# be distributed under the terms of the GNU General Public License, version
+# 2 or any later version.
+
+# Interface to Internet
+EXTIF=ppp0
+
+# Internal network address. For stand-alone machines, delete this and
+# all the "forward" rules.
+INTERNAL=192.168.2.0/24
+
+# Wildcard address
+ANY=0.0.0.0/0
+
+# Source function library. THIS WORKS ONLY ON RED HAT-LIKE SYSTEMS.
+
+. /etc/rc.d/init.d/functions
+
+### For details, see the man page ipchains(1) and
+### /usr/share/doc/HOWTO/IPCHAINS-HOWTO -- David.
+
+case "$1" in
+ start)
+ echo -n "Setting up firewall rules"
+
+ # Turn on forwarding to silence warnings...
+ echo 1 > /proc/sys/net/ipv4/ip_forward
+
+ # Set default policies; clear all rules
+ ipchains -P input ACCEPT
+ ipchains -P output ACCEPT
+ ipchains -P forward DENY
+
+ ipchains -F forward
+ ipchains -F input
+ ipchains -F output
+
+ ### Spoof protection: Drop obviously suspect packets ###
+
+ # Drop packets claiming to be from unroutable addresses
+ ipchains -A input -l -s 10.0.0.0/8 -i $EXTIF -j DENY
+ ipchains -A input -l -s 172.16.0.0/12 -i $EXTIF -j DENY
+ ipchains -A input -l -s 192.168.0.0/16 -i $EXTIF -j DENY
+
+ # Drop packets wanting to go to unroutable addresses
+ ipchains -A input -l -d 10.0.0.0/8 -i $EXTIF -j DENY
+ ipchains -A input -l -d 172.16.0.0/12 -i $EXTIF -j DENY
+ ipchains -A input -l -d 192.168.0.0/16 -i $EXTIF -j DENY
+
+ ### External access to services on this machine ###
+
+ # Reject identd packets without logging
+ ipchains -A input -i $EXTIF -p tcp -d $ANY 113 -j REJECT
+
+ # Allow access to sendmail -- log connection attempts
+ #ipchains -A input -l -i $EXTIF -p tcp -d $ANY 25 -y -j ACCEPT
+ #ipchains -A input -i $EXTIF -p tcp -d $ANY 25 -j ACCEPT
+
+ # Allow access to ssh -- we run ssh on port 23 because of
+ # a stupid client firewall at one place we work.
+ #ipchains -A input -l -i $EXTIF -p tcp -d $ANY 23 -y -j ACCEPT
+ #ipchains -A input -i $EXTIF -p tcp -d $ANY 23 -j ACCEPT
+
+ # Deny all other TCP connection attempts on the external interface
+ ipchains -A input -l -i $EXTIF -p tcp -y -j DENY
+
+ # Deny TCP and UDP packets to privileged ports
+ ipchains -A input -l -i $EXTIF -d $ANY 0:1023 -p udp -j DENY
+ ipchains -A input -l -i $EXTIF -d $ANY 0:1023 -p tcp -j DENY
+
+ ### FORWARD rules only apply if you have an internal LAN gatewaying
+ ### through this computer.
+ # Allow DNS queries
+ ipchains -A forward -s $INTERNAL 1024: -d $ANY 53 -p udp -j MASQ
+
+ # Allow internal users to browse web (http and https)
+ ipchains -A forward -s $INTERNAL 1024: -d $ANY 80 -p tcp -b -j MASQ
+ ipchains -A forward -s $INTERNAL 1024: -d $ANY 443 -p tcp -b -j MASQ
+
+ # Allow internal users to read news
+ ipchains -A forward -s $INTERNAL 1024: -d $ANY 119 -p tcp -b -j MASQ
+
+ # Allow internal users to access POP and IMAP services on mail server
+ ipchains -A forward -s $INTERNAL 1024: -d $ANY 25 -p tcp -b -j MASQ
+ ipchains -A forward -s $INTERNAL 1024: -d $ANY 110 -p tcp -b -j MASQ
+ ipchains -A forward -s $INTERNAL 1024: -d $ANY 143 -p tcp -b -j MASQ
+
+ # Allow internal users to access external FTP servers
+ ipchains -A forward -s $INTERNAL 1024: -d $ANY 21 -p tcp -b -j MASQ
+
+ # Allow internal users to access external Telnet and SSH servers
+ ipchains -A forward -s $INTERNAL 1024: -d $ANY 22 -p tcp -b -j MASQ
+ ipchains -A forward -s $INTERNAL 1024: -d $ANY 23 -p tcp -b -j MASQ
+
+ # Allow unprivileged ports --> unprivileged ports for passive FTP
+ ipchains -A forward -s $INTERNAL 1024: -d $ANY 1024: -p tcp -b -j MASQ
+
+ # A catch-all rule for logging purposes
+ ipchains -A forward -s $ANY -d $ANY -l -j DENY
+
+ # Turn on forwarding
+ echo 1 > /proc/sys/net/ipv4/ip_forward
+
+ echo_success
+ echo ""
+ ;;
+
+ stop)
+ echo -n "Shutting down firewall rules"
+ # Turn off forwarding
+ echo 0 > /proc/sys/net/ipv4/ip_forward
+
+ # Set default policies; clear all rules
+ ipchains -P input ACCEPT
+ ipchains -P output ACCEPT
+ ipchains -P forward DENY
+
+ ipchains -F forward
+ ipchains -F input
+ ipchains -F output
+ echo_success
+ echo ""
+ ;;
+
+ *)
+ echo "Usage: firewall {start|stop}"
+ exit 1
+esac
+
+exit 0