#!/bin/sh
#
# firewall      Firewall startup/shutdown script
#
# Version:      @(#) /etc/rc.d/init.d/firewall  05-March-2000
#
# Adapted from:	"Linux Firewalls", Auth: Robert L. Ziegler
#		Appendix B: Firewall Examples and Support Scripts
#
# By:			Craig Zeller <zeller@fatpenguin.com>
# Modified:		24-May-2000 by R. Sully <rcs@malibyte.net>
#
# chkconfig: 345 11 91
#
# description: IP Firewall startup/shutdown script for IPCHAINS
#
# probe: true
#

#
# CONSTANTS - Do not edit
#

# Address and port constants referenced by the rule set below.
# "any/0" is the ipchains spelling of "match every address".
ANYWHERE="any/0"

# Broadcast addresses as they appear in the source and destination
# fields respectively.
BROADCAST_SRC="0.0.0.0"
BROADCAST_DEST="255.255.255.255"

# RFC-1918 private ranges; never legitimate on the external interface.
CLASS_A="10.0.0.0/8"
CLASS_B="172.16.0.0/12"
CLASS_C="192.168.0.0/16"

# Class-D multicast and the Class-E reserved block.
CLASS_D_MULTICAST="224.0.0.0/4"
# NOTE(review): this /5 only spans 240-247; Class E proper is 240.0.0.0/4.
# The wider prefix would also match 255.255.255.255 in the output REJECT
# rule that uses this constant, so confirm nothing depends on that before
# changing it.
CLASS_E_RESERVED_NET="240.0.0.0/5"

# Port ranges: well-known/privileged, unprivileged, and the ranges
# traceroute uses for its probes.
PRIVPORTS="0:1023"
UNPRIVPORTS="1024:65535"
TRACEROUTE_SRC_PORTS="32769:65535"
TRACEROUTE_DEST_PORTS="33434:33523"


#
# The Loopback interface defines should not be
# edited unless your Linux distribution defines
# these differently.
#

# Loopback interface name and its reserved address range. Only change
# these if your distribution names or numbers the loopback differently.
LOOPBACK_INTERFACE="lo"
LOOPBACK_NETWORK="127.0.0.0/8"

#
# Source function library.
#

# Init-script helper library (chkconfig-style distributions, see header).
# Sourced unconditionally: in POSIX sh a missing file here is fatal, so
# the script exits before any rule below is installed.
. /etc/rc.d/init.d/functions

#
# See how we were called.
#

case "$1" in
  start)
        echo "Starting Firewall services"
	echo "firewall: Configuring Firewall Rules using IPCHAINS"

	# Open the configuration file
	if [ -f /etc/firewall/firewall.conf ]; then
	    . /etc/firewall/firewall.conf
	else
	    # Turn off IP Forwarding & Masquerading
	    echo 0 > /proc/sys/net/ipv4/ip_forward
	    
	    # Flush the rule chains
	    ipchains -F

	    # Set the default policy to deny
	    ipchains -P input DENY
	    ipchains -P output DENY

	    # Allow unlimited traffic on the loopback interface
	    ipchains -A input -i $LOOPBACK_INTERFACE -j ACCEPT
	    ipchains -A output -i $LOOPBACK_INTERFACE -j ACCEPT
	    echo "firewall: No configuration file found at /etc/firewall/firewall.conf"
	    exit 1
	fi

	#
	# If your IP address is dynamically assigned by a DHCP server,
	# name servers are found in /etc/dhcpc/resolv.conf. If used, the
	# sample ifdhcpc-done script updates these automatically and
	# appends them to /etc/dhcpc/hostinfo-$EXTERNAL_INTERFACE or
	# /etc/dhcpc/dhcpcd-$EXTERNAL_INTERFACE.info.
	#
	# If using the sample ifdhcpc-done script, the following NAMESERVER
	# definitions (one per server, up to 3) will be overridden correctly
	# here.
	#

	if [ $DHCP -gt 0 ]; then

	    # The IP address, $EXTERNAL_IP, is defined by DHCP.

	    if [ -f /etc/dhcpc/hostinfo-$EXTERNAL_INTERFACE ]; then
		. /etc/dhcpc/hostinfo-$EXTERNAL_INTERFACE
	    elif [ -f /etc/dhcpc/dhcpcd-$EXTERNAL_INTERFACE.info ]; then
		. /etc/dhcpc/dhcpcd-$EXTERNAL_INTERFACE.info
		DHCP_SERVER=$DHCPSIADDR
	    else
		echo "firewall: DHCP is not configured"
		# Turn off IP Forwarding & Masquerading
		echo 0 >/proc/sys/net/ipv4/ip_forward
	    
		# Flush the rule chains
		ipchains -F

		# Set the default policy to deny
		ipchains -P input DENY
		ipchains -P output DENY

		# Allow unlimited traffic on the loopback interface
		ipchains -A input -i $LOOPBACK_INTERFACE -j ACCEPT
		ipchains -A output -i $LOOPBACK_INTERFACE -j ACCEPT

		# Allow unlimited local traffic on the internal interface
		ipchains -A input -i $INTERNAL_INTERFACE -j ACCEPT
		ipchains -A output -i $INTERNAL_INTERFACE -j ACCEPT
		exit 1
	    fi
	    echo "firewall: DHCP configured"

	fi

	#
	# Edit these to match the number of servers or connections
	# you support.
	#

	# X Window port allocation begins at 6000 and increments
	# for each additional server running from 6000 to 6063.

	XWINDOW_PORTS="6000:6063"		# (TCP) X Windows

	# SSH starts at 1023 and works down to 513 for each additional
	# simultaneous incoming connection.

	SSH_HI_PORTS="513:1023"			# SSH Simultaneous Connections

	# Flush any existing rules from all chains.
	ipchains -F input
	ipchains -F output
	ipchains -F forward

	# Set the default policy to deny.
	ipchains -P input DENY
	ipchains -P output DENY
	ipchains -P forward DENY

	# Set masquerade timeout to 10 hours for TCP connections.
	ipchains -M -S 36000 0 0

	# Disallow fragmented packets.
	ipchains -A input -f -i $INTERNAL_INTERFACE -j DENY
	ipchains -A input -f -i $EXTERNAL_INTERFACE -j DENY

	# Enable TCP SYN Cookie Protection
	echo 1 > /proc/sys/net/ipv4/tcp_syncookies

	# Enable IP Spoofing Protection by turning on
	# source address verification
	for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
	    echo 1 > $f
	done

	# Disable ICMP Redirect Acceptance
	for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
	    echo 0 > $f
	done

	# Disable Source Routed Packets
	for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
	    echo 0 > $f
	done

	# These modules are necessary to Masquerade their respective services:

	if [ $MASQUERADING -gt 0 ]; then

	    if [ $FTP_CLIENT -gt 0 ]; then
		/sbin/modprobe ip_masq_ftp
		if [ $VERBOSE -gt 0 ]; then
		    echo "firewall: FTP module loaded"
		fi
	    fi

	    if [ $RAUDIO_CLIENT -gt 0 ]; then
		/sbin/modprobe ip_masq_raudio
		if [ $VERBOSE -gt 0 ]; then
		    echo "firewall: RealAudio module loaded"
		fi
	    fi

	    if [ $IRC_CLIENT -gt 0 ]; then
		/sbin/modprobe ip_masq_irc
		if [ $VERBOSE -gt 0 ]; then
		    echo "firewall: IRC module loaded"
		fi
	    fi

	    if [ $VDOLIVE_CLIENT -gt 0 ]; then
		/sbin/modprobe ip_masq_vdolive
		if [ $VERBOSE -gt 0 ]; then
		    echo "firewall: VideoLive module loaded"
		fi
	    fi

	    if [ $CUSEEMEE_CLIENT -gt 0 ]; then
		/sbin/modprobe ip_masq_cuseeme
		if [ $VERBOSE -gt 0 ]; then
		    echo "firewall: CuSeeMee module loaded"
		fi
	    fi

	    if [ $QUAKE_CLIENT -gt 0 ]; then
		/sbin/modprobe ip_masq_quake
		if [ $VERBOSE -gt 0 ]; then
		    echo "firewall: Quake module loaded"
		fi
	    fi

	fi


	#
	# Loopback
	#

	# Unlimited traffic on the loopback interface (lo)

	ipchains -A input -i $LOOPBACK_INTERFACE -j ACCEPT
	ipchains -A output -i $LOOPBACK_INTERFACE -j ACCEPT

	#
	# Localizations
	#
	# The /etc/firewall/firewall.local file should contain rules as
	# standard 'ipchains' commands. It is sourced as shell code with
	# this script's privileges, so it must be writable by root only.
	#

	if [ -f /etc/firewall/firewall.local ]; then
	    . /etc/firewall/firewall.local
	fi

	#
	# Refuse any connections to/from problem sites.
	#
	# /etc/firewall/firewall.banned contains a list of IPs
	# to block all access, both inbound and outbound.
	# The file should contain IP addresses with CIDR
	# netmask, one per line:
	#
	# NOTE: No comments are allowed in the file.
	#
	# 111.222.333.444/32		- To block a single IP address
	# 111.222.333.444/8		- To block a Class-A network
	# 111.222.333.444/16		- To block a Class-B network
	# 111.222.333.444/24		- To block a Class-C network
	#
	# The CIDR netmask number describes the number of bits
	# in the network portion of the address, and may be on 
	# any boundary.
	#

	if [ -f /etc/firewall/firewall.banned ]; then
	    while read BANNED; do
		ipchains -A input -i $EXTERNAL_INTERFACE -s $BANNED -j DENY -l
		ipchains -A input -i $EXTERNAL_INTERFACE -d $BANNED -j DENY -l
		ipchains -A output -i $EXTERNAL_INTERFACE -s $BANNED -j DENY -l
		ipchains -A output -i $EXTERNAL_INTERFACE -d $BANNED -j DENY -l
	    done < /etc/firewall/firewall.banned
	fi

	#
	# Spoofing and Bad Addresses
	#

	# Refuse spoofed packets.
	# Ignore blatantly illegal source addresses.
	# Protect yourself from sending to bad addresses.

	# Refuse spoofed packets pretending to be from
	# the external interface's IP address.

	ipchains -A input -i $EXTERNAL_INTERFACE -s $EXTERNAL_IP -l -j DENY

	# Refuse packets claiming to be to or from a Class-A private network.

	ipchains -A input -i $EXTERNAL_INTERFACE -s $CLASS_A -l -j DENY
	ipchains -A input -i $EXTERNAL_INTERFACE -d $CLASS_A -l -j DENY
	ipchains -A output -i $EXTERNAL_INTERFACE -s $CLASS_A -l -j DENY
	ipchains -A output -i $EXTERNAL_INTERFACE -d $CLASS_A -l -j DENY

	# Refuse packets claiming to be to or from a Class-B private network.

	ipchains -A input -i $EXTERNAL_INTERFACE -s $CLASS_B -l -j DENY
	ipchains -A input -i $EXTERNAL_INTERFACE -d $CLASS_B -l -j DENY
	ipchains -A output -i $EXTERNAL_INTERFACE -s $CLASS_B -l -j DENY
	ipchains -A output -i $EXTERNAL_INTERFACE -d $CLASS_B -l -j DENY

	# Refuse packets claiming to be to or from a Class-C private network.

	ipchains -A input -i $EXTERNAL_INTERFACE -s $CLASS_C -l -j DENY
	ipchains -A input -i $EXTERNAL_INTERFACE -d $CLASS_C -l -j DENY
	ipchains -A output -i $EXTERNAL_INTERFACE -s $CLASS_C -l -j DENY
	ipchains -A output -i $EXTERNAL_INTERFACE -d $CLASS_C -l -j DENY

	# Refuse packets claiming to be from the loopback.

	ipchains -A input -i $EXTERNAL_INTERFACE -s $LOOPBACK_NETWORK -l -j DENY
	ipchains -A output -i $EXTERNAL_INTERFACE -s $LOOPBACK_NETWORK -l -j DENY

	# Refuse malformed broadcast packets.

	ipchains -A input -i $EXTERNAL_INTERFACE -s $BROADCAST_DEST -l -j DENY
	ipchains -A input -i $EXTERNAL_INTERFACE -d $BROADCAST_SRC -l -j DENY
	ipchains -A output -i $EXTERNAL_INTERFACE -s $BROADCAST_DEST -l -j DENY
	ipchains -A output -i $EXTERNAL_INTERFACE -d $BROADCAST_SRC -l -j DENY

	# Refuse Class-D Multicast addresses.
	# Multicast is only illegal as a source address.
	# Multicast uses UDP.

	ipchains -A input -i $EXTERNAL_INTERFACE -s $CLASS_D_MULTICAST \
	    -l -j DENY

	ipchains -A output -i $EXTERNAL_INTERFACE -s $CLASS_D_MULTICAST \
	    -l -j REJECT

	# Refuse Class-E reserved IP addresses.

	ipchains -A input -i $EXTERNAL_INTERFACE -s $CLASS_E_RESERVED_NET \
	    -l -j DENY

	ipchains -A output -i $EXTERNAL_INTERFACE -d $CLASS_E_RESERVED_NET \
	    -l -j REJECT

	# Refuse addresses defined as reserved by the IANA (as of this
	# script's date, 2000).
	# NOTE(review): this list is a snapshot and must be re-checked
	# against current IANA allocations before use, or it will silently
	# drop traffic from blocks assigned since then. 0.*.*.* is listed
	# below but has no rule of its own here.
	# 0.*.*.*, 1.*.*.*, 2.*.*.*, 5.*.*.*, 7.*.*.*, 23.*.*.*, 27.*.*.*,
	# 31.*.*.*, 37.*.*.*, 39.*.*.*, 41.*.*.*, 42.*.*.*, 58-60.*.*.*

	ipchains -A input -i $EXTERNAL_INTERFACE -s 1.0.0.0/8 -l -j DENY
	ipchains -A input -i $EXTERNAL_INTERFACE -s 2.0.0.0/8 -l -j DENY
	ipchains -A input -i $EXTERNAL_INTERFACE -s 5.0.0.0/8 -l -j DENY
	ipchains -A input -i $EXTERNAL_INTERFACE -s 7.0.0.0/8 -l -j DENY
	ipchains -A input -i $EXTERNAL_INTERFACE -s 23.0.0.0/8 -l -j DENY
	ipchains -A input -i $EXTERNAL_INTERFACE -s 27.0.0.0/8 -l -j DENY
	ipchains -A input -i $EXTERNAL_INTERFACE -s 31.0.0.0/8 -l -j DENY
	ipchains -A input -i $EXTERNAL_INTERFACE -s 37.0.0.0/8 -l -j DENY
	ipchains -A input -i $EXTERNAL_INTERFACE -s 39.0.0.0/8 -l -j DENY
	ipchains -A input -i $EXTERNAL_INTERFACE -s 41.0.0.0/8 -l -j DENY
	ipchains -A input -i $EXTERNAL_INTERFACE -s 42.0.0.0/8 -l -j DENY
	ipchains -A input -i $EXTERNAL_INTERFACE -s 58.0.0.0/7 -l -j DENY
	ipchains -A input -i $EXTERNAL_INTERFACE -s 60.0.0.0/8 -l -j DENY

	# 65 = 01000001: a /3 (64.0.0.0/3) would also cover 64, so 65 - 79
	# are listed individually.

#	ipchains -A input -i $EXTERNAL_INTERFACE -s 65.0.0.0/8 -l -j DENY
#	ipchains -A input -i $EXTERNAL_INTERFACE -s 66.0.0.0/8 -l -j DENY
	ipchains -A input -i $EXTERNAL_INTERFACE -s 67.0.0.0/8 -l -j DENY
	ipchains -A input -i $EXTERNAL_INTERFACE -s 68.0.0.0/8 -l -j DENY
	ipchains -A input -i $EXTERNAL_INTERFACE -s 69.0.0.0/8 -l -j DENY
	ipchains -A input -i $EXTERNAL_INTERFACE -s 70.0.0.0/8 -l -j DENY
	ipchains -A input -i $EXTERNAL_INTERFACE -s 71.0.0.0/8 -l -j DENY
	ipchains -A input -i $EXTERNAL_INTERFACE -s 72.0.0.0/8 -l -j DENY
	ipchains -A input -i $EXTERNAL_INTERFACE -s 73.0.0.0/8 -l -j DENY
	ipchains -A input -i $EXTERNAL_INTERFACE -s 74.0.0.0/8 -l -j DENY
	ipchains -A input -i $EXTERNAL_INTERFACE -s 75.0.0.0/8 -l -j DENY
	ipchains -A input -i $EXTERNAL_INTERFACE -s 76.0.0.0/8 -l -j DENY
	ipchains -A input -i $EXTERNAL_INTERFACE -s 77.0.0.0/8 -l -j DENY
	ipchains -A input -i $EXTERNAL_INTERFACE -s 78.0.0.0/8 -l -j DENY
	ipchains -A input -i $EXTERNAL_INTERFACE -s 79.0.0.0/8 -l -j DENY

	# 80: 01010000   - /4 masks 80 - 95

	ipchains -A input -i $EXTERNAL_INTERFACE -s 80.0.0.0/4 -l -j DENY

	# 96: 01100000   - /4 masks 96 - 111

	ipchains -A input -i $EXTERNAL_INTERFACE -s 96.0.0.0/4 -l -j DENY

	# 126 = 01111110: a /3 (96.0.0.0/3) would also cover 127, so 112 - 126
	# are listed individually.

	ipchains -A input -i $EXTERNAL_INTERFACE -s 112.0.0.0/8 -l -j DENY
	ipchains -A input -i $EXTERNAL_INTERFACE -s 113.0.0.0/8 -l -j DENY
	ipchains -A input -i $EXTERNAL_INTERFACE -s 114.0.0.0/8 -l -j DENY
	ipchains -A input -i $EXTERNAL_INTERFACE -s 115.0.0.0/8 -l -j DENY
	ipchains -A input -i $EXTERNAL_INTERFACE -s 116.0.0.0/8 -l -j DENY
	ipchains -A input -i $EXTERNAL_INTERFACE -s 117.0.0.0/8 -l -j DENY
	ipchains -A input -i $EXTERNAL_INTERFACE -s 118.0.0.0/8 -l -j DENY
	ipchains -A input -i $EXTERNAL_INTERFACE -s 119.0.0.0/8 -l -j DENY
	ipchains -A input -i $EXTERNAL_INTERFACE -s 120.0.0.0/8 -l -j DENY
	ipchains -A input -i $EXTERNAL_INTERFACE -s 121.0.0.0/8 -l -j DENY
	ipchains -A input -i $EXTERNAL_INTERFACE -s 122.0.0.0/8 -l -j DENY
	ipchains -A input -i $EXTERNAL_INTERFACE -s 123.0.0.0/8 -l -j DENY
	ipchains -A input -i $EXTERNAL_INTERFACE -s 124.0.0.0/8 -l -j DENY
	ipchains -A input -i $EXTERNAL_INTERFACE -s 125.0.0.0/8 -l -j DENY
	ipchains -A input -i $EXTERNAL_INTERFACE -s 126.0.0.0/8 -l -j DENY

	# 217 = 11011001: a /5 (216.0.0.0/5) would also cover 216, so 217 - 219
	# are listed individually.

#	ipchains -A input -i $EXTERNAL_INTERFACE -s 217.0.0.0/8 -l -j DENY
	ipchains -A input -i $EXTERNAL_INTERFACE -s 218.0.0.0/8 -l -j DENY
	ipchains -A input -i $EXTERNAL_INTERFACE -s 219.0.0.0/8 -l -j DENY

	# 223: 11011111  - /6 masks 220 - 223

	ipchains -A input -i $EXTERNAL_INTERFACE -s 220.0.0.0/6 -l -j DENY

	#
	# ICMP
	#

	# (4) Source Quench.
	# Incoming & outgoing requests to slow down (flow control)

	ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
	    -s $ANYWHERE 4 -d $EXTERNAL_IP -j ACCEPT

	ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
	    -s $EXTERNAL_IP 4 -d $ANYWHERE -j ACCEPT

	# (12) Parameter Problem.
	# Incoming & outgoing error messages

	ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
	    -s $ANYWHERE 12 -d $EXTERNAL_IP -j ACCEPT

	ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
	    -s $EXTERNAL_IP 12 -d $ANYWHERE -j ACCEPT

	# (3) Destination Unreachable, Service Unavailable.
	# Incoming & outgoing size negotiation, service or
	# destination unavailability, final traceroute response

	ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
	    -s $ANYWHERE 3 -d $EXTERNAL_IP -j ACCEPT

	ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
	    -s $EXTERNAL_IP 3 -d $ANYWHERE -j ACCEPT

	ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
	    -s $EXTERNAL_IP fragmentation-needed -d $ANYWHERE -j ACCEPT

	# (11) Time Exceeded.
	# Incoming & outgoing timeout conditions,
	# also intermediate TTL response to traceroutes

	ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
	    -s $ANYWHERE 11 -d $EXTERNAL_IP -j ACCEPT

	ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
	    -s $EXTERNAL_IP 11 -d $ANYWHERE -j ACCEPT

	# (0 | 8) Allow output pings to anywhere.

	if [ $OUTBOUND_PING -gt 0 ]; then

	    ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
		-s $EXTERNAL_IP 8 -d $ANYWHERE -j ACCEPT

	    ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
		-s $ANYWHERE 0 -d $EXTERNAL_IP -j ACCEPT

	    if [ $VERBOSE -gt 0 ]; then
		echo "firewall: Outbound ping enabled"
	    fi

	fi

	# (0 | 8) Allow incoming pings from anywhere
	#       (stops at firewall).

	if [ $INBOUND_PING -gt 0 ]; then

	    ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
		-s $ANYWHERE 8 -d $EXTERNAL_IP -j ACCEPT

	    ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
		-s $EXTERNAL_IP 0 -d $ANYWHERE -j ACCEPT

	    if [ $VERBOSE -gt 0 ]; then
		echo "firewall: Inbound ping enabled"
	    fi

	fi

	# The following two lines deny router broadcasts (520) but don't log them:

	    ipchains -A output -i $EXTERNAL_INTERFACE -p udp -s $EXTERNAL_IP 520 -d $ANYWHERE 520 -j DENY
	    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp -s $EXTERNAL_IP 520 -d $ANYWHERE 520 -j DENY

        # Deny BO2K (Back Orifice) ports
	    ipchains -A input -i $EXTERNAL_INTERFACE -p udp -s $ANYWHERE 31337 -l -j DENY
	    ipchains -A input -i $EXTERNAL_INTERFACE -p udp -s $ANYWHERE 31789 -l -j DENY
	    ipchains -A input -i $EXTERNAL_INTERFACE -p udp -s $ANYWHERE 31790 -l -j DENY
	    ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -s $ANYWHERE 12345 -l -j DENY
	    ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -s $ANYWHERE 12346 -l -j DENY
	    ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -s $ANYWHERE 20034 -l -j DENY

	    ipchains -A input -i $EXTERNAL_INTERFACE -p udp -d $EXTERNAL_IP 31337 -l -j DENY
	    ipchains -A input -i $EXTERNAL_INTERFACE -p udp -d $EXTERNAL_IP 31789 -l -j DENY
	    ipchains -A input -i $EXTERNAL_INTERFACE -p udp -d $EXTERNAL_IP 31790 -l -j DENY
	    ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -d $EXTERNAL_IP 12345 -l -j DENY
	    ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -d $EXTERNAL_IP 12346 -l -j DENY
	    ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -d $EXTERNAL_IP 20034 -l -j DENY

	
	if [ $GAME_PORTS -gt 0 ]; then

       	  # Open game ports for Network gaming (from and to ports 27000-27015 on outside systems); Counterstrike
       	  # NOTE(review): the rules below actually use 27000:27050 - reconcile the range with this comment.

#	    ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -s $ANYWHERE 27000:27050 -d $EXTERNAL_IP $UNPRIVPORTS -j ACCEPT
	    ipchains -A input -i $EXTERNAL_INTERFACE -p udp -s $ANYWHERE 27000:27050 -d $EXTERNAL_IP $UNPRIVPORTS -j ACCEPT
#	    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp -s $EXTERNAL_IP $UNPRIVPORTS -d $ANYWHERE 27000:27050 -j ACCEPT
	    ipchains -A output -i $EXTERNAL_INTERFACE -p udp -s $EXTERNAL_IP $UNPRIVPORTS -d $ANYWHERE 27000:27050 -j ACCEPT
	
	  if [ $VERBOSE -gt 0 ]; then

	    echo "firewall: Game ports opened"	 

          fi
        fi


	#
	# Unprivileged Ports
	# Avoid ports subject to protocol and system administration problems.
	#

	NFS_PORT="2049"				# (TCP/UDP) NFS
	OPENWINDOWS_PORT="2000"			# (TCP) Openwindows
	SOCKS_PORT="1080"			# (TCP) Socks
	NTOP_PORTS=3000:3001			# (TCP) Ntop broadcast ports

	# Openwindows: establishing a connection
	ipchains -A output -i $EXTERNAL_INTERFACE -p tcp -y \
		-s $EXTERNAL_IP -d $ANYWHERE $OPENWINDOWS_PORT -j REJECT

	# Openwindows: incoming connection
	# NOTE(review): the rule below is attached to the output chain with
	# -d $EXTERNAL_IP, which an incoming SYN never matches; the X Window
	# incoming rule further down uses the input chain, presumably the
	# intent here too.

	ipchains -A output -i $EXTERNAL_INTERFACE -p tcp -y \
		-d $EXTERNAL_IP $OPENWINDOWS_PORT -j DENY

	# X Window: establishing a remote connection

	ipchains -A output -i $EXTERNAL_INTERFACE -p tcp -y \
		-s $EXTERNAL_IP -d $ANYWHERE $XWINDOW_PORTS -j REJECT

	# X Window: incoming connection attempt

	ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -y \
		-d $EXTERNAL_IP $XWINDOW_PORTS -l -j DENY

	# SOCKS: establishing a connection

	ipchains -A output -i $EXTERNAL_INTERFACE -p tcp -y \
		-s $EXTERNAL_IP -d $ANYWHERE $SOCKS_PORT -l -j REJECT

	# SOCKS: incoming connection

	ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -y \
		-d $EXTERNAL_IP $SOCKS_PORT -j DENY

	# NFS: TCP connections

	ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -y \
		-d $EXTERNAL_IP $NFS_PORT -l -j DENY

	ipchains -A output -i $EXTERNAL_INTERFACE -p tcp -y \
		-d $ANYWHERE $NFS_PORT -l -j REJECT

	# NFS: UDP connections

	ipchains -A input -i $EXTERNAL_INTERFACE -p udp	\
		-d $EXTERNAL_IP $NFS_PORT -l -j DENY

	# NFS: incoming request (normal UDP mode)

	ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
		-d $ANYWHERE $NFS_PORT -l -j REJECT

	# Ntop incoming request on external interface; OK on internal network

	ipchains -A input -i $EXTERNAL_INTERFACE -p tcp  \
		-d $EXTERNAL_IP $NTOP_PORTS -l -j DENY

	#
	# NOTE:
	#     The symbolic names used in /etc/services for the port numbers
	#     vary by supplier. Using them is less error-prone and more
	#     meaningful.
	#

	# Required Services

	#
	# DNS client modes (53)
	#

	if [ $DNS_CLIENT -gt 0 ]; then

	    ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
		-s $EXTERNAL_IP $UNPRIVPORTS -d $ANYWHERE 53 -j ACCEPT

	    ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
		-s $ANYWHERE 53 -d $EXTERNAL_IP $UNPRIVPORTS -j ACCEPT

	    # TCP client-to-server requests are allowed by the protocol
	    # if UDP requests fail. This is rarely seen. Usually TCP is
	    # used by secondary name servers for zone transfers from their
	    # primary name servers, and by attackers probing the server.

	    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
		-s $EXTERNAL_IP $UNPRIVPORTS -d $ANYWHERE 53 -j ACCEPT

	    ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
		-s $ANYWHERE 53 -d $EXTERNAL_IP $UNPRIVPORTS -j ACCEPT

	    if [ $VERBOSE -gt 0 ]; then
		echo "firewall: DNS client enabled"
	    fi

	fi

	#
	# DNS server modes (53)
	#

	#
	# DNS caching & forwarding name server
	#

	if [ $DNS_CACHING_SERVER -gt 0 ]; then

	    # Server-to-server query or response
	    # Caching only name server uses UDP, not TCP
	    # NOTE(review): the two rules below appear to have their chains
	    # swapped: the input rule matches -s $EXTERNAL_IP, which the
	    # anti-spoofing rule earlier in the input chain already denies,
	    # and the output rule matches -d $EXTERNAL_IP. Neither can match
	    # real forwarder traffic, so this mode presumably blocks rather
	    # than allows. Compare the peer-to-peer pair in the full-server
	    # section below.

	    ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
		-s $EXTERNAL_IP 53 -d $ANYWHERE 53 -j ACCEPT

	    ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
		-s $ANYWHERE 53 -d $EXTERNAL_IP 53 -j ACCEPT

	    if [ $VERBOSE -gt 0 ]; then
		echo "firewall: DNS Caching server enabled"
	    fi

	fi

	#
	# DNS full name server
	#

	if [ $DNS_FULL_SERVER -gt 0 ]; then

	    # Client-to-server DNS transaction.

	    ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
		-s $ANYWHERE $UNPRIVPORTS -d $EXTERNAL_IP 53 -j ACCEPT

	    ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
		-s $EXTERNAL_IP 53 -d $ANYWHERE $UNPRIVPORTS -j ACCEPT

	    # Peer-to-peer server DNS transaction.

	    ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
		-s $ANYWHERE 53 -d $EXTERNAL_IP 53 -j ACCEPT

	    ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
		-s $EXTERNAL_IP 53 -d $ANYWHERE 53 -j ACCEPT


	    # Zone Transfers.
	    # Due to the potential danger of zone transfers,
	    # allow TCP traffic to only specific secondaries.

            # /etc/firewall/firewall.dns contains a list of
	    # secondary, tertiary, etc. domain name servers with which
	    # zone transfers are allowed.  The file should contain IP
	    # addresses with CIDR netmask, one per line. No comments or
	    # blank lines are allowed: each line is passed verbatim to
	    # ipchains.


	if [ -f /etc/firewall/firewall.dns ]; then
    		while read DNS_SECONDARY; do

	    ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
		-s $DNS_SECONDARY $UNPRIVPORTS -d $EXTERNAL_IP 53 -j ACCEPT

	    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
		-s $EXTERNAL_IP 53 -d $DNS_SECONDARY $UNPRIVPORTS -j ACCEPT

	    done < /etc/firewall/firewall.dns

	else 
	    echo "firewall: ** No secondary DNS configured **"

	fi

	    if [ $VERBOSE -gt 0 ]; then
		echo "firewall: DNS Full server enabled"
	    fi

	fi

	#
	# AUTH (113) - Allowing your outgoing AUTH requests as a client
	#

	if [ $AUTH_CLIENT -gt 0 ]; then

	    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
		-s $EXTERNAL_IP $UNPRIVPORTS -d $ANYWHERE 113 -j ACCEPT

	    ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
		-s $ANYWHERE 113 -d $EXTERNAL_IP $UNPRIVPORTS -j ACCEPT

	    if [ $VERBOSE -gt 0 ]; then
		echo "firewall: Auth client enabled"
	    fi

	fi


	# AUTH server (113)

	if [ $AUTH_SERVER -gt 0 ]; then

	    # Accepting incoming AUTH requests

	    ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
		-s $ANYWHERE $UNPRIVPORTS -d $EXTERNAL_IP 113 -j ACCEPT

	    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
		-s $EXTERNAL_IP 113 -d $ANYWHERE $UNPRIVPORTS -j ACCEPT

	    if [ $VERBOSE -gt 0 ]; then
		echo "firewall: Auth server enabled"
	    fi

	else

	    # Rejecting incoming AUTH requests

	    ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
		-d $EXTERNAL_IP 113 -j REJECT

	    if [ $VERBOSE -gt 0 ]; then
		echo "firewall: Auth server requests will be rejected"
	    fi

	fi

	#
	# TCP Services on selected ports.
	#


	#
	# Sending Mail through a remote SMTP server (25)
	#

	if [ $SMTP_REMOTE_SERVER -gt 0 ]; then

	    # SMTP client to an ISP account without a local server

	    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
		-s $EXTERNAL_IP $UNPRIVPORTS -d $SMTP_SERVER 25 -j ACCEPT

	    ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
		-s $SMTP_SERVER 25 -d $EXTERNAL_IP $UNPRIVPORTS -j ACCEPT

	    if [ $VERBOSE -gt 0 ]; then
		echo "firewall: SMTP Remote server enabled"
	    fi

	fi

	#
	# Sending Mail through a local SMTP server (25)
	#

	if [ $SMTP_LOCAL_SERVER -gt 0 ]; then

	    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
		-s $EXTERNAL_IP $UNPRIVPORTS -d $ANYWHERE 25 -j ACCEPT

	    ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
		-s $ANYWHERE 25 -d $EXTERNAL_IP $UNPRIVPORTS -j ACCEPT

	    # Receiving Mail as a Local SMTP server (25)

	    ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
		-s $ANYWHERE $UNPRIVPORTS -d $EXTERNAL_IP 25 -j ACCEPT

	    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
		-s $EXTERNAL_IP 25 -d $ANYWHERE $UNPRIVPORTS -j ACCEPT

	    if [ $VERBOSE -gt 0 ]; then
		echo "firewall: SMTP Local server enabled"
	    fi

	fi

	#
	# POP3 (110) - Retrieving Mail as a POP3 client
	#

	if [ $POP3_CLIENT -gt 0 ]; then

	    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
		-s $EXTERNAL_IP $UNPRIVPORTS -d $POP_SERVER 110 -j ACCEPT

	    ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
		-s $POP_SERVER 110 -d $EXTERNAL_IP $UNPRIVPORTS -j ACCEPT

	    if [ $VERBOSE -gt 0 ]; then
		echo "firewall: Clients may access remote POP-3 servers"
	    fi

	fi

	#
	# POP3 (110) - Hosting a POP3 server for remote clients
	#

	if [ $POP3_SERVER -gt 0 ]; then

	    ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
		-s $MY_POP3_CLIENTS $UNPRIVPORTS -d $EXTERNAL_IP 110 -j ACCEPT

	    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
		-s $EXTERNAL_IP 110 -d $MY_POP3_CLIENTS $UNPRIVPORTS -j ACCEPT

	    if [ $VERBOSE -gt 0 ]; then
		echo "firewall: Remote clients may access local POP-3 server"
	    fi

	fi

	#
	# IMAP (143) - Retrieving Mail as an IMAP client
	#

	if [ $IMAP_CLIENT -gt 0 ]; then

	    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
		-s $EXTERNAL_IP $UNPRIVPORTS -d $MY_IMAP_SERVER 143 -j ACCEPT

	    ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
		-s $MY_IMAP_SERVER 143 -d $EXTERNAL_IP $UNPRIVPORTS -j ACCEPT

	    if [ $VERBOSE -gt 0 ]; then
		echo "firewall: Clients may access remote IMAP servers"
	    fi

	fi

	#
	# IMAP (143) - Hosting an IMAP server for remote clients
	#

	if [ $IMAP_SERVER -gt 0 ]; then

	    ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
		-s $MY_IMAP_CLIENTS $UNPRIVPORTS -d $EXTERNAL_IP 143 -j ACCEPT

	    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
		-s $EXTERNAL_IP 143 -d $MY_IMAP_CLIENTS $UNPRIVPORTS -j ACCEPT

	    if [ $VERBOSE -gt 0 ]; then
		echo "firewall: Remote clients may access local IMAP server"
	    fi

	fi

	#
	# NNTP (119) - Reading and posting news as a Usenet client
	#

	if [ $NNTP_CLIENT -gt 0 ]; then

	    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
		-s $EXTERNAL_IP $UNPRIVPORTS -d $NEWS_SERVER nntp -j ACCEPT

	    ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
		-s $NEWS_SERVER nntp -d $EXTERNAL_IP $UNPRIVPORTS -j ACCEPT

	    if [ $VERBOSE -gt 0 ]; then
		echo "firewall: Clients may access remote NNTP servers"
	    fi

	fi

	#
	# NNTP (119) - Hosting a Usenet news server for remote clients
	#

	if [ $NNTP_SERVER -gt 0 ]; then

	    ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
		-s $MY_NNTP_CLIENTS $UNPRIVPORTS -d $EXTERNAL_IP 119 -j ACCEPT

	    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
		-s $EXTERNAL_IP 119 -d $MY_NNTP_CLIENTS $UNPRIVPORTS -j ACCEPT

	    if [ $VERBOSE -gt 0 ]; then
		echo "firewall: Remote clients may access local NNTP server"
	    fi

	fi

	#
	# NNTP (119) - Allowing peer news feeds for a local Usenet server
	#

	if [ $NNTP_NEWS_FEED -gt 0 ]; then

	    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
		-s $EXTERNAL_IP $UNPRIVPORTS -d $MY_NEWS_FEED 119 -j ACCEPT

	    ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
		-s $MY_NEWS_FEED 119 -d $EXTERNAL_IP $UNPRIVPORTS -j ACCEPT

	    if [ $VERBOSE -gt 0 ]; then
		echo "firewall: External NNTP News feed access enabled"
	    fi

	fi

	#
	# TELNET (23) - Allowing outgoing client access to remote sites
	#

	if [ $TELNET_CLIENT -gt 0 ]; then

	    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
		-s $EXTERNAL_IP $UNPRIVPORTS -d $ANYWHERE 23 -j ACCEPT

	    ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
		-s $ANYWHERE 23 -d $EXTERNAL_IP $UNPRIVPORTS -j ACCEPT

	    if [ $VERBOSE -gt 0 ]; then
		echo "firewall: Clients may access remote TELNET servers"
	    fi

	fi

	#
	# TELNET (23) - Allowing incoming access to your local server
	#

	if [ $TELNET_SERVER -gt 0 ]; then

	    ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
		-s $MY_TELNET_CLIENTS $UNPRIVPORTS -d $EXTERNAL_IP 23 -j ACCEPT

	    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
		-s $EXTERNAL_IP 23 -d $MY_TELNET_CLIENTS $UNPRIVPORTS -j ACCEPT

	    if [ $VERBOSE -gt 0 ]; then
		echo "firewall: Remote clients may access local TELNET server"
	    fi

	fi

	#
	# SSH Client - Allowing client access to remote SSH servers
	#

	if [ $SSH_CLIENT -gt 0 ]; then

	    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
	     -s $EXTERNAL_IP $UNPRIVPORTS -d $ANYWHERE 22 -j ACCEPT

	    ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
	     -s $ANYWHERE 22 -d $EXTERNAL_IP $UNPRIVPORTS -j ACCEPT

	    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
	     -s $EXTERNAL_IP $SSH_HI_PORTS -d $ANYWHERE 22  -j ACCEPT

	    ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
	     -s $ANYWHERE 22 -d $EXTERNAL_IP $SSH_HI_PORTS -j ACCEPT

	    if [ $VERBOSE -gt 0 ]; then
		echo "firewall: Clients may access remote SSH servers"
	    fi

	fi

	#
	# SSH - Allowing remote client access to your local SSH server
	#

	if [ $SSH_SERVER -gt 0 ]; then

	    ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
	   -s $MY_SSH_CLIENTS $UNPRIVPORTS -d $EXTERNAL_IP $SSH_PORT -j ACCEPT

	    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
	   -s $EXTERNAL_IP $SSH_PORT -d $MY_SSH_CLIENTS $UNPRIVPORTS -j ACCEPT

	    ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
 	   -s $MY_SSH_CLIENTS $SSH_HI_PORTS -d $EXTERNAL_IP $SSH_PORT -j ACCEPT

	    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
	   -s $EXTERNAL_IP $SSH_PORT -d $MY_SSH_CLIENTS $SSH_HI_PORTS -j ACCEPT

	    if [ $VERBOSE -gt 0 ]; then
		echo "firewall: Remote sites may access local SSH server"
	    fi

	fi

	#
	# FTP (20, 21) - Allowing outgoing client access to remote FTP servers
	#

	if [ $FTP_CLIENT -gt 0 ]; then

	    # Outgoing request

	    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
		-s $EXTERNAL_IP $UNPRIVPORTS -d $ANYWHERE 21 -j ACCEPT

	    ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
		-s $ANYWHERE 21 -d $EXTERNAL_IP $UNPRIVPORTS -j ACCEPT

	    # Normal Port mode FTP data channels

	    ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
		-s $ANYWHERE 20 -d $EXTERNAL_IP $UNPRIVPORTS -j ACCEPT

	    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
		-s $EXTERNAL_IP $UNPRIVPORTS -d $ANYWHERE 20 -j ACCEPT

	    # Passive mode FTP data channels
	    # NOTE(review): this pair is not FTP-specific - it permits any
	    # outbound TCP connection from an unprivileged port to any
	    # unprivileged port on any host.

	    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
		-s $EXTERNAL_IP $UNPRIVPORTS -d $ANYWHERE $UNPRIVPORTS -j ACCEPT

	    ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
		-s $ANYWHERE $UNPRIVPORTS -d $EXTERNAL_IP $UNPRIVPORTS -j ACCEPT

	    if [ $VERBOSE -gt 0 ]; then
		echo "firewall: Clients may access remote FTP servers"
	    fi

	fi

	#
	# FTP (20, 21) - Allowing incoming access to your local FTP server
	#
	# Every rule here is scoped to MY_FTP_CLIENTS (from the configuration
	# file); keep that list as narrow as possible, because the passive-mode
	# rule below opens every local unprivileged port to those addresses.
	#

	if [ $FTP_SERVER -gt 0 ]; then

	    # Incoming request
	    # New connections (SYN) from a listed client to local port 21

	    ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
		-s $MY_FTP_CLIENTS $UNPRIVPORTS -d $EXTERNAL_IP 21 -j ACCEPT

	    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
		-s $EXTERNAL_IP 21 -d $MY_FTP_CLIENTS $UNPRIVPORTS -j ACCEPT

	    # Normal Port mode FTP data channel responses
	    # The server (us) initiates the data connection from port 20,
	    # so the outbound rule allows SYNs and the inbound one does not.

	    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
		-s $EXTERNAL_IP 20 -d $MY_FTP_CLIENTS $UNPRIVPORTS -j ACCEPT

	    ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
		-s $MY_FTP_CLIENTS $UNPRIVPORTS -d $EXTERNAL_IP 20 -j ACCEPT

	    # Passive mode FTP data channel responses
	    # The client connects to an unprivileged port the server picked,
	    # so inbound SYNs from MY_FTP_CLIENTS to ANY local unprivileged
	    # port are accepted here - anything else listening on such a port
	    # on this host is reachable from those clients as well.

	    ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
		-s $MY_FTP_CLIENTS $UNPRIVPORTS -d $EXTERNAL_IP $UNPRIVPORTS -j ACCEPT

	    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
		-s $EXTERNAL_IP $UNPRIVPORTS -d $MY_FTP_CLIENTS $UNPRIVPORTS -j ACCEPT

	    if [ $VERBOSE -gt 0 ]; then
		echo "firewall: Remote clients may access local FTP server"
	    fi

	fi

	#
	# HTTP (80) - Accessing remote web sites as a client
	#

	if [ $HTTP_CLIENT -gt 0 ]
	then
	    # Request: local unprivileged port -> remote port 80
	    ipchains -A output -p tcp -i $EXTERNAL_INTERFACE \
		-s $EXTERNAL_IP $UNPRIVPORTS \
		-d $ANYWHERE 80 -j ACCEPT

	    # Reply: remote port 80 -> local unprivileged port, non-SYN only
	    ipchains -A input -p tcp ! -y -i $EXTERNAL_INTERFACE \
		-s $ANYWHERE 80 \
		-d $EXTERNAL_IP $UNPRIVPORTS -j ACCEPT

	    if [ $VERBOSE -gt 0 ]; then echo "firewall: Clients may access remote HTTP servers"; fi
	fi

	#
	# HTTP (80) - Allowing remote access to a local web server
	#

	if [ $HTTP_SERVER -gt 0 ]
	then
	    # Request: a MY_HTTP_CLIENTS unprivileged port -> local port 80
	    # (new connections, so SYN is allowed here)
	    ipchains -A input -p tcp -i $EXTERNAL_INTERFACE \
		-s $MY_HTTP_CLIENTS $UNPRIVPORTS \
		-d $EXTERNAL_IP 80 -j ACCEPT

	    # Reply: local port 80 -> client unprivileged port, non-SYN only
	    ipchains -A output -p tcp ! -y -i $EXTERNAL_INTERFACE \
		-s $EXTERNAL_IP 80 \
		-d $MY_HTTP_CLIENTS $UNPRIVPORTS -j ACCEPT

	    if [ $VERBOSE -gt 0 ]; then echo "firewall: Remote clients may access local HTTP server"; fi
	fi

	#
	# HTTPS (443) - Accessing remote web sites over SSL as a client
	#

	if [ $HTTPS_CLIENT -gt 0 ]
	then
	    # Request: local unprivileged port -> remote port 443
	    ipchains -A output -p tcp -i $EXTERNAL_INTERFACE \
		-s $EXTERNAL_IP $UNPRIVPORTS \
		-d $ANYWHERE 443 -j ACCEPT

	    # Reply: remote port 443 -> local unprivileged port, non-SYN only
	    ipchains -A input -p tcp ! -y -i $EXTERNAL_INTERFACE \
		-s $ANYWHERE 443 \
		-d $EXTERNAL_IP $UNPRIVPORTS -j ACCEPT

	    if [ $VERBOSE -gt 0 ]; then echo "firewall: Clients may access remote HTTPS servers"; fi
	fi

	#
	# HTTPS (443) - Allowing remote access to a local SSL web server
	#
	# Note that the allowed-client list is MY_HTTP_CLIENTS, the same one
	# the plain HTTP server rules use; there is no separate HTTPS list.
	#

	if [ $HTTPS_SERVER -gt 0 ]; then

	    # New connections from a listed client to local port 443
	    ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
		-s $MY_HTTP_CLIENTS $UNPRIVPORTS -d $EXTERNAL_IP 443 -j ACCEPT

	    # Replies only (non-SYN) from local port 443 back to the client
	    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
		-s $EXTERNAL_IP 443 -d $MY_HTTP_CLIENTS $UNPRIVPORTS -j ACCEPT

	    if [ $VERBOSE -gt 0 ]; then
		echo "firewall: Remote clients may access local HTTPS server"
	    fi

	fi

	#
	# HTTP Proxy Client (8008/8080)
	#
	# Both the proxy address and port come from the configuration file
	# (WEB_PROXY_SERVER / WEB_PROXY_PORT); only that one peer is opened.
	#

	if [ $HTTP_PROXY -gt 0 ]
	then
	    # Request: local unprivileged port -> the proxy's port
	    ipchains -A output -p tcp -i $EXTERNAL_INTERFACE \
		-s $EXTERNAL_IP $UNPRIVPORTS \
		-d $WEB_PROXY_SERVER $WEB_PROXY_PORT -j ACCEPT

	    # Reply: the proxy's port -> local unprivileged port, non-SYN only
	    ipchains -A input -p tcp ! -y -i $EXTERNAL_INTERFACE \
		-s $WEB_PROXY_SERVER $WEB_PROXY_PORT \
		-d $EXTERNAL_IP $UNPRIVPORTS -j ACCEPT

	    if [ $VERBOSE -gt 0 ]; then echo "firewall: Clients may access remote sites via HTTP Proxy Server"; fi
	fi

	#
	# FINGER (79) - Accessing remote finger servers as a client
	#

	if [ $FINGER_CLIENT -gt 0 ]
	then
	    # Query: local unprivileged port -> remote port 79
	    ipchains -A output -p tcp -i $EXTERNAL_INTERFACE \
		-s $EXTERNAL_IP $UNPRIVPORTS \
		-d $ANYWHERE 79 -j ACCEPT

	    # Reply: remote port 79 -> local unprivileged port, non-SYN only
	    ipchains -A input -p tcp ! -y -i $EXTERNAL_INTERFACE \
		-s $ANYWHERE 79 \
		-d $EXTERNAL_IP $UNPRIVPORTS -j ACCEPT

	    if [ $VERBOSE -gt 0 ]; then echo "firewall: Clients may access remote FINGER servers"; fi
	fi

	#
	# FINGER (79) - Allowing remote client access to a local finger server
	#
	# Exposure is limited to MY_FINGER_CLIENTS from the configuration file.
	# finger hands out local account details, so keep that list narrow (or
	# leave FINGER_SERVER off) on an Internet-facing host.
	#

	if [ $FINGER_SERVER -gt 0 ]; then

	    # New connections from a listed client to local port 79
	    ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
		-s $MY_FINGER_CLIENTS $UNPRIVPORTS -d $EXTERNAL_IP 79 -j ACCEPT

	    # Replies only (non-SYN) from local port 79 back to the client
	    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
		-s $EXTERNAL_IP 79 -d $MY_FINGER_CLIENTS $UNPRIVPORTS -j ACCEPT

	    if [ $VERBOSE -gt 0 ]; then
		echo "firewall: Remote clients may access local FINGER server"
	    fi

	fi

	#
	# WHOIS (43) - Accessing a remote WHOIS server as a client
	#

	if [ $WHOIS_CLIENT -gt 0 ]
	then
	    # Query: local unprivileged port -> remote port 43
	    ipchains -A output -p tcp -i $EXTERNAL_INTERFACE \
		-s $EXTERNAL_IP $UNPRIVPORTS \
		-d $ANYWHERE 43 -j ACCEPT

	    # Reply: remote port 43 -> local unprivileged port, non-SYN only
	    ipchains -A input -p tcp ! -y -i $EXTERNAL_INTERFACE \
		-s $ANYWHERE 43 \
		-d $EXTERNAL_IP $UNPRIVPORTS -j ACCEPT

	    if [ $VERBOSE -gt 0 ]; then echo "firewall: Clients may access remote WHOIS servers"; fi
	fi

	#
	# GOPHER (70) - Accessing a remote GOPHER server as a client
	#

	if [ $GOPHER_CLIENT -gt 0 ]
	then
	    # Request: local unprivileged port -> remote port 70
	    ipchains -A output -p tcp -i $EXTERNAL_INTERFACE \
		-s $EXTERNAL_IP $UNPRIVPORTS \
		-d $ANYWHERE 70 -j ACCEPT

	    # Reply: remote port 70 -> local unprivileged port, non-SYN only
	    ipchains -A input -p tcp ! -y -i $EXTERNAL_INTERFACE \
		-s $ANYWHERE 70 \
		-d $EXTERNAL_IP $UNPRIVPORTS -j ACCEPT

	    if [ $VERBOSE -gt 0 ]; then echo "firewall: Clients may access remote GOPHER servers"; fi
	fi

	#
	# WAIS (210) - Accessing a remote WAIS server as a client
	#

	if [ $WAIS_CLIENT -gt 0 ]
	then
	    # Request: local unprivileged port -> remote port 210
	    ipchains -A output -p tcp -i $EXTERNAL_INTERFACE \
		-s $EXTERNAL_IP $UNPRIVPORTS \
		-d $ANYWHERE 210 -j ACCEPT

	    # Reply: remote port 210 -> local unprivileged port, non-SYN only
	    ipchains -A input -p tcp ! -y -i $EXTERNAL_INTERFACE \
		-s $ANYWHERE 210 \
		-d $EXTERNAL_IP $UNPRIVPORTS -j ACCEPT

	    if [ $VERBOSE -gt 0 ]; then echo "firewall: Clients may access remote WAIS servers"; fi
	fi

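        #
        # Real Video / RTSP (554) - Real Video Client
        #
        # The heading used to read "544"; the rules have always used 554.
        #

        if [ $RV_CLIENT -gt 0 ]; then

            # Request: local unprivileged port -> remote port 554
            ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
                -s $EXTERNAL_IP $UNPRIVPORTS -d $ANYWHERE 554 -j ACCEPT

            # Reply: remote port 554 -> local unprivileged port, non-SYN only.
            # The previous rule had neither "! -y" nor a destination port, so
            # any remote host could open a NEW connection to ANY local port
            # just by sending from source port 554.  This brings it in line
            # with every other TCP client rule in this script.
            ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
                -s $ANYWHERE 554 -d $EXTERNAL_IP $UNPRIVPORTS -j ACCEPT

            if [ $VERBOSE -gt 0 ]; then
                echo "firewall: Real Video Client enabled"
            fi

        fi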




	#
	# UDP - Accept only on selected ports
	#

	#
	# TRACEROUTE
	#
	# Traceroute usually uses -s 32769:65535 -d 33434:33523
	# (TRACEROUTE_SRC_PORTS / TRACEROUTE_DEST_PORTS at the top of the file)
	#

	if [ $OUTBOUND_TRACEROUTE -gt 0 ]
	then
	    # Enable outgoing TRACEROUTE requests: UDP probes from the usual
	    # source range to the usual destination range, any host.
	    ipchains -A output -p udp -i $EXTERNAL_INTERFACE \
		-s $EXTERNAL_IP $TRACEROUTE_SRC_PORTS \
		-d $ANYWHERE $TRACEROUTE_DEST_PORTS \
		-j ACCEPT

	    if [ $VERBOSE -gt 0 ]; then echo "firewall: Outbound TRACEROUTE enabled"; fi
	fi

	if [ $INBOUND_TRACEROUTE -gt 0 ]; then

	    # Enable incoming TRACEROUTE query
	    # Accepts UDP from any host, source ports TRACEROUTE_SRC_PORTS, to
	    # the local TRACEROUTE_DEST_PORTS range.  The answers traceroute
	    # expects are ICMP (port-unreachable / time-exceeded), which are
	    # governed by the ICMP rules elsewhere in this script, not here.

	    ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
		-s $ANYWHERE $TRACEROUTE_SRC_PORTS \
		-d $EXTERNAL_IP $TRACEROUTE_DEST_PORTS -j ACCEPT

	    if [ $VERBOSE -gt 0 ]; then
		echo "firewall: Inbound TRACEROUTE enabled"
	    fi

	fi

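	#
	# DHCP Client (67, 68)
	#
	# Broadcast addresses: this file defines BROADCAST_SRC (0.0.0.0) and
	# BROADCAST_DEST (255.255.255.255) in its constants block, but these
	# rules referred to BROADCAST_0 / BROADCAST_1, which the file never
	# sets.  Unless the configuration file defines them they expand to
	# nothing and ipchains is handed "-s 68 -d 67" with no address at all.
	# A configured BROADCAST_0 / BROADCAST_1 is still honoured; otherwise
	# the file's own constants are used.
	#

	if [ $DHCP -gt 0 ]; then

	    dhcp_bcast_src=${BROADCAST_0:-$BROADCAST_SRC}
	    dhcp_bcast_dst=${BROADCAST_1:-$BROADCAST_DEST}

	    # INIT or REBINDING: No Lease or Lease Time Expired
	    # (we have no address yet, so the request goes out from
	    # 0.0.0.0:68 to the limited broadcast address :67)

	    ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
		-s $dhcp_bcast_src 68 -d $dhcp_bcast_dst 67 -j ACCEPT

	    # Getting renumbered

	    ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
		-s $dhcp_bcast_src 67 -d $dhcp_bcast_dst 68 -j ACCEPT

	    ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
		-s $DHCP_SERVER 67 -d $dhcp_bcast_dst 68 -j ACCEPT

	    ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
		-s $dhcp_bcast_src 68 -d $DHCP_SERVER 67 -j ACCEPT

	    # As a result of the above, we're supposed to change our IP
	    # address with this message, which is addressed to our new
	    # address before the DHCP client has received the update.
	    # MY_ISP comes from the configuration file - presumably the
	    # ISP's address block a new lease can fall in; verify.

	    ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
		-s $DHCP_SERVER 67 -d $MY_ISP 68 -j ACCEPT

	    # Steady state: unicast renewals between our current address
	    # and the known server

	    ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
		-s $DHCP_SERVER 67 -d $EXTERNAL_IP 68 -j ACCEPT

	    ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
		-s $EXTERNAL_IP 68 -d $DHCP_SERVER 67 -j ACCEPT

	    if [ $VERBOSE -gt 0 ]; then
		echo "firewall: DHCP enabled"
	    fi

	fi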

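	#
	# NTP (123) - Accessing remote Network Time Servers
	#
	# Two exchange shapes are allowed: a client query from a local
	# unprivileged port to a remote port 123, and peer/server traffic
	# with port 123 on both ends.
	#

	if [ $NTP_CLIENT -gt 0 ]; then

	    # Client query and its reply

	    ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
		-s $EXTERNAL_IP $UNPRIVPORTS -d $ANYWHERE 123 -j ACCEPT

	    ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
		-s $ANYWHERE 123 -d $EXTERNAL_IP $UNPRIVPORTS -j ACCEPT

	    # Peer mode: port 123 on both ends, both directions

	    ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
		-s $EXTERNAL_IP 123 -d $ANYWHERE 123 -j ACCEPT

	    ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
		-s $ANYWHERE 123 -d $EXTERNAL_IP 123 -j ACCEPT

	    # Two further rules used to follow with -s/-d swapped:
	    #   input  ... -s $EXTERNAL_IP 123 -d $ANYWHERE 123
	    #   output ... -s $ANYWHERE 123 -d $EXTERNAL_IP 123
	    # A packet arriving on the external interface with our own address
	    # as its source is spoofed by definition, and an outbound packet
	    # addressed to our own external IP needs no rule, so both were
	    # removed; the peer-mode pair above already covers the legitimate
	    # exchange in both directions.

	    if [ $VERBOSE -gt 0 ]; then
		echo "firewall: NTP Client enabled"
	    fi

	fi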

	#
	# ICQ (4000) - The Mirabilis ICQ Client
	#

	if [ $ICQ_CLIENT -gt 0 ]
	then
	    # Outbound: local unprivileged port -> remote UDP port 4000
	    ipchains -A output -p udp -i $EXTERNAL_INTERFACE \
		-s $EXTERNAL_IP $UNPRIVPORTS \
		-d $ANYWHERE 4000 -j ACCEPT

	    # Inbound: remote UDP port 4000 -> local unprivileged port
	    # (UDP has no SYN flag, so nothing ties this to an earlier query)
	    ipchains -A input -p udp -i $EXTERNAL_INTERFACE \
		-s $ANYWHERE 4000 \
		-d $EXTERNAL_IP $UNPRIVPORTS -j ACCEPT

	    if [ $VERBOSE -gt 0 ]; then echo "firewall: ICQ Client enabled"; fi
	fi

#

	# -------------------------------------------------------------

	#
	# Deny and log anything else on the external (red) interface
	#
	# These explicit rules exist so that rejected TCP/UDP/ICMP on the
	# external interface is logged (-l).  Packets of any other IP protocol
	# fall through to the chain's default policy and are not logged here.
	# ipchains -l has no rate limit, so a flood of rejected packets turns
	# directly into a flood of kernel log lines - watch log volume and
	# disk on a busy link.
	#

	ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -s $ANYWHERE -l -j DENY
	ipchains -A output -i $EXTERNAL_INTERFACE -p tcp -s $ANYWHERE -l -j DENY
	ipchains -A input -i $EXTERNAL_INTERFACE -p udp -s $ANYWHERE -l -j DENY
	ipchains -A output -i $EXTERNAL_INTERFACE -p udp -s $ANYWHERE -l -j DENY
	ipchains -A input -i $EXTERNAL_INTERFACE -p icmp -s $ANYWHERE -l -j DENY
	ipchains -A output -i $EXTERNAL_INTERFACE -p icmp -s $ANYWHERE -l -j DENY

	# -------------------------------------------------------------

	#
	# Unlimited traffic within the local network
	#

	# All internal machines have access to the firewall machine.
	# The input rule matches on BOTH the interface and the source network,
	# so a packet arriving on the internal interface with a non-internal
	# source address does not match it and falls through to whatever
	# follows; the output rule matches on the destination network only.

	ipchains -A input -i $INTERNAL_INTERFACE -s $INTERNAL_NETWORK -j ACCEPT

	ipchains -A output -i $INTERNAL_INTERFACE -d $INTERNAL_NETWORK -j ACCEPT

	# -------------------------------------------------------------

	#
	# Masquerade internal traffic
	#
	# NOTE(review): this is the only place in the visible script that
	# touches the forward chain, and no default policy is set for it here;
	# confirm that "ipchains -P forward DENY" happens earlier in the start
	# path, otherwise forwarding of non-masqueraded traffic is governed by
	# the kernel's default forward policy.
	#

	if [ $MASQUERADING -gt 0 ]; then

	    # Enable IP Forwarding
	    
	    echo 1 > /proc/sys/net/ipv4/ip_forward

	    # All internal traffic is masqueraded externally:
	    # anything from INTERNAL_NETWORK leaving via the external
	    # interface is rewritten to the external address, whatever its
	    # destination.

	    ipchains -A forward -i $EXTERNAL_INTERFACE -s $INTERNAL_NETWORK -j MASQ

	    if [ $VERBOSE -gt 0 ]; then
		echo "firewall: Masquerading internal network"
	    fi


	fi

	# -------------------------------------------------------------

	# Done: record that the rule set is loaded so "status" can report it
	printf '%s\n' "firewall: configuration complete"
	touch /var/lock/subsys/firewall
	printf '\n'
	;;
  status)
	# The lock file is the only evidence consulted: it records that
	# "start" completed, not whether the rules are still loaded.
	if test -f /var/lock/subsys/firewall
	then
	    echo "Firewall started and configured"
	else
	    echo "Firewall stopped"
	fi
	exit 0
	;;
  restart|reload)
	# Re-run this script for each phase.  The exit status of "stop" is
	# not checked, so "start" runs even when stop failed (e.g. missing
	# configuration file); start performs its own configuration check.
	$0 stop
	$0 start
	;;
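  stop)
	echo "Shutting down Firewall services"

	# Turn off IP Forwarding first, so nothing is routed while the
	# chains are being rebuilt
	echo 0 > /proc/sys/net/ipv4/ip_forward

	# Flush the rule chains
	ipchains -F

	# Set the default policy to deny.  The forward chain policy is not
	# touched here; forwarding is already off at the kernel level via
	# the ip_forward write above.
	ipchains -P input DENY
	ipchains -P output DENY

	# Allow unlimited traffic on the loopback interface
	ipchains -A input -i $LOOPBACK_INTERFACE -j ACCEPT
	ipchains -A output -i $LOOPBACK_INTERFACE -j ACCEPT

	# Open the configuration file.  It is sourced as shell code running
	# as root, so it must be root-owned and not writable by anyone else.
	if [ -f /etc/firewall/firewall.conf ]; then
	    . /etc/firewall/firewall.conf
	else
	    # The chains are already flushed and defaulting to DENY, so the
	    # firewall IS stopped even though the internal interface cannot
	    # be opened without the configuration.  Remove the lock before
	    # exiting, otherwise "status" keeps reporting it as running.
	    echo "firewall: No configuration file found at /etc/firewall/firewall.conf"
	    rm -f /var/lock/subsys/firewall
	    exit 1
	fi

	# Enable the Internal (Black) Interface: everything on it is
	# accepted while the firewall is down
	ipchains -A input -i $INTERNAL_INTERFACE -j ACCEPT
	ipchains -A output -i $INTERNAL_INTERFACE -j ACCEPT


	rm -f /var/lock/subsys/firewall
	echo
	;;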
  *)
	# Unknown action: print the supported verbs and fail
	printf '%s\n' "Usage: /etc/rc.d/init.d/firewall {start|stop|status|restart|reload}"
	exit 1
esac

exit 0

