#!/bin/sh
#
# Copyright 2001, James Lee
# Released under the GPL.
#
### firewall start-up script
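## set up variables
# external interface
EX_IN=eth0
# internal interface
IN_IN=eth1
# external ip
# NOTE(review): "678" is not a valid octet, so this is a placeholder that
# ipchains/ipmasqadm will refuse; replace it with the real address.
EX_IP="123.45.678.9"
# internal network
IN_NET="192.168.1.0/24"
# internal host published on the external address by port forwarding
# (web, smtp and pop3 server).  It was hard-coded as 192.168.1.2 in every
# rule and every portfw entry below.
SRV_IP="192.168.1.2"
# dns servers
DNS1="123.45.678.10"
DNS2="123.45.678.11"
DNS3="123.45.678.12"
# absolute tool paths, so a modified PATH cannot substitute another binary
IPCHAINS=/sbin/ipchains
IPMASQADM=/usr/sbin/ipmasqadm

# tcp_client PORT TARGET
#   The four rules that let the internal network (and the firewall itself,
#   through the masqueraded external address) reach a remote tcp service on
#   PORT: request in on eth1 / out on eth0, reply in on eth0 / out on eth1.
#   "! -y" on the returning input rule excludes SYN-only packets, so the
#   hole on the external interface is reply-only and cannot be used to open
#   a connection from outside.  TARGET is ACCEPT or REJECT.
#   (plain sh: no "local", the two names below are deliberately global)
tcp_client() {
  port=$1
  target=$2
  "$IPCHAINS" -A input  -i "$IN_IN" -p tcp -s "$IN_NET" -d 0/0 "$port" -j "$target"
  "$IPCHAINS" -A output -i "$EX_IN" -p tcp -s "$EX_IP" -d 0/0 "$port" -j "$target"
  "$IPCHAINS" -A input  -i "$EX_IN" -p tcp -d "$EX_IP" -s 0/0 "$port" -j "$target" ! -y
  "$IPCHAINS" -A output -i "$IN_IN" -p tcp -d "$IN_NET" -s 0/0 "$port" -j "$target"
}

# server_tcp PORT TARGET [FLAGS]
#   The four rules for a service on SRV_IP that is published on EX_IP by
#   ipmasqadm portfw: connection in on eth0 to EX_IP, forwarded out eth1 to
#   SRV_IP, reply from SRV_IP in on eth1, reply out on eth0 from EX_IP.
#   FLAGS (e.g. -l to log) is appended to every rule; it is expanded
#   unquoted on purpose so that it vanishes when not given.
server_tcp() {
  port=$1
  target=$2
  flags=$3
  "$IPCHAINS" -A input  -i "$EX_IN" -p tcp -d "$EX_IP" "$port" -s 0/0 -j "$target" $flags
  "$IPCHAINS" -A output -i "$IN_IN" -p tcp -d "$SRV_IP" "$port" -s 0/0 -j "$target" $flags
  "$IPCHAINS" -A input  -i "$IN_IN" -p tcp -s "$SRV_IP" "$port" -d 0/0 -j "$target" $flags
  "$IPCHAINS" -A output -i "$EX_IN" -p tcp -s "$EX_IP" "$port" -d 0/0 -j "$target" $flags
}

# dns_server IP
#   Let the internal network and the firewall query the name server IP on
#   port 53 over tcp and udp, and let the answers come back.  The tcp reply
#   rule is "! -y" (no new connections from outside); udp has no handshake,
#   so its reply rule can only match on the source port.
dns_server() {
  "$IPCHAINS" -A input  -i "$IN_IN" -p tcp -s "$IN_NET" -d "$1" domain -j ACCEPT
  "$IPCHAINS" -A input  -i "$IN_IN" -p udp -s "$IN_NET" -d "$1" domain -j ACCEPT
  "$IPCHAINS" -A output -i "$EX_IN" -p tcp -s "$EX_IP" -d "$1" domain -j ACCEPT
  "$IPCHAINS" -A output -i "$EX_IN" -p udp -s "$EX_IP" -d "$1" domain -j ACCEPT
  "$IPCHAINS" -A input  -i "$EX_IN" -p tcp -d "$EX_IP" -s "$1" domain -j ACCEPT ! -y
  "$IPCHAINS" -A input  -i "$EX_IN" -p udp -d "$EX_IP" -s "$1" domain -j ACCEPT
  "$IPCHAINS" -A output -i "$IN_IN" -p tcp -d "$IN_NET" -s "$1" domain -j ACCEPT
  "$IPCHAINS" -A output -i "$IN_IN" -p udp -d "$IN_NET" -s "$1" domain -j ACCEPT
}

# fw_start
#   Build the complete ruleset.  ipchains matches first rule wins, so the
#   order of the groups below is significant.  The box stays closed while
#   the rules are being loaded and ip_forward is only enabled at the end.
fw_start() {
  # turn on Source Address Verification and get
  # spoof protection on all current and future interfaces.
  if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
    printf 'Setting up IP spoofing protection...'
    for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
      echo 1 > "$f"
    done
    echo "done."
  else
    echo "Can't set up spoofing protection."
  fi

  ###
  ### the ipchains commands
  ###
  echo "Executing ipchains commands..."
  ## initial stuff
  # close input/forward by policy *before* flushing: on the first run the
  # kernel default policy is ACCEPT, so a flush followed by rule loading
  # would otherwise leave the box open for the duration of this script.
  "$IPCHAINS" -P input DENY
  "$IPCHAINS" -P forward DENY
  # flush current rules
  "$IPCHAINS" -F
  # deny all packets while we set up the firewall -
  # these rules will be deleted later
  "$IPCHAINS" -I input 1 -j DENY
  "$IPCHAINS" -I forward 1 -j DENY
  "$IPCHAINS" -I output 1 -j DENY
  # allow all packets to local interface
  "$IPCHAINS" -A input  -i lo -s 0/0 -d 0/0 -j ACCEPT
  "$IPCHAINS" -A output -i lo -s 0/0 -d 0/0 -j ACCEPT
  # packets leaving the firewall are allowed by policy (and logged by the
  # catch-all at the end of the output chain)
  "$IPCHAINS" -P output ACCEPT
  # allow all tcp/udp between the internal network and the firewall's
  # internal address (icmp is handled separately below)
  "$IPCHAINS" -A input  -i "$IN_IN" -p tcp -s "$IN_NET" -d "$IN_NET" -j ACCEPT
  "$IPCHAINS" -A output -i "$IN_IN" -p tcp -s "$IN_NET" -d "$IN_NET" -j ACCEPT
  "$IPCHAINS" -A input  -i "$IN_IN" -p udp -s "$IN_NET" -d "$IN_NET" -j ACCEPT
  "$IPCHAINS" -A output -i "$IN_IN" -p udp -s "$IN_NET" -d "$IN_NET" -j ACCEPT
  ## ip masquerading
  # in the forward chain -i names the interface the packet leaves on:
  # only traffic sourced from the internal network is masqueraded out
  "$IPCHAINS" -A forward -i "$EX_IN" -s "$IN_NET" -d 0/0 -j MASQ
  ## enter rules for allowed packets
  # dns
  dns_server "$DNS1"
  dns_server "$DNS2"
  dns_server "$DNS3"
  # ping out but not in...
  "$IPCHAINS" -A input  -i "$EX_IN" -p icmp --icmp-type echo-request -s 0/0 -d "$EX_IP" -j DENY
  "$IPCHAINS" -A input  -i "$IN_IN" -p icmp --icmp-type echo-request -s "$IN_NET" -d 0/0 -j ACCEPT
  "$IPCHAINS" -A output -i "$EX_IN" -p icmp --icmp-type echo-request -s "$EX_IP" -d 0/0 -j ACCEPT
  "$IPCHAINS" -A input  -i "$EX_IN" -p icmp --icmp-type echo-reply -s 0/0 -d "$EX_IP" -j ACCEPT
  "$IPCHAINS" -A output -i "$IN_IN" -p icmp --icmp-type echo-reply -s 0/0 -d "$IN_NET" -j ACCEPT
  ## outbound client services (reply-only holes, see tcp_client)
  # telnet out -- NOTE(review): cleartext protocol; drop this line unless
  # it is really still needed
  tcp_client telnet ACCEPT
  # pop3 out
  tcp_client 110 ACCEPT
  # http out
  tcp_client www ACCEPT
  # https out
  tcp_client https ACCEPT
  # smtp out
  tcp_client smtp ACCEPT
  # ssh out
  tcp_client ssh ACCEPT
  ## services published on the internal server (see portfw below)
  # sendmail to $EX_IP (mail server is $SRV_IP)
  server_tcp smtp ACCEPT
  # pop3 to $EX_IP (pop3 server is $SRV_IP), logged.  The previous version
  # of the last rule in this group had no port, so it logged every tcp
  # packet leaving eth0.
  server_tcp pop3 ACCEPT -l
  # ident/auth (113) "to allow pop to happen faster": answer with a RST
  # (REJECT) instead of dropping silently, so remote mail/pop servers that
  # do an ident lookup do not wait for a timeout.
  # The server-side rules used to have no port at all, i.e. they rejected
  # *every* inbound tcp packet to EX_IP and every outbound one from it,
  # ahead of the www and real-audio rules; the port is now explicit.
  server_tcp 113 REJECT
  tcp_client 113 REJECT
  # www rules ($SRV_IP is apache server).  The external-side rules of this
  # group used to have no port and so accepted any inbound tcp to EX_IP.
  server_tcp www ACCEPT
  # real audio
  tcp_client 554 ACCEPT

  ## probe modules before the port forwarding table is touched
  # NOTE(review): on a kernel that builds portfw as a module, ip_masq_portfw
  # has to be loaded before ipmasqadm portfw can succeed -- confirm for the
  # kernel in use
  modprobe ip_masq_ftp
  modprobe ip_masq_raudio
  modprobe ip_masq_autofw
  modprobe ip_masq_mfw
  modprobe ip_masq_portfw
  modprobe ip_masq_user
  ## do the ip port forwarding
  # ipmasqadm portfw takes "-L laddr lport -R raddr rport"; the previous
  # entries gave no local port (NOTE(review): verify against the installed
  # ipmasqadm if it accepted them before)
  echo "setting up port forwarding..."
  "$IPMASQADM" portfw -f
  # web server
  "$IPMASQADM" portfw -a -P tcp -L "$EX_IP" 80 -R "$SRV_IP" 80
  # mail server
  "$IPMASQADM" portfw -a -P tcp -L "$EX_IP" 25 -R "$SRV_IP" 25
  # pop3 server
  "$IPMASQADM" portfw -a -P tcp -L "$EX_IP" 110 -R "$SRV_IP" 110
  ## final stuff
  # if a packet gets this far, deny it and log it
  "$IPCHAINS" -A input -j DENY -l
  "$IPCHAINS" -A forward -j DENY -l
  # except output packets are ok
  "$IPCHAINS" -A output -j ACCEPT -l
  # delete the initial blocking rules
  "$IPCHAINS" -D input 1
  "$IPCHAINS" -D forward 1
  "$IPCHAINS" -D output 1
  # masquerading: forwarding is switched on only now that the complete
  # ruleset is in place (it used to be enabled before any rule existed)
  echo "Turning on masquerading..."
  echo 1 > /proc/sys/net/ipv4/ip_forward
}

# fw_stop
#   Remove all rules and open all policies; forwarding is switched off so
#   internal hosts are not exposed.
#   NOTE(review): this leaves the firewall host itself fully open (input
#   policy ACCEPT); consider DENY for input if "stop" is ever run on a
#   live external link.
fw_stop() {
  echo "Shutting down firewall..."
  "$IPCHAINS" -F input
  "$IPCHAINS" -F forward
  "$IPCHAINS" -F output
  "$IPCHAINS" -P input ACCEPT
  "$IPCHAINS" -P forward ACCEPT
  "$IPCHAINS" -P output ACCEPT
  echo 0 > /proc/sys/net/ipv4/ip_forward
}

case "$1" in
  start)
    fw_start
    ;;
  stop)
    fw_stop
    ;;
  *)
    # an unknown argument used to be silently ignored (exit 0)
    echo "Usage: $0 {start|stop}" >&2
    exit 1
    ;;
esac
exit 0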