
#!/bin/sh
#
# Copyright 2001, James Lee
#  Released under the GPL.
#

### firewall start-up script

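## site configuration -- edit these for your network
# external interface
EX_IN=eth0
# internal interface
IN_IN=eth1
# external ip (the shipped value is a placeholder: 678 is not a valid octet)
EX_IP="123.45.678.9"
# internal network
IN_NET="192.168.1.0/24"
# internal host that runs the www, smtp and pop3 servers; the outside
# reaches it through the port forwarding set up below
SRV_IP="192.168.1.2"
# dns servers
DNS1="123.45.678.10"
DNS2="123.45.678.11"
DNS3="123.45.678.12"

IPCHAINS=/sbin/ipchains
IPMASQADM=/usr/sbin/ipmasqadm

#######################################
# Let the internal network talk to one nameserver (tcp and udp) and let
# the answers back in.  Replies over tcp are accepted only when they are
# not connection requests ("! -y").
# Arguments: $1 - nameserver address
#######################################
allow_dns() {
	$IPCHAINS -A input  -i "$IN_IN" -p tcp -s "$IN_NET" -d "$1" domain -j ACCEPT
	$IPCHAINS -A input  -i "$IN_IN" -p udp -s "$IN_NET" -d "$1" domain -j ACCEPT
	$IPCHAINS -A output -i "$EX_IN" -p tcp -s "$EX_IP"  -d "$1" domain -j ACCEPT
	$IPCHAINS -A output -i "$EX_IN" -p udp -s "$EX_IP"  -d "$1" domain -j ACCEPT
	$IPCHAINS -A input  -i "$EX_IN" -p tcp -d "$EX_IP"  -s "$1" domain -j ACCEPT ! -y
	$IPCHAINS -A input  -i "$EX_IN" -p udp -d "$EX_IP"  -s "$1" domain -j ACCEPT
	$IPCHAINS -A output -i "$IN_IN" -p tcp -d "$IN_NET" -s "$1" domain -j ACCEPT
	$IPCHAINS -A output -i "$IN_IN" -p udp -d "$IN_NET" -s "$1" domain -j ACCEPT
}

#######################################
# Client connections from the internal network to tcp port $1 anywhere
# outside.  Four rules cover the path: in on the internal interface, out
# on the external one, the reply in on the external one (non-SYN only,
# "! -y") and out on the internal one.
# Arguments: $1 - port (number or /etc/services name)
#            $2 - target, ACCEPT or REJECT
#######################################
tcp_out() {
	$IPCHAINS -A input  -i "$IN_IN" -p tcp -s "$IN_NET" -d 0/0 "$1" -j "$2"
	$IPCHAINS -A output -i "$EX_IN" -p tcp -s "$EX_IP"  -d 0/0 "$1" -j "$2"
	$IPCHAINS -A input  -i "$EX_IN" -p tcp -d "$EX_IP"  -s 0/0 "$1" -j "$2" ! -y
	$IPCHAINS -A output -i "$IN_IN" -p tcp -d "$IN_NET" -s 0/0 "$1" -j "$2"
}

#######################################
# Connections from outside to tcp port $1 on the external address, which
# the port forwarding hands to the same port on $SRV_IP, plus the replies
# on the way back out.  The input-chain rules match on $EX_IP, the rules
# on the internal interface on $SRV_IP.
# Arguments: $1 - port (number or /etc/services name)
#            $2 - target, ACCEPT or REJECT
#            $3... - extra ipchains options appended after the target
#                    (e.g. -l to log every match)
#######################################
tcp_in() {
	port=$1
	target=$2
	shift 2
	$IPCHAINS -A input  -i "$EX_IN" -p tcp -d "$EX_IP"  "$port" -s 0/0 -j "$target" "$@"
	$IPCHAINS -A output -i "$IN_IN" -p tcp -d "$SRV_IP" "$port" -s 0/0 -j "$target" "$@"
	$IPCHAINS -A input  -i "$IN_IN" -p tcp -s "$SRV_IP" "$port" -d 0/0 -j "$target" "$@"
	$IPCHAINS -A output -i "$EX_IN" -p tcp -s "$EX_IP"  "$port" -d 0/0 -j "$target" "$@"
}

case "$1" in
    start)
	# turn on Source Address Verification and get
	# spoof protection on all current and future interfaces.
	if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
	    # printf: "echo -n" is not portable under /bin/sh
	    printf '%s' "Setting up IP spoofing protection..."
	    for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
		echo 1 > "$f"
	    done
	    echo "done."
	else
	    echo "Can't set up spoofing protection."
	fi

	# masquerading
	echo "Turning on masquerading..."
	echo 1 > /proc/sys/net/ipv4/ip_forward

	# masquerading helper modules.  Loaded before the rules (the original
	# probed them last) so that ip_masq_portfw is already in when
	# "ipmasqadm portfw" below adds its entries.
	for mod in ip_masq_ftp ip_masq_raudio ip_masq_autofw ip_masq_mfw \
		   ip_masq_portfw ip_masq_user; do
		modprobe "$mod"
	done

	###
	### the ipchains commands
	###

	echo "Executing ipchains commands..."

	## initial stuff

	# flush current rules
	$IPCHAINS -F

	# deny all packets while we set up the firewall -
	# these rules are deleted again at the end
	$IPCHAINS -I input 1 -j DENY
	$IPCHAINS -I forward 1 -j DENY
	$IPCHAINS -I output 1 -j DENY

	# allow all packets to local interface
	$IPCHAINS -A input -i lo -s 0/0 -d 0/0 -j ACCEPT
	$IPCHAINS -A output -i lo -s 0/0 -d 0/0 -j ACCEPT

	# set up policies
	$IPCHAINS -P input DENY
	$IPCHAINS -P forward DENY
	$IPCHAINS -P output ACCEPT

	# allow all tcp and udp between the internal network and the firewall
	for proto in tcp udp; do
		$IPCHAINS -A input  -i "$IN_IN" -p "$proto" -s "$IN_NET" -d "$IN_NET" -j ACCEPT
		$IPCHAINS -A output -i "$IN_IN" -p "$proto" -s "$IN_NET" -d "$IN_NET" -j ACCEPT
	done

	## ip masquerading
	$IPCHAINS -A forward -i "$EX_IN" -s "$IN_NET" -d 0/0 -j MASQ

	## enter rules for allowed packets

	# dns
	for dns in "$DNS1" "$DNS2" "$DNS3"; do
		allow_dns "$dns"
	done

	# ping out but not in...
	$IPCHAINS -A input -i "$EX_IN" -p icmp --icmp-type echo-request -s 0/0 -d "$EX_IP" -j DENY
	$IPCHAINS -A input -i "$IN_IN" -p icmp --icmp-type echo-request -s "$IN_NET" -d 0/0 -j ACCEPT
	$IPCHAINS -A output -i "$EX_IN" -p icmp --icmp-type echo-request -s "$EX_IP" -d 0/0 -j ACCEPT
	$IPCHAINS -A input -i "$EX_IN" -p icmp --icmp-type echo-reply -s 0/0 -d "$EX_IP" -j ACCEPT
	$IPCHAINS -A output -i "$IN_IN" -p icmp --icmp-type echo-reply -s 0/0 -d "$IN_NET" -j ACCEPT

	# outgoing client connections: telnet, pop3 (110), http, https, smtp,
	# ssh and real audio (554)
	for port in telnet 110 www https smtp ssh 554; do
		tcp_out "$port" ACCEPT
	done

	# services on $SRV_IP that the outside reaches through the port
	# forwarding below.  Every rule names its port: the original left the
	# port off one pop3 rule and both external www rules, which turned
	# them into "any tcp port" accepts.
	tcp_in smtp ACCEPT
	tcp_in pop3 ACCEPT -l
	tcp_in www ACCEPT

	# ident (113): answer with a REJECT instead of the silent final DENY so
	# remote mail and pop servers doing ident lookups get an immediate
	# refusal rather than waiting for a timeout ("to allow pop to happen
	# faster").  The original omitted the port on two of these rules,
	# which rejected every other tcp packet to/from the external address
	# before the later accept rules could see it.
	tcp_in 113 REJECT
	tcp_out 113 REJECT

	## do the ip port forwarding
	echo "setting up port forwarding..."

	$IPMASQADM portfw -f
	# web (80), mail (25) and pop3 (110) servers all live on $SRV_IP
	for port in 80 25 110; do
		$IPMASQADM portfw -a -P tcp -L "$EX_IP" -R "$SRV_IP" "$port"
	done

	## final stuff

	# if a packet gets this far, deny it and log it
	$IPCHAINS -A input -j DENY -l
	$IPCHAINS -A forward -j DENY -l

	# except output packets are ok (note: -l logs every one of them)
	$IPCHAINS -A output -j ACCEPT -l

	# delete the initial blocking rules
	$IPCHAINS -D input 1
	$IPCHAINS -D forward 1
	$IPCHAINS -D output 1
	;;
    stop)
	echo "Shutting down firewall..."
	$IPCHAINS -F input
	$IPCHAINS -F forward
	$IPCHAINS -F output
	$IPCHAINS -P input ACCEPT
	$IPCHAINS -P forward ACCEPT
	$IPCHAINS -P output ACCEPT
	# the port forwards added by "start" are separate state; clear them
	# too so nothing set up here outlives the rules
	$IPMASQADM portfw -f
	echo 0 > /proc/sys/net/ipv4/ip_forward
	;;
    *)
	echo "Usage: $0 {start|stop}" >&2
	exit 1
	;;
esac

exit 0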