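#!/bin/bash
# chkconfig: 2345 09 99
# description: firewall script for 2.0.x kernel
#
# LEGAL INFO:
# This file distributed without warranty of any sort... Hopefully it will
# prove useful, but who knows?!? :-)
# Feel free to do what you will with it!
#
# NOTES
# Since this uses ipfwadm, it's for kernel versions 2.0.x. There should be an
# ipchains version (for 2.1.x or 2.2.x kernels) available where you got this
# one... try http://LinuxSIG.org/files/
# This firewall should work for most home routers. It should work for dial-up
# or cable modem setups. It works with the RedHat distributed kernels. If
# you re-compile and change the wrong kernel settings, it might break or it
# might work better... It is fairly restrictive, but most home nets don't
# need to offer much to the outside world. It could be tightened up with more
# information and customization. Remember, security is built in layers and a
# firewall is a good start. Good passwords also help. If you want to access
# the machine from outside (over the Internet) consider using an encrypted
# tool like ssh rather than telnet (since telnet sends clear-text passwords).
# Be careful about offering public services like web or (especially) ftp
# servers. Don't unless you must and if you must - read the docs!!! I've
# tried to provide many comments to make sense of what's going on. Please
# read the ipfwadm man page.
# enjoy - Anthony Ball
#
# RELEASE NOTES
# Be sure to check back for updates occasionally!
# 20 July, 1999 ---> initial writing
#
# INSTALLATION:
# 1. This file planned for a RedHat system. It would work
#    on other distro's with perhaps no modification, but again...
#    Who knows?!!? These instructions apply to RedHat systems.
#
# 2. place this file in /etc/rc.d/init.d (you'll have to be root..)
#    call it something like "firewall" :-)
#    make it root owned --> "chown root.root <filename>"
#    make it executable --> "chmod 755 <filename>"
#
# 3. set the values for your network, internal interface, and DNS servers
#    uncomment lines further down to enable optional in-bound services
#    make sure "eth0" is your internal NIC (or change the value below)
#    test it --> "/etc/rc.d/init.d/<filename> start"
#    you can list the inbound rules --> "ipfwadm -Iln"
#    and the forwarding rules --> "ipfwadm -Fln"
#    fix anything that broke... :-)
#
# 4. add the firewall to the RH init structure --> "chkconfig --add <filename>"
#    next time the router boots, things should happen automagically!
#    sleep better at night knowing you are *LESS* vulnerable than before...
#
################################################
# Fill in the values below to match your
# local network.
LOCALNET=10.0.0.0/24
INTERNALIF=eth0
# your dns servers
# (ipfwadm rejects the xxx placeholders; the script then stops with the
# inbound default policy already set to deny, so nothing is left open)
DNS1=xxx.xxx.xxx.xxx/32
DNS2=xxx.xxx.xxx.xxx/32
#
################################################

#######################################
# Print a diagnostic to stderr and exit non-zero.
# Arguments: message words
#######################################
die() {
  printf 'firewall: %s\n' "$*" >&2
  exit 1
}

#######################################
# Run ipfwadm with the given arguments and abort if the rule cannot be
# installed. The inbound default policy is set to deny before any accept
# rule, so aborting here fails closed instead of silently continuing with a
# half-built ruleset (the original script ignored ipfwadm's exit status).
# Arguments: ipfwadm arguments
#######################################
fw() {
  /sbin/ipfwadm "$@" || die "ipfwadm $* failed"
}

# "${1-}" rather than "$1": the init system may call us with no argument.
if [ "${1-}" = "stop" ]; then
  # do we really want to take the firewall down?
  exit 0
fi

printf '%s' "Building firewall: ..."

# Insert the active ftp module. This will allow non-passive ftp to machines on
# the local network (but not to the router since it is not masq'd)
if ! /sbin/lsmod | /bin/grep -q masq_ftp; then
  printf '%s' "ftp module..."
  # best effort: the rest of the firewall is still useful without it
  /sbin/insmod ip_masq_ftp \
    || printf '\nfirewall: warning: could not load ip_masq_ftp\n' >&2
fi

# set up kernel to handle dynamic IP masquerading
if ! echo 7 > /proc/sys/net/ipv4/ip_dynaddr; then
  printf '\nfirewall: warning: could not set ip_dynaddr\n' >&2
fi

# some handy generic values to use
readonly ANY=0.0.0.0/0
readonly ALLONES=255.255.255.255/32

#
# Setup the incoming packets firewall.
#
printf '%s' "inbound..."

# set default policy to deny
fw -I -p deny

# flush the list
fw -I -f

# allow all packets on the loopback interface
fw -I -a accept -S "$ANY" -D "$ANY" -W lo

# allow all packets from the internal "trusted" interface
fw -I -a accept -S "$LOCALNET" -D "$ANY" -W "$INTERNALIF"

# uncomment the following line if you run a DHCP server on the router
# fw -I -a accept -S "$ANY" -D "$ALLONES" -W "$INTERNALIF"
# Also a DHCP server, on a RedHat system, create a file called
# /etc/sysconfig/static-routes with the line "eth0 host 255.255.255.255"
# where you substitute your internal interface for eth0 if it is
# something else.

# uncomment the following if you use diald (it uses SLIP)
# fw -I -a accept -S "$ANY" -D "$ANY" -W sl0

# deny bcasts & reserved/private nets from remaining interfaces
# (the LOCALNET accept above already matched the trusted interface, so the
# 10.0.0.0/8 deny here only hits spoofed private sources on other interfaces)
fw -I -a deny -S "$ANY" -D 0.0.0.0/32
fw -I -a deny -S "$ANY" -D 255.255.255.255/32
fw -I -a deny -S 10.0.0.0/8 -D "$ANY"
fw -I -a deny -S 127.0.0.0/8 -D "$ANY"
fw -I -a deny -S 172.16.0.0/12 -D "$ANY"
fw -I -a deny -S 192.168.0.0/16 -D "$ANY"

# allow ICMP
fw -I -a accept -S "$ANY" -D "$ANY" -P icmp

# allow established TCP connections (-k: only packets with ACK set)
fw -I -a accept -S "$ANY" -D "$ANY" -P tcp -k

# allow lookups to/from DNS servers to router
fw -I -a accept -S "$DNS1" domain -D "$ANY" -P udp
fw -I -a accept -S "$DNS2" domain -D "$ANY" -P udp
# or (BETTER IDEA) run a caching DNS server on the router and use the following
# two lines instead...
# fw -I -a accept -S "$DNS1" domain -D "$ANY" domain -P udp
# fw -I -a accept -S "$DNS2" domain -D "$ANY" domain -P udp

# allow auth in for sending mail or doing ftp
fw -I -a accept -S "$ANY" -D "$ANY" ident -P tcp

# allow ports in for masquerading
fw -I -a accept -S "$ANY" -D "$ANY" 61000:65096 -P udp
fw -I -a accept -S "$ANY" -D "$ANY" 61000:65096 -P tcp

# uncomment the following to allow ssh in
# fw -I -a accept -S "$ANY" -D "$ANY" 22 -P tcp

# uncomment the following to allow telnet in (BAD IDEA!!)
# fw -I -a accept -S "$ANY" -D "$ANY" telnet -P tcp

# uncomment to allow NTP (network time protocol) to router
# fw -I -a accept -S "$ANY" ntp -D "$ANY" ntp -P udp

# uncomment to allow SMTP in (don't need for mail clients - only a server)
# fw -I -a accept -S "$ANY" -D "$ANY" smtp -P tcp

# uncomment to allow HTTP in (only if you run a web server on the router)
# fw -I -a accept -S "$ANY" -D "$ANY" http -P tcp

# deny these without logging 'cause there tend to be a lot...
# NB: these rules are "deny" (no -o), matching the comment above; the earlier
# version of this script used "accept" here, which let NetBIOS and bootp
# traffic from anywhere reach the router.
fw -I -a deny -S "$ANY" -D "$ANY" 137 -P tcp   # NetBIOS over IP
fw -I -a deny -S "$ANY" -D "$ANY" 137 -P udp   # ""
fw -I -a deny -S "$ANY" -D "$ANY" 138 -P tcp   # ""
fw -I -a deny -S "$ANY" -D "$ANY" 138 -P udp   # ""
fw -I -a deny -S "$ANY" -D "$ANY" 67 -P udp    # bootp
fw -I -a deny -S "$ANY" -D "$ANY" 68 -P udp    # ""
# Multicast addresses: the whole class D range is 224.0.0.0/4 (224-239.x.x.x);
# a /8 mask only covered 224.x.x.x.
fw -I -a deny -S 224.0.0.0/4 -D "$ANY"

# deny other packets and log them to /var/log/messages
fw -I -a deny -S "$ANY" -D "$ANY" -o

#
# Setup the forwarding firewall.
#
printf '%s' "forwarding..."

# flush the list
fw -F -f

# masquerade packets forwarded from internal network
fw -F -a masquerade -S "$LOCALNET" -D "$ANY"

printf '%s\n' "done."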