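#!/bin/bash
#
# firewall - iptables packet filter + masquerading for a small home router.
#
# Usage: /etc/rc.d/init.d/firewall {start|stop}
#   start (or anything other than "stop") rebuilds all rules from scratch
#   stop  is a deliberate no-op (the firewall is never torn down)
#
# chkconfig: 2345 09 99
# description: firewall script for 2.4.x kernel
#
# LEGAL INFO:
# This file distributed without warranty of any sort... Hopefully it will
# prove useful, but who knows?!? :-)
# Feel free to do what you will with it!
#
# NOTES
# Since this uses iptables, it's for kernel versions 2.3.x or 2.4.x. There
# should be an ipfwadm version (for 2.0.x kernels) available where you got
# this one... try http://LinuxSIG.org/files/
# This firewall should work for most home routers. It should work for dial-up
# or cable modem setups. It works with the RedHat distributed kernels. If
# you re-compile and change the wrong kernel settings, it might break or it
# might work better... It is fairly restrictive, but most home nets don't
# need to offer much to the outside world. It could be tightened up with more
# information and customization. Remember, security is built in layers and a
# firewall is a good start. Good passwords also help. If you want to access
# the machine from outside (over the Internet) consider using an encrypted
# tool like ssh rather than telnet (since telnet sends clear-text passwords).
# Be careful about offering public services like web or (especially) ftp
# servers. Don't unless you must and if you must - read the docs!!! I've
# tried to provide many comments to make sense of what's going on. Please
# read the iptables man page.
# enjoy - Anthony Ball
#
# RELEASE NOTES
# Be sure to check back for updates occasionally!
# 20 July, 1999 ---> initial writing
# 5 Oct, 2000   ---> iptables translation
#
# INSTALLATION:
# 1. This file planned for a RedHat system. It would work
#    on other distro's with perhaps no modification, but again...
#    Who knows?!!? These instructions apply to RedHat systems.
#
# 2. place this file in /etc/rc.d/init.d (you'll have to be root..)
#    call it something like "firewall" :-)
#    make it root owned --> "chown root.root <file>"
#    make it executable --> "chmod 755 <file>"
#
# 3. set the values for your network, internal interface, and DNS servers
#    uncomment lines further down to enable optional in-bound services
#    make sure "eth0" is your internal NIC (or change the value below)
#    test it --> "/etc/rc.d/init.d/<file> start"
#    you can list the rules --> "iptables -L -n"
#    fix anything that broke... :-)
#
# 4. add the firewall to the RH init structure --> "chkconfig --add <file>"
#    next time the router boots, things should happen automagically!
#    sleep better at night knowing you are *LESS* vulnerable than before...
#

# iptables lives in /sbin (or /usr/local/sbin) and init may not have it on PATH.
PATH=/sbin:/usr/local/sbin:$PATH

# Trace every command to stderr while the rules are built (handy when
# debugging a rule that doesn't load; comment out for a quiet boot).
set -o xtrace

################################################
# Fill in the values below to match your
# local network.
LOCALNET=192.168.1.0/24 #10.0.0.0/24
INTERNALIF=eth0
# your dns servers (only used by the optional rules further down)
DNS1=xxx.xxx.xxx.xxx
DNS2=xxx.xxx.xxx.xxx
#
################################################

# "${1-}" rather than "$1" so the script also works with no argument at all.
if [[ "${1-}" == "stop" ]]; then
  # do we really want to take the firewall down?  No - leave it in place.
  exit 0
fi

printf '%s' "Building firewall: ..."

# set up kernel to handle dynamic IP masquerading
echo 7 > /proc/sys/net/ipv4/ip_dynaddr

# turn on Source Address Verification and get spoof protection on all current
# and future interfaces.
if [[ -e /proc/sys/net/ipv4/conf/all/rp_filter ]]; then
  for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo 1 > "$f"
  done
else
  printf '\n'
  printf '%s\n' "PROBLEMS SETTING UP IP SPOOFING PROTECTION. BE WORRIED."
  printf '%s\n' "CONTROL-D will exit from this shell and continue system startup."
  printf '\n'
  # Start a single user shell on the console. CONSOLE is expected from the
  # init environment; when it is unset sulogin is run with no argument so it
  # uses the current terminal instead of an empty-string device name.
  sulogin ${CONSOLE:+"$CONSOLE"}
fi

# some handy generic values to use
readonly ANY=0.0.0.0/0
readonly ALLONES=255.255.255.255

#
# Setup the incoming packets firewall.
#
printf '%s' "inbound..."

# flush the list. The builtin chains are flushed first so that nothing still
# references our "input" chain when it is deleted. On the very first run the
# chain does not exist yet, so -F/-X on it fail harmlessly (stderr silenced).
iptables -F INPUT
iptables -F FORWARD
iptables -F input 2>/dev/null
iptables -X input 2>/dev/null

# create a table for our rules
iptables -N input

# add it to the INPUT and FORWARD builtin chains. Note the builtin policies
# are left alone: every packet reaching the end of "input" is dropped there.
iptables -A INPUT -j input
iptables -A FORWARD -j input

# allow all packets on the loopback interface
iptables -A input -i lo -j ACCEPT

# allow all packets from the internal "trusted" interface
iptables -A input -i "$INTERNALIF" -s "$LOCALNET" -d "$ANY" -j ACCEPT
iptables -A input -i "$INTERNALIF" -d "$ALLONES" -j ACCEPT

# uncomment the following if you use diald (it uses SLIP)
# iptables -A input -i sl0 -j ACCEPT

# deny bcasts on remaining interfaces
iptables -A input -d 0.0.0.0 -j DROP
iptables -A input -d 255.255.255.255 -j DROP

# allow ICMP
iptables -A input -p icmp -j ACCEPT

# allow replies to connections this router (or a masqueraded host behind it)
# started. The connection-tracking match replaces the old "any TCP packet
# without SYN" rule: that rule let every non-SYN probe straight through and
# never covered UDP replies (e.g. DNS answers to the internal hosts), which
# this one does. Needs ip_conntrack in the kernel - on a kernel without it
# the rule fails to load and no replies are accepted (fail closed).
iptables -A input -m state --state ESTABLISHED,RELATED -j ACCEPT
# old, weaker equivalent kept for reference:
# iptables -A input -p tcp ! --syn -j ACCEPT

# allow lookups to/from DNS servers to router
# iptables -A input -p udp -s $DNS1 --sport domain --dport 1023: -j ACCEPT
# iptables -A input -p udp -s $DNS2 --sport domain --dport 1023: -j ACCEPT
# or (BETTER IDEA) run a caching DNS server on the router and use the following
# two lines instead...
# iptables -A input -p udp -s $DNS1 --sport domain --dport domain -j ACCEPT
# iptables -A input -p udp -s $DNS2 --sport domain --dport domain -j ACCEPT
# NB: this accepts UDP/53 from ANY source to the router. With the state match
# above it is only needed if the router answers DNS queries for the outside.
iptables -A input -p udp --dport domain -j ACCEPT

# allow auth (identd, tcp/113) in for sending mail or doing ftp
iptables -A input -p tcp --dport auth -j ACCEPT

# I don't think this is necessary anymore
# allow ports in for masquerading
#iptables -A input -p tcp --dport 61000:65096 -j ACCEPT
#iptables -A input -p udp --dport 61000:65096 -j ACCEPT

# uncomment the following to allow ssh in
# iptables -A input -p tcp --dport 22 -j ACCEPT

# uncomment the following to allow telnet in (BAD IDEA!!)
# iptables -A input -p tcp --dport telnet -j ACCEPT

# uncomment to allow NTP (network time protocol) to router
# iptables -A input -p udp --dport ntp -j ACCEPT

# uncomment to allow SMTP in (don't need for mail clients - only a server)
# iptables -A input -p tcp --dport smtp -j ACCEPT

# uncomment to allow HTTP in (only if you run a web server on the router)
# iptables -A input -p tcp --dport http -j ACCEPT

# deny these without logging 'cause there tend to be a lot...
iptables -A input -p udp --dport 137 -j DROP  # NetBIOS over IP
iptables -A input -p tcp --dport 137 -j DROP  # ""
iptables -A input -p udp --dport 138 -j DROP  # ""
iptables -A input -p tcp --dport 138 -j DROP  # ""
iptables -A input -p udp --dport 67 -j DROP   # bootp
iptables -A input -p udp --dport 68 -j DROP   # ""
# Multicast addresses: the whole class D range is 224.0.0.0/4 (224-239.x.x.x);
# the previous /8 only covered 224.x.x.x.
iptables -A input -s 224.0.0.0/4 -j DROP

# deny other packets and log them to /var/log/messages
iptables -A input -j LOG
iptables -A input -j DROP

#
# Setup masquerading
#
printf '%s' "masquerading..."

# flush our nat rules first, otherwise every "start" appends one more
# MASQUERADE rule on top of the previous ones.
iptables -t nat -F POSTROUTING

# masquerade packets forwarded from internal network (anything not heading
# back to the local net, on whatever interface it leaves by)
iptables -t nat -A POSTROUTING ! -d "$LOCALNET" -j MASQUERADE

printf '%s\n' "done."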