#!/bin/sh
#
# rc.firewall - Initial SIMPLE IP Firewall test script for 2.4.x
#
# Author: Oskar Andreasson <[EMAIL PROTECTED]>
# (c) of BoingWorld.com, use at your own risk, do whatever you please with
# it as long as you don't distribute this with due credits to
# BoingWorld.com
#
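###########
# Configuration options, these will speed you up getting this script to
# work with your own setup.
#
# your LAN's IP range and localhost IP. /24 means to only use the first 24
# bits of the 32 bit IP address. the same as netmask 255.255.255.0
#
# STATIC_IP is used by me to allow myself to do anything to myself, might
# be a security risk but sometimes I want this. If you don't have a static
# IP, I suggest not using this option at all for now.  It is commented out
# here, together with the INPUT/OUTPUT rules that reference it further down.
#
LAN_IP_RANGE="192.168.0.0/24"          # not referenced by any rule below
LAN_IP="192.168.0.1/32"
LAN_BCAST_ADRESS="192.168.0.255/32"
LOCALHOST_IP="127.0.0.1/32"
#STATIC_IP="194.236.50.155/32"
INET_IFACE="ppp0"
LAN_IFACE="eth0"
IPTABLES="/sbin/iptables"

#########
# Load all required IPTables modules
#
# Needed to initially load modules
#
/sbin/depmod -a
#
# Adds some iptables targets like LOG, REJECT and MASQUERADE.
# (ipt_REDIRECT is loaded although no rule below uses the REDIRECT target.)
#
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_REJECT
/sbin/modprobe ipt_MASQUERADE
/sbin/modprobe ipt_REDIRECT
#
# Support for owner matching
#
#/sbin/modprobe ipt_owner
#
# Support for connection tracking of FTP and IRC.
#
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc

#
# CRITICAL: Enable IP forwarding since it is disabled by default.
#
echo "1" > /proc/sys/net/ipv4/ip_forward
#
# Dynamic IP users:
#
# If you get your IP address dynamically from SLIP, PPP, or DHCP, enable this
# option. This enables dynamic-ip address hacking in IP MASQ, making the connection
# with Diald and similar programs much easier.
#
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

#
# Set default policies for the INPUT, FORWARD and OUTPUT chains.
#
# Done before any rule is appended so that the box is never left with an
# open default policy if the script aborts part way through (fail closed).
# Note that nothing here flushes existing rules (no -F/-X): re-running the
# script makes "-N allowed" complain that the chain already exists and every
# -A below appends a duplicate rule.
#
"$IPTABLES" -P INPUT DROP
"$IPTABLES" -P OUTPUT DROP
"$IPTABLES" -P FORWARD DROP

#
# Enable simple IP FORWARDing and Masquerading
#
# NOTE: The following is an example for an internal LAN, where the lan
# runs on eth0, and the Internet is on ppp0.
#
# Please change the network devices to match your own configuration.
#
"$IPTABLES" -t nat -A POSTROUTING -o "$INET_IFACE" -j MASQUERADE
#
# Clamp the MSS of forwarded SYNs to the path MTU ("fix speeds").  TCPMSS
# does not terminate chain traversal, but it has to sit *before* the blanket
# ACCEPT for $LAN_IFACE: otherwise LAN-originated SYNs are accepted first and
# never reach the clamp.
#
"$IPTABLES" -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
"$IPTABLES" -A FORWARD -i "$LAN_IFACE" -j ACCEPT
"$IPTABLES" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
"$IPTABLES" -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT FORWARD packet died: "

#
# Create separate chains for ICMP, TCP and UDP to traverse
#
# The icmp_packets chain is left disabled here, matching its (disabled)
# rules and its disabled INPUT dispatch rule further down.
#
#$IPTABLES -N icmp_packets
"$IPTABLES" -N tcp_packets
"$IPTABLES" -N udpincoming_packets

#
# the allowed chain for TCP connections
#
# This chain is reached when someone from the internet connects to a port
# that tcp_packets hands over to it.  A packet that opens a connection
# (SYN) or that belongs to an ESTABLISHED or RELATED connection is
# ACCEPTed; everything else is DROPped.  There is deliberately no
# unconditional "-p TCP -j ACCEPT" in front of the DROP: it would make the
# DROP unreachable and let out-of-state TCP segments straight in.
#
"$IPTABLES" -N allowed
"$IPTABLES" -A allowed -p TCP --syn -j ACCEPT
"$IPTABLES" -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
"$IPTABLES" -A allowed -p TCP -j DROP

#
# ICMP rules
#
# commented out just now...
#
#$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 0 -j ACCEPT
#$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 3 -j ACCEPT
#$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 5 -j ACCEPT
#$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

#
# TCP rules
#
# Only the catch-all rule is active: every inbound TCP segment from the
# internet is handed to "allowed", so a new connection to *any* port is
# accepted.  To actually restrict ports, enable the per-port rules and
# remove the catch-all.
#
#$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed
#$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed
#$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
#$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed
"$IPTABLES" -A tcp_packets -p TCP -s 0/0 -j allowed

#
# UDP ports
#
# Same situation as for TCP: the active rule accepts all inbound UDP from
# the internet; the per-source-port rules above it are disabled.
#
#$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT
#$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 123 -j ACCEPT
#$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 2074 -j ACCEPT
#$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 4000 -j ACCEPT
"$IPTABLES" -A udpincoming_packets -p UDP -s 0/0 -j ACCEPT

#
# PREROUTING chain.
#
# Do some checks for obviously spoofed IP's (private ranges arriving on the
# internet interface).
#
# NOTE(review): the nat table only sees the first packet of each connection,
# so these DROPs do not cover later packets; the filter table (INPUT/FORWARD)
# is the usual place for anti-spoofing checks.
#
"$IPTABLES" -t nat -A PREROUTING -i "$INET_IFACE" -s 192.168.0.0/16 -j DROP
"$IPTABLES" -t nat -A PREROUTING -i "$INET_IFACE" -s 10.0.0.0/8 -j DROP
"$IPTABLES" -t nat -A PREROUTING -i "$INET_IFACE" -s 172.16.0.0/12 -j DROP

#
# INPUT chain
#
# establish the basic INPUT chain and filter the packets onto the correct
# chains.
#
#$IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets
"$IPTABLES" -A INPUT -p TCP -i "$INET_IFACE" -j tcp_packets
"$IPTABLES" -A INPUT -p UDP -i "$INET_IFACE" -j udpincoming_packets
"$IPTABLES" -A INPUT -p TCP -m state --state RELATED -j ACCEPT
"$IPTABLES" -A INPUT -p ALL -i "$LAN_IFACE" -d "$LAN_BCAST_ADRESS" -j ACCEPT
"$IPTABLES" -A INPUT -p ALL -d "$LOCALHOST_IP" -j ACCEPT
"$IPTABLES" -A INPUT -p ALL -d "$LAN_IP" -j ACCEPT
#$IPTABLES -A INPUT -p ALL -d $STATIC_IP -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# Logging of packets that fall through to the INPUT DROP policy is disabled;
# enable it to see what the default policy discards.
#
#$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: "

#
# OUTPUT chain
#
# establish the basic OUTPUT chain and filter them onto the correct chain
#
"$IPTABLES" -A OUTPUT -p ALL -s "$LOCALHOST_IP" -j ACCEPT
"$IPTABLES" -A OUTPUT -p ALL -s "$LAN_IP" -j ACCEPT
#$IPTABLES -A OUTPUT -p ALL -s $STATIC_IP -j ACCEPT
#$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT OUTPUT packet died: "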
======================================================== Security Is A Series Of Well-Defined Steps...
chmod -R 0 / ; and smile :)

