At 03:06 AM 3/15/2001 +0800, Franki wrote:
>do I need any other ports??

You probably do need to open DNS, otherwise you won't be able to do things 
like surf the web, do hostname lookups to find anything out there, etc.  I 
attached a firewall that I wrote that is pretty simple, should be easy to 
adapt, and is not too badly commented.  It also does a lot of kernel option 
setting (TCP Syncookies, martian logging, etc) that need to be set.  This 
is for a standalone server mind you and not a NAT or masquerade box.  I've 
got one of those as well if you need it. Take a look, I hope it helps.

--
Matthew Micene
Systems Development Manager
Express Search Inc.
www.ExpressSearch.com

#!/bin/sh
# ipchains firewall for a standalone server (no NAT / masquerading)
# Set up some variables to make changing things easier
IPCHAINS="/sbin/ipchains"
LOCALIP=""                  # this host's address, e.g. 192.0.2.10
LOCALMASK="255.255.255.0"
ANYWHERE="0/0"
NS1=""                      # first nameserver from /etc/resolv.conf
NS2=""                      # second nameserver
WORK=""                     # office network allowed to ping us; referenced
                            # by the ICMP echo-request rule below, so set it
# tick.usno.navy.mil
NTP1="192.5.41.40"

# Flush and reset the default policies 

$IPCHAINS -P input DENY
$IPCHAINS -P output ACCEPT
$IPCHAINS -P forward REJECT

$IPCHAINS -F input
$IPCHAINS -F output
$IPCHAINS -F forward

# ---------- KERNEL OPTIONS ----------
# Make sure forwarding is off
echo "0" > /proc/sys/net/ipv4/ip_forward

# Setup the anti-spoofing blocks
for a in /proc/sys/net/ipv4/conf/*/rp_filter;
        do
                echo "1" > $a
        done

# Turn on SYN cookies
echo "1" > /proc/sys/net/ipv4/tcp_syncookies

# Turn off ICMP Broadcast replies
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Log impossible addresses
for a in /proc/sys/net/ipv4/conf/*/log_martians;
        do
                echo "1" > $a
        done

# Turn off ICMP redirection
for a in /proc/sys/net/ipv4/conf/*/accept_redirects;
        do
                echo "0" > $a
        done

# Turn off source routing
for a in /proc/sys/net/ipv4/conf/*/accept_source_route;
        do
                echo "0" > $a
        done

# ---------- INPUT RULES ---------- 
# Lets start off with incoming services we need....
# Open holes for DNS, udp only for each nameserver.  This is stateless: any
# UDP from the nameserver's port 53 to any local port gets in, and DNS over
# TCP (answers longer than 512 bytes, zone transfers) is not allowed at all.
$IPCHAINS -A input -p udp -s $NS1 53 -d $LOCALIP -j ACCEPT
$IPCHAINS -A input -p udp -s $NS2 53 -d $LOCALIP -j ACCEPT

# Open holes for NTP servers
$IPCHAINS -A input -p udp -s $NTP1 123 -d $LOCALIP 123 -j ACCEPT

# Now on to services we are allowing to be accessed
# Open a hole to httpd and smtpd 
$IPCHAINS -A input -p tcp -s $ANYWHERE -d $LOCALIP 80 -j ACCEPT
$IPCHAINS -A input -p tcp -s $ANYWHERE -d $LOCALIP 25 -j ACCEPT

# ICMP will be the next challenge
# Of the different types of ICMP packets we will accept:
#       0 (Echo Reply)
#       3 (Destination Unreachable)
#       11 (Time Exceeded)
#       12 (Parameter Problem)
# from any location and 8 (Echo Request) from the office boxen
# Also allow but log any incoming traceroutes
$IPCHAINS -A input -p icmp -s $ANYWHERE 0 -d $LOCALIP -j ACCEPT
$IPCHAINS -A input -p icmp -s $ANYWHERE 3 -d $LOCALIP -j ACCEPT
$IPCHAINS -A input -p icmp -s $ANYWHERE 11 -d $LOCALIP -j ACCEPT
$IPCHAINS -A input -p icmp -s $ANYWHERE 12 -d $LOCALIP -j ACCEPT
$IPCHAINS -A input -p icmp -s $WORK 8 -d $LOCALIP -j ACCEPT
# Classic traceroute probes are UDP from a high source port to 33434 and up,
# so this rule has to be -p udp: 32769:65535 cannot be an ICMP type range
# (types only go up to 255), so with -p icmp it could never match.
$IPCHAINS -A input -p udp -s $ANYWHERE 32769:65535 \
        -d $LOCALIP 33434:33523 -l -j ACCEPT

# Next will be return data we are expecting (www, ftp, etc)
# Active-mode FTP data connections come in from port 20, so that one has to
# accept SYNs.  Caveat: these two rules trust the remote source port, so a
# packet sent from source port 20 or 21 can open a connection to any local
# port above 1023.  Only run services on those ports that you mean to expose.
$IPCHAINS -A input -p tcp -s $ANYWHERE 20 -d $LOCALIP 1023: -j ACCEPT
$IPCHAINS -A input -p tcp -s $ANYWHERE 21 -d $LOCALIP 1023: -j ACCEPT
# Connections we opened ourselves: anything without the SYN flag (! -y)
# coming back to our ephemeral port range
$IPCHAINS -A input -p tcp ! -y -s $ANYWHERE -d $LOCALIP 1023:61000 -j ACCEPT

# Allow all local loopback traffic
$IPCHAINS -A input -i lo -s 127.0.0.1 -d 127.0.0.1  -j ACCEPT
$IPCHAINS -A input -i lo -s $LOCALIP -d $LOCALIP  -j ACCEPT

# Deny and log all the rest of the incoming connections
# Identd should be rejected and not denied: remote mail servers that do an
# ident lookup get an immediate ICMP unreachable instead of hanging until
# they time out.  Nobody cares about NetBIOS, so drop it silently rather
# than let Windows broadcast chatter fill the log.
$IPCHAINS -A input -p tcp -s $ANYWHERE -d $LOCALIP 113 -j REJECT
$IPCHAINS -A input -p udp -s $ANYWHERE 137:139 -d $LOCALIP -j DENY
# Everything else: log it, then drop it
$IPCHAINS -A input -s $ANYWHERE -d $LOCALIP -l -j DENY
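An added example, not part of Matthew's message or his script: ipchains is stateless and stops at the first rule that matches, so the question to ask of any packet is "which rule catches it, and is that the rule I meant?". The small simulator below restates the input chain above in the script's order and walks sample packets through it, which makes the two points a reviewer would raise visible: a SYN sent from source port 21 (or 20) reaches any local port above 1023, and traceroute probes are accepted and logged. Assumed stand-in values, since the script leaves them blank or undefined: NS1 is 192.0.2.53, the office network WORK is 198.51.100.0/24, and NS2 is left out; the probe packets are constructed for the example.

```python
# Added example (not part of Matthew Micene's message or script): first-match
# simulator for the ipchains "input" chain above.  Rules are listed in the
# order the script appends them.  Assumed placeholder values: NS1 192.0.2.53,
# WORK 198.51.100.0/24 (the script leaves NS1 blank and never defines WORK).
import ipaddress

NS1 = "192.0.2.53"           # assumed nameserver
NTP1 = "192.5.41.40"         # tick.usno.navy.mil, as in the script
WORK = "198.51.100.0/24"     # assumed office network
ANYWHERE = "0.0.0.0/0"

# Each rule: (proto, src_net, sport, dport, syn, log, target)
#   sport/dport are inclusive (lo, hi) ranges or None for "any"; for ICMP the
#   sport slot holds the ICMP type, exactly as ipchains overloads it.
#   syn: None = any flags, True = -y (SYN only), False = ! -y (non-SYN only).
RULES = [
    ("udp",  NS1,      (53, 53),       None,           None,  False, "ACCEPT"),
    ("udp",  NTP1,     (123, 123),     (123, 123),     None,  False, "ACCEPT"),
    ("tcp",  ANYWHERE, None,           (80, 80),       None,  False, "ACCEPT"),
    ("tcp",  ANYWHERE, None,           (25, 25),       None,  False, "ACCEPT"),
    ("icmp", ANYWHERE, (0, 0),         None,           None,  False, "ACCEPT"),
    ("icmp", ANYWHERE, (3, 3),         None,           None,  False, "ACCEPT"),
    ("icmp", ANYWHERE, (11, 11),       None,           None,  False, "ACCEPT"),
    ("icmp", ANYWHERE, (12, 12),       None,           None,  False, "ACCEPT"),
    ("icmp", WORK,     (8, 8),         None,           None,  False, "ACCEPT"),
    ("udp",  ANYWHERE, (32769, 65535), (33434, 33523), None,  True,  "ACCEPT"),
    ("tcp",  ANYWHERE, (20, 20),       (1023, 65535),  None,  False, "ACCEPT"),
    ("tcp",  ANYWHERE, (21, 21),       (1023, 65535),  None,  False, "ACCEPT"),
    ("tcp",  ANYWHERE, None,           (1023, 61000),  False, False, "ACCEPT"),
    ("tcp",  ANYWHERE, None,           (113, 113),     None,  False, "REJECT"),
    ("udp",  ANYWHERE, (137, 139),     None,           None,  False, "DENY"),
    ("any",  ANYWHERE, None,           None,           None,  True,  "DENY"),
]
INPUT_POLICY = "DENY"   # -P input DENY: applies when nothing matches


def pkt(proto, src, sport, dport=0, syn=False):
    """Describe a packet; for ICMP, sport carries the ICMP type."""
    return {"proto": proto, "src": src, "sport": sport, "dport": dport, "syn": syn}


def _in_range(value, rng):
    return rng is None or rng[0] <= value <= rng[1]


def _src_ok(src, src_net):
    return ipaddress.ip_address(src) in ipaddress.ip_network(src_net, strict=False)


def evaluate(p):
    """Walk the chain in order; return (rule index, target, logged) for the
    first match, or (None, policy, False) when the chain policy applies."""
    for idx, (proto, src_net, sprt, dprt, syn, log, target) in enumerate(RULES):
        if proto != "any" and proto != p["proto"]:
            continue
        if not _src_ok(p["src"], src_net):
            continue
        if not _in_range(p["sport"], sprt) or not _in_range(p["dport"], dprt):
            continue
        if syn is not None and p["syn"] != syn:
            continue
        return idx, target, log
    return None, INPUT_POLICY, False


# Constructed probe set: the cases a reviewer of this ruleset would check.
PROBES = {
    "SYN to http from the Internet":   pkt("tcp", "203.0.113.7", 50000, 80, syn=True),
    "SYN to ssh from the Internet":    pkt("tcp", "203.0.113.7", 50000, 22, syn=True),
    "SYN from source port 21 to 8080": pkt("tcp", "203.0.113.7", 21, 8080, syn=True),
    "ACK of our own outbound https":   pkt("tcp", "203.0.113.7", 443, 40000),
    "traceroute probe":                pkt("udp", "203.0.113.7", 40000, 33440),
    "ping from the Internet":          pkt("icmp", "203.0.113.7", 8),
    "ping from the office":            pkt("icmp", "198.51.100.5", 8),
    "NetBIOS chatter":                 pkt("udp", "203.0.113.7", 138, 1000),
    "ident lookup":                    pkt("tcp", "203.0.113.7", 50000, 113, syn=True),
    "DNS answer from NS1":             pkt("udp", NS1, 53, 40000),
}

if __name__ == "__main__":
    for name, p in PROBES.items():
        idx, target, log = evaluate(p)
        where = "policy" if idx is None else f"rule {idx}"
        print(f"{name:34s} -> {target:6s} ({where}{', logged' if log else ''})")
```

Run it as-is to get one line per probe. The "SYN from source port 21 to 8080" line lands on the port-21 return-data rule and is accepted without being logged; that is the source-port trust problem in the two FTP rules, and the same probe with source port 20 behaves the same way. Everything that is neither a listed service nor return traffic falls through to the final logging DENY, which is what you want to see before putting the box on the wire.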
