13/04/00 11:09:22 PM
I know you won't be able to make it go for me.. but I'd like some "experts" to look it
over..
Can anyone see anything immediatly wrong with this firewall?
#/bin/sh
#
# firewall Install firewall rules.
# Note: these rules are ordered by most frequently
# accessed to the least frequent. This saves kernel
# processing time in finding the rule to match an incoming
# packet.
#
# Version: @(#) /etc/init.d/firewall 1.02 November 18th 1999
#
# Author: Patrick D'Cruze,
# Modified by: Paul Raj Khangure
#
# Source function library.
. /etc/rc.d/init.d/functions
[ -f /sbin/ipchains ] || exit 0
# See how we were called.
case "$1" in
start)
# First, let's turn on Source Address Verification
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
echo -n "Setting up IP spoofing protection..."
for file in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 > $file
done
echo "done."
else
echo PROBLEMS SETTING UP IP SPOOFING PROTECTION. BE WORRIED.
fi
# By default DENY all incoming services
/sbin/ipchains --flush
/sbin/ipchains --flush
/sbin/ipchains --flush
/sbin/ipchains --delete-chain eth-in
# Create a new chain
/sbin/ipchains --new-chain eth-in
# Some definitions
INT_IP="192.168.100.1/24" # Internal Network.
EXT_IP="203.57.131.0/32" # Here be hackers.
INTLAN="192.168.100.0/24" # Internal LAN.
LOKI="192.168.100.2/24" # Marcus machine.
IPCHAIN_IN="/sbin/ipchains --append eth-in"
ACC1="--proto tcp --interface eth+ --jump ACCEPT"
ACC2="--proto udp --interface eth+ --jump ACCEPT"
ACC3="--proto icmp --interface eth+ --jump ACCEPT"
DEN1="--proto tcp --interface eth+ --jump DENY"
DEN2="--proto udp --interface eth+ --jump DENY"
DEN3="--proto icmp --interface eth+ --jump DENY"
echo "Def's done"
# Let local host contact itself
/sbin/ipchains -A input -s 127.0.0.0/8 -d 0/0 -p all --jump ACCEPT
# Allow ICMP for the moment for MTU discovery
${IPCHAIN_IN} -s 0/0 -d 0/0 ${ACC3}
# Allow this machine to receive web pages.
${IPCHAIN_IN} -s 0/0 80 -d ${EXT_IP} ${ACC1}
# ${IPCHAIN_IN} -s 0/0 80 -d ${INT_IP} ${ACC1}
echo "part 1 done"
# Allow DNS traffic - the local LAN to use this server, and
# this server to make DNS requests of others.
${IPCHAIN_IN} -s ${INTLAN} -d ${INT_IP} 53 ${ACC1}
${IPCHAIN_IN} -s ${INTLAN} -d ${INT_IP} 53 ${ACC2}
${IPCHAIN_IN} -s 0/0 53 -d ${EXT_IP} ${ACC1}
${IPCHAIN_IN} -s 0/0 53 -d ${EXT_IP} ${ACC2}
# Allow the dirty side to use this server as a DNS server
${IPCHAIN_IN} -s ${EXTLAN} -d ${EXT_IP} 53 ${ACC1}
${IPCHAIN_IN} -s ${EXTLAN} -d ${EXT_IP} 53 ${ACC2}
# Block any other DNS
${IPCHAIN_IN} -s 0/0 -d 0/0 53 -l ${DEN1}
${IPCHAIN_IN} -s 0/0 -d 0/0 53 -l ${DEN2}
# Allow FTP and Telnet out.
${IPCHAIN_IN} -s ${INTLAN} -d 0/0 20:21 ${ACC1}
${IPCHAIN_IN} -s ${INTLAN} -d 0/0 23 ${ACC1}
${IPCHAIN_IN} -s 0/0 20:21 -d ${EXT_IP} ${ACC1}
${IPCHAIN_IN} -s 0/0 23 -d ${EXT_IP} ${ACC1}
# This lan is allowed to access the LAN
${IPCHAIN_IN} -s ${INTLAN} -d ${INTLAN} ${ACC1}
${IPCHAIN_IN} -s ${INTLAN} -d ${INTLAN} ${ACC2}
# Nothing else should get into the LAN.
${IPCHAIN_IN} -s 0/0 -d ${INTLAN} -l ${DEN1}
${IPCHAIN_IN} -s 0/0 -d ${INTLAN} -l ${DEN2}
# Now add the rules and set the default policy
/sbin/ipchains --append input --interface eth+ --jump eth-in
/sbin/ipchains --policy input REJECT
/sbin/ipchains --policy output ACCEPT
/sbin/ipchains --policy forward ACCEPT
# Firewall has been configured
echo "B AWARE, stay alert and trust no-one. Protection is active."
touch /var/lock/subsys/firewall
;;
stop)
/sbin/ipchains -F
/sbin/ipchains --policy input ACCEPT
/sbin/ipchains --policy output ACCEPT
/sbin/ipchains --policy forward ACCEPT
echo "You've dropped your guard. Death is but a soul away..."
rm -f /var/lock/subsys/firewall
;;
*)
echo "Usage: firewall {start|stop}"
exit 1
esac
exit 0
================Sig Start==================
Motto for the I.T. Industry:
BIGGER, <i>faster</i>, <b>more</b>, <u>NOW!</u>
Thought for the future:
If you thought the Y2k Bug was a media frenzie,
just you wait till the IPv6 issue is announced...
================Sig Stop==================
-
To unsubscribe from this list: send the line "unsubscribe linux-newbie" in
the body of a message to [EMAIL PROTECTED]
Please read the FAQ at http://www.linux-learn.org/faqs
