I have a linux box (RH6.2) with an ADSL line hooked
to it, from which 3 of us share for email, www, ftp,
etc. Everything works fine & dandy, but I am concerned
about security, as I concentrated more on getting
everyone connected to the net than security, and also I
am learning as I go. I have been following the mail
list for a while, and have applied things I thought
were necessary, but I'd appreciate it if someone could
take a peek at my rulesets and tell me if there is
something(s) I could change to lessen a chance of
unwanted intrusion. I use 2 ethernet cards, eth0 and
eth1. The DSL line is connected to eth0. If any more
info is needed, please let me know.
Thanks in advance.
--
Tom
+++++++++++++++
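#!/bin/sh
# Start and Stop masquerading
#
# Usage: masq {start|stop}
#
#   start  - set the kernel anti-spoofing/ICMP sysctls, load the
#            ip_masq_* helper modules and install the ipchains rules.
#   stop   - unload the helper modules (rules are left in place).
#
# Exit status: 0 on start/stop, 1 on a bad argument.
#
# The box has two interfaces: the DSL line on eth0 (external) and the
# LAN on eth1.  The external address, broadcast and interface names are
# collected here so they are changed in one place only.
NAME=$0
EXT_IF=eth0
INT_IF=eth1
EXT_IP=123.123.123.123
EXT_BCAST=123.123.123.255
# The three original MASQ rules (192.168.0.2/24, .3/24, .5/24) all
# describe the same /24, so one rule covers them.  Use /32 entries
# instead if only specific hosts should be masqueraded.
LAN_NET=192.168.0.0/24

# Write a value into every /proc/sys file given after it.
# $1 - value, $2.. - files (globs are expanded by the caller)
set_proc() {
  _val=$1
  shift
  for _f in "$@"; do
    echo "$_val" > "$_f"
  done
}

case "$1" in
start)
echo -n "Starting IP Masquerading ............"
# Flush any residual rules left over from a previous run
/sbin/ipchains -F
# modules
/sbin/depmod -a
# Robt.Ziegler stuff: kernel-level hardening knobs
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# echo 1 > /proc/sys/net/ipv4/ip_always_defrag
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# (was split over two lines by mail wrapping; must be one command)
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# Spoofing Protection (reverse-path filter on every interface)
set_proc 1 /proc/sys/net/ipv4/conf/*/rp_filter
# Disable ICMP Redirect Acceptance
set_proc 0 /proc/sys/net/ipv4/conf/*/accept_redirects
# Disable Source routed packets
set_proc 0 /proc/sys/net/ipv4/conf/*/accept_source_route
# Log spoofed packets, source routed packets, redirect packets
set_proc 1 /proc/sys/net/ipv4/conf/*/log_martians
# Load masquerading helper modules
/sbin/modprobe ip_masq_ftp
/sbin/modprobe ip_masq_raudio
/sbin/modprobe ip_masq_quake
/sbin/modprobe ip_masq_vdolive
/sbin/modprobe ip_masq_portfw
/sbin/modprobe ip_masq_autofw
# Try to optimize ftp & telnet (TOS: minimum delay / maximum throughput)
/sbin/ipchains -A output -p tcp -d 0.0.0.0/0 telnet -t 0x01 0x10
/sbin/ipchains -A output -p tcp -d 0.0.0.0/0 ftp -t 0x01 0x10
/sbin/ipchains -A output -p tcp -d 0.0.0.0/0 ftp-data -t 0x01 0x08
# default is to deny forwarded packets; only the MASQ rule below lets
# LAN traffic through
/sbin/ipchains -P forward DENY
# Accept local activities
/sbin/ipchains -A input -i lo -j ACCEPT
/sbin/ipchains -A output -i lo -j ACCEPT
# Other machines here: the LAN side is fully trusted
/sbin/ipchains -A input -i "$INT_IF" -s 0/0 -j ACCEPT
/sbin/ipchains -A output -i "$INT_IF" -s 0/0 -j ACCEPT
# Here it is ....
/sbin/ipchains -A forward -s "$LAN_NET" -j MASQ
# Whack (old variants, kept for reference)
#/sbin/ipchains -P input ACCEPT
#/sbin/ipchains -l -i eth0 -p tcp --dport 20:1024 -j DENY
#/sbin/ipchains -l -i eth0 -p tcp --dport 20:1024 -j DENY
# Enable Telnet server
# The destination port 23 was missing from the original input rule,
# which accepted any TCP packet from an unprivileged source port to
# ANY port on this host and made the DENY rules at the end useless.
/sbin/ipchains -A input -i "$EXT_IF" -p tcp \
  --source-port 1024:65535 \
  -d "$EXT_IP" 23 -j ACCEPT
/sbin/ipchains -A output -i "$EXT_IF" -p tcp \
  -s "$EXT_IP" 23 \
  --destination-port 1024:65535 -j ACCEPT
# Enable DNS
# "! -y" accepts only non-SYN segments, i.e. replies to connections we
# opened; without it anyone sending from source port 53 could open a
# connection to any port in 53:1024 on this host.
/sbin/ipchains -A input -i "$EXT_IF" -p tcp ! -y \
  --source-port 53 \
  -d "$EXT_IP" 53:1024 -j ACCEPT
/sbin/ipchains -A output -i "$EXT_IF" -p tcp \
  -s "$EXT_IP" 53 \
  --destination-port 53:65535 -j ACCEPT
/sbin/ipchains -A input -i "$EXT_IF" -p udp \
  --source-port 53 \
  -d "$EXT_IP" 53:65535 -j ACCEPT
# Internal Netbios packets
# NOTE(review): these match the external interface and the external
# broadcast address; confirm they are really wanted on the DSL side.
/sbin/ipchains -A input -i "$EXT_IF" -p tcp \
  -s "$EXT_IP" 138 \
  -d "$EXT_BCAST" 138 -j ACCEPT
/sbin/ipchains -A output -i "$EXT_IF" -p tcp \
  -s "$EXT_BCAST" 138 \
  -d "$EXT_IP" 138 -j ACCEPT
/sbin/ipchains -A input -i "$EXT_IF" -p udp \
  -s "$EXT_IP" 138 \
  -d "$EXT_BCAST" 138 -j ACCEPT
/sbin/ipchains -A output -i "$EXT_IF" -p udp \
  -s "$EXT_BCAST" 138 \
  -d "$EXT_IP" 138 -j ACCEPT
# Enable FTP server (control on 21, active-mode data from 20)
/sbin/ipchains -A input -i "$EXT_IF" -p tcp \
  --source-port 1024:65535 \
  -d "$EXT_IP" 21 -j ACCEPT
/sbin/ipchains -A output -i "$EXT_IF" -p tcp \
  -s "$EXT_IP" 21 \
  --destination-port 1024:65535 -j ACCEPT
/sbin/ipchains -A output -i "$EXT_IF" -p tcp \
  -s "$EXT_IP" 20 \
  --destination-port 1024:65535 -j ACCEPT
/sbin/ipchains -A input -i "$EXT_IF" -p tcp \
  --source-port 1024:65535 \
  -d "$EXT_IP" 20 -j ACCEPT
# Allow ident/auth (port 113) - mail servers query it before accepting
/sbin/ipchains -A input -i "$EXT_IF" -p tcp --dport 113 -j ACCEPT
# Whack unwanted nasti's
# NOTE(review): the input policy is ACCEPT and only 21:1024 is denied,
# so every other port (1-20 and everything above 1024) on the DSL side
# stays reachable.  A DENY policy with explicit ACCEPTs would be safer;
# left as-is because it changes what the LAN and local services see.
/sbin/ipchains -P input ACCEPT
/sbin/ipchains -A input -l -i "$EXT_IF" -p tcp --dport 21:1024 -j DENY
/sbin/ipchains -A input -l -i "$EXT_IF" -p udp --dport 21:1024 -j DENY
echo -n ".."
echo "DONE"
;;
stop)
echo -n "Stopping all this masquerading ......................"
# Unload the same helper modules that start) loaded; rmmod fails for a
# module that is still in use, which is harmless here.
/sbin/rmmod ip_masq_ftp
/sbin/rmmod ip_masq_quake
/sbin/rmmod ip_masq_raudio
/sbin/rmmod ip_masq_vdolive
/sbin/rmmod ip_masq_portfw
/sbin/rmmod ip_masq_autofw
echo "DONE."
;;
*)
echo "Get it right ... masq {start/stop}" >&2
exit 1
;;
esac
exit 0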