Have a look at the attached script, I use it as a startup script

On 09-Feb-99 Johann Kappacher wrote:
>
> Hi,
>
> so far I have consistently ignored the threads about these two tools
> - now I need it myself =:-O
>
> SuSE6.0/2.2.1
>
> I did RTFM:
> Kernel Changes: ipfwadm MUST be replaced (e.g. by ipchains)!
>
> Now the firewall start script consists of a whole lot of ipfwadm calls!
>
> Also, I would like to install the FW first and only then go through the
> theory, because I am now permanently online on the Telekabel network!
>
> Is there a surefire recipe for the switch, so that I can postpone a
> man ipchains until later?
>
> Thanks,
> -- hannes
>| Johann S. Kappacher   +--------+ http://surf.to/Kappacher |
>| Gellertgasse 21/4/19  | Hannes | voice: +43-1-6066763     |
>| A-1100 Wien/Vienna    +--------+ GSM: +43-676-3743268     |
> +------------ PGP - registered at http://pgp5.ai.mit.edu ------------+

----------------------------------
E-Mail: [EMAIL PROTECTED]
Date: 09-Feb-99
Time: 14:32:42

This message was sent by XFMail
----------------------------------
#!/bin/sh
#STAMPEDE:3 4 5:72:Packet Filtering services
# rc.firewall
# Script version 1.05 - January 16, 1999
#
################################################################
#
# Initialization script to set up tight rules-based firewalling and
# masquerading for private LAN/internet gateways, via ipchains.
#
# Standard usage is to put this in rc.local after loading the ip masq
# modules, but any changes can be immediately activated simply by running
# this script, as it flushes the old rules and puts in the new ruleset.
#
# Requires Linux 2.1.102 and up or a 2.0.x kernel patched for ipchains,
# as well as the ipchains program, available from the official website at:
# [http://www.adelaide.net.au/~rustcorp/ipfwchains/ipfwchains.html]
#
# All logging goes to dmesg/klogd
#
# Recommended reading:
#
# RFC 1918, 'Address allocation for private internets'
# Ethernet-HOWTO          NET-3-HOWTO
# PPP-HOWTO               ipchains-HOWTO
# The Jargon File         Anything by Terry Pratchett
#
################################################################
# Copyright info:
#
# ipchains (C) 1998 Paul Russell [[EMAIL PROTECTED]]
#
# script (C) 1998 Ian Hall-Beyer [[EMAIL PROTECTED]]
#
# Contributors:
# Raymond Moyers [[EMAIL PROTECTED]] - Original ipfwadm script
#
# You are free to distribute this script as you see fit. Any
# modified script must list the authors and contributors above.
# I would also appreciate an email letting me know what you've
# done to improve on it.
#
################################################################
#
# set the following variables to match your network
INTERNALIF="eth0"
INTERNALNET="192.168.0.0/24"
INTERNALIP="192.168.0.1"
INTERNALIF2="eth1"
INTERNALNET2="192.168.1.0/24"
INTERNALIP2="192.168.1.1"
#
EXTERNALIF="ippp0"
EXTERNALNET="0.0.0.0/0"
EXTERNALIP="0.0.0.0"
#
# This is the location of the ipchains command
IPCHAINS="/sbin/ipchains"

# Enable ip forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
#
################################################################
#
## Flush everything, start from scratch
#
# Incoming packets from the outside network
$IPCHAINS -F input
# Outgoing packets from the internal network
$IPCHAINS -F output
# Forwarding/masquerading
$IPCHAINS -F forward
#
## Allow all connections on the internal interface
#
$IPCHAINS -A input  -i $INTERNALIF  -s 0/0 -d 0/0 -j ACCEPT
$IPCHAINS -A output -i $INTERNALIF  -s 0/0 -d 0/0 -j ACCEPT
$IPCHAINS -A input  -i $INTERNALIF2 -s 0/0 -d 0/0 -j ACCEPT
$IPCHAINS -A output -i $INTERNALIF2 -s 0/0 -d 0/0 -j ACCEPT
#
#
## IP Masq
#
## dont masq internal-internal traffic
$IPCHAINS -A forward -s $INTERNALNET  -d $INTERNALNET  -j ACCEPT
$IPCHAINS -A forward -s $INTERNALNET2 -d $INTERNALNET2 -j ACCEPT
$IPCHAINS -A forward -s $INTERNALNET2 -d $INTERNALNET  -j ACCEPT
$IPCHAINS -A forward -s $INTERNALNET  -d $INTERNALNET2 -j ACCEPT
#
## dont masq external interface direct
## (an address without a mask is a /32, so with EXTERNALIP left at
## 0.0.0.0 this rule matches nothing; set it to the real address)
$IPCHAINS -A forward -s $EXTERNALIP -d 0/0 -j ACCEPT
#
## masquerade all internal IP's going outside
$IPCHAINS -A forward -s $INTERNALNET  -d 0/0 -j MASQ
$IPCHAINS -A forward -s $INTERNALNET2 -d 0/0 -j MASQ
#
# Type of Service (TOS) bits
# This is a new feature of ipchains - check the ipchains HOWTO for
# details on what this does
#
# Set telnet, www and FTP for minimum delay
$IPCHAINS -A output -p tcp -d 0/0 www    -t 0x01 0x10
$IPCHAINS -A output -p tcp -d 0/0 telnet -t 0x01 0x10
$IPCHAINS -A output -p tcp -d 0/0 ftp    -t 0x01 0x10
#
# Set ftp-data for maximum throughput
$IPCHAINS -A output -p tcp -d 0/0 ftp-data -t 0x01 0x08
#
#
################################################################
# Insert trusted networks here
# (specific networks that can connect to your system)
#
#$IPCHAINS -A input -p [protocol] -s [TRUSTED NET] -d 0/0 [port range] -j ACCEPT
################################################################
# Insert banned networks here
# (specific networks that are banned from your system)
# This is good for blocking the script kiddies.
# any packets meeting these rules are logged.
#
#$IPCHAINS -A input -p [protocol] -s [BANNED NET] -d 0/0 [port range] -l -j DENY
################################################################
# Insert prohibited sites here
# (specific networks that your system is not allowed to connect to)
# any packets meeting these rules are logged.
#
#$IPCHAINS -A output [-p [protocol]] -s $INTERNALNET -d [prohibited net] [port range] -l -j REJECT
################################################################
#
#
## Specific port blocks on the external interface
## These ports have known vulnerabilities and should not be open
## to the outside world unless there is a really good reason for it.
## Since these are potentially vulnerable, packets are logged.
#
## NetBEUI
$IPCHAINS -A input -i $EXTERNALIF -p tcp -s 0/0 -d 0/0 139 -l -j DENY
$IPCHAINS -A input -i $EXTERNALIF -p udp -s 0/0 -d 0/0 139 -l -j DENY
#
## MS-SQL
$IPCHAINS -A input -i $EXTERNALIF -p tcp -s 0/0 -d 0/0 1433 -l -j DENY
$IPCHAINS -A input -i $EXTERNALIF -p udp -s 0/0 -d 0/0 1433 -l -j DENY
#
## NFS
#$IPCHAINS -A input -i $EXTERNALIF -p tcp -s 0/0 -d 0/0 2049 -l -j DENY
#$IPCHAINS -A input -i $EXTERNALIF -p udp -s 0/0 -d 0/0 2049 -l -j DENY
#
## PostgreSQL
$IPCHAINS -A input -i $EXTERNALIF -p tcp -s 0/0 -d 0/0 5432 -l -j DENY
$IPCHAINS -A input -i $EXTERNALIF -p udp -s 0/0 -d 0/0 5432 -l -j DENY
#
## X11 displays (ports 5999:6003)
$IPCHAINS -A input -i $EXTERNALIF -p tcp -s 0/0 -d 0/0 5999:6003 -l -j DENY
$IPCHAINS -A input -i $EXTERNALIF -p udp -s 0/0 -d 0/0 5999:6003 -l -j DENY
#
## Back Orifice
$IPCHAINS -A input -i $EXTERNALIF -p tcp -s 0/0 -d 0/0 31337 -j DENY
$IPCHAINS -A input -i $EXTERNALIF -p udp -s 0/0 -d 0/0 31337 -j DENY
#
## NetBus
$IPCHAINS -A input -i $EXTERNALIF -p tcp -s 0/0 -d 0/0 12345:12346 -j DENY
$IPCHAINS -A input -i $EXTERNALIF -p udp -s 0/0 -d 0/0 12345:12346 -j DENY
#
#
## High unpriv ports
## (must stay below the specific port blocks above: ipchains uses the
## first matching rule. Note that without "! -y" these two rules also
## admit brand-new inbound TCP connections to any high port, not just
## replies to connections opened from inside.)
#
$IPCHAINS -A input -p tcp -s 0/0 -d 0/0 1023:65535 -j ACCEPT
$IPCHAINS -A input -p udp -s 0/0 -d 0/0 1023:65535 -j ACCEPT
#
#
## Basic Services
# Note that unlike ipfw, ipchains cannot take more than one port per
# command, unless it is a range of ports (e.g. 20:23). You can also
# specify a service type (it must be defined in /etc/services)
# instead of a port number. Comment any of these out to block the
# service.
#
# ftp-data
$IPCHAINS -A input -p tcp -s 0/0 -d 0/0 20 -j ACCEPT
# ftp
$IPCHAINS -A input -p tcp -s 0/0 -d 0/0 21 -j ACCEPT
# ssh
$IPCHAINS -A input -p tcp -s 0/0 -d 0/0 22 -j ACCEPT
# telnet
$IPCHAINS -A input -p tcp -s 0/0 -d 0/0 23 -j ACCEPT
# smtp
$IPCHAINS -A input -p tcp -s 0/0 -d 0/0 25 -j ACCEPT
# DNS
$IPCHAINS -A input -p tcp -s 0/0 -d 0/0 53 -j ACCEPT
$IPCHAINS -A input -p udp -s 0/0 -d 0/0 53 -j ACCEPT
# http
$IPCHAINS -A input -p tcp -s 0/0 -d 0/0 80 -j ACCEPT
# POP-3
$IPCHAINS -A input -p tcp -s 0/0 -d 0/0 110 -j ACCEPT
# identd
$IPCHAINS -A input -p tcp -s 0/0 -d 0/0 113 -j ACCEPT
# NNTP
$IPCHAINS -A input -p tcp -s 0/0 -d 0/0 119 -j ACCEPT
# https
$IPCHAINS -A input -p tcp -s 0/0 -d 0/0 443 -j ACCEPT
#
## ICMP
#
# Deny
# Use this to deny ICMP attacks from specific addresses
#$IPCHAINS -A input -b -i $EXTERNALIF -p icmp -s <address> -d 0/0 -j DENY
#
# Allow incoming ICMP
$IPCHAINS -A input -i $EXTERNALIF -p icmp -s 0/0 -d 0/0 -j ACCEPT
$IPCHAINS -A input -i $INTERNALIF -p icmp -s 0/0 -d 0/0 -j ACCEPT
# Allow outgoing ICMP
$IPCHAINS -A output -i $EXTERNALIF -p icmp -s 0/0 -d 0/0 -j ACCEPT
$IPCHAINS -A output -i $INTERNALIF -p icmp -s 0/0 -d 0/0 -j ACCEPT
#
#
## set default policies
## ipchains reverts to these if it hasn't matched any of the previous
## rules.
#
$IPCHAINS -A input   -j DENY
$IPCHAINS -A output  -j ACCEPT
$IPCHAINS -A forward -j DENY
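The question in the thread is how to carry an ipfwadm start script over to ipchains without learning the new tool first. Below is an added example, not part of the post or of the attached script: a small Python translator that maps ipfwadm categories and options (-I/-O/-F, -a/-i/-d/-f/-p, -S/-D, -W, -k, -o, -t, -m) onto the ipchains chains and flags the script above uses, and splits a rule naming several ports into one ipchains rule per port, since ipchains takes only one port or range per -s/-d. The option tables are my own reconstruction of the two tools' syntax, and the input is assumed to be a full command line starting with the ipfwadm command word; check the generated lines against man ipchains before loading them.

```python
import shlex

# Constructed option tables (added example; not the ipfwadm-wrapper that ships with ipchains).
CHAINS = {"-I": "input", "-O": "output", "-F": "forward"}       # ipfwadm category -> chain
CMDS = {"-a": "-A", "-i": "-I", "-d": "-D", "-f": "-F", "-p": "-P"}  # append/insert/delete/flush/policy
POLICY = {"accept": "ACCEPT", "a": "ACCEPT", "deny": "DENY", "d": "DENY",
          "reject": "REJECT", "r": "REJECT", "masquerade": "MASQ", "m": "MASQ"}
FLAGS = {"-k": "! -y", "-y": "-y", "-o": "-l", "-b": "-b"}      # ACK-only, SYN-only, log, both ways
OPTS = {"-P": "-p", "-W": "-i", "-S": "-s", "-D": "-d"}         # proto, interface, source, dest


def convert(line, ipchains="/sbin/ipchains"):
    """Return the ipchains command(s) equivalent to one full ipfwadm command line.
    ipchains takes one port (or lo:hi range) per -s/-d, so an ipfwadm rule naming several
    ports expands to one rule per port pair; unsupported options (-A, -V, -r) raise."""
    argv = shlex.split(line)[1:]                  # drop the leading ipfwadm command word
    chain = cmd = policy = tos = None
    vals, ports, flags, masq, i = {}, {"-S": [], "-D": []}, [], False, 0
    while i < len(argv):
        tok, nxt = argv[i], argv[i + 1] if i + 1 < len(argv) else None
        if tok in CHAINS:
            chain = CHAINS[tok]
        elif tok in CMDS:
            cmd = CMDS[tok]
            if nxt in POLICY:                     # "-a accept", "-p deny", "-a m" ...
                policy, i = POLICY[nxt], i + 1
        elif tok in OPTS:                         # -P proto | -W iface | -S/-D addr [port ...]
            vals[tok], i = nxt, i + 1
            while tok in ports and i + 1 < len(argv) and not argv[i + 1].startswith("-"):
                i += 1
                ports[tok].append(argv[i])
        elif tok == "-t":                         # TOS andmask xormask: same syntax in ipchains
            tos, i = argv[i + 1:i + 3], i + 2
        elif tok == "-m":                         # old "accept and masquerade" form
            masq = True
        elif tok in FLAGS:
            flags.append(FLAGS[tok])
        elif tok not in ("-n", "-v", "-x", "-e"): # listing-only options have no rule effect
            raise ValueError("no ipchains equivalent for ipfwadm option %r" % tok)
        i += 1
    if chain is None or cmd is None:
        raise ValueError("need a category (-I/-O/-F) and a command (-a/-i/-d/-f/-p)")
    if cmd in ("-F", "-P"):                       # flush / default policy need no match spec
        return [" ".join(filter(None, (ipchains, cmd, chain, policy)))]
    out = []
    for sp in ports["-S"] or [None]:
        for dp in ports["-D"] or [None]:
            parts = [ipchains, cmd, chain]
            for key, port in (("-P", None), ("-S", sp), ("-D", dp), ("-W", None)):
                if key in vals:
                    parts += [OPTS[key], vals[key]] + ([port] if port else [])
            parts += flags + (["-t"] + tos if tos else []) + ["-j", "MASQ" if masq else policy]
            out.append(" ".join(parts))
    return out
```

Feed it each ipfwadm line of the old start script and write the output lines into a new rc.firewall; rules with no ipchains counterpart stop the run instead of being dropped silently, so nothing ends up missing from the ruleset unnoticed.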