On Mon, Feb 26, 2001 at 11:00:06AM -0600, [EMAIL PROTECTED] wrote:
> Would it be possible for you to send me the firewall script you presented at
> the last TSLUG meeting? I am working on a firewall, and would like
> somewhere to start. Thanks.
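#!/bin/bash
# Small ipchains (2.2-kernel) host firewall.
#
# Usage: firewall {start|stop|restart}   (needs root; ipchains is not present
# on netfilter/iptables kernels).
#
# What it does: accepts loopback traffic, then sends every packet that comes
# from OUTSIDE the local network and is addressed to this host through a
# "nonlocal" chain that DENYs a fixed list of service ports plus every port
# the portmapper currently advertises.
#
# NOTE: this is a block-list. Any port not listed below falls through to the
# input chain's default policy, which this script never sets (no -P), so
# unlisted services remain reachable unless the policy is DENY elsewhere.
#
# The two addresses were hard-coded in the original; they may be overridden
# from the environment so the script can be reused on another host.
#   LOCAL_NET - source range treated as local and therefore never filtered
#   HOST_ADDR - this machine's address; only packets addressed to it are
#               inspected (other aliases/broadcasts are not)
LOCAL_NET=${LOCAL_NET:-150.243.0.0/16}
HOST_ADDR=${HOST_ADDR:-150.243.160.42}

#######################################
# Append one DENY rule to a chain.
# Arguments: $1 - chain name
#            $2 - protocol (tcp|udp)
#            $3 - destination port
#            remaining args are passed to ipchains first (e.g. -l to log)
#######################################
deny_port() {
  local chain=$1 proto=$2 port=$3
  shift 3
  ipchains "$@" -A "$chain" -j DENY -s 0/0 -d 0/0 "$port" -p "$proto"
}

#######################################
# Install the rule set. ipchains -N fails (non-fatally here) if the chain
# already exists from an earlier start; -F then empties it, so a repeated
# start re-creates the same rules rather than appending duplicates.
#######################################
fw_start() {
  local i proto port prot

  echo "Configuring firewall."
  # Local traffic: anything arriving on the loopback interface for 127.0.0.1.
  ipchains -I input -j ACCEPT -s 0/0 -d 127.0.0.1 -i lo

  # Non-local traffic: from outside LOCAL_NET, addressed to HOST_ADDR.
  ipchains -N nonlocal
  ipchains -F nonlocal
  ipchains -A input -j nonlocal -s ! "$LOCAL_NET" -d "$HOST_ADDR"

  # Port 53 -- nameserver
  deny_port nonlocal udp 53
  deny_port nonlocal tcp 53
  # Ports 109 and 110 -- pop2 and pop3
  for port in 109 110; do
    deny_port nonlocal udp "$port"
    deny_port nonlocal tcp "$port"
  done
  # Port 515 -- lpd
  deny_port nonlocal tcp 515
  # Port 3306 -- mysqld
  deny_port nonlocal tcp 3306
  # Ports 580x and 590x -- VNC (HTTP viewer and RFB) for displays 0-9
  for i in {0..9}; do
    deny_port nonlocal tcp "580$i"
    deny_port nonlocal tcp "590$i"
  done
  # Port 7100 -- xfs X font server
  deny_port nonlocal tcp 7100
  # Port 7101 -- xfstt X TrueType font server
  deny_port nonlocal tcp 7101

  # Portmapper-registered services (RPC ports are assigned dynamically).
  # The list is a snapshot of 'rpcinfo -p' at start time: a service that
  # registers later is not covered until the next restart.
  ipchains -N portmap
  ipchains -F portmap
  ipchains -A nonlocal -j portmap
  # rpcinfo -p columns: program vers proto port [service]. The original used
  # 'tail +2 | cut -c18-29', which is obsolete tail syntax and depends on
  # exact column widths; awk reads the fields instead.
  # -l logs each packet the portmap chain denies (kernel log).
  rpcinfo -p | awk 'NR > 1 && NF >= 4 { print $3, $4 }' | sort -u |
    while read -r proto port; do
      prot=$(printf '%s' "$proto" | tr '[:lower:]' '[:upper:]')
      deny_port portmap "$prot" "$port" -l
    done

  # Show what was installed.
  ipchains -n -L input
  ipchains -n -L nonlocal
  ipchains -n -L portmap
}

#######################################
# Flush and delete the user chains. portmap is deleted before nonlocal:
# once nonlocal is flushed nothing references portmap, so -X succeeds.
#######################################
fw_stop() {
  echo "Clearing firewall entries."
  ipchains -F input
  ipchains -F nonlocal
  ipchains -F portmap
  ipchains -X portmap
  ipchains -X nonlocal
}

case "$1" in
  start)
    fw_start
    ;;
  stop)
    fw_stop
    ;;
  restart)
    fw_stop
    sleep 1
    fw_start
    ;;
  *)
    # $0 is data, not a format string: pass it through %s.
    printf 'Usage: %s {start|stop|restart}\n' "$0" >&2
    exit 1
    ;;
esac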
--
Don Bindner <[EMAIL PROTECTED]>