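#!/bin/sh
# Tue Feb 12 13:31:58 PST 2002
# /etc/rc.d/init.d/firewall (redhat/turbo/mandrake)
# /etc/init.d/firewall (debian/corel/storm)
# /sbin/init.d/firewall (SuSE)
# Firewall & IP Masquerading for kernel 2.2.XX
#
# This is a sample firewall template. It must be edited before use. If
# you are looking for a firewall to setup in 10 minutes you are looking in
# the wrong place - see www.nblug.org/firewall/ - this could take a while
# if you have never done it before. If you want to fully understand
# and control all the details of your firewall this provides a good
# framework to work from. How well it works will depend on how much
# effort you put into making sure your machine is not running any
# un-necessary services, making sure the services that you do run are
# secure, and configuring this firewall correctly. References in the form
# of web addresses are included in the comments throughout the document.
# I've taken the (paranoid) approach of blocking everything unless there
# is a reason to allow it. You may want to run something I don't, and that
# may require that another hole be opened thru the firewall to make it work.
#
# Here's what the script kiddies are looking for these days:
# www.cert.org/current/current_activity.html
# when reading logs: PROTO=1 is ICMP, PROTO=6 is TCP, and PROTO=17 is UDP
# review ipchains rules with "/sbin/ipchains -L -n | less"
# see ports with services running with "netstat -l | less"
# service names for port numbers for your machine are found in /etc/services
# more port number assignments are at nblug.org/firewall/internet/port-numbers
#
# Note on rule order: ipchains evaluates the input chain top to bottom and
# the first matching rule wins, so the position of every rule below matters.
# All site-specific values live in the configuration section; edit that
# section, not the rules, when adapting this template.

#
# Ethernet & IP configuration
#
# Put your internal (private) network information here
# Internal Device = eth0 or eth1
intdev=eth1
# Internal IP address = class C private network address
intip=192.168.0.1
#
# Put your external (internet) network information here
# External Device = eth0 or eth1 or ppp0
extdev=eth0
# External IP address = your static external IP address
extip=141.121.145.28
# If your ISP doesn't give you a static IP address then
# DHCP users can find their IP address with one of these lines
# extip=$(ifconfig ppp0 | perl -ne '/inet addr:(\S+)/ and print $1')
# extip=$(ifconfig eth0 | perl -ne '/inet addr:(\S+)/ and print $1')
# extip=$(ifconfig eth1 | perl -ne '/inet addr:(\S+)/ and print $1')
#
# Your DNS servers are listed in /etc/resolv.conf. Put the IP address of
# each one here; the placeholders below are NOT valid addresses and the
# DNS rules further down will fail until they are replaced.
dns1=DNSserver1
dns2=DNSserver2

#
# Input Rules
#
# Flush ipchains rules for input.
# Clears all input rules, defaults to ACCEPT everything
/sbin/ipchains -F input
# Change Policy (default behavior) to DENY everything.
# While firewall is reloading this denies everything.
# Specific ports will be opened later.
/sbin/ipchains -P input DENY

#
# Kernel anti-IP Spoofing
#
# turn on Kernel Source Address Verification and get
# spoof protection on all current and future interfaces
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
  for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo 1 > "$f"
  done
fi

#
# Local and Internal network traffic
#
# Do this to stop timeout delays waiting for auth.
# Comment out this line if you only have one computer.
/sbin/ipchains -A input -i "$intdev" -p tcp -d 0.0.0.0/0 113 -j REJECT
# Allow all local machine and internal network traffic to be accepted.
# Comment out this line if you only have one computer.
/sbin/ipchains -A input -i "$intdev" -s "$intip/24" -j ACCEPT
/sbin/ipchains -A input -i lo -j ACCEPT

#
# Closing external access to high numbered ports with services running.
#
# Block access to any services running on any high numbered ports (>1023)
# that we don't want accessed from outside. "netstat -l" shows open
# ports. Any port that shows up from "netstat -l" with a high port number
# (1023-65535) that you do not want open to the outside world gets blocked
# here. See /etc/services for a list of port numbers for services. This
# is just a few examples, you may not need all of them, and you may very
# well need other ports blocked. Be aware that more ports may be opened
# later if you start up any new service or program.
# Port number assignments are at nblug.org/firewall/internet/port-numbers
#
# These DENY rules must stay above the "Replies to tcp connections" and
# "FTP data" ACCEPT rules below, because those accept traffic to the
# whole unprivileged port range.
#
# radius 1645:1646/udp
/sbin/ipchains -A input -p udp -d 0.0.0.0/0 1645:1646 -l -j DENY
#
# Xwindows DANGEROUS
/sbin/ipchains -A input -p tcp -d 0.0.0.0/0 6000:6100 -l -j DENY
#
# junkbuster 8000/tcp
/sbin/ipchains -A input -p tcp -d 0.0.0.0/0 8000 -l -j DENY
#
# nessus
/sbin/ipchains -A input -p udp -d 0.0.0.0/0 3001 -l -j DENY

#
# Replies to tcp connections
#
# Allow replies to tcp connections I made. Everybody needs this.
# This won't work for active-mode ftp data 20/tcp (see "FTP data" below).
# this was moved up above the IP Spoofing section because a couple of
# web sites were answering back with 10. addresses (the irs and apc)
# ipchains is stateless: "! -y" only checks that the SYN flag is not set
# by itself, it does not check that a connection actually exists. Because
# this rule precedes the IP Spoofing DENYs, non-SYN tcp packets from
# private source addresses are accepted here rather than logged there.
/sbin/ipchains -A input ! -y -p tcp -d "$extip" -j ACCEPT

#
# IP Spoofing
#
# www.nblug.org/firewall/internet/ipv4-address-space
# RFC 1918 Private Networks
# www.isi.edu/in-notes/iana/assignments/ipv4-address-space
# Internal network addresses. This should be redundant.
/sbin/ipchains -A input -s 192.168.0.0/16 -l -j DENY
/sbin/ipchains -A input -s 172.16.0.0/12 -l -j DENY
/sbin/ipchains -A input -s 10.0.0.0/8 -l -j DENY
# Loopback
/sbin/ipchains -A input -s 127.0.0.0/8 -l -j DENY
# 224-239/8 IANA - Multicast
/sbin/ipchains -A input -s 224.0.0.0/4 -l -j DENY

#
# ICMP
#
# www.isi.edu/in-notes/iana/assignments/icmp-parameters
# www.robertgraham.com/pubs/firewall-seen.html
#
# Some ICMP types are needed for normal operation, like type 3, Do NOT
# block ICMP type 3. Some types are dangerous and should be blocked:
# type 4 source quench, type 5 redirect, type 9 router advertisement, type
# 12 parameter problem, type 13 Timestamp and 14 Timestamp Reply. Others
# are optional: type 0 echo-reply (outgoing pings), type 8 echo-request
# (incoming pings), type 11 Time Exceeded (to do traceroutes), type 30
# Traceroute (incoming, non-unix)
#
# type 0 echo-reply, outgoing pings, don't log
/sbin/ipchains -A input -p icmp --icmp-type 0 -j ACCEPT
# type 3 Destination Unreachable is normal traffic, allow it.
/sbin/ipchains -A input -p icmp --icmp-type 3 -j ACCEPT
# type 11 Time Exceeded, needed to do traceroutes, allow
/sbin/ipchains -A input -p icmp --icmp-type 11 -j ACCEPT
# DENY and log all other icmp packets.
/sbin/ipchains -A input -p icmp -l -j DENY

#
# Open ports for incoming connections to services you run.
#
# 20-21/tcp FTP, DANGEROUS. Most ftp daemons have major security holes.
# comment out ftp in /etc/inetd.conf. Don't ACCEPT.
# Use http, scp, or sftp instead. If you need ftp do the research to
# find a good ftp daemon and know how to set it up properly.
# see www.time-travellers.org/oftpd/
# linuxmafia.com/pub/linux/security/ftp-daemons
# With non-anonymous ftp you risk having your password sniffed.
#
# 22/tcp ssh Safe when used as directed. Use ssh instead of telnet,
# rlogin, rsh, and ftp whenever possible. Choose good passwords.
# /sbin/ipchains -A input -p tcp -d "$extip" 22 -j ACCEPT
#
# 23/tcp telnet, DANGEROUS. Your password can be sniffed, then you get
# hacked. I've seen it happen. Don't allow incoming telnet connections.
# comment out telnet in /etc/inetd.conf. Don't ACCEPT.
#
# 25/tcp smtp (mail). WARNING-the default sendmail configuration is not
# secure. Rip it out and replace it with postfix (postfix.org) or qmail
# (cr.yp.to). Learning sendmail isn't worth it. Started in /etc/rc.d/
# If you use sendmail only to send, not receive, mail then take it out of daemon mode.
# /sbin/ipchains -A input -p tcp -d "$extip" 25 -j ACCEPT
#
# 53/tcp DNS, DANGEROUS. For experts only. Do not ACCEPT.
#
# 80/tcp httpd (web server) DANGEROUS. Default webserver configurations
# have security holes. Do some serious research before opening this port.
# Search for "httpd" on freshmeat.net for alternative web servers.
# also check out publicfile at cr.yp.to. Don't enable cgi unless you need it.
# /sbin/ipchains -A input -p tcp -d "$extip" 80 -l -j ACCEPT
#
# 109-110/tcp pop DANGEROUS. Don't ACCEPT.
# www.cert.org/current/current_activity.html
#
# 113/tcp, auth, is REJECTed to stop delays. Many mailservers and some
# web servers probe port 113 and will wait for it to timeout. Reject is
# ok. Don't ACCEPT, it gives information to people they shouldn't get.
# Log entries for 113/tcp are most likely NOT hack attempts.
/sbin/ipchains -A input -p tcp -d "$extip" 113 -l -j REJECT
#
# 123/udp ntp (network time protocol, see ntpd or xntpd). This is a cool
# thing to run. You can synchronize your machine's clock to a
# machine on the internet with an atomic clock, a WWV clock (a radio link
# to an atomic clock), or a GPS clock (GPS satellites have an atomic
# clock). If you only allow access from particular servers this is very
# low risk. Allowing connections from anywhere is slightly higher risk.
#
# allow ntp only from specific hosts.
# /sbin/ipchains -A input -p udp -s ntp-server-ip-address 123 -d "$extip" 123 -j ACCEPT
# to be a server to others allow access from any host.
# /sbin/ipchains -A input -p udp -s 0.0.0.0/0 123 -d "$extip" 123 -j ACCEPT

#
# DNS
#
# Do this so DNS 53/udp connections don't get logged or blocked.
# Your system won't work without this. One line per server; the
# addresses come from dns1/dns2 in the configuration section above.
/sbin/ipchains -A input -p udp -s "$dns1" 53 -d "$extip" 1024:65535 -j ACCEPT
/sbin/ipchains -A input -p udp -s "$dns2" 53 -d "$extip" 1024:65535 -j ACCEPT

#
# FTP data
#
# This is needed for active-mode ftp data 20/tcp, where the remote ftp
# server opens the data connection from its port 20 back to a high port
# on this machine (netscape ftp uses this).
# this will cause major logfile spew so you might disable logging
# Risk: ipchains cannot tell a genuine ftp-data connection from any other
# packet whose source port happens to be 20, so this rule accepts new
# connections to every unprivileged port except those DENYed in the
# "Closing external access to high numbered ports" section above. If you
# do not use ftp from this machine, comment this rule out.
/sbin/ipchains -A input -p tcp -s 0.0.0.0/0 20 -d "$extip" 1024:65535 -l -j ACCEPT

#
# NTP
#
# allow connections from ntp server's ntp port, needed for "ntpq -p ntpserver"
# /sbin/ipchains -A input -p udp -s ntp-server-ip-address 123 -d "$extip" 49152:65535 -l -j ACCEPT
# This is needed for "ntptrace" and will allow "ntpq -p ntpserver" too.
# /sbin/ipchains -A input -p udp -s 0.0.0.0/0 123 -d "$extip" 1024:65535 -l -j ACCEPT

#
# PORT FORWARDING
#
# Open ports used by ipmasqadm
# If you use port forwarding open the ports you need here.
# /sbin/ipchains -A input -p tcp -d "$extip" 55022 -l -j ACCEPT

#
# REALPLAYER
#
# realplayer audio/video udp connections
# set udp ports in realplayer to match, feel free to change them to
# other port numbers and reconfigure realplayer to match.
# /sbin/ipchains -A input -p udp -d "$extip" 7070:7074 -j ACCEPT

#
# Traceroutes
#
# allow unix traceroutes, or don't, udp 33434-33600
# /sbin/ipchains -A input -p udp -d "$extip" 33434:33600 -l -j ACCEPT

#
# Initiation of new TCP connections, other UDP traffic
#
# We already set the Policy to deny, this will turn on logging.
# don't allow any other types of tcp connection attempts
/sbin/ipchains -A input -p tcp -y -l -j DENY
#
# Don't allow any other udp traffic.
/sbin/ipchains -A input -p udp -l -j DENY

#
# IP masquerading (also called NAT - Network Address Translation).
#
# If you only have one computer comment out this entire section.
#
# activate packet forwarding if it wasn't already
echo 1 > /proc/sys/net/ipv4/ip_forward
#
# Change the timeout values used for masquerading. Values in seconds:
# TCP session timeout 14400 (4 hours), TCP FIN timeout 10, UDP timeout 60.
/sbin/ipchains -M -S 14400 10 60
#
# Flush all forwarding rules, defaults to accepting everything.
/sbin/ipchains -F forward
# Change default Policy to DENY
/sbin/ipchains -P forward DENY
# only permit masquerading from authorized hosts
# add private Class C network block to forward list
/sbin/ipchains -A forward -s "$intip/24" -j MASQ
#
# You need this for machines inside to be able to use ftp
/sbin/modprobe ip_masq_ftp
# If you use irc (internet relay chat) uncomment this
# /sbin/modprobe ip_masq_irc
# If you play quake over the internet uncomment this
# /sbin/modprobe ip_masq_quake
# If you use real audio uncomment this
# /sbin/modprobe ip_masq_raudio
# If you need these uncomment them, I don't know what they do.
# /sbin/modprobe ip_masq_vdolive
# /sbin/modprobe ip_masq_user

#
# Output Rules
#
# Flush all output rules, defaults to accepting everything.
/sbin/ipchains -F output
/sbin/ipchains -P output ACCEPT
#
# Block outgoing tcp and udp for ports 137, 138, 139.
# This blocks smb (samba), nmb, windows file sharing, and more.
# You don't want to be broadcasting any of this stuff to the internet.
/sbin/ipchains -A output -i "$extdev" -p tcp -d 0.0.0.0/0 137:139 -l -j DENY
/sbin/ipchains -A output -i "$extdev" -p udp -d 0.0.0.0/0 137:139 -l -j DENY

#
# Port Forwarding
#
# This is for forwarding packets to an internal machine thru the firewall
# The ports must first be opened by ipchains before ipmasqadm can use them.
# ipmasqadm doesn't come with RedHat, but the TurboLinux rpm works fine.
# I put a copy of the ipmasqadm rpm at http://nblug.org/firewall/
#
# see www.monmouth.demon.co.uk/ipsubs/portfw-2.2.html for general info
# see man ipmasqadm for specific syntax (different than web page)
#
# load kernel module required for port forwarding
# /sbin/modprobe ip_masq_portfw
#
# Flush ipmasqadm rules
# /usr/sbin/ipmasqadm portfw -f
#
# redirect ssh connection to internal host
# /usr/sbin/ipmasqadm portfw -a -P tcp -L "$extip" 55022 -R 192.168.0.3 22
#
# redirect http to internal webserver machine
# /usr/sbin/ipmasqadm portfw -a -P tcp -L "$extip" 80 -R 192.168.0.4 80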