15.2 GFCC script

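#!/bin/bash
#
# Firewall Script - Version 0.9.0
#
# chkconfig:   2345 09 99
# description:  firewall script for 2.2.x kernel
#
# Set for testing
# set -x
#
# NOTES:
#
# This script is written for RedHat 6.0 or better.
#
# This firewall script should work for most routers,  dial-up or cable modem.
# It was written for RedHat distributions.
#
# Be careful about offering public services like web or ftp servers.
#
# INSTALLATION:
#
# 1.  This file planned for a RedHat system.    It would work
#     on other distro's with perhaps no modification,  but again...
#     Who knows?!!?    These instructions apply to RedHat systems.
#
# 2.  place this file in /etc/rc.d/init.d    (you'll have to be root..)
#     call it something like "firewall" :-)
#     make it root owned -->    "chown root.root <filename>"
#     make it executable -->    "chmod 755 <filename>"
#
# 3.  set the values for your network,  internal interface,  and DNS servers
#     uncomment lines further down to enable optional in-bound services
#     make sure "eth0" is your internal NIC  (or change the value below)
#     test it -->    "/etc/rc.d/init.d/<filename> start"
#     you can list the rules -->    "ipchains -L -n"
#     fix anything that broke... :-)
#
# 4.  add the firewall to the RH init structure --> "chkconfig --add <filename>"
#     next time the router boots,  things should happen automagically!
#     sleep better at night knowing you are *LESS* vulnerable than before...
#
# RELEASE NOTES
#
# 20 July,   1999 - initial writing - Anthony Ball <tony@LinuxSIG.org>
# 11 Dec,   1999 - updated by Mark Grennan <mark@grennan.com>
#
################################################
# Fill in the values below to match your
# local network.
PRIVATENET=xxx.xxx.xxx.xxx/xx

PUBLIC=ppp0
PRIVATE=eth0

# your dns servers  (xxx... are placeholders -- put the real addresses here)
DNS1=xxx.xxx.xxx.xxx
DNS2=xxx.xxx.xxx.xxx
################################################

# some handy generic values to use
ANY=0.0.0.0/0
ALLONES=255.255.255.255

# Source function library.
. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up.
[ "${NETWORKING}" = "no" ] && exit 0

#######################################
# Refuse to build the rule set while the site values above still hold the
# xxx placeholders: ipchains would reject the rules that admit the internal
# network and the DNS replies, leaving only the final DENY in place.
# Globals:   PRIVATENET, DNS1, DNS2 (read)
# Outputs:   diagnostic on stderr when unconfigured
# Returns:   0 when configured, 1 otherwise
#######################################
check_config() {
  case "${PRIVATENET}${DNS1}${DNS2}" in
    *xxx*)
      echo "firewall: edit $0 and fill in PRIVATENET, DNS1 and DNS2 first" >&2
      return 1
      ;;
  esac
  return 0
}

# See how we are called
case "$1" in
  start)
    check_config || exit 1

    # Start providing access
    action "Starting firewall:   " /bin/true

    ##
    ## Setup Environment
    ##

    # Flush all lists
    /sbin/ipchains -F input
    /sbin/ipchains -F output
    /sbin/ipchains -F forward

    # Plug up everything: a DENY at position 1 keeps the box closed while the
    # rules below are being built.  It is removed as the very last step.
    /sbin/ipchains -I input 1 -j DENY

    # set policy to deny   (Default is ACCEPT)
    /sbin/ipchains -P input DENY
    /sbin/ipchains -P output ACCEPT
    /sbin/ipchains -P forward ACCEPT

    # Turn on packet forwarding
    echo 1 > /proc/sys/net/ipv4/ip_forward

    ##
    ## Install Modules
    ##

    # Insert the active ftp module.    This will allow non-passive ftp to machines
    # on the local network  (but not to the router since it is not masq'd)
    if ! /sbin/lsmod | /bin/grep -q masq_ftp; then
      /sbin/insmod ip_masq_ftp
    fi

    ##
    ## Some Security Stuff
    ##

    # turn on Source Address Verification and get spoof protection
    # on all current and future interfaces.
    if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
      for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
        echo 1 > "$f"
      done
    else
      echo
      echo "PROBLEMS SETTING UP IP SPOOFING PROTECTION.     BE WORRIED."
      echo
    fi

    # deny bcasts on remaining interfaces
    /sbin/ipchains -A input -d 0.0.0.0 -j DENY
    /sbin/ipchains -A input -d 255.255.255.255 -j DENY

    # deny these without logging  'cause there tend to be a lot...
    /sbin/ipchains -A input -p udp -d "$ANY" 137 -j DENY    # NetBIOS over IP
    /sbin/ipchains -A input -p tcp -d "$ANY" 137 -j DENY    # ""
    /sbin/ipchains -A input -p udp -d "$ANY" 138 -j DENY    # ""
    /sbin/ipchains -A input -p tcp -d "$ANY" 138 -j DENY    # ""
    /sbin/ipchains -A input -p udp -d "$ANY" 67 -j DENY     # bootp
    /sbin/ipchains -A input -p udp -d "$ANY" 68 -j DENY     # ""
    /sbin/ipchains -A input -s 224.0.0.0/8 -j DENY          # Multicast addresses

    ##
    ## Allow private network out
    ##

    # allow all packets on the loopback interface
    /sbin/ipchains -A input -i lo -j ACCEPT

    # allow all packets from the internal  "trusted" interface
    /sbin/ipchains -A input -i "$PRIVATE" -s "$PRIVATENET" -d "$ANY" -j ACCEPT
    /sbin/ipchains -A input -i "$PRIVATE" -d "$ALLONES" -j ACCEPT

    ##
    ## Allow Outside Services into the firewall   (if you dare)
    ##

    # allow ICMP
    /sbin/ipchains -A input -p icmp -j ACCEPT

    # allow TCP -- only packets without SYN set, i.e. replies to connections
    # opened from this side.  ipchains keeps no connection state, so this
    # flag test is what stops outsiders from opening new connections to the
    # router; anything that is not a SYN is let through.
    /sbin/ipchains -A input -p tcp ! -y -j ACCEPT

    # allow lookups to DNS   (on firewall)
    /sbin/ipchains -A input -p udp -s "$DNS1" domain -d "$ANY" 1023: -j ACCEPT
    /sbin/ipchains -A input -p udp -s "$DNS2" domain -d "$ANY" 1023: -j ACCEPT

    # or   (BETTER IDEA)   run a caching DNS server on the router and use the
    # following two lines instead...
    # /sbin/ipchains -A input -p udp -s "$DNS1" domain -d "$ANY" domain -j ACCEPT
    # /sbin/ipchains -A input -p udp -s "$DNS2" domain -d "$ANY" domain -j ACCEPT

    # uncomment the following to allow ssh in
    # /sbin/ipchains -A input -p tcp -d "$ANY" 22 -j ACCEPT

    # uncomment the following to allow telnet in   (BAD IDEA!!)
    # /sbin/ipchains -A input -p tcp -d "$ANY" telnet -j ACCEPT

    # uncomment to allow NTP  (network time protocol)  to router
    # /sbin/ipchains -A input -p udp -d "$ANY" ntp -j ACCEPT

    # uncomment to allow SMTP in  (not for mail clients - only a server)
    # /sbin/ipchains -A input -p tcp -d "$ANY" smtp -j ACCEPT

    # uncomment to allow POP3 in  (for mail clients)
    # /sbin/ipchains -A input -p tcp -d "$ANY" 110 -j ACCEPT

    # allow auth in for sending mail or doing ftp
    /sbin/ipchains -A input -p tcp -d "$ANY" auth -j ACCEPT

    # uncomment to allow FTP in
    # /sbin/ipchains -A input -p tcp -d "$ANY" ftp -j ACCEPT

    ##
    ## Masquerading stuff
    ##

    # masquerade packets forwarded from internal network
    /sbin/ipchains -A forward -s "$PRIVATENET" -d "$ANY" -j MASQ

    ##
    ## deny EVERYthing else and log them to /var/log/messages
    ##
    /sbin/ipchains -A input -l -j DENY

    # Remove the Plug
    /sbin/ipchains -D input 1
    ;;

  stop)
    action "Stoping firewall:   " /bin/true
    echo 0 > /proc/sys/net/ipv4/ip_forward
    # -F removes the rules only; the chain policies set by "start" (input
    # DENY) are left as they are, so the router stays closed rather than open
    # after a stop.
    /sbin/ipchains -F input
    /sbin/ipchains -F output
    /sbin/ipchains -F forward
    echo
    ;;

  restart)
    action "Restarting firewall:   " /bin/true
    "$0" stop
    "$0" start
    echo
    ;;

  status)
    # List out settings
    /sbin/ipchains -L
    ;;

  test)
    ##
    ## This is about as simple as it gets
    ## (This is not secure AT ALL)
    ##
    action "WARNING Test Firewall: " /bin/true
    /sbin/ipchains -F input
    /sbin/ipchains -F output
    /sbin/ipchains -F forward
    echo 1 > /proc/sys/net/ipv4/ip_forward
    /sbin/ipchains -A input -j ACCEPT
    /sbin/ipchains -A output -j ACCEPT
    /sbin/ipchains -P forward DENY
    /sbin/ipchains -A forward -i "$PUBLIC" -j MASQ
    echo
    ;;

  *)
    echo "Usage: $0 {start|stop|restart|status|test}"
    exit 1
    ;;
esac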