#!/bin/sh
echo "Starting firewalling... "
# Some definitions for easy maintenance.
# --------------------------------------------------------------------
# EDIT THESE TO SUIT YOUR SYSTEM AND ISP.
EXTERNAL_INTERFACE="eth0" # Internet connected interface
LOOPBACK_INTERFACE="lo" # or your local naming convention
LAN_INTERFACE_1="eth1" # internal LAN interface
IPADDR="24.11.70.92" # your IP address; replaced by the DHCP lease file sourced below when one exists
LAN_1="192.168.1.0/24" # whatever (private) range you use
LAN_IPADDR_1="192.168.1.1" # your internal interface address (not referenced by any rule below)
ANYWHERE="any/0" # match any IP address
DHCP_SERVER="24.0.0.0/8" # if you use one; replaced by DHCPSIADDR from the lease file below
MY_ISP="24.0.0.0/8" # ISP & NOC address range
# MY_ISP is trusted for outbound ICMP time-exceeded replies and for DHCP
# offers addressed to a lease this host does not know yet. A whole /8 is a
# wide trust boundary; narrow it to the ranges the ISP actually uses if known.
NAMESERVER_1="24.3.196.33"
NAMESERVER_2="24.3.196.34"
NAMESERVER_3="24.3.196.35"
# The mail and news client rules below accept replies from the whole range
# given here; set each to the specific server address once it is known.
SMTP_SERVER="24.0.0.0/8" # external mail server (not referenced by any rule below; SMTP_GATEWAY is)
SMTP_GATEWAY="24.0.0.0/8" # external mail relay
POP_SERVER="24.0.0.0/8" # external pop server, if any
IMAP_SERVER="24.0.0.0/8" # external imap server, if any
NEWS_SERVER="24.0.0.0/8" # external news server, if any
WEB_PROXY_SERVER="24.0.0.0/8" # ISP web proxy server, if any (used only by the commented-out proxy rules)
WEB_PROXY_PORT="8080" # ISP web proxy port, if any
# typically 8008 or 8080
LOOPBACK="127.0.0.0/8" # reserved loopback address range
CLASS_A="10.0.0.0/8" # class A private networks
CLASS_B="172.16.0.0/12" # class B private networks
CLASS_C="192.168.0.0/16" # class C private networks
CLASS_D_MULTICAST="224.0.0.0/4" # class D multicast addresses
CLASS_E_RESERVED_NET="240.0.0.0/5" # class E reserved addresses
BROADCAST_SRC="0.0.0.0" # broadcast source address
BROADCAST_DEST="255.255.255.255" # broadcast destination address
PRIVPORTS="0:1023" # wellknown, privileged port range (not referenced by any rule below)
UNPRIVPORTS="1024:65535" # unprivileged port range
# Used only by the commented-out traceroute rules further down.
TRACEROUTE_SRC_PORTS="32769:65535"
TRACEROUTE_DEST_PORTS="33434:33523"
# ....................................................................
# If your IP address is dynamically assigned by a DHCP server, then
# nameservers are found in /etc/dhcpc/resolv.conf. If used, the
# example ifdhcpc-done script updates these automatically and
# appends them to /etc/dhcpc/hostinfo-$EXTERNAL_INTERFACE or
# /etc/dhcpc/dhcpcd-$EXTERNAL_INTERFACE.info.
# If using the example ifdhcpc-done script, the following NAMESERVER
# definitions (one per server, up to 3) will be overridden correctly
# here.
# The IP address, $IPADDR, is defined by dhcp
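# The DHCP client records the lease (IPADDR, nameservers, server address)
# in one of these files; source whichever exists. Each is executed as
# shell code by ".", so it must be writable only by root: its contents
# are derived from data the DHCP server supplied.
if [ -f "/etc/dhcpc/hostinfo-$EXTERNAL_INTERFACE" ]; then
  . "/etc/dhcpc/hostinfo-$EXTERNAL_INTERFACE"
elif [ -f "/etc/dhcpc/dhcpcd-$EXTERNAL_INTERFACE.info" ]; then
  . "/etc/dhcpc/dhcpcd-$EXTERNAL_INTERFACE.info"
elif [ -f /etc/dhcpc/pump.info ]; then
  . /etc/dhcpc/pump.info
else
  # No lease information, so IPADDR cannot be trusted. Fall back to a
  # closed firewall that passes only loopback and LAN traffic, then stop
  # before any external-interface rule is added.
  echo "rc.firewall: dhcp is not configured." >&2
  ipchains -F
  ipchains -P input DENY
  ipchains -P output DENY
  # Same forward policy as the normal path below, so nothing is
  # forwarded while the firewall is in this fallback state.
  ipchains -P forward REJECT
  ipchains -A input -i "$LOOPBACK_INTERFACE" -j ACCEPT
  ipchains -A output -i "$LOOPBACK_INTERFACE" -j ACCEPT
  ipchains -A input -i "$LAN_INTERFACE_1" -j ACCEPT
  ipchains -A output -i "$LAN_INTERFACE_1" -j ACCEPT
  exit 1
fi
# If using the example ifdhcpc-done script, any previous definitions of
# IPADDR and NAMESERVER will be overridden correctly here.
# DHCPSIADDR is the server address recorded by the DHCP client. Keep the
# static DHCP_SERVER default when the sourced file did not define it, so
# the DHCP rules further down never get an empty address argument.
DHCP_SERVER=${DHCPSIADDR:-$DHCP_SERVER}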
# ....................................................................
# EDIT THESE TO MATCH THE NUMBER OF SERVERS OR CONNECTIONS
# YOU SUPPORT.
# X Windows port allocation begins at 6000 and increments
# for each additional server running from 6000 to 6063.
XWINDOW_PORTS="6000:6063" # (TCP) X windows; refused in both directions below
# SSH starts at 1023 and works down to 513 for
# each additional simultaneous incoming connection.
# 1020:1023 therefore allows four privileged-port SSH client sessions at once.
SSH_PORTS="1020:1023" # simultaneous connections
# --------------------------------------------------------------------
# Services refused on the external interface in the UNPRIVILEGED PORTS
# section below.
SOCKS_PORT="1080" # (TCP) socks
OPENWINDOWS_PORT="2000" # (TCP) openwindows
NFS_PORT="2049" # (TCP/UDP) NFS
# --------------------------------------------------------------------
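# Flush any existing rules from all chains
ipchains -F
# Set the default policy to deny. Anything not explicitly accepted below
# is dropped silently (input) or refused with an ICMP error (output,
# forward).
ipchains -P input DENY
ipchains -P output REJECT
ipchains -P forward REJECT
# Masquerade timeouts: 36000 s (10 hours) for established TCP
# connections, 10 s after FIN, 120 s for UDP.
ipchains -M -S 36000 10 120
# Disallow Fragmented Packets from the Internet (-f matches second and
# later fragments, whose headers cannot be inspected).
ipchains -A input -f -i "$EXTERNAL_INTERFACE" -j DENY
# Enable TCP SYN Cookie Protection
echo 1 >/proc/sys/net/ipv4/tcp_syncookies
# Per-interface kernel hardening, applied to every entry under
# /proc/sys/net/ipv4/conf/:
#   rp_filter=1            turn on source address verification (anti-spoofing)
#   accept_redirects=0     ignore ICMP redirects
#   accept_source_route=0  drop source-routed packets
# Each knob is written for all interfaces before the next one, which is
# the order the original three separate loops used.
for knob in rp_filter=1 accept_redirects=0 accept_source_route=0; do
  for f in /proc/sys/net/ipv4/conf/*/"${knob%=*}"; do
    echo "${knob#*=}" >"$f"
  done
done
# These modules are necessary to masquerade
# their respective services. Loading is best-effort: insmod reports an
# error for a module that is already loaded or built into the kernel,
# and the script carries on regardless.
/sbin/insmod ip_masq_ftp
/sbin/insmod ip_masq_icq
/sbin/insmod ip_masq_raudio
#/sbin/insmod ip_masq_irc
#/sbin/insmod ip_masq_vdolive
#/sbin/insmod ip_masq_cuseeme
#/sbin/insmod ip_masq_quake
# --------------------------------------------------------------------
# LOOPBACK
# Unlimited traffic on the loopback interface
ipchains -A input -i "$LOOPBACK_INTERFACE" -j ACCEPT
ipchains -A output -i "$LOOPBACK_INTERFACE" -j ACCEPT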
# --------------------------------------------------------------------
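# Refuse any connections from problem sites
# /etc/rc.d/rc.firewall.blocked contains a list of
#   ipchains -A input -i $EXTERNAL_INTERFACE -s <blocked address> -j DENY
# rules to block all access. (In the original the "-j DENY" tail of that
# example had fallen outside the comment and would have been run as a
# command by the shell.)
# The file is executed as shell code by ".", so it must be owned by root
# and not writable by anyone else.
# Refuse packets claiming to be from the banned list
if [ -f /etc/rc.d/rc.firewall.blocked ]; then
  . /etc/rc.d/rc.firewall.blocked
fi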
# --------------------------------------------------------------------
# SPOOFING & BAD ADDRESSES
# Refuse spoofed packets.
# Ignore blatantly illegal source addresses.
# Protect yourself from sending to bad addresses.
# A packet arriving from the Internet with our own address as its source
# is spoofed: deny it and log it.
ipchains -A input -i $EXTERNAL_INTERFACE -s $IPADDR -j DENY -l
# The private (class A/B/C) ranges are never valid on the external link
# in either direction. Inbound hits are routine background noise and are
# not logged; outbound hits point at a local leak and are logged.
# Order is class A, then B, then C.
for private_net in $CLASS_A $CLASS_B $CLASS_C; do
  ipchains -A input -i $EXTERNAL_INTERFACE -s $private_net -j DENY
  ipchains -A input -i $EXTERNAL_INTERFACE -d $private_net -j DENY
  ipchains -A output -i $EXTERNAL_INTERFACE -s $private_net -j DENY -l
  ipchains -A output -i $EXTERNAL_INTERFACE -d $private_net -j DENY -l
done
# Loopback range as a source on the external interface
ipchains -A input -i $EXTERNAL_INTERFACE -s $LOOPBACK -j DENY
ipchains -A output -i $EXTERNAL_INTERFACE -s $LOOPBACK -j DENY -l
# Malformed broadcasts: 255.255.255.255 is never a valid source and
# 0.0.0.0 is never a valid destination. Same pair on both chains.
for chain in input output; do
  ipchains -A $chain -i $EXTERNAL_INTERFACE -s $BROADCAST_DEST -j DENY -l
  ipchains -A $chain -i $EXTERNAL_INTERFACE -d $BROADCAST_SRC -j DENY -l
done
# Class D multicast is only illegal as a source address (multicast uses
# UDP). Inbound is dropped silently, outbound is refused with an error.
ipchains -A input -i $EXTERNAL_INTERFACE -s $CLASS_D_MULTICAST -j DENY -l
ipchains -A output -i $EXTERNAL_INTERFACE -s $CLASS_D_MULTICAST -j REJECT -l
# Class E reserved addresses: never a source inbound, never a
# destination outbound.
ipchains -A input -i $EXTERNAL_INTERFACE -s $CLASS_E_RESERVED_NET -j DENY -l
ipchains -A output -i $EXTERNAL_INTERFACE -d $CLASS_E_RESERVED_NET -j REJECT
# Addresses the IANA listed as reserved when this script was written:
# 1, 2, 5, 7, 23, 27, 31, 37, 39, 41, 42, 58-60, 65-126 (127 excepted),
# 217-223.
# WARNING: this snapshot is long out of date. Most of these /8s have since
# been allocated, so the list will drop legitimate traffic; check every
# entry against the current IANA IPv4 Address Space Registry before use.
# 0.0.0.0/8 is named in the original comment but has no rule, and cannot
# be added here: the DHCP client rules further down accept server replies
# whose source address is 0.0.0.0.
# A prefix is used wherever a block boundary allows it; 65-79, 112-126
# and 217-219 are spelled out per /8 because a shorter prefix would also
# cover the allocated 64, 127 and 216 blocks.
for reserved_net in \
  1.0.0.0/8 2.0.0.0/8 5.0.0.0/8 7.0.0.0/8 23.0.0.0/8 27.0.0.0/8 \
  31.0.0.0/8 37.0.0.0/8 39.0.0.0/8 41.0.0.0/8 42.0.0.0/8 \
  58.0.0.0/7 60.0.0.0/8 \
  65.0.0.0/8 66.0.0.0/8 67.0.0.0/8 68.0.0.0/8 69.0.0.0/8 \
  70.0.0.0/8 71.0.0.0/8 72.0.0.0/8 73.0.0.0/8 74.0.0.0/8 \
  75.0.0.0/8 76.0.0.0/8 77.0.0.0/8 78.0.0.0/8 79.0.0.0/8 \
  80.0.0.0/4 96.0.0.0/4 \
  112.0.0.0/8 113.0.0.0/8 114.0.0.0/8 115.0.0.0/8 116.0.0.0/8 \
  117.0.0.0/8 118.0.0.0/8 119.0.0.0/8 120.0.0.0/8 121.0.0.0/8 \
  122.0.0.0/8 123.0.0.0/8 124.0.0.0/8 125.0.0.0/8 126.0.0.0/8 \
  217.0.0.0/8 218.0.0.0/8 219.0.0.0/8 220.0.0.0/6; do
  ipchains -A input -i $EXTERNAL_INTERFACE -s $reserved_net -j DENY -l
done
# --------------------------------------------------------------------
# ICMP
# Each rule names the ICMP type in the "port" position after the
# address. ipchains is stateless, so every accepted type is admitted
# whenever it matches, not only in reply to something this host sent.
# (4) Source_Quench
# incoming & outgoing requests to slow down (flow control)
# Source Quench has since been deprecated (RFC 6633); this pair could be
# dropped without loss.
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
-s $ANYWHERE 4 -d $IPADDR -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
-s $IPADDR 4 -d $ANYWHERE -j ACCEPT
# (12) Parameter_Problem
# incoming & outgoing error messages
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
-s $ANYWHERE 12 -d $IPADDR -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
-s $IPADDR 12 -d $ANYWHERE -j ACCEPT
# (3) Dest_Unreachable, Service_Unavailable
# incoming & outgoing size negotiation, service or
# destination unavailability, final traceroute response
# All type 3 is accepted inbound; outbound only fragmentation-needed
# (code 4) is sent, so the host does not announce which ports are
# closed. The commented pair would widen that to all type 3 towards
# the ISP.
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
-s $ANYWHERE 3 -d $IPADDR -j ACCEPT
#ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
# -s $IPADDR 3 -d $MY_ISP -j ACCEPT
# NOTE(review): the REJECT targets used elsewhere in this script answer
# with ICMP type 3; whether those locally generated errors pass the
# output chain under this rule set should be confirmed on the deployed
# kernel.
ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
-s $IPADDR fragmentation-needed -d $ANYWHERE -j ACCEPT
# (11) Time_Exceeded
# incoming & outgoing time out conditions,
# also intermediate TTL response to traceroutes
# Outbound is limited to $MY_ISP, so only traceroutes from the ISP's
# range get an intermediate-hop answer from this host.
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
-s $ANYWHERE 11 -d $IPADDR -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
-s $IPADDR 11 -d $MY_ISP -j ACCEPT
# allow outgoing pings to anywhere
# echo request (8) out, echo reply (0) back in
ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
-s $IPADDR 8 -d $ANYWHERE -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
-s $ANYWHERE 0 -d $IPADDR -j ACCEPT
# allow incoming pings from trusted hosts
# Disabled: inbound echo requests are dropped by the input policy, so the
# host does not answer pings from the Internet.
#ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
# -s $MY_ISP 8 -d $IPADDR -j ACCEPT
#ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
# -s $IPADDR 0 -d $MY_ISP -j ACCEPT
# --------------------------------------------------------------------
# UNPRIVILEGED PORTS
# Avoid ports subject to protocol & system administration problems.
# These DENY/REJECT rules match connection attempts (-y, SYN set) and
# must stay ahead of the ACCEPT rules that follow: ipchains takes the
# first match, and later on the port-mode FTP data rule accepts inbound
# SYNs from source port 20 to any unprivileged port while the passive
# FTP rule accepts any outbound unprivileged-to-unprivileged connection.
# Open Windows: establishing a connection
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp -y \
-s $IPADDR \
-d $ANYWHERE $OPENWINDOWS_PORT -j REJECT
# Open Windows incoming connection
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -y \
-d $IPADDR $OPENWINDOWS_PORT -j DENY
# X Windows: establishing a remote connection
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp -y \
-s $IPADDR \
-d $ANYWHERE $XWINDOW_PORTS -j REJECT
# X Windows: incoming connection attempt (logged)
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -y \
-d $IPADDR $XWINDOW_PORTS -j DENY -l
# SOCKS: establishing a connection (logged)
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp -y \
-s $IPADDR \
-d $ANYWHERE $SOCKS_PORT -j REJECT -l
# SOCKS incoming connection
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -y \
-d $IPADDR $SOCKS_PORT -j DENY
# NFS: TCP connections
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -y \
-d $IPADDR $NFS_PORT -j DENY -l
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp -y \
-d $ANYWHERE $NFS_PORT -j REJECT -l
# NFS: UDP connections (UDP has no SYN flag, so every datagram matches)
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
-d $IPADDR $NFS_PORT -j DENY -l
# NFS incoming request (normal UDP mode)
ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
-d $ANYWHERE $NFS_PORT -j REJECT -l
# --------------------------------------------------------------------
# NOTE:
# The symbolic names used in /etc/services for the port numbers
# vary by supplier. Using them is less error prone and more
# meaningful.
# --------------------------------------------------------------------
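# Required Services
# DNS client modes (53)
# ---------------------
# One rule pair per configured nameserver. Iterating over the three
# variables skips any slot the DHCP lease file left unset, instead of
# emitting a rule with a missing address for the empty slot.
# UDP is the normal transport: the query leaves from an unprivileged
# port, the answer comes back from port 53.
for nameserver in $NAMESERVER_1 $NAMESERVER_2 $NAMESERVER_3; do
  ipchains -A output -i "$EXTERNAL_INTERFACE" -p udp \
    -s "$IPADDR" $UNPRIVPORTS \
    -d "$nameserver" 53 -j ACCEPT
  ipchains -A input -i "$EXTERNAL_INTERFACE" -p udp \
    -s "$nameserver" 53 \
    -d "$IPADDR" $UNPRIVPORTS -j ACCEPT
done
# TCP is the fallback when a UDP answer is truncated, and it is the
# transport for zone transfers, so unsolicited TCP/53 traffic is worth
# watching. As a client this host rarely needs it, but the resolver may
# retry over TCP, so allow it to the configured nameservers only.
for nameserver in $NAMESERVER_1 $NAMESERVER_2 $NAMESERVER_3; do
  ipchains -A output -i "$EXTERNAL_INTERFACE" -p tcp \
    -s "$IPADDR" $UNPRIVPORTS \
    -d "$nameserver" 53 -j ACCEPT
  ipchains -A input -i "$EXTERNAL_INTERFACE" -p tcp ! -y \
    -s "$nameserver" 53 \
    -d "$IPADDR" $UNPRIVPORTS -j ACCEPT
done
# DNS server modes (53)
# ---------------------
# Templates only; none of the following is enabled.
# DNS caching & forwarding nameserver
# -----------------------------------
# server to server query or response, forwarding to the first
# nameserver. Caching only name server uses UDP, not TCP.
#ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
# -s $IPADDR 53 \
# -d $NAMESERVER_1 53 -j ACCEPT
#ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
# -s $NAMESERVER_1 53 \
# -d $IPADDR 53 -j ACCEPT
# DNS full nameserver
# -------------------
# client to server DNS transaction from anywhere. (The original templates
# gave a port with no address, e.g. "-s $UNPRIVPORTS"; $ANYWHERE is
# supplied here so the address part is not left out.)
#ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
# -s $ANYWHERE $UNPRIVPORTS \
# -d $IPADDR 53 -j ACCEPT
#ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
# -s $IPADDR 53 \
# -d $ANYWHERE $UNPRIVPORTS -j ACCEPT
# peer-to-peer server DNS transaction
#ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
# -s $ANYWHERE 53 \
# -d $IPADDR 53 -j ACCEPT
#ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
# -s $IPADDR 53 \
# -d $ANYWHERE 53 -j ACCEPT
# Zone Transfers
# due to the potential danger of zone transfers,
# only allow TCP traffic to specific secondaries: replace
# <secondary-address> with each secondary's address, one pair per host.
#ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
# -s <secondary-address> $UNPRIVPORTS \
# -d $IPADDR 53 -j ACCEPT
#ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
# -s $IPADDR 53 \
# -d <secondary-address> $UNPRIVPORTS -j ACCEPT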
# --------------------------------------------------------------------
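# Helpers for the client/server TCP services that follow. Both are
# plain POSIX sh functions (this file runs under /bin/sh).
#
# tcp_client_rules SERVER SERVER_PORT CLIENT_PORTS
#   Allow this host to open TCP connections from CLIENT_PORTS to
#   SERVER_PORT on SERVER over the external interface, and accept the
#   replies. The reply rule carries "! -y": only segments with the SYN
#   bit clear are admitted, so the remote side cannot use it to open a
#   connection. ipchains keeps no connection state, so any non-SYN
#   segment matching the address/port pattern passes, not only segments
#   of a connection this host opened.
#   Arguments: $1 - server address or network (e.g. "$ANYWHERE")
#              $2 - server port or port range
#              $3 - local client port range
#   Outputs:   appends one rule to the output chain, one to the input chain
#   Returns:   exit status of the second ipchains call
tcp_client_rules() {
  ipchains -A output -i "$EXTERNAL_INTERFACE" -p tcp \
    -s "$IPADDR" "$3" \
    -d "$1" "$2" -j ACCEPT
  ipchains -A input -i "$EXTERNAL_INTERFACE" -p tcp ! -y \
    -s "$1" "$2" \
    -d "$IPADDR" "$3" -j ACCEPT
}
# tcp_server_rules SERVER_PORT CLIENT CLIENT_PORTS
#   Mirror image of tcp_client_rules: accept connections from CLIENT's
#   CLIENT_PORTS to SERVER_PORT on this host and allow the non-SYN
#   replies. Referenced only by the commented-out server alternatives
#   below; uncomment a call to enable a local server.
#   Arguments: $1 - local server port or port range
#              $2 - client address or network
#              $3 - client port range
tcp_server_rules() {
  ipchains -A input -i "$EXTERNAL_INTERFACE" -p tcp \
    -s "$2" "$3" \
    -d "$IPADDR" "$1" -j ACCEPT
  ipchains -A output -i "$EXTERNAL_INTERFACE" -p tcp ! -y \
    -s "$IPADDR" "$1" \
    -d "$2" "$3" -j ACCEPT
}
# AUTH (113) - Allowing Your Outgoing AUTH Requests as a Client
# -------------------------------------------------------------
tcp_client_rules "$ANYWHERE" 113 "$UNPRIVPORTS"
# AUTH server (113)
# -----------------
# Accepting Incoming AUTH Requests
#tcp_server_rules 113 "$ANYWHERE" "$UNPRIVPORTS"
#
# OR
# Rejecting Incoming AUTH Requests
# REJECT rather than DENY, so a remote service probing ident gets an
# immediate refusal instead of waiting for a timeout. Matches SYN and
# non-SYN alike.
ipchains -A input -i "$EXTERNAL_INTERFACE" -p tcp \
  -d "$IPADDR" 113 -j REJECT
# --------------------------------------------------------------------
# TCP services on selected ports
# Sending Mail through a remote SMTP gateway (25)
# -----------------------------------------------
# SMTP client to an ISP account without a local server
tcp_client_rules "$SMTP_GATEWAY" 25 "$UNPRIVPORTS"
# OR
# Sending Mail through a local SMTP server (to any remote mail exchanger)
#tcp_client_rules "$ANYWHERE" 25 "$UNPRIVPORTS"
# Receiving Mail as a Local SMTP server (25)
# ------------------------------------------
#tcp_server_rules 25 "$ANYWHERE" "$UNPRIVPORTS"
# --------------------------------------------------------------------
# POP (110) - Retrieving Mail as a POP Client
# -------------------------------------------
# Plain POP3; the TLS port (995) is not opened here.
tcp_client_rules "$POP_SERVER" 110 "$UNPRIVPORTS"
# POP (110) - Hosting a POP Server for Remote Clients
# ---------------------------------------------------
#tcp_server_rules 110 "$ANYWHERE" "$UNPRIVPORTS"
# --------------------------------------------------------------------
# IMAP (143) - Retrieving Mail as an IMAP Client
# ----------------------------------------------
# Plain IMAP; the TLS port (993) is not opened here.
tcp_client_rules "$IMAP_SERVER" 143 "$UNPRIVPORTS"
# IMAP (143) - Hosting an IMAP Server for Remote Clients
# ------------------------------------------------------
#tcp_server_rules 143 "$ANYWHERE" "$UNPRIVPORTS"
# --------------------------------------------------------------------
# NNTP (119) - Reading and Posting News as a Usenet Client
# --------------------------------------------------------
tcp_client_rules "$NEWS_SERVER" 119 "$UNPRIVPORTS"
# NNTP (119) - Hosting a Usenet News Server for Remote Clients
# ------------------------------------------------------------
#tcp_server_rules 119 "$ANYWHERE" "$UNPRIVPORTS"
# NNTP (119) - Allowing Peer News Feeds for a Local Usenet Server
# ---------------------------------------------------------------
# One call per peer; the original template had no peer address at all.
#tcp_client_rules "<peer-feed-address>" 119 "$UNPRIVPORTS"
# --------------------------------------------------------------------
# TELNET (23) - Allowing Outgoing Client Access to Remote Sites
# -------------------------------------------------------------
# Telnet carries logins in the clear; keep this only while a remote
# site still requires it, otherwise comment it out in favour of SSH.
tcp_client_rules "$ANYWHERE" 23 "$UNPRIVPORTS"
# TELNET (23) - Allowing Incoming Access to Your Local Server
# -----------------------------------------------------------
#tcp_server_rules 23 "$ANYWHERE" "$UNPRIVPORTS"
# --------------------------------------------------------------------
# SSH client (22) - Allowing Client Access to Remote SSH Servers
# --------------------------------------------------------------
# Two pairs: ordinary unprivileged client ports, and the privileged
# $SSH_PORTS range some ssh clients use.
tcp_client_rules "$ANYWHERE" 22 "$UNPRIVPORTS"
tcp_client_rules "$ANYWHERE" 22 "$SSH_PORTS"
# --------------------------------------------------------------------
# SSH (22) - Allowing Remote Client Access to Your Local SSH Server
# -----------------------------------------------------------------
#tcp_server_rules 22 "$ANYWHERE" "$UNPRIVPORTS"
#tcp_server_rules 22 "$ANYWHERE" "$SSH_PORTS"
# --------------------------------------------------------------------
# FTP (20, 21) - Allowing Outgoing Client Access to Remote FTP Servers
# --------------------------------------------------------------------
# outgoing request (control channel)
tcp_client_rules "$ANYWHERE" 21 "$UNPRIVPORTS"
# Normal Port Mode FTP Data Channels
# In port mode the remote server opens the data connection to us from
# port 20, so the inbound rule has to admit SYNs (no "! -y") to every
# unprivileged local port; a stateless filter cannot tie this to an FTP
# session in progress. The DENY rules for X, SOCKS, OpenWindows and NFS
# earlier in the file still take precedence. Prefer passive mode where
# the server supports it, and comment this pair out if port mode is not
# needed.
ipchains -A input -i "$EXTERNAL_INTERFACE" -p tcp \
  -s "$ANYWHERE" 20 \
  -d "$IPADDR" $UNPRIVPORTS -j ACCEPT
ipchains -A output -i "$EXTERNAL_INTERFACE" -p tcp ! -y \
  -s "$IPADDR" $UNPRIVPORTS \
  -d "$ANYWHERE" 20 -j ACCEPT
# Passive Mode FTP Data Channels
# This host opens a second connection to a server-chosen unprivileged
# port. Because that port is not known in advance, the reply rule
# accepts any non-SYN TCP segment from any unprivileged remote port to
# any unprivileged local port -- the broadest inbound rule in this file;
# most client reply rules above are a subset of it.
# Fixed: the destination port range was misspelled $UNPIRVPORTS, which
# expanded to nothing and left the reply rule unrestricted by port.
tcp_client_rules "$ANYWHERE" "$UNPRIVPORTS" "$UNPRIVPORTS"
# FTP (20, 21) - Allowing Incoming Access to Your Local FTP Server
# ----------------------------------------------------------------
# incoming request (control channel)
#tcp_server_rules 21 "$ANYWHERE" "$UNPRIVPORTS"
# Normal Port Mode FTP Data Channel Responses (server opens from port 20)
#ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
# -s $IPADDR 20 \
# -d $ANYWHERE $UNPRIVPORTS -j ACCEPT
#ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
# -s $ANYWHERE $UNPRIVPORTS \
# -d $IPADDR 20 -j ACCEPT
# Passive Mode FTP Data Channel Responses
#tcp_server_rules "$UNPRIVPORTS" "$ANYWHERE" "$UNPRIVPORTS"
# --------------------------------------------------------------------
# HTTP (80) - Accessing Remote Web Sites as a Client
# --------------------------------------------------
tcp_client_rules "$ANYWHERE" 80 "$UNPRIVPORTS"
# HTTP (80) - Allowing Remote Access to a Local Web Server
# --------------------------------------------------------
#tcp_server_rules 80 "$ANYWHERE" "$UNPRIVPORTS"
# HTTPS (443) - Accessing Remote Web Sites Over SSL as a Client
# -------------------------------------------------------------
tcp_client_rules "$ANYWHERE" 443 "$UNPRIVPORTS"
# HTTPS (443) - Allowing Remote Access to a Local SSL Web Server
# --------------------------------------------------------------
#tcp_server_rules 443 "$ANYWHERE" "$UNPRIVPORTS"
# --------------------------------------------------------------------
# HTTP Proxy client (8008/8080)
# -----------------------------
#tcp_client_rules "$WEB_PROXY_SERVER" "$WEB_PROXY_PORT" "$UNPRIVPORTS"
# --------------------------------------------------------------------
# FINGER (79) - Accessing Remote finger Servers as a Client
# ---------------------------------------------------------
tcp_client_rules "$ANYWHERE" 79 "$UNPRIVPORTS"
# FINGER (79) - Allowing Remote Client Access to a Local finger Server
# --------------------------------------------------------------------
#tcp_server_rules 79 "$ANYWHERE" "$UNPRIVPORTS"
# --------------------------------------------------------------------
# WHOIS client (43)
# -----------------
tcp_client_rules "$ANYWHERE" 43 "$UNPRIVPORTS"
# --------------------------------------------------------------------
# Gopher client (70)
# ------------------
#tcp_client_rules "$ANYWHERE" 70 "$UNPRIVPORTS"
# --------------------------------------------------------------------
# WAIS client (210)
# -----------------
#tcp_client_rules "$ANYWHERE" 210 "$UNPRIVPORTS"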
# --------------------------------------------------------------------
# UDP accept only on selected ports
# TRACEROUTE
# traceroute usually uses -S 32769:65535 -D 33434:33523
# -----------------------------------------------------
# Enabling Outgoing traceroute Requests
# -------------------------------------
#ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
# -s $IPADDR $TRACEROUTE_SRC_PORTS \
# -d $ANYWHERE $TRACEROUTE_DEST_PORTS -j ACCEPT
# incoming query from the ISP.
# All others are denied by default.
# ---------------------------------
#ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
# -s $MY_ISP 32769:65535 \
# -d $IPADDR 33434:33523 -j ACCEPT
# --------------------------------------------------------------------
# DHCP client (67, 68)
# --------------------
# DHCP_SERVER is taken from the lease file's DHCPSIADDR near the top of
# this script; these rules are only as specific as that value.
# INIT or REBINDING: No lease or Lease time expired.
# With no address yet, the client broadcasts from 0.0.0.0:68 to 255.255.255.255:67.
ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
-s $BROADCAST_SRC 68 \
-d $BROADCAST_DEST 67 -j ACCEPT
# Getting renumbered
# Server replies broadcast to port 68; the source may be 0.0.0.0, which
# is why 0.0.0.0 is not blanket-denied as a source in the spoofing section.
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
-s $BROADCAST_SRC 67 \
-d $BROADCAST_DEST 68 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
-s $DHCP_SERVER 67 \
-d $BROADCAST_DEST 68 -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
-s $BROADCAST_SRC 68 \
-d $DHCP_SERVER 67 -j ACCEPT
# As a result of the above, we're supposed to change our IP
# address with this message, which is addressed to our new
# address before the dhcp client has received the update.
# The new address is unknown here, so $MY_ISP must cover the ISP's
# lease pool for this rule to match.
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
-s $DHCP_SERVER 67 \
-d $MY_ISP 68 -j ACCEPT
# Unicast lease renewals once the address is known.
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
-s $DHCP_SERVER 67 \
-d $IPADDR 68 -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
-s $IPADDR 68 \
-d $DHCP_SERVER 67 -j ACCEPT
# --------------------------------------------------------------------
# NTP (123) - Accessing Remote Network Time Servers
# -------------------------------------------------
# Three hard-coded server addresses. The first pair uses an unprivileged
# local port (client style); the other two use 123 on both ends (peer
# style), so a client that sends from an unprivileged port only matches
# the first server. As with the nameservers, these addresses belong in
# the definitions section and should be re-checked before deployment.
ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
-s $IPADDR $UNPRIVPORTS \
-d 192.43.244.18 123 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
-s 192.43.244.18 123 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
-s $IPADDR 123 \
-d 192.5.41.4 123 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
-s 192.5.41.4 123 \
-d $IPADDR 123 -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
-s $IPADDR 123 \
-d 128.102.16.2 123 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
-s 128.102.16.2 123 \
-d $IPADDR 123 -j ACCEPT
# --------------------------------------------------------------------
# RealAudio / QuickTime client
# ----------------------------
# RTSP control connection (554); the reply rule is listed before the
# request rule here, which does not matter since input and output are
# separate chains.
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $ANYWHERE 554 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
-d $ANYWHERE 554 -j ACCEPT
# TCP is a more secure method: 7070:7071
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $ANYWHERE 7070:7071 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
-d $ANYWHERE 7070:7071 -j ACCEPT
# UDP is the preferred method: 6970:6999
# For LAN machines, UDP requires the RealAudio masquerading module and
# the ipmasqadm third-party software.
# Stateless: any UDP datagram from any unprivileged remote port to local
# ports 6970:6999 is accepted, whether or not a stream was requested.
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
-s $ANYWHERE $UNPRIVPORTS \
-d $IPADDR 6970:6999 -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
-s $IPADDR 6970:6999 \
-d $ANYWHERE $UNPRIVPORTS -j ACCEPT
# --------------------------------------------------------------------
# ICQ client (4000)
# -----------------
# The TCP pair covers 2000:4000, not just 4000 as the heading says --
# 2001 server ports, including $OPENWINDOWS_PORT (2000), whose outbound
# REJECT earlier in the file still wins on first match. Narrow this if
# the client's actual port range is known.
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
-d $ANYWHERE 2000:4000 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $ANYWHERE 2000:4000 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT
# UDP to/from port 4000 only
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
-s $ANYWHERE 4000 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
-s $IPADDR $UNPRIVPORTS \
-d $ANYWHERE 4000 -j ACCEPT
# ----------------------------------------------------------------------------
# ------------------------------------------------------------------
# Unlimited traffic within the local network.
# All internal machines have access to the firewall machine.
# Anything from $LAN_1 arriving on the LAN interface is accepted, and
# anything leaving towards $LAN_1 on that interface too; no per-service
# filtering is applied to LAN hosts.
ipchains -A input -i $LAN_INTERFACE_1 \
-s $LAN_1 -j ACCEPT
ipchains -A output -i $LAN_INTERFACE_1 \
-d $LAN_1 -j ACCEPT
# --------------------------------------------------------------------
# Masquerade internal traffic.
# All internal traffic is masqueraded externally.
# Only $LAN_1 sources are forwarded; everything else hits the REJECT
# forward policy set at the top.
# NOTE(review): in ipchains a forwarded packet also traverses the input
# and output chains, so the client ACCEPT rules above should also bound
# what masqueraded LAN traffic can reach -- confirm on the deployed kernel.
ipchains -A forward -i $EXTERNAL_INTERFACE -s $LAN_1 -j MASQ
# --------------------------------------------------------------------
echo "done"
exit 0