#!/bin/sh
#
# rc.firewall - ipchains packet filter for a single host that
# masquerades one internal LAN behind one Internet-facing interface.
#
# Requires: ipchains, the /proc/sys/net/ipv4 sysctls and the
# ip_masq_* kernel modules. Every value in the block below is
# site-specific and must be edited before the script is used.

printf '%s\n' "Starting firewalling... "

# Some definitions for easy maintenance.
# --------------------------------------------------------------------
# EDIT THESE TO SUIT YOUR SYSTEM AND ISP.

# Interfaces and local addresses
EXTERNAL_INTERFACE="eth0"           # Internet connected interface
LOOPBACK_INTERFACE="lo"             # or your local naming convention
LAN_INTERFACE_1="eth1"              # internal LAN interface
IPADDR="24.11.70.92"                # your IP address (replaced by the DHCP lease below when present)
LAN_1="192.168.1.0/24"              # whatever (private) range you use
LAN_IPADDR_1="192.168.1.1"          # your internal interface address
ANYWHERE="any/0"                    # match any IP address

# ISP-provided services. The /8 values are placeholders as broad as
# the whole ISP; narrow each one to the real server address where the
# ISP publishes it, since every rule below trusts these ranges.
DHCP_SERVER="24.0.0.0/8"            # if you use one
MY_ISP="24.0.0.0/8"                 # ISP & NOC address range
NAMESERVER_1="24.3.196.33"
NAMESERVER_2="24.3.196.34"
NAMESERVER_3="24.3.196.35"
SMTP_SERVER="24.0.0.0/8"            # external mail server
SMTP_GATEWAY="24.0.0.0/8"           # external mail relay
POP_SERVER="24.0.0.0/8"             # external pop server, if any
IMAP_SERVER="24.0.0.0/8"            # external imap server, if any
NEWS_SERVER="24.0.0.0/8"            # external news server, if any
WEB_PROXY_SERVER="24.0.0.0/8"       # ISP web proxy server, if any
WEB_PROXY_PORT="8080"               # ISP web proxy port, if any; typically 8008 or 8080

# Address ranges used by the anti-spoofing rules
LOOPBACK="127.0.0.0/8"              # reserved loopback address range
CLASS_A="10.0.0.0/8"                # class A private networks
CLASS_B="172.16.0.0/12"             # class B private networks
CLASS_C="192.168.0.0/16"            # class C private networks
CLASS_D_MULTICAST="224.0.0.0/4"     # class D multicast addresses
CLASS_E_RESERVED_NET="240.0.0.0/5"  # class E reserved addresses
BROADCAST_SRC="0.0.0.0"             # broadcast source address
BROADCAST_DEST="255.255.255.255"    # broadcast destination address

# Port ranges
PRIVPORTS="0:1023"                  # wellknown, privileged port range
UNPRIVPORTS="1024:65535"            # unprivileged port range
TRACEROUTE_SRC_PORTS="32769:65535"
TRACEROUTE_DEST_PORTS="33434:33523"

# ....................................................................
# If your IP address is dynamically assigned by a DHCP server, then
# nameservers are found in /etc/dhcpc/resolv.conf.
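# If used, the example ifdhcpc-done script updates these automatically
# and appends them to /etc/dhcpc/hostinfo-$EXTERNAL_INTERFACE or
# /etc/dhcpc/dhcpcd-$EXTERNAL_INTERFACE.info.
# If using the example ifdhcpc-done script, the following NAMESERVER
# definitions (one per server, up to 3) will be overridden correctly
# here.
#
# Load the DHCP lease information. The IP address, $IPADDR, is defined
# by dhcp. Whichever file is found is sourced as shell code with this
# script's (root) privileges, so it needs the same ownership and
# permission protection as the script itself.
if [ -f "/etc/dhcpc/hostinfo-$EXTERNAL_INTERFACE" ]; then
    . "/etc/dhcpc/hostinfo-$EXTERNAL_INTERFACE"
elif [ -f "/etc/dhcpc/dhcpcd-$EXTERNAL_INTERFACE.info" ]; then
    . "/etc/dhcpc/dhcpcd-$EXTERNAL_INTERFACE.info"
elif [ -f /etc/dhcpc/pump.info ]; then
    . /etc/dhcpc/pump.info
else
    # No lease information: leave a closed firewall that passes only
    # loopback and LAN traffic, then stop. All three chains get an
    # explicit policy here so the forward chain is not left at the
    # kernel's default (ACCEPT) the way the original fallback did.
    echo "rc.firewall: dhcp is not configured." >&2
    ipchains -F
    ipchains -P input DENY
    ipchains -P output DENY
    ipchains -P forward REJECT
    ipchains -A input -i "$LOOPBACK_INTERFACE" -j ACCEPT
    ipchains -A output -i "$LOOPBACK_INTERFACE" -j ACCEPT
    ipchains -A input -i "$LAN_INTERFACE_1" -j ACCEPT
    ipchains -A output -i "$LAN_INTERFACE_1" -j ACCEPT
    exit 1
fi

# If using the example ifdhcpc-done script, any previous definitions of
# IPADDR and NAMESERVER will be overridden correctly here.
# DHCPSIADDR is presumably the server address recorded in the lease
# file; if that file did not set it, keep the configured DHCP_SERVER
# rather than an empty string, which would turn every
# "-s $DHCP_SERVER 67" rule below into a malformed rule that ipchains
# refuses to add.
DHCP_SERVER=${DHCPSIADDR:-$DHCP_SERVER}

# ....................................................................
# EDIT THESE TO MATCH THE NUMBER OF SERVERS OR CONNECTIONS
# YOU SUPPORT.

# X Windows port allocation begins at 6000 and increments
# for each additional server running from 6000 to 6063.
XWINDOW_PORTS="6000:6063"          # (TCP) X windows

# SSH starts at 1023 and works down to 513 for
# each additional simultaneous incoming connection.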
SSH_PORTS="1020:1023"              # simultaneous connections
# --------------------------------------------------------------------
SOCKS_PORT="1080"                  # (TCP) socks
OPENWINDOWS_PORT="2000"            # (TCP) openwindows
NFS_PORT="2049"                    # (TCP/UDP) NFS
# --------------------------------------------------------------------

# Write VALUE ($2) into every per-interface ipv4 sysctl called NAME
# ($1), i.e. /proc/sys/net/ipv4/conf/*/NAME.
set_ipv4_conf() {
    for f in /proc/sys/net/ipv4/conf/*/"$1"; do
        echo "$2" > "$f"
    done
}

# Start from an empty rule set with deny-by-default policies on all
# three chains; every ACCEPT further down is an explicit exception.
ipchains -F
ipchains -P input DENY
ipchains -P output REJECT
ipchains -P forward REJECT

# Masquerade timeouts: 10 hours for established TCP connections,
# 10 seconds after FIN, 120 seconds for UDP.
ipchains -M -S 36000 10 120

# Drop non-initial fragments arriving on the external interface.
ipchains -A input -f -i "$EXTERNAL_INTERFACE" -j DENY

# Kernel-side hardening: SYN cookies, source address verification
# (rp_filter), and no acceptance of ICMP redirects or source-routed
# packets on any interface.
echo 1 >/proc/sys/net/ipv4/tcp_syncookies
set_ipv4_conf rp_filter 1
set_ipv4_conf accept_redirects 0
set_ipv4_conf accept_source_route 0

# Masquerading helpers for protocols that carry addresses or ports
# in-band. Each one is extra kernel parsing of untrusted traffic, so
# enable only the modules for services the LAN actually uses.
for module in ip_masq_ftp ip_masq_icq ip_masq_raudio; do
    /sbin/insmod "$module"
done
#/sbin/insmod ip_masq_irc
#/sbin/insmod ip_masq_vdolive
#/sbin/insmod ip_masq_cuseeme
#/sbin/insmod ip_masq_quake

# --------------------------------------------------------------------
# LOOPBACK
# Unlimited traffic on the loopback interface
for chain in input output; do
    ipchains -A "$chain" -i "$LOOPBACK_INTERFACE" -j ACCEPT
done

# --------------------------------------------------------------------
# Refuse any connections from problem sites
# /etc/rc.d/rc.firewall.blocked contains a list of
#   ipchains -A input -i $EXTERNAL_INTERFACE -s <blocked-address> \
#     -j DENY
# rules to block all access.
# That file is sourced as shell code with root privileges, so it needs
# the same ownership and permission protection as this script.

# Refuse packets claiming to be from the banned list
if [ -f /etc/rc.d/rc.firewall.blocked ]; then
    . /etc/rc.d/rc.firewall.blocked
fi

# --------------------------------------------------------------------
# SPOOFING & BAD ADDRESSES
# Refuse spoofed packets.
# Ignore blatantly illegal source addresses.
# Protect yourself from sending to bad addresses.
#
# ipchains takes the first matching rule, so these DENYs only work
# because they are inserted ahead of every ACCEPT below; keep them
# here. "-l" logs each match to the kernel log; under a sustained
# spoofing flood that also floods syslog, so drop "-l" from the
# noisiest rules if that becomes a problem.

# Refuse spoofed packets pretending to be from
# the external interface's IP address
ipchains -A input -i $EXTERNAL_INTERFACE -s $IPADDR -j DENY -l

# Refuse packets claiming to be to or from a Class A private network
ipchains -A input -i $EXTERNAL_INTERFACE -s $CLASS_A -j DENY
ipchains -A input -i $EXTERNAL_INTERFACE -d $CLASS_A -j DENY
ipchains -A output -i $EXTERNAL_INTERFACE -s $CLASS_A -j DENY -l
ipchains -A output -i $EXTERNAL_INTERFACE -d $CLASS_A -j DENY -l

# Refuse packets claiming to be to or from a Class B private network
ipchains -A input -i $EXTERNAL_INTERFACE -s $CLASS_B -j DENY
ipchains -A input -i $EXTERNAL_INTERFACE -d $CLASS_B -j DENY
ipchains -A output -i $EXTERNAL_INTERFACE -s $CLASS_B -j DENY -l
ipchains -A output -i $EXTERNAL_INTERFACE -d $CLASS_B -j DENY -l

# Refuse packets claiming to be to or from a Class C private network
ipchains -A input -i $EXTERNAL_INTERFACE -s $CLASS_C -j DENY
ipchains -A input -i $EXTERNAL_INTERFACE -d $CLASS_C -j DENY
ipchains -A output -i $EXTERNAL_INTERFACE -s $CLASS_C -j DENY -l
ipchains -A output -i $EXTERNAL_INTERFACE -d $CLASS_C -j DENY -l

# Refuse packets claiming to be from the loopback interface
ipchains -A input -i $EXTERNAL_INTERFACE -s $LOOPBACK -j DENY
ipchains -A output -i $EXTERNAL_INTERFACE -s $LOOPBACK -j DENY -l

# Refuse malformed broadcast packets
ipchains -A input -i $EXTERNAL_INTERFACE -s $BROADCAST_DEST -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -d $BROADCAST_SRC -j DENY -l
ipchains -A output -i $EXTERNAL_INTERFACE -s $BROADCAST_DEST -j DENY -l
ipchains -A output -i $EXTERNAL_INTERFACE -d $BROADCAST_SRC -j DENY -l

# Refuse Class D multicast addresses
# Multicast is only illegal as a source address.
# Multicast uses UDP
ipchains -A input -i $EXTERNAL_INTERFACE -s $CLASS_D_MULTICAST \
         -j DENY -l
ipchains -A output -i $EXTERNAL_INTERFACE -s $CLASS_D_MULTICAST \
         -j REJECT -l

# Refuse Class E reserved IP addresses
ipchains -A input -i $EXTERNAL_INTERFACE -s $CLASS_E_RESERVED_NET \
         -j DENY -l
ipchains -A output -i $EXTERNAL_INTERFACE -d $CLASS_E_RESERVED_NET \
         -j REJECT

# Refuse addresses defined as reserved by the IANA.
# 0.*.*.*, 1.*.*.*, 2.*.*.*, 5.*.*.*, 7.*.*.*, 23.*.*.*, 27.*.*.*
# 31.*.*.*, 37.*.*.*, 39.*.*.*, 41.*.*.*, 42.*.*.*, 58-60.*.*.*
#
# CAUTION: this "bogon" list reflects the IANA registry as it stood
# when the script was written. Most of these blocks have since been
# allocated to ISPs and end users, so as written these rules will
# silently drop legitimate traffic. Regenerate the list from a
# current bogon source before deploying it and review it periodically.
# (0.*.*.* is named above but has no rule of its own here; only
# BROADCAST_SRC as a destination is covered further up.)
ipchains -A input -i $EXTERNAL_INTERFACE -s 1.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 2.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 5.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 7.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 23.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 27.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 31.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 37.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 39.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 41.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 42.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 58.0.0.0/7 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 60.0.0.0/8 -j DENY -l

# 65: 01000001 - /3 includes 64 - need 65-79 spelled out
ipchains -A input -i $EXTERNAL_INTERFACE -s 65.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 66.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 67.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 68.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 69.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 70.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 71.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 72.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 73.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 74.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 75.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 76.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 77.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 78.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 79.0.0.0/8 -j DENY -l

# 80: 01010000 - /4 masks 80-95
ipchains -A input -i $EXTERNAL_INTERFACE -s 80.0.0.0/4 -j DENY -l

# 96: 01100000 - /4 masks 96-111
ipchains -A input -i $EXTERNAL_INTERFACE -s 96.0.0.0/4 -j DENY -l

# 126: 01111110 - /3 includes 127 - need 112-126 spelled out
ipchains -A input -i $EXTERNAL_INTERFACE -s 112.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 113.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 114.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 115.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 116.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 117.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 118.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 119.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 120.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 121.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 122.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 123.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 124.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 125.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 126.0.0.0/8 -j DENY -l

# 217: 11011001 - /5 includes 216 - need 217-219 spelled out
ipchains -A input -i $EXTERNAL_INTERFACE -s 217.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 218.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 219.0.0.0/8 -j DENY -l

# 223: 11011111 - /6 masks 220-223
ipchains -A input -i $EXTERNAL_INTERFACE -s 220.0.0.0/6 -j DENY -l

# --------------------------------------------------------------------
# ICMP
# Only the ICMP types listed here pass in each direction; the chain
# policies catch everything else, including incoming echo requests
# unless the commented rules at the end of this section are enabled.
# The number after the source address is the ICMP type.

# (4) Source_Quench
# incoming & outgoing requests to slow down (flow control)
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
         -s $ANYWHERE 4 -d $IPADDR -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
         -s $IPADDR 4 -d $ANYWHERE -j ACCEPT

# (12) Parameter_Problem
# incoming & outgoing error messages
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
         -s $ANYWHERE 12 -d $IPADDR -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
         -s $IPADDR 12 -d $ANYWHERE -j ACCEPT

# (3) Dest_Unreachable, Service_Unavailable
# incoming & outgoing size negotiation, service or
# destination unavailability, final traceroute response.
# Incoming type 3 is accepted from any source because path-MTU
# discovery needs it; outgoing is limited to fragmentation-needed so
# this host does not announce which of its ports are closed.
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
         -s $ANYWHERE 3 -d $IPADDR -j ACCEPT
#ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
#         -s $IPADDR 3 -d $MY_ISP -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
         -s $IPADDR fragmentation-needed -d $ANYWHERE -j ACCEPT

# (11) Time_Exceeded
# incoming & outgoing time out conditions,
# also intermediate TTL response to traceroutes
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
         -s $ANYWHERE 11 -d $IPADDR -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
         -s $IPADDR 11 -d $MY_ISP -j ACCEPT

# allow outgoing pings to anywhere
ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
         -s $IPADDR 8 -d $ANYWHERE -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
         -s $ANYWHERE 0 -d $IPADDR -j ACCEPT

# allow incoming pings from trusted hosts
#ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
#         -s $MY_ISP 8 -d $IPADDR -j ACCEPT
#ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
#         -s $IPADDR 0 -d $MY_ISP -j ACCEPT

# --------------------------------------------------------------------
# UNPRIVILEGED PORTS
#
# Avoid ports subject to protocol & system administration problems.
#
# These explicit rejects must stay ahead of the broad ACCEPTs that
# follow (notably the passive-mode FTP rules, which accept any
# unprivileged port pair), because ipchains uses the first matching
# rule. "-y" matches only packets with SYN set, i.e. connection
# attempts; established traffic to these ports is unaffected.

# Open Windows: establishing a connection
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp -y \
         -s $IPADDR \
         -d $ANYWHERE $OPENWINDOWS_PORT -j REJECT

# Open Windows incoming connection
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -y \
         -d $IPADDR $OPENWINDOWS_PORT -j DENY

# X Windows: establishing a remote connection
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp -y \
         -s $IPADDR \
         -d $ANYWHERE $XWINDOW_PORTS -j REJECT

# X Windows: incoming connection attempt (logged)
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -y \
         -d $IPADDR $XWINDOW_PORTS -j DENY -l

# SOCKS: establishing a connection (logged, since an outgoing SOCKS
# attempt from this host is unexpected)
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp -y \
         -s $IPADDR \
         -d $ANYWHERE $SOCKS_PORT -j REJECT -l

# SOCKS incoming connection
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -y \
         -d $IPADDR $SOCKS_PORT -j DENY

# NFS: TCP connections
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -y \
         -d $IPADDR $NFS_PORT -j DENY -l
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp -y \
         -d $ANYWHERE $NFS_PORT -j REJECT -l

# NFS: UDP connections
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
         -d $IPADDR $NFS_PORT -j DENY -l

# NFS incoming request (normal UDP mode)
ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
         -d $ANYWHERE $NFS_PORT -j REJECT -l

# --------------------------------------------------------------------
# NOTE:
# The symbolic names used in /etc/services for the port numbers
# vary by supplier. Using them is less error prone and more
# meaningful.
# --------------------------------------------------------------------
# Required Services
#
# Stateless client rules: each service gets an outgoing rule from our
# unprivileged ports and a matching incoming rule for the replies.
# On TCP the reply rule carries "! -y", so only non-SYN packets are
# accepted and the reply hole cannot be used to open connections to
# us. UDP has no such flag; a UDP reply rule trusts the source
# address alone, which is why the nameserver addresses should be the
# exact hosts and not an ISP-wide range.

# DNS client modes (53)
# ---------------------
ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
         -s $IPADDR $UNPRIVPORTS \
         -d $NAMESERVER_1 53 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
         -s $NAMESERVER_1 53 \
         -d $IPADDR $UNPRIVPORTS -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
         -s $IPADDR $UNPRIVPORTS \
         -d $NAMESERVER_2 53 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
         -s $NAMESERVER_2 53 \
         -d $IPADDR $UNPRIVPORTS -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
         -s $IPADDR $UNPRIVPORTS \
         -d $NAMESERVER_3 53 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
         -s $NAMESERVER_3 53 \
         -d $IPADDR $UNPRIVPORTS -j ACCEPT

# TCP client to server requests are allowed by the protocol
# if UDP requests fail. This is rarely seen. Usually, TCP on port 53
# is used by secondary nameservers for zone transfers from their
# primaries, and by attackers probing for the same.
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
         -s $IPADDR $UNPRIVPORTS \
         -d $NAMESERVER_1 53 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
         -s $NAMESERVER_1 53 \
         -d $IPADDR $UNPRIVPORTS -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
         -s $IPADDR $UNPRIVPORTS \
         -d $NAMESERVER_2 53 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
         -s $NAMESERVER_2 53 \
         -d $IPADDR $UNPRIVPORTS -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
         -s $IPADDR $UNPRIVPORTS \
         -d $NAMESERVER_3 53 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
         -s $NAMESERVER_3 53 \
         -d $IPADDR $UNPRIVPORTS -j ACCEPT

# DNS server modes (53)
# ---------------------
# All server-mode rules are disabled; enable only the set that
# matches the nameserver actually running here. Where the original
# text lost an address, it is shown as a <placeholder> to be filled in.

# DNS caching & forwarding nameserver
# -----------------------------------
# server to server query or response
# Caching only name server uses UDP, not TCP
#ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
#         -s $IPADDR 53 \
#         -d $NAMESERVER_1 53 -j ACCEPT
#ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
#         -s $NAMESERVER_1 53 \
#         -d $IPADDR 53 -j ACCEPT

# DNS full nameserver
# -------------------
# client to server DNS transaction
#ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
#         -s <client-address> $UNPRIVPORTS \
#         -d $IPADDR 53 -j ACCEPT
#ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
#         -s $IPADDR 53 \
#         -d <client-address> $UNPRIVPORTS -j ACCEPT

# peer-to-peer server DNS transaction
#ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
#         -s <peer-nameserver> 53 \
#         -d $IPADDR 53 -j ACCEPT
#ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
#         -s $IPADDR 53 \
#         -d <peer-nameserver> 53 -j ACCEPT

# Zone Transfers
# due to the potential danger of zone transfers,
# only allow TCP traffic to specific secondaries.
#ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
#         -s <secondary-address> $UNPRIVPORTS \
#         -d $IPADDR 53 -j ACCEPT
#ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
#         -s $IPADDR 53 \
#         -d <secondary-address> $UNPRIVPORTS -j ACCEPT

# --------------------------------------------------------------------
# AUTH (113) - Allowing Your Outgoing AUTH Requests as a Client
# -------------------------------------------------------------
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
         -s $IPADDR $UNPRIVPORTS \
         -d $ANYWHERE 113 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
         -s $ANYWHERE 113 \
         -d $IPADDR $UNPRIVPORTS -j ACCEPT

# AUTH server (113)
# -----------------
# Accepting Incoming AUTH Requests
#ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
#         -s $ANYWHERE $UNPRIVPORTS \
#         -d $IPADDR 113 -j ACCEPT
#ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
#         -s $IPADDR 113 \
#         -d $ANYWHERE $UNPRIVPORTS -j ACCEPT
#
# OR
# Rejecting Incoming AUTH Requests
# REJECT rather than DENY: the remote side gets an immediate ICMP
# unreachable, so mail and IRC servers that probe ident before
# talking to us do not stall waiting for a timeout.
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
         -d $IPADDR 113 -j REJECT

# --------------------------------------------------------------------
# TCP services on selected ports

# Sending Mail through a remote SMTP gateway (25)
# -----------------------------------------------
# SMTP client to an ISP account without a local server
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
         -s $IPADDR $UNPRIVPORTS \
         -d $SMTP_GATEWAY 25 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
         -s $SMTP_GATEWAY 25 \
         -d $IPADDR $UNPRIVPORTS -j ACCEPT

# OR
# Sending Mail through a local SMTP server
#ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
#         -s $IPADDR $UNPRIVPORTS \
#         -d $ANYWHERE 25 -j ACCEPT
#ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
#         -s $ANYWHERE 25 \
#         -d $IPADDR $UNPRIVPORTS -j ACCEPT

# Receiving Mail as a Local SMTP server (25)
# ------------------------------------------
#ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
#         -s $ANYWHERE $UNPRIVPORTS \
#         -d $IPADDR 25 -j ACCEPT
#ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
#         -s $IPADDR 25 \
#         -d $ANYWHERE $UNPRIVPORTS -j ACCEPT

# --------------------------------------------------------------------
# POP (110) - Retrieving Mail as a POP Client
# -------------------------------------------
# Port 110 is plain POP3; credentials cross the wire in cleartext
# unless the client negotiates STARTTLS. POP over TLS on 995 is not
# covered by these rules and would need its own pair.
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
         -s $IPADDR $UNPRIVPORTS \
         -d $POP_SERVER 110 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
         -s $POP_SERVER 110 \
         -d $IPADDR $UNPRIVPORTS -j ACCEPT

# POP (110) - Hosting a POP Server for Remote Clients
# ---------------------------------------------------
# (<client-address> marks an address lost from the original text.)
#ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
#         -s <client-address> $UNPRIVPORTS \
#         -d $IPADDR 110 -j ACCEPT
#ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
#         -s $IPADDR 110 \
#         -d <client-address> $UNPRIVPORTS -j ACCEPT

# --------------------------------------------------------------------
# IMAP (143) - Retrieving Mail as an IMAP Client
# ----------------------------------------------
# Port 143 is plain IMAP; like POP, it is cleartext unless STARTTLS
# is used, and IMAP over TLS on 993 would need its own rule pair.
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
         -s $IPADDR $UNPRIVPORTS \
         -d $IMAP_SERVER 143 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
         -s $IMAP_SERVER 143 \
         -d $IPADDR $UNPRIVPORTS -j ACCEPT

# IMAP (143) - Hosting an IMAP Server for Remote Clients
# ------------------------------------------------------
# (<client-address> marks an address lost from the original text.)
#ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
#         -s <client-address> $UNPRIVPORTS \
#         -d $IPADDR 143 -j ACCEPT
#ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
#         -s $IPADDR 143 \
#         -d <client-address> $UNPRIVPORTS -j ACCEPT

# --------------------------------------------------------------------
# NNTP (119) - Reading and Posting News as a Usenet Client
# --------------------------------------------------------
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
         -s $IPADDR $UNPRIVPORTS \
         -d $NEWS_SERVER 119 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
         -s $NEWS_SERVER 119 \
         -d $IPADDR $UNPRIVPORTS -j ACCEPT

# NNTP (119) - Hosting a Usenet News Server for Remote Clients
# ------------------------------------------------------------
#ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
#         -s <client-address> $UNPRIVPORTS \
#         -d $IPADDR 119 -j ACCEPT
#ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
#         -s $IPADDR 119 \
#         -d <client-address> $UNPRIVPORTS -j ACCEPT

# NNTP (119) - Allowing Peer News Feeds for a Local Usenet Server
# ---------------------------------------------------------------
#ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
#         -s $IPADDR $UNPRIVPORTS \
#         -d <peer-news-server> 119 -j ACCEPT
#ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
#         -s <peer-news-server> 119 \
#         -d $IPADDR $UNPRIVPORTS -j ACCEPT

# --------------------------------------------------------------------
# TELNET (23) - Allowing Outgoing Client Access to Remote Sites
# -------------------------------------------------------------
# Telnet sends passwords in cleartext; if the SSH client rules below
# cover every host you still need, consider dropping this pair.
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
         -s $IPADDR $UNPRIVPORTS \
         -d $ANYWHERE 23 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
         -s $ANYWHERE 23 \
         -d $IPADDR $UNPRIVPORTS -j ACCEPT

# TELNET (23) - Allowing Incoming Access to Your Local Server
# -----------------------------------------------------------
#ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
#         -s $ANYWHERE $UNPRIVPORTS \
#         -d $IPADDR 23 -j ACCEPT
#ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
#         -s $IPADDR 23 \
#         -d $ANYWHERE $UNPRIVPORTS -j ACCEPT

# --------------------------------------------------------------------
# SSH client (22) - Allowing Client Access to Remote SSH Servers
# --------------------------------------------------------------
# Two source ranges: the normal unprivileged ports, plus $SSH_PORTS
# for SSH clients that bind a privileged source port (rhosts-style
# authentication in older ssh versions).
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
         -s $IPADDR $UNPRIVPORTS \
         -d $ANYWHERE 22 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
         -s $ANYWHERE 22 \
         -d $IPADDR $UNPRIVPORTS -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
         -s $IPADDR $SSH_PORTS \
         -d $ANYWHERE 22 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
         -s $ANYWHERE 22 \
         -d $IPADDR $SSH_PORTS -j ACCEPT

# --------------------------------------------------------------------
# SSH (22) - Allowing Remote Client Access to Your Local SSH Server
# -----------------------------------------------------------------
#ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
#         -s $ANYWHERE $UNPRIVPORTS \
#         -d $IPADDR 22 -j ACCEPT
#ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
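#         -s $IPADDR 22 \
#         -d $ANYWHERE $UNPRIVPORTS -j ACCEPT
#ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
#         -s $ANYWHERE $SSH_PORTS \
#         -d $IPADDR 22 -j ACCEPT
#ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
#         -s $IPADDR 22 \
#         -d $ANYWHERE $SSH_PORTS -j ACCEPT

# --------------------------------------------------------------------
# FTP (20, 21) - Allowing Outgoing Client Access to Remote FTP Servers
# --------------------------------------------------------------------
# Control channel on 21 is a normal client rule pair. The data channel
# differs by mode: in normal (active) mode the server connects back to
# us from its port 20, so the incoming rule must accept SYNs; in
# passive mode we connect out to an unprivileged port on the server.

# outgoing request
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
         -s $IPADDR $UNPRIVPORTS \
         -d $ANYWHERE 21 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
         -s $ANYWHERE 21 \
         -d $IPADDR $UNPRIVPORTS -j ACCEPT

# Normal Port Mode FTP Data Channels
# This is the classic active-FTP hole: any host can open a connection
# to any of our unprivileged ports simply by using source port 20.
# The explicit rejects in the UNPRIVILEGED PORTS section above are
# what keep X, SOCKS, NFS and OpenWindows out of reach; prefer passive
# mode and drop this pair if your clients support it.
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
         -s $ANYWHERE 20 \
         -d $IPADDR $UNPRIVPORTS -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
         -s $IPADDR $UNPRIVPORTS \
         -d $ANYWHERE 20 -j ACCEPT

# Passive Mode FTP Data Channels
# The incoming rule previously read "$UNPIRVPORTS" (a typo). Under sh
# that expanded to nothing, leaving the rule with no destination port
# at all, so it accepted every non-SYN TCP packet from any unprivileged
# source port to any port on this host. The port range is restored.
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
         -s $IPADDR $UNPRIVPORTS \
         -d $ANYWHERE $UNPRIVPORTS -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
         -s $ANYWHERE $UNPRIVPORTS \
         -d $IPADDR $UNPRIVPORTS -j ACCEPT

# FTP (20, 21) - Allowing Incoming Access to Your Local FTP Server
# ----------------------------------------------------------------
# incoming request
#ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
#         -s $ANYWHERE $UNPRIVPORTS \
#         -d $IPADDR 21 -j ACCEPT
#ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
#         -s $IPADDR 21 \
#         -d $ANYWHERE $UNPRIVPORTS -j ACCEPT

# Normal Port Mode FTP Data Channel Responses
#ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
#         -s $IPADDR 20 \
#         -d $ANYWHERE $UNPRIVPORTS -j ACCEPT
#ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \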
#         -s $ANYWHERE $UNPRIVPORTS \
#         -d $IPADDR 20 -j ACCEPT

# Passive Mode FTP Data Channel Responses
#ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
#         -s $ANYWHERE $UNPRIVPORTS \
#         -d $IPADDR $UNPRIVPORTS -j ACCEPT
#ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
#         -s $IPADDR $UNPRIVPORTS \
#         -d $ANYWHERE $UNPRIVPORTS -j ACCEPT

# --------------------------------------------------------------------
# HTTP (80) - Accessing Remote Web Sites as a Client
# --------------------------------------------------
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
         -s $IPADDR $UNPRIVPORTS \
         -d $ANYWHERE 80 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
         -s $ANYWHERE 80 \
         -d $IPADDR $UNPRIVPORTS -j ACCEPT

# HTTP (80) - Allowing Remote Access to a Local Web Server
# --------------------------------------------------------
#ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
#         -s $ANYWHERE $UNPRIVPORTS \
#         -d $IPADDR 80 -j ACCEPT
#ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
#         -s $IPADDR 80 \
#         -d $ANYWHERE $UNPRIVPORTS -j ACCEPT

# HTTPS (443) - Accessing Remote Web Sites Over SSL as a Client
# -------------------------------------------------------------
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
         -s $IPADDR $UNPRIVPORTS \
         -d $ANYWHERE 443 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
         -s $ANYWHERE 443 \
         -d $IPADDR $UNPRIVPORTS -j ACCEPT

# HTTPS (443) - Allowing Remote Access to a Local SSL Web Server
# --------------------------------------------------------------
#ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
#         -s $ANYWHERE $UNPRIVPORTS \
#         -d $IPADDR 443 -j ACCEPT
#ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
#         -s $IPADDR 443 \
#         -d $ANYWHERE $UNPRIVPORTS -j ACCEPT

# --------------------------------------------------------------------
# HTTP Proxy client (8008/8080)
# -----------------------------
#ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
#         -s $IPADDR $UNPRIVPORTS \
#         -d $WEB_PROXY_SERVER $WEB_PROXY_PORT -j ACCEPT
#ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
#         -s $WEB_PROXY_SERVER $WEB_PROXY_PORT \
#         -d $IPADDR $UNPRIVPORTS -j ACCEPT

# --------------------------------------------------------------------
# FINGER (79) - Accessing Remote finger Servers as a Client
# ---------------------------------------------------------
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
         -s $IPADDR $UNPRIVPORTS \
         -d $ANYWHERE 79 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
         -s $ANYWHERE 79 \
         -d $IPADDR $UNPRIVPORTS -j ACCEPT

# FINGER (79) - Allowing Remote Client Access to a Local finger Server
# --------------------------------------------------------------------
# Left disabled: a public finger server discloses account names.
# (<client-address> marks an address lost from the original text.)
#ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
#         -s <client-address> $UNPRIVPORTS \
#         -d $IPADDR 79 -j ACCEPT
#ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
#         -s $IPADDR 79 \
#         -d <client-address> $UNPRIVPORTS -j ACCEPT

# --------------------------------------------------------------------
# WHOIS client (43)
# -----------------
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
         -s $IPADDR $UNPRIVPORTS \
         -d $ANYWHERE 43 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
         -s $ANYWHERE 43 \
         -d $IPADDR $UNPRIVPORTS -j ACCEPT

# --------------------------------------------------------------------
# Gopher client (70)
# ------------------
#ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
#         -s $IPADDR $UNPRIVPORTS \
#         -d $ANYWHERE 70 -j ACCEPT
#ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
#         -s $ANYWHERE 70 \
#         -d $IPADDR $UNPRIVPORTS -j ACCEPT

# --------------------------------------------------------------------
# WAIS client (210)
# -----------------
#ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
#         -s $IPADDR $UNPRIVPORTS \
#         -d $ANYWHERE 210 -j ACCEPT
#ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
#         -s $ANYWHERE 210 \
#         -d $IPADDR $UNPRIVPORTS -j ACCEPT

# --------------------------------------------------------------------
# UDP accept only on selected ports

# TRACEROUTE
# traceroute usually uses -S 32769:65535 -D 33434:33523
# -----------------------------------------------------

# Enabling Outgoing traceroute Requests
# -------------------------------------
# (Outgoing probes only; the ICMP section already accepts the
# time-exceeded and unreachable replies.)
#ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
#         -s $IPADDR $TRACEROUTE_SRC_PORTS \
#         -d $ANYWHERE $TRACEROUTE_DEST_PORTS -j ACCEPT

# incoming query from the ISP.
# All others are denied by default.
# ---------------------------------
#ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
#         -s $MY_ISP 32769:65535 \
#         -d $IPADDR 33434:33523 -j ACCEPT

# --------------------------------------------------------------------
# DHCP client (67, 68)
# --------------------
# DHCP has to work before we have an address, so the first rules
# necessarily accept broadcasts from any source; only the later
# unicast rules can be pinned to $DHCP_SERVER.

# INIT or REBINDING: No lease or Lease time expired.
ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
         -s $BROADCAST_SRC 68 \
         -d $BROADCAST_DEST 67 -j ACCEPT

# Getting renumbered
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
         -s $BROADCAST_SRC 67 \
         -d $BROADCAST_DEST 68 -j ACCEPT

ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
         -s $DHCP_SERVER 67 \
         -d $BROADCAST_DEST 68 -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
         -s $BROADCAST_SRC 68 \
         -d $DHCP_SERVER 67 -j ACCEPT

# As a result of the above, we're supposed to change our IP
# address with this message, which is addressed to our new
# address before the dhcp client has received the update.
# The new address is unknown at rule-load time, so the destination
# here is the whole $MY_ISP range; this is as narrow as a stateless
# filter can make it.
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
         -s $DHCP_SERVER 67 \
         -d $MY_ISP 68 -j ACCEPT

# Lease renewal once we have an address: unicast in both directions.
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
         -s $DHCP_SERVER 67 \
         -d $IPADDR 68 -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
         -s $IPADDR 68 \
         -d $DHCP_SERVER 67 -j ACCEPT

# --------------------------------------------------------------------
# NTP (123) - Accessing Remote Network Time Servers
# -------------------------------------------------
# Three hard-coded time servers. The first pair is client mode
# (our unprivileged port -> 123); the other two use 123 -> 123, which
# ntpd needs for symmetric peering. Because these are UDP rules that
# trust the source address alone, a forged packet claiming one of
# these addresses reaches ntpd; keep the server list to hosts you
# actually configure in ntp.conf.
ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
         -s $IPADDR $UNPRIVPORTS \
         -d 192.43.244.18 123 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
         -s 192.43.244.18 123 \
         -d $IPADDR $UNPRIVPORTS -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
         -s $IPADDR 123 \
         -d 192.5.41.4 123 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
         -s 192.5.41.4 123 \
         -d $IPADDR 123 -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
         -s $IPADDR 123 \
         -d 128.102.16.2 123 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
         -s 128.102.16.2 123 \
         -d $IPADDR 123 -j ACCEPT

# --------------------------------------------------------------------
# RealAudio / QuickTime client
# ----------------------------
# RTSP control channel (554): ordinary TCP client rule pair.
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
         -s $ANYWHERE 554 \
         -d $IPADDR $UNPRIVPORTS -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
         -s $IPADDR $UNPRIVPORTS \
         -d $ANYWHERE 554 -j ACCEPT

# TCP is a more secure method: 7070:7071
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
         -s $ANYWHERE 7070:7071 \
         -d $IPADDR $UNPRIVPORTS -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
         -s $IPADDR $UNPRIVPORTS \
         -d $ANYWHERE 7070:7071 -j ACCEPT

# UDP is the preferred method: 6970:6999
# For LAN machines, UDP requires the RealAudio masquerading module and
# the ipmasqadm third-party software.
# The incoming UDP rule accepts from any host and any unprivileged
# source port into 6970:6999; the stream is unauthenticated at this
# layer, so disable this pair if RealAudio is not in use.
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
         -s $ANYWHERE $UNPRIVPORTS \
         -d $IPADDR 6970:6999 -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
         -s $IPADDR 6970:6999 \
         -d $ANYWHERE $UNPRIVPORTS -j ACCEPT

# --------------------------------------------------------------------
# ICQ client (4000)
# -----------------
# Note the TCP range is 2000:4000, not just 4000: this opens outgoing
# connections to two thousand ports on any host and accepts the
# replies. Outgoing SYNs to the OpenWindows port (2000) are still
# rejected by the earlier UNPRIVILEGED PORTS rule because it comes
# first. Remove this section if ICQ is not used.
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
         -s $IPADDR $UNPRIVPORTS \
         -d $ANYWHERE 2000:4000 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
         -s $ANYWHERE 2000:4000 \
         -d $IPADDR $UNPRIVPORTS -j ACCEPT

ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
         -s $ANYWHERE 4000 \
         -d $IPADDR $UNPRIVPORTS -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
         -s $IPADDR $UNPRIVPORTS \
         -d $ANYWHERE 4000 -j ACCEPT

# ----------------------------------------------------------------------------

# ------------------------------------------------------------------
# Unlimited traffic within the local network.
# All internal machines have access to the firewall machine.
# Only packets whose source is inside $LAN_1 are accepted on the LAN
# interface, so a LAN host forging an outside address is still
# dropped by the input policy.
ipchains -A input -i $LAN_INTERFACE_1 \
         -s $LAN_1 -j ACCEPT
ipchains -A output -i $LAN_INTERFACE_1 \
         -d $LAN_1 -j ACCEPT

# --------------------------------------------------------------------
# Masquerade internal traffic.
# All internal traffic is masqueraded externally.
# Nothing else is forwarded: the forward chain policy set at the top
# is REJECT, so this single MASQ rule is the only path off the LAN.
ipchains -A forward -i $EXTERNAL_INTERFACE -s $LAN_1 -j MASQ

# --------------------------------------------------------------------
echo "done"
exit 0