#!/bin/bash
# chkconfig: 2345 09 99
# description: firewall script for 2.2.x kernel
#
# LEGAL INFO:
# This file distributed without warranty of any sort... Hopefully it will
# prove useful, but who knows?!? :-)
# Feel free to do what you will with it!
#
# NOTES
# Since this uses ipchains, it's for kernel versions 2.1.x or 2.2.x. There
# should be an ipfwadm version (for 2.0.x kernels) available where you got
# this one... try http://LinuxSIG.org/files/
# This firewall should work for most home routers. It should work for dial-up
# or cable modem setups. It works with the RedHat distributed kernels. If
# you re-compile and change the wrong kernel settings, it might break or it
# might work better... It is fairly restrictive, but most home nets don't
# need to offer much to the outside world. It could be tightened up with more
# information and customization. Remember, security is built in layers and a
# firewall is a good start. Good passwords also help. If you want to access
# the machine from outside (over the Internet) consider using an encrypted
# tool like ssh rather than telnet (since telnet sends clear-text passwords).
# Be careful about offering public services like web or (especially) ftp
# servers. Don't unless you must, and if you must - read the docs!!! I've
# tried to provide many comments to make sense of what's going on. Please
# read the ipchains man page.
# enjoy - Anthony Ball
#
# RELEASE NOTES
# Be sure to check back for updates occasionally!
# 20 July, 1999 ---> initial writing
#
# INSTALLATION:
# 1. This file is planned for a RedHat system. It would work
# on other distros with perhaps no modification, but again...
# Who knows?!!? These instructions apply to RedHat systems.
#
# 2. place this file in /etc/rc.d/init.d (you'll have to be root..)
# call it something like "firewall" :-)
# make it root owned --> "chown root.root firewall"
# make it executable --> "chmod 755 firewall" (700 is fine too - nothing but root needs to read it)
#
# 3. 
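# set the values for your network, internal interface, and DNS servers
# uncomment lines further down to enable optional in-bound services
# make sure "eth0" is your internal NIC (or change the value below)
# test it --> "/etc/rc.d/init.d/firewall start"
# you can list the rules --> "ipchains -L -n"
# fix anything that broke... :-)
#
# 4. add the firewall to the RH init structure --> "chkconfig --add firewall"
# next time the router boots, things should happen automagically!
# sleep better at night knowing you are *LESS* vulnerable than before...
#
################################################
# Fill in the values below to match your
# local network.
LOCALNET=10.0.0.0/24
INTERNALIF=eth0
# your dns servers
DNS1=xxx.xxx.xxx.xxx
DNS2=xxx.xxx.xxx.xxx
#
################################################

# "stop" deliberately leaves the rules in place: flushing them would leave the
# router wide open (the kernel's built-in chain policy is ACCEPT).  So, do we
# really want to take the firewall down?  No.
if [ "$1" = "stop" ]; then
    exit 0
fi

# Warn early if the DNS placeholders above were never filled in.  The script
# still runs (the default policy is set to DENY before any rule is added, so
# this fails closed), but ipchains will reject the two DNS accept rules and
# lookups from the router itself will be blocked.
case "$DNS1$DNS2" in
    *xxx*)
        echo "WARNING: DNS1/DNS2 in $0 are still placeholders - DNS replies to the router will be denied" >&2
        ;;
esac

echo -n "Building firewall: ..."

# Insert the active ftp module. This will allow non-passive ftp to machines on
# the local network (but not to the router since it is not masq'd)
if ! /sbin/lsmod | /bin/grep -q masq_ftp; then
    echo -n "ftp module..."
    /sbin/insmod ip_masq_ftp
fi

# set up kernel to handle dynamic IP masquerading
echo 7 > /proc/sys/net/ipv4/ip_dynaddr

# turn on Source Address Verification and get spoof protection on all current
# and future interfaces.
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
    for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
        echo 1 > "$f"
    done
else
    echo
    echo PROBLEMS SETTING UP IP SPOOFING PROTECTION. BE WORRIED.
    echo "CONTROL-D will exit from this shell and continue system startup."
    echo
    # Start a single user shell on the console.  $CONSOLE is left unquoted on
    # purpose: when it is unset, sulogin must receive no argument at all.
    /sbin/sulogin $CONSOLE
fi

# More kernel-level hardening in the same spirit as rp_filter.  Each knob is
# checked for existence first, so a kernel built without it is simply skipped:
#   accept_redirects=0            ignore ICMP redirects (they can re-route our traffic)
#   accept_source_route=0         drop source-routed packets (classic spoofing/bypass trick)
#   log_martians=1                log packets with impossible addresses to /var/log/messages
#   icmp_echo_ignore_broadcasts=1 don't answer broadcast pings (smurf amplification)
#   tcp_syncookies=1              survive SYN floods (only present if compiled in)
for knob in accept_redirects accept_source_route; do
    for f in /proc/sys/net/ipv4/conf/*/$knob; do
        [ -e "$f" ] && echo 0 > "$f"
    done
done
for f in /proc/sys/net/ipv4/conf/*/log_martians; do
    [ -e "$f" ] && echo 1 > "$f"
done
for f in /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts /proc/sys/net/ipv4/tcp_syncookies; do
    [ -e "$f" ] && echo 1 > "$f"
done

# some handy generic values to use
ANY=0.0.0.0/0
ALLONES=255.255.255.255

#
# Setup the incoming packets firewall.
#
echo -n "inbound..."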
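# set default policy to deny.  This is done BEFORE the flush so the chain never
# passes through an accept-everything state while it is being rebuilt.
/sbin/ipchains -P input DENY
# flush the list
/sbin/ipchains -F input

# allow all packets on the loopback interface
/sbin/ipchains -A input -i lo -j ACCEPT

# allow all packets from the internal "trusted" interface
# (the second rule admits broadcasts such as DHCP requests, which carry a
# 0.0.0.0 source and therefore do not match $LOCALNET)
/sbin/ipchains -A input -i $INTERNALIF -s $LOCALNET -d $ANY -j ACCEPT
/sbin/ipchains -A input -i $INTERNALIF -d $ALLONES -j ACCEPT

# uncomment the following if you use diald (it uses SLIP)
# /sbin/ipchains -A input -i sl0 -j ACCEPT

# anti-spoofing: anything that gets this far arrived on a non-trusted
# interface, so a loopback or $LOCALNET source address is forged.  rp_filter
# (set above) should already drop these; this is the second layer, and it logs.
/sbin/ipchains -A input -s 127.0.0.0/8 -l -j DENY
/sbin/ipchains -A input -s $LOCALNET -l -j DENY

# deny bcasts on remaining interfaces
/sbin/ipchains -A input -d 0.0.0.0 -j DENY
/sbin/ipchains -A input -d 255.255.255.255 -j DENY

# allow ICMP - but only the types a router and its masqueraded clients need:
# replies to our pings, error reports (unreachable/PMTU, time-exceeded for
# traceroute, parameter-problem, source-quench) and inbound pings.  Redirects
# are dropped quietly (an upstream router may legitimately send them and they
# would fill the log); everything else (router-advertisement, timestamp,
# address-mask, ...) falls through to the logging DENY at the end.  Remove the
# echo-request line if you don't want the router to answer pings.
/sbin/ipchains -A input -p icmp --icmp-type echo-reply -j ACCEPT
/sbin/ipchains -A input -p icmp --icmp-type destination-unreachable -j ACCEPT
/sbin/ipchains -A input -p icmp --icmp-type source-quench -j ACCEPT
/sbin/ipchains -A input -p icmp --icmp-type echo-request -j ACCEPT
/sbin/ipchains -A input -p icmp --icmp-type time-exceeded -j ACCEPT
/sbin/ipchains -A input -p icmp --icmp-type parameter-problem -j ACCEPT
/sbin/ipchains -A input -p icmp --icmp-type redirect -j DENY

# allow established TCP connections
# NOTE: ipchains has no connection tracking.  "! -y" only means "not a pure
# connection-opening SYN", so ANY other TCP segment from anywhere is admitted
# - ACK/FIN/Xmas port scans included.  It is still the best a 2.2 kernel can
# do; real stateful filtering needs iptables on 2.4.
/sbin/ipchains -A input -p tcp ! -y -j ACCEPT

# allow lookups to/from DNS servers to router
# (matches UDP replies FROM port 53 on our resolvers to any port >= 1023.
# Being stateless it also admits anything that spoofs that source, so keep
# this to the two servers you actually use.)
/sbin/ipchains -A input -p udp -s $DNS1 domain -d $ANY 1023: -j ACCEPT
/sbin/ipchains -A input -p udp -s $DNS2 domain -d $ANY 1023: -j ACCEPT
# or (BETTER IDEA) run a caching DNS server on the router and use the following
# two lines instead...
# /sbin/ipchains -A input -p udp -s $DNS1 domain -d $ANY domain -j ACCEPT
# /sbin/ipchains -A input -p udp -s $DNS2 domain -d $ANY domain -j ACCEPT

# allow auth in for sending mail or doing ftp
# (remote mail/ftp servers probe port 113; letting the probe in means they get
# an immediate answer - a RST if no identd runs - instead of a slow timeout)
/sbin/ipchains -A input -p tcp -d $ANY auth -j ACCEPT

# allow ports in for masquerading
# (the 2.2 masquerading code rewrites source ports into this range, so replies
# for internal hosts come back to it.  It is open to the whole world: never
# run a service on the router that binds a port in 61000-65095.)
/sbin/ipchains -A input -p tcp -d $ANY 61000:65096 -j ACCEPT
/sbin/ipchains -A input -p udp -d $ANY 61000:65096 -j ACCEPT

# uncomment the following to allow ssh in
# (better still, limit the source if you know it, e.g. add "-s your.office.net/24")
# /sbin/ipchains -A input -p tcp -d $ANY 22 -j ACCEPT

# uncomment the following to allow telnet in (BAD IDEA!!)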
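# /sbin/ipchains -A input -p tcp -d $ANY telnet -j ACCEPT

# uncomment to allow NTP (network time protocol) to router
# /sbin/ipchains -A input -p udp -d $ANY ntp -j ACCEPT

# uncomment to allow SMTP in (don't need for mail clients - only a server)
# /sbin/ipchains -A input -p tcp -d $ANY smtp -j ACCEPT

# uncomment to allow HTTP in (only if you run a web server on the router)
# /sbin/ipchains -A input -p tcp -d $ANY http -j ACCEPT

# deny these without logging 'cause there tend to be a lot...
# (they would be denied either way by the final rule; this just keeps the
# noise out of /var/log/messages)
/sbin/ipchains -A input -p udp -d $ANY 137 -j DENY   # NetBIOS over IP
/sbin/ipchains -A input -p tcp -d $ANY 137 -j DENY   # ""
/sbin/ipchains -A input -p udp -d $ANY 138 -j DENY   # ""
/sbin/ipchains -A input -p tcp -d $ANY 138 -j DENY   # ""
/sbin/ipchains -A input -p tcp -d $ANY 139 -j DENY   # "" (SMB session - scanned just as often)
/sbin/ipchains -A input -p udp -d $ANY 67 -j DENY    # bootp
/sbin/ipchains -A input -p udp -d $ANY 68 -j DENY    # ""
# Multicast: the whole 224.0.0.0/4 block, and it is the DESTINATION that is
# multicast (routing chatter to 224.0.0.x and the like); a multicast source
# address is always bogus.  The old "-s 224.0.0.0/8" matched only the bogus
# source case and let real multicast noise reach the logging DENY below.
/sbin/ipchains -A input -d 224.0.0.0/4 -j DENY
/sbin/ipchains -A input -s 224.0.0.0/4 -j DENY

# deny other packets and log them to /var/log/messages
/sbin/ipchains -A input -l -j DENY

#
# Setup the forwarding firewall.
#
echo -n "forwarding..."

# set default forwarding policy to DENY (before the flush, so there is no
# forward-everything window while the chain is rebuilt)
/sbin/ipchains -P forward DENY
# flush the list
/sbin/ipchains -F forward

# masquerade packets forwarded from internal network.  Forwarded packets have
# already passed the input chain above, and rp_filter rejects $LOCALNET sources
# arriving on the wrong interface, so no interface match is needed here.  Do
# NOT add "-i $INTERNALIF": in the forward chain ipchains' -i names the
# OUTGOING interface (see the ipchains man page), which would be wrong here.
/sbin/ipchains -A forward -s $LOCALNET -d $ANY -j MASQ

echo "done."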