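#!/bin/sh
#
# firewall This script sets up firewall rules.
#
# chkconfig: 2345 09 91
# description: Sets up or removes firewall rules.
#
# Firewall rules for a firewall between a private internal network and the
# Internet.
#
# Copyright (C) 2000 Roaring Penguin Software Inc. This software may
# be distributed under the terms of the GNU General Public License, version
# 2 or any later version.
#
# Usage: firewall {start|stop}
#
# Globals (edit to match the host):
#   EXTIF    - interface facing the Internet
#   INTERNAL - internal network in CIDR form (delete it and every
#              "forward" rule on a stand-alone machine)
#   ANY      - wildcard address used in match rules

# Interface to Internet
EXTIF=ppp0

# Internal network address. For stand-alone machines, delete this and
# all the "forward" rules.
INTERNAL=192.168.2.0/24

# Wildcard address
ANY=0.0.0.0/0

# Source function library. THIS WORKS ONLY ON RED HAT-LIKE SYSTEMS.
# Provides echo_success, used below.

. /etc/rc.d/init.d/functions

### For details, see the man page ipchains(1) and
### /usr/share/doc/HOWTO/IPCHAINS-HOWTO -- David.

#######################################
# Reset every chain to its base state: input and output default to
# ACCEPT, forward defaults to DENY, and all rules are flushed.
# Shared by "start" and "stop" so the two branches cannot drift apart.
# Globals:   none
# Arguments: none
#######################################
reset_chains() {
  ipchains -P input ACCEPT
  ipchains -P output ACCEPT
  ipchains -P forward DENY

  ipchains -F forward
  ipchains -F input
  ipchains -F output
}

#######################################
# Write the kernel's IPv4 forwarding switch.
# Arguments: $1 - "0" to disable forwarding, "1" to enable it
#######################################
set_forwarding() {
  echo "$1" > /proc/sys/net/ipv4/ip_forward
}

case "$1" in
start)
  # printf instead of 'echo -n': '-n' is not portable under #!/bin/sh.
  printf '%s' "Setting up firewall rules"

  # Set default policies and clear all rules BEFORE forwarding is enabled,
  # so there is no window in which packets are forwarded under whatever
  # policy and rules the forward chain held before this script ran.
  reset_chains

  # Turn on forwarding now (this silences warnings while the MASQ rules
  # below are added); the forward policy is already DENY at this point.
  set_forwarding 1

  ### Spoof protection: Drop obviously suspect packets ###

  # Drop packets claiming to be from unroutable addresses
  ipchains -A input -l -s 10.0.0.0/8 -i "$EXTIF" -j DENY
  ipchains -A input -l -s 172.16.0.0/12 -i "$EXTIF" -j DENY
  ipchains -A input -l -s 192.168.0.0/16 -i "$EXTIF" -j DENY

  # Drop packets wanting to go to unroutable addresses
  ipchains -A input -l -d 10.0.0.0/8 -i "$EXTIF" -j DENY
  ipchains -A input -l -d 172.16.0.0/12 -i "$EXTIF" -j DENY
  ipchains -A input -l -d 192.168.0.0/16 -i "$EXTIF" -j DENY

  ### External access to services on this machine ###

  # Reject identd packets without logging
  ipchains -A input -i "$EXTIF" -p tcp -d "$ANY" 113 -j REJECT

  # Allow access to sendmail -- log connection attempts
  #ipchains -A input -l -i "$EXTIF" -p tcp -d "$ANY" 25 -y -j ACCEPT
  #ipchains -A input -i "$EXTIF" -p tcp -d "$ANY" 25 -j ACCEPT

  # Allow access to ssh -- we run ssh on port 23 because of
  # a stupid client firewall at one place we work.
  #ipchains -A input -l -i "$EXTIF" -p tcp -d "$ANY" 23 -y -j ACCEPT
  #ipchains -A input -i "$EXTIF" -p tcp -d "$ANY" 23 -j ACCEPT

  # Deny all other TCP connection attempts (SYN, via -y) on the external
  # interface, and log them.
  ipchains -A input -l -i "$EXTIF" -p tcp -y -j DENY

  # Deny TCP and UDP packets to privileged ports
  ipchains -A input -l -i "$EXTIF" -d "$ANY" 0:1023 -p udp -j DENY
  ipchains -A input -l -i "$EXTIF" -d "$ANY" 0:1023 -p tcp -j DENY

  ### FORWARD rules only apply if you have an internal LAN gatewaying
  ### through this computer.
  # Allow DNS queries
  ipchains -A forward -s "$INTERNAL" 1024: -d "$ANY" 53 -p udp -j MASQ

  # Allow internal users to browse web (http and https)
  ipchains -A forward -s "$INTERNAL" 1024: -d "$ANY" 80 -p tcp -b -j MASQ
  ipchains -A forward -s "$INTERNAL" 1024: -d "$ANY" 443 -p tcp -b -j MASQ

  # Allow internal users to read news
  ipchains -A forward -s "$INTERNAL" 1024: -d "$ANY" 119 -p tcp -b -j MASQ

  # Allow internal users to access SMTP, POP and IMAP services on mail server
  ipchains -A forward -s "$INTERNAL" 1024: -d "$ANY" 25 -p tcp -b -j MASQ
  ipchains -A forward -s "$INTERNAL" 1024: -d "$ANY" 110 -p tcp -b -j MASQ
  ipchains -A forward -s "$INTERNAL" 1024: -d "$ANY" 143 -p tcp -b -j MASQ

  # Allow internal users to access external FTP servers
  ipchains -A forward -s "$INTERNAL" 1024: -d "$ANY" 21 -p tcp -b -j MASQ

  # Allow internal users to access external Telnet and SSH servers
  ipchains -A forward -s "$INTERNAL" 1024: -d "$ANY" 22 -p tcp -b -j MASQ
  ipchains -A forward -s "$INTERNAL" 1024: -d "$ANY" 23 -p tcp -b -j MASQ

  # Allow unprivileged ports --> unprivileged ports for passive FTP
  ipchains -A forward -s "$INTERNAL" 1024: -d "$ANY" 1024: -p tcp -b -j MASQ

  # A catch-all rule for logging purposes
  ipchains -A forward -s "$ANY" -d "$ANY" -l -j DENY

  echo_success
  echo ""
  ;;

stop)
  printf '%s' "Shutting down firewall rules"
  # Turn off forwarding first, then drop the rules.
  set_forwarding 0

  # Set default policies; clear all rules
  reset_chains
  echo_success
  echo ""
  ;;

*)
  # Usage errors are diagnostics: send them to stderr.
  echo "Usage: firewall {start|stop}" >&2
  exit 1
esac

exit 0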
