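#!/bin/sh
#
# firewall      This script sets up firewall rules.
#
# chkconfig: 2345 09 91
# description: Sets up or removes firewall rules.
#
# Firewall rules for a firewall between a private internal network and the
# Internet.
#
# Copyright (C) 2000 Roaring Penguin Software Inc.  This software may
# be distributed under the terms of the GNU General Public License, version
# 2 or any later version.
#
# Usage: firewall {start|stop}
#
# "start" closes the forward chain (policy DENY), flushes stale rules,
# installs the rule set below and only then enables IP forwarding for
# good.  Every ipchains call is checked: if a rule cannot be installed
# (missing binary, bad syntax, kernel without ipchains) the script aborts
# with a non-zero status instead of printing a success marker, so a
# partially loaded rule set is never reported as a working firewall.
# "stop" disables forwarding, resets the default policies and flushes
# every chain.

# Interface to Internet
EXTIF=ppp0

# Internal network address.  For stand-alone machines, delete this and
# all the "forward" rules.
INTERNAL=192.168.2.0/24

# Wildcard address
ANY=0.0.0.0/0

# Source function library.  THIS WORKS ONLY ON RED HAT-LIKE SYSTEMS.
. /etc/rc.d/init.d/functions

### For details, see the man page ipchains(1) and
### /usr/share/doc/HOWTO/IPCHAINS-HOWTO -- David.

# Print a diagnostic on stderr and exit non-zero.  The leading blank echo
# terminates the "Setting up ..." progress line started with 'echo -n'.
die() {
    echo ""
    echo "firewall: $*" >&2
    exit 1
}

# Run one ipchains command; abort the whole script if it fails, so a
# rejected rule can never be followed by echo_success and 'exit 0'.
rule() {
    ipchains "$@" || die "failed: ipchains $*"
}

# Write 0 or 1 to the kernel's IPv4 forwarding switch; abort on failure.
set_forwarding() {
    echo "$1" > /proc/sys/net/ipv4/ip_forward || die "cannot set ip_forward=$1"
}

# Set default policies (forward chain closed) and clear all rules.
# Shared by "start" and "stop".
reset_chains() {
    rule -P input ACCEPT
    rule -P output ACCEPT
    rule -P forward DENY

    rule -F forward
    rule -F input
    rule -F output
}

case "$1" in
start)
    echo -n "Setting up firewall rules"

    # Close the forward chain and drop stale rules BEFORE forwarding is
    # touched, so whatever was loaded previously is never active while
    # forwarding is on.
    reset_chains

    # Turn on forwarding to silence warnings from the forward rules below.
    # The forward chain is already empty with policy DENY, so nothing is
    # actually forwarded until the MASQ rules have been installed.
    set_forwarding 1

    ### Spoof protection: Drop obviously suspect packets ###

    # Drop packets claiming to be from unroutable addresses.  The
    # 192.168.0.0/16 entry also covers our own $INTERNAL range, so a
    # packet pretending to come from the LAN cannot enter via $EXTIF.
    # 127.0.0.0/8 is loopback-only and must never arrive from the Internet.
    rule -A input -l -s 10.0.0.0/8     -i "$EXTIF" -j DENY
    rule -A input -l -s 172.16.0.0/12  -i "$EXTIF" -j DENY
    rule -A input -l -s 192.168.0.0/16 -i "$EXTIF" -j DENY
    rule -A input -l -s 127.0.0.0/8    -i "$EXTIF" -j DENY

    # Drop packets wanting to go to unroutable addresses
    rule -A input -l -d 10.0.0.0/8     -i "$EXTIF" -j DENY
    rule -A input -l -d 172.16.0.0/12  -i "$EXTIF" -j DENY
    rule -A input -l -d 192.168.0.0/16 -i "$EXTIF" -j DENY
    rule -A input -l -d 127.0.0.0/8    -i "$EXTIF" -j DENY

    ### External access to services on this machine ###

    # Reject identd packets without logging (REJECT answers immediately,
    # so remote mail/IRC servers do not stall waiting for an ident reply)
    rule -A input -i "$EXTIF" -p tcp -d "$ANY" 113 -j REJECT

    # Allow access to sendmail -- log connection attempts.
    # Uncomment both lines to enable (the -y rule logs the SYN only).
    #rule -A input -l -i "$EXTIF" -p tcp -d "$ANY" 25 -y -j ACCEPT
    #rule -A input -i "$EXTIF" -p tcp -d "$ANY" 25 -j ACCEPT

    # Allow access to ssh -- we run ssh on port 23 because of
    # a stupid client firewall at one place we work.
    #rule -A input -l -i "$EXTIF" -p tcp -d "$ANY" 23 -y -j ACCEPT
    #rule -A input -i "$EXTIF" -p tcp -d "$ANY" 23 -j ACCEPT

    # Deny (and log) all other TCP connection attempts on the external
    # interface.  Must come after the per-service ACCEPT rules above.
    rule -A input -l -i "$EXTIF" -p tcp -y -j DENY

    # Deny TCP and UDP packets to privileged ports
    rule -A input -l -i "$EXTIF" -d "$ANY" 0:1023 -p udp -j DENY
    rule -A input -l -i "$EXTIF" -d "$ANY" 0:1023 -p tcp -j DENY

    ### FORWARD rules only apply if you have an internal LAN gatewaying
    ### through this computer.  Every rule below masquerades traffic from
    ### unprivileged source ports on $INTERNAL to one service on the
    ### Internet; -b installs the reverse direction as well.

    # Allow DNS queries
    rule -A forward -s "$INTERNAL" 1024: -d "$ANY" 53 -p udp -j MASQ

    # Allow internal users to browse web (http and https)
    rule -A forward -s "$INTERNAL" 1024: -d "$ANY" 80  -p tcp -b -j MASQ
    rule -A forward -s "$INTERNAL" 1024: -d "$ANY" 443 -p tcp -b -j MASQ

    # Allow internal users to read news
    rule -A forward -s "$INTERNAL" 1024: -d "$ANY" 119 -p tcp -b -j MASQ

    # Allow internal users to access SMTP, POP and IMAP services on the
    # mail server
    rule -A forward -s "$INTERNAL" 1024: -d "$ANY" 25  -p tcp -b -j MASQ
    rule -A forward -s "$INTERNAL" 1024: -d "$ANY" 110 -p tcp -b -j MASQ
    rule -A forward -s "$INTERNAL" 1024: -d "$ANY" 143 -p tcp -b -j MASQ

    # Allow internal users to access external FTP servers
    rule -A forward -s "$INTERNAL" 1024: -d "$ANY" 21 -p tcp -b -j MASQ

    # Allow internal users to access external Telnet and SSH servers
    rule -A forward -s "$INTERNAL" 1024: -d "$ANY" 22 -p tcp -b -j MASQ
    rule -A forward -s "$INTERNAL" 1024: -d "$ANY" 23 -p tcp -b -j MASQ

    # Allow unprivileged ports --> unprivileged ports for passive FTP
    rule -A forward -s "$INTERNAL" 1024: -d "$ANY" 1024: -p tcp -b -j MASQ

    # A catch-all rule for logging purposes (the policy already DENYs;
    # this rule only adds the -l log entry)
    rule -A forward -s "$ANY" -d "$ANY" -l -j DENY

    # Turn on forwarding -- the full rule set is now in place
    set_forwarding 1

    echo_success
    echo ""
    ;;

stop)
    echo -n "Shutting down firewall rules"
    # Turn off forwarding first so nothing crosses while rules are removed
    set_forwarding 0

    # Reset default policies and clear all rules
    reset_chains
    echo_success
    echo ""
    ;;

*)
    echo "Usage: firewall {start|stop}" >&2
    exit 1
esac

exit 0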