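#!/bin/sh
#
# rc.firewall -- ipchains (Linux 2.2 era) packet filter and masquerading setup
#
# Run as root from init.  Flushes every chain, sets deny/reject default
# policies, hardens a few /proc/sys/net/ipv4 knobs, then appends the
# anti-spoofing, client-access and masquerading rules below.  Site-specific
# block rules are sourced from /etc/rc.d/rc.firewall.blocked when present.
#
# ipchains is always invoked through $IPCHAINS (an absolute path) so that
# the rule set does not depend on PATH when run from init, and every
# expansion is quoted.
#
echo "Starting firewalling... "
#----------------------------------------------------------
IPCHAINS="/sbin/ipchains" # absolute path; the original mixed bare and /sbin/ calls
EXTERNAL_INTERFACE="eth0" # Internet connection interface
LOOPBACK_INTERFACE="lo" # Loopback interface
CLIENT_LAN_INTERFACE="eth1" # Internal interface #1
IPADDR="192.156.234.253" # External IP address
CLIENT_LAN="172.20.0.0/16" # Internal Private class B
CLIENT_LAN_IPADDR="172.20.20.1" # Internal interface address
ANYWHERE="any/0" # match any IP address
LOOPBACK="127.0.0.0/8" # reserved loopback address range
CLASS_A="10.0.0.0/8" # class A private networks
CLASS_B="172.16.0.0/12" # class B private networks
CLASS_C="192.168.0.0/16" # class C private networks
CLASS_D_MULTICAST="224.0.0.0/4" # class D multicast addresses
CLASS_E_RESERVED_NET="240.0.0.0/5" # class E reserved addresses
BROADCAST_SRC="0.0.0.0" # broadcast source address
BROADCAST_DEST="255.255.255.255" # broadcast destination address
PRIVPORTS="0:1023" # Wellknown, privileged port range
UNPRIVPORTS="1024:65535" # unprivileged port range
TRACEROUTE_SRC_PORTS="32769:65535"
TRACEROUTE_DEST_PORTS="33434:33523"
#----------------------------------------------------------
# SSH starts at 1023 and works down to 513 for
# each additional simultaneous incoming connection.
SSH_PORTS="1020:1023" # (TCP) 4 simultaneous connections
#----------------------------------------------------------
# Flush everything
$IPCHAINS -F
# Set the default policy to deny.  Done before any ACCEPT rule so that a
# failure later in this script leaves the host closed rather than open.
$IPCHAINS -P input DENY
$IPCHAINS -P output REJECT
$IPCHAINS -P forward REJECT
# Set masquerade timeout to 10 hours for TCP connections.
$IPCHAINS -M -S 36000 0 0
# Disallow Fragmented Packets
$IPCHAINS -A input -f -i "$EXTERNAL_INTERFACE" -j DENY
# Enable TCP SYN Cookie Protection
echo 1 >/proc/sys/net/ipv4/tcp_syncookies
# Enable IP spoofing protection
# turn on source Address Verification
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
  [ -e "$f" ] || continue # an unmatched glob leaves the literal pattern behind
  echo 1 > "$f"
done
# Disable ICMP Redirect Acceptance
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
  [ -e "$f" ] || continue
  echo 0 > "$f"
done
# Disable source routed packets
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
  [ -e "$f" ] || continue
  echo 0 > "$f"
done
# these modules are necessary to masquerade their respective services.
/sbin/modprobe ip_masq_ftp.o
/sbin/modprobe ip_masq_raudio.o
#-----------------------------------------------------------------------
# LOOPBACK
echo "setting loopback"
$IPCHAINS -A input -i "$LOOPBACK_INTERFACE" -j ACCEPT
$IPCHAINS -A output -i "$LOOPBACK_INTERFACE" -j ACCEPT
# --------------------------------------------------------------------
# Refuse any connections from problem sites
# /etc/rc.d/rc.firewall.blocked contains a list of
# ipchains -A input -i $EXTERNAL_INTERFACE -s <address/mask> -j DENY
# rules to block all access.
# Refuse packets claiming to be from the banned list
# NOTE(review): the file is sourced as root, so anything written there is
# executed with full privilege; it should be root-owned and not group/world
# writable.
if [ -f /etc/rc.d/rc.firewall.blocked ]; then
  . /etc/rc.d/rc.firewall.blocked
fi
# --------------------------------------------------------------------
# SPOOFING & BAD ADDRESSES
# Refuse spoofed packets.
# Ignore blatantly illegal source addresses.
# Protect yourself from sending to bad addresses.
# Refuse spoofed packets pretending to be from
# the external interface's IP address
$IPCHAINS -A input -i "$EXTERNAL_INTERFACE" -s "$IPADDR" -j DENY -l
# Refuse packets claiming to be to or from a private network
# (RFC 1918 class A, B and C ranges, in that order).  Inbound hits are
# dropped silently; outbound ones are logged because they indicate a
# local misconfiguration.
for net in "$CLASS_A" "$CLASS_B" "$CLASS_C"; do
  $IPCHAINS -A input -i "$EXTERNAL_INTERFACE" -s "$net" -j DENY
  $IPCHAINS -A input -i "$EXTERNAL_INTERFACE" -d "$net" -j DENY
  $IPCHAINS -A output -i "$EXTERNAL_INTERFACE" -s "$net" -j DENY -l
  $IPCHAINS -A output -i "$EXTERNAL_INTERFACE" -d "$net" -j DENY -l
done
# Refuse packets claiming to be from the loopback interface
$IPCHAINS -A input -i "$EXTERNAL_INTERFACE" -s "$LOOPBACK" -j DENY
$IPCHAINS -A output -i "$EXTERNAL_INTERFACE" -s "$LOOPBACK" -j DENY -l
# Refuse malformed broadcast packets
$IPCHAINS -A input -i "$EXTERNAL_INTERFACE" -s "$BROADCAST_DEST" -j DENY -l
$IPCHAINS -A input -i "$EXTERNAL_INTERFACE" -d "$BROADCAST_SRC" -j DENY -l
$IPCHAINS -A output -i "$EXTERNAL_INTERFACE" -s "$BROADCAST_DEST" -j DENY -l
$IPCHAINS -A output -i "$EXTERNAL_INTERFACE" -d "$BROADCAST_SRC" -j DENY -l
# Refuse Class D multicast addresses
# Multicast is only illegal as a source address.
# Multicast uses UDP
$IPCHAINS -A input -i "$EXTERNAL_INTERFACE" -s "$CLASS_D_MULTICAST" \
  -j DENY -l
$IPCHAINS -A output -i "$EXTERNAL_INTERFACE" -s "$CLASS_D_MULTICAST" \
  -j REJECT -l
# Refuse Class E reserved IP addresses
$IPCHAINS -A input -i "$EXTERNAL_INTERFACE" -s "$CLASS_E_RESERVED_NET" \
  -j DENY -l
$IPCHAINS -A output -i "$EXTERNAL_INTERFACE" -d "$CLASS_E_RESERVED_NET" \
  -j REJECT
# Refuse addresses defined as reserved by the IANA.
# 0.*.*.*, 1.*.*.*, 2.*.*.*, 5.*.*.*, 7.*.*.*, 23.*.*.*, 27.*.*.*
# 31.*.*.*, 37.*.*.*, 39.*.*.*, 41.*.*.*, 42.*.*.*, 58-60.*.*.*
# NOTE(review): 0.*.*.* is listed above but has no rule below; only the
# single address in BROADCAST_SRC is refused.  This list reflects the
# allocation state at the time the script was written (ipchains era); most
# of these blocks have since been allocated, so re-check it before reuse
# or legitimate traffic will be dropped.
RESERVED_NETS="1.0.0.0/8 2.0.0.0/8 5.0.0.0/8 7.0.0.0/8 23.0.0.0/8 27.0.0.0/8"
RESERVED_NETS="$RESERVED_NETS 31.0.0.0/8 37.0.0.0/8 39.0.0.0/8 41.0.0.0/8"
RESERVED_NETS="$RESERVED_NETS 42.0.0.0/8 58.0.0.0/7 60.0.0.0/8"
# 65: 01000001 - /3 includes 64 - need 65-79 spelled out
RESERVED_NETS="$RESERVED_NETS 65.0.0.0/8 66.0.0.0/8 67.0.0.0/8 68.0.0.0/8"
RESERVED_NETS="$RESERVED_NETS 69.0.0.0/8 70.0.0.0/8 71.0.0.0/8 72.0.0.0/8"
RESERVED_NETS="$RESERVED_NETS 73.0.0.0/8 74.0.0.0/8 75.0.0.0/8 76.0.0.0/8"
RESERVED_NETS="$RESERVED_NETS 77.0.0.0/8 78.0.0.0/8 79.0.0.0/8"
# 80: 01010000 - /4 masks 80-95
RESERVED_NETS="$RESERVED_NETS 80.0.0.0/4"
# 96: 01100000 - /4 masks 96-111
RESERVED_NETS="$RESERVED_NETS 96.0.0.0/4"
# 126: 01111110 - /3 includes 127 - need 112-126 spelled out
RESERVED_NETS="$RESERVED_NETS 112.0.0.0/8 113.0.0.0/8 114.0.0.0/8 115.0.0.0/8"
RESERVED_NETS="$RESERVED_NETS 116.0.0.0/8 117.0.0.0/8 118.0.0.0/8 119.0.0.0/8"
RESERVED_NETS="$RESERVED_NETS 120.0.0.0/8 121.0.0.0/8 122.0.0.0/8 123.0.0.0/8"
RESERVED_NETS="$RESERVED_NETS 124.0.0.0/8 125.0.0.0/8 126.0.0.0/8"
# 217: 11011001 - /5 includes 216 - need 217-219 spelled out
RESERVED_NETS="$RESERVED_NETS 217.0.0.0/8 218.0.0.0/8 219.0.0.0/8"
# 223: 11011111 - /6 masks 220-223
RESERVED_NETS="$RESERVED_NETS 220.0.0.0/6"
# Word-splitting on $RESERVED_NETS is intentional: it is a constant,
# space-separated list with no globbing characters.
for net in $RESERVED_NETS; do
  $IPCHAINS -A input -i "$EXTERNAL_INTERFACE" -s "$net" -j DENY -l
done
#-----------------------------------------------------------------------
# ICMP
# allow outgoing pings to anywhere
#/sbin/ipchains -A output -i $EXTERNAL_INTERFACE -p icmp -s $IPADDR 8 -d $ANYWHERE -j ACCEPT -l
#/sbin/ipchains -A input -i $EXTERNAL_INTERFACE -p icmp -s $ANYWHERE 0 -d $IPADDR -j ACCEPT
#-----------------------------------------------------------------------
# TELNET (23) - Allowing Outgoing Client Access to Remote Sites
# NOTE(review): telnet carries credentials in clear text; keep this only
# while a legacy peer still needs it.
echo "Allow outbound Telnet"
$IPCHAINS -A output -i "$EXTERNAL_INTERFACE" -p tcp -s "$IPADDR" "$UNPRIVPORTS" -d "$ANYWHERE" 23 -j ACCEPT -l
$IPCHAINS -A input -i "$EXTERNAL_INTERFACE" -p tcp ! -y -s "$ANYWHERE" 23 -d "$IPADDR" "$UNPRIVPORTS" -j ACCEPT
#-----------------------------------------------------------------------
# SSH client (22) - Allowing Client Access to Remote SSH Servers
echo "Allow outbound SSH to remote servers"
$IPCHAINS -A output -i "$EXTERNAL_INTERFACE" -p tcp -s "$IPADDR" "$UNPRIVPORTS" -d "$ANYWHERE" 22 -j ACCEPT
$IPCHAINS -A input -i "$EXTERNAL_INTERFACE" -p tcp ! -y -s "$ANYWHERE" 22 -d "$IPADDR" "$UNPRIVPORTS" -j ACCEPT
$IPCHAINS -A output -i "$EXTERNAL_INTERFACE" -p tcp -s "$IPADDR" "$SSH_PORTS" -d "$ANYWHERE" 22 -j ACCEPT
$IPCHAINS -A input -i "$EXTERNAL_INTERFACE" -p tcp ! -y -s "$ANYWHERE" 22 -d "$IPADDR" "$SSH_PORTS" -j ACCEPT
#-----------------------------------------------------------------------
# FTP (20, 21) - Allowing outgoing Client Access to Remote FTP Servers
echo "Enable FTP"
$IPCHAINS -A output -i "$EXTERNAL_INTERFACE" -p tcp -s "$IPADDR" "$UNPRIVPORTS" -d "$ANYWHERE" 21 -j ACCEPT -l
$IPCHAINS -A input -i "$EXTERNAL_INTERFACE" -p tcp ! -y -s "$ANYWHERE" 21 -d "$IPADDR" "$UNPRIVPORTS" -j ACCEPT
# Normal Port Mode FTP Data Channels
# NOTE(review): ipchains is stateless, so this rule accepts new inbound
# connections (SYN included) from source port 20 to every unprivileged
# local port, not only to the one negotiated on the control channel.  Any
# local service listening above 1023 is reachable through it.
$IPCHAINS -A input -i "$EXTERNAL_INTERFACE" -p tcp -s "$ANYWHERE" 20 -d "$IPADDR" "$UNPRIVPORTS" -j ACCEPT -l
$IPCHAINS -A output -i "$EXTERNAL_INTERFACE" -p tcp ! -y -s "$IPADDR" "$UNPRIVPORTS" -d "$ANYWHERE" 20 -j ACCEPT
# Passive Mode FTP Data Channels
# NOTE(review): these two rules admit any non-SYN TCP segment between
# unprivileged ports in both directions; they are far broader than FTP.
$IPCHAINS -A output -i "$EXTERNAL_INTERFACE" -p tcp -s "$IPADDR" "$UNPRIVPORTS" -d "$ANYWHERE" "$UNPRIVPORTS" -j ACCEPT -l
$IPCHAINS -A input -i "$EXTERNAL_INTERFACE" -p tcp ! -y -s "$ANYWHERE" "$UNPRIVPORTS" -d "$IPADDR" "$UNPRIVPORTS" -j ACCEPT
#-----------------------------------------------------------------------
# HTTP (80) - accessing Remote Web Sites as a client
echo "Enable HTTP access to remote web sites"
$IPCHAINS -A output -i "$EXTERNAL_INTERFACE" -p tcp -s "$IPADDR" "$UNPRIVPORTS" -d "$ANYWHERE" 80 -j ACCEPT -l
$IPCHAINS -A input -i "$EXTERNAL_INTERFACE" -p tcp ! -y -s "$ANYWHERE" 80 -d "$IPADDR" "$UNPRIVPORTS" -j ACCEPT -l
#-----------------------------------------------------------------------
# HTTPS (443) - accessing Remote Web Sites over SSL as a client
$IPCHAINS -A output -i "$EXTERNAL_INTERFACE" -p tcp -s "$IPADDR" \
  "$UNPRIVPORTS" -d "$ANYWHERE" 443 -j ACCEPT
$IPCHAINS -A input -i "$EXTERNAL_INTERFACE" -p tcp ! -y -s "$ANYWHERE" \
  443 -d "$IPADDR" "$UNPRIVPORTS" -j ACCEPT
# ------------------------------------------------------------
# Unlimited traffic within the local network
# All internal machines have access to the firewall.
echo "Enable traffic to internal interface"
$IPCHAINS -A input -i "$CLIENT_LAN_INTERFACE" -s "$CLIENT_LAN" -j ACCEPT
$IPCHAINS -A output -i "$CLIENT_LAN_INTERFACE" -d "$CLIENT_LAN" -j ACCEPT
# ------------------------------------------------------------
## Outbound masquerading
# don't masq internal-internal traffic
#/sbin/ipchains -A forward -s 172.20.0.0/16 -d 172.20.0.0/16 -j ACCEPT
# masquerade all internal IP's going outside
echo "Turn on masquerading"
$IPCHAINS -A forward -i "$EXTERNAL_INTERFACE" -s "$CLIENT_LAN" -j MASQ
## Load Modules to handle special protocols
#/sbin/insmod ip_masq_ftp
## Deny everything else
#/sbin/ipchains -P my-chains input DENY
## Log anything which does not match the above rules
# (the forward policy set above then REJECTs it)
$IPCHAINS -A forward -l
# ------------------------------------------------------------
echo "done setting rules."
# Please read the disclaimer.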