[kernel] bug#109: firewall script using iptables
None
X-PA-RISC Linux-PR-Message: report 109
X-PA-RISC Linux-PR-Package: kernel
X-Loop: daniel_frazier@hp.com
Received: via spool by 109-bugs@bugs.parisc-linux.org id=B109.98765263318383
(code B ref 109); Thu, 19 Apr 2001 04:03:01 GMT
Date: Wed, 18 Apr 2001 21:51:04 -0600
From: Grant Grundler <grundler@puffin.external.hp.com>
Message-Id: <200104190351.VAA21420@puffin.external.hp.com>
To: 109@bugs.parisc-linux.org
#!/bin/bash
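add()
{
  # Install one filter-table rule idempotently: delete any identical rule
  # first, then append it, so re-running the script never duplicates rules.
  # Arguments: the iptables rule spec, e.g.  INPUT -i eth0 -j DROP
  # Outputs:   echoes the script name and the rule to stdout as a trace.
  # Returns:   the exit status of the final 'iptables -A'.
  printf '%s %s\n' "$(basename "$0")" "$*"
  # "$@" hands each argument through intact; the original unquoted $* was
  # re-split by the shell, which breaks any argument containing whitespace.
  # The delete is best effort: the rule may simply not exist yet, so its
  # failure is deliberately ignored.
  iptables -D "$@" >/dev/null 2>&1
  iptables -A "$@"
}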
#LOCAL_IP=puffin
# Site configuration.  Hostnames here (a500, clock.isc.org) are resolved by
# iptables at the moment each rule is added, so loading the rule set depends
# on name resolution working at that time.
LOCAL_IP="a500"                 # this host's own address/name
OUTSIDE_NET="0/0"               # "anywhere" -- used as the -d match for public services
OUTSIDE_IF="eth0"               # the interface facing the untrusted network
DNS_NET1="156.153.255.234"      # upstream resolvers allowed to reach the DNS port
DNS_NET2="156.153.255.202"
NTP_NET="clock.isc.org"         # the only NTP peer allowed in
PRIVATE_NET="192.168.0.20"      # trusted private-side address
firewall()
{
  # Rebuild the INPUT chain and a monitoring-only OUTPUT chain.
  # Globals:  LOCAL_IP OUTSIDE_NET OUTSIDE_IF DNS_NET1 DNS_NET2 NTP_NET
  #           PRIVATE_NET (all read)
  # Every rule goes through add(), in exactly this order -- the order IS the
  # policy, since the INPUT default policy stays ACCEPT and protection rests
  # on the LOG+DROP rules at the end of the chain.  Between the flush and the
  # last add() the host is therefore briefly open.
  local port host iface

  iptables -P INPUT ACCEPT
  iptables -P OUTPUT ACCEPT
  iptables -P FORWARD DROP
  iptables -F INPUT
  #add INPUT -i $OUTSIDE_IF

  # Anti-spoofing: packets arriving on the outside interface that claim to be
  # from ourselves are logged, then dropped.
  for host in localhost "$LOCAL_IP"; do
    add INPUT -i "$OUTSIDE_IF" -j LOG -s "$host"
    add INPUT -i "$OUTSIDE_IF" -j DROP -s "$host"
  done

  # Interfaces on private subnets are fully trusted.
  for iface in eth1 eth2 eth3; do
    add INPUT -i "$iface" -j ACCEPT
  done

  # Addresses trusted to do anything.
  for host in localhost "$LOCAL_IP" "$PRIVATE_NET"; do
    add INPUT -s "$host" -j ACCEPT
  done
  # MJT no longer exists
  #add INPUT -s puffinpa.external.hp.com -j ACCEPT

  ####################### TCP Section ###############################
  # New TCP connections accepted from anywhere: ssh, http, smtp, ident,
  # then the FTP control and data ports.
  for port in 22 http smtp ident ftp ftp-data; do
    add INPUT -j ACCEPT -p tcp --syn -d "$OUTSIDE_NET" --dport "$port"
  done
  # add INPUT -j ACCEPT -p tcp --syn -d $OUTSIDE_NET --dport cvs

  # Passive ftp: the server picks a high port for the data channel.
  # NOTE(review): these two rules accept any TCP segment to 1024-5999 and
  # 6010-65535 from any source -- no --syn and no state match -- so every
  # service listening on a high port is reachable from outside.  Connection
  # tracking (-m state --state ESTABLISHED,RELATED with the FTP helper)
  # would limit this to real FTP data channels.
  add INPUT -j ACCEPT -p tcp --dport 1024:5999
  add INPUT -j ACCEPT -p tcp --dport 6010:

  # DNS over TCP, only from the two upstream resolvers.
  for host in "$DNS_NET1" "$DNS_NET2"; do
    add INPUT -j ACCEPT -p tcp -d "$OUTSIDE_NET" -s "$host" --dport domain
  done
  # NTP time server
  add INPUT -j ACCEPT -p udp -d "$OUTSIDE_NET" -s "$NTP_NET" --dport ntp
  # MJT not using this server anymore
  #add INPUT -j ACCEPT -p udp -s finch.cc.ukans.edu --dport ntp -d $OUTSIDE_NET

  # Any other external connection attempt (SYN): log, then drop.
  add INPUT -s ! "$LOCAL_IP" -j LOG -p tcp --syn
  add INPUT -s ! "$LOCAL_IP" -j DROP -p tcp --syn
  # Non-SYN TCP from outside is let through.  There is no connection
  # tracking here, so any non-SYN segment qualifies, not just replies to
  # connections this host opened.
  add INPUT -s ! "$LOCAL_IP" -j ACCEPT -p tcp

  ####################### UDP Section ###############################
  # DNS over UDP, from the same two resolvers.
  for host in "$DNS_NET1" "$DNS_NET2"; do
    add INPUT -j ACCEPT -p udp -d "$OUTSIDE_NET" -s "$host" --dport domain
  done
  #add INPUT -j ACCEPT -p udp -d $OUTSIDE_NET -s $NTP_NET --dport ntp

  ####################### ICMP Section ###############################
  add INPUT -j ACCEPT -p icmp

  # NetBIOS name/datagram noise from Windows hosts: drop without logging.
  for port in 137 138; do
    add INPUT -p udp --dport "$port" -j DROP
  done
  # Misbehaving hosts: drop their UDP silently as well.
  for host in 192.6.38.18 192.6.38.19; do
    add INPUT -s "$host" -p udp -j DROP
  done

  # Catch-all: anything else not from the local network is logged and dropped.
  add INPUT -s ! "$LOCAL_IP" -j LOG
  add INPUT -s ! "$LOCAL_IP" -j DROP

  # OUTPUT rules carry no target: they exist only to count traffic.
  iptables -F OUTPUT
  for host in "$OUTSIDE_NET" localhost "$LOCAL_IP" "$PRIVATE_NET"; do
    add OUTPUT -s "$host"
  done
  # QOS (disabled)
  # add OUTPUT -p tcp --dport www -t 0x01 0x10
  # add OUTPUT -p tcp --dport telnet -t 0x01 0x10
  # add OUTPUT -p tcp --dport ftp -t 0x01 0x10
  # Set ftp-data for maximum throughput
  # add OUTPUT -p tcp --dport ftp-data -t 0x01 0x08
}
antispoof()
{
  # Turn on source address verification (reverse-path filtering) for every
  # interface the kernel currently exposes; the 'all' entry is meant to cover
  # interfaces that appear later.  A no-op on kernels without rp_filter.
  # Returns: 0 when the sysctl is absent, otherwise the status of the last write.
  local ctl
  [[ -e /proc/sys/net/ipv4/conf/all/rp_filter ]] || return 0
  for ctl in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo 1 > "$ctl"
  done
}
# added ipmasq() per http://linuxdocs.org/HOWTOs/IPTABLES-HOWTO-3.html#ss3.1
# - ggg
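ipmasq()
{
  # Enable IP forwarding and masquerade traffic leaving through $OUTSIDE_IF.
  # Globals:  OUTSIDE_IF (read)
  # Outputs:  a warning on stderr when the kernel exposes no ip_forward sysctl
  # Returns:  the exit status of the final iptables call
  # NOTE: firewall() sets the FORWARD policy to DROP, so nothing is actually
  # forwarded until FORWARD rules accepting the wanted traffic are added.
  # firewall() already DROP's everything
  #iptables -P FORWARD DROP
  if [[ -e /proc/sys/net/ipv4/ip_forward ]]; then
    echo 1 > /proc/sys/net/ipv4/ip_forward
  else
    # Diagnostics go to stderr so they do not mix with the rule trace.
    printf 'WARN: %s : ip_forward not configured in kernel?\n' "$0" >&2
  fi
  # Masquerading is a nat-table target (MASQUERADE on POSTROUTING), not a
  # filter-chain one.  The previous 'add FORWARD -i eth0 -j MASQ' used the
  # ipchains target name, which iptables does not know, and matched packets
  # arriving on eth0 rather than leaving through it.  add() only handles the
  # filter table, so the rule is installed directly, delete-then-append, in
  # the same idempotent fashion.
  iptables -t nat -D POSTROUTING -o "$OUTSIDE_IF" -j MASQUERADE >/dev/null 2>&1
  iptables -t nat -A POSTROUTING -o "$OUTSIDE_IF" -j MASQUERADE
}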
# Entry point: init-script style dispatch on the first argument.
case "$1" in
  start)
    printf '%s' "Starting firewall (iptables):"
    firewall
    printf '.\n'
    # Spoof protection and masquerading are currently disabled:
    # printf '%s' "Starting IP spoof protection:"; antispoof; printf '.\n'
    # printf '%s' "Starting IP Masquerading:"; ipmasq; printf '.\n'
    printf '.\n'
    ;;
  stop)
    # Open the firewall: accept-all policies, then flush every built-in chain.
    for chain in INPUT OUTPUT FORWARD; do
      iptables -P "$chain" ACCEPT
    done
    for chain in INPUT OUTPUT FORWARD; do
      iptables -F "$chain"
    done
    ;;
  restart)
    # Just re-run firewall(); it flushes and rebuilds INPUT and OUTPUT itself.
    firewall
    # antispoof
    # ipmasq
    ;;
  *)
    printf '%s\n' "Usage: /etc/init.d/firewall {start|stop|restart}"
    exit 1
    ;;
esac
exit 0