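#!/bin/bash
#
# functions - This file contains the functions used by rc.firewall
#
# Copyright (C) 2001 Curt Rebelein, Junior
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Library General Public
# License as published by the Free Software Foundation; either
# version 2 of the License, or (at your option) any later version.
#
# This library is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
# Library General Public License for more details.
#
# You should have received a copy of the GNU Library General Public
# License along with this library; if not, write to the
# Free Software Foundation, Inc., 59 Temple Place - Suite 330,
# Boston, MA 02111-1307, USA
#
# This file is sourced by rc.firewall, which is expected to define the
# configuration variables used below ($IPC, $EXTIF, $EXTIP, $INTIF, $INTIP,
# $INTNET, $LOIF, $LOIP, $ANYWHERE, $UNPRIVPORTS, the CLASS_* ranges, the
# server addresses, ...).  Single-valued variables are quoted so that a
# missing value produces a loud ipchains error instead of silently turning
# into a different (usually wider) rule.  Variables that hold whitespace
# separated lists ($NS, $SAFEEXT, $SAFEINT) are deliberately left unquoted
# where they are iterated.

####################################################
### function that applies the rules @ start time ###
####################################################

start() {
  flushchains       # let's get rid of the old stuff
  policies          # set up our policies
  loopbackrules     # rules for the lo interface
  refusenetworks    # spoof protection basically
  tosrules          # set up special TOS rules
  procrules         # get the proc files to our liking
  dnsrules
  icmprules
  #tracerouterules
  socksrules
  windowrules       # open and X windows stuff
  nfsrules
  authrules
  emailrules        # POP, SMTP, IMAP, etc...
  newsrules
  telnetrules
  sshrules
  ftprules
  #snmprules
  wwwrules
  proxyrules
  fingerrules
  whoisrules
  waisrules
  dhcprules
  #printrules
  #timerules
  #problemsites     # set up special rules for problem sites
  #transproxy       # set up special rules for transparent proxy
  lanaccess
  #hostrules        # this will allow host-to-host communication (needed for things like ICQ)
  ipmasq            # this is where we will do ipmasq stuff
  logrules          # want to log everything else?
} # end start

##############################
### functions for flushing ###
##############################

flushall() {
  # get rid of it all: open the default policies, then drop every rule
  flushpolicies
  flushchains
} # end flushall

flushpolicies() {
  # reset the default policies of the built-in chains to ACCEPT
  # (this leaves the host unprotected until policies() runs again)
  "$IPC" -P input ACCEPT
  "$IPC" -P output ACCEPT
  "$IPC" -P forward ACCEPT
} # end flushpolicies

flushchains() {
  # flush all rules, zero the counters and delete user made chains
  "$IPC" -F
  "$IPC" -Z
  "$IPC" -X
} # end flushchains

########################################
### functions that set up the chains ###
########################################

policies() {
  # set default policies: anything not explicitly allowed below is dropped
  "$IPC" -P input DENY
  "$IPC" -P output REJECT
  "$IPC" -P forward REJECT
} # end policies

loopbackrules() {
  # unlimited traffic for loopback
  "$IPC" -A input -i "$LOIF" -j ACCEPT
  "$IPC" -A output -i "$LOIF" -j ACCEPT
} # end loopbackrules

refusenetworks() {
  # refuse spoofed packets pretending to be from $EXTIP on $EXTIF
  "$IPC" -A input -i "$EXTIF" -s "$EXTIP" -j DENY -l

  # refuse spoofed packets pretending to be from $INTIP on $INTIF
  "$IPC" -A input -i "$INTIF" -s "$INTIP" -j DENY -l

  # refuse packets from (or claiming to be from) a class a private network
  # (the original file listed these four rules twice; the exact duplicates
  # were removed, which does not change what is filtered)
  "$IPC" -A input -s "$CLASS_A" -j DENY
  "$IPC" -A input -d "$CLASS_A" -j DENY
  "$IPC" -A output -s "$CLASS_A" -j DENY
  "$IPC" -A output -d "$CLASS_A" -j DENY

  # refuse packets from (or claiming to be from) a class b private network
  #"$IPC" -A input -s "$CLASS_B" -j DENY -l
  #"$IPC" -A input -d "$CLASS_B" -j DENY
  #"$IPC" -A output -s "$CLASS_B" -j DENY -l
  #"$IPC" -A output -d "$CLASS_B" -j DENY

  # refuse packets from (or claiming to be from) a class c private network
  #"$IPC" -A input -s "$CLASS_C" -j DENY
  #"$IPC" -A input -d "$CLASS_C" -j DENY
  #"$IPC" -A output -s "$CLASS_C" -j DENY
  #"$IPC" -A output -d "$CLASS_C" -j DENY
  # allow this on the internal interface for my internal LAN, so only
  # refuse class c private addresses on the external interface
  "$IPC" -A input -i "$EXTIF" -s "$CLASS_C" -j DENY
  "$IPC" -A input -i "$EXTIF" -d "$CLASS_C" -j DENY
  "$IPC" -A output -i "$EXTIF" -s "$CLASS_C" -j DENY
  "$IPC" -A output -i "$EXTIF" -d "$CLASS_C" -j DENY

  # refuse packets claiming to be from $LOIP
  # NOTE(review): the comment says "from" but both rules match -d (the
  # destination); a source check would need -s.  Left as found - confirm
  # the intent before changing it.
  "$IPC" -A input -d "$LOIP" -j DENY -l
  "$IPC" -A output -d "$LOIP" -j DENY

  # refuse malformed broadcast packets
  "$IPC" -A input -i "$EXTIF" -s "$BC_DEST" -j DENY
  #"$IPC" -A input -d "$BC_SRC" -j DENY

  # refuse class d multicast addresses
  "$IPC" -A input -s "$CLASS_D_MC" -j DENY -l
  "$IPC" -A output -s "$CLASS_D_MC" -j REJECT -l
  # deny outgoing class d multicast
  "$IPC" -A output -d "$CLASS_D_MC" -j REJECT -l
  # deny incoming class d multicast
  "$IPC" -A input -d "$CLASS_D_MC" -j REJECT -l

  # refuse class e reserved IP addresses
  "$IPC" -A input -s "$CLASS_E_RN" -j DENY -l

  # refuse IANA reserved addresses
  # CAUTION: this list reflects the address space that was unallocated in
  # 2001.  Most of these blocks have since been assigned, so leaving the
  # list as-is will drop legitimate traffic; refresh it before relying on it.
  "$IPC" -A input -s 1.0.0.0/8 -j DENY -l
  "$IPC" -A input -s 2.0.0.0/8 -j DENY -l
  "$IPC" -A input -s 5.0.0.0/8 -j DENY -l
  "$IPC" -A input -s 7.0.0.0/8 -j DENY -l
  "$IPC" -A input -s 23.0.0.0/8 -j DENY -l
  "$IPC" -A input -s 27.0.0.0/8 -j DENY -l
  "$IPC" -A input -s 31.0.0.0/8 -j DENY -l
  "$IPC" -A input -s 37.0.0.0/8 -j DENY -l
  "$IPC" -A input -s 39.0.0.0/8 -j DENY -l
  "$IPC" -A input -s 41.0.0.0/8 -j DENY -l
  "$IPC" -A input -s 42.0.0.0/8 -j DENY -l
  "$IPC" -A input -s 58.0.0.0/8 -j DENY -l
  "$IPC" -A input -s 59.0.0.0/8 -j DENY -l
  "$IPC" -A input -s 60.0.0.0/8 -j DENY -l
  "$IPC" -A input -s 67.0.0.0/8 -j DENY -l
  "$IPC" -A input -s 68.0.0.0/8 -j DENY -l
  "$IPC" -A input -s 69.0.0.0/8 -j DENY -l
  "$IPC" -A input -s 70.0.0.0/8 -j DENY -l
  "$IPC" -A input -s 71.0.0.0/8 -j DENY -l
  "$IPC" -A input -s 72.0.0.0/8 -j DENY -l
  "$IPC" -A input -s 73.0.0.0/8 -j DENY -l
  "$IPC" -A input -s 74.0.0.0/8 -j DENY -l
  "$IPC" -A input -s 75.0.0.0/8 -j DENY -l
  "$IPC" -A input -s 76.0.0.0/8 -j DENY -l
  "$IPC" -A input -s 77.0.0.0/8 -j DENY -l
  "$IPC" -A input -s 78.0.0.0/8 -j DENY -l
  "$IPC" -A input -s 79.0.0.0/8 -j DENY -l
  # /4 masks 80-95
  "$IPC" -A input -s 80.0.0.0/4 -j DENY -l
  # /4 masks 96-111
  "$IPC" -A input -s 96.0.0.0/4 -j DENY -l
  "$IPC" -A input -s 112.0.0.0/8 -j DENY -l
  "$IPC" -A input -s 113.0.0.0/8 -j DENY -l
  "$IPC" -A input -s 114.0.0.0/8 -j DENY -l
  "$IPC" -A input -s 115.0.0.0/8 -j DENY -l
  "$IPC" -A input -s 116.0.0.0/8 -j DENY -l
  "$IPC" -A input -s 117.0.0.0/8 -j DENY -l
  "$IPC" -A input -s 118.0.0.0/8 -j DENY -l
  "$IPC" -A input -s 119.0.0.0/8 -j DENY -l
  "$IPC" -A input -s 120.0.0.0/8 -j DENY -l
  "$IPC" -A input -s 121.0.0.0/8 -j DENY -l
  "$IPC" -A input -s 122.0.0.0/8 -j DENY -l
  "$IPC" -A input -s 123.0.0.0/8 -j DENY -l
  "$IPC" -A input -s 124.0.0.0/8 -j DENY -l
  "$IPC" -A input -s 125.0.0.0/8 -j DENY -l
  "$IPC" -A input -s 126.0.0.0/8 -j DENY -l
  "$IPC" -A input -s 197.0.0.0/8 -j DENY -l
  "$IPC" -A input -s 219.0.0.0/8 -j DENY -l
  # /6 masks 220-223
  "$IPC" -A input -s 220.0.0.0/6 -j DENY -l
} # end refusenetworks

tosrules() {
  # TOS name             Value
  # Minimum Delay        0x01 0x10
  # Maximum Throughput   0x01 0x08
  # Maximum Reliability  0x01 0x04
  # Maximum Cost         0x01 0x02

  # ssh and telnet get "minimum delay"
  "$IPC" -I output -p tcp -d "$ANYWHERE" 22 -t 0x01 0x10
  "$IPC" -I output -p tcp -d "$ANYWHERE" 23 -t 0x01 0x10

  # ftp gets "maximum throughput"
  "$IPC" -I output -p tcp -d "$ANYWHERE" 21 -t 0x01 0x08
} # end tosrules

procrules() {
  local f

  # enable SYN cookie protection
  # no such file???
  #echo 1 > /proc/sys/net/ipv4/tcp_syncookies

  # set up IP spoofing protection
  # turn on source address verification
  for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo 1 > "$f"
  done

  # enable ip_forward (required for the masquerading done in ipmasq())
  echo 1 > /proc/sys/net/ipv4/ip_forward
} # end procrules

dnsrules() {
  local LOOPHOST

  # allow dns lookups to $NS[1-3]
  # $NS is a whitespace separated list of servers; the split is intentional
  # shellcheck disable=SC2086
  for LOOPHOST in $NS; do
    # for the common udp lookups
    "$IPC" -A output -i "$EXTIF" -p udp -s "$EXTIP" "$UNPRIVPORTS" -d "$LOOPHOST" 53 -j ACCEPT
    "$IPC" -A input -i "$EXTIF" -p udp -s "$LOOPHOST" 53 -d "$EXTIP" "$UNPRIVPORTS" -j ACCEPT

    # for the rare tcp occasions
    "$IPC" -A output -i "$EXTIF" -p tcp -s "$EXTIP" "$UNPRIVPORTS" -d "$LOOPHOST" 53 -j ACCEPT
    "$IPC" -A input -i "$EXTIF" -p tcp ! -y -s "$LOOPHOST" 53 -d "$EXTIP" "$UNPRIVPORTS" -j ACCEPT
  done

  # we have a local dns server
  # (if this is done the above loop is not needed, obviously)
  "$IPC" -A output -i "$EXTIF" -p udp -s "$EXTIP" "$UNPRIVPORTS" -d "$ANYWHERE" 53 -j ACCEPT
  "$IPC" -A input -i "$EXTIF" -p udp -s "$ANYWHERE" 53 -d "$EXTIP" "$UNPRIVPORTS" -j ACCEPT
  "$IPC" -A output -i "$EXTIF" -p tcp -s "$EXTIP" "$UNPRIVPORTS" -d "$ANYWHERE" 53 -j ACCEPT
  "$IPC" -A input -i "$EXTIF" -p tcp -s "$ANYWHERE" 53 -d "$EXTIP" "$UNPRIVPORTS" -j ACCEPT
} # end dnsrules

icmprules() {
  local LOOPHOST

  # accept ICMP source quench (ICMP type 4)
  "$IPC" -A input -p icmp -s "$ANYWHERE" 4 -d "$EXTIP" -j ACCEPT
  "$IPC" -A output -p icmp -s "$ANYWHERE" 4 -d "$EXTIP" -j ACCEPT

  # accept ICMP parameter problem (ICMP type 12)
  "$IPC" -A input -p icmp -s "$EXTIP" 12 -d "$ANYWHERE" -j ACCEPT
  "$IPC" -A output -p icmp -s "$EXTIP" 12 -d "$ANYWHERE" -j ACCEPT

  # accept ICMP destination unreachable error (ICMP type 3)
  "$IPC" -A input -p icmp -s "$EXTIP" 3 -d "$ANYWHERE" -j ACCEPT
  "$IPC" -A output -p icmp -s "$EXTIP" 3 -d "$ANYWHERE" -j ACCEPT

  # accept ICMP time exceeded status (ICMP type 11)
  "$IPC" -A input -p icmp -s "$ANYWHERE" 11 -d "$EXTIP" -j ACCEPT
  "$IPC" -A output -p icmp -s "$EXTIP" 11 -d "$ANYWHERE" -j ACCEPT

  # allow ICMP ping from here (echo request out, echo reply back)
  "$IPC" -A output -p icmp -s "$EXTIP" 8 -d "$ANYWHERE" -j ACCEPT
  "$IPC" -A input -p icmp -s "$ANYWHERE" 0 -d "$EXTIP" -j ACCEPT

  # allow ping from $SAFEEXT (list, split intentionally)
  # shellcheck disable=SC2086
  for LOOPHOST in $SAFEEXT; do
    "$IPC" -A input -i "$EXTIF" -p icmp -s "$LOOPHOST" 8 -d "$EXTIP" -j ACCEPT
    "$IPC" -A output -i "$EXTIF" -p icmp -s "$EXTIP" 0 -d "$LOOPHOST" -j ACCEPT
  done

  # allow ping from $SAFEINT (list, split intentionally)
  # shellcheck disable=SC2086
  for LOOPHOST in $SAFEINT; do
    "$IPC" -A input -i "$INTIF" -p icmp -s "$LOOPHOST" 8 -d "$INTIP" -j ACCEPT
    "$IPC" -A output -i "$INTIF" -p icmp -s "$INTIP" 0 -d "$LOOPHOST" -j ACCEPT
  done

  # block smurf attack
  "$IPC" -A input -p icmp -d "$BC_DEST" -j DENY -l
  "$IPC" -A output -p icmp -d "$BC_DEST" -j REJECT -l

  # block smurf attack -- network mask
  "$IPC" -A input -p icmp -d "$EXTMASK" -j DENY -l
  "$IPC" -A output -p icmp -d "$EXTMASK" -j REJECT -l

  # block smurf attack -- network addresses
  "$IPC" -A input -p icmp -d "$EXTNET" -j DENY -l
  "$IPC" -A output -p icmp -d "$EXTNET" -j REJECT -l
} # end icmprules

tracerouterules() {
  local LOOPHOST

  # enable outgoing traceroute
  "$IPC" -A output -i "$EXTIF" -p udp -s "$EXTIP" 32769:65535 -d "$ANYWHERE" 33434:33523 -j ACCEPT

  # allow incoming traceroute from $SAFEEXT (list, split intentionally)
  # shellcheck disable=SC2086
  for LOOPHOST in $SAFEEXT; do
    "$IPC" -A input -i "$EXTIF" -p udp -s "$LOOPHOST" 32769:65535 -d "$EXTIP" 33434:33523 -j ACCEPT
  done
} # end tracerouterules

socksrules() {
  # disallow SOCKS server connections (tcp port 1080)
  "$IPC" -A output -p tcp -y -s "$EXTIP" -d "$ANYWHERE" 1080 -j REJECT -l
  "$IPC" -A input -p tcp -y -d "$EXTIP" 1080 -j DENY -l
} # end socksrules

windowrules() {
  # disallow open window connections (tcp port 2000)
  "$IPC" -A output -p tcp -y -s "$EXTIP" -d "$ANYWHERE" 2000 -j REJECT

  # disallow x window connections (tcp ports 6000:6063)
  # establishing remote connection
  "$IPC" -A output -p tcp -y -s "$EXTIP" -d "$ANYWHERE" 6000:6063 -j REJECT
  # incoming connection request
  "$IPC" -A input -p tcp -y -d "$EXTIP" 6000:6063 -j DENY -l
} # end windowrules

nfsrules() {
  # disallow NFS (udp/tcp port 2049)
  "$IPC" -A input -p udp -d "$EXTIP" 2049 -j DENY -l
  "$IPC" -A input -p tcp -y -d "$EXTIP" 2049 -j DENY -l
  "$IPC" -A output -p tcp -y -d "$ANYWHERE" 2049 -j DENY -l
} # end nfsrules

authrules() {
  # accept incoming AUTH requests
  "$IPC" -A input -p tcp -s "$ANYWHERE" "$UNPRIVPORTS" -d "$EXTIP" 113 -j ACCEPT
  "$IPC" -A output -p tcp ! -y -s "$EXTIP" 113 -d "$ANYWHERE" "$UNPRIVPORTS" -j ACCEPT
} # end authrules

emailrules() {
  # allow me to relay email through my ISP's mail server
  "$IPC" -A output -i "$EXTIF" -p tcp -s "$EXTIP" "$UNPRIVPORTS" -d "$SMTP_GW" 25 -j ACCEPT
  "$IPC" -A input -i "$EXTIF" -p tcp ! -y -s "$SMTP_GW" 25 -d "$EXTIP" "$UNPRIVPORTS" -j ACCEPT

  # allow me to send email from my mail server
  "$IPC" -A output -i "$EXTIF" -p tcp -s "$EXTIP" "$UNPRIVPORTS" -d "$ANYWHERE" 25 -j ACCEPT
  "$IPC" -A input -i "$EXTIF" -p tcp -s "$ANYWHERE" 25 -d "$EXTIP" "$UNPRIVPORTS" -j ACCEPT

  # allow my mail server to receive mail
  #"$IPC" -A input -i "$EXTIF" -p tcp -s "$ANYWHERE" "$UNPRIVPORTS" -d "$EXTIP" 25 -j ACCEPT
  #"$IPC" -A output -i "$EXTIF" -p tcp -s "$EXTIP" 25 -d "$ANYWHERE" "$UNPRIVPORTS" -j ACCEPT

  # allow me to retrieve my POP mail
  "$IPC" -A output -i "$EXTIF" -p tcp -s "$EXTIP" "$UNPRIVPORTS" -d "$POP_SERVER" 110 -j ACCEPT
  "$IPC" -A input -i "$EXTIF" -p tcp ! -y -s "$POP_SERVER" 110 -d "$EXTIP" "$UNPRIVPORTS" -j ACCEPT

  # allow me to retrieve my IMAP mail
  "$IPC" -A output -i "$EXTIF" -p tcp -s "$EXTIP" "$UNPRIVPORTS" -d "$IMAP_SERVER" 143 -j ACCEPT
  "$IPC" -A input -i "$EXTIF" -p tcp ! -y -s "$IMAP_SERVER" 143 -d "$EXTIP" "$UNPRIVPORTS" -j ACCEPT

  # i want to host a pop server
  #"$IPC" -A input -i "$EXTIF" -p tcp -s "$UNPRIVPORTS" -d "$EXTIP" 110 -j ACCEPT
  #"$IPC" -A output -i "$EXTIF" -p tcp -s "$EXTIP" 110 -d "$UNPRIVPORTS" -j ACCEPT

  # i want to host a imap server
  #"$IPC" -A input -i "$EXTIF" -p tcp -s "$UNPRIVPORTS" -d "$EXTIP" 143 -j ACCEPT
  #"$IPC" -A output -i "$EXTIF" -p tcp -s "$EXTIP" 143 -d "$UNPRIVPORTS" -j ACCEPT
} # end emailrules

newsrules() {
  # i want to read and post news
  "$IPC" -A output -i "$EXTIF" -p tcp -s "$EXTIP" "$UNPRIVPORTS" -d "$NEWS_SERVER" 119 -j ACCEPT
  "$IPC" -A input -i "$EXTIF" -p tcp ! -y -s "$NEWS_SERVER" 119 -d "$EXTIP" "$UNPRIVPORTS" -j ACCEPT

  # i want to host a news server
  #"$IPC" -A input -i "$EXTIF" -p tcp -s "$UNPRIVPORTS" -d "$EXTIP" 119 -j ACCEPT
  #"$IPC" -A output -i "$EXTIF" -p tcp ! -y -s "$EXTIP" 119 -d "$UNPRIVPORTS" -j ACCEPT

  # allow peer news feeds for a local usenet server
  #"$IPC" -A output -i "$EXTIF" -p tcp -s "$EXTIP" "$UNPRIVPORTS" -d 119 -j ACCEPT
  #"$IPC" -A input -i "$EXTIF" -p tcp ! -y -s 119 -d "$EXTIP" "$UNPRIVPORTS" -j ACCEPT
} # end newsrules

telnetrules() {
  # allow outgoing telnet
  "$IPC" -A output -i "$EXTIF" -p tcp -s "$EXTIP" "$UNPRIVPORTS" -d "$ANYWHERE" 23 -j ACCEPT
  "$IPC" -A input -i "$EXTIF" -p tcp ! -y -s "$ANYWHERE" 23 -d "$EXTIP" "$UNPRIVPORTS" -j ACCEPT

  # allow incoming telnet from $SAFEEXT
  #for LOOPHOST in $SAFEEXT; do
  #  "$IPC" -A input -i "$EXTIF" -p tcp -s "$LOOPHOST" "$UNPRIVPORTS" -d "$EXTIP" 23 -j ACCEPT
  #  "$IPC" -A output -i "$EXTIF" -p tcp ! -y -s "$EXTIP" 23 -d "$LOOPHOST" "$UNPRIVPORTS" -j ACCEPT
  #done
} # end telnetrules

sshrules() {
  local LOOPHOST

  ### external ###
  # allow outgoing ssh with ssh2
  "$IPC" -A output -i "$EXTIF" -p tcp -s "$EXTIP" "$UNPRIVPORTS" -d "$ANYWHERE" 22 -j ACCEPT
  "$IPC" -A input -i "$EXTIF" -p tcp ! -y -s "$ANYWHERE" 22 -d "$EXTIP" "$UNPRIVPORTS" -j ACCEPT
  "$IPC" -A output -i "$INTIF" -p tcp -s "$INTIP" "$UNPRIVPORTS" -d "$INTNET" 22 -j ACCEPT
  "$IPC" -A input -i "$INTIF" -p tcp ! -y -s "$INTNET" 22 -d "$INTIP" "$UNPRIVPORTS" -j ACCEPT

  # allow outgoing ssh with ssh1 and ssh2
  #"$IPC" -A output -i "$EXTIF" -p tcp -s "$EXTIP" -d "$ANYWHERE" 22 -j ACCEPT
  #"$IPC" -A input -i "$EXTIF" -p tcp ! -y -s "$ANYWHERE" 22 -d "$EXTIP" -j ACCEPT
  #"$IPC" -A output -i "$INTIF" -p tcp -s "$INTIP" -d "$INTNET" 22 -j ACCEPT
  #"$IPC" -A input -i "$INTIF" -p tcp ! -y -s "$INTNET" 22 -d "$INTIP" -j ACCEPT

  # allow incoming ssh from $SAFEEXT with ssh2 (list, split intentionally)
  # shellcheck disable=SC2086
  for LOOPHOST in $SAFEEXT; do
    "$IPC" -A output -i "$EXTIF" -p tcp -s "$EXTIP" 22 -d "$LOOPHOST" "$UNPRIVPORTS" -j ACCEPT
    "$IPC" -A input -i "$EXTIF" -p tcp -s "$LOOPHOST" "$UNPRIVPORTS" -d "$EXTIP" 22 -j ACCEPT
  done

  # allow incoming ssh from $SAFEEXT with ssh1 and ssh2
  #for LOOPHOST in $SAFEEXT; do
  #  "$IPC" -A output -i "$EXTIF" -p tcp -s "$EXTIP" 22 -d "$LOOPHOST" -j ACCEPT
  #  "$IPC" -A input -i "$EXTIF" -p tcp -s "$LOOPHOST" -d "$EXTIP" 22 -j ACCEPT
  #done

  ### internal ###
  # allow incoming ssh from $SAFEINT with ssh2 (list, split intentionally)
  # shellcheck disable=SC2086
  for LOOPHOST in $SAFEINT; do
    "$IPC" -A output -i "$INTIF" -p tcp -s "$INTIP" 22 -d "$LOOPHOST" "$UNPRIVPORTS" -j ACCEPT
    "$IPC" -A input -i "$INTIF" -p tcp -s "$LOOPHOST" "$UNPRIVPORTS" -d "$INTIP" 22 -j ACCEPT
  done

  # allow incoming ssh from $SAFEINT with ssh1 and ssh2
  #for LOOPHOST in $SAFEINT; do
  #  "$IPC" -A output -i "$INTIF" -p tcp -s "$INTIP" 22 -d "$LOOPHOST" -j ACCEPT
  #  "$IPC" -A input -i "$INTIF" -p tcp -s "$LOOPHOST" -d "$INTIP" 22 -j ACCEPT
  #done
} # end sshrules

ftprules() {
  # allow outgoing ftp
  # allow outgoing requests
  "$IPC" -A output -i "$EXTIF" -p tcp -s "$EXTIP" "$UNPRIVPORTS" -d "$ANYWHERE" 21 -j ACCEPT
  "$IPC" -A input -i "$EXTIF" -p tcp ! -y -s "$ANYWHERE" 21 -d "$EXTIP" "$UNPRIVPORTS" -j ACCEPT
  # allow normal port mode
  "$IPC" -A input -i "$EXTIF" -p tcp -s "$ANYWHERE" 20 -d "$EXTIP" "$UNPRIVPORTS" -j ACCEPT
  "$IPC" -A output -i "$EXTIF" -p tcp ! -y -s "$EXTIP" "$UNPRIVPORTS" -d "$ANYWHERE" 20 -j ACCEPT
  # allow passive mode (used by newer web browsers, this will OPEN all $UNPRIVPORTS
  # for non-SYN inbound tcp; ipchains has no connection tracking to narrow it)
  "$IPC" -A output -i "$EXTIF" -p tcp -s "$EXTIP" "$UNPRIVPORTS" -d "$ANYWHERE" "$UNPRIVPORTS" -j ACCEPT
  "$IPC" -A input -i "$EXTIF" -p tcp ! -y -s "$ANYWHERE" "$UNPRIVPORTS" -d "$EXTIP" "$UNPRIVPORTS" -j ACCEPT

  # allow access to my ftp server
  # allow incoming connections
  "$IPC" -A input -i "$EXTIF" -p tcp -s "$ANYWHERE" "$UNPRIVPORTS" -d "$EXTIP" 21 -j ACCEPT
  "$IPC" -A output -i "$EXTIF" -p tcp ! -y -s "$EXTIP" 21 -d "$ANYWHERE" "$UNPRIVPORTS" -j ACCEPT
  # allow normal port mode
  "$IPC" -A output -i "$EXTIF" -p tcp -s "$EXTIP" 20 -d "$ANYWHERE" "$UNPRIVPORTS" -j ACCEPT
  "$IPC" -A input -i "$EXTIF" -p tcp ! -y -s "$ANYWHERE" "$UNPRIVPORTS" -d "$EXTIP" 20 -j ACCEPT
  # allow passive mode (used by newer web browsers)
  "$IPC" -A input -i "$EXTIF" -p tcp -s "$ANYWHERE" "$UNPRIVPORTS" -d "$EXTIP" "$UNPRIVPORTS" -j ACCEPT
  "$IPC" -A output -i "$EXTIF" -p tcp ! -y -s "$EXTIP" "$UNPRIVPORTS" -d "$ANYWHERE" "$UNPRIVPORTS" -j ACCEPT
} # end ftprules

snmprules() {
  # allow SNMP to/from the monitored hosts
  # NOTE: the peers are given as hostnames, so they are resolved through DNS
  # when the rules are loaded; the resulting rules are only as trustworthy as
  # that lookup.  Prefer fixed addresses here if the resolver is not trusted.
  "$IPC" -A input -i "$EXTIF" -p udp -s hemi.rebby.com 161 -d "$EXTIP" "$UNPRIVPORTS" -j ACCEPT
  "$IPC" -A output -i "$EXTIF" -p udp -s "$EXTIP" "$UNPRIVPORTS" -d hemi.rebby.com 161 -j ACCEPT
  "$IPC" -A input -i "$EXTIF" -p udp -s cp.rebby.com 161 -d "$EXTIP" "$UNPRIVPORTS" -j ACCEPT
  "$IPC" -A output -i "$EXTIF" -p udp -s "$EXTIP" "$UNPRIVPORTS" -d cp.rebby.com 161 -j ACCEPT
  "$IPC" -A input -i "$EXTIF" -p udp -s switch.rebby.duluth.mn.us 161 -d "$EXTIP" "$UNPRIVPORTS" -j ACCEPT
  "$IPC" -A output -i "$EXTIF" -p udp -s "$EXTIP" "$UNPRIVPORTS" -d switch.rebby.duluth.mn.us 161 -j ACCEPT
} # end snmprules

wwwrules() {
  local LOOPHOST

  # i want to access the web
  "$IPC" -A output -i "$EXTIF" -p tcp -s "$EXTIP" "$UNPRIVPORTS" -d "$ANYWHERE" 80 -j ACCEPT
  "$IPC" -A input -i "$EXTIF" -p tcp ! -y -s "$ANYWHERE" 80 -d "$EXTIP" "$UNPRIVPORTS" -j ACCEPT
  # ssl too?
  "$IPC" -A output -i "$EXTIF" -p tcp -s "$EXTIP" "$UNPRIVPORTS" -d "$ANYWHERE" 443 -j ACCEPT
  "$IPC" -A input -i "$EXTIF" -p tcp ! -y -s "$ANYWHERE" 443 -d "$EXTIP" "$UNPRIVPORTS" -j ACCEPT

  # i want to be a web server for everybody
  #"$IPC" -A input -i "$EXTIF" -p tcp -s "$ANYWHERE" "$UNPRIVPORTS" -d "$EXTIP" 80 -j ACCEPT
  #"$IPC" -A output -i "$EXTIF" -p tcp ! -y -s "$EXTIP" 80 -d "$ANYWHERE" "$UNPRIVPORTS" -j ACCEPT
  # ssl too?
  #"$IPC" -A input -i "$EXTIF" -p tcp -s "$ANYWHERE" "$UNPRIVPORTS" -d "$EXTIP" 443 -j ACCEPT
  #"$IPC" -A output -i "$EXTIF" -p tcp ! -y -s "$EXTIP" 443 -d "$ANYWHERE" "$UNPRIVPORTS" -j ACCEPT

  # i want to be a web server for $SAFEEXT only (i host mrtg here)
  # (list, split intentionally)
  # shellcheck disable=SC2086
  for LOOPHOST in $SAFEEXT; do
    "$IPC" -A input -i "$EXTIF" -p tcp -s "$LOOPHOST" "$UNPRIVPORTS" -d "$EXTIP" 80 -j ACCEPT
    "$IPC" -A output -i "$EXTIF" -p tcp ! -y -s "$EXTIP" 80 -d "$LOOPHOST" "$UNPRIVPORTS" -j ACCEPT
    # ssl too?
    #"$IPC" -A input -i "$EXTIF" -p tcp -s "$LOOPHOST" "$UNPRIVPORTS" -d "$EXTIP" 443 -j ACCEPT
    #"$IPC" -A output -i "$EXTIF" -p tcp ! -y -s "$EXTIP" 443 -d "$LOOPHOST" "$UNPRIVPORTS" -j ACCEPT
  done

  # i want to be a web server for $SAFEINT too (i host mrtg here)
  # (list, split intentionally)
  # shellcheck disable=SC2086
  for LOOPHOST in $SAFEINT; do
    "$IPC" -A input -i "$INTIF" -p tcp -s "$LOOPHOST" "$UNPRIVPORTS" -d "$INTIP" 80 -j ACCEPT
    "$IPC" -A output -i "$INTIF" -p tcp ! -y -s "$INTIP" 80 -d "$LOOPHOST" "$UNPRIVPORTS" -j ACCEPT
    # ssl too?
    #"$IPC" -A input -i "$INTIF" -p tcp -s "$LOOPHOST" "$UNPRIVPORTS" -d "$INTIP" 443 -j ACCEPT
    #"$IPC" -A output -i "$INTIF" -p tcp ! -y -s "$INTIP" 443 -d "$LOOPHOST" "$UNPRIVPORTS" -j ACCEPT
  done
} # end wwwrules

proxyrules() {
  # i want to get to my proxy server
  "$IPC" -A output -i "$EXTIF" -p tcp -s "$EXTIP" "$UNPRIVPORTS" -d "$PROXY_SERVER" "$PROXY_PORT" -j ACCEPT
  "$IPC" -A input -i "$EXTIF" -p tcp ! -y -s "$PROXY_SERVER" "$PROXY_PORT" -d "$EXTIP" "$UNPRIVPORTS" -j ACCEPT
} # end proxyrules

fingerrules() {
  # i want to finger remote hosts
  "$IPC" -A output -i "$EXTIF" -p tcp -s "$EXTIP" "$UNPRIVPORTS" -d "$ANYWHERE" 79 -j ACCEPT
  "$IPC" -A input -i "$EXTIF" -p tcp ! -y -s "$ANYWHERE" 79 -d "$EXTIP" "$UNPRIVPORTS" -j ACCEPT

  # allow others access to my finger server (why would anybody want this?)
  #"$IPC" -A input -i "$EXTIF" -p tcp -s "$UNPRIVPORTS" -d "$EXTIP" 79 -j ACCEPT
  #"$IPC" -A output -i "$EXTIF" -p tcp ! -y -s "$EXTIP" 79 -d "$UNPRIVPORTS" -j ACCEPT
} # end fingerrules

whoisrules() {
  # i want to whois
  "$IPC" -A output -i "$EXTIF" -p tcp -s "$EXTIP" "$UNPRIVPORTS" -d "$ANYWHERE" 43 -j ACCEPT
  "$IPC" -A input -i "$EXTIF" -p tcp ! -y -s "$ANYWHERE" 43 -d "$EXTIP" "$UNPRIVPORTS" -j ACCEPT
} # end whoisrules

waisrules() {
  # allow remote WAIS
  "$IPC" -A output -i "$EXTIF" -p tcp -s "$EXTIP" "$UNPRIVPORTS" -d "$ANYWHERE" 210 -j ACCEPT
  "$IPC" -A input -i "$EXTIF" -p tcp -s "$ANYWHERE" 210 -d "$EXTIP" "$UNPRIVPORTS" -j ACCEPT
} # end waisrules

dhcprules() {
  # i need access to my ISP's DHCP server
  "$IPC" -A output -i "$EXTIF" -p udp -s "$BC_SRC" -d "$BC_DEST" 68 -j ACCEPT -l
  "$IPC" -A input -i "$EXTIF" -p udp -s "$BC_SRC" -d "$BC_DEST" 67 -j ACCEPT -l
  "$IPC" -A output -i "$EXTIF" -p udp -s "$EXTIP" 68 -d "$DHCP_SERVER" 67 -j ACCEPT -l
  "$IPC" -A input -i "$EXTIF" -p udp -s "$DHCP_SERVER" 67 -d "$EXTIP" 68 -j ACCEPT -l

  # i serve as a dhcp server for $INTNET
  # (these rules are part of the lanaccess() rules)
} # end dhcprules

printrules() {
  # i need access to my tcp printer
  "$IPC" -A output -i "$EXTIF" -p tcp -s "$EXTIP" 1020 -d 515 -j ACCEPT
  "$IPC" -A input -i "$EXTIF" -p tcp -s 515 -d "$EXTIP" 1020 -j ACCEPT
} # end printrules

timerules() {
  # i need access to a time server
  "$IPC" -A output -i "$EXTIF" -p udp -s "$EXTIP" "$UNPRIVPORTS" -d 123 -j ACCEPT
  "$IPC" -A input -i "$EXTIF" -p udp -s 123 -d "$EXTIP" "$UNPRIVPORTS" -j ACCEPT
} # end timerules

problemsites() {
  # deny access to problem sites
  # the file is sourced, i.e. executed with this script's (root) privileges,
  # so it must only be writable by root
  if [[ -f /etc/sysconfig/firewall/blocked ]]; then
    . /etc/sysconfig/firewall/blocked
  fi
} # end problemsites

transproxy() {
  # set up transparent proxy
  # sourced with this script's (root) privileges - keep it root-owned
  if [[ -f /etc/sysconfig/firewall/proxy ]]; then
    . /etc/sysconfig/firewall/proxy
  fi
} # end transproxy

lanaccess() {
  # first setup the internal user chains
  "$IPC" -N IN-INT
  "$IPC" -N OUT-INT

  # now dump all the traffic from $INTNET that is left to the internal rules
  "$IPC" -A input -i "$INTIF" -s "$INTNET" -d "$ANYWHERE" -j IN-INT
  "$IPC" -A output -i "$INTIF" -s "$ANYWHERE" -d "$INTNET" -j OUT-INT

  # allow internal dhcp
  "$IPC" -A OUT-INT -i "$INTIF" -p udp -s "$INTIP" 67 -d "$INTNET" 68 -j ACCEPT
  "$IPC" -A IN-INT -i "$INTIF" -p udp -s "$INTNET" 68 -d "$INTIP" 67 -j ACCEPT
  "$IPC" -A OUT-INT -i "$INTIF" -p udp -s "$BC_SRC" -d "$BC_DEST" 67 -j ACCEPT -l
  "$IPC" -A IN-INT -i "$INTIF" -p udp -s "$BC_SRC" -d "$BC_DEST" 68 -j ACCEPT -l

  # allow dns lookups to the name server on $INTIP
  "$IPC" -A OUT-INT -i "$INTIF" -p udp -s "$INTIP" 53 -d "$INTNET" "$UNPRIVPORTS" -j ACCEPT
  "$IPC" -A IN-INT -i "$INTIF" -p udp -s "$INTNET" "$UNPRIVPORTS" -d "$INTIP" 53 -j ACCEPT
  "$IPC" -A OUT-INT -i "$INTIF" -p tcp -s "$INTIP" 53 -d "$INTNET" "$UNPRIVPORTS" -j ACCEPT
  "$IPC" -A IN-INT -i "$INTIF" -p tcp -s "$INTNET" "$UNPRIVPORTS" -d "$INTIP" 53 -j ACCEPT

  # allow outgoing ftp to $INTFTP
  # allow outgoing requests
  "$IPC" -A OUT-INT -i "$INTIF" -p tcp -s "$INTIP" "$UNPRIVPORTS" -d "$INTFTP" 21 -j ACCEPT
  "$IPC" -A IN-INT -i "$INTIF" -p tcp ! -y -s "$INTFTP" 21 -d "$INTIP" "$UNPRIVPORTS" -j ACCEPT
  # allow normal port mode
  "$IPC" -A IN-INT -i "$INTIF" -p tcp -s "$INTFTP" 20 -d "$INTIP" "$UNPRIVPORTS" -j ACCEPT
  "$IPC" -A OUT-INT -i "$INTIF" -p tcp ! -y -s "$INTIP" "$UNPRIVPORTS" -d "$INTFTP" 20 -j ACCEPT
  # allow passive mode (used by newer web browsers, this will OPEN all $UNPRIVPORTS)
  "$IPC" -A OUT-INT -i "$INTIF" -p tcp -s "$INTIP" "$UNPRIVPORTS" -d "$INTFTP" "$UNPRIVPORTS" -j ACCEPT
  "$IPC" -A IN-INT -i "$INTIF" -p tcp ! -y -s "$INTFTP" "$UNPRIVPORTS" -d "$INTIP" "$UNPRIVPORTS" -j ACCEPT

  # don't let the users on $UNREGINT relay off our mail server
  "$IPC" -A IN-INT -i "$INTIF" -p tcp -s "$UNREGINT" "$UNPRIVPORTS" -d "$INTIP" 25 -j DENY
  "$IPC" -A OUT-INT -i "$INTIF" -p tcp -s "$INTIP" 25 -d "$UNREGINT" "$UNPRIVPORTS" -j DENY

  # allow other users to relay off of our mail server on $INTIP
  #"$IPC" -A IN-INT -i "$INTIF" -p tcp -s "$INTNET" "$UNPRIVPORTS" -d "$INTIP" 25 -j ACCEPT
  #"$IPC" -A OUT-INT -i "$INTIF" -p tcp -s "$INTIP" 25 -d "$INTNET" "$UNPRIVPORTS" -j ACCEPT

  # deny all other access to $INTIP
  "$IPC" -A IN-INT -i "$INTIF" -p tcp -s "$INTNET" -d "$INTIP" -j DENY
  "$IPC" -A IN-INT -i "$INTIF" -p udp -s "$INTNET" -d "$INTIP" -j DENY

  # redirect www traffic on $UNREGINT to our webserver
  "$IPC" -A IN-INT -i "$INTIF" -p tcp -s "$UNREGINT" -d "$ANYWHERE" 80 -j REDIRECT 80

  # deny all other traffic from $UNREGINT
  "$IPC" -A IN-INT -i "$INTIF" -s "$UNREGINT" -d "$ANYWHERE" -j DENY -l

  # add the internal hosts
  addinthosts 192.168.1.2:10      # add hosts 192.168.1.2 - 192.168.1.10
  #addinthosts 192.168.1.200:205  # add hosts 192.168.1.200 - 192.168.1.205
} # end lanaccess

hostrules() {
  # allow host to host communications on $EXTIP
  # (this will open all $UNPRIVPORTS but things like ICQ will not work w/out this)
  "$IPC" -A output -i "$EXTIF" -p tcp -s "$EXTIP" "$UNPRIVPORTS" -d "$ANYWHERE" "$UNPRIVPORTS" -j ACCEPT
  "$IPC" -A input -i "$EXTIF" -p tcp ! -y -s "$ANYWHERE" "$UNPRIVPORTS" -d "$EXTIP" "$UNPRIVPORTS" -j ACCEPT
} # end hostrules

ipmasq() {
  # first set up the ip-masq modules
  "$DEPMOD" -a
  "$MODPROBE" ip_masq_ftp

  # set up ip masq timeouts (tcp, tcp fin, udp - seconds)
  "$IPC" -M -S 7200 10 160

  # set up ip-masq for everything from $INTNET that gets forwarded
  "$IPC" -A forward -i "$EXTIF" -s "$INTNET" -j MASQ
  "$IPC" -A forward -i "$INTIF" -s "$INTNET" -j MASQ
} # end ipmasq

logrules() {
  # log denied incoming packets (logs could get huge)
  "$IPC" -A input -i "$EXTIF" -p tcp -d "$EXTIP" 0:65535 -j DENY -l
  "$IPC" -A input -i "$EXTIF" -p udp -d "$EXTIP" 0:65535 -j DENY -l
  "$IPC" -A input -i "$INTIF" -p tcp -d "$EXTIP" 0:65535 -j DENY -l
  "$IPC" -A input -i "$INTIF" -p udp -d "$EXTIP" 0:65535 -j DENY -l
} # end logrules

######################
### help functions ###
######################

help() {
  # display a limited help to the user
  # (printf instead of 'echo -e': same output, no dependence on echo's
  # escape handling)
  printf 'Usage: rc.firewall [OPTION]\nSimple script for firewalling.\n\n'
  printf ' -help display this help file\n'
  printf ' -flush flush the rules and policies\n'
  printf ' -start start the firewall\n\n'
  # NOTE(review): the contact address appears to be missing from this copy
  printf 'Report bugs to .\n'
} # end help

####################
### subfunctions ###
####################

#######################################
# Add ACCEPT rules to the IN-INT/OUT-INT chains for a range of internal hosts.
# Arguments: $1 - "A.B.C.first:last" (e.g. 192.168.1.2:10), or "A.B.C.host"
#                 for a single host
# Globals:   IPC, INTIF, ANYWHERE (read)
# Returns:   0 on success, 1 if the argument is not of the expected form
#######################################
addinthosts() {
  local spec=$1
  # split "A.B.C.first:last" with parameter expansion instead of echo|cut
  local net=${spec%.*}          # A.B.C
  local range=${spec##*.}       # first:last (or just "host")
  local first=${range%%:*}
  local last=${range#*:}        # equals $first when there is no ':'
  local host

  if [[ ! $first =~ ^[0-9]+$ || ! $last =~ ^[0-9]+$ ]]; then
    printf 'addinthosts: bad host range "%s"\n' "$spec" >&2
    return 1
  fi

  for (( host = first; host <= last; host++ )); do
    # allow input and output from each host for monitoring reasons
    #"$IPC" -A IN-INT -i "$INTIF" -p tcp -s "$net.$host/32" "$UNPRIVPORTS" -d "$ANYWHERE" -j ACCEPT
    #"$IPC" -A OUT-INT -i "$INTIF" -p tcp -s "$ANYWHERE" -d "$net.$host/32" "$UNPRIVPORTS" -j ACCEPT
    "$IPC" -A IN-INT -i "$INTIF" -p tcp -s "$net.$host/32" -d "$ANYWHERE" -j ACCEPT
    "$IPC" -A OUT-INT -i "$INTIF" -p tcp -s "$ANYWHERE" -d "$net.$host/32" -j ACCEPT
  done
} # end addinthosts

# we're done!!! :-)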