How to Turn a 486 66MHz Computer into a Red Hat Linux Firewall NAT Machine

This mini-HOWTO describes how I turned my old 486 66MHz computer into a firewall and NAT machine.

I have given all the computers on my LAN access to the Internet through an old 486 66MHz computer that I have set up to run a firewall and Network Address Translation (NAT).

In the Linux community a firewall combined with NAT has long been a common setup; the two usually go by the names firewall and IP masquerading. What we are doing is using the ipchains support built into the Linux kernel to create a firewall that protects your computer(s) from marauders on the Internet, and using the same ipchains to perform Network Address Translation (NAT).

When the ipchains script is set to forward traffic from the LAN to the Internet and vice versa, the rest of the Internet thinks you have a single machine. The NAT capabilities of ipchains allow you to masquerade as many machines as your firewall machine can reasonably handle. If you have an office with 100 computers that need simple email and World Wide Web connectivity, you could use a 486 or early Pentium to give them all access on one high speed Internet account. How you service 100 email accounts for your staff I will leave for another mini-HOWTO. You could read other HOWTOs and figure it out yourself instead; that is the great flexibility of Linux.

1. The firewall machine

Here are the specifications of my firewall machine:

 	Compaq Prolinea MT 4/66
 	486 66MHz
 	32 MB RAM
 	330 MB HDD
 	4x CDROM
 	Floppy
 	AOpen ALN-101 ISA 10baseT (x2)
 
 

The most important parts (other than a working computer) are the two ethernet cards (ALN-101). The ALN-101 10baseT ethernet cards are NE clones and use the ne.o driver. I have included all of the NAT specific hardware configuration at the end of this document in Appendix A.

I have also installed the same system on a 386 33MHz computer that has 16MB RAM and a 150MB HDD. It works without any noticeable speed difference compared to the 486 66MHz.

I will call the firewall machine bilbo and the computers on the LAN frodo, merry and pippin.

On bilbo, I used a base install of Red Hat Linux 6.2 with the "Networked Workstation" option also selected. To achieve this, I did a fresh install from the CD. When the option came to select Install Gnome, KDE, Server, or Custom I selected Custom.

2. Installing Red Hat Linux 6.2

The first few install settings are keyboard, language, ... (add more later).

The next few options are fairly straightforward (if you have installed Red Hat Linux many times before). When asked to partition your hard drive you need to make at least two partitions: a swap partition and at least one other partition to hold all of your applications and data. If your hard drive already has one or more partitions that you do not want, you will need to delete them and create new ones. If you have no partitions then you will need to create them.

I will use the 330MB HDD as the basis of the partitioning steps, but substitute your HDD size and everything should work out (within reason; it will not be easy to install Red Hat Linux 6.2 on a HDD that is smaller than 100MB). The simplest partitioning scheme that will work for the firewall system has a swap partition and a system partition.

Red Hat provides Disk Druid to manipulate partitions and it has an easy to use GUI. Click the Add button and a dialog pops up to allow you to select the size of the partition. Add a 32MB partition and set it to be the swap under the "Partition Type" menu. Now add the second partition with the "Grow to fill disk?" option selected and under "Mount Point" select / (the root partition will be mounted here). Disk Druid likes to juggle partitions around so it doesn't matter in which order you select them. If you want absolute and potentially confusing control over where your partitions go use fdisk (you select fdisk with a check box on the previous menu, the "Install" menu).

You will then be asked to choose which partitions to format and whether you want to check for bad blocks. (add more later)

The next menu lets you decide where to install lilo (add more later).

The next menu lets you configure the networking on your system. You could enter the relevant LAN configuration here but I will be adding it manually after the install is complete.

The next menu gets you to configure the time zone information by having you choose which time zone you are in.

You then have to enter the password for the root user and are able to create user accounts. Create at least one user account. For security reasons you do not want to allow root to log in to bilbo (or any machine) over a network connection. The default is to not allow root network logins.

When you are prompted with the authentication menu, make sure that MD5 and shadow passwords are selected. Also make sure that NIS is not selected. NIS has too many security problems to allow it on bilbo.

Now we can select the packages to install. De-select all of the packages. Select the Networked Workstation only. Also select the "Select individual packages" check box.

The next menu will allow us to see most of the rpm packages that can be installed with Red Hat Linux. The base packages are not shown since the system will not run without them. You should now deselect any packages that are not needed for the firewall. Remove the lpr, ghostscript, all fonts, XFree86-xfs, XFree86-lib, libpng, chkfontpath, rhs-printfilters, yp, nfs, etc.

The installation will tell you if there are any unresolved dependencies for the packages being installed. It is easiest if you allow them to be installed, but make a note of them and the packages that required them.

Since we did not install XFree86 we will not be presented with the X configuration menu.

The next menu is the "Are you really sure you want to do this" menu. If you have not deleted, created or formatted any partitions in the previous steps, you can cancel your installation without making any changes to the computer. You can abort the installation by giving one of the following three-finger salutes: CTRL-ALT-DEL if you are installing in text mode and CTRL-ALT-BKSP if you are installing in GUI mode.

If you did delete, create or format partitions then your system has been irreversibly changed (unless you are a real "low level guru") and so you should just select next and let the system install the packages.

The next menu will show you the progress of the installation. You will be able to see the progress of the whole installation as well as the installation of each package. This will take between ten minutes and one hour depending on the processor speed, the speed of your CDROM and the number of packages you are installing.

After the package installation is complete, you will be prompted to insert a blank floppy to create a boot diskette. You can use a floppy with data on it but the data will be erased. I recommend that you make a boot disk now rather than later. It is not too difficult to make a boot disk, but it does take quite a bit of time to hunt down and digest the information needed to create a boot floppy.

The last menu you will see congratulates you, gives you a web site to check for errata (http://www.redhat.com/errata) and tells you to reboot the system by clicking on exit. Take the new boot floppy out before the machine reboots. This allows you to see if lilo installed on the hard drive correctly.

3. Post installation configuration

The post installation configuration includes

 	- basic security configuration
 	- installing OpenSSH for communication
 	- configuring the network cards
 	- installing the firewall
 	- removing unwanted packages
 	- turning off unwanted services
 
 

Basic Security Configuration

There are a few changes that need to be made before the system can be considered moderately secure.

 	- remove all remote access as root
 	- remove all general access to su (only specific users allowed)
 	- remove unnecessary user and groups
 
 

Where root can log on to your machine from is controlled in the /etc/securetty file. The default is access from local terminals (ttyx) only, no remote access. Do not add any pseudoterminals (ttyp).

Give only selected users access to su. This is done by adding them to the "wheel" group in the /etc/group file and then making su accessible only to members of group wheel.

In /etc/group change

 	wheel:x:10:root
 to
 	wheel:x:10:root,fred,wilma
 
 

Change the group that su belongs to from root to wheel

 	chgrp wheel /bin/su
 
 

and run the following command on su

 	chmod 4750 /bin/su
 
 

This sets the set-user-ID bit on su (the leading 4), which is what lets su run as root. It also gives root read/write/execute (rwx) permission, gives members of group wheel read/execute (rx) permission, and gives everyone else no permission at all, so users outside wheel cannot run su.

The /etc/passwd file contains many users that are not needed on bilbo so they should have their shell set to /bin/false or be removed. An example of a minimal passwd file is

 	root:x:0:0:root:/root:/bin/bash
 	bin:x:1:1:bin:/bin:/bin/false
 	adm:x:3:4:adm:/var/adm:/bin/false
 	sync:x:5:0:sync:/sbin:/bin/sync
 	shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
 	halt:x:7:0:halt:/sbin:/sbin/halt
 	mail:x:8:12:mail:/var/spool/mail:/bin/false
 	nobody:x:99:99:Nobody:/:/bin/false
 
 

Make a copy of the password file before you make these changes. If you have some problems you can always copy the original back.

Install OpenSSH

It is easiest to install OpenSSH from the rpms so that is what I did. Go to the OpenSSH web site at http://www.openssh.com/portable.html to download the files you will need. You will need the client, the server and the basic packages as well as the OpenSSL package.

 	openssh-2.1.0p3-1.i386.rpm
 	openssh-clients-2.1.0p3-1.i386.rpm
 	openssh-server-2.1.0p3-1.i386.rpm
 	openssl-0.9.5a-1.i386.rpm
 
 

Install the packages using the rpm -Uvh command line

 	rpm -Uvh openssh-2.1.0p3-1.i386.rpm \
 	 openssh-clients-2.1.0p3-1.i386.rpm \
 	  openssh-server-2.1.0p3-1.i386.rpm \
 	   openssl-0.9.5a-1.i386.rpm
 
 

Remember that the backslash (\) is the line continuation operator and that bash sees this as one long line. Now log in as root and configure ssh for use in your LAN.

Configuring the ssh server daemon: In the /etc/ssh/sshd_config file change "PermitRootLogin yes" to "PermitRootLogin no"; include "Protocol 2,1" to make ssh2 the preferred protocol; make sure X11Forwarding is set to no.

Configuring the ssh client: In the /etc/ssh/ssh_config file use

 	Host *
         	ForwardAgent no
         	ForwardX11 no
         	FallBackToRsh no
         	Protocol 2,1
 
 

This will allow you to log on to bilbo over the network with a regular user account. On your other computers in the LAN the settings can be the same or you can change X11Forwarding to yes. This will allow you to run GUI programs remotely via ssh tunneling of the X11 protocols.
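
As an added example (not part of the original HOWTO), the following script audits the state that the Basic Security Configuration and Install OpenSSH steps above are meant to produce: no pseudo-terminals in securetty, /bin/false shells in passwd, su restricted to group wheel with mode 4750, and the three sshd_config directives. The sample files are constructed from the values on this page; check_su assumes GNU stat and is the only part that touches the real system.

```sh
#!/bin/sh
# Hardening audit for the steps above (added example, not part of the HOWTO).
# Each check takes a file path or plain values, so it runs here against
# constructed sample files and can be pointed at the real /etc/securetty,
# /etc/passwd, /bin/su and /etc/ssh/sshd_config on bilbo.

# /etc/securetty lists where root may log in. Only local consoles (tty1, tty2,
# ...) belong there; a pseudo-terminal entry (ttyp*, or pts/* on newer systems)
# would allow root to log in over the network. Returns 0 if none is present.
check_securetty() {
    ! grep -Eq '^(ttyp|pts/)' "$1"
}

# Every account other than root and the sync/shutdown/halt pseudo-logins should
# have /bin/false as its shell. An empty seventh field fails too, since login
# treats it as /bin/sh. Prints the offending accounts; returns 1 if any exist.
check_passwd_shells() {
    awk -F: '
        $1 == "root" || $1 == "sync" || $1 == "shutdown" || $1 == "halt" { next }
        $7 != "/bin/false" { printf "%s: shell is \"%s\"\n", $1, $7; bad = 1 }
        END { exit bad }
    ' "$1"
}

# su_perms_ok <octal mode> <group>: after chgrp wheel and chmod 4750 the binary
# must be group wheel, keep its set-user-ID bit (su cannot work without it) and
# grant nothing to "other"; any bit in the last digit lets every user run su
# again. The Red Hat default, 4755 with group root, therefore fails.
su_perms_ok() {
    mode=$(( 0$1 ))                      # leading 0: the digits are octal
    [ "$2" = "wheel" ] && [ $(( mode & 04000 )) -ne 0 ] && [ $(( mode & 07 )) -eq 0 ]
}

# check_su <path>: apply su_perms_ok to a real binary (needs GNU stat).
check_su() {
    su_perms_ok "$(stat -c %a "$1")" "$(stat -c %G "$1")"
}

# sshd_config: the HOWTO sets PermitRootLogin no, X11Forwarding no and
# Protocol 2,1. sshd honours the first uncommented occurrence of a keyword, so
# the first match is taken here as well. Prints each wrong or missing
# directive; returns 1 if there is any.
check_sshd_config() {
    rc=0
    for want in "PermitRootLogin no" "X11Forwarding no" "Protocol 2,1"; do
        key=${want%% *}
        have=$(awk -v k="$key" '$1 == k { print $1, $2; exit }' "$1")
        if [ "$have" != "$want" ]; then
            echo "$1: want '$want', have '${have:-unset}'"
            rc=1
        fi
    done
    return $rc
}

# ---- constructed sample files, values taken from this HOWTO ----
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT

printf 'tty1\ntty2\ntty3\n' > "$TMP/securetty.good"
printf 'tty1\nttyp0\nttyp1\n' > "$TMP/securetty.bad"     # pseudo-terminals added

cat > "$TMP/passwd.good" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/false
sync:x:5:0:sync:/sbin:/bin/sync
halt:x:7:0:halt:/sbin:/sbin/halt
nobody:x:99:99:Nobody:/:/bin/false
EOF
cat > "$TMP/passwd.bad" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
news:x:9:13:news:/var/spool/news:/bin/bash
EOF

cat > "$TMP/sshd_config.good" <<'EOF'
Protocol 2,1
#PermitRootLogin yes
PermitRootLogin no
X11Forwarding no
EOF
cat > "$TMP/sshd_config.bad" <<'EOF'
PermitRootLogin yes
X11Forwarding yes
EOF

# Run every check when executed directly; failures are reported, not fatal.
for f in securetty.good securetty.bad; do
    check_securetty "$TMP/$f" && echo "$f: ok" || echo "$f: pseudo-terminal present"
done
for f in passwd.good passwd.bad; do check_passwd_shells "$TMP/$f" && echo "$f: ok"; done
su_perms_ok 4750 wheel && echo "4750 wheel: ok"
su_perms_ok 4755 root || echo "4755 root: world-executable, not group wheel"
for f in sshd_config.good sshd_config.bad; do check_sshd_config "$TMP/$f" && echo "$f: ok"; done
```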

Configure the network cards

The network cards have to be manually configured since they are ISA. The

In /etc/modules.conf you should have

 	alias eth0 ne
 	alias eth1 ne
 	options ne io=0x260,0x280 irq=11,10
 
 

This tells the kernel's module loader to load the ne driver for both ethernet cards using their appropriate I/O port and IRQ numbers. The following information also has to be entered in the ifcfg-eth0 and ifcfg-eth1 files in the /etc/sysconfig/network-scripts/ directory

 	#file: /etc/sysconfig/network-scripts/ifcfg-eth0 
 	DEVICE="eth0"
 	IPADDR="192.168.1.1"
 	BOOTPROTO="none"
 	NETWORK="192.168.1.0"
 	ONBOOT="yes"
 	BROADCAST="192.168.1.255"
 
 

This tells the system that ethernet card 0 will have the IP address 192.168.1.1 on the network 192.168.1.0 where the broadcast is 192.168.1.255 and that it should be started on boot. This is the card that will be connected to the LAN.

 	#file: /etc/sysconfig/network-scripts/ifcfg-eth1
 	DEVICE="eth1"
 	IPADDR="22.101.121.10"
 	BOOTPROTO="none"
 	NETMASK="255.255.255.128"
 	ONBOOT="yes"
 
 

This tells the system that ethernet card 1 will have the IP address 22.101.121.10 with the netmask 255.255.255.128 and that it should be started on boot. This is the card that will be connected to the cable modem.

You will also need to put the following information in the network file in the /etc/sysconfig/ directory

 	#file: /etc/sysconfig/network
 	NETWORKING="yes"
 	HOSTNAME="bilbo.hobbiton.home"
 	GATEWAY="22.101.2.1"
 	GATEWAYDEV="eth1"
 
 

This tells the system that this computer's name is bilbo.hobbiton.home, that the gateway computer's IP address is 22.101.2.1 and that the gateway device is eth1.

Now all you need to do is restart the network services. You should shut down eth1 (or your external card) until you are ready to start the firewall. You restart the network service and bring eth1 down with

 	bash# /etc/rc.d/init.d/network restart
 	bash# /sbin/ifdown eth1
 
 

This will ensure that the changes take effect. Now you have a firewall computer with no firewall installed.
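
The ifcfg files above state NETWORK and BROADCAST for eth0 but leave both out for eth1. As an added example (not from the HOWTO), this script derives them from IPADDR and NETMASK and flags an ifcfg file whose stated values contradict its own address and mask. The sample files are constructed from bilbo's values; treating a missing NETMASK as 255.255.255.0 is my assumption, based on the Mask shown for eth0 in the ifconfig output of Appendix A.

```sh
#!/bin/sh
# Derive NETWORK and BROADCAST from IPADDR and NETMASK and cross-check a Red Hat
# ifcfg-* file against them (added example, not part of the HOWTO). The sample
# files are constructed from bilbo's values above.

# ip_to_int 192.168.1.1 -> 3232235777 (dotted quad as a single 32-bit number)
ip_to_int() {
    a=${1%%.*}; r=${1#*.}
    b=${r%%.*}; r=${r#*.}
    c=${r%%.*}; d=${r#*.}
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# int_to_ip 3232235777 -> 192.168.1.1
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# network_of <ip> <netmask>: the address with its host bits cleared
network_of() {
    int_to_ip $(( $(ip_to_int "$1") & $(ip_to_int "$2") ))
}

# broadcast_of <ip> <netmask>: the address with its host bits set
broadcast_of() {
    mask=$(ip_to_int "$2")
    int_to_ip $(( ( $(ip_to_int "$1") & mask ) | ( ~mask & 4294967295 ) ))
}

# check_ifcfg <file>: ifcfg files are shell assignments, so the file is sourced
# in a subshell. A missing NETMASK is taken as 255.255.255.0, which is what the
# ifconfig output in Appendix A shows for eth0 (an assumption about the Red Hat
# scripts' default, not something the HOWTO states). Prints the derived values,
# or each stated NETWORK/BROADCAST that contradicts IPADDR/NETMASK; returns 1
# in the latter case.
check_ifcfg() {
    (
        NETMASK=""; NETWORK=""; BROADCAST=""
        . "$1"
        [ -n "$NETMASK" ] || NETMASK="255.255.255.0"
        net=$(network_of "$IPADDR" "$NETMASK")
        bc=$(broadcast_of "$IPADDR" "$NETMASK")
        rc=0
        if [ -n "$NETWORK" ] && [ "$NETWORK" != "$net" ]; then
            echo "$1: NETWORK=$NETWORK but $IPADDR/$NETMASK gives $net"; rc=1
        fi
        if [ -n "$BROADCAST" ] && [ "$BROADCAST" != "$bc" ]; then
            echo "$1: BROADCAST=$BROADCAST but $IPADDR/$NETMASK gives $bc"; rc=1
        fi
        if [ $rc -eq 0 ]; then
            echo "$1: IPADDR=$IPADDR NETMASK=$NETMASK NETWORK=$net BROADCAST=$bc"
        fi
        exit $rc
    )
}

# ---- constructed sample files ----
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT

cat > "$TMP/ifcfg-eth0" <<'EOF'
DEVICE="eth0"
IPADDR="192.168.1.1"
BOOTPROTO="none"
NETWORK="192.168.1.0"
ONBOOT="yes"
BROADCAST="192.168.1.255"
EOF
cat > "$TMP/ifcfg-eth1" <<'EOF'
DEVICE="eth1"
IPADDR="22.101.121.10"
BOOTPROTO="none"
NETMASK="255.255.255.128"
ONBOOT="yes"
EOF
# Constructed mistake: a BROADCAST copied from a /24 template onto the /25 link.
cat > "$TMP/ifcfg-eth1.bad" <<'EOF'
DEVICE="eth1"
IPADDR="22.101.121.10"
NETMASK="255.255.255.128"
BROADCAST="22.101.121.255"
EOF

for f in ifcfg-eth0 ifcfg-eth1 ifcfg-eth1.bad; do
    check_ifcfg "$TMP/$f" || true
done
```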

Install the firewall

Building a firewall is not a simple task. Luckily for both of us, there are some very good books on how to do it. The quickest way that I found was to use the book Linux Firewalls: ISBN 0-7357-0900-9 by Robert L. Ziegler to build one. His book lays out a complete firewall under Red Hat Linux 6.x using ipchains. For a comprehensive review of Internet security get the book Building Internet Firewalls 2nd Ed.: ISBN 1-56592-871-7 by Elizabeth D. Zwicky, Simon Cooper, & D. Brent Chapman.

The firewall script can be downloaded from the author's web site in both ipchains and ipfwadm formats.

The firewall script I used is a modified version of Mr. Ziegler's and is included in Appendix D. I run the firewall script using the runlevel startup method provided by Red Hat Linux.

I switched bilbo to runlevel 2. This is done by changing the default runlevel line in /etc/inittab from

 	id:3:initdefault:
 
 

to

 	id:2:initdefault:
 
 

Now you can modify /etc/rc.d/rc2.d/ and still have /etc/rc.d/rc3.d/ to fall back on if you should have any problems. I created a symbolic link from /etc/rc.d/rc2.d/S15firewall to /etc/rc.d/init.d/firewall to start the firewall on boot. This will start after the network is up since the network is started as S10network. It would be better for the firewall to start before the network since you are vulnerable to attack for the time it takes the firewall to load. This is possible if you have a static IP address assigned to you by your ISP and if you do not have any names in your firewall that require DNS lookup. If you use dhcp to get your network information or require DNS lookup in your firewall, you will need to start your network before your firewall.

Removing unwanted packages

Turning off processes and daemons is a good way to reclaim your computer's processing power, not only an exercise in security. This machine is being dedicated to firewall and NAT duties; therefore many applications that are running after installation are a waste of RAM, CPU cycles and HDD space. Let's not forget the many single floppy disk Linux distributions out there that can accomplish what I am doing in 113MB of HDD space.

Some packages that should not be installed on bilbo are: telnet, telnet daemon, lpr, ghostscript, all fonts, XFree86-xfs, XFree86-lib, libpng, chkfontpath, rhs-printfilters, yp, nfs, rsh, etc.

To uninstall lpr after installation, as root, run

 	rpm -e lpr
 
 

This will either uninstall lpr or complain about dependencies and fail. If you still don't want it you can use the --force switch with the same command, or you can uninstall the dependent packages as well.

 e.g.
 	bash# rpm -e lpr
 	error: removing these packages would break dependencies:
         	lpr >= 0.17 is needed by rhs-printfilters-1.63-1
         	lpr >= 0.16 is needed by printtool-3.44-1
 
 	bash# rpm -e --force lpr
 
 or
 
 	bash# rpm -e lpr rhs-printfilters printtool
 
 

Continue until you have removed all the packages that you want to remove. If you did your job well, your system has the minimum of packages installed and still runs.

Turning off unwanted services

I turned off many services by simply not installing the inetd daemon. This is the daemon that acts as the eyes and ears for many programs such as telnet, ftp, talk, etc. In the /etc/rc.d/rc2.d/ directory you should only have

 	K60atd -> ../init.d/atd
 	K75netfs -> ../init.d/netfs
 	K92ipchains -> ../init.d/ipchains
 	S10network -> ../init.d/network
 	S15firewall -> ../init.d/firewall
 	S20random -> ../init.d/random
 	S30syslog -> ../init.d/syslog
 	S40crond -> ../init.d/crond
 	S55sshd -> ../init.d/sshd
 	S75keytable -> ../init.d/keytable
 	S99local -> ../rc.local
 
 

This increases security because risky services are never started, and it decreases system load because fewer processes are running.

You can usually turn off services that are installed via their startup scripts in /etc/rc.d/init.d with the following command line

 	/etc/rc.d/init.d/gpm stop
 
 

and keep them from restarting upon reboot by deleting their link from the /etc/rc.d/rc2.d/ directory.

An example of the minimum set of processes and services running on the firewall machine is given in Appendix B.

Appendix A - Hardware and software configurations

Configuration files:

The Domain Name Server (DNS) addresses are set in the resolv.conf file.

 e.g.
 	#file: /etc/resolv.conf
 	nameserver 22.101.131.57
 	nameserver 22.101.131.58
 
 

Turning on packet forwarding:

Packet forwarding can be enabled from the command line using

 	bash# echo 1 > /proc/sys/net/ipv4/ip_forward 
 
 

but it is reset to 0 on reboot. A persistent solution is to modify the file /etc/sysctl.conf as seen below

 	#file: /etc/sysctl.conf
 	# Disables packet forwarding
 	net.ipv4.ip_forward = 0			# default
 	...					#line deleted for brevity
 
 

Change the value to 1 to allow packet forwarding (it takes effect on the next reboot)

 	...
 	net.ipv4.ip_forward = 1
 	...
 
 

Ethernet card configuration:

Here are the files that need to be filled in for the ethernet cards to work:

 	#file: /etc/sysconfig/network
 	NETWORKING="yes"
 	HOSTNAME="bilbo.hobbiton.home"
 	FORWARD="yes"
 	GATEWAY="22.101.2.1"
 	GATEWAYDEV="eth1"
 
 

 	#file: /etc/sysconfig/network-scripts/ifcfg-eth0 
 	DEVICE="eth0"
 	IPADDR="192.168.1.1"
 	BOOTPROTO="none"
 	NETWORK="192.168.1.0"
 	ONBOOT="yes"
 	BROADCAST="192.168.1.255"
 
 

 	#file: /etc/sysconfig/network-scripts/ifcfg-eth1
 	DEVICE="eth1"
 	IPADDR="22.101.121.10"
 	BOOTPROTO="none"
 	NETMASK="255.255.255.128"
 	ONBOOT="yes"
 
 

 bash# ifconfig
 eth0      Link encap:Ethernet  HWaddr 00:C0:DF:C0:5E:33  
           inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
           RX packets:2887420 errors:0 dropped:0 overruns:0 frame:0
           TX packets:4700628 errors:0 dropped:0 overruns:0 carrier:0
           collisions:371 txqueuelen:100 
           Interrupt:11 Base address:0x260 
 
 

 eth1      Link encap:Ethernet  HWaddr 00:60:67:25:50:90  
           inet addr:22.101.121.10  Bcast:22.101.121.127  Mask:255.255.255.128
           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
           RX packets:4698234 errors:0 dropped:0 overruns:0 frame:0
           TX packets:2868672 errors:0 dropped:0 overruns:0 carrier:0
           collisions:881 txqueuelen:100 
           Interrupt:10 Base address:0x280 
 
 

Appendix B - Processes running on bilbo

There should be as few processes running on your firewall machine as possible.

 bash# ps aux
 USER       PID %CPU %MEM   VSZ  RSS TTY      STAT START   TIME COMMAND
 root         1  0.0  0.2  1120   64 ?        S    Feb13   0:05 init [2]
 root         2  0.0  0.0     0    0 ?        SW   Feb13   0:00 [kflushd]
 root         3  0.0  0.0     0    0 ?        SW   Feb13   0:00 [kupdate]
 root         4  0.0  0.0     0    0 ?        SW   Feb13   0:00 [kpiod]
 root         5  0.0  0.0     0    0 ?        SW   Feb13   0:00 [kswapd]
 root         6  0.0  0.0     0    0 ?        SW<  Feb13   0:00 [mdrecoveryd]
 root       540  0.0  1.0  1168  332 ?        S    Feb13   0:01 syslogd -m 0
 root       549  0.0  0.5  1436  172 ?        S    Feb13   0:03 klogd
 root       563  0.0  0.4  1328  124 ?        S    Feb13   0:00 crond
 root       573  0.0  1.3  2268  420 ?        S    Feb13   0:48 /usr/sbin/sshd
 root       614  0.0  0.0  1092    0 tty1     SW   Feb13   0:00 [mingetty]
 root       615  0.0  0.0  1092    0 tty2     SW   Feb13   0:00 [mingetty]
 root       616  0.0  0.0  1092    0 tty3     SW   Feb13   0:00 [mingetty]
 
 

Appendix C - Creating a boot floppy after installation

Creating a boot floppy

Insert a blank high density double sided floppy disk (1440KB) into the floppy drive and run the following commands (these work for the first floppy device, /dev/fd0; if the floppy drive you use is the second one, use /dev/fd1)

 	bash# fdformat /dev/fd0H1440
 	bash# mkfs.ext2 /dev/fd0
 
 

This will format the disk and create the ext2 file system on the floppy. Mount the floppy (e.g. bash# mount -t ext2 /dev/fd0 /mnt/floppy) and erase the lost+found directory (it only takes up space on a floppy). Copy the following files from the /boot directory onto the floppy

 	boot.b
 	lilo.conf
 	map
 	vmlinuz-2.2.14-5.0
 
 

Edit the lilo.conf file to contain the following

 	boot=/dev/fd0
 	map=/mnt/floppy/map
 	install=/mnt/floppy/boot.b
 	timeout=50
 	prompt
 	image=/mnt/floppy/vmlinuz-2.2.14-5.0
         	label=linux
         	root=/dev/hda1
 

This tells lilo to boot off of the floppy using the map, boot.b and vmlinuz files found on the floppy disk. Now run lilo to make the floppy bootable

 e.g.
 	bash# lilo -v -C /mnt/floppy/lilo.conf
 
 

This tells lilo to be verbose (-v) and to use the specified lilo.conf (-C) file. Your floppy will now boot your machine as long as your root (/) directory is on device hda1 (change it if it is different).

Appendix D - The firewall script

 #!/bin/sh
 
 # Source function library.
 . /etc/rc.d/init.d/functions
 
 echo -n "Starting Firewall: "
 
 # ====================================================================
 # ====================================================================
 
 # Originally from Linux Firewalls: ISBN 0-7357-0900-9
 # by Robert L. Ziegler available at 
 # http://www.linux-firewall-tools.com/ftp/firewall/rc.firewall.ipchains
 
 # I have included some extra ipchains that are commented out.
 # This gives me future options without my having to type them
 # in later.  Find them by searching for either of the phrases:
 
 # PETAR'S MODIFICATIONS:
 # or
 # NOT IMPLEMENTED
 
 # They are in the lines:
 
 #  #  #  # PETAR'S MODIFICATIONS:
 # and
 #  #  #  # NOT IMPLEMENTED
 
 # The ipchains that are commented out all have "#  #  #  "
 # in front of them, so they should be easy to find.  The
 # "#  #  #  " is nine columns long.  To implement any of the
 # commented ipchains, search for the pattern of "#  #  #  "
 # and remove it.  Of course I have not triple checked any of
 # those sections ;-).  Some of them also need IP addresses
 # before they can be turned on.
 
 # ====================================================================
 # ====================================================================
 
 # Use variables to store addresses for ease of use
 
 # ______________________________________________________________________
 # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 # Replace the IP addresses below with those provided by your ISP
 
 EXTERNAL_INTERFACE="eth1"           # Internet connected interface 
 LOOPBACK_INTERFACE="lo"             # or your local naming convention
 LAN_INTERFACE_1="eth0"              # internal LAN interface
   
 IPADDR="22.101.121.10"              # your IP address
 LAN_1="192.168.1.0/24"              # whatever (private) range you use
 LAN_IPADDR_1="192.168.1.1"          # your internal interface address
 TRUSTED_FROM_LAN_1="192.168.1.2"    # the machine on the LAN that I trust
 TRUSTED_FROM_LAN_2="192.168.1.11"   # the machine on the LAN that I trust
 
 ANYWHERE="any/0"                    # match any IP address
 
 
 MY_ISP="22.101.121.0/24"            # ISP & NOC address range
 NAMESERVER_1="22.101.131.57"        # Primary DNS
 NAMESERVER_2="22.101.131.58"	    # and this is DNS 2
 
 SMTP_SERVER="any/0"                 # external mail server 
 SMTP_GATEWAY="22.101.91.97"         # external mail relay
 POP_SERVER="22.101.91.98"           # external pop server, if any
 NEWS_SERVER="22.101.91.99"          # external news server, if any
 WEB_PROXY_SERVER="22.101.91.1"      # ISP web proxy server, if any
 WEB_PROXY_PORT="8080"               # ISP web proxy port, if any
                                     # typically 8008 or 8080
 
 # Replace the IP addresses above with those provided by your ISP
 # ______________________________________________________________________
 # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 LOOPBACK="127.0.0.0/8"              # reserved loopback address range
 CLASS_A="10.0.0.0/8"                # class A private networks
 CLASS_B="172.16.0.0/12"             # class B private networks
 CLASS_C="192.168.0.0/16"            # class C private networks
 CLASS_D_MULTICAST="224.0.0.0/4"     # class D multicast addresses
 CLASS_E_RESERVED_NET="240.0.0.0/5"  # class E reserved addresses
 BROADCAST_SRC="0.0.0.0"             # broadcast source address
 BROADCAST_DEST="255.255.255.255"    # broadcast destination address
 PRIVPORTS="0:1023"                  # wellknown, privileged port range
 UNPRIVPORTS="1024:65535"            # unprivileged port range
 TRACEROUTE_SRC_PORTS="32769:65535"
 TRACEROUTE_DEST_PORTS="33434:33523"
 
 # --------------------------------------------------------------------
 # EDIT THESE TO MATCH THE NUMBER OF SERVERS OR CONNECTIONS 
 # YOU SUPPORT.
 
 # X Windows port allocation begins at 6000 and increments
 # for each additional server running from 6000 to 6063.
 
 XWINDOW_PORTS="6000:6003"           # (TCP) X windows, allow 4
 
 # SSH starts at 1023 and works down to 513 for
 # each additional simultaneous incoming connection.
 
 SSH_PORTS="1020:1023"               # 4 simultaneous connections
 
 # --------------------------------------------------------------------
 
 SOCKS_PORT="1080"                   # (TCP) socks
 OPENWINDOWS_PORT="2000"             # (TCP) openwindows
 NFS_PORT="2049"                     # (TCP/UDP) NFS
 
 # --------------------------------------------------------------------
 
 # Flush any existing rules from all chains
 ipchains -F
 
 # Set the default policy to deny
 ipchains -P input   DENY
 ipchains -P output  REJECT
 ipchains -P forward REJECT
 
 # Set masquerade timeout to 10 hours for TCP connections.
 ipchains -M -S 36000 0 0
 
 # Disallow Fragmented Packets
 ipchains -A input -f -i $EXTERNAL_INTERFACE -j DENY
 
 # Enable TCP SYN Cookie Protection
 echo 1 >/proc/sys/net/ipv4/tcp_syncookies
 
 # Enable IP spoofing protection
 # turn on Source Address Verification
 for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
     echo 1 > $f
 done
 
 # Disable ICMP Redirect Acceptance
 for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
     echo 0 > $f
 done
 
 # Disable Source Routed Packets
 for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
     echo 0 > $f
 done
 
 # --------------------------------------------------------------------
 # LOOPBACK
 
 # Unlimited traffic on the loopback interface
 ipchains -A input  -i $LOOPBACK_INTERFACE -j ACCEPT
 ipchains -A output -i $LOOPBACK_INTERFACE -j ACCEPT
 
 # --------------------------------------------------------------------
 # Refuse any connections from problem sites
 # This is our black hole
 
 # /etc/rc.d/rc.firewall.blocked contains a list of
 # ipchains -A input -i $EXTERNAL_INTERFACE -s <address/mask> -j DENY
 # rules to block all access from offending sites.
 
 # Refuse packets claiming to be from the banned list
 if [ -f /etc/rc.d/rc.firewall.blocked ]; then
     . /etc/rc.d/rc.firewall.blocked
 fi
 
 # --------------------------------------------------------------------
 # SPOOFING & BAD ADDRESSES
 # Refuse spoofed packets.
 # Ignore blatantly illegal source addresses.
 # Protect yourself from sending to bad addresses.
 
 # Refuse spoofed packets pretending to be from 
 # the external interface's IP address. The -l (dash ell)
 # makes the ipchain log any encounter in /var/log/messages
 ipchains -A input  -i $EXTERNAL_INTERFACE -s $IPADDR -j DENY -l 
 
 # Refuse packets claiming to be to or from a Class A private network
 ipchains -A input  -i $EXTERNAL_INTERFACE -s $CLASS_A -j DENY
 ipchains -A input  -i $EXTERNAL_INTERFACE -d $CLASS_A -j DENY
 ipchains -A output -i $EXTERNAL_INTERFACE -s $CLASS_A -j DENY -l
 ipchains -A output -i $EXTERNAL_INTERFACE -d $CLASS_A -j DENY -l
 
 # Refuse packets claiming to be to or from a Class B private network
 ipchains -A input  -i $EXTERNAL_INTERFACE -s $CLASS_B -j DENY
 ipchains -A input  -i $EXTERNAL_INTERFACE -d $CLASS_B -j DENY
 ipchains -A output -i $EXTERNAL_INTERFACE -s $CLASS_B -j DENY -l
 ipchains -A output -i $EXTERNAL_INTERFACE -d $CLASS_B -j DENY -l
 
 # Refuse packets claiming to be to or from a Class C private network
 ipchains -A input  -i $EXTERNAL_INTERFACE -s $CLASS_C -j DENY
 ipchains -A input  -i $EXTERNAL_INTERFACE -d $CLASS_C -j DENY
 ipchains -A output -i $EXTERNAL_INTERFACE -s $CLASS_C -j DENY -l
 ipchains -A output -i $EXTERNAL_INTERFACE -d $CLASS_C -j DENY -l
 
 # Refuse packets claiming to be from the loopback interface
 ipchains -A input  -i $EXTERNAL_INTERFACE -s $LOOPBACK -j DENY
 ipchains -A output -i $EXTERNAL_INTERFACE -s $LOOPBACK -j DENY -l
 
 # Refuse malformed broadcast packets
 ipchains -A input  -i $EXTERNAL_INTERFACE -s $BROADCAST_DEST -j DENY -l 
 ipchains -A input  -i $EXTERNAL_INTERFACE -d $BROADCAST_SRC  -j DENY -l 
 ipchains -A output -i $EXTERNAL_INTERFACE -s $BROADCAST_DEST -j DENY -l 
 ipchains -A output -i $EXTERNAL_INTERFACE -d $BROADCAST_SRC  -j DENY -l 
 
 # Refuse Class D multicast addresses
 # Multicast is only illegal as a source address.
 # Multicast uses UDP
 ipchains -A input  -i $EXTERNAL_INTERFACE -s $CLASS_D_MULTICAST \
          -j DENY -l
          
 ipchains -A output -i $EXTERNAL_INTERFACE -s $CLASS_D_MULTICAST \
          -j REJECT -l
          
 # Refuse Class E reserved IP addresses
 ipchains -A input  -i $EXTERNAL_INTERFACE -s $CLASS_E_RESERVED_NET \
          -j DENY -l
          
 ipchains -A output -i $EXTERNAL_INTERFACE -d $CLASS_E_RESERVED_NET \
          -j REJECT
          
 # Refuse addresses defined as reserved by the IANA.
 # 0.*.*.*, 1.*.*.*, 2.*.*.*, 5.*.*.*, 7.*.*.*, 23.*.*.*, 27.*.*.*
 # 31.*.*.*, 37.*.*.*, 39.*.*.*, 41.*.*.*, 42.*.*.*, 58-60.*.*.*
 
 ipchains -A input -i $EXTERNAL_INTERFACE -s 1.0.0.0/8 -j DENY -l
 ipchains -A input -i $EXTERNAL_INTERFACE -s 2.0.0.0/8 -j DENY -l
 ipchains -A input -i $EXTERNAL_INTERFACE -s 5.0.0.0/8 -j DENY -l
 ipchains -A input -i $EXTERNAL_INTERFACE -s 7.0.0.0/8 -j DENY -l
 ipchains -A input -i $EXTERNAL_INTERFACE -s 23.0.0.0/8 -j DENY -l
 ipchains -A input -i $EXTERNAL_INTERFACE -s 27.0.0.0/8 -j DENY -l
 ipchains -A input -i $EXTERNAL_INTERFACE -s 31.0.0.0/8 -j DENY -l
 ipchains -A input -i $EXTERNAL_INTERFACE -s 37.0.0.0/8 -j DENY -l
 ipchains -A input -i $EXTERNAL_INTERFACE -s 39.0.0.0/8 -j DENY -l
 ipchains -A input -i $EXTERNAL_INTERFACE -s 41.0.0.0/8 -j DENY -l
 ipchains -A input -i $EXTERNAL_INTERFACE -s 42.0.0.0/8 -j DENY -l
 ipchains -A input -i $EXTERNAL_INTERFACE -s 58.0.0.0/7 -j DENY -l
 ipchains -A input -i $EXTERNAL_INTERFACE -s 60.0.0.0/8 -j DENY -l
 
 # 65: 01000001   - /3 includes 64 - need 65-79 spelled out
 ipchains -A input -i $EXTERNAL_INTERFACE -s 65.0.0.0/8 -j DENY -l
 ipchains -A input -i $EXTERNAL_INTERFACE -s 66.0.0.0/8 -j DENY -l
 ipchains -A input -i $EXTERNAL_INTERFACE -s 67.0.0.0/8 -j DENY -l
 ipchains -A input -i $EXTERNAL_INTERFACE -s 68.0.0.0/8 -j DENY -l
 ipchains -A input -i $EXTERNAL_INTERFACE -s 69.0.0.0/8 -j DENY -l
 ipchains -A input -i $EXTERNAL_INTERFACE -s 70.0.0.0/8 -j DENY -l
 ipchains -A input -i $EXTERNAL_INTERFACE -s 71.0.0.0/8 -j DENY -l
 ipchains -A input -i $EXTERNAL_INTERFACE -s 72.0.0.0/8 -j DENY -l
 ipchains -A input -i $EXTERNAL_INTERFACE -s 73.0.0.0/8 -j DENY -l
 ipchains -A input -i $EXTERNAL_INTERFACE -s 74.0.0.0/8 -j DENY -l
 ipchains -A input -i $EXTERNAL_INTERFACE -s 75.0.0.0/8 -j DENY -l
 ipchains -A input -i $EXTERNAL_INTERFACE -s 76.0.0.0/8 -j DENY -l
 ipchains -A input -i $EXTERNAL_INTERFACE -s 77.0.0.0/8 -j DENY -l
 ipchains -A input -i $EXTERNAL_INTERFACE -s 78.0.0.0/8 -j DENY -l
 ipchains -A input -i $EXTERNAL_INTERFACE -s 79.0.0.0/8 -j DENY -l
 
 # 80: 01010000   - /4 masks 80-95
 ipchains -A input -i $EXTERNAL_INTERFACE -s 80.0.0.0/4 -j DENY -l
 
 # 96: 01100000  - /4 masks 96-111
 ipchains -A input -i $EXTERNAL_INTERFACE -s 96.0.0.0/4 -j DENY -l
 
 # 126: 01111110  - /3 includes 127 - need 112-126 spelled out
 ipchains -A input -i $EXTERNAL_INTERFACE -s 112.0.0.0/8 -j DENY -l
 ipchains -A input -i $EXTERNAL_INTERFACE -s 113.0.0.0/8 -j DENY -l
 ipchains -A input -i $EXTERNAL_INTERFACE -s 114.0.0.0/8 -j DENY -l
 ipchains -A input -i $EXTERNAL_INTERFACE -s 115.0.0.0/8 -j DENY -l
 ipchains -A input -i $EXTERNAL_INTERFACE -s 116.0.0.0/8 -j DENY -l
 ipchains -A input -i $EXTERNAL_INTERFACE -s 117.0.0.0/8 -j DENY -l
 ipchains -A input -i $EXTERNAL_INTERFACE -s 118.0.0.0/8 -j DENY -l
 ipchains -A input -i $EXTERNAL_INTERFACE -s 119.0.0.0/8 -j DENY -l
 ipchains -A input -i $EXTERNAL_INTERFACE -s 120.0.0.0/8 -j DENY -l
 ipchains -A input -i $EXTERNAL_INTERFACE -s 121.0.0.0/8 -j DENY -l
 ipchains -A input -i $EXTERNAL_INTERFACE -s 122.0.0.0/8 -j DENY -l
 ipchains -A input -i $EXTERNAL_INTERFACE -s 123.0.0.0/8 -j DENY -l
 ipchains -A input -i $EXTERNAL_INTERFACE -s 124.0.0.0/8 -j DENY -l
 ipchains -A input -i $EXTERNAL_INTERFACE -s 125.0.0.0/8 -j DENY -l
 ipchains -A input -i $EXTERNAL_INTERFACE -s 126.0.0.0/8 -j DENY -l
 
 # 217: 11011001  - /5 includes 216 - need 217-219 spelled out
 ipchains -A input -i $EXTERNAL_INTERFACE -s 217.0.0.0/8 -j DENY -l
 ipchains -A input -i $EXTERNAL_INTERFACE -s 218.0.0.0/8 -j DENY -l
 ipchains -A input -i $EXTERNAL_INTERFACE -s 219.0.0.0/8 -j DENY -l
 
 # 223: 11011111  - /6 masks 220-223
 ipchains -A input -i $EXTERNAL_INTERFACE -s 220.0.0.0/6 -j DENY -l
 
 # --------------------------------------------------------------------
 # ICMP
 
 # (4)  Source_Quench
 #      incoming & outgoing requests to slow down (flow control)
 
 ipchains -A input  -i $EXTERNAL_INTERFACE -p icmp \
          -s $ANYWHERE 4 -d $IPADDR -j ACCEPT
 
 ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
          -s $IPADDR 4 -d $ANYWHERE -j ACCEPT
 
 # (12) Parameter_Problem
 #      incoming & outgoing error messages
 
 ipchains -A input  -i $EXTERNAL_INTERFACE -p icmp \
          -s $ANYWHERE 12 -d $IPADDR -j ACCEPT
 
 ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
          -s $IPADDR 12 -d $ANYWHERE -j ACCEPT
 
 # (3)  Dest_Unreachable, Service_Unavailable
 #      incoming & outgoing size negotiation, service or 
 #      destination unavailability, final traceroute response 
 
 ipchains -A input  -i $EXTERNAL_INTERFACE -p icmp \
          -s $ANYWHERE 3 -d $IPADDR -j ACCEPT
 
 ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
          -s $IPADDR 3 -d $MY_ISP -j ACCEPT
 
 ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
          -s $IPADDR fragmentation-needed -d $ANYWHERE -j ACCEPT
 
 # (11) Time_Exceeded
 #      incoming & outgoing time out conditions,
 #      also intermediate TTL response to traceroutes
 
 ipchains -A input  -i $EXTERNAL_INTERFACE -p icmp \
          -s $ANYWHERE 11 -d $IPADDR -j ACCEPT
 
 ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
          -s $IPADDR 11 -d $MY_ISP -j ACCEPT
 
 # allow outgoing pings to anywhere
 
 ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
          -s $IPADDR 8 -d $ANYWHERE -j ACCEPT
 
 ipchains -A input  -i $EXTERNAL_INTERFACE -p icmp \
          -s $ANYWHERE 0 -d $IPADDR -j ACCEPT
 
 # allow incoming pings from trusted hosts
 
 ipchains -A input  -i $EXTERNAL_INTERFACE -p icmp \
          -s $MY_ISP 8 -d $IPADDR -j ACCEPT
 
 ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
          -s $IPADDR 0 -d $MY_ISP -j ACCEPT
          
 # --------------------------------------------------------------------
 # UNPRIVILEGED PORTS
 # Avoid ports subject to protocol & system administration problems.
 
 # Open Windows: establishing a connection
 ipchains -A output -i $EXTERNAL_INTERFACE -p tcp -y \
          -s $IPADDR \
          -d $ANYWHERE $OPENWINDOWS_PORT -j REJECT
          
 # Open Windows incoming connection
 ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -y \
          -d $IPADDR $OPENWINDOWS_PORT -j DENY
          
 # X Windows: establishing a remote connection
 ipchains -A output -i $EXTERNAL_INTERFACE -p tcp -y \
          -s $IPADDR \
          -d $ANYWHERE $XWINDOW_PORTS -j REJECT
          
 # X Windows: incoming connection attempt
 ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -y \
          -d $IPADDR $XWINDOW_PORTS -j DENY -l
          
 # SOCKS: establishing a connection
 ipchains -A output -i $EXTERNAL_INTERFACE -p tcp -y \
          -s $IPADDR \
          -d $ANYWHERE $SOCKS_PORT -j REJECT -l
          
 # SOCKS incoming connection
 ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -y \
          -d $IPADDR $SOCKS_PORT -j DENY
          
 # NFS: TCP connections
 ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -y \
          -d $IPADDR $NFS_PORT -j DENY -l
 
 ipchains -A output -i $EXTERNAL_INTERFACE -p tcp -y \
          -d $ANYWHERE $NFS_PORT -j REJECT -l
          
 # NFS: UDP connections
 ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
          -d $IPADDR $NFS_PORT -j DENY -l
          
 # NFS outgoing request  (normal UDP mode)
 ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
          -d $ANYWHERE $NFS_PORT -j REJECT -l
 
 # --------------------------------------------------------------------
 # NOTE:
 #      The symbolic names used in /etc/services for the port numbers 
 #      vary by supplier.  Using them is less error prone and more 
 #      meaningful.
 
 # --------------------------------------------------------------------
 # Required Services
 
 # DNS client modes (53)
 # ---------------------
 # For the primary and secondary DNS's
 
 ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
          -s $IPADDR $UNPRIVPORTS \
          -d $NAMESERVER_1 53 -j ACCEPT
 
 ipchains -A input  -i $EXTERNAL_INTERFACE -p udp \
          -s $NAMESERVER_1 53 \
          -d $IPADDR $UNPRIVPORTS -j ACCEPT
 
 # PETAR'S MODIFICATIONS:
 # IS THIS CORRECT?  IS IT UDP FOR DNS_2 OR IS IT TCP?
 
 ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
          -s $IPADDR $UNPRIVPORTS \
          -d $NAMESERVER_2 53 -j ACCEPT
 
 ipchains -A input  -i $EXTERNAL_INTERFACE -p udp \
          -s $NAMESERVER_2 53 \
          -d $IPADDR $UNPRIVPORTS -j ACCEPT
 
 # The protocol allows a client to retry a query over TCP when the UDP
 # answer is truncated or fails. This is rarely seen. Usually, TCP to port
 # 53 is used by secondary nameservers pulling zone transfers from their
 # primaries, and by attackers probing the nameserver.
 
 ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
          -s $IPADDR $UNPRIVPORTS \
          -d $NAMESERVER_1 53 -j ACCEPT
 
 ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
          -s $NAMESERVER_1 53 \
          -d $IPADDR $UNPRIVPORTS -j ACCEPT
 
 #  #  #  # PETAR'S MODIFICATIONS:
 #  #  #  # NOT IMPLEMENTED
 #  #  #  # DNS server modes (53)
 #  #  #  # ---------------------
 #  #  #  
 #  #  #  # DNS caching & forwarding nameserver
 #  #  #  # -----------------------------------
 #  #  #  
 #  #  #  # server to server query or response
 #  #  #  # Caching only name server uses UDP, not TCP
 #  #  #  
 #  #  #  ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
 #  #  #           -s $IPADDR 53 \
 #  #  #           -d $NAMESERVER_1 53 -j ACCEPT
 #  #  #  
 #  #  #  ipchains -A input  -i $EXTERNAL_INTERFACE -p udp \
 #  #  #           -s $NAMESERVER_1 53 \
 #  #  #           -d $IPADDR 53 -j ACCEPT
 #  #  #  
 #  #  #  # DNS full nameserver
 #  #  #  # -------------------
 #  #  #  
 #  #  #  # client to server DNS transaction
 #  #  #  ipchains -A input  -i $EXTERNAL_INTERFACE -p udp \
 #  #  #           -s <my.dns.clients> $UNPRIVPORTS \
 #  #  #           -d $IPADDR 53 -j ACCEPT
 #  #  #  
 #  #  #  ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
 #  #  #           -s $IPADDR 53 \
 #  #  #           -d <my.dns.clients> $UNPRIVPORTS -j ACCEPT
 #  #  #  
 #  #  #  # peer-to-peer server DNS transaction 
 #  #  #  ipchains -A input  -i $EXTERNAL_INTERFACE -p udp \
 #  #  #           -s <my.dns.clients> 53 \
 #  #  #           -d $IPADDR 53 -j ACCEPT
 #  #  #  
 #  #  #  ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
 #  #  #           -s $IPADDR 53 \
 #  #  #           -d <my.dns.clients> 53 -j ACCEPT
 #  #  #  
 #  #  #  # Zone Transfers
 #  #  #  # due to the potential danger of zone transfers,
 #  #  #  # only allow TCP traffic to specific secondaries.
 #  #  #  
 #  #  #  ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp \
 #  #  #           -s <my.dns.secondaries> $UNPRIVPORTS \
 #  #  #           -d $IPADDR 53 -j ACCEPT
 #  #  #  
 #  #  #  ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
 #  #  #           -s $IPADDR 53 \
 #  #  #           -d <my.dns.secondaries> $UNPRIVPORTS -j ACCEPT
 
 # --------------------------------------------------------------------
 
 # AUTH (113) - Allowing Your Outgoing AUTH Requests as a Client
 # -------------------------------------------------------------
 
 ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
          -s $IPADDR $UNPRIVPORTS \
          -d $ANYWHERE 113 -j ACCEPT
 
 ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
          -s $ANYWHERE 113 \
          -d $IPADDR $UNPRIVPORTS -j ACCEPT
 
 #  #  #  # NOT IMPLEMENTED
 #  #  #  # AUTH server (113)
 #  #  #  # -----------------
 #  #  #  # Accepting Incoming AUTH Requests
 #  #  #  
 #  #  #  ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp \
 #  #  #           -s $ANYWHERE $UNPRIVPORTS \
 #  #  #           -d $IPADDR 113 -j ACCEPT
 #  #  #  
 #  #  #  ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
 #  #  #           -s $IPADDR 113 \
 #  #  #           -d $ANYWHERE $UNPRIVPORTS -j ACCEPT
 
 # OR
 
 # Rejecting Incoming AUTH Requests
 
 ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp \
          -d $IPADDR 113 -j REJECT
 
 # --------------------------------------------------------------------
 # TCP services on selected ports
 
 # Sending Mail through a remote SMTP gateway (25)
 # -----------------------------------------------
 
 # SMTP client to an ISP account without a local server
 
 ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
          -s $IPADDR $UNPRIVPORTS \
          -d $SMTP_GATEWAY 25 -j ACCEPT
 
 ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp ! -y \
          -s $SMTP_GATEWAY 25 \
          -d $IPADDR $UNPRIVPORTS -j ACCEPT
 
 # OR 
 
 # Sending Mail through a local SMTP server
 
 ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
          -s $IPADDR $UNPRIVPORTS \
          -d $ANYWHERE 25 -j ACCEPT
 
 ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp ! -y \
          -s $ANYWHERE 25 \
          -d $IPADDR $UNPRIVPORTS -j ACCEPT
 
 #  #  #  # NOT IMPLEMENTED
 #  #  #  # Receiving Mail as a Local SMTP server (25)
 #  #  #  # ------------------------------------------
 #  #  #  
 #  #  #  ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp \
 #  #  #           -s $ANYWHERE $UNPRIVPORTS \
 #  #  #           -d $IPADDR 25 -j ACCEPT
 #  #  #  
 #  #  #  ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
 #  #  #           -s $IPADDR 25 \
 #  #  #           -d $ANYWHERE $UNPRIVPORTS -j ACCEPT
 
 # --------------------------------------------------------------------
 
 # POP (110) - Retrieving Mail as a POP Client
 # -------------------------------------------
 
 ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
          -s $IPADDR $UNPRIVPORTS \
          -d $POP_SERVER 110 -j ACCEPT
 
 ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
          -s $POP_SERVER 110 \
          -d $IPADDR $UNPRIVPORTS -j ACCEPT
 
 #  #  #  # NOT IMPLEMENTED
 #  #  #  # POP (110) - Hosting a POP Server for Remote Clients
 #  #  #  # ---------------------------------------------------
 #  #  #  
 #  #  #  ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp \
 #  #  #           -s <my.pop.clients> $UNPRIVPORTS \
 #  #  #           -d $IPADDR 110 -j ACCEPT
 #  #  #  
 #  #  #  ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
 #  #  #           -s $IPADDR 110 \
 #  #  #           -d <my.pop.clients> $UNPRIVPORTS -j ACCEPT
 #  #  #  
 #  #  #  # --------------------------------------------------------------------
 #  #  #  
 #  #  #  # IMAP (143) - Retrieving Mail as an IMAP Client
 #  #  #  # ----------------------------------------------
 #  #  #  
 #  #  #  ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
 #  #  #           -s $IPADDR $UNPRIVPORTS \
 #  #  #           -d <my.imap.server> 143 -j ACCEPT
 #  #  #  
 #  #  #  ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
 #  #  #           -s <my.imap.server> 143 \
 #  #  #           -d $IPADDR $UNPRIVPORTS -j ACCEPT
 #  #  #  
 #  #  #  # IMAP (143) - Hosting an IMAP Server for Remote Clients
 #  #  #  # ------------------------------------------------------
 #  #  #  
 #  #  #  ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp \
 #  #  #           -s <my.imap.clients> $UNPRIVPORTS \
 #  #  #           -d $IPADDR 143 -j ACCEPT
 #  #  #  
 #  #  #  ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
 #  #  #           -s $IPADDR 143 \
 #  #  #           -d <my.imap.clients> $UNPRIVPORTS -j ACCEPT
 # --------------------------------------------------------------------
 
 # NNTP (119) - Reading and Posting News as a Usenet Client
 # --------------------------------------------------------
 
 ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
          -s $IPADDR $UNPRIVPORTS \
          -d $NEWS_SERVER 119 -j ACCEPT
 
 ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
          -s $NEWS_SERVER 119 \
          -d $IPADDR $UNPRIVPORTS -j ACCEPT
 
 #  #  #  # NOT IMPLEMENTED
 #  #  #  # NNTP (119) - Hosting a Usenet News Server for Remote Clients
 #  #  #  # ------------------------------------------------------------
 #  #  #  
 #  #  #  ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp \
 #  #  #           -s <my.news.clients> $UNPRIVPORTS \
 #  #  #           -d $IPADDR 119 -j ACCEPT
 #  #  #  
 #  #  #  ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
 #  #  #           -s $IPADDR 119 \
 #  #  #           -d <my.news.clients> $UNPRIVPORTS -j ACCEPT
 #  #  #  
 #  #  #  # NNTP (119) - Allowing Peer News Feeds for a Local Usenet Server
 #  #  #  # ---------------------------------------------------------------
 #  #  #  
 #  #  #  ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
 #  #  #           -s $IPADDR $UNPRIVPORTS \
 #  #  #           -d <my.news.feed> 119 -j ACCEPT
 #  #  #           
 #  #  #  ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
 #  #  #           -s <my.news.feed> 119 \
 #  #  #           -d $IPADDR $UNPRIVPORTS -j ACCEPT
 # --------------------------------------------------------------------
 
 # TELNET (23) - Allowing Outgoing Client Access to Remote Sites
 # -------------------------------------------------------------
 
 ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
          -s $IPADDR $UNPRIVPORTS \
          -d $ANYWHERE 23 -j ACCEPT
 
 ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
          -s $ANYWHERE 23 \
          -d $IPADDR $UNPRIVPORTS -j ACCEPT
 
 # TELNET (23) - Allowing Incoming Access to My Local Server 
 # ---------------------------------------------------------
 
 # ONLY ALLOW IT FROM TRUSTED INTERNAL COMPUTERS
 # ---------------------------------------------
 
 ipchains -A input -i $LAN_INTERFACE_1 -p tcp \
          -s $TRUSTED_FROM_LAN_1 $UNPRIVPORTS \
          -d $LAN_IPADDR 23 -j ACCEPT
 
 ipchains -A output -i $LAN_INTERFACE_1 -p tcp \
          -s $LAN_IPADDR 23 \
          -d $TRUSTED_FROM_LAN_1 $UNPRIVPORTS -j ACCEPT
 
 ipchains -A input -i $LAN_INTERFACE_1 -p tcp \
          -s $TRUSTED_FROM_LAN_2 $UNPRIVPORTS \
          -d $LAN_IPADDR 23 -j ACCEPT
 
 ipchains -A output -i $LAN_INTERFACE_1 -p tcp \
          -s $LAN_IPADDR 23 \
          -d $TRUSTED_FROM_LAN_2 $UNPRIVPORTS -j ACCEPT
 
 #  #  #  # NOT IMPLEMENTED (EVER ???)
 #  #  #  # TELNET (23) - Allowing Incoming Access to Your Local Server
 #  #  #  # -----------------------------------------------------------
 #  #  #  
 #  #  #  ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp \
 #  #  #           -s $ANYWHERE $UNPRIVPORTS \
 #  #  #           -d $IPADDR 23 -j ACCEPT
 #  #  #  
 #  #  #  ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
 #  #  #           -s $IPADDR 23 \
 #  #  #           -d $ANYWHERE $UNPRIVPORTS -j ACCEPT
 #  #  #  
 #  #  #  # --------------------------------------------------------------------
 
 #  #  #  # PETAR'S MODIFICATIONS:
 #  #  #  # NOT IMPLEMENTED
 #  #  #  # SSH client (22) - Allowing Client Access to Remote SSH Servers
 #  #  #  # --------------------------------------------------------------
 #  #  #  
 #  #  #  ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
 #  #  #           -s $IPADDR $UNPRIVPORTS \
 #  #  #           -d $ANYWHERE 22 -j ACCEPT
 #  #  #  
 #  #  #  ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp ! -y \
 #  #  #           -s $ANYWHERE 22 \
 #  #  #           -d $IPADDR $UNPRIVPORTS -j ACCEPT
 #  #  #  
 #  #  #  ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
 #  #  #           -s $IPADDR $SSH_PORTS \
 #  #  #           -d $ANYWHERE 22 -j ACCEPT
 #  #  #  
 #  #  #  ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp ! -y \
 #  #  #           -s $ANYWHERE 22 \
 #  #  #           -d $IPADDR $SSH_PORTS -j ACCEPT 
 #  #  #  
 # SSH (22) - Allowing Remote Client Access to Your Local SSH Server
 # -----------------------------------------------------------------
 
 ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp \
          -s $ANYWHERE $UNPRIVPORTS \
          -d $IPADDR 22 -j ACCEPT
 
 ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
          -s $IPADDR 22 \
          -d $ANYWHERE $UNPRIVPORTS -j ACCEPT
 
 ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp \
          -s $ANYWHERE $SSH_PORTS \
          -d $IPADDR 22 -j ACCEPT
 
 ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
          -s $IPADDR 22 \
          -d $ANYWHERE $SSH_PORTS -j ACCEPT 
 
 # --------------------------------------------------------------------
 
 # FTP (20, 21) - Allowing Outgoing Client Access to Remote FTP Servers
 # --------------------------------------------------------------------
 
 # outgoing request
 
 ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
          -s $IPADDR $UNPRIVPORTS \
          -d $ANYWHERE 21 -j ACCEPT
 
 ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
          -s $ANYWHERE 21 \
          -d $IPADDR $UNPRIVPORTS -j ACCEPT
 
 # Normal Port Mode FTP Data Channels
 # DANGER WILL ROBINSON, DANGER WILL ROBINSON (a.k.a. Bill Mumy)
 # NORMAL PORT MODE DOES NOT WORK FROM THE INTERNAL (PRIVATE)
 # NETWORK, BUT IT DOES WORK FROM THE FIREWALL MACHINE ITSELF
 # This requires all NATed FTP traffic to use passive mode (the default
 # in web browsers).
 
 ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp \
          -s $ANYWHERE 20 \
          -d $IPADDR $UNPRIVPORTS -j ACCEPT
 
 ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
          -s $IPADDR $UNPRIVPORTS \
          -d $ANYWHERE 20 -j ACCEPT
 
 # Passive Mode FTP Data Channels
 
 ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
          -s $IPADDR $UNPRIVPORTS \
          -d $ANYWHERE $UNPRIVPORTS -j ACCEPT
 
 ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp ! -y \
          -s $ANYWHERE $UNPRIVPORTS \
          -d $IPADDR $UNPRIVPORTS -j ACCEPT
 
 #  #  #  # PETAR'S MODIFICATIONS
 #  #  #  # NOT IMPLEMENTED
 #  #  #  # FTP (20, 21) - Allowing Incoming Access to Your Local FTP Server
 #  #  #  # ----------------------------------------------------------------
 #  #  #  
 #  #  #  # incoming request
 #  #  #  
 #  #  #  ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp \
 #  #  #           -s $ANYWHERE $UNPRIVPORTS \
 #  #  #           -d $IPADDR 21 -j ACCEPT
 #  #  #  
 #  #  #  ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
 #  #  #           -s $IPADDR 21 \
 #  #  #           -d $ANYWHERE $UNPRIVPORTS -j ACCEPT
 #  #  #  
 #  #  #  # Normal Port Mode FTP Data Channel Responses
 #  #  #  
 #  #  #  ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
 #  #  #           -s $IPADDR 20 \
 #  #  #           -d $ANYWHERE $UNPRIVPORTS -j ACCEPT
 #  #  #  
 #  #  #  ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp ! -y \
 #  #  #           -s $ANYWHERE $UNPRIVPORTS \
 #  #  #           -d $IPADDR 20 -j ACCEPT
 #  #  #  
 #  #  #  # Passive Mode FTP Data Channel Responses
 #  #  #  
 #  #  #  ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp \
 #  #  #           -s $ANYWHERE $UNPRIVPORTS \
 #  #  #           -d $IPADDR $UNPRIVPORTS -j ACCEPT
 #  #  #  
 #  #  #  ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
 #  #  #           -s $IPADDR $UNPRIVPORTS \
 #  #  #           -d $ANYWHERE $UNPRIVPORTS -j ACCEPT
 
 # --------------------------------------------------------------------
 
 # HTTP (80) - Accessing Remote Web Sites as a Client
 # --------------------------------------------------
 
 ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
          -s $IPADDR $UNPRIVPORTS \
          -d $ANYWHERE 80 -j ACCEPT
 
 ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
          -s $ANYWHERE 80 \
          -d $IPADDR $UNPRIVPORTS -j ACCEPT
 
 #  #  #  # PETAR'S MODIFICATIONS:
 #  #  #  # NOT IMPLEMENTED
 #  #  #  # HTTP (80) - Allowing Remote Access to a Local Web Server
 #  #  #  # --------------------------------------------------------
 #  #  #  
 #  #  #  ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp \
 #  #  #           -s $ANYWHERE $UNPRIVPORTS \
 #  #  #           -d $IPADDR 80 -j ACCEPT
 #  #  #  
 #  #  #  ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
 #  #  #           -s $IPADDR 80 \
 #  #  #           -d $ANYWHERE $UNPRIVPORTS -j ACCEPT
 
 # HTTPS (443) - Accessing Remote Web Sites Over SSL as a Client
 # -------------------------------------------------------------
 
 ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
          -s $IPADDR $UNPRIVPORTS \
          -d $ANYWHERE 443 -j ACCEPT
 
 ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
          -s $ANYWHERE 443 \
          -d $IPADDR $UNPRIVPORTS -j ACCEPT
 
 #  #  #  # PETAR'S MODIFICATIONS:
 #  #  #  # NOT IMPLEMENTED
 #  #  #  # HTTPS (443) - Allowing Remote Access to a Local SSL Web Server
 #  #  #  # --------------------------------------------------------------
 #  #  #  
 #  #  #  ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp \
 #  #  #           -s $ANYWHERE $UNPRIVPORTS \
 #  #  #           -d $IPADDR 443 -j ACCEPT
 #  #  #  
 #  #  #  ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
 #  #  #           -s $IPADDR 443 \
 #  #  #           -d $ANYWHERE $UNPRIVPORTS -j ACCEPT
 
 # --------------------------------------------------------------------
 
 # HTTP Proxy client (8008/8080)
 # -----------------------------
 
 ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
          -s $IPADDR $UNPRIVPORTS \
          -d $WEB_PROXY_SERVER $WEB_PROXY_PORT -j ACCEPT
 
 ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
          -s $WEB_PROXY_SERVER $WEB_PROXY_PORT \
          -d $IPADDR $UNPRIVPORTS -j ACCEPT
 
 # --------------------------------------------------------------------
 
 # FINGER (79) - Accessing Remote finger Servers as a Client
 # ---------------------------------------------------------
 
 ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
          -s $IPADDR $UNPRIVPORTS \
          -d $ANYWHERE 79 -j ACCEPT
 
 ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
          -s $ANYWHERE 79 \
          -d $IPADDR $UNPRIVPORTS -j ACCEPT
 
 #  #  #  # PETAR'S MODIFICATIONS:
 #  #  #  # NOT IMPLEMENTED
 #  #  #  # FINGER (79) - Allowing Remote Client Access to a Local finger Server
 #  #  #  # --------------------------------------------------------------------
 #  #  #  
 #  #  #  ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp \
 #  #  #           -s <my.finger.clients> $UNPRIVPORTS \
 #  #  #           -d $IPADDR 79 -j ACCEPT
 #  #  #  
 #  #  #  ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
 #  #  #           -s $IPADDR 79 \
 #  #  #           -d <my.finger.clients> $UNPRIVPORTS -j ACCEPT
 
 # --------------------------------------------------------------------
 
 # WHOIS client (43)
 # -----------------
 ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
          -s $IPADDR $UNPRIVPORTS \
          -d $ANYWHERE 43 -j ACCEPT
          
 ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
          -s $ANYWHERE 43 \
          -d $IPADDR $UNPRIVPORTS -j ACCEPT
 # --------------------------------------------------------------------
 
 # Gopher client (70)
 # ------------------
 
 ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
          -s $IPADDR $UNPRIVPORTS \
          -d $ANYWHERE 70 -j ACCEPT
          
 ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
          -s $ANYWHERE 70 \
          -d $IPADDR $UNPRIVPORTS -j ACCEPT
 
 # --------------------------------------------------------------------
 
 # WAIS client (210)
 # -----------------
 
 ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
          -s $IPADDR $UNPRIVPORTS \
          -d $ANYWHERE 210 -j ACCEPT
          
 ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
          -s $ANYWHERE 210 \
          -d $IPADDR $UNPRIVPORTS -j ACCEPT
 
 # --------------------------------------------------------------------
 # UDP accept only on selected ports
 
 # TRACEROUTE
 # traceroute usually uses -S 32769:65535 -D 33434:33523
 # -----------------------------------------------------
 
 # Enabling Outgoing traceroute Requests
 # -------------------------------------
 
 ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
          -s $IPADDR $TRACEROUTE_SRC_PORTS \
          -d $ANYWHERE $TRACEROUTE_DEST_PORTS -j ACCEPT
 
 # incoming query from the ISP.
 # All others are denied by default.
 # ---------------------------------
 
 ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
          -s $MY_ISP 32769:65535 \
          -d $IPADDR 33434:33523 -j ACCEPT
 
 # --------------------------------------------------------------------
 
 #  #  #  # PETAR'S MODIFICATIONS:
 #  #  #  # NOT IMPLEMENTED
 #  #  #  # NTP (123) - Accessing Remote Network Time Servers
 #  #  #  # -------------------------------------------------
 #  #  #  
 #  #  #  ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
 #  #  #           -s $IPADDR $UNPRIVPORTS \
 #  #  #           -d <my.time.provider> 123 -j ACCEPT
 #  #  #
 #  #  #  # REPLACE <my.time.provider> WITH IP ADDRESS OF 
 #  #  #  # <my.time.provider>
 #  #  #           
 #  #  #  ipchains -A input  -i $EXTERNAL_INTERFACE -p udp \
 #  #  #           -s <my.time.provider> 123 \
 #  #  #           -d $IPADDR $UNPRIVPORTS -j ACCEPT
 #  #  #  
 #  #  #  ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
 #  #  #           -s $IPADDR 123 \
 #  #  #           -d <my.time.provider> 123 -j ACCEPT
 #  #  #           
 #  #  #  ipchains -A input  -i $EXTERNAL_INTERFACE -p udp \
 #  #  #           -s <my.time.provider> 123 \
 #  #  #           -d $IPADDR 123 -j ACCEPT
 
 # --------------------------------------------------------------------
 # Unlimited traffic within the local network.
 
 # All internal machines have access to the firewall machine.
 # Change this to restrict specific LAN clients
 
 ipchains -A input  -i $LAN_INTERFACE_1 \
          -s $LAN_1 -j ACCEPT
 
 ipchains -A output -i $LAN_INTERFACE_1 \
          -d $LAN_1 -j ACCEPT
 
 # --------------------------------------------------------------------
 # Masquerade internal traffic.
 
 # This allows packet forwarding
 echo 1 > /proc/sys/net/ipv4/ip_forward 
 
 # All internal traffic is masqueraded externally.
 # Change this to restrict specific LAN clients,
 # e.g. if a user is using ICQ to transfer gigabytes of MP3s you could cut
 # out the ICQ traffic (which is not allowed at the moment anyway).
 
 ipchains -A forward -i $EXTERNAL_INTERFACE -s $LAN_1 -j MASQ
 
 # --------------------------------------------------------------------
 
 # This is one of the functions provided in /etc/rc.d/init.d/functions;
 # it prints a nice green [OK] when the firewall script has reached this point.
 
 success "firewall startup"
 
 echo
 
 exit 0
 

(C) 2001 Petar Knezevich

Disclaimer

Every attempt has been made to ensure that the information presented in this mini-HOWTO is safe and accurate. However, this information is given without any warranty, either expressed or implied, as to its suitability for a particular use. It is generally considered a GoodThing(TM) to make backups of your system files before changing system configurations and/or files. I suggest you take this precaution "just in case".