
10. Advanced firewall rule sets including IP Masquerade for single and multi-NIC setups

10.1 What is a packet firewall

If you are unfamiliar with how TCP/IP packet filters work, the following should give you a decent start. If you don't understand what is described below, you should probably do a little research on how TCP/IP works first.

Think of an IPCHAINS or IPFWADM rule set like the following:

10.2 How a packet firewall works

So, let's explain how a packet firewall works with an example:

Say you have a TELNET packet (port 23) from the Internet that wants to reach your Linux box.

  1. The TELNET packet is sent from the remote computer on the Internet

  2. The packet is received on PORT 23 and hits the INPUT rule on the -External NIC card-.

  3. If the TELNET packet is matched on the INPUT to allow the packet through:

    FYI: Some ideas of possible packet firewall rules can include:

    Then let the packet IN through the packet firewall. If not matched, the packet is either REJECTED or DENIED. You can also log the fact that this packet was killed.

  4. If passed, the TELNET packet then goes to the TELNET daemon on the Linux box to be processed.

    Once the reply TELNET traffic is generated, the actual return traffic will be returned on a HIGH PORT ( port > 1024 ) and NOT on port 23.

    If you don't understand this, please read up on TCP/IP fundamentals since this discussion is out of the scope of TrinityOS.

    For this example, let's say the return TELNET traffic is on port 3200. Now, this return port 3200 traffic is then sent to the OUTPUT filter of the EXTERNAL NIC card.

  5. If the packet is matched to allow the packet OUT, then let through. (like #3 above ). If not matched, its either REJECTED or DENIED. You can also log the fact that this packet was killed.

  6. Next, if the packet is on a DIFFERENT network than the destination address, the packet needs to be "forwarded". If the rule matches, forward the packet onto the correct network. If not matched, it's either REJECTED or DENIED. You can also log the fact that this packet was killed.

    NOTE: This is what a "router" does on a basic level.

  7. If finally passed, the HIGH PORT packet leaves the Linux box to go over the Internet connection destined to that remote computer.

                                     +-------------------------------+
                                     |      Linux TCP/IP stack       |
                                     |_______________________________|
                                     |     (3) Telnetd Server        |
                           {PORT 23} |_______________________________| (Port 3200)
                           (2)  +--->| Input:    Forward:   Output:  |-------------+ (4)
                                |    +-------------------------------+             |
                                |                                                  |
                                |                                                  |
               +------------+   |                                 +------------+   |    
               | Input      |   |                                 | Output     |<--+
               |  Rule      |   |                                 |  Rule      |   ^
    {PORT 23}  |            |   |                                 |            |   |
  (1)  +-IN--->|  P a s s ? |---+                  +--------------|  P a s s ? |   |
       |       |     or     |                      |              |     or     |   |
       ^       |Deny/Reject?|                      |      (5)     |Deny/Reject?|   |
    ---------  +------------+                      |              +------+-----+   |
     *Send*          |                             |                     |         |
    ---------        v                      Check if packet              v         |
    Remote       Dump Packet       No +---- needs to be            Dump Packet     |
    Internet   (possibly log it)      |     forwarded           (possibly log it)  |
    site                              |            |                               |
    ---------                         |    (6)     | Yes                           |
    *Received*                        |            |                               |
    ---------                         |            v                               |
        ^                             |    +--------------+        +---------------^------+
        |         {PORT 3200}         |    | Forward      |        | Write the packet for |
    (7) +-----------------------------+    |   Rule       |        |  the destination     |
                                           |              |        |  network address     |
                                           |              |        |                      |
                        Dump Packet <------|Don't Forward?|        | Possibly re-write the|
                     (possibly log it)     |              |        |SRC addresses for MASQ|
                                           |   Forward?   |        +----------------------+
                                           |      or      |                       ^
                                           |FWD & MASQ it |-----------------------+
                                           +--------------+

10.3 How IP Masquerade (IP MASQ) works:

Basically, IP MASQ's main mechanism works when an INTERNAL machine initiates traffic to the outside world. External machines on the Internet CAN directly communicate with internal machine(s) with the aid of PORTFWing, but this is better explained in the IP Masquerade HOWTO. PORTFW support IS included in the TrinityOS firewall ruleset but for a full explanation, again, please see the IP Masquerade HOWTO.

Anyway, consider what happens when an internal machine initiates a connection (for now, in the diagram above, think of the "Remote Internet Site" on the left as your internal machine; if the diagram confuses you, just skip it and read through this example).


1. Say the internal machine tries to TELNET to some server out on the Internet.
   For this explicit example, the addresses and ports are:

        Source          src IP:    192.160.0.10
                        src port:  3200
                        dst port:  23

        Linux :         src IP:    111.222.212.222 
        External        src port:  64000
                        dst port:  23

        Destination:    dest IP:   222.020.222.111
                        dst port:  23

2. The MASQ server receives this request from the MASQed PC over the Internal 
   interface and it hits the Input firewall.  Here, the input firewall can 
   either accept the packet or deny it.  For this example, assume it will be 
   ACCEPTed.

3. Now, if the packet was also allowed through the OUTPUT firewall, the 
   TELNET would be finally forwarded through the MASQ server unchanged 
   except...

3M. Notice that the source IP address (SRC IP) of the TELNET packet is a private
    RFC1918 address?  These addresses aren't routable on the Internet so it must
    be changed to a public address.  To be able to track this change, the SRC
    port will be changed as well.

   The changes in IP address and port number are IP MASQ in action!  What MASQ 
   basically does is RECORD the traffic type (for this example, 23, TELNET), 
   where the traffic is going (DST IP address, 222.020.222.111) and the 
   original SRC port (SRC port 3200) from the MASQed client.  It takes all 
   this information and puts it into a MASQUERADE table.  

   It then re-sends this TELNET traffic out on its EXTERNAL NIC but it
   also alters the packet.  It both re-addresses the Source IP address 
   (SRC IP) with the MASQ server's own external IP address and changes the 
   source port (SRC port) to something in the range of 61000-64096.  So, the 
   packet would now look something like:

        Source:       SRC IP:   111.222.212.222 
                      SRC port: 64000

        Destination:  DST IP:   222.020.222.111
                      DST port: 23


4. When the response comes back from that remote TELNET server, the Linux 
   MASQ server will recognise this traffic as coming back from a server 
   that is in the MASQ table.  It then takes the packet and first verifies 
   that it should be allowed through the INPUT section of the firewall.  
   Next, it replaces the destination IP address (DST IP) with the 
   correct FINAL IP address of the original internal TELNET client and also
   changes the destination port back to the client's original port, 3200.


   The returning packet now looks like:


        Source:       SRC IP:   222.020.222.111
                      SRC port: 23

        Destination:  DST IP:   192.160.0.10
                      DST port: 3200


Get it?


If you want another explanation of how MASQ works, I wrote a semi-comprehensive 
article about it in the August 1999 issue of Linux Magazine.  You can get an 
online version of it at:

        http://www.linux-mag.com/1999-08/guru_01.html
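As an added illustration (not TrinityOS code and not from the article above), here is a small Python model of the MASQUERADE table described in steps 3M and 4. It assumes the external address, remote server and 61000-64096 port range from the walk-through, masquerades the 192.168.0.0/24 network that the simple rc.firewall later in this section hands to MASQ, and uses 192.168.0.10 as a constructed client address.

```python
import ipaddress
from dataclasses import dataclass, replace

# Values from the walk-through in this section.  The client lives in the
# 192.168.0.0/24 network that the simple rc.firewall masquerades; the
# 192.168.0.10 client address itself is constructed for this example.
EXTERNAL_IP = "111.222.212.222"                      # MASQ server's public address
MASQ_NET = ipaddress.ip_network("192.168.0.0/24")   # "-s 192.168.0.0/24 -j MASQ"
MASQ_PORTS = range(61000, 64096 + 1)                 # rewritten source-port range


@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class MasqTable:
    """Minimal model of the kernel MASQUERADE table (step 3M)."""

    def __init__(self, external_ip=EXTERNAL_IP, masq_net=MASQ_NET):
        self.external_ip = external_ip
        self.masq_net = masq_net
        # masq port -> (proto, client ip, client port, server ip, server port)
        self.entries = {}
        self._cursor = MASQ_PORTS.start

    def _allocate_port(self):
        # Walk the 61000-64096 range looking for a masq port not in use.
        for _ in MASQ_PORTS:
            port = self._cursor
            self._cursor = port + 1 if port + 1 in MASQ_PORTS else MASQ_PORTS.start
            if port not in self.entries:
                return port
        raise RuntimeError("MASQ port range exhausted")

    def _existing_port(self, flow):
        for port, entry in self.entries.items():
            if entry == flow:
                return port
        return None

    def forward_out(self, pkt):
        """Step 3/3M: a packet from the internal NIC heading for the Internet.

        Returns the rewritten packet, or the packet unchanged when the MASQ
        rule does not match its source network."""
        if ipaddress.ip_address(pkt.src_ip) not in self.masq_net:
            return pkt
        flow = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self._existing_port(flow)          # same flow keeps its masq port
        if port is None:
            port = self._allocate_port()
            self.entries[port] = flow
        return replace(pkt, src_ip=self.external_ip, src_port=port)

    def reply_in(self, pkt):
        """Step 4: a reply arriving on the external NIC.

        Returns the de-masqueraded packet for the internal client, or None when
        nothing in the table matches, which is why unsolicited traffic aimed at
        the masq port range has nowhere to go."""
        entry = self.entries.get(pkt.dst_port)
        if entry is None or pkt.dst_ip != self.external_ip:
            return None
        proto, client_ip, client_port, server_ip, server_port = entry
        if (pkt.proto, pkt.src_ip, pkt.src_port) != (proto, server_ip, server_port):
            return None                            # not from the recorded server
        return replace(pkt, dst_ip=client_ip, dst_port=client_port)


def walk_through():
    """Replay the TELNET example: client :3200 -> 222.020.222.111:23 and back."""
    table = MasqTable()
    out = table.forward_out(Packet("tcp", "192.168.0.10", 3200, "222.020.222.111", 23))
    back = table.reply_in(Packet("tcp", "222.020.222.111", 23, out.src_ip, out.src_port))
    # A constructed packet from some other host aimed at the same masq port.
    stray = table.reply_in(Packet("tcp", "198.51.100.7", 23, EXTERNAL_IP, out.src_port))
    return out, back, stray


if __name__ == "__main__":
    for label, pkt in zip(("outbound", "reply", "stray"), walk_through()):
        print(f"{label:8s} {pkt}")
```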

10.4 Differences between Packet and Stateful Firewalls

Now, I want to quickly comment on the use of HIGH TCP/IP ports and on the difference between a PACKET firewall and a STATEFULLY INSPECTED firewall. Though you might let port 23 OUT of your Linux box (TELNET), if you don't also allow ports 1024-65535 back INTO your Linux box, TELNET won't work.

Now you might be thinking that letting in ALL high ports back into your Linux box is a BAD thing. You know what? YOU'RE RIGHT!

Realistically, it would be nice to allow in only the return HIGH ports that you need. This is what the "-k" option in IPFWADM or the "! -y" option in IPCHAINS is for. The problem is, IPFWADM and IPCHAINS aren't smart enough yet to understand all TCP/IP programs such as TELNET, WWW, SSH, etc. So, for some programs you can lock down the high ports with the "-k" or "! -y" options, while other programs will have to be configured to allow all 1024-65535 ports in.

Bummer huh? So your next question should be "Do other firewalls have this problem?" NO! Why? Because they use a technology called "Stateful Inspection".

Stateful firewalls actually listen to ALL network traffic step-by-step to make sure that everything is going 100% correctly.

Analogy:

Packet firewall: A packet firewall only checks source and destination IP addresses and port numbers. Kinda like a strainer for different colored marbles (if one exists).

Stateful Firewall: A stateful firewall not only checks source and destination IP addresses and port numbers, but it also LISTENS to all TCP/IP communications to make sure that all of the "communications" are following all procedures. Think of it as a realtime grammar and spell checker for "languages" like TELNET, WWW, etc. Hackers try to re-write the "language" to try to break into it, crash it, etc. A stateful firewall will see a given TCP/IP connection running a "language" like TELNET doing weird stuff that it shouldn't be doing and then it simply drops that weird packet. Much better huh?

So your next question should be: "I want a statefully inspected firewall for Linux and NOT a packet firewall. Where do I get one?!?!"

Well.. it now exists in IPTABLES under the 2.4.x kernels. This is a huge step for Linux. Unfortunately, if you also need to use IP Masquerading (NAT), the MASQ support for some protocols under the 2.4.x kernel isn't on par with the 2.2.x kernel set. If you don't use IPMASQ, then IPTABLES is a great solution. It should also be noted that non-IPMASQ users can still use their IPCHAINS rulesets under 2.4.x kernels with the aid of the ipchains.o kernel module.

For now, TrinityOS only covers IPCHAINS and an older IPFWADM ruleset. An IPTABLES ruleset is under development but is a slow project as it is an entire rewrite and will offer far more features.
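An added example (not from TrinityOS) that models the two policies this section contrasts: an INPUT rule in the packet-filter style that admits high-port TCP traffic unless it is a connection-opening SYN (the "! -y" / "-k" idea), beside a small stateful filter that only admits packets matching a connection it saw this box open. The addresses are constructed; 111.222.212.222 is the Linux box from the MASQ walk-through.

```python
from dataclasses import dataclass

OUR_IP = "111.222.212.222"   # the Linux box, as in the MASQ walk-through (constructed)


@dataclass(frozen=True)
class TcpPacket:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False
    ack: bool = False


def packet_filter_in(pkt):
    """Packet-filter INPUT rule for return traffic: admit TCP to our high ports
    as long as the packet is not a connection-opening SYN (ipchains "! -y",
    ipfwadm "-k").  The rule has no memory, so any other packet aimed at a
    high port gets in, which is exactly the problem the text describes."""
    opening_syn = pkt.syn and not pkt.ack
    return pkt.dst_ip == OUR_IP and pkt.dst_port >= 1024 and not opening_syn


class StatefulFilter:
    """Remembers each TCP connection this box opens and admits only inbound
    packets that are the next legal step of that connection's handshake."""

    def __init__(self):
        self.conns = {}   # (our ip, our port, peer ip, peer port) -> state

    def outbound(self, pkt):
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if pkt.syn and not pkt.ack:
            self.conns[key] = "SYN_SENT"           # we are opening a connection
        elif self.conns.get(key) == "SYN_ACK_SEEN" and pkt.ack:
            self.conns[key] = "ESTABLISHED"        # our ACK completes the handshake
        return True   # outbound policy is not what this example is about

    def inbound(self, pkt):
        key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        state = self.conns.get(key)
        if state is None:
            return False                           # no connection asked for this
        if state == "SYN_SENT":
            if pkt.syn and pkt.ack:
                self.conns[key] = "SYN_ACK_SEEN"   # the one reply we expect now
                return True
            return False                           # anything else is out of order
        return pkt.ack and not pkt.syn             # data or ACKs once open


def compare():
    """Constructed scenario: our TELNET client (port 3200) opens a session to
    222.020.222.111:23; later an unrelated host fires a bare ACK at port 3200."""
    stateful = StatefulFilter()
    server, other = "222.020.222.111", "198.51.100.7"
    stateful.outbound(TcpPacket(OUR_IP, 3200, server, 23, syn=True))
    syn_ack = TcpPacket(server, 23, OUR_IP, 3200, syn=True, ack=True)
    stray_ack = TcpPacket(other, 23, OUR_IP, 3200, ack=True)
    return {
        "reply": (packet_filter_in(syn_ack), stateful.inbound(syn_ack)),
        "stray": (packet_filter_in(stray_ack), stateful.inbound(stray_ack)),
    }


if __name__ == "__main__":
    for name, (packet_ok, stateful_ok) in compare().items():
        print(f"{name}: packet filter={packet_ok}  stateful={stateful_ok}")
```

The legitimate SYN/ACK passes both filters; the stray ACK passes the memoryless packet filter but not the stateful one, which is the gap the "1024-65535 back IN" rule leaves open.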

10.5 Debugging / Monitoring your firewall with examples

Once you set up one of the firewalls shown below, you might have some problems getting it running, or you might be getting strange new messages on the console. What do these messages mean?

In the below rule sets, any lines that either DENY or REJECT any traffic also have a "-o" to LOG this firewall hit to the SYSLOG messages file, which is found in:

        Redhat:    /var/log
        Slackware: /var/adm

If you look at one of these firewall logs, you will see the kernel log the hit looking something like:

        IPCHAINS:
        Packet log: input DENY eth0 PROTO=17 12.75.147.174:1633 100.200.0.212:23 
          L=44 S=0x00 I=54054 F=0x0040 T=254

        IPFWADM:
        Feb 23 07:37:01 Roadrunner kernel: IP fw-in rej eth0 TCP 12.75.147.174:1633 
           100.200.0.212:23 L=44 S=0x00 I=54054 F=0x0040 T=254

There is a LOT of information in just this one line. Let's break out this example; refer back to the original firewall hit as you read this. Please note that this example is for IPFWADM though it is DIRECTLY readable for IPCHAINS users.

NOTE: To understand all the various port numbers, protocol numbers, etc., I recommend you go to the TOP URL in Section 5, get all of the various documents from the IANA and put them in /etc/iana.

        - This firewall "hit" occurred on: "Feb 23 07:37:01"

        - This hit was on the "RoadRunner" computer.

        - This hit occurred on the "IP" or TCP/IP protocol

        - This hit came IN to ("fw-in") the firewall
                * Other logs can say "fw-out" for OUT or "fw-fwd" for FORWARD

        - This hit was then "rejECTED".  
                * Other logs can say "deny" or "accept"

        - This firewall hit was on the "eth0" interface (Internet link)

        - This hit was a "TCP" packet 

        - This hit came from IP address "12.75.147.174" on return port "1633".  

        - This hit was addressed to "100.200.0.212" to port "23" or TELNET.
                * If you don't know that port 23 is for TELNET, look at your 
                         /etc/services file to see what other ports are used for.

        - This packet was "44" bytes long

        - This packet did NOT have any "Type of Service" (TOS) set 
                --Don't worry if you don't understand this; not required to know
                * divide this by 4 to get the Type of Service for ipchains users

        - This packet had the "IP ID" number of "18"
                --Don't worry if you don't understand this; not required to know

        - This packet had a 16bit fragment offset including any TCP/IP packet 
          flags of "0x0000"
                --Don't worry if you don't understand this; not required to know
                * A value that starts with "0x2..." or "0x3..." means the "More
                  Fragments" bit was set, so more fragmented packets will be coming in
                  to complete this one BIG packet.
                * A value that starts with "0x4..." or "0x5..." means that the 
                  "Don't Fragment" bit is set.  
                * Any other value is the Fragment offset (divided by 8) to be later 
                  used to recombine into the original LARGE packet

        - This packet had a TimeToLive (TTL) of 20.   
                * Every hop over the Internet will subtract (1) from this number.  Usually,
                  packets will start with a number of (255) and if that number ever reaches 
                  (0), it means that realistically the packet was lost and will be deleted.  
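To make the breakdown above mechanical, here is an added Python parser (not part of TrinityOS) for both log formats shown in this section. It decodes the F= field the way the text describes (0x2/0x3 = More Fragments, 0x4/0x5 = Don't Fragment, the remainder is the offset in units of 8) and maps PROTO= numbers through a constructed subset of /etc/protocols; the sample lines are the two hits above joined back onto single lines as syslog writes them, plus two constructed lines.

```python
import re
from dataclasses import dataclass
from typing import Optional

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}          # constructed subset of /etc/protocols
CHAIN_NAMES = {"in": "input", "out": "output", "fwd": "forward"}  # ipfwadm -> ipchains words

# Optional syslog prefix: "Feb 23 07:37:01 Roadrunner kernel: "
SYSLOG_RE = re.compile(r"^(?P<stamp>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: ")
# Tail both kernels print: L=length S=tos I=ipid F=fragment T=ttl
_TAIL = (r" L=(?P<length>\d+) S=(?P<tos>0x[0-9A-Fa-f]+) I=(?P<ipid>\d+)"
         r" F=(?P<frag>0x[0-9A-Fa-f]+) T=(?P<ttl>\d+)")
IPCHAINS_RE = re.compile(
    r"Packet log: (?P<chain>\w+) (?P<action>\w+) (?P<iface>\S+) PROTO=(?P<proto>\d+)"
    r" (?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)" + _TAIL)
IPFWADM_RE = re.compile(
    r"IP fw-(?P<chain>\w+) (?P<action>\w+) (?P<iface>\S+) (?P<proto>[A-Z]+)"
    r" (?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)" + _TAIL)

# Constructed sample log: the two hits shown above (each on one line) plus an
# ACCEPT line and an unrelated kernel message that the parser must ignore.
SAMPLE_LOG = [
    "Feb 23 07:37:01 Roadrunner kernel: Packet log: input DENY eth0 PROTO=17 "
    "12.75.147.174:1633 100.200.0.212:23 L=44 S=0x00 I=54054 F=0x0040 T=254",
    "Feb 23 07:37:01 Roadrunner kernel: IP fw-in rej eth0 TCP 12.75.147.174:1633 "
    "100.200.0.212:23 L=44 S=0x00 I=54054 F=0x0040 T=254",
    "Feb 23 07:38:10 Roadrunner kernel: Packet log: output ACCEPT eth0 PROTO=6 "
    "100.200.0.212:1025 203.0.113.5:80 L=60 S=0x10 I=7 F=0x4000 T=64",
    "Feb 23 07:38:11 Roadrunner kernel: eth0: link up",
]


@dataclass
class FirewallHit:
    tool: str                # "ipchains" or "ipfwadm"
    stamp: Optional[str]
    host: Optional[str]
    chain: str               # input / output / forward
    action: str              # DENY, REJECT, ACCEPT (ipchains) or deny, rej, acc (ipfwadm)
    iface: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    length: int
    tos: int
    ipid: int
    dont_fragment: bool
    more_fragments: bool
    frag_offset: int         # in bytes (the logged value counts 8-byte units)
    ttl: int

    def dropped(self):
        return self.action.lower() in ("deny", "reject", "rej")


def parse_hit(line):
    """Turn one syslog line into a FirewallHit, or None if it is not a firewall log."""
    stamp = host = None
    m = SYSLOG_RE.match(line)
    if m:
        stamp, host = m.group("stamp"), m.group("host")
        line = line[m.end():]
    if (m := IPCHAINS_RE.search(line)):
        tool, chain = "ipchains", m.group("chain")
        proto = PROTO_NAMES.get(int(m.group("proto")), m.group("proto"))
    elif (m := IPFWADM_RE.search(line)):
        tool, chain = "ipfwadm", CHAIN_NAMES.get(m.group("chain"), m.group("chain"))
        proto = m.group("proto")
    else:
        return None
    frag = int(m.group("frag"), 16)
    return FirewallHit(
        tool, stamp, host, chain, m.group("action"), m.group("iface"), proto,
        m.group("src"), int(m.group("sport")), m.group("dst"), int(m.group("dport")),
        int(m.group("length")), int(m.group("tos"), 16), int(m.group("ipid")),
        bool(frag & 0x4000), bool(frag & 0x2000), (frag & 0x1FFF) * 8,
        int(m.group("ttl")))


def dropped_hits(lines):
    """The hits an admin wants to see first: everything DENYed or REJECTed."""
    hits = (parse_hit(line) for line in lines)
    return [h for h in hits if h is not None and h.dropped()]


if __name__ == "__main__":
    for h in dropped_hits(SAMPLE_LOG):
        print(f"{h.stamp} {h.host}: {h.chain} {h.action} on {h.iface} "
              f"{h.proto} {h.src}:{h.sport} -> {h.dst}:{h.dport} ttl={h.ttl}")
```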

So, with that basic understanding, let's get either your MASQing or NON-MASQing network up!

        ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
        ++                                                                              ++
        ++  NOTE:  TrinityOS covers both IPCHAINS and IPFWADM firewall rule sets.       ++
        ++         --------------------------------------------------------------       ++
        ++                                                                              ++
        ++         ** Please note that the IPCHAINS ruleset is VASTLY more secure and   ++
        ++         powerful when compared to the IPFWADM ruleset.  Due to the           ++
        ++         power and maintenance of IPCHAINS compared to IPFWADM, I recommend   ++
        ++         that any user who MUST run a 2.0.x kernel patch their kernel to      ++
        ++         support IPCHAINS and use this newer ruleset.                         ++
        ++                                                                              ++
        ++         In the future, I will be replacing ALL rule sets with a modular      ++
        ++         system so all Secured IPs will be configured via a separate file.    ++
        ++         This will let users update their main firewall rule sets to newer    ++
        ++         versions without ANY manual customization for their environment.     ++
        ++                                                                              ++
        ++         This new system is already designed but I need to finish it up.      ++
        ++                                                                              ++
        ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

- First, you need to make sure you have either the "ipchains" or "ipfwadm" firewall program. To check, run the command "whereis ipfwadm" or "whereis ipchains". If it's there, you're set. If not, download it from the URL in Section 5.

* VERY IMPORTANT:

- Next, create the file /etc/rc.d/rc.firewall

Slackware Users: DELETE the module info in the following IPFWADM rule set and put it in the /etc/rc.d/rc.modules file instead

- NOTE: If you don't plan to use some of these modules, comment or un-comment the various lines (I've already commented out cuseeme, irc, quake, and vdolive).

Edit the following file to use the proper configuration below depending on whether you are running a 2.2.x+ kernel (IPCHAINS) or a <2.0.x kernel (IPFWADM).

10.6 Simple IPCHAINS / IPFWADM rule set for initial IPMASQ testing

All of TrinityOS's step-by-step instructions, files, and scripts are fully scripted out for an automatic installation at:

http://www.ecst.csuchico.edu/~dranch/LINUX/TrinityOS-security/TrinityOS-security.tar.gz

The simple (WEAK) firewall rule set for IPCHAINS or IPFWADM:


--
#!/bin/sh

# Simple firewall rule set for both IPCHAINS and IPFWADM
# v3.00

echo "Enabling IP MASQ, MASQ timeouts, MASQ modules and simple firewalling"

#Load the MASQ modules
        #BSDComp
        /sbin/modprobe bsd_comp
        #
        echo Loading MASQ modules
        #/sbin/modprobe ip_masq_cuseeme
        /sbin/modprobe ip_masq_ftp
        #/sbin/modprobe ip_masq_irc
        #/sbin/modprobe ip_masq_quake
        #/sbin/modprobe ip_masq_vdolive
                
        # NOTE:  Though Real Audio will work without this module, the data
        #               will be coming in TCP mode vs. UDP mode.  With this
        #               module, you can enable UDP mode and possibly clean up
        #               any "glitches" in the sound stream
        /sbin/modprobe ip_masq_raudio   

# Finished with MASQ modules

#   Multicast is a powerful, yet seldom used aspect of TCP/IP for multimedia
#       data.  Though it isn't used much now (because most ISPs don't enable
#       multicast on their networks), it will be very common in a few more 
#       years.  Check out www.mbone.com for more detail.
#
#       NOTE:  Adding this feature is OPTIONAL
#
echo "Adding multicast route.."
/sbin/route add -net 224.0.0.0 netmask 240.0.0.0 dev eth0

echo "Enabling IP Masquerading.."
echo "1" > /proc/sys/net/ipv4/ip_forward

        #Note:  Redhat users can enable this also by turning the
        #         flag forward flag on in /etc/sysconfig/network
        #
        #               Change the forward line to 
        #                       FORWARD_IPV4=true
        

#--------------------------------------------------------------------------
# NOTE:  The following simple IPFWADM and IPCHAINS rule set is purely to 
#            *test* IP MASQ functionality.  
#
#               Though this rule set will work for 
#               ALL users, it WILL NOT give you any good protection from lusers 
#               (security crackers, etc) out on the Internet.  Trust me, now that 
#               you are using a UNIX box, you need all the protection you can get!
#               Once you can confirm that is MASQ working properly, I *HIGHLY* 
#               recommend that you -delete- this simple rc.firewall script and 
#               replace it with the strong IPCHAINS or IPFWADM rule sets shown 
#               later in this section!
#---------------------------------------------------------------------

#2.2.x+ kernels with IPCHAINS ONLY
#
echo "  - Setting Policies: IN/OUT is ACCEPT; FWD is reject (poor security; great functionality)"
/sbin/ipchains -P input ACCEPT
/sbin/ipchains -P output ACCEPT
/sbin/ipchains -P forward REJECT

echo "  - Flushing any old rule sets"
/sbin/ipchains -F input
/sbin/ipchains -F output
/sbin/ipchains -F forward

# 2.0.x kernels and IPFWADM users ONLY
#
#echo "  - Setting Policies: IN/OUT is ACCEPT; FWD is reject (poor security; great functionality)"
#/sbin/ipfwadm -I -p accept
#/sbin/ipfwadm -O -p accept
#/sbin/ipfwadm -F -p reject

#echo "  - Flushing any old rule sets"
#/sbin/ipfwadm -I -f
#/sbin/ipfwadm -O -f
#/sbin/ipfwadm -F -f

echo "Extending MASQ timeouts.."
#   2 hrs timeout for TCP session timeouts
#  10 sec timeout for traffic after the TCP/IP "FIN" packet is received
#  60 sec timeout for UDP traffic (Important for MASQ'ed ICQ users)
#
# IPCHAINS
/sbin/ipchains -M -S 7200 10 60
#
# IPFWADM
#/sbin/ipfwadm -M -s 7200 10 60


echo "Enable IP Masq.."
#
#IPCHAINS
ipchains -A forward -s 192.168.0.0/24 -j MASQ
#
#IPFWADM
#/sbin/ipfwadm -F -a m -S 192.168.0.0/24 -D 0.0.0.0/0 -W eth0

echo "rc.firewall done."
--

Next, append this to the end of the "/etc/rc.d/rc.local" file

All distributions:


        --
        #Run the IP MASQ and firewall script
        /etc/rc.d/rc.firewall
        --

- Finally, make the rc.firewall file ROOT executable ONLY


        chmod 700 /etc/rc.d/rc.firewall

That's it. Go ahead and run the new ruleset by typing in /etc/rc.d/rc.firewall and make sure that the Linux box can still access the Internet both by IP address and DNS names. For Masquerade users, also make sure that INTERNAL masqed PCs can access the Internet by both methods. If things do NOT work for you, please see Section 5 of the IP Masquerade HOWTO at http://www.ecst.csuchico.edu/~dranch/LINUX/ipmasq/c-html/. This document will help you troubleshoot any issues.

Once you confirm that IP-MASQ works ok, it is *HIGHLY* recommended to replace the above WEAK rule sets with one of the below STRONG rule sets.


#############################################################################
# MASQ rc.firewall                                                          #
#                                                                           #
#  - There are -3- rule sets listed below:                                  #
#                                                                           #
#     1. Strong rc.firewall rule set for IPCHAINS w/ and w/o MASQ support   #
#        for single, dual, and even three NIC configurations.               #
#                                                                           #
#         ^^ This is currently the ONLY rule set that is maintained ^^      #
#                                                                           #
#     2. Strong rc.firewall rule set for IPFWADM w/ MASQ support            #
#                                                                           #
#     3. Strong rc.firewall rule set for IPFWADM w/o MASQ support for       #
#        single NIC Linux boxes.                                            #
#                                                                           #
#  - As mentioned above, once you have confirmed the initial MASQ           #
#    functionality works, you *SHOULD* either create your own strong        #
#    firewall rule set or use the following TrinityOS firewall rule set.    #
#                                                                           #
#############################################################################

*** If you aren't running MASQ, check out the other firewall rule set that follows after this one. ***

NOTE: You will have to edit this to allow machines you care about into your machine. All of this is well commented though.

NOTE #2: Even if you aren't running MASQ, you should modify these rule sets to suit your needs and APPLY them!!! You DO need some protection from the Internet!

------------------------------------------------------------------------------

All of TrinityOS's step-by-step instructions, files, and scripts are fully scripted out for an automatic installation at:

http://www.ecst.csuchico.edu/~dranch/LINUX/TrinityOS-security/TrinityOS-security.tar.gz

or you can just get the file here: http://www.ecst.csuchico.edu/~dranch/LINUX/TrinityOS-security/etc/rc.d/

It is HIGHLY recommended that you get the rc.firewall and the other TrinityOS scripts from the TrinityOS-Security archive (URL above) as it will help avoid typos, etc. *** Do NOT try to cut and paste the various scripts via a web browser into a text editor. If you do this, you will most likely find that the resulting scripts will have formatting errors (thus syntax errors) and also most likely every line will have ^M characters at the end of it which will abnormally terminate the script trying to be run.

-----------------------------------------------------------------------------


+------------------------------------------------------------------+
| rc.firewall for MASQ setups with a STRONG IPCHAINS RULE SET for  |
|                2.4.x, 2.2.x, and patched 2.0.x kernels           |
+------------------------------------------------------------------+

CRITICAL NOTE:

10.7 Strong TrinityOS IPCHAINS firewall rule set

/etc/rc.d/rc.firewall

<TrinityOS rule set START>


#!/bin/sh

# ------------------------------------------------------------------------------
FWVER="v4.21-123nic"
#
# Part of the copyrighted and trademarked TrinityOS document.
# http://www.ecst.csuchico.edu/~dranch/LINUX/index-linux.html
#
# Written and Maintained by David A. Ranch
# dranch at trinnet dot net
#
#    You may use this file for private or internal commercial use ONLY.
#
#    Any duplication and/or use of this file or its contents for direct 
#    commercial (commercial being for profit) applications and/or 
#    written publications (be it for profit OR free) must be granted 
#    by written permission from David Ranch.  Basically, just ASK me.. 
#    I'm a pretty easy going guy but DON'T assume anything.  Ok?
#
# Sorry for the harsh language here but the TrinityOS ruleset has been
#  taken advantage of recently.
#
# --
# Summary:
#
#    The TrinityOS ruleset is a comprehensive IPCHAINS ruleset that 
#    supports filtering for 1, 2, and 3 network interfaces.  This allows
#    for strong filtering for simple one interface PPP users, two interface 
#    MASQ users, and even three interface MASQ users with a DMZ segment.  In 
#    addition to all this, TrinityOS allows you to explicitly filter various
#    types of traffic including ICMP, known trojan horse traffic, etc.
#
#    NOTE:  The current 4.00 firewall version requires that the INTIF
#           (internal) interface be configured to then allow for the INT2IF 
#           (DMZ network) to function.  If there is enough requests, I can
#           rework the ruleset to let INTIF and INT2IF load independently.
#
# ------------------------------------------------------------------------------
#   You can get this file at:
#
# http://www.ecst.csuchico.edu/~dranch/LINUX/index-linux.html#trinityos
# ------------------------------------------------------------------------------
#
# Personal Changes:
#
#   Put any of your own version notes HERE.  It's a good idea to document
#   what you've changed.
#             
# ------------------------------------------------------------------------------
#
# TrinityOS Rule Set History:
#
# 04/16/05 - 4.21
#            - Updated the bogon list to reflect changed bogon listing and
#              added output Multicast and NFS traffic filters

# 01/29/03 - 4.20
#            - The INT2BROAD variable was missing for the DMZ configuration
#              but the proper setting was being automatically used regardless.
#
# 01/13/03 - 4.10
#            - The latter half of the OUTPUT section was using $UNIVERSE/0
#              instead of $UNIVERSE which was already set to 0.0.0.0/0.
#              This was a harmless typo and didn't hurt anything but was
#              incorrect
#
# 12/30/01 - 4.05
#            - Somehow ip_forward was getting set to "0" instead of "1"
#            - Added comments when a 2.4.x kernel is found that running
#              IPCHAINS emulation is NOT recommended due to poor MASQ
#              support.  It is recommended to run a native IPTABLES ruleset
#              under 2.4.x kernels.
#
# 12/01/01 - 4.03
#            - Added an echo statement to let things run if you don't use
#              DHCP
#            - Added filters for the SubSeven trojan
#            - Added comments to let people know that NOT having the
#              ip_dynaddr or ip_defrag option is ok
#           
# 11/09/01 - 4.02 
#          - Disabled external DNSd and SMTPd server options as per the 
#            default.
#          - Added comments and #ed out DHCPd for eth1 (input and output)
#          - split up the SSHd and DNSd enable/disable area for eth1
#          - #ed out SSHd and DNSd access (output) per the correct default
#
# 10/04/01 - 4.01f 
#          - added ipchains check for 2.4.x kernels
#          - make sure that dhcpc is really enabled by default
#          - Added a logger line to send final result to SYSLOG  
#
# 09/06/01 - v4.01
#          - Fixed some syntax issues with left/right parens
#          - replaced all the bash -n if..thens with string checks since
#            it seems that bash doesn't know what to do with non-initialized
#            vars
#          - ** check for all foo entries
#
# 09/03/01 - v4.00
#
#          - Changed the DMZ section to now allow full SSH connectivity between
#            the DMZ and internal NICs.
#          - Moved the INPUT DMZ-specific ALLOW/REJECT section to be below the
#            input SECUREHOST section 
#          - Updated and rearranged the debug logging section
#          - Added #ed out support for the H.323 IPMASQ module
#          - Added PPTP support for MASQed clients 
#
# 06/20/01 - v3.85
#          - The IPCHAINS ruleset now can support single interface machines
#            for those users who just want a firewall but aren't MASQing, etc.
#          - To enable this new feature, the INTIF variable (internal interface)
#            needs to be set but left EMPTY.  With this set, the other INTIF
#            sections will be disabled via IF..THEN checks.
#
# 03/20/01 - v3.83d-3NIC
#
# - Added 3rd NIC (eth2) for DMZ applications like 802.11b wireless networks 
#
#    eth0 = Internet                           [  public IP   ]
#    eth1 = internal trusted net               [ 192.168.0.x  ]
#    eth2 = DMZ wireless network (not trusted) [ 192.168.10.x ]
#
#           This DMZ interface can ONLY do the following globally
#               - DHCP, DNS, internet WWW, internet FTP
#               - SSH (to the internet and devices on the INT interface
#                 (eth1)
#               - ping machines on the Internet AND devices on eth1
#
#           This interface CANNOT
#               - accept FTP
#               - SSH any hosts on eth1 
#
#   The reason that I implemented this DMZ setup is for wireless networks.
#   Ultimately, the 802.11b WEP encryption spec is flawed and can be completely
#   sniffed within a matter of hours.  Because of this, you should ONLY allow
#   encrypted streams:  SSH, IPSEC, and maybe PPTP. 
#
# v3.83d - 03/06/01
#     - Fixed a typo (stray #) where the RFC1918 10.x.x.x network was 
#       NOT being filtered in the OUTPUT section
#       
# v3.83c - 01/27/01
#     - Fixed a wrong output netmask for NET-TEST-B being a /12 instead
#       of a /16.  But, this really doesn't matter as I have disabled
#       the filtering of reserved IP space as ARIN constantly is releasing
#       this address space to the public without any form of notification.
#       See the update for v3.83a
#
# v3.83b - 01/06/01
#     - Fixed a missing ".0" in the Reserved-7 filters for the 72.0.0
#       networks
#
# v3.83a - 11/09/00
#     - Deleted all non RFC1918 address filtering.  It seems that many of the 
#       addresses that the IANA reports as "reserved" are actually in use.
#
#     - Removed all rc.firewall history notes from v3.60 and older to 
#       the TrinityOS-old-updates.wri (URL is above)
#
# v3.82 - 10/28/00
#     - Updated the port range for Xwindows filtering
#
# v3.81 - 10/15/00
#     - Crap!  Last subnet error in the Reserved-8 IANA section.  Please
#       change the subnet mask on 68.0.0.0 to a /6!
#
# v3.80 - 10/13/00
#     - Updated the version since this really is a big update
#
# -----------------------------------------------------------------------------
# All changes older than version 3.80 have been moved to the archives available
#   at:
#
#       <"http://www.ecst.csuchico.edu/~dranch/LINUX/TrinityOS-old-updates.wri">
#------------------------------------------------------------------------------

#--------------------------------------------------------------------
# This configuration assumes the following (DSL / Cablemodem setup):
#
#       1) The external interface is running on "eth0"
#       2) The external IP address is dynamically or statically assigned
#       3) The optional internal interface is "eth1"
#       4) The internal network is addressed within the private 
#           192.168.0.x TCP/IP addressing scheme per RFC1918
#       5) The optional DMZ network is on eth2
#
#   ****
#   NOTE:  All 2.2.x Linux kernels prior to 2.2.16 have a TCP exploit that,
#   ****   when combined with tools like Sendmail, can lead to a ROOT
#          compromise.  In addition to this, all kernels older than 2.2.11 have 
#          a fragmentation bug that renders all strong IPCHAINS rule sets void.
#          It is CRITICAL that users upgrade the Linux kernel to at least a 
#          2.2.16+ kernel for proper firewall and system security.
#
#--------------------------------------------------------------------

#********************************************************************
# Initializing
#********************************************************************
echo -e "\n\nLoading TrinityOS IPCHAINS Firewall $FWVER"
echo "----------------------------------------------------------------------"

#--------------------------------------------------------------------
# Variables
#--------------------------------------------------------------------

# The loopback interface and address
#
LOOPBACKIF="lo"
LOOPBACKIP="127.0.0.1"

# External interface device.  
#
# NOTE: PPP and SLIP users will want to replace this interface
#       with the correct modem interface such as "ppp0" or "sl0"
#
#     For users that might have multiple PPP interfaces, you can
#         try the following code.  You will need to call the firewall
#         from /etc/ppp/ip-up script with a "$1" appended at the end.
#
#if [ "x$1" != "x" ]; then
#   EXTIF=$1
#else
#   EXTIF="ippp0"
#fi
#
EXTIF="eth0"

# Make sure the external interface is up.  "ifconfig" without arguments lists
# only configured interfaces, each starting at column 0 with its name.
if ! /sbin/ifconfig | grep -q "^$EXTIF"; then
  echo -e "\n\nExternal interface is DOWN.  Aborting."
  exit 1
fi
echo External Interface: $EXTIF

# IP address of the external interface
#
#   *
#   * If you get a DYNAMIC IP address (regardless if you use PPP 
#   * with a modem or DHCP with Ethernet), you *MUST* make this firewall 
#   * rule set understand your new IP address every time you get a new 
#   * IP address.  To do this, enable the following one-line script.
#   *
#
#   (Please note that the different single and double quote characters MATTER).
#
# NOTE: Red Hat v6.0 users who run DHCP to get TCP/IP addresses 
#       (Cablemodems, DSL, etc) will need to install and use a different 
#       DHCP client than the stock client called "pump".  Redhat 6.2+ 
#       comes with a newer version of "pump" that CAN run scripts upon 
#       lease bringup, renew, etc. but older versions are broken.
#
#       The reason for this whole issue is the old "pump" doesn't support the 
#       ability to run scripts run when DHCP gets an IP address.  
#       Specifically, DHCP doles out IP addresses to its clients for 
#       limited amounts of time; this is called a "lease".  
#       When a DHCP "lease" expires, the client will query the DHCP 
#       server for a "lease renewal".  Though the DHCP client will 
#       usually get back its original IP address in the renewal, this 
#       is NOT always guaranteed.  With this understood, if your DHCP 
#       client receives a different IP address than the IPCHAINS 
#       firewall was configured for, the firewall will block ALL 
#       network access in and out of the Linux server because that 
#       is what it was configured to do.
#
#       As mentioned above, the key to solve this problem is to use a 
#       DHCP client program, such as DHCPcd found in Section 5, that 
#       can re-run the /etc/rc.d/rc.firewall rule set once a new TCP/IP 
#       address is set.  The new rule set will then make the required 
#       changes to the rule sets to allow network traffic from and to 
#       your new TCP/IP address.
#
#       With the dhcpcd program, it will need to be executed with a 
#       specific command line option to have the firewall rule set 
#       re-run upon every DHCP lease renew (please note the -c syntax 
#       is deprecated in newer DHCPcd clients).  Please see the 
#       DHCPcd section in TrinityOS for full details on how to edit 
#       the /sbin/ifup file.
#
#
# Static TCP/IP addressed users: For EXTIP, EXTBROAD, and EXTGW, simply replace
# the backtick command substitutions with your correct TCP/IP address, broadcast
# address, and external gateway, respectively, enclosed in double quotes.
#
# e.g.:   EXTIP="100.200.0.212"
#
EXTIP=`/sbin/ifconfig $EXTIF | awk '/inet addr/ { gsub(".*:", "", $2) ; print $2 }'`

if [ "$EXTIP" = '' ]; then
   echo "Aborting: Unable to determine the IP of $EXTIF ... DHCP or PPP problem?"
   exit 1
fi

echo External IP: $EXTIP



# Broadcast address of the external network
#
# Static TCP/IP addressed users:  
#
# Replace the whole backtick expression below (backticks included) with
# your correct broadcast address enclosed in double quotes.
#
# e.g.:   EXTBROAD="100.200.0.255"
#
# NOTE: On a point-to-point link (ppp0, sl0) ifconfig prints "P-t-P:<peer>"
#       in the field where "Bcast:" appears for Ethernet, so the one-liner
#       below would return the peer address; PPP users should set EXTBROAD
#       by hand.
#
EXTBROAD=`/sbin/ifconfig $EXTIF | awk '/inet addr/ { gsub(".*:", "", $3) ; print $3 }'`
echo External broadcast: $EXTBROAD

# Gateway for the external network
#
# Static TCP/IP addressed users:  
#
# Replace the whole backtick expression below (backticks included) with
# your correct default gateway or "next hop address" enclosed in double
# quotes.
#
# e.g.:   EXTGW="100.200.0.1"
#
# The default route is the "0.0.0.0" destination line of "route -n" and its
# gateway is the second column.  (Matching on the "UG" flags alone would also
# return the gateway of any static route, and "grep -A 4" printed the lines
# following the match as well.)
#
EXTGW=`/sbin/route -n | awk '$1 == "0.0.0.0" && $4 ~ /G/ { print $2; exit }'`
echo Default GW: $EXTGW

echo " --- "
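The three backtick one-liners above are the rule set's only view of the outside world, and a wrong value silently produces a firewall that blocks everything. As an added example (not code from TrinityOS), the functions below parse the same ifconfig and route -n fields from a string argument so they can be checked offline; the function names, the check_ext_values helper and the sample outputs are constructed for this example, in the old net-tools layout the script expects.

```shell
# Added example, not part of the TrinityOS rc.firewall.  Each function takes
# command output as a string so the parsing can be exercised without a NIC.

# IPv4 address of the first "inet addr:" line, or nothing if there is none
# (the DHCP-lease-not-up / PPP-not-dialled case the script aborts on).
ext_ip_from_ifconfig() {
    printf '%s\n' "$1" | awk '/inet addr:/ { sub(/^.*addr:/, "", $2); print $2; exit }'
}

# Broadcast address, taken only from a field that really is "Bcast:".
# On a point-to-point link (ppp0) the third field is "P-t-P:<peer>", which
# the original one-liner would silently hand back as the broadcast address.
ext_bcast_from_ifconfig() {
    printf '%s\n' "$1" | awk '
        /inet addr:/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^Bcast:/) { sub(/^Bcast:/, "", $i); print $i }
            exit
        }'
}

# Gateway of the default route: destination 0.0.0.0 with a G in the flags.
# Matching on "UG" alone would also return the gateway of any static route.
default_gw_from_route() {
    printf '%s\n' "$1" | awk '$1 == "0.0.0.0" && $4 ~ /G/ { print $2; exit }'
}

# Returns 0 when every value the rule set needs was found, 1 otherwise,
# naming the missing one (the script's EXTIP check, extended to all three).
check_ext_values() {
    ok=0
    for name in EXTIP EXTBROAD EXTGW; do
        eval val=\$$name
        if [ -z "$val" ]; then
            echo "Aborting: unable to determine $name" >&2
            ok=1
        fi
    done
    return $ok
}

# --- constructed sample output (not captured from a real host) ---
SAMPLE_IFCONFIG='eth0      Link encap:Ethernet  HWaddr 00:00:00:00:00:01
          inet addr:100.200.0.212  Bcast:100.200.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1'

SAMPLE_PPP='ppp0      Link encap:Point-to-Point Protocol
          inet addr:100.200.0.212  P-t-P:100.200.0.1  Mask:255.255.255.255'

SAMPLE_DOWN='eth0      Link encap:Ethernet  HWaddr 00:00:00:00:00:01
          UP BROADCAST MULTICAST  MTU:1500  Metric:1'

# Includes a static route with a gateway (UG) that is NOT the default route.
SAMPLE_ROUTE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.0.0        192.168.0.254   255.0.0.0       UG    0      0        0 eth1
100.200.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
0.0.0.0         100.200.0.1     0.0.0.0         UG    0      0        0 eth0'

# Walk-through on the constructed eth0 sample; the live rc.firewall would
# feed it `/sbin/ifconfig $EXTIF` and `/sbin/route -n` instead.
EXTIP=$(ext_ip_from_ifconfig "$SAMPLE_IFCONFIG")
EXTBROAD=$(ext_bcast_from_ifconfig "$SAMPLE_IFCONFIG")
EXTGW=$(default_gw_from_route "$SAMPLE_ROUTE")
check_ext_values && echo "External IP: $EXTIP  broadcast: $EXTBROAD  GW: $EXTGW"
```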

# Internal interface device.
#
#  ** READ ME:
#
#    If this box has an internal (trusted) interface such as eth1, set it
#    here, e.g. INTIF="eth1".  If eth0 is your ONLY interface, leave it
#    EMPTY as below: every internal-LAN, MASQ and DMZ section is then
#    skipped via IF..THEN checks.
#
INTIF=""
if [ "$INTIF" != "" ]; then
    echo "Internal Interface: $INTIF"
else
    echo -e "Internal Interface: None\n**  MASQ and DMZ support disabled**"
fi

if [ "$INTIF" != "" ]; then
  # IP address on the internal interface
  #
  #  ** READ ME:
  #
  #    Set this to the address of the internal interface, e.g.
  #    INTIP="192.168.0.1".  Leave it empty if you have no other interfaces.
  #
  INTIP=""
  echo Internal IP: $INTIP
fi
 
if [ "$INTIF" != "" ]; then
  # IP network address of the internal network
  #
  #  ** READ ME:
  #
  #    Set this to the internal network, e.g. INTLAN="192.168.0.0/24".
  #    Leave it empty if you have no other interfaces.
  #
  INTLAN=""
  echo Internal LAN: $INTLAN
fi   

echo " --- "


#Do not remove this check as the ruleset currently requires the INTIF
#interface to exist for the INT2IF interface to properly function.
#
if [ "$INTIF" != "" ]; then
  # DMZ interface device.
  #
  #  ** READ ME:
  #
  #    If you have a third (DMZ) interface such as eth2, set it here,
  #    e.g. INT2IF="eth2".  Otherwise leave it EMPTY as below and all
  #    DMZ sections are skipped.
  #
  #INT2IF="eth2"
  INT2IF=""
  if [ "$INT2IF" != "" ]; then
      echo "DMZ network interface: $INT2IF"
  else
      echo -e "DMZ Interface: None\n  **DMZ support disabled**"
  fi 

  if [ "$INT2IF" != "" ]; then
    # IP address on the DMZ interface
    #
    #    Set this to the address of the DMZ interface, e.g. INT2IP="192.168.10.1".
    #    It MUST be set whenever INT2IF is set (the DMZ rules use it as -d).
    #   
    INT2IP=""
    echo "DMZ interface IP: $INT2IP"
  fi

  if [ "$INT2IF" != "" ]; then
    # IP network address of the DMZ network
    #
    #    Set this to the DMZ network, e.g. INT2LAN="192.168.10.0/24".
    #    Leave it empty if you have no DMZ interface.
    #
    INT2LAN=""
    echo DMZ network subnet: $INT2LAN
  fi 

  if [ "$INT2IF" != "" ]; then
    # IP network broadcast of the DMZ network
    #
    #    Set this to the DMZ broadcast address, e.g. INT2BROAD="192.168.10.255".
    #    Leave it empty if you have no DMZ interface.
    #
    INT2BROAD=""
    echo DMZ network broadcast: $INT2BROAD
  fi 
fi 


echo " --- "


# IP Mask for all IP addresses
UNIVERSE="0.0.0.0/0"

# IP Mask for broadcast transmissions
BROADCAST="255.255.255.255"

# Specification of the high unprivileged IP ports.
UNPRIVPORTS="1024:65535"

# Specification of X Window System (TCP) ports.
XWINDOWS_PORTS="6000:6063"         


# The TCP/IP addresses of specifically allowed EXTERNAL hosts 
#
#   NOTE:  If you want to allow in an ENTIRE NETWORK, let the
#          last octet of the network be a .0 and add the netmask.
#            e.g.:
#                       SECUREHOST="200.244.0.0/26"
#
# Disabled by default.
#
#SECUREHOST="200.211.0.40"
#echo Secure Host1 IP: $SECUREHOST
#SECUREHOST2="200.211.0.41"
#echo Secure Host2 IP: $SECUREHOST2
#SECUREHOST3="200.244.0.42"
#echo Secure Host3 IP: $SECUREHOST3
#SECUREHOST4="200.244.0.43"
#echo Secure Host4 IP: $SECUREHOST4
#SECUREHOST5="200.244.0.44"
#echo Secure Host5 IP: $SECUREHOST5


# The TCP/IP addresses of specifically allowed DMZ hosts 
#
#   NOTE:  If you want to allow in an ENTIRE NETWORK, let the
#          last octet of the network be a .0 and add the netmask.
#            e.g.:
#                       DMZHOST1="192.168.10.0/24"
#
# Disabled by default.
#
#DMZHOST1="192.168.10.10"
#echo DMZ Secure Host1 IP: $DMZHOST1
#DMZHOST2="192.168.10.20"
#echo DMZ Secure Host2 IP: $DMZHOST2


# IP Port Forwarded Addresses
#
# Port forwarding allows external traffic to directly connect to an INTERNAL
# Masq'ed machine. An example need for port forwarding is the need for external
# users to directly contact a WWW server behind the MASQ server.
#
# To enable portfw, you need to un-# out and edit the lines above for one or 
# more SECUREHOSTs.  You then need to un-# out the PORTFW lines in the FORWARD 
# sections later in the rule set.
#
# If you want to simply portfw one explicit host, it should be configured via a 
# SECUREHOST option above.  If this PORTFW'ed port should be available for ALL 
# hosts on the Inet, it should be opened up in the INPUT section much like for 
# HTTP, Sendmail, etc.
#
# NOTE: Port forwarding is well beyond the scope of this documentation to
#       explain the security issues implied in opening up access like this.
#       Please see Appendix A to find the IP-MASQ-HOWTO for a full explanation.
#
# Disabled by default.
#
#PORTFWIP1="192.168.0.20"
#echo PortFW1 IP: $PORTFWIP1
#PORTFWIP2="192.168.0.20"
#echo PortFW2 IP: $PORTFWIP2
#PORTFWIP3="192.168.0.20"
#echo PortFW3 IP: $PORTFWIP3


# TCP/IP addresses of INTERNAL hosts allowed to directly connect to the
#       Linux server.  All internal hosts are allowed by default.
#
# Disabled by default
#HOST1IP="192.168.0.10"
#echo Internal Host 1 IP: $HOST1IP
#HOST2IP="192.168.0.11"
#echo Internal Host 2 IP: $HOST2IP

# Logging state.  
#
# To disable logging for the more important IPCHAINS rules, comment out the
# LOGGING="-l" line (please note this is a lower case "L" and NOT a numeral
# one) and uncomment the LOGGING=" " line.
#
# The output of this logging can be found in the /var/log/messages 
# file.  It is recommended that you leave this setting enabled.  
# If you need to reduce some of the logging, edit the rule sets and 
# delete the "$LOGGING" syntax from the rules that you aren't 
# interested in.
#
# LOGGING=" "
echo "Logging is: ENABLED"
LOGGING="-l"

echo " --- "

#Verify that IPCHAINS is loaded for 2.4.x kernels
#
if [ -n "`/bin/uname -r | grep '^2\.4\.'`" ]; then
  echo "Running 2.4.x kernel"
  echo "  - Please note that running IPCHAINS emulation under a 2.4.x"
  echo "    is NOT recommended as various MASQ modules such as FTP, etc"
  echo "    will no longer function.  To regain this functionality, you"
  echo -e "    MUST run a native IPTABLES ruleset.\n"

  if [ -z "`/sbin/lsmod | grep ipchains`" ]; then
      echo "loading ipchains.o"
      /sbin/insmod ipchains
  else
      echo "  ipchains.o already loaded."
  fi
fi 

echo " --- "

echo "----------------------------------------------------------------------"

#--------------------------------------------------------------------
# Debugging Section
#--------------------------------------------------------------------
# If you are having problems with the firewall, uncomment the lines 
# below and then re-run the firewall to make sure that the firewall 
# is not giving any errors, etc.  The output of this debugging 
# script will be in a file called /tmp/rc.firewall.dump
#--------------------------------------------------------------------
#
#echo "  - Debugging."
#echo Loopback IP: $LOOPBACKIP > /tmp/rc.firewall.dump
#echo Loopback interface name: $LOOPBACKIF >> /tmp/rc.firewall.dump
#echo ----------------------------------------------------- >> /tmp/rc.firewall.dump
#echo External interface name: $EXTIF >> /tmp/rc.firewall.dump
#echo External interface IP: $EXTIP >> /tmp/rc.firewall.dump
#echo External interface broadcast IP: $EXTBROAD >> /tmp/rc.firewall.dump
#echo External interface default gateway: $EXTGW >> /tmp/rc.firewall.dump
#echo ----------------------------------------------------- >> /tmp/rc.firewall.dump
#echo Internal interface name: $INTIF >> /tmp/rc.firewall.dump
#echo Internal interface IP: $INTIP >> /tmp/rc.firewall.dump
#echo Internal LAN address: $INTLAN >> /tmp/rc.firewall.dump
#echo ----------------------------------------------------- >> /tmp/rc.firewall.dump
#echo DMZ interface name: $INT2IF >> /tmp/rc.firewall.dump
#echo DMZ interface IP: $INT2IP >> /tmp/rc.firewall.dump
#echo DMZ LAN address: $INT2LAN >> /tmp/rc.firewall.dump
#echo ----------------------------------------------------- >> /tmp/rc.firewall.dump
#echo External secured host: $SECUREHOST >> /tmp/rc.firewall.dump
#echo External secured host #2: $SECUREHOST2 >> /tmp/rc.firewall.dump
#echo External secured host #3: $SECUREHOST3 >> /tmp/rc.firewall.dump
#echo External secured host #4: $SECUREHOST4 >> /tmp/rc.firewall.dump
#echo External secured host #5: $SECUREHOST5 >> /tmp/rc.firewall.dump
#echo ----------------------------------------------------- >> /tmp/rc.firewall.dump
#echo DMZ secured host #1: $DMZHOST1 >> /tmp/rc.firewall.dump
#echo DMZ secured host #2: $DMZHOST2 >> /tmp/rc.firewall.dump
#echo ----------------------------------------------------- >> /tmp/rc.firewall.dump

#--------------------------------------------------------------------
# General
#--------------------------------------------------------------------
# Performs general processing such as setting the multicast route
# and DHCP address hacking.
#
# Multicast is a powerful, yet seldom used aspect of TCP/IP for multimedia
# data. Though it isn't used much now (because most ISPs don't enable multicast
# on their networks), it will be very common in a few more years. Check out
# www.mbone.com for more detail.
#
# Adding this feature is OPTIONAL.
#
# Disabled by default.
#echo "  - Adding multicast route."
#/sbin/route add -net 224.0.0.0 netmask 240.0.0.0 dev $EXTIF


# Disable IP spoofing attacks (reverse-path filtering).
#
# This drops a packet whose SOURCE address belongs to a network the kernel
# would not route via the interface the packet arrived on, i.e. traffic that
# claims to come from one network but is received on a different interface.
#
echo "  - Disabling IP Spoofing attacks."
for file in /proc/sys/net/ipv4/conf/*/rp_filter
do
 echo "2" > $file
done

# Comment the following out if you are not using a dynamic address
#
#  Please note that some kernels don't have this enabled.
#  If this option gives an error, you can safely ignore it.
#
echo "  - Enabling dynamic TCP/IP address hacking."
echo "1" > /proc/sys/net/ipv4/ip_dynaddr


# Enable TCP SYN Cookie protection:
# 
echo "  - Enable TCP SYN Cookie protection"
echo "1" > /proc/sys/net/ipv4/tcp_syncookies

# Ensure that various ICMP sanity settings are there
# 
echo "  - Enable ICMP sanity settings"
 
# Ignore ICMP echo requests sent to broadcast addresses (smurf protection)
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
 
# Enable bad error message protection
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
 
# Disable ICMP Re-directs
for file in /proc/sys/net/ipv4/conf/*/accept_redirects; do  
  echo "0" > $file
done
# 

# Ensure that source-routed packets are dropped
#   - If you are running IPROUTE2, this will need to be DISABLED
# 
echo "  - Ensure that source-routed packets are dropped "
for file in /proc/sys/net/ipv4/conf/*/accept_source_route; do  
   echo "0" > $file
done

# Log spoofed, source-routed, and redirect packets
# 
echo "  - Log spoofed, source-routed, and redirect packets "
for file in /proc/sys/net/ipv4/conf/*/log_martians; do  
  echo "1" > $file
done

#--------------------------------------------------------------------
# Type of Service (TOS) Settings
#--------------------------------------------------------------------
# Though very FEW ISPs do anything with the TOS bits, I thought you'd
# like to see it.  In theory, you can tell the Internet how to handle
# your traffic, be it sensitive to delay, throughput, etc.
#
#       -t 0x01 0x10 = Minimum Delay
#       -t 0x01 0x08 = Maximum Throughput
#       -t 0x01 0x04 = Maximum Reliability
#       -t 0x01 0x02 = Minimum Cost
#
# Example:
#
# Settings for FTP, SSH, and TELNET
# /sbin/ipchains -A output -p tcp -d 0/0 21:23  -t 0x01 0x10
#
# Settings for WWW
# /sbin/ipchains -A output -p tcp -d 0/0 80 -t 0x01 0x10


# Don't run these commands if MASQ isn't compiled into the kernel
if [ -e /proc/sys/net/ipv4/ip_always_defrag ] && [ "$INTIF" != "" ]; then

  #--------------------------------------------------------------------
  # Masquerading Timeouts
  #--------------------------------------------------------------------
  # Set timeout values for masq sessions (seconds). 
  #
  # Item #1 - 2 hrs timeout for TCP session timeouts
  # Item #2 - 10 sec timeout for traffic after the TCP/IP "FIN" packet is received
  # Item #3 - 60 sec timeout for UDP traffic 
  #
  # Note to ICQ users:  You might want to set the UDP timeout to something
  #                     like 160.
  #
  echo "  - Changing IP masquerading timeouts."
  /sbin/ipchains -M -S 7200 10 60
fi

# Don't run these commands if MASQ isn't compiled into the kernel
if [ -e /proc/sys/net/ipv4/ip_always_defrag ]; then 

  #--------------------------------------------------------------------
  # Masq Modules 
  #--------------------------------------------------------------------
  # Most TCP/IP-enabled applications work fine behind a Linux IP
  # Masquerade server.  But, some applications need a special 
  # module to get their traffic in and out properly.
  #
  # Note: Some applications do NOT work well through an IP Masquerade server
  #       without special helper modules, such as H.323-based programs.
  #       Please see the IP-MASQ HOWTO for more details.    
  #
  # Note #2: Only uncomment the modules that you REQUIRE to be loaded.
  #       Even the FTP module is commented out below; uncomment it if
  #       MASQed clients need active (PORT-style) FTP.
  #--------------------------------------------------------------------
  echo "  - Loading masquerading modules."

  #/sbin/modprobe ip_masq_cuseeme
  #/sbin/modprobe ip_masq_ftp
  #/sbin/modprobe ip_masq_irc
  #/sbin/modprobe ip_masq_quake
  #/sbin/modprobe ip_masq_raudio
  #/sbin/modprobe ip_masq_vdolive
  # If you downloaded and compiled the ICQ module from Section 5, use it
  #/sbin/modprobe ip_masq_icq
  # If you downloaded and compiled the H.323 module from Section 5, use it
  #/sbin/modprobe ip_masq_h323  
  # If you downloaded and compiled the PPTP module from Section 5, use it
  #/sbin/insmod ip_masq_pptp 
fi


#--------------------------------------------------------------------
# Default Policies
#--------------------------------------------------------------------
# Set all default policies to REJECT and flush all old rules.
#--------------------------------------------------------------------

# Change default policies to REJECT.  
#
# We want to only EXPLICITLY allow what traffic is allowed IN and OUT of the
# firewall.  All other traffic will be implicitly blocked.
#
echo "  - Set default policies to REJECT"
/sbin/ipchains -P input REJECT
/sbin/ipchains -P output REJECT
/sbin/ipchains -P forward REJECT

echo "  - Flushing all old rules and setting all default policies to REJECT "
# Flush all old rule sets
#
/sbin/ipchains -F input
/sbin/ipchains -F output
/sbin/ipchains -F forward


#********************************************************************
# Input Rules
#********************************************************************
echo "----------------------------------------------------------------------"
echo "Input Rules:"


# If we don't have an internal interface, don't do things for it
#
if [ "$INTIF" != "" ]; then

  #--------------------------------------------------------------------
  # Incoming Traffic on the Internal LAN
  #--------------------------------------------------------------------
  # This section controls the INPUT traffic allowed to flow within the internal
  # LAN.  This means that all input traffic on the local network is valid.  If
  # you want to change this default setting and only allow certain types of
  # traffic within your internal network, you will need to comment this following
  # line and configure individual ACCEPT lines for each TCP/IP address you want
  # to let through.  A few example ACCEPT lines are provided below for
  # demonstration purposes.
  #
  # Sometimes it is useful to allow TCP connections in one direction but not the
  # other.  For example, you might want to allow connections to an external HTTP
  # server but not connections from that server.  The naive approach would be to
  # block TCP packets coming from the server. However, the better approach is to
  # use the -y flag which will block only the packets used to request a
  # connection.
  #--------------------------------------------------------------------
  echo "  - Setting input filters for traffic on the internal LAN."

  # DHCP Server.  
  #
  # If you have configured a DHCP server on the Linux machine to serve IP 
  # addresses to the internal network, you will need to enable this section. 
  #
  # This is an example of how to let input traffic flow through the local 
  # LAN if we have rejected all prior requests above.
  #
  # NOTE: Some distros change ipchains to NOT allow TCP connections for
  #       DHCP.  Though TCP-based DHCP is really rare, it is part
  #       of the standard.  
  #
  # Disabled by default
  #echo "       Optional parameter: DHCPd server"
  #/sbin/ipchains -A input -j ACCEPT -i $INTIF -p udp -s $UNIVERSE bootpc -d $BROADCAST/0 bootps
  #/sbin/ipchains -A input -j ACCEPT -i $INTIF -p tcp -s $UNIVERSE bootpc -d $BROADCAST/0 bootps

  # DMZ DHCPd - If we don't have a DMZ interface, don't do things for it
  #
  # Disabled by default
  #if [ "$INT2IF" != "" ]; then  
  #  #DMZ network
  #  echo "       Optional parameter: Second INT2IF DHCPd server"
  #  /sbin/ipchains -A input -j ACCEPT -i $INT2IF -p udp -s $UNIVERSE bootpc -d $BROADCAST/0 bootps
  #  /sbin/ipchains -A input -j ACCEPT -i $INT2IF -p tcp -s $UNIVERSE bootpc -d $BROADCAST/0 bootps
  #fi

  #--------------------------------------------------------------------
  # Explicit Access from Internal LAN Hosts
  #--------------------------------------------------------------------
  # This section is provided as an example of how to allow only SPECIFIC 
  # hosts on the internal LAN to access services on the firewall server.  
  # Many people might feel that this is extreme but many system attacks 
  # occur from the INTERNAL networks.
  #
  # Examples given allow access via FTP, FTP-DATA, SSH, and TELNET. 
  #
  # In order for this rule set to work, you must first comment out the 
  # generic allow lines just above the final ALLOW HIGH PORTS at the END 
  # of this section.  That one line provides full access to the internal 
  # LAN by all internal hosts. You will then need to enable the lines 
  # below to allow any access at all.
  #--------------------------------------------------------------------
  #echo "  - Setting input filters for specific internal hosts."

  # First allowed internal host to connect directly to the Linux server
  #
  # Disabled by default.
  #/sbin/ipchains -A input -j ACCEPT -i $INTIF -p tcp -s $HOST1IP -d $INTIP ftp
  #/sbin/ipchains -A input -j ACCEPT -i $INTIF -p tcp -s $HOST1IP -d $INTIP ftp-data
  #/sbin/ipchains -A input -j ACCEPT -i $INTIF -p tcp -s $HOST1IP -d $INTIP ssh
  #/sbin/ipchains -A input -j ACCEPT -i $INTIF -p tcp -s $HOST1IP -d $INTIP telnet

  # Second allowed internal host to connect directly to the Linux server
  #
  # Disabled by default.
  #/sbin/ipchains -A input -j ACCEPT -i $INTIF -p tcp -s $HOST2IP -d $INTIP ftp
  #/sbin/ipchains -A input -j ACCEPT -i $INTIF -p tcp -s $HOST2IP -d $INTIP ftp-data
  #/sbin/ipchains -A input -j ACCEPT -i $INTIF -p tcp -s $HOST2IP -d $INTIP ssh
  #/sbin/ipchains -A input -j ACCEPT -i $INTIF -p tcp -s $HOST2IP -d $INTIP telnet

  # No-op so that this IF..THEN block is never empty (bash rejects an empty
  # block) when every optional rule above is left commented out, e.g. for
  # users with STATIC IPs who don't enable DHCP.
  :

# End of the INTIF loop 
fi

#--------------------------------------------------------------------
# Incoming Traffic from the External Interface
#--------------------------------------------------------------------
# This rule set will control specific traffic that is allowed in from 
# the external interface.  
#--------------------------------------------------------------------
#
echo "  - Setting input filters for traffic from the external interface."

# DHCP Clients. 
#
# If you get a dynamic IP address for your ADSL or Cablemodem connection, you
# will need to enable these lines.
#
# NOTE: Some distros change ipchains to NOT allow TCP connections for
#       DHCP.  Though TCP-based DHCP is really rare, it is part
#       of the standard.  
#
# Disabled by default in this copy of the rule set; uncomment both lines
# if your external address is assigned by DHCP.
#/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p udp -s $UNIVERSE bootps -d $BROADCAST/0  bootpc
#/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $UNIVERSE bootps -d $BROADCAST/0  bootpc

# FTP: Allow external users to connect to the Linux server ITSELF for 
#      PORT-style FTP services.  This will NOT work for PASV FTP transfers.  
# 
# Disabled by default.
# echo "       Optional parameter: FTP server"
#/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP ftp
#/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP ftp-data

# IRCd:  Allow external users to connect to the Linux server ITSELF for
#        IRC services.
#
#        Make sure ircd is defined in /etc/services
#
# Disabled by default.
# echo "       Optional parameter: IRC server"
# /sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP ircd

# HTTP: Allow external users to connect to the Linux server ITSELF for HTTP services.
#
# Disabled by default.
# echo "       Optional parameter: HTTP server"
#/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP http

# HTTPS: Allow external users to connect to the Linux server ITSELF for HTTPS services.
#
# Disabled by default.
# echo "       Optional parameter: HTTPS server"
#/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP https


# Advanced ICMP:  Some users prefer that their UNIX box NOT ping, etc.
#                 This is easy enough to do but be sure you know what you
#                 are doing.
#
#      There is an EXCELLENT paper on ICMP filtering available at:
#
#    http://www.sys-security.com/archive/papers/ICMP_Scanning_v2.0.pdf
#
#
#   NOTE:  When setting a FIREWALL to REJECT ICMP traffic, the resulting
#          reply traffic is automatically discarded per the RFCs
#
#   NOTE2: For a full list of all supported major and minor ICMP codes, run:
#              /sbin/ipchains -h icmp
#
# MOST are Disabled by default.
#
#
# Do NOT accept ECHO REPLYs (type 0) from the Internet (this is NOT a 
# good idea)
#
# echo "       Optional parameter: ICMP ECHO-REPLY inbound filtered"
#/sbin/ipchains -A input -j REJECT -i $EXTIF -p icmp -s $UNIVERSE -d $EXTIP --icmp-type echo-reply $LOGGING
#
# Do NOT reply to TCP/UDP TRACEROUTE requests from the Internet (some find 
# this useful)
#
# echo "       Optional parameter: TCP/UDP TRACEROUTE inbound filtered"
#
#/sbin/ipchains -A input -j REJECT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP 33434 $LOGGING
#/sbin/ipchains -A input -j REJECT -i $EXTIF -p udp -s $UNIVERSE -d $EXTIP 33434 $LOGGING
#
# Do NOT reply to TRACEROUTE requests from the Internet (MS clients use 
# ICMP ECHO and not TCP/UDP - some find this useful )
#
# echo "       Optional parameter: ICMP TRACEROUTE [for MS] inbound filtered"
#/sbin/ipchains -A input -j REJECT -i $EXTIF -p icmp -s $UNIVERSE -d $EXTIP --icmp-type destination-unreachable $LOGGING
#
# Do NOT reply to DESTINATION-UNREACHABLE (type 3) from the Internet (this 
# is NOT a good idea - if you must do this then filter out the specific 
# SUB-options such as PROTOCOL-UNREACHABLE in the OUTBOUND direction)
#
# echo "       Optional parameter: ICMP DESTINATION-UNREACHABLE inbound filtered"
#/sbin/ipchains -A input -j REJECT -i $EXTIF -p icmp -s $UNIVERSE -d $EXTIP --icmp-type destination-unreachable $LOGGING
#
# Do NOT reply to SOURCEQUENCH (type 4) from the Internet (this is NOT a 
# good idea)
#
# echo "       Optional parameter: ICMP SOURCEQUENCH inbound filtered"
#/sbin/ipchains -A input -j REJECT -i $EXTIF -p icmp -s $UNIVERSE -d $EXTIP --icmp-type source-quench $LOGGING
#
# Do NOT reply to ANY form of REDIRECT packets (type 5) (this can help 
# stop OS fingerprinting)
#
echo "       Optional parameter: ICMP REDIRECT inbound filtered"
/sbin/ipchains -A input -j REJECT -i $EXTIF -p icmp -s $UNIVERSE -d $EXTIP --icmp-type redirect $LOGGING


# If we don't have a DMZ interface, don't do things for it
#
if [ "$INT2IF" != "" ]; then  
  echo "       Optional parameter: INT2IF - ICMP REDIRECT inbound filtered"
  /sbin/ipchains -A input -j REJECT -i $INT2IF -p icmp -s $UNIVERSE -d $INT2IP --icmp-type redirect $LOGGING
fi


# Do NOT allow PING requests (type 8) from the Internet (some find this 
# useful)
#
# echo "       Optional parameter: ICMP ECHO inbound filtered"
#/sbin/ipchains -A input -j REJECT -i $EXTIF -p icmp -s $UNIVERSE -d $EXTIP --icmp-type echo-request $LOGGING
#
# Do NOT reply to TTL-EXPIRED packets (type 11) from the Internet (this is 
# NOT a good idea - do it OUTBOUND)
#
# echo "       Optional parameter: ICMP TTL-EXPIRED inbound filtered"
#/sbin/ipchains -A input -j REJECT -i $EXTIF -p icmp -s $UNIVERSE -d $EXTIP --icmp-type time-exceeded $LOGGING
#
# Do NOT reply to PARAMETER-PROBLEM packets (type 12) (this is NOT a good 
# idea - filter this on OUTBOUND)
#
# echo "       Optional parameter: ICMP PARAMETER-PROBLEM inbound filtered"
# /sbin/ipchains -A input -j REJECT -i $EXTIF -p icmp -s $UNIVERSE -d $EXTIP --icmp-type parameter-problem $LOGGING
#
# Do NOT reply to ICMP TIMESTAMP packets (type 13 and 14) (this can help 
# stop OS fingerprinting)
#
echo "       Optional parameter: ICMP TIMESTAMP inbound filtered"
/sbin/ipchains -A input -j REJECT -i $EXTIF -p icmp -s $UNIVERSE -d $EXTIP --icmp-type timestamp-request $LOGGING
/sbin/ipchains -A input -j REJECT -i $EXTIF -p icmp -s $UNIVERSE -d $EXTIP --icmp-type timestamp-reply $LOGGING


# If we don't have a DMZ interface, don't do things for it
#
if [ "$INT2IF" != "" ]; then  
  echo "       Optional parameter: INT2IF - ICMP TIMESTAMP inbound filtered"
  /sbin/ipchains -A input -j REJECT -i $INT2IF -p icmp -s $UNIVERSE -d $INT2IP --icmp-type timestamp-request $LOGGING
  /sbin/ipchains -A input -j REJECT -i $INT2IF -p icmp -s $UNIVERSE -d $INT2IP --icmp-type timestamp-reply $LOGGING
fi


# ICMP INFORMATION REQUEST/REPLY (type 15 and 16) have no symbolic names in
# IPCHAINS; they are obsolete and rarely seen (no big deal - a numeric ICMP
# type in place of the name would match them if you ever need to)
#
# Do NOT reply to ICMP ADDRESS MASK packets (type 17 and 18) (this can 
# help stop OS fingerprinting)
#
echo "       Optional parameter: ICMP ADDRESS-MASK inbound filtered"
/sbin/ipchains -A input -j REJECT -i $EXTIF -p icmp -s $UNIVERSE -d $EXTIP --icmp-type address-mask-request $LOGGING
/sbin/ipchains -A input -j REJECT -i $EXTIF -p icmp -s $UNIVERSE -d $EXTIP --icmp-type address-mask-reply $LOGGING


# If we don't have a DMZ interface, don't do things for it
#
if [ "$INT2IF" != "" ]; then  
  echo "       Optional parameter: INT2IF - ICMP ADDRESS-MASK inbound filtered"
  /sbin/ipchains -A input -j REJECT -i $INT2IF -p icmp -s $UNIVERSE -d $INT2IP --icmp-type address-mask-request $LOGGING
  /sbin/ipchains -A input -j REJECT -i $INT2IF -p icmp -s $UNIVERSE -d $INT2IP --icmp-type address-mask-reply $LOGGING
fi


# General ICMP: Allow ICMP packets from all external TCP/IP addresses. 
#
# NOTE: Disabling ICMP packets via the firewall rule set can do far more 
#       than just stop people from pinging your machine.  Many aspects of 
#       TCP/IP and its associated applications rely on various ICMP 
#       messages.  Without ICMP, both your Linux server and internal 
#       Masq'ed computers might not work.
#
#   If you feel compelled to do ICMP filtering, do it by uncommenting your
#   desired traffic types from the section ABOVE and NOT here.
#
/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p icmp -s $UNIVERSE -d $EXTIP 

# DMZ ICMP - If we don't have a DMZ interface, don't do things for it
#
if [ "$INT2IF" != "" ]; then  
  /sbin/ipchains -A input -j ACCEPT -i $INT2IF -p icmp -s $UNIVERSE -d $INT2IP 
  /sbin/ipchains -A input -j ACCEPT -i $INT2IF -p icmp -s $INT2LAN -d $INTLAN 
fi

# NNTP: Allow external computers to connect to the Linux server ITSELF 
#       for NNTP (news) services.   
#
# Disabled by default.
# echo "       Optional parameter: NNTP server"
#/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP nntp

# NTP: Allow external computers to connect to the Linux server ITSELF for 
#      NTP (time) updates
#
#  NOTE:  NTP runs over UDP port 123 (RFC 1305).  The TCP line below is
#         only kept for completeness and can stay commented out.
#
# Disabled by default.
# echo "       Optional parameter: NTP server"
#/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP ntp
#/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p udp -s $UNIVERSE -d $EXTIP ntp

# TELNET: Allow external computers to connect to the Linux server ITSELF for 
#         TELNET access.
#
# Disabled by default.
# echo "       Optional parameter: TELNET server"
#/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP telnet

# SSH server: Allow external computers to connect to the Linux server ITSELF
#             for SSH access.
#
# Enabled by default.  Comment it out if only the SECUREHOSTs below should
# be able to reach SSH.
echo "       Optional parameter: SSH server"
/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP ssh 


#--------------------------------------------------------------------
# Specific Input Rejections on the EXTERNAL interface
#--------------------------------------------------------------------
# These rule sets reject specific traffic that you do not want into 
# the system.  NOTE: they are appended AFTER the ICMP and SSH ACCEPT rules
# above, so a packet with a spoofed $INTLAN source still reaches those 
# services; move this block above them if spoofed sources must be rejected
# unconditionally.
#--------------------------------------------------------------------
echo "  - Reject specific inputs."


# If we don't have an internal interface, don't do things for it
#
if [ "$INTIF" != "" ]; then
  # Remote interface, claiming to be local machines, IP spoofing, get lost & log
  /sbin/ipchains -A input -j REJECT -i $EXTIF -s $INTLAN -d $UNIVERSE $LOGGING
fi

# If we don't have a DMZ interface, don't do things for it
#
if [ "$INT2IF" != "" ]; then  
  /sbin/ipchains -A input -j REJECT -i $INT2IF -s $INTLAN -d $UNIVERSE $LOGGING
fi


# RFC1918 and IANA Reserved Address space Bogon filtering
# 
# Filter all external traffic coming from either RESERVED or non-routed 
# address space.
#
#  See ftp://ftp.iana.org/assignments/ipv4-address-space for up to date
#  results.  
#
# Please run "whois IANA*@arin.net" and with a careful eye
# "whois RESERVED*@arin.net" for more info.
#
# -------------------------------------------------------------------
# NOTE *1*: Please notice that ALL IANA Reserved Address filters
#           (except for the RFC1918 and Class-E networks; Class-D
#           multicast is optional under "Special Filtering" below) have
#           been disabled as it seems that the IANA is releasing IP
#           address space without updating their tables.  There is
#           an email list called "bogon-announce" which you can 
#           subscribe to here:
#                             http://www.cymru.com/Bogons/
#
# Note2: The bogon list changes ALL the time.  Unless you subscribe
#        to the above bogon list AND update your firewall when things
#        change, you will be blackholing legitimate traffic.
#
# Note3: The address blocks shown by whois silently use CLASSFUL 
#        masks
# 
# Note4: Some ISPs use RFC1918 addresses for internal addressing of 
#         customers and keeping status on equipment.  Some customers of 
#         General Instruments SURFboard cable modems might have similar 
#         issues.
# 
# -------------------------------------------------------------------  


# Reserved-1
#/sbin/ipchains -A input -j REJECT -i $EXTIF -s 0.0.0.0/8 -d $UNIVERSE $LOGGING

# Reserved-9
#/sbin/ipchains -A input -j REJECT -i $EXTIF -s 1.0.0.0/8 -d $UNIVERSE $LOGGING

# Reserved-2
#/sbin/ipchains -A input -j REJECT -i $EXTIF -s 2.0.0.0/8 -d $UNIVERSE $LOGGING

# Reserved-5
#/sbin/ipchains -A input -j REJECT -i $EXTIF -s 5.0.0.0/8 -d $UNIVERSE $LOGGING

# Reserved-7
#/sbin/ipchains -A input -j REJECT -i $EXTIF -s 7.0.0.0/8 -d $UNIVERSE $LOGGING

# Reserved-10 and RFC1918 (10.x.x.x) 
/sbin/ipchains -A input -j REJECT -i $EXTIF -s 10.0.0.0/8 -d $UNIVERSE $LOGGING


# If we don't have a DMZ interface, don't do things for it
#
if [ "$INT2IF" != "" ]; then  
  /sbin/ipchains -A input -j REJECT -i $INT2IF -s 10.0.0.0/8 -d $UNIVERSE $LOGGING
fi

# Reserved-23
#/sbin/ipchains -A input -j REJECT -i $EXTIF -s 23.0.0.0/8 -d $UNIVERSE $LOGGING

# Reserved-27
#/sbin/ipchains -A input -j REJECT -i $EXTIF -s 27.0.0.0/8 -d $UNIVERSE $LOGGING

# Reserved-31
#/sbin/ipchains -A input -j REJECT -i $EXTIF -s 31.0.0.0/8 -d $UNIVERSE $LOGGING

# Reserved-36
#/sbin/ipchains -A input -j REJECT -i $EXTIF -s 36.0.0.0/8 -d $UNIVERSE $LOGGING

# Reserved-37
#/sbin/ipchains -A input -j REJECT -i $EXTIF -s 37.0.0.0/8 -d $UNIVERSE $LOGGING

# Reserved-39
#/sbin/ipchains -A input -j REJECT -i $EXTIF -s 39.0.0.0/8 -d $UNIVERSE $LOGGING

# Reserved-42
#/sbin/ipchains -A input -j REJECT -i $EXTIF -s 42.0.0.0/8 -d $UNIVERSE $LOGGING

# Reserved-74 and 75
# 74.0.0.0 - 75.255.255.255
#/sbin/ipchains -A input -j REJECT -i $EXTIF -s 74.0.0.0/7 -d $UNIVERSE $LOGGING

# Reserved-76 through 79
# 76.0.0.0 - 79.255.255.255
#/sbin/ipchains -A input -j REJECT -i $EXTIF -s 76.0.0.0/6 -d $UNIVERSE $LOGGING

# Reserved 89 
#/sbin/ipchains -A input -j REJECT -i $EXTIF -s 89.0.0.0/8 -d $UNIVERSE $LOGGING

# Reserved 90
#/sbin/ipchains -A input -j REJECT -i $EXTIF -s 90.0.0.0/8 -d $UNIVERSE $LOGGING

# Reserved 91
#/sbin/ipchains -A input -j REJECT -i $EXTIF -s 91.0.0.0/8 -d $UNIVERSE $LOGGING

# Reserved 92 through 95
# 92.0.0.0 - 95.255.255.255
#/sbin/ipchains -A input -j REJECT -i $EXTIF -s 92.0.0.0/6 -d $UNIVERSE $LOGGING

# Reserved 96 through 111
# 96.0.0.0 - 111.255.255.255
#/sbin/ipchains -A input -j REJECT -i $EXTIF -s 96.0.0.0/4 -d $UNIVERSE $LOGGING

# Reserved 112 through 119
# 112.0.0.0 - 119.255.255.255
#/sbin/ipchains -A input -j REJECT -i $EXTIF -s 112.0.0.0/5 -d $UNIVERSE $LOGGING

# Reserved 120 through 123
# 120.0.0.0 - 123.255.255.255
#/sbin/ipchains -A input -j REJECT -i $EXTIF -s 120.0.0.0/6 -d $UNIVERSE $LOGGING

# Reserved-127 (loopback, 127.0.0.0 - 127.255.255.255)
#/sbin/ipchains -A input -j REJECT -i $EXTIF -s 127.0.0.0/8 -d $UNIVERSE $LOGGING

# BLACKHOLE3
#
# Disabled due to the fact that ALL reverse DNS functions (regardless of the
# address) will stop working properly.  If you have a good explanation of 
# why this is, I would love to hear it.
#
#/sbin/ipchains -A input -j REJECT -i $EXTIF -s 128.9.64.26/32 -d $UNIVERSE $LOGGING

# Includes NET-TEST-B
#/sbin/ipchains -A input -j REJECT -i $EXTIF -s 128.66.0.0/16 -d $UNIVERSE $LOGGING

# IANA-BBLK-RESERVED and RFC1918 (172.16-31.0.0)
/sbin/ipchains -A input -j REJECT -i $EXTIF -s 172.16.0.0/12 -d $UNIVERSE $LOGGING

# If we don't have a DMZ interface, don't do things for it
#
if [ "$INT2IF" != "" ]; then  
  /sbin/ipchains -A input -j REJECT -i $INT2IF -s 172.16.0.0/12 -d $UNIVERSE $LOGGING
fi

# Reserved-173
#/sbin/ipchains -A input -j REJECT -i $EXTIF -s 173.0.0.0/8 -d $UNIVERSE $LOGGING

# Reserved-174 through 175
# 174.0.0.0 - 175.255.255.255
#/sbin/ipchains -A input -j REJECT -i $EXTIF -s 174.0.0.0/7 -d $UNIVERSE $LOGGING

# Reserved-176 through 183
# 176.0.0.0 - 183.255.255.255
#/sbin/ipchains -A input -j REJECT -i $EXTIF -s 176.0.0.0/5 -d $UNIVERSE $LOGGING

# Reserved-184 through 187
# 184.0.0.0 - 187.255.255.255
#/sbin/ipchains -A input -j REJECT -i $EXTIF -s 184.0.0.0/6 -d $UNIVERSE $LOGGING

# Reserved-189
#/sbin/ipchains -A input -j REJECT -i $EXTIF -s 189.0.0.0/8 -d $UNIVERSE $LOGGING

# Reserved-190
#/sbin/ipchains -A input -j REJECT -i $EXTIF -s 190.0.0.0/8 -d $UNIVERSE $LOGGING

# Reserved-4
#/sbin/ipchains -A input -j REJECT -i $EXTIF -s 191.255.0.0/16 -d $UNIVERSE $LOGGING

# ROOT-NS-LAB - 192.0.0.0/24
#/sbin/ipchains -A input -j REJECT -i $EXTIF -s 192.0.0.0/24 -d $UNIVERSE $LOGGING

# NET-ROOTS-NS-LIVE - 192.0.1.0/24
#/sbin/ipchains -A input -j REJECT -i $EXTIF -s 192.0.1.0/24 -d $UNIVERSE $LOGGING

# NET-TEST - 192.0.2.0/24
#/sbin/ipchains -A input -j REJECT -i $EXTIF -s 192.0.2.0/24 -d $UNIVERSE $LOGGING

# RFC1918 (192.168.0.0/16)
#
# Disabled by default.  Before enabling it, check Note4 above: if your ISP 
# uses 192.168.x addresses on its side of the link, this rule would reject 
# that traffic.
#/sbin/ipchains -A input -j REJECT -i $EXTIF -s 192.168.0.0/16 -d $UNIVERSE $LOGGING

# RESERVED-13
#/sbin/ipchains -A input -j REJECT -i $EXTIF -s 197.0.0.0/16 -d $UNIVERSE $LOGGING

# Reserved-197
#/sbin/ipchains -A input -j REJECT -i $EXTIF -s 197.0.0.0/8 -d $UNIVERSE $LOGGING

# RESERVED-14
#/sbin/ipchains -A input -j REJECT -i $EXTIF -s 201.0.0.0/8 -d $UNIVERSE $LOGGING

# Reserved-5
#/sbin/ipchains -A input -j REJECT -i $EXTIF -s 223.255.255.0/24 -d $UNIVERSE $LOGGING

# Reserved-223
#/sbin/ipchains -A input -j REJECT -i $EXTIF -s 223.0.0.0/24 -d $UNIVERSE $LOGGING

# Class-E (240.0.0.0 - 255.255.255.255) is reserved for future use.  It is
# written here as two /5 networks (there is no "Class-F"):
/sbin/ipchains -A input -j REJECT -i $EXTIF -s 240.0.0.0/5 -d $UNIVERSE $LOGGING
/sbin/ipchains -A input -j REJECT -i $EXTIF -s 248.0.0.0/5 -d $UNIVERSE $LOGGING


# If we don't have a DMZ interface, don't do things for it
#
if [ "$INT2IF" != "" ]; then  
  /sbin/ipchains -A input -j REJECT -i $INT2IF -s 240.0.0.0/5 -d $UNIVERSE $LOGGING
  /sbin/ipchains -A input -j REJECT -i $INT2IF -s 248.0.0.0/5 -d $UNIVERSE $LOGGING
fi
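Generating the bogon REJECT lines above from a prefix list, with the check that Note2 and Note4 call for, as an added example that is not part of TrinityOS or its rc.firewall; the interface name eth0, the addresses used and $LOGGING being "-l" are assumptions made for the demo:

```python
# Added example, not part of the TrinityOS rc.firewall: turn a bogon prefix
# list into the REJECT lines used above, merging adjacent prefixes and
# refusing any prefix that contains the box's own external address (Note4:
# some ISPs number their side of the link out of RFC1918 space).
# Interface name, addresses and LOGGING="-l" below are constructed values.
import ipaddress

UNIVERSE = "0.0.0.0/0"          # what the script calls $UNIVERSE


def bogon_rules(prefixes, extif, extip, logging="-l"):
    """Return (rules, merged_prefixes, skipped).

    rules           - one ipchains command per merged prefix, in the form the
                      script uses for the EXTIF input chain
    merged_prefixes - the prefixes after duplicate/neighbour collapsing
    skipped         - (text, reason) pairs: malformed prefixes and prefixes
                      that contain EXTIP, which would blackhole the uplink
    """
    ext = ipaddress.ip_address(extip)
    nets, skipped = [], []
    for text in prefixes:
        try:
            net = ipaddress.ip_network(text.strip())
        except ValueError as err:
            skipped.append((text, f"not a valid prefix: {err}"))
            continue
        if ext in net:
            skipped.append((text, f"contains EXTIP {ext}; your ISP uses this space"))
            continue
        nets.append(net)
    # collapse_addresses() drops duplicates, removes prefixes already covered
    # by a larger one and merges neighbours (240.0.0.0/5 + 248.0.0.0/5 ->
    # 240.0.0.0/4), so the chain stays as short as possible
    merged = list(ipaddress.collapse_addresses(nets))
    rules = [
        f"/sbin/ipchains -A input -j REJECT -i {extif} -s {net} -d {UNIVERSE} {logging}".rstrip()
        for net in merged
    ]
    return rules, [str(net) for net in merged], skipped


# Constructed input: the RFC1918 nets, the two Class-E halves, 0/8, one
# prefix that is already inside 10/8, and one typo
SAMPLE_BOGONS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                 "240.0.0.0/5", "248.0.0.0/5", "0.0.0.0/8",
                 "10.1.0.0/16", "10.0.0/8"]

if __name__ == "__main__":
    # a public uplink address, then an RFC1918 one as in Note4
    for extip in ("203.0.113.10", "10.44.0.9"):
        rules, nets, skipped = bogon_rules(SAMPLE_BOGONS, "eth0", extip)
        print(f"EXTIF eth0 / EXTIP {extip}: {len(rules)} rules, {len(skipped)} skipped")
        for rule in rules:
            print("  " + rule)
        for text, why in skipped:
            print(f"  SKIPPED {text!r}: {why}")
```

With the public uplink address the eight inputs collapse to five rules (0/8, 10/8, 172.16/12, 192.168/16 and a single 240.0.0.0/4); with the RFC1918 uplink address 10.0.0.0/8 is refused instead of silently cutting the box off from its own gateway, while the smaller 10.1.0.0/16 that does not contain it is still emitted.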


# -----------------
# Special Filtering
# -----------------


# Multicast:  Drop all multicast traffic without logging, for those users 
#             who find this traffic filling up their logs.  REJECT is used
#             as elsewhere in this script; use DENY if you want the packet
#             dropped with no ICMP error sent back at all.
#
# Disabled by default.
# echo "       Optional parameter: Ignore MULTICAST"
# /sbin/ipchains -A input -j REJECT -i $EXTIF -s $UNIVERSE -d 224.0.0.0/4


# NFS: Reject NFS traffic FROM and TO external machines.
#
# NOTE: NFS is one of the biggest security issues an administrator will face.
# Do NOT enable NFS over the Internet or any non-trusted networks unless you
# know exactly what you are doing.  NFS v2/v3 normally runs over UDP, so
# both TCP and UDP 2049 are matched here; the portmapper (111) and the
# mountd/lockd ports fall through to the catch-all rule at the end.
#
# NOTE #2: the $LOGGING variable is NOT included here because if it was 
#          enabled, your logs would grow too quickly to manage.
#
/sbin/ipchains -A input -j REJECT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP 2049
/sbin/ipchains -A input -j REJECT -i $EXTIF -p tcp -s $UNIVERSE 2049 -d $EXTIP
/sbin/ipchains -A input -j REJECT -i $EXTIF -p udp -s $UNIVERSE -d $EXTIP 2049
/sbin/ipchains -A input -j REJECT -i $EXTIF -p udp -s $UNIVERSE 2049 -d $EXTIP


# If we don't have a DMZ interface, don't do things for it
#
if [ "$INT2IF" != "" ]; then  
  /sbin/ipchains -A input -j REJECT -i $INT2IF -p tcp -s $UNIVERSE -d $INT2IP 2049
  /sbin/ipchains -A input -j REJECT -i $INT2IF -p tcp -s $UNIVERSE 2049 -d $INT2IP
  /sbin/ipchains -A input -j REJECT -i $INT2IF -p udp -s $UNIVERSE -d $INT2IP 2049
  /sbin/ipchains -A input -j REJECT -i $INT2IF -p udp -s $UNIVERSE 2049 -d $INT2IP
fi


# SMB and CIFS: Reject SMB and CIFS traffic FROM and TO external machines.
#
# NOTE: SMB (Win 3.x, 9x, NT) and CIFS (Win2k) is one of the biggest 
#       security issues an administrator will face.  Do NOT enable SMB/CIFS
#       traffic to flow over the Internet or any non-trusted networks 
#       unless you know exactly what you are doing.  If you NEED this 
#       functionality, please use a IPSEC or PPTP VPN
#
# NOTE #2: the $LOGGING variable is NOT included here because if it was 
#          enabled, your logs would grow too quickly to manage.
#
# Ports:   137 TCP/UDP (NetBIOS name service)
#          138 UDP     (NetBIOS datagram service) - TCP filtered just in case
#          139 TCP     (NetBIOS session service)  - UDP filtered just in case
#          445 TCP/UDP (MS CIFS in Win2k)

echo "     - Silently rejecting SMB and CIFS traffic on the external interface."
/sbin/ipchains -A input -j REJECT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP 137
/sbin/ipchains -A input -j REJECT -i $EXTIF -p udp -s $UNIVERSE -d $EXTIP 137
/sbin/ipchains -A input -j REJECT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTBROAD 137
/sbin/ipchains -A input -j REJECT -i $EXTIF -p udp -s $UNIVERSE -d $EXTBROAD 137
/sbin/ipchains -A input -j REJECT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP 138
/sbin/ipchains -A input -j REJECT -i $EXTIF -p udp -s $UNIVERSE -d $EXTIP 138
/sbin/ipchains -A input -j REJECT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTBROAD 138
/sbin/ipchains -A input -j REJECT -i $EXTIF -p udp -s $UNIVERSE -d $EXTBROAD 138
/sbin/ipchains -A input -j REJECT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP 139
/sbin/ipchains -A input -j REJECT -i $EXTIF -p udp -s $UNIVERSE -d $EXTIP 139
/sbin/ipchains -A input -j REJECT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTBROAD 139
/sbin/ipchains -A input -j REJECT -i $EXTIF -p udp -s $UNIVERSE -d $EXTBROAD 139
/sbin/ipchains -A input -j REJECT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP 445
/sbin/ipchains -A input -j REJECT -i $EXTIF -p udp -s $UNIVERSE -d $EXTIP 445
/sbin/ipchains -A input -j REJECT -i $EXTIF -p udp -s $UNIVERSE -d $EXTBROAD 445
/sbin/ipchains -A input -j REJECT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTBROAD 445
/sbin/ipchains -A input -j REJECT -i $EXTIF -p tcp -s $UNIVERSE 137 -d $EXTIP
/sbin/ipchains -A input -j REJECT -i $EXTIF -p udp -s $UNIVERSE 137 -d $EXTIP
/sbin/ipchains -A input -j REJECT -i $EXTIF -p tcp -s $UNIVERSE 138 -d $EXTIP
/sbin/ipchains -A input -j REJECT -i $EXTIF -p udp -s $UNIVERSE 138 -d $EXTIP
/sbin/ipchains -A input -j REJECT -i $EXTIF -p tcp -s $UNIVERSE 139 -d $EXTIP
/sbin/ipchains -A input -j REJECT -i $EXTIF -p udp -s $UNIVERSE 139 -d $EXTIP
/sbin/ipchains -A input -j REJECT -i $EXTIF -p tcp -s $UNIVERSE 445 -d $EXTIP
/sbin/ipchains -A input -j REJECT -i $EXTIF -p udp -s $UNIVERSE 445 -d $EXTIP

# If we don't have a DMZ interface, don't do things for it
#
if [ "$INT2IF" != "" ]; then  
  /sbin/ipchains -A input -j REJECT -i $INT2IF -p tcp -s $UNIVERSE -d $INT2IP 137
  /sbin/ipchains -A input -j REJECT -i $INT2IF -p udp -s $UNIVERSE -d $INT2IP 137
  /sbin/ipchains -A input -j REJECT -i $INT2IF -p tcp -s $UNIVERSE -d $INT2BROAD 137
  /sbin/ipchains -A input -j REJECT -i $INT2IF -p udp -s $UNIVERSE -d $INT2BROAD 137
  /sbin/ipchains -A input -j REJECT -i $INT2IF -p tcp -s $UNIVERSE -d $INT2IP 138
  /sbin/ipchains -A input -j REJECT -i $INT2IF -p udp -s $UNIVERSE -d $INT2IP 138
  /sbin/ipchains -A input -j REJECT -i $INT2IF -p tcp -s $UNIVERSE -d $INT2BROAD 138
  /sbin/ipchains -A input -j REJECT -i $INT2IF -p udp -s $UNIVERSE -d $INT2BROAD 138
  /sbin/ipchains -A input -j REJECT -i $INT2IF -p tcp -s $UNIVERSE -d $INT2IP 139
  /sbin/ipchains -A input -j REJECT -i $INT2IF -p udp -s $UNIVERSE -d $INT2IP 139
  /sbin/ipchains -A input -j REJECT -i $INT2IF -p tcp -s $UNIVERSE -d $INT2BROAD 139
  /sbin/ipchains -A input -j REJECT -i $INT2IF -p udp -s $UNIVERSE -d $INT2BROAD 139
  /sbin/ipchains -A input -j REJECT -i $INT2IF -p tcp -s $UNIVERSE -d $INT2IP 445
  /sbin/ipchains -A input -j REJECT -i $INT2IF -p udp -s $UNIVERSE -d $INT2IP 445
  /sbin/ipchains -A input -j REJECT -i $INT2IF -p udp -s $UNIVERSE -d $INT2BROAD 445
  /sbin/ipchains -A input -j REJECT -i $INT2IF -p tcp -s $UNIVERSE -d $INT2BROAD 445
  /sbin/ipchains -A input -j REJECT -i $INT2IF -p tcp -s $UNIVERSE 137 -d $INT2IP
  /sbin/ipchains -A input -j REJECT -i $INT2IF -p udp -s $UNIVERSE 137 -d $INT2IP
  /sbin/ipchains -A input -j REJECT -i $INT2IF -p tcp -s $UNIVERSE 138 -d $INT2IP
  /sbin/ipchains -A input -j REJECT -i $INT2IF -p udp -s $UNIVERSE 138 -d $INT2IP
  /sbin/ipchains -A input -j REJECT -i $INT2IF -p tcp -s $UNIVERSE 139 -d $INT2IP
  /sbin/ipchains -A input -j REJECT -i $INT2IF -p udp -s $UNIVERSE 139 -d $INT2IP
  /sbin/ipchains -A input -j REJECT -i $INT2IF -p tcp -s $UNIVERSE 445 -d $INT2IP
  /sbin/ipchains -A input -j REJECT -i $INT2IF -p udp -s $UNIVERSE 445 -d $INT2IP
fi  

 
#--------------------------------------------------------------------
# Incoming Traffic on all Interfaces
#--------------------------------------------------------------------
# This will control input traffic for all interfaces.  This is 
# usually used for what could be considered as public services.  
#--------------------------------------------------------------------
echo "  - Setting input filters for public services [all interfaces]."

# AUTH: Allow the authentication protocol, ident, to function on all 
#       interfaces but disable it in /etc/inetd.conf.  The reason to 
#       allow this traffic in but block it via Inetd is because some 
#       legacy TCP/IP stacks don't deal with REJECTed "auth" requests 
#       properly (with nothing listening, the kernel answers with a TCP 
#       RST instead, which every client handles).
#
# Traffic TO your machine (ident queries) and replies FROM remote ident
# servers to queries this machine sent.  The second rule only matches 
# non-SYN packets ("! -y") so that a source port of 113 cannot be used 
# to open new connections to arbitrary ports on this machine.
/sbin/ipchains -A input -j ACCEPT -p tcp -s $UNIVERSE -d $UNIVERSE auth
/sbin/ipchains -A input -j ACCEPT ! -y -p tcp -s $UNIVERSE auth -d $UNIVERSE

# BOOTP/DHCP: Reject all stray bootp traffic.
#
# Disabled by default.
#/sbin/ipchains -A input -j REJECT -p udp -s $UNIVERSE bootpc

# DNS: If you are running an authoritative DNS server, you must open
#      up the DNS ports on all interfaces to allow lookups.  If you are
#      running a caching DNS server, you will need to at least open the DNS
#      ports to internal interfaces.
#
#      It is recommended to secure DNS by restricting zone transfers and 
#      running split DNS servers as documented in Step 4.
#
# Disabled by default.
#echo "       Optional parameter: DNS server"
#/sbin/ipchains -A input -j ACCEPT -p tcp -s $UNIVERSE -d $UNIVERSE domain
#/sbin/ipchains -A input -j ACCEPT -p udp -s $UNIVERSE -d $UNIVERSE domain

# RIP: Reject all stray RIP traffic.  Many improperly configured
#      networks propagate network routing protocols to the edge of the
#      network.  The following line lets you explicitly filter it here
#      without logging to SYSLOG.
#
# Disabled by default.
#/sbin/ipchains -A input -j REJECT -p udp -s $UNIVERSE -d $UNIVERSE route

# SMTP: If this server is an authoritative SMTP email server, you must 
#       allow SMTP traffic to all interfaces. 
#
# Disabled by default.
#echo "       Optional parameter: SMTP server"
#/sbin/ipchains -A input -j ACCEPT -p tcp -s $UNIVERSE -d $UNIVERSE smtp

# SQUID Proxy w/ JunkBuster
#
# If you are using Squid w/ Junkbuster enabled [Banner filtering],  you will 
# need to enable the following lines to do the IPCHAINS port redirection to 
# port 3128.  This also assumes that you have Squid properly configured and 
# running.
#
# Disabled by default.
#echo "       Optional parameter: SQUID transparent proxy"
#/sbin/ipchains -A input -j ACCEPT -i $LOOPBACKIF -p tcp -d $LOOPBACKIP/32 www 
#
# If we don't have an internal interface, don't do things for it
#
#if [ "$INTIF" != "" ]; then
#  # WWW traffic aimed at the Linux box itself is accepted as-is; WWW 
#  # traffic from the internal LAN to anywhere else is redirected to Squid
#  /sbin/ipchains -A input -j ACCEPT -i $INTIF -p tcp -s $INTLAN -d $INTIP/32 www 
#  /sbin/ipchains -A input -j REDIRECT 3128 -i $INTIF -p tcp -s $INTLAN -d $UNIVERSE www $LOGGING
#fi

# If we don't have a DMZ interface, don't do things for it
#
if [ "$INT2IF" != "" ]; then  
  # DMZ network - Enable this section if you have a wireless segment
  #
  # Enabled by default if INT2IF is valid.  This matches traffic FROM SSH
  # servers on the DMZ (source port 22), e.g. replies to internal hosts that
  # SSH into wireless machines.  "! -y" restricts it to reply packets so a
  # source port of 22 cannot be used to open new connections from the DMZ.
  # DMZ hosts that SSH OUT are handled in the DMZ-SECUREHOST section below.
  echo "       Optional parameter: DMZ segment - SSH"
  /sbin/ipchains -A input -j ACCEPT ! -y -i $INT2IF -p tcp -s $INT2LAN ssh -d $UNIVERSE

  # Enabled by default if INT2IF is valid
  echo "       Optional parameter: DMZ segment - DNS"
  /sbin/ipchains -A input -j ACCEPT -i $INT2IF -p tcp -s $INT2LAN -d $UNIVERSE domain
  /sbin/ipchains -A input -j ACCEPT -i $INT2IF -p udp -s $INT2LAN -d $UNIVERSE domain
  
  #Enable this option if you want ALL DMZ machines to access all network services
  # on all interfaces.  The alternative is allow host by host access in the
  # DMZ SecureHOST section below
  #
  # Disabled by default.
  #/sbin/ipchains -A input -j ACCEPT -i $INT2IF -s $INT2LAN -d $UNIVERSE 
fi


#--------------------------------------------------------------------
# Specific Input Rejections from ANY interface
#--------------------------------------------------------------------
# These rule sets reject specific traffic that you do not want out of
# the system.
#--------------------------------------------------------------------
#echo "  - Reject traffic for specific domains."

# If we don't have an internal interface, dont do things for it
#
if [ "$INTIF" != "" ]; then
  #Do not allow ANY internal hosts to be able to reach the following sites:
  #
  #Disabled by default.
  
  #The Doubleclick example will filter ALL types of TCP traffic to the given 
  #       class-C networks including WWW, SMTP (email), etc.  If you 
  #       want a slightly less restrictive example, see the AOL example.
  #
  #Doubleclick.net and .com is renowned for their WWW ad banners
  #
  #/sbin/ipchains -A input -j REJECT -i $INTIF -p tcp -s $UNIVERSE -d 63.160.54.0/24 
  #/sbin/ipchains -A input -j REJECT -i $INTIF -p tcp -s $UNIVERSE -d 128.11.92.0/24
  #/sbin/ipchains -A input -j REJECT -i $INTIF -p tcp -s $UNIVERSE -d 199.95.206.0/24 
  #/sbin/ipchains -A input -j REJECT -i $INTIF -p tcp -s $UNIVERSE -d 199.95.207.0/24 
  #/sbin/ipchains -A input -j REJECT -i $INTIF -p tcp -s $UNIVERSE -d 199.95.208.0/24 
  #/sbin/ipchains -A input -j REJECT -i $INTIF -p tcp -s $UNIVERSE -d 199.95.210.0/24
  #/sbin/ipchains -A input -j REJECT -i $INTIF -p tcp -s $UNIVERSE -d 204.178.112.0/24 
  #/sbin/ipchains -A input -j REJECT -i $INTIF -p tcp -s $UNIVERSE -d 204.253.104.0/24 
  #/sbin/ipchains -A input -j REJECT -i $INTIF -p tcp -s $UNIVERSE -d 208.10.202.0/24 
  #/sbin/ipchains -A input -j REJECT -i $INTIF -p tcp -s $UNIVERSE -d 208.203.243.0/24
  #/sbin/ipchains -A input -j REJECT -i $INTIF -p tcp -s $UNIVERSE -d 208.211.225.0/24
  #/sbin/ipchains -A input -j REJECT -i $INTIF -p tcp -s $UNIVERSE -d 208.228.86.0/24
  #/sbin/ipchains -A input -j REJECT -i $INTIF -p tcp -s $UNIVERSE -d 209.67.38.0/24

  #A shell no-op so the if block stays valid while every rule above is
  #commented out
  :
fi  

#AOL.com is renowned for their users sending SPAM to millions of people on 
#        the Inet.  Though you might want to filter email from them, you 
#        might want to still be able to go look at some of their 
#        WWW pages.  This example ONLY filters EMAIL (SMTP connections 
#        FROM the AOL mail servers TO this machine) and nothing else.
#
#/sbin/ipchains -A input -j REJECT -i $EXTIF -p tcp -s 152.163.159.0/24 -d $EXTIP smtp
#/sbin/ipchains -A input -j REJECT -i $EXTIF -p tcp -s 205.188.157.0/24 -d $EXTIP smtp


#--------------------------------------------------------------------
# Explicit INPUT Access from external LAN Hosts
#--------------------------------------------------------------------
# This controls external access from specific external hosts (secure hosts).
# This example permits FTP, FTP-DATA, SSH, POP-3 and TELNET traffic from a
# secure host INTO the firewall. In addition to these input rules, we must also
# explicitly allow the traffic from the remote host to get out.  See the rules
# in the output section for more details
#
# Disabled by default: each block below only runs if its SECUREHOST 
# variable is set.
#--------------------------------------------------------------------
echo "  - SECUREHOST: Setting input filters for explicit hosts."

# The secure host section

if [ "$SECUREHOST" != "" ]; then
  echo "     * Allowing $SECUREHOST INPUT for ftp, ftp-data, ssh"
  /sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST -d $EXTIP ftp
  /sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST -d $EXTIP ftp-data
  /sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST -d $EXTIP ssh
fi

if [ "$SECUREHOST2" != "" ]; then
  echo "     * Allowing $SECUREHOST2 INPUT for ftp, ftp-data, ssh, www, telnet, imap"
  /sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST2 -d $EXTIP ftp
  /sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST2 -d $EXTIP ftp-data
  /sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST2 -d $EXTIP ssh
  /sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST2 -d $EXTIP telnet
  /sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST2 -d $EXTIP www
  /sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST2 -d $EXTIP imap
fi

if [ "$SECUREHOST3" != "" ]; then
  echo "     * Allowing $SECUREHOST3 INPUT for ftp, ftp-data, ssh, www"
  /sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST3 -d $EXTIP ftp
  /sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST3 -d $EXTIP ftp-data
  /sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST3 -d $EXTIP ssh
  /sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST3 -d $EXTIP www
fi

if [ "$SECUREHOST4" != "" ]; then
  echo "     * Allowing $SECUREHOST4 INPUT for ftp, ftp-data, ssh, www"
  /sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST4 -d $EXTIP ftp
  /sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST4 -d $EXTIP ftp-data
  /sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST4 -d $EXTIP ssh
  /sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST4 -d $EXTIP www
fi

if [ "$SECUREHOST5" != "" ]; then
  echo "     * Allowing $SECUREHOST5 INPUT for ftp, ftp-data, ssh, www"
  /sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST5 -d $EXTIP ftp 
  /sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST5 -d $EXTIP ftp-data
  /sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST5 -d $EXTIP ssh
  /sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST5 -d $EXTIP www
fi

if [ "$SECUREHOST6" != "" ]; then
  echo "     * Allowing $SECUREHOST6 INPUT for ftp, ftp-data, ssh, pop-3, and telnet"
  /sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST6 -d $EXTIP ftp
  /sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST6 -d $EXTIP ftp-data
  /sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST6 -d $EXTIP ssh
  /sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST6 -d $EXTIP pop-3
  /sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST6 -d $EXTIP telnet  
fi


echo "  - DMZ-SECUREHOST: Setting input filters for explicit hosts."
# If we don't have a DMZ interface, don't do things for it
#
if [ "$INT2IF" != "" ] && [ "$DMZHOST1" != "" ]; then 
  #DMZ SecureHost
  #
  # SSH to the Linux server and to the internal LAN, plus any TCP service
  # on the Internet.  "! -d $INTLAN" keeps the last rule from also granting
  # every TCP port on the internal LAN (those are rejected further below).
  echo "     * Allowing $DMZHOST1 INPUT for ssh to the Linux server and the INET"
  /sbin/ipchains -A input -j ACCEPT -i $INT2IF -p tcp -s $DMZHOST1 -d $INT2IP ssh
  /sbin/ipchains -A input -j ACCEPT -i $INT2IF -p tcp -s $DMZHOST1 -d $INTLAN ssh
  /sbin/ipchains -A input -j ACCEPT -i $INT2IF -p tcp -s $DMZHOST1 ! -d $INTLAN 
fi

if [ "$INT2IF" != "" ] && [ "$DMZHOST2" != "" ]; then 
  echo "     * Allowing $DMZHOST2 INPUT for ssh to the Linux server and the INET"
  /sbin/ipchains -A input -j ACCEPT -i $INT2IF -p tcp -s $DMZHOST2 -d $INT2IP ssh
  /sbin/ipchains -A input -j ACCEPT -i $INT2IF -p tcp -s $DMZHOST2 -d $INTLAN ssh 
  /sbin/ipchains -A input -j ACCEPT -i $INT2IF -p tcp -s $DMZHOST2 ! -d $INTLAN 
fi


if [ "$INT2IF" != "" ]; then 
  #DMZ network - this is where most of the wireless filtering occurs
  /sbin/ipchains -A input -j REJECT -i $INT2IF -s $INT2LAN -d $INTLAN $LOGGING
  /sbin/ipchains -A input -j REJECT -i $INT2IF -s $INT2LAN -d $INT2LAN $LOGGING
  /sbin/ipchains -A input -j REJECT -i $INT2IF -s $INTLAN -d $UNIVERSE $LOGGING
fi


# If we don't have an internal interface, don't do things for it
#
if [ "$INTIF" != "" ]; then
  # Allow ALL internal interfaces to access the Inet
  # ------------------------------------------------
  # Local interface, local machines, going anywhere is valid.  
  #
  # The main reason why this is at the BOTTOM of the INPUT section is to 
  # make sure that all required DENY/REJECT firewall lines are hit before 
  # allowing all internal traffic.  If you DON'T want to allow ALL internal 
  # traffic to get out to the Internet, put a "#" in front of the line 
  # below and uncomment the lines at the top of this section that allow 
  # only specific internal HOSTS to get out.
  #
  /sbin/ipchains -A input -j ACCEPT -i $INTIF -s $INTLAN -d $UNIVERSE
fi

# Loopback interface is valid.
# 
/sbin/ipchains -A input -j ACCEPT -i $LOOPBACKIF -s $UNIVERSE -d $UNIVERSE


# HIGH PORTS: 
#
# Enable all high unprivileged ports for all reply TCP/UDP traffic
#
# NOTE: The use of the "! -y" flag filters TCP traffic that doesn't have the
#       SYN bit set.  In other words, this means that any traffic that is
#       trying to initiate traffic to your server on a HIGH port will be
#       rejected.
#
#       The only HIGH port traffic that will be accepted is either return
#       traffic that the server originally initiated or UDP-based traffic.
#
# NOTE2: Please note that port 20 for ACTIVE FTP sessions should NOT use
#        SYN filtering: the remote FTP server opens the data connection
#        FROM its port 20 TO a high port on this box, so we must 
#        specifically allow it in.  The price is that ANY remote host can
#        open a connection to any high port here simply by using source
#        port 20; comment that rule out if you only use PASSIVE FTP (the
#        DMZ rules below already leave it out).
#
echo "  - Enabling all input REPLY [TCP/UDP] traffic on high ports."
/sbin/ipchains -A input -j ACCEPT ! -y -p tcp -s $UNIVERSE -d $EXTIP $UNPRIVPORTS
/sbin/ipchains -A input -j ACCEPT -p tcp -s $UNIVERSE ftp-data -d $EXTIP $UNPRIVPORTS
/sbin/ipchains -A input -j ACCEPT -p udp -s $UNIVERSE -d $EXTIP $UNPRIVPORTS

# If we don't have a DMZ interface, don't do things for it
#
if [ "$INT2IF" != "" ]; then  
  #DMZ network - the ftp-data (source port 20) exception is deliberately
  #left out here, since it lets any host open connections to high ports
  /sbin/ipchains -A input -j ACCEPT ! -y -p tcp -s $UNIVERSE -d $INT2IP $UNPRIVPORTS
  /sbin/ipchains -A input -j ACCEPT -p udp -s $UNIVERSE -d $INT2IP $UNPRIVPORTS
fi

#--------------------------------------------------------------------
# Catch All INPUT Rule
#--------------------------------------------------------------------
#
echo "  - Final input catch all rule."

# All other incoming traffic is REJECTed (an ICMP unreachable goes back)
# and logged.  Use DENY instead if you prefer to drop it silently.
/sbin/ipchains -A input -j REJECT -s $UNIVERSE -d $UNIVERSE $LOGGING
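The two notes in the HIGH PORTS block describe the intent of the "! -y" rules. The block below is an added example, written in Python for this page and not part of the TrinityOS script or of ipchains: it models the first-match evaluation of exactly those three rules plus the final catch-all REJECT and feeds it constructed packets, so the stateless gap (non-SYN probes and anything from source port 20 are accepted) is visible. EXTIP, UNPRIVPORTS, the "-y" flag semantics (SYN set, ACK and FIN clear) and every sample packet are assumptions of the example, not values from the page.

```python
# Added example, not part of the TrinityOS script or of ipchains: a small
# first-match evaluator for ipchains-style rules, used to show what the
# HIGH PORTS rules plus the final catch-all REJECT actually let in.
# EXTIP, UNPRIVPORTS and every packet below are constructed stand-ins.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, Optional, Tuple

EXTIP = "203.0.113.10"          # stand-in for $EXTIP (TEST-NET-3 address)
UNIVERSE = "0.0.0.0/0"          # stand-in for $UNIVERSE
UNPRIVPORTS = (1024, 65535)     # stand-in for $UNPRIVPORTS (1024:65535)
FTP_DATA = (20, 20)             # "ftp-data" from /etc/services

PortRange = Optional[Tuple[int, int]]


@dataclass(frozen=True)
class Packet:
    proto: str                           # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str] = frozenset()  # TCP flags that are set


@dataclass(frozen=True)
class Rule:
    target: str                          # ACCEPT, REJECT or DENY
    proto: Optional[str] = None          # -p
    src: str = UNIVERSE                  # -s address
    sport: PortRange = None              # -s port range, inclusive
    dst: str = UNIVERSE                  # -d address
    dport: PortRange = None              # -d port range, inclusive
    syn: Optional[bool] = None           # True = "-y", False = "! -y"


def syn_only(flags):
    """ipchains -y: SYN set with ACK and FIN clear (a connection request)."""
    return "SYN" in flags and not ({"ACK", "FIN"} & flags)


def in_range(port, rng):
    return rng is None or rng[0] <= port <= rng[1]


def matches(rule, pkt):
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if ip_address(pkt.src) not in ip_network(rule.src):
        return False
    if ip_address(pkt.dst) not in ip_network(rule.dst):
        return False
    if not (in_range(pkt.sport, rule.sport) and in_range(pkt.dport, rule.dport)):
        return False
    # "-y" / "! -y" only ever apply to TCP
    if rule.syn is not None and pkt.proto == "tcp" and syn_only(pkt.flags) != rule.syn:
        return False
    return True


def evaluate(chain, pkt, policy="DENY"):
    """An ipchains chain is first-match: the first matching rule decides."""
    for rule in chain:
        if matches(rule, pkt):
            return rule.target
    return policy


# The three HIGH PORTS input rules and the catch-all, in script order.
# Service rules that appear earlier in the real script are not modelled.
INPUT_CHAIN = [
    Rule("ACCEPT", proto="tcp", dst=EXTIP, dport=UNPRIVPORTS, syn=False),
    Rule("ACCEPT", proto="tcp", sport=FTP_DATA, dst=EXTIP, dport=UNPRIVPORTS),
    Rule("ACCEPT", proto="udp", dst=EXTIP, dport=UNPRIVPORTS),
    Rule("REJECT"),
]

# Constructed packets arriving on the external interface.
SAMPLES = {
    "http reply":   Packet("tcp", "198.51.100.5", 80, EXTIP, 40000, frozenset({"ACK"})),
    "new conn":     Packet("tcp", "198.51.100.7", 4444, EXTIP, 40000, frozenset({"SYN"})),
    "ack scan":     Packet("tcp", "198.51.100.7", 4444, EXTIP, 40000, frozenset({"ACK"})),
    "fin scan":     Packet("tcp", "198.51.100.7", 4444, EXTIP, 40000, frozenset({"FIN"})),
    "syn from 20":  Packet("tcp", "198.51.100.7", 20, EXTIP, 40000, frozenset({"SYN"})),
    "udp to 40000": Packet("udp", "198.51.100.7", 53, EXTIP, 40000),
}


def verdicts():
    return {name: evaluate(INPUT_CHAIN, pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in verdicts().items():
        print(f"{name:13s} -> {verdict}")
```

Only "new conn" hits the catch-all: the genuine reply, the ACK and FIN probes and the bare SYN from source port 20 are all ACCEPTed, because the rule has no connection table to consult and the port-20 exception trusts a source port the sender chooses.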


#********************************************************************
# Output Rules
#********************************************************************
echo "----------------------------------------------------------------------"
echo "Output Rules:"

#--------------------------------------------------------------------
# Outgoing Traffic on the Internal LAN
#--------------------------------------------------------------------
# This rule set provides policies for traffic that is going out on the internal
# LAN.
#
# In this example, all traffic is allowed out.  Therefore there is no
# requirement to implement individual filters.  However, as with the input
# section above, examples are given for demonstrative purposes.  It is also
# noted that the same rules, outlined above, apply regarding the order of the
# filtering rules.
#--------------------------------------------------------------------
echo "  - Setting output filters for traffic on the internal LAN."

# If we don't have an internal interface, dont do things for it
#
if [ "$INTIF" != "" ]; then
  # Local interface, any source going to local net is valid.
  /sbin/ipchains -A output -j ACCEPT -i $INTIF -s $UNIVERSE -d $INTLAN
fi

# Loopback interface is valid.
/sbin/ipchains -A output -j ACCEPT -i $LOOPBACKIF -s $UNIVERSE -d $UNIVERSE

# If we don't have an internal interface, dont do things for it
#
if [ "$INTIF" != "" ]; then
  # DHCP: If you have configured a DHCP server on this Linux machine, you 
  #       will need to enable the following rule set.
  #
  # NOTE: DHCP (RFC 2131) runs over UDP only.  /etc/services lists
  #       bootps/bootpc for TCP as well, which is why a TCP rule appears
  #       below, but no DHCP client or server uses it; the UDP rule is the
  #       one that matters and the TCP rule can be dropped.
  #
  # Enabled by default.
  echo "       Optional parameter: DHCPd server"
  /sbin/ipchains -A output -j ACCEPT -i $INTIF -p udp -s $INTIP/32 bootps -d $BROADCAST/0 bootpc
  /sbin/ipchains -A output -j ACCEPT -i $INTIF -p tcp -s $INTIP/32 bootps -d $BROADCAST/0 bootpc

  #If you DISABLE the lines above, you need this following line to
  #let the if..then statement run without failing out
  echo "." > /dev/null
fi

# DMZ DHCP server - If we don't have a DMZ interface, dont do things for it
#
# Disabled by default
#
# if [ "$INT2IF" != "" ]; then  
#  /sbin/ipchains -A output -j ACCEPT -i $INT2IF -p udp -s $INT2IP/32 bootps -d $BROADCAST/0 bootpc
#  /sbin/ipchains -A output -j ACCEPT -i $INT2IF -p tcp -s $INT2IP/32 bootps -d $BROADCAST/0 bootpc
# fi


# If we don't have an internal interface, dont do things for it
#
if [ "$INTIF" != "" ]; then 
  # HTTP: The following is an example of how to allow HTTP traffic to an
  #       intranet WWW server without allowing access from the external
  #       network.
  #
  # Disabled by default.
  # echo "       Optional parameter: WWW server"
  #/sbin/ipchains -A output -j ACCEPT -i $INTIF -p tcp -s $INTIP/32 http -d $INTLAN 


  # APC PowerChute for Linux:  The following is needed for APCs PowerChute
  #       software for Linux.  The way it works is that it broadcasts the
  #       private network looking for the upsd daemon.
  #
  # Disabled by default.
  #echo "       Optional parameter: UPSd server"
  #/sbin/ipchains -A output -j ACCEPT -i $INTIF -p udp -s $INTIP/32 -d $BROADCAST 5456

  #This is required to complete the if..then loop if it is empty
  echo "." > /dev/null
fi


# If we don't have an internal interface, dont do things for it
#
if [ "$INTIF" != "" ]; then
  #--------------------------------------------------------------------
  # Explicit Output from Internal LAN Hosts
  #--------------------------------------------------------------------
  # The following rule sets only allow SPECIFIC hosts on the internal LAN to
  # access services on this firewall server itself.  Many people might feel that
  # this is extreme but many system attacks occur from the INTERNAL network as
  # well.
  #
  # Examples given allow access via FTP, FTP-DATA, SSH, and TELNET. 
  #
  # In order for this rule set to work, you must first comment out the line above
  # that provides full access to the internal LAN by all internal hosts.
  #
  # Disabled by default.
  #--------------------------------------------------------------------
  #echo "  - Setting output filters for specific internal hosts."
  
  # First host
  #/sbin/ipchains -A output -j ACCEPT -i $INTIF -p tcp -s $HOST1IP -d $INTIP ftp
  #/sbin/ipchains -A output -j ACCEPT -i $INTIF -p tcp -s $HOST1IP -d $INTIP ftp-data
  #/sbin/ipchains -A output -j ACCEPT -i $INTIF -p tcp -s $HOST1IP -d $INTIP ssh
  #/sbin/ipchains -A output -j ACCEPT -i $INTIF -p tcp -s $HOST1IP -d $INTIP telnet
  
  # Second host
  #/sbin/ipchains -A output -j ACCEPT -i $INTIF -p tcp -s $HOST2IP -d $INTIP ftp
  #/sbin/ipchains -A output -j ACCEPT -i $INTIF -p tcp -s $HOST2IP -d $INTIP ftp-data
  #/sbin/ipchains -A output -j ACCEPT -i $INTIF -p tcp -s $HOST2IP -d $INTIP ssh
  #/sbin/ipchains -A output -j ACCEPT -i $INTIF -p tcp -s $HOST2IP -d $INTIP telnet

  #This is required to complete the if..then loop if it is empty
  echo "." > /dev/null
fi
  
#--------------------------------------------------------------------
# Outgoing Traffic on the External Interface
#--------------------------------------------------------------------
# This rule set will control what traffic can go out on the external interface.
#--------------------------------------------------------------------
echo "  - Setting output filters for traffic on the external interface."

# DHCP Client: If your Linux server is connected via DSL or a Cablemodem 
#              connection and you get dynamic DHCP addresses, you will need to 
#              enable the following rule sets.
#
# NOTE: DHCP (RFC 2131) runs over UDP only.  The TCP line is listed because
#       /etc/services has bootps/bootpc for TCP as well, but no DHCP client
#       uses it; the UDP rule is the one you need.
#
# Disabled by default.
#/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $UNIVERSE bootpc -d $UNIVERSE bootps
#/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p udp -s $UNIVERSE bootpc -d $UNIVERSE bootps

# FTP: Allow FTP traffic (the Linux server is a FTP server)
#
# Disabled by default.
# echo "       Optional parameter: FTP server"
#/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP ftp -d $UNIVERSE
#/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP ftp-data -d $UNIVERSE

# IRCd: Allow IRC traffic (the Linux server is a IRC server)
#
#        Make sure ircd is defined in /etc/services
#
# Disabled by default
# echo "       Optional parameter: IRC server"
# /sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP ircd -d $UNIVERSE

# HTTP: Allow HTTP traffic (the Linux server is a WWW server) 
#
# Disabled by default
# echo "       Optional parameter: WWW server"
#/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP http -d $UNIVERSE 

# HTTPS: Allow HTTPS traffic (the Linux server is a WWW server) 
#
# Disabled by default
# echo "       Optional parameter: HTTPS server"
#/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP https -d $UNIVERSE 

# NTP: Allow NTP replies out (the Linux server is a NTP server)
#
#  NOTE:  NTP (RFC 1305) runs over UDP port 123.  The TCP rule below is
#         harmless but unused; the UDP rule is the one that matters.
#
# Disabled by default
# echo "       Optional parameter: NTP server"
#/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP ntp -d $UNIVERSE
#/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p udp -s $EXTIP ntp -d $UNIVERSE

# TELNET: Allow telnet traffic (the Linux server is a TELNET server)
#
# Disabled by default
# echo "       Optional parameter: TELNET server"
#/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP telnet -d $UNIVERSE

# SSH server: Allow outgoing SSH traffic (the Linux server is a SSH server)
#
# Disabled by default
#
# echo "       Optional parameter: SSH server"
# /sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP ssh -d $UNIVERSE


#--------------------------------------------------------------------
# Outgoing Traffic on all Interfaces
#--------------------------------------------------------------------
# This will control output traffic for all interfaces.  This is 
# usually used for what could be considered as public services.  It 
# is noted that we provide a few rejection rule sets as examples but 
# these are not required due to the overall REJECT statement above.
#--------------------------------------------------------------------
echo "  - Setting output filters for public services on all interfaces."

# AUTH: Let the ident/auth protocol (TCP port 113) pass on all interfaces,
#       but leave it DISABLED in /etc/inetd.conf.  Remote SMTP and IRC
#       servers often send an ident query before accepting a connection.
#       With no listener, the kernel answers with a TCP RST and the remote
#       server moves on at once; if the firewall REJECTed the query with an
#       ICMP unreachable instead, some TCP/IP stacks ignore that and keep
#       waiting, so your mail and IRC connections stall until they time out.
#
# Traffic TO your machine and FROM your machine
/sbin/ipchains -A output -j ACCEPT -p tcp -s $UNIVERSE auth -d $UNIVERSE
/sbin/ipchains -A output -j ACCEPT -p tcp -s $UNIVERSE -d $UNIVERSE auth

# DNS: If your Linux server is an authoritative DNS server, you must 
# enable this rule set 
#
# Disabled by default
#echo "       Optional parameter: DNS server"
#/sbin/ipchains -A output -j ACCEPT -p tcp -s $EXTIP domain -d $UNIVERSE 
#/sbin/ipchains -A output -j ACCEPT -p udp -s $EXTIP domain -d $UNIVERSE


# Advanced ICMP:  Some users prefer that their UNIX box NOT ping, etc.
#                 This is easy enough to do but be sure you know what you
#                 are doing.
#
#      There is an EXCELLENT paper on ICMP filtering available at:
#
#    http://www.sys-security.com/archive/papers/ICMP_Scanning_v2.0.pdf
#
#
#   NOTE:  RFC 1122 forbids sending an ICMP error message in response to
#          an ICMP error message, so REJECTing the ICMP error types below
#          (unreachable, source-quench, redirect, time-exceeded,
#          parameter-problem) generates no reply traffic; for them REJECT
#          is simply DENY plus a log entry.
#
#   NOTE2: For a full list of all supported major and minor ICMP codes, run:
#              /sbin/ipchains -h icmp
#
#   NOTE3: Direction matters.  These are OUTPUT rules: "-s $EXTIP" matches
#          ICMP that THIS server sends.  To stop answering something from
#          the Internet, filter the REPLY type (e.g. echo-reply), not the
#          request type.  With IP Masquerading, packets from the internal
#          LAN reach the output chain already rewritten with $EXTIP as
#          their source, so these rules also apply to the masqueraded hosts.
#
# MOST are Disabled by default.
#
#
# Do NOT send ICMP ECHO REPLY (type 0), i.e. do not answer pings from the
#   Internet (some find this useful)
#
# echo "       Optional parameter: ICMP ECHO REPLY outbound filtered"
#/sbin/ipchains -A output -j REJECT -i $EXTIF -p icmp -s $EXTIP -d $UNIVERSE --icmp-type echo-reply
#
# TCP/UDP TRACEROUTE: a UNIX traceroute sends UDP probes to ports 33434
#   and up; the answers it listens for are ICMP, not UDP: TIME-EXCEEDED
#   (type 11) from each hop and PORT-UNREACHABLE (type 3) from the target.
#   To hide this server from traceroute, filter those ICMP types OUTBOUND
#   (see the TTL-EXPIRED and DESTINATION-UNREACHABLE notes below).  The two
#   rules here do something different: they stop THIS server, and the
#   masqueraded hosts behind it, from sending probes to the first
#   traceroute port (33434 only, so the later probes still leave).
#
# echo "       Optional parameter: TCP/UDP TRACEROUTE outbound filtered"
#/sbin/ipchains -A output -j REJECT -i $EXTIF -p tcp -s $EXTIP -d $UNIVERSE 33434 $LOGGING
#/sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP -d $UNIVERSE 33434 $LOGGING
#
# ICMP TRACEROUTE: MS Windows tracert uses ICMP ECHO REQUESTs instead of
#   UDP; the replies are again TIME-EXCEEDED plus an ECHO REPLY from the
#   target, so filter those outbound to hide.  The rule below only stops
#   this server (and masqueraded hosts) from sending ECHO REQUESTs, i.e.
#   from pinging or tracing Internet hosts itself.
#
# echo "       Optional parameter: ICMP TRACEROUTE [MS] outbound filtered"
#/sbin/ipchains -A output -j REJECT -i $EXTIF -p icmp -s $EXTIP -d $UNIVERSE --icmp-type echo-request $LOGGING
#
# Do NOT send DESTINATION-UNREACHABLE (type 3) to the Internet (this is 
#   NOT a good idea: type 3 also carries FRAGMENTATION-NEEDED (code 4),
#   without which Path MTU discovery towards this host breaks.  If you
#   must, filter only the specific SUB-option you mean, such as
#   PROTOCOL-UNREACHABLE, in the OUTBOUND direction)
#
# echo "       Optional parameter: ICMP DESTINATION-UNREACHABLE output filtered"
#/sbin/ipchains -A output -j REJECT -i $EXTIF -p icmp -s $EXTIP -d $UNIVERSE --icmp-type destination-unreachable $LOGGING
#
# Do NOT reply to SOURCEQUENCH (type 4) from the Internet (this is NOT a 
#   good idea)
#
# echo "       Optional parameter: ICMP SOURCEQUENCH outbound filtered"
#/sbin/ipchains -A output -j REJECT -i $EXTIF -p icmp -s $EXTIP -d $UNIVERSE --icmp-type source-quench $LOGGING
#
# Do NOT reply to ANY form of ICMP REDIRECT packets (type 5) (this can 
#   help stop OS fingerprinting)
#
echo "       Optional parameter: ICMP REDIRECT outbound filtered"
/sbin/ipchains -A output -j REJECT -i $EXTIF -p icmp -s $EXTIP -d $UNIVERSE --icmp-type redirect $LOGGING

# If we don't have a DMZ interface, dont do things for it
#
if [ "$INT2IF" != "" ]; then  
  /sbin/ipchains -A output -j REJECT -i $INT2IF -p icmp -s $INT2IP -d $UNIVERSE --icmp-type redirect $LOGGING
fi

# Do NOT send ICMP ECHO REQUEST (type 8) out the external interface, i.e.
#   this server (and masqueraded hosts) cannot ping Internet hosts.  This
#   is the same rule as the ICMP TRACEROUTE [MS] one above and does NOT
#   stop Internet hosts pinging you; for that, filter ECHO REPLY above.
#
# echo "       Optional parameter: ICMP ECHO outbound filtered"
#/sbin/ipchains -A output -j REJECT -i $EXTIF -p icmp -s $EXTIP -d $UNIVERSE --icmp-type echo-request $LOGGING
#
# TTL-EXPIRED (type 11): the rule below matches only code 1,
#   TTL-ZERO-DURING-REASSEMBLY (a fragmented datagram timed out while
#   being reassembled), which is harmless to suppress.  It does NOT match
#   code 0, TTL-ZERO-DURING-TRANSIT, the message that answers traceroute
#   probes.  To hide this server from traceroute use
#   "--icmp-type ttl-zero-during-transit" (or "time-exceeded" for all of
#   type 11) instead, knowing that this also hides it from legitimate
#   traceroutes run by you or your ISP.  Filter this OUTBOUND only.
#
echo "       Optional parameter: ICMP TTL-EXPIRED outbound filtered"
/sbin/ipchains -A output -j REJECT -i $EXTIF -p icmp -s $EXTIP -d $UNIVERSE --icmp-type ttl-zero-during-reassembly $LOGGING


# If we don't have a DMZ interface, dont do things for it
#
if [ "$INT2IF" != "" ]; then  
  /sbin/ipchains -A output -j REJECT -i $INT2IF -p icmp -s $INT2IP -d $UNIVERSE --icmp-type ttl-zero-during-reassembly $LOGGING
fi


# Do NOT send PARAMETER-PROBLEM packets (type 12) out the external
#   interface (filter these OUTBOUND only; dropping them INBOUND is NOT a
#   good idea)
#
echo "       Optional parameter: ICMP PARAMETER-PROBLEM outbound filtered"
/sbin/ipchains -A output -j REJECT -i $EXTIF -p icmp -s $EXTIP -d $UNIVERSE --icmp-type parameter-problem $LOGGING


# If we don't have a DMZ interface, dont do things for it
#
if [ "$INT2IF" != "" ]; then  
  /sbin/ipchains -A output -j REJECT -i $INT2IF -p icmp -s $INT2IP -d $UNIVERSE --icmp-type parameter-problem $LOGGING
fi


# Do NOT reply to ICMP TIMESTAMP packets (type 13 and 14) (this can help 
#   stop OS fingerprinting)
#
echo "       Optional parameter: ICMP TIMESTAMP outbound filtered"
/sbin/ipchains -A output -j REJECT -i $EXTIF -p icmp -s $EXTIP -d $UNIVERSE --icmp-type timestamp-request $LOGGING
/sbin/ipchains -A output -j REJECT -i $EXTIF -p icmp -s $EXTIP -d $UNIVERSE --icmp-type timestamp-reply $LOGGING


# If we don't have a DMZ interface, dont do things for it
#
if [ "$INT2IF" != "" ]; then  
  /sbin/ipchains -A output -j REJECT -i $INT2IF -p icmp -s $INT2IP -d $UNIVERSE --icmp-type timestamp-request $LOGGING
  /sbin/ipchains -A output -j REJECT -i $INT2IF -p icmp -s $INT2IP -d $UNIVERSE --icmp-type timestamp-reply $LOGGING
fi


# ICMP INFORMATION (type 15 and 16) packet filtering is NOT supported by 
#   either LINUX or IPCHAINS (no big deal)
#
# Do NOT reply to ICMP ADDRESS MASK packets (type 17 and 18) (this can help
#   stop OS fingerprinting)
#
echo "       Optional parameter: ICMP ADDRESS-MASK outbound filtered"
/sbin/ipchains -A output -j REJECT -i $EXTIF -p icmp -s $EXTIP -d $UNIVERSE --icmp-type address-mask-request $LOGGING
/sbin/ipchains -A output -j REJECT -i $EXTIF -p icmp -s $EXTIP -d $UNIVERSE --icmp-type address-mask-reply $LOGGING

# If we don't have a DMZ interface, dont do things for it
#
if [ "$INT2IF" != "" ]; then  
  /sbin/ipchains -A output -j REJECT -i $INT2IF -p icmp -s $INT2IP -d $UNIVERSE --icmp-type address-mask-request $LOGGING
  /sbin/ipchains -A output -j REJECT -i $INT2IF -p icmp -s $INT2IP -d $UNIVERSE --icmp-type address-mask-reply $LOGGING
fi


# General ICMP: Allow ICMP traffic out
#
# NOTE: Disabling ICMP packets via the firewall rule set can do far
# more than just stop people from pinging your machine.  Many aspects
# of TCP/IP and its associated applications rely on various ICMP
# messages.  Without ICMP, both your Linux server and internal Masq'ed
# computers might not work.
#
#   If you feel compelled to do ICMP filtering, do it by uncommenting your
#   desired traffic types from the section ABOVE and NOT here.
#
/sbin/ipchains -A output -j ACCEPT -p icmp -s $UNIVERSE -d $UNIVERSE


# NNTP: This allows NNTP news replies out (the Linux server is a NNTP server).
#
# Disabled by default
# echo "       Optional parameter: NNTP server"
#/sbin/ipchains -A output -j ACCEPT -p tcp -s $EXTIP nntp -d $UNIVERSE

# SMTP: If the Linux server receives mail (is the MX for a domain) or 
# relays mail for the internal LAN, you must enable this rule set.
#
# Disabled by default
#echo "       Optional parameter: SMTP server"
#/sbin/ipchains -A output -j ACCEPT -p tcp -s $EXTIP smtp -d $UNIVERSE


#--------------------------------------------------------------------
# Output to Explicit Hosts
#--------------------------------------------------------------------
# This controls output to specific external hosts [secure hosts].  This example
# implementation allows ftp, ftp-data and ssh replies out to the secure
# hosts (and, for SECUREHOST2, also telnet, www and imap).  In addition to
# these rules, we must also explicitly allow the traffic in from the remote
# host.  See the input rules above to see this take place.
#
# Disabled by default.
#--------------------------------------------------------------------
echo "  - SECUREHOST: Setting output filters for explicit hosts."

# The secure host
#
if [ "$SECUREHOST" != "" ]; then
   echo "     * Allowing $SECUREHOST OUTPUT for ftp, ftp-data, ssh"
   /sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP ftp -d $SECUREHOST $UNPRIVPORTS
   /sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP ftp-data -d $SECUREHOST $UNPRIVPORTS
   /sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP ssh -d $SECUREHOST $UNPRIVPORTS
fi

if [ "$SECUREHOST2" != "" ]; then
   echo "     * Allowing $SECUREHOST2 OUTPUT for ftp, ftp-data, ssh, telnet, imap, and www"
   /sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP ftp -d $SECUREHOST2 $UNPRIVPORTS
   /sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP ftp-data -d $SECUREHOST2 $UNPRIVPORTS
   /sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP ssh -d $SECUREHOST2 $UNPRIVPORTS
   /sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP telnet -d $SECUREHOST2 $UNPRIVPORTS
   /sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP www -d $SECUREHOST2 $UNPRIVPORTS
   /sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP imap -d $SECUREHOST2 $UNPRIVPORTS
fi

if [ "$SECUREHOST3" != "" ]; then
   echo "     * Allowing $SECUREHOST3 OUTPUT for ftp, ftp-data, ssh, www" 
   /sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP ftp -d $SECUREHOST3 $UNPRIVPORTS
   /sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP ftp-data -d $SECUREHOST3 $UNPRIVPORTS
   /sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP ssh -d $SECUREHOST3 $UNPRIVPORTS
   /sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP www -d $SECUREHOST3 $UNPRIVPORTS
fi

if [ "$SECUREHOST4" != "" ]; then
   echo "     * Allowing $SECUREHOST4 OUTPUT for ftp, ftp-data, ssh, www"
   /sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP ftp -d $SECUREHOST4 $UNPRIVPORTS
   /sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP ftp-data -d $SECUREHOST4 $UNPRIVPORTS
   /sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP ssh -d $SECUREHOST4 $UNPRIVPORTS
   /sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP www -d $SECUREHOST4 $UNPRIVPORTS
fi

if [ "$SECUREHOST5" != "" ]; then
   echo "     * Allowing $SECUREHOST5 OUTPUT for ftp, ftp-data, ssh, www"
   /sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP ftp -d $SECUREHOST5 $UNPRIVPORTS
   /sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP ftp-data -d $SECUREHOST5 $UNPRIVPORTS
   /sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP ssh -d $SECUREHOST5 $UNPRIVPORTS
   /sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP www -d $SECUREHOST5 $UNPRIVPORTS 
fi

echo "  - DMZ-SECUREHOST: Setting output filters for explicit hosts."
# If we don't have a DMZ interface, dont do things for it
#
if ( [ "$INT2IF" != "" ] && [ "$DMZHOST1" != "" ] ); then  
   echo "     * Allowing $DMZHOST1 OUTPUT for ssh, ftp"
   /sbin/ipchains -A output -j ACCEPT -i $INT2IF -p tcp -s $INT2IP ftp -d $DMZHOST1 $UNPRIVPORTS
   /sbin/ipchains -A output -j ACCEPT -i $INT2IF -p tcp -s $INTLAN ssh -d $DMZHOST1 $UNPRIVPORTS
   /sbin/ipchains -A output -j ACCEPT -i $INT2IF -p tcp -s $INTLAN $UNPRIVPORTS -d $DMZHOST1 ssh
fi

if ( [ "$INT2IF" != "" ] && [ "$DMZHOST2" != "" ] ); then  
   echo "     * Allowing $DMZHOST2 OUTPUT for ssh, ftp"
   /sbin/ipchains -A output -j ACCEPT -i $INT2IF -p tcp -s $INT2IP ftp -d $DMZHOST2 $UNPRIVPORTS
   /sbin/ipchains -A output -j ACCEPT -i $INT2IF -p tcp -s $INTLAN $UNPRIVPORTS -d $DMZHOST2 ssh
   /sbin/ipchains -A output -j ACCEPT -i $INT2IF -p tcp -s $INTLAN ssh -d $DMZHOST2 $UNPRIVPORTS 
fi

#--------------------------------------------------------------------
# Specific Output Rejections
#--------------------------------------------------------------------
# These rule sets reject specific traffic that you do not want out of
# the system.  
#--------------------------------------------------------------------
echo "  - Reject specific outputs."

# If we don't have an internal interface, dont do things for it
#
if [ "$INTIF" != "" ]; then
  # Reject packets leaving the external interface with an internal LAN
  # destination (broken routing, or an attempt to reach the LAN from the
  # outside); deny & log
  /sbin/ipchains -A output -j REJECT -i $EXTIF -s $UNIVERSE -d $INTLAN $LOGGING
fi

# If we don't have a DMZ interface, dont do things for it
#
if [ "$INT2IF" != "" ]; then  
  /sbin/ipchains -A output -j REJECT -i $INT2IF -s $UNIVERSE -d $INTLAN $LOGGING
fi 

# If we don't have an internal interface, dont do things for it
#
if [ "$INTIF" != "" ]; then
  # Reject packets leaving the external interface that still carry an
  # internal LAN source address (masquerading failed or was bypassed);
  # deny and log
  /sbin/ipchains -A output -j REJECT -i $EXTIF -s $INTLAN -d $UNIVERSE $LOGGING
fi

# If we don't have a DMZ interface, dont do things for it
#
if [ "$INT2IF" != "" ]; then  
  # Internal LAN source addresses must never leave via the DMZ interface
  # unless explicitly allowed somewhere above
  /sbin/ipchains -A output -j REJECT -i $INT2IF -s $INTLAN -d $UNIVERSE $LOGGING
fi



# RFC1918 and IANA Reserved Address space Bogon filtering
# 
# Egress filtering: never let a packet with a RESERVED or non-routed 
# SOURCE address leave the external interface (such a packet is a
# configuration error, a masquerading failure or a spoofing attempt
# originating here).  Spoofed sources ARRIVING on $EXTIF must be
# filtered separately, in the input chain.
#
#  See ftp://ftp.iana.org/assignments/ipv4-address-space for up to date
#  results.  
#
# Please run "whois IANA*@arin.net" and with a careful eye
# "whois RESERVED*@arin.net" for more info.
#
# -------------------------------------------------------------------
# NOTE *1*: Please notice that ALL IANA Reserved Address filters
#           (except for the Class-D and Class-E networks) have
#           been disabled as it seems that the IANA is releasing IP
#           address space without updating their tables.  There is
#           the email list called "bogon-announce" which you can 
#           subscribe to here:
#                             http://www.cymru.com/Bogons/
#
# Note2: The bogon list changes ALL the time.  Unless you subscribe
#        to the above bogon list AND update your firewall when things
#        change, you will be blackholing traffic.
#
# Note3: The address ranges shown by whois silently assume CLASSFUL 
#        masks, so convert them to CIDR prefixes before using them here.
# 
# Note4: Some ISPs use RFC1918 addresses for internal addressing of 
#         customers and keeping status on equipment.  Some customers of 
#         General Instruments SURFboard cable modems might have similar 
#         issues.
# 
# -------------------------------------------------------------------  


# Reserved-1
#/sbin/ipchains -A output -j REJECT -i $EXTIF -s 0.0.0.0/8 -d $UNIVERSE $LOGGING

# Reserved-9
#/sbin/ipchains -A output -j REJECT -i $EXTIF -s 1.0.0.0/8 -d $UNIVERSE $LOGGING

# Reserved-2
#/sbin/ipchains -A output -j REJECT -i $EXTIF -s 2.0.0.0/8 -d $UNIVERSE $LOGGING

# Reserved-5
#/sbin/ipchains -A output -j REJECT -i $EXTIF -s 5.0.0.0/8 -d $UNIVERSE $LOGGING

# Reserved-7
#/sbin/ipchains -A output -j REJECT -i $EXTIF -s 7.0.0.0/8 -d $UNIVERSE $LOGGING

# Reserved-10 and RFC1918 (10.x.x.x) 
/sbin/ipchains -A output -j REJECT -i $EXTIF -s 10.0.0.0/8 -d $UNIVERSE $LOGGING

# If we don't have a DMZ interface, dont do things for it
#
if [ "$INT2IF" != "" ]; then  
  /sbin/ipchains -A output -j REJECT -i $INT2IF -s 10.0.0.0/8 -d $UNIVERSE $LOGGING
fi

# Reserved-23
#/sbin/ipchains -A output -j REJECT -i $EXTIF -s 23.0.0.0/8 -d $UNIVERSE $LOGGING

# Reserved-27
#/sbin/ipchains -A output -j REJECT -i $EXTIF -s 27.0.0.0/8 -d $UNIVERSE $LOGGING

# Reserved-31
#/sbin/ipchains -A output -j REJECT -i $EXTIF -s 31.0.0.0/8 -d $UNIVERSE $LOGGING

# Reserved-36
#/sbin/ipchains -A output -j REJECT -i $EXTIF -s 36.0.0.0/8 -d $UNIVERSE $LOGGING

# Reserved-37
#/sbin/ipchains -A output -j REJECT -i $EXTIF -s 37.0.0.0/8 -d $UNIVERSE $LOGGING

# Reserved-39
#/sbin/ipchains -A output -j REJECT -i $EXTIF -s 39.0.0.0/8 -d $UNIVERSE $LOGGING

# Reserved-42
#/sbin/ipchains -A output -j REJECT -i $EXTIF -s 42.0.0.0/8 -d $UNIVERSE $LOGGING

# Reserved-74 and 75
# 74.0.0.0 - 75.255.255.255
#/sbin/ipchains -A output -j REJECT -i $EXTIF -s 74.0.0.0/7 -d $UNIVERSE $LOGGING

# Reserved-76 through 79
# 76.0.0.0 - 79.255.255.255
#/sbin/ipchains -A output -j REJECT -i $EXTIF -s 76.0.0.0/6 -d $UNIVERSE $LOGGING

# Reserved 89 
#/sbin/ipchains -A output -j REJECT -i $EXTIF -s 89.0.0.0/8 -d $UNIVERSE $LOGGING

# Reserved 90
#/sbin/ipchains -A output -j REJECT -i $EXTIF -s 90.0.0.0/8 -d $UNIVERSE $LOGGING

# Reserved 91
#/sbin/ipchains -A output -j REJECT -i $EXTIF -s 91.0.0.0/8 -d $UNIVERSE $LOGGING

# Reserved 92 through 95
# 92.0.0.0 - 95.255.255.255
#/sbin/ipchains -A output -j REJECT -i $EXTIF -s 92.0.0.0/6 -d $UNIVERSE $LOGGING

# Reserved 96 through 111
# 96.0.0.0 - 111.255.255.255
#/sbin/ipchains -A output -j REJECT -i $EXTIF -s 96.0.0.0/4 -d $UNIVERSE $LOGGING

# Reserved 112 through 119
# 112.0.0.0 - 119.255.255.255
#/sbin/ipchains -A output -j REJECT -i $EXTIF -s 112.0.0.0/5 -d $UNIVERSE $LOGGING

# Reserved 120 through 123
# 120.0.0.0 - 123.255.255.255
#/sbin/ipchains -A output -j REJECT -i $EXTIF -s 120.0.0.0/6 -d $UNIVERSE $LOGGING

# Loopback: 127.0.0.0 - 127.255.255.255 (must never appear on the wire)
#/sbin/ipchains -A output -j REJECT -i $EXTIF -s 127.0.0.0/8 -d $UNIVERSE $LOGGING

# BLACKHOLE3
#
# Disabled due to the fact that ALL reverse DNS functions (regardless of the
# address) will stop working properly.  If you have a good explanation of 
# why this is, I would love to hear it.
#
#/sbin/ipchains -A output -j REJECT -i $EXTIF -s 128.9.64.26/32 -d $UNIVERSE $LOGGING

# Includes NET-TEST-B
#/sbin/ipchains -A output -j REJECT -i $EXTIF -s 128.66.0.0/16 -d $UNIVERSE $LOGGING

# IANA-BBLK-RESERVED and RFC1918 (172.16-31.0.0)
/sbin/ipchains -A output -j REJECT -i $EXTIF -s 172.16.0.0/12 -d $UNIVERSE $LOGGING


# If we don't have a DMZ interface, dont do things for it
#
if [ "$INT2IF" != "" ]; then  
  /sbin/ipchains -A output -j REJECT -i $INT2IF -s 172.16.0.0/12 -d $UNIVERSE $LOGGING
fi

# Reserved-173
#/sbin/ipchains -A output -j REJECT -i $EXTIF -s 173.0.0.0/8 -d $UNIVERSE $LOGGING

# Reserved-174 through 175
# 174.0.0.0 - 175.255.255.255
#/sbin/ipchains -A output -j REJECT -i $EXTIF -s 174.0.0.0/7 -d $UNIVERSE $LOGGING

# Reserved-176 through 183
# 176.0.0.0 - 183.255.255.255
#/sbin/ipchains -A output -j REJECT -i $EXTIF -s 176.0.0.0/5 -d $UNIVERSE $LOGGING

# Reserved-184 through 187
# 184.0.0.0 - 187.255.255.255
#/sbin/ipchains -A output -j REJECT -i $EXTIF -s 184.0.0.0/6 -d $UNIVERSE $LOGGING

# Reserved-189
#/sbin/ipchains -A output -j REJECT -i $EXTIF -s 189.0.0.0/8 -d $UNIVERSE $LOGGING

# Reserved-190
#/sbin/ipchains -A output -j REJECT -i $EXTIF -s 190.0.0.0/8 -d $UNIVERSE $LOGGING

# Reserved-4
#/sbin/ipchains -A output -j REJECT -i $EXTIF -s 191.255.0.0/16 -d $UNIVERSE $LOGGING

# ROOT-NS-LAB - 192.0.0.0/24
#/sbin/ipchains -A output -j REJECT -i $EXTIF -s 192.0.0.0/24 -d $UNIVERSE $LOGGING

# NET-ROOTS-NS-LIVE - 192.0.1.0/24
#/sbin/ipchains -A output -j REJECT -i $EXTIF -s 192.0.1.0/24 -d $UNIVERSE $LOGGING

# NET-TEST - 192.0.2.0/24
#/sbin/ipchains -A output -j REJECT -i $EXTIF -s 192.0.2.0/24 -d $UNIVERSE $LOGGING

# RFC1918 (192.168.0.0/16)
#
# Disabled by default (read Note4 above before enabling it).
#/sbin/ipchains -A output -j REJECT -i $EXTIF -s 192.168.0.0/16 -d $UNIVERSE $LOGGING

# If we don't have a DMZ interface, dont do things for it
#
if [ "$INT2IF" != "" ]; then  
  /sbin/ipchains -A output -j ACCEPT -i $INT2IF -s $UNIVERSE -d $INT2LAN 
  /sbin/ipchains -A output -j REJECT -i $INT2IF -s $UNIVERSE -d 192.168.0.0/16 $LOGGING
fi

# RESERVED-13
#/sbin/ipchains -A output -j REJECT -i $EXTIF -s 197.0.0.0/16 -d $UNIVERSE $LOGGING

# Reserved-197
#/sbin/ipchains -A output -j REJECT -i $EXTIF -s 197.0.0.0/8 -d $UNIVERSE $LOGGING

# RESERVED-14
#/sbin/ipchains -A output -j REJECT -i $EXTIF -s 201.0.0.0/8 -d $UNIVERSE $LOGGING

# Reserved-5
#/sbin/ipchains -A output -j REJECT -i $EXTIF -s 223.255.255.0/24 -d $UNIVERSE $LOGGING

# Reserved-223
#/sbin/ipchains -A output -j REJECT -i $EXTIF -s 223.0.0.0/24 -d $UNIVERSE $LOGGING

# Class-E (240.0.0.0/4, reserved for future use; there is no "Class-F").
# Written as two /5 rules, which together cover 240.0.0.0 - 255.255.255.255:
/sbin/ipchains -A output -j REJECT -i $EXTIF -s 240.0.0.0/5 -d $UNIVERSE $LOGGING
/sbin/ipchains -A output -j REJECT -i $EXTIF -s 248.0.0.0/5 -d $UNIVERSE $LOGGING


# If we don't have a DMZ interface, dont do things for it
#
if [ "$INT2IF" != "" ]; then  
  /sbin/ipchains -A output -j REJECT -i $INT2IF -s 240.0.0.0/5 -d $UNIVERSE $LOGGING
  /sbin/ipchains -A output -j REJECT -i $INT2IF -s 248.0.0.0/5 -d $UNIVERSE $LOGGING
fi
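Keeping the list above correct by hand is error-prone: the range comments are easy to get wrong, the list carries both 197.0.0.0/8 and 197.0.0.0/16, and Note4 warns that a rule can blackhole your own link. The block below is an added example, written in Python for this page and not part of the TrinityOS script: it computes a prefix's exact range, merges adjacent prefixes, flags redundant ones, checks whether an address you depend on (such as $EXTIP when the ISP numbers the link from RFC1918 space) would be blocked, and renders rules in the script's own format. All prefixes and addresses in it are constructed for the demonstration.

```python
# Added example, not part of the TrinityOS script: helpers for maintaining
# the bogon/egress list above, using only Python's ipaddress module.  The
# prefixes and addresses used here are constructed for the demonstration;
# $EXTIF, $INT2IF, $UNIVERSE and $LOGGING are the script's variables,
# reproduced literally in the rendered rule text.
from ipaddress import collapse_addresses, ip_address, ip_network

RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


def prefix_range(cidr):
    """First and last address of a prefix, to check the range comments."""
    net = ip_network(cidr)
    return str(net.network_address), str(net.broadcast_address)


def collapse(cidrs):
    """Merge adjacent or overlapping prefixes so one rule covers each block."""
    return [str(n) for n in collapse_addresses(ip_network(c) for c in cidrs)]


def redundant(cidrs):
    """Prefixes already covered by a larger prefix in the same list."""
    nets = [ip_network(c) for c in cidrs]
    return [str(a) for a in nets if any(a != b and a.subnet_of(b) for b in nets)]


def conflicts(cidrs, must_reach):
    """Addresses you depend on that fall inside a candidate prefix.

    For the OUTPUT rules above the address that matters is $EXTIP itself:
    if your ISP hands out RFC1918 addresses on the link (Note4), the 10/8
    rule rejects every packet this server sends.  For the corresponding
    INPUT rules, check the default gateway and the ISP's DNS resolvers.
    """
    nets = [ip_network(c) for c in cidrs]
    return [(name, str(n)) for name, addr in must_reach.items()
            for n in nets if ip_address(addr) in n]


def emit_rules(cidrs, ifaces=("$EXTIF",)):
    """Render output-chain REJECT rules the way the script writes them."""
    return [
        f"/sbin/ipchains -A output -j REJECT -i {ifc} -s {c} -d $UNIVERSE $LOGGING"
        for ifc in ifaces
        for c in collapse(cidrs)
    ]


if __name__ == "__main__":
    # Sanity checks for the list above: the two Class-E /5 rules are one /4,
    # and 197.0.0.0/16 is already inside 197.0.0.0/8.
    print(collapse(["240.0.0.0/5", "248.0.0.0/5"]))
    print(redundant(["197.0.0.0/8", "197.0.0.0/16"]))
    print(prefix_range("74.0.0.0/7"))
    # Constructed link where the ISP numbered our side from 10/8:
    print(conflicts(RFC1918, {"EXTIP": "10.1.2.3", "gateway": "203.0.113.1"}))
    for line in emit_rules(RFC1918, ("$EXTIF", "$INT2IF")):
        print(line)
```

Run conflicts() with your real $EXTIP before enabling any new prefix from a bogon feed; a hit there means the rule would reject your own outbound traffic rather than a spoofer's.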


# -----------------
# Special Filtering
# -----------------

# Multicast:  Drop all multicast traffic without logging, for those users 
#             who find this traffic filling up their logs.  (Note that
#             REJECT is not silent in general: it tries to return an ICMP
#             unreachable; use DENY if you want a pure drop.)
#
# Disabled by default.
# echo "       Optional parameter: Ignore MULTICAST"
# /sbin/ipchains -A output -j REJECT -i $EXTIF -s $UNIVERSE -d 224.0.0.0/4


# NFS: Reject NFS traffic FROM and TO external machines.
#
# NOTE: NFS is one of the biggest security issues an administrator will face.
# Do NOT enable NFS over the Internet or any non-trusted networks unless you
# know exactly what you are doing.
#
# NOTE #2: the $LOGGING variable is NOT included here because if it was 
#          enabled, your logs would grow too quickly to manage.
#