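#!/bin/sh
#
# /etc/rc.d/rc.firewall-ipchains-stronger: An example of a Stronger IPCHAINS
# firewall ruleset for 2.2 kernels
#
# Purpose:  flush and rebuild the ipchains input/output/forward chains for a
#           masquerading gateway with one EXTERNAL and one INTERNAL interface,
#           set the MASQ timeouts and enable IP forwarding.
# Usage:    run as root at boot, and again whenever EXTIF gets a new address
#           (see the "Dynamic IP users" section below).
# Requires: ipchains, depmod, modprobe, awk and ifconfig at the paths set in
#           the "location of various ... programs" section, and a writable
#           /proc/sys/net/ipv4.
#
FWVER=0.75s
#
# Log:
# 0.75s - Updated the commands for dynamically addressed machines and
#         to point to an expanded FAQ section for more information
#
# 0.74s - renamed from rc.firewall-2.2-stronger to
#         rc.firewall-ipchains-stronger to better reflect that this ruleset
#         can run on different major kernel versions
#       - removed unused SED variable
# 0.73s - Added additional comments to make PORTFW configs more obvious
# 0.72s - #ed out the rule that would allow all traffic destined for the
#         MASQ server itself to be accepted.  Use the OPTIONAL INPUT
#         section to only allow explicit services.
#       - Fixed an INTLAN rule that was allowing traffic from ANY IP address
#         instead of the proper INTIP IP address only.  This aligns the
#         IPCHAINS ruleset with the IPTABLES and IPFWADM ruleset examples
# 0.71s - ruleset now uses modprobe instead of insmod
# 0.70s - Added missing execution variables
#       - fixed a missing -p tcp for the commented HTTPd section
# 0.65s - Added comments HTTPd rules to the INPUT and OUTPUT section
#       - Added a comment where to insert IPPORTFW commands
# 0.60s - Changed the EXTIP command to work on NON-English distros
#       - Updated the CASE of some of the script variables
#

# printf instead of "echo -e": this script runs under #!/bin/sh, and several
# /bin/sh implementations print the "-e" literally instead of honouring it.
printf '\nLoading rc.firewall-ipchains-stronger : version %s..\n\n' "$FWVER"


# The location of various ipchains and other shell programs
#
#   If your Linux distribution came with a copy of ipchains, most
#   likely it is located in /sbin.  If you manually compiled
#   ipchains, the default location is in /usr/local/sbin
#
#   ** Please use the "whereis ipchains" command to figure out
#   ** where your copy is and change the path below to reflect
#   ** your setup
#
IPCHAINS=/sbin/ipchains
LSMOD=/sbin/lsmod
DEPMOD=/sbin/depmod
MODPROBE=/sbin/modprobe
GREP=/bin/grep
AWK=/bin/awk
IFCONFIG=/sbin/ifconfig
PATH=/sbin:/bin:/usr/sbin:/usr/bin


# Global variables
# ----------------
# ALL PPP and DHCP users must set this for the correct EXTERNAL and
# INTERNAL interfaces names.  Examples: eth0, ppp0, ippp0, etc.
# See more info about this below.
#
EXTIF="ppp0"
INTIF="eth0"

# The INTERNAL IP address (host, /32) and the INTERNAL network (/24).
# Both are used below to accept LAN traffic and to reject spoofed packets
# that claim to come from the LAN but arrive on the EXTERNAL interface.
#
INTIP="192.168.0.1/32"
INTNET="192.168.0.0/24"

echo " Internal IP: $INTIP"
echo " Internal Network: $INTNET"


# Load all required IP MASQ modules
#
# NOTE: Only load the IP MASQ modules you need.  All current IP MASQ modules
#       are shown below but are commented from loading.

# Needed to initially load modules
#
$DEPMOD -a

# Supports the proper masquerading of FTP file transfers using the PORT method
#
$MODPROBE ip_masq_ftp

# Supports the masquerading of RealAudio over UDP.  Without this module,
#       RealAudio WILL function but in TCP mode.  This can cause a reduction
#       in sound quality
#
$MODPROBE ip_masq_raudio

# Supports the masquerading of IRC DCC file transfers
#
#$MODPROBE ip_masq_irc

# Supports the masquerading of Quake and QuakeWorld by default.  These modules are
#   for multiple users behind the Linux MASQ server.  If you are going to
#   play Quake I, II, and III, use the second example.
#
#   NOTE: If you get ERRORs loading the QUAKE module, you are running an old
#   ----- kernel that has bugs in it.  Please upgrade to the newest kernel.
#
#Quake I / QuakeWorld (ports 26000 and 27000)
#$MODPROBE ip_masq_quake
#
#Quake I/II/III / QuakeWorld (ports 26000, 27000, 27910, 27960)
#$MODPROBE ip_masq_quake 26000,27000,27910,27960

# Supports the masquerading of the CuSeeme video conferencing software
#
#$MODPROBE ip_masq_cuseeme

#Supports the masquerading of the VDO-live video conferencing software
#
#$MODPROBE ip_masq_vdolive


#CRITICAL:  Enable IP forwarding since it is disabled by default
#
# Redhat Users:  you may try changing the options in
#                /etc/sysconfig/network from:
#
#                       FORWARD_IPV4=false
#                             to
#                       FORWARD_IPV4=true
#
# NOTE: forwarding is switched on here, before the forward chain is
#       flushed and given its DENY policy further down in this script.
#
echo "1" > /proc/sys/net/ipv4/ip_forward


#CRITICAL:  Enable automatic IP defragmentation since it is disabled by default
#           in 2.2.x kernels
#
#   This used as a compile-time option but the behavior was changed
#   in 2.2.12.  It should also be noted that some distributions have
#   removed this option from the /proc table.  The entry is therefore only
#   written when it exists, so its absence does not produce an error.
#
if [ -e /proc/sys/net/ipv4/ip_always_defrag ]; then
  echo "1" > /proc/sys/net/ipv4/ip_always_defrag
fi


# Dynamic IP users:
#
#   If you get your IP address dynamically from SLIP, PPP, or DHCP, enable this
#   following option.  This enables dynamic-ip address hacking in IP MASQ,
#   making life with Diald and similar programs much easier.
#
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr


# Enable the LooseUDP patch which some Internet-based games require
#
#  If you are trying to get an Internet game to work through your IP MASQ box,
#  and you configured it to the best of your ability without it working, try
#  enabling this option (delete the "#" character).  This option is disabled
#  by default due to possible internal machine UDP port scanning
#  vulnerabilities.
#
#echo "1" > /proc/sys/net/ipv4/ip_masq_udp_dloose


# Specify your Static IP address here.
#
#   If you have a DYNAMIC IP address, you need to make this ruleset recognize
#   your IP address everytime you get a new IP.  To do this, the EXTIP line
#   below reads the current address of the EXTIF interface every time this
#   script runs, so you only have to re-run the script.
#
#
#   DHCP users (Cablemodem and DSL ) users:
#   ---------------------------------------
#   If you get your TCP/IP address via DHCP, set the EXTIF variable above to
#   the name of your EXTERNAL Internet connection (eth0, eth1, etc) instead
#   of "ppp0"; the EXTIP line below picks the address up from that interface.
#
#   DHCP and PPP users:  The remote DHCP or PPP server can and will change
#   IP addresses on you over time.  To deal with this, users should configure
#   their DHCP or PPP client to re-run the rc.firewall-* ruleset everytime
#   the IP address is changed.  Please see the "masq-and-dyn-addr" FAQ entry
#   in the IPMASQ howto for full details on how to do this.
#
#
#   Determine the external IP automatically:
#   ----------------------------------------
#
#   The following lines determine your external IP address by taking the
#   first line of the interface's ifconfig output that does NOT name the
#   interface, and printing the word after the first ":" on it.  No English
#   keyword is matched, so this also works for NON-English Linux distributions.
#
#   The interface name is handed to awk with -v rather than being
#   interpolated into the awk program text.
#
#   Make sure the EXTIF variable above is set to reflect the name
#   of your Internet connection
#
EXTIP="$($IFCONFIG "$EXTIF" | $AWK -v ifname="$EXTIF" \
  '$0 ~ ifname {next} {split($0,a,":"); split(a[2],a," "); print a[1]; exit}')"

if [ -z "$EXTIP" ]; then
  # Deliberately do NOT exit here.  The chains below are still flushed and
  # given their REJECT/DENY policies and catch-all rules, so a gateway whose
  # external address could not be read fails closed instead of being left
  # without a ruleset (e.g. when ppp0 is not up yet at boot).  The rules
  # that use $EXTIP are not expected to install as intended in this case.
  echo "WARNING: could not determine the IP address of $EXTIF;" >&2
  echo "         rules that reference the external IP will not be installed as intended." >&2
fi
echo " External IP: $EXTIP"


# MASQ timeouts
#
#   2 hrs timeout for TCP session timeouts
#  10 sec timeout for traffic after the TCP/IP "FIN" packet is received
#  60 sec timeout for UDP traffic (MASQ'ed ICQ users must enable a 30sec
#                                  firewall timeout in ICQ itself)
#
$IPCHAINS -M -S 7200 10 60


#############################################################################
# Incoming, flush and set default policy of reject. Actually the default policy
# is irrelevant because there is a catch all rule with deny and log.
#
$IPCHAINS -F input
$IPCHAINS -P input REJECT

# local interface, local machines, going anywhere is valid
#
$IPCHAINS -A input -i "$INTIF" -s "$INTNET" -d 0.0.0.0/0 -j ACCEPT

# remote interface, claiming to be local machines, IP spoofing, get lost
#
$IPCHAINS -A input -i "$EXTIF" -s "$INTNET" -d 0.0.0.0/0 -l -j REJECT

# remote interface, any source, going to the MASQ servers IP address is valid
#
# ENABLE this line if you want ALL Internet traffic to connect to your
# the various servers running on the MASQ server.  This includes
# web servers, ssh servers, dns servers, etc.
#
# I DON'T recommend you enable this rule.  Instead, only enable specific
# access to select server ports under the "OPTIONAL INPUT Section".
# An example of enabling HTTP (WWW) has been given below:
#
#
#$IPCHAINS -A input -i "$EXTIF" -s 0.0.0.0/0 -d "$EXTIP"/32 -j ACCEPT

# loopback interface is valid.
#
$IPCHAINS -A input -i lo -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT


# ----- Begin OPTIONAL INPUT Section -----
#
# HTTPd - Enable the following lines if you either run a WWW server on
#         the IPMASQ server -OR- plan on PORTFW'ing HTTP traffic to
#         an internal WWW server
#
#$IPCHAINS -A input -i "$EXTIF" -p tcp -s 0.0.0.0/0 -d "$EXTIP" 80 -j ACCEPT
#
# ----- End OPTIONAL INPUT Section -----


# catch all rule, all other incoming is denied and logged. pity there is no
# log option on the policy but this does the job instead.
#
$IPCHAINS -A input -s 0.0.0.0/0 -d 0.0.0.0/0 -l -j REJECT


#############################################################################
# Outgoing, flush and set default policy of reject. Actually the default policy
# is irrelevant because there is a catch all rule with deny and log.
#
$IPCHAINS -F output
$IPCHAINS -P output REJECT

# local interface, MASQ server source going to the local net is valid
#
$IPCHAINS -A output -i "$INTIF" -s "$INTIP" -d "$INTNET" -j ACCEPT

# outgoing to local net on remote interface, stuffed routing, deny
#
$IPCHAINS -A output -i "$EXTIF" -s 0.0.0.0/0 -d "$INTNET" -l -j REJECT

# outgoing from local net on remote interface, stuffed masquerading, deny
#
$IPCHAINS -A output -i "$EXTIF" -s "$INTNET" -d 0.0.0.0/0 -l -j REJECT

# anything else outgoing on remote interface is valid
#
$IPCHAINS -A output -i "$EXTIF" -s "$EXTIP"/32 -d 0.0.0.0/0 -j ACCEPT

# loopback interface is valid.
#
$IPCHAINS -A output -i lo -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT


# ----- Begin OPTIONAL OUTPUT Section -----
#
# HTTPd - Enable the following lines if you either run a WWW server on
#         the IPMASQ server -OR- plan on PORTFW'ing HTTP traffic to
#         an internal WWW server
#
#$IPCHAINS -A output -i "$EXTIF" -p tcp -s "$EXTIP" 80 -d 0.0.0.0/0 -j ACCEPT
#
# ----- End OPTIONAL OUTPUT Section -----


# catch all rule, all other outgoing is denied and logged. pity there is no
# log option on the policy but this does the job instead.
#
$IPCHAINS -A output -s 0.0.0.0/0 -d 0.0.0.0/0 -l -j REJECT


#############################################################################
# Forwarding, flush and set default policy of deny. Actually the default policy
# is irrelevant because there is a catch all rule with deny and log.
#
$IPCHAINS -F forward
$IPCHAINS -P forward DENY


# ----- Begin OPTIONAL FORWARD Section -----
#
# Put PORTFW commands here
#
# ----- End OPTIONAL FORWARD Section -----


# Masquerade from local net on local interface to anywhere.
#
$IPCHAINS -A forward -i "$EXTIF" -s "$INTNET" -d 0.0.0.0/0 -j MASQ
#
# catch all rule, all other forwarding is denied and logged. pity there is no
# log option on the policy but this does the job instead.
#
$IPCHAINS -A forward -s 0.0.0.0/0 -d 0.0.0.0/0 -l -j REJECT

printf '\nDone.\n\n'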