<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
|
|
<HTML>
|
|
<HEAD>
|
|
<META NAME="GENERATOR" CONTENT="SGML-Tools 1.0.9">
|
|
<TITLE>Firewall and Proxy Server HOWTO: APPENDIX A - Example Scripts</TITLE>
|
|
<LINK HREF="Firewall-HOWTO-16.html" REL=next>
|
|
<LINK HREF="Firewall-HOWTO-14.html" REL=previous>
|
|
<LINK HREF="Firewall-HOWTO.html#toc15" REL=contents>
|
|
</HEAD>
|
|
<BODY>
|
|
<A HREF="Firewall-HOWTO-16.html">Next</A>
|
|
<A HREF="Firewall-HOWTO-14.html">Previous</A>
|
|
<A HREF="Firewall-HOWTO.html#toc15">Contents</A>
|
|
<HR>
|
|
<H2><A NAME="s15">15. APPENDIX A - Example Scripts</A></H2>
|
|
|
|
<P>
|
|
<P>
|
|
<H2><A NAME="ss15.1">15.1 RC Script using GFCC</A>
|
|
</H2>
|
|
|
|
<P>
|
|
<PRE>
|
|
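#!/bin/bash
#
# Firewall Script - Version 0.9.1
#
# chkconfig: 2345 09 99
# description: firewall script for 2.2.x kernel
#
# Set for testing
# set -x
#
# NOTES:
#
# This script is written for RedHat 6.1 or better.
#
# Be careful about offering public services like web or ftp servers.
#
# INSTALLATION:
# 1. place this file in /etc/rc.d/init.d (you'll have to be root..)
#    call it something like "firewall" :-)
#    make it root owned --> "chown root.root (filename)"
#    make it executable --> "chmod 755 (filename)"
#
# 2. use GFCC to create your firewall rules and export them to a file
#    named /etc/gfcc/rules/firewall.rule.sh.
#    That file is executed as root by "start", so it must be root owned
#    and writable by nobody else.
#
# 3. add the firewall to the RH init structure --> "chkconfig --add (filename)"
#    next time the router boots, things should happen automagically!
#    sleep better at night knowing you are *LESS* vulnerable than before...
#
# RELEASE NOTES
# 30 Jan, 2000 - Changed to GFCC script
# 11 Dec, 1999 - updated by Mark Grennan <mark@grennan.com>
# 20 July, 1999 - initial writing - Anthony Ball <tony@LinuxSIG.org>
#

################################################

# Rule set exported from GFCC (see INSTALLATION step 2).
RULES=/etc/gfcc/rules/firewall.rule.sh

# External (public) interface.  Only the "test" target below uses it;
# the exported rule set names its own interfaces.  Edit to match your
# system - the original left this unset, so "test" ran
# "ipchains -A forward -i -j MASQ" with an empty interface name.
PUBLIC=ppp0

# Source function library.
. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up.  Quoted so an unset NETWORKING is a
# plain "not equal" rather than a test(1) syntax error.
[ "${NETWORKING}" = "no" ] && exit 0

# Empty the three built-in chains.  Policies are left untouched.
flush_chains() {
  /sbin/ipchains -F input
  /sbin/ipchains -F output
  /sbin/ipchains -F forward
}

# See how we are called
case "$1" in
  start)
    # Start providing access
    action "Starting firewall: " /bin/true
    # Fail loudly instead of booting without a firewall when the rule
    # file is missing or not executable.
    if [ ! -x "$RULES" ]; then
      echo "$0: $RULES is missing or not executable" >&2
      exit 1
    fi
    "$RULES"
    echo
    ;;

  stop)
    action "Stoping firewall: " /bin/true
    echo 0 > /proc/sys/net/ipv4/ip_forward
    flush_chains
    # Policies set by the rule file (input DENY) are not reset here, so
    # after "stop" the host stays closed - loopback included - until
    # "start" runs again.  This keeps "restart" fail-closed.
    echo
    ;;

  restart)
    action "Restarting firewall: " /bin/true
    "$0" stop
    "$0" start
    echo
    ;;

  status)
    # List out all settings
    /sbin/ipchains -L
    ;;

  test)
    # Test mode: no filtering at all.  Everything is accepted on input
    # and output; forwarding is denied except what goes out $PUBLIC,
    # which is masqueraded.
    action "Test Mode firewall: " /bin/true
    flush_chains
    echo 1 > /proc/sys/net/ipv4/ip_forward
    /sbin/ipchains -A input -j ACCEPT
    /sbin/ipchains -A output -j ACCEPT
    /sbin/ipchains -P forward DENY
    /sbin/ipchains -A forward -i "$PUBLIC" -j MASQ
    echo
    ;;

  *)
    echo "Usage: $0 {start|stop|restart|status|test}"
    exit 1
    ;;
esac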
|
|
</PRE>
|
|
<P>
|
|
<P>
|
|
<H2><A NAME="ss15.2">15.2 GFCC script</A>
|
|
</H2>
|
|
|
|
<P>This script was generated by the Graphical Firewall program (GFCC). It is not the working rule set; it is the exported rule set.
|
|
<P>
|
|
<PRE>
|
|
|
|
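#!/bin/sh
# Generated by Gtk+ firewall control center
#
# Rule set exported from GFCC; run as root by the "start" target of the
# init script.  Stop at the first failing command: the input policy is
# set to DENY before any ACCEPT rule is added, so a partial run leaves
# the host closed rather than open.
set -e

IPCHAINS=/sbin/ipchains

localnet="192.168.1.0/24"
# firewallhost, mail_grennan_com and mark_grennan_com are emitted by the
# exporter but not referenced by any rule below.
firewallhost="192.168.1.1/32"
# Loopback network.  The exported file read 172.0.0.0/8, which is not
# loopback: real 127.x traffic on lo then missed the "-i lo" ACCEPT
# below, so e.g. a new TCP connection to 127.0.0.1 on a port not listed
# further down ended in the final logged DENY.
localhost="127.0.0.0/8"
DNS1="24.94.163.119/32"
DNS2="24.94.163.124/32"
Broadcast="255.255.255.255/32"
Multicast="224.0.0.0/8"
Any="0.0.0.0/0"
mail_grennan_com="192.168.1.1/32"
mark_grennan_com="192.168.1.3/32"

# Policies first, so the host is closed while the chains are rebuilt.
$IPCHAINS -P input DENY
$IPCHAINS -P forward ACCEPT
$IPCHAINS -P output ACCEPT

$IPCHAINS -F
$IPCHAINS -X

# input rules
# Broadcast, NetBIOS, BOOTP and multicast noise is dropped without logging.
$IPCHAINS -A input -s "$Any" -d "$Broadcast" -j DENY
$IPCHAINS -A input -p udp -s "$Any" -d "$Any" netbios-ns -j DENY
$IPCHAINS -A input -p tcp -s "$Any" -d "$Any" netbios-ns -j DENY
$IPCHAINS -A input -p udp -s "$Any" -d "$Any" netbios-dgm -j DENY
$IPCHAINS -A input -p tcp -s "$Any" -d "$Any" netbios-dgm -j DENY
$IPCHAINS -A input -p udp -s "$Any" -d "$Any" bootps -j DENY
$IPCHAINS -A input -p udp -s "$Any" -d "$Any" bootpc -j DENY
$IPCHAINS -A input -s "$Multicast" -d "$Any" -j DENY
# Loopback and the internal LAN (eth1) are trusted.
$IPCHAINS -A input -s "$localhost" -d "$Any" -i lo -j ACCEPT
$IPCHAINS -A input -s "$localnet" -d "$Any" -i eth1 -j ACCEPT
$IPCHAINS -A input -s "$localnet" -d "$Broadcast" -i eth1 -j ACCEPT
$IPCHAINS -A input -p icmp -s "$Any" -d "$Any" -j ACCEPT
# Any TCP packet that is not a new connection attempt (SYN only) is
# accepted - replies to outbound connections on a stateless kernel.
$IPCHAINS -A input -p tcp -s "$Any" -d "$Any" -j ACCEPT ! -y
# Replies from the two configured DNS servers to unprivileged ports.
$IPCHAINS -A input -p udp -s "$DNS1" domain -d "$Any" 1023:65535 -j ACCEPT
$IPCHAINS -A input -p udp -s "$DNS2" domain -d "$Any" 1023:65535 -j ACCEPT
# Services offered to any source address.  telnet and pop-3 carry
# cleartext credentials.
$IPCHAINS -A input -p tcp -s "$Any" -d "$Any" ssh -j ACCEPT
$IPCHAINS -A input -p tcp -s "$Any" -d "$Any" telnet -j ACCEPT
$IPCHAINS -A input -p tcp -s "$Any" -d "$Any" smtp -j ACCEPT
$IPCHAINS -A input -p tcp -s "$Any" -d "$Any" pop-3 -j ACCEPT
$IPCHAINS -A input -p tcp -s "$Any" -d "$Any" auth -j ACCEPT
$IPCHAINS -A input -p tcp -s "$Any" -d "$Any" www -j ACCEPT
$IPCHAINS -A input -p tcp -s "$Any" -d "$Any" ftp -j ACCEPT
# Everything else is dropped and logged.
$IPCHAINS -A input -s "$Any" -d "$Any" -j DENY -l

# forward rules
$IPCHAINS -A forward -s "$localnet" -d "$Any" -j MASQ

# output rules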
|
</PRE>
|
|
<P>
|
|
<H2><A NAME="ss15.3">15.3 RC Script without GFCC</A>
|
|
This is the firewall rule set built by hand. It does not use GFCC.</H2>
|
|
|
|
<P>
|
|
<PRE>
|
|
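#!/bin/bash
#
# Firewall Script - Version 0.9.0

# chkconfig: 2345 09 99
# description: firewall script for 2.2.x kernel

# Set for testing
# set -x

#
# NOTES:
#
# This script is written for RedHat 6.0 or better.
#
# This firewall script should work for most routers, dial-up or cable modem.
# It was written for RedHat distributions.
#
# Be careful about offering public services like web or ftp servers.
#
# INSTALLATION:
# 1. This file planned for a RedHat system. It would work
#    on other distro's with perhaps no modification, but again...
#    Who knows?!!? These instructions apply to RedHat systems.
#
# 2. place this file in /etc/rc.d/init.d (you'll have to be root..)
#    call it something like "firewall" :-)
#    make it root owned --> "chown root.root <filename>"
#    make it executable --> "chmod 755 <filename>"
#
# 3. set the values for your network, internal interface, and DNS servers
#    uncomment lines further down to enable optional in-bound services
#    make sure "eth0" is your internal NIC (or change the value below)
#    test it --> "/etc/rc.d/init.d/<filename> start"
#    you can list the rules --> "ipchains -L -n"
#    fix anything that broke... :-)
#
# 4. add the firewall to the RH init structure --> "chkconfig --add <filename>"
#    next time the router boots, things should happen automagically!
#    sleep better at night knowing you are *LESS* vulnerable than before...
#
# RELEASE NOTES
# 20 July, 1999 - initial writing - Anthony Ball <tony@LinuxSIG.org>
# 11 Dec, 1999 - updated by Mark Grennan <mark@grennan.com>
#

################################################
# Fill in the values below to match your
# local network.

PRIVATENET=xxx.xxx.xxx.xxx/xx

PUBLIC=ppp0
PRIVATE=eth0

# your dns servers
DNS1=xxx.xxx.xxx.xxx
DNS2=xxx.xxx.xxx.xxx

################################################

# some handy generic values to use
ANY=0.0.0.0/0
ALLONES=255.255.255.255

# Source function library.
. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up.  Quoted so an unset NETWORKING is a
# plain "not equal" rather than a test(1) syntax error.
[ "${NETWORKING}" = "no" ] && exit 0

# Refuse to build rules from the "xxx" placeholders above: ipchains
# cannot resolve them, so those rules would be skipped and the firewall
# would come up without its PRIVATENET and DNS rules.
check_config() {
  local v
  for v in "$PRIVATENET" "$DNS1" "$DNS2"; do
    case "$v" in
      *xxx*)
        echo "$0: edit PRIVATENET, DNS1 and DNS2 at the top of this script first" >&2
        return 1
        ;;
    esac
  done
  return 0
}

# Empty the three built-in chains.  Policies are left untouched.
flush_chains() {
  /sbin/ipchains -F input
  /sbin/ipchains -F output
  /sbin/ipchains -F forward
}

# See how we are called
case "$1" in
  start)
    check_config || exit 1
    # Start providing access
    action "Starting firewall: " /bin/true

    ##
    ## Setup Envirement
    ##
    # Flush all lists
    flush_chains

    # Plug up everything while the rules are built; removed at the end
    # of this target.
    /sbin/ipchains -I input 1 -j DENY

    # set policy to deny (Default is ACCEPT)
    /sbin/ipchains -P input DENY
    /sbin/ipchains -P output ACCEPT
    /sbin/ipchains -P forward ACCEPT

    # Turn on packet forwarding
    echo 1 > /proc/sys/net/ipv4/ip_forward

    ##
    ## Install Modules
    ##
    # Insert the active ftp module. This will allow non-passive ftp to machines
    # on the local network (but not to the router since it is not masq'd)
    if ! /sbin/lsmod | /bin/grep -q masq_ftp; then
      /sbin/insmod ip_masq_ftp
    fi

    ##
    ## Some Security Stuff
    ##
    # turn on Source Address Verification and get spoof protection
    # on all current and future interfaces.
    if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
      for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
        echo 1 > "$f"
      done
    else
      echo
      echo "PROBLEMS SETTING UP IP SPOOFING PROTECTION. BE WORRIED."
      echo
    fi

    # deny bcasts on remaining interfaces
    /sbin/ipchains -A input -d 0.0.0.0 -j DENY
    /sbin/ipchains -A input -d 255.255.255.255 -j DENY

    # deny these without logging 'cause there tend to be a lot...
    /sbin/ipchains -A input -p udp -d "$ANY" 137 -j DENY # NetBIOS over IP
    /sbin/ipchains -A input -p tcp -d "$ANY" 137 -j DENY # ""
    /sbin/ipchains -A input -p udp -d "$ANY" 138 -j DENY # ""
    /sbin/ipchains -A input -p tcp -d "$ANY" 138 -j DENY # ""
    /sbin/ipchains -A input -p udp -d "$ANY" 67 -j DENY # bootp
    /sbin/ipchains -A input -p udp -d "$ANY" 68 -j DENY # ""
    /sbin/ipchains -A input -s 224.0.0.0/8 -j DENY # Multicast addresses

    ##
    ## Allow private network out
    ##
    # allow all packets on the loopback interface
    /sbin/ipchains -A input -i lo -j ACCEPT

    # allow all packets from the internal "trusted" interface
    /sbin/ipchains -A input -i "$PRIVATE" -s "$PRIVATENET" -d "$ANY" -j ACCEPT
    /sbin/ipchains -A input -i "$PRIVATE" -d "$ALLONES" -j ACCEPT

    ##
    ## Allow Outside Services into the firewall (if you dare)
    ##
    # allow ICMP
    /sbin/ipchains -A input -p icmp -j ACCEPT
    # allow TCP that is not a new connection attempt (SYN only) - the
    # replies to outbound connections on a stateless 2.2 kernel
    /sbin/ipchains -A input -p tcp ! -y -j ACCEPT

    # allow lookups to DNS (on firewall)
    /sbin/ipchains -A input -p udp -s "$DNS1" domain -d "$ANY" 1023: -j ACCEPT
    /sbin/ipchains -A input -p udp -s "$DNS2" domain -d "$ANY" 1023: -j ACCEPT
    # or (BETTER IDEA) run a caching DNS server on the router and use the
    # following two lines instead...
    # /sbin/ipchains -A input -p udp -s $DNS1 domain -d $ANY domain -j ACCEPT
    # /sbin/ipchains -A input -p udp -s $DNS2 domain -d $ANY domain -j ACCEPT

    # Optional in-bound services.  All disabled by default, as
    # INSTALLATION step 3 says; uncomment only what this router really
    # serves to the outside.

    # uncomment the following to allow ssh in
    # /sbin/ipchains -A input -p tcp -d $ANY 22 -j ACCEPT

    # uncomment the following to allow telnet in (BAD IDEA!!)
    # /sbin/ipchains -A input -p tcp -d $ANY telnet -j ACCEPT

    # uncomment to allow NTP (network time protocol) to router
    # /sbin/ipchains -A input -p udp -d $ANY ntp -j ACCEPT

    # uncomment to allow SMTP in (not for mail clients - only a server)
    # /sbin/ipchains -A input -p tcp -d $ANY smtp -j ACCEPT

    # uncomment to allow POP3 in (for mail clients)
    # /sbin/ipchains -A input -p tcp -d $ANY 110 -j ACCEPT

    # allow auth in for sending mail or doing ftp
    /sbin/ipchains -A input -p tcp -d "$ANY" auth -j ACCEPT

    # uncomment to allow HTTP in (only if you run a web server on the router)
    # /sbin/ipchains -A input -p tcp -d $ANY http -j ACCEPT

    # uncomment to allow FTP in
    # /sbin/ipchains -A input -p tcp -d $ANY ftp -j ACCEPT

    ##
    ## Masquerading stuff
    ##
    # masquerade packets forwarded from internal network
    /sbin/ipchains -A forward -s "$PRIVATENET" -d "$ANY" -j MASQ

    ##
    ## deny EVERYthing else and log them to /var/log/messages
    ##
    /sbin/ipchains -A input -l -j DENY

    # Remove the Plug
    /sbin/ipchains -D input 1
    ;;

  stop)
    action "Stoping firewall: " /bin/true
    echo 0 > /proc/sys/net/ipv4/ip_forward
    flush_chains
    # The input policy set by "start" (DENY) is not reset here, so after
    # "stop" the host stays closed - loopback included - until "start"
    # runs again.  This keeps "restart" fail-closed.
    echo
    ;;

  restart)
    action "Restarting firewall: " /bin/true
    "$0" stop
    "$0" start
    echo
    ;;

  status)
    # List out settings
    /sbin/ipchains -L
    ;;

  test)
    ##
    ## This is about as simple as it gets
    ## (This is not secure AT ALL)
    ##
    # Everything is accepted on input and output; forwarding is denied
    # except what goes out $PUBLIC, which is masqueraded.
    action "WARNING Test Firewall: " /bin/true
    flush_chains
    echo 1 > /proc/sys/net/ipv4/ip_forward
    /sbin/ipchains -A input -j ACCEPT
    /sbin/ipchains -A output -j ACCEPT
    /sbin/ipchains -P forward DENY
    /sbin/ipchains -A forward -i "$PUBLIC" -j MASQ
    echo
    ;;

  *)
    echo "Usage: $0 {start|stop|restart|status|test}"
    exit 1
    ;;
esac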
|
|
</PRE>
|
|
<P>
|
|
<HR>
|
|
<A HREF="Firewall-HOWTO-16.html">Next</A>
|
|
<A HREF="Firewall-HOWTO-14.html">Previous</A>
|
|
<A HREF="Firewall-HOWTO.html#toc15">Contents</A>
|
|
</BODY>
|
|
</HTML>
|