<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
<META NAME="GENERATOR" CONTENT="SGML-Tools 1.0.9">
<TITLE>Firewall and Proxy Server HOWTO: APPENDIX A - Example Scripts</TITLE>
<LINK HREF="Firewall-HOWTO-16.html" REL=next>
<LINK HREF="Firewall-HOWTO-14.html" REL=previous>
<LINK HREF="Firewall-HOWTO.html#toc15" REL=contents>
</HEAD>
<BODY>
<A HREF="Firewall-HOWTO-16.html">Next</A>
<A HREF="Firewall-HOWTO-14.html">Previous</A>
<A HREF="Firewall-HOWTO.html#toc15">Contents</A>
<HR>
<H2><A NAME="s15">15. APPENDIX A - Example Scripts</A></H2>
<P>
<P>
<H2><A NAME="ss15.1">15.1 RC Script using GFCC</A>
</H2>
<P>
<PRE>
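#!/bin/bash
#
# Firewall Script - Version 0.9.1
#
# chkconfig: 2345 09 99
# description: firewall script for 2.2.x kernel
#
# Uncomment the next line to trace every command while testing.
# set -x
#
# NOTES:
#
# This script is written for RedHat 6.1 or better. It is only an init
# wrapper: the actual ipchains rules live in the file exported by GFCC
# (RULES below), so review that file, not this one, to know what the
# firewall permits.
#
# Be careful about offering public services like web or ftp servers.
#
# INSTALLATION:
# 1. place this file in /etc/rc.d/init.d (you'll have to be root..)
#    call it something like "firewall" :-)
#    make it root owned --> "chown root.root (filename)"
#    make it executable --> "chmod 755 (filename)"
#
# 2. use GFCC to create your firewall rules and export them to a file
#    named /etc/gfcc/rules/firewall.rule.sh.
#
# 3. set PUBLIC below to your external (Internet-facing) interface; it is
#    only used by the "test" target.
#
# 4. add the firewall to the RH init structure --> "chkconfig --add (filename)"
#    next time the router boots, things should happen automagically!
#    sleep better at night knowing you are *LESS* vulnerable than before...
#
# RELEASE NOTES
# 30 Jan, 2000 - Changed to GFCC script
# 11 Dec, 1999 - updated by Mark Grennan &lt;mark@grennan.com&gt;
# 20 July, 1999 - initial writing - Anthony Ball &lt;tony@LinuxSIG.org&gt;
#
################################################
# Rule set exported by GFCC. It is executed as root every time the
# firewall starts, so keep it root owned and not group/world writable.
RULES=/etc/gfcc/rules/firewall.rule.sh
# External interface. Used by the "test" target only; the exported rule
# set carries its own interface names.
PUBLIC=ppp0
IPCHAINS=/sbin/ipchains
# Source function library.
. /etc/rc.d/init.d/functions
# Source networking configuration.
. /etc/sysconfig/network
# Check that networking is up (quoted so an unset NETWORKING is not a
# syntax error in the test).
if [ "${NETWORKING}" = "no" ]; then
  exit 0
fi

# Empty the three built-in chains. This removes rules only; the chain
# policies set by the rule set stay as they are.
flush_chains() {
  "$IPCHAINS" -F input
  "$IPCHAINS" -F output
  "$IPCHAINS" -F forward
}

# See how we are called
case "$1" in
  start)
    # Refuse to report success when there is nothing to load.
    if [ ! -x "$RULES" ]; then
      echo "$0: $RULES is missing or not executable; firewall NOT started" >&2
      exit 1
    fi
    # Start providing access
    action "Starting firewall: " /bin/true
    # The exported rule set sets the policies and installs every rule.
    "$RULES" || exit 1
    echo
    ;;
  stop)
    action "Stoping firewall: " /bin/true
    echo 0 > /proc/sys/net/ipv4/ip_forward
    # Only the chains are flushed. If the rule set left the input policy at
    # DENY, the host accepts nothing on input (loopback included) until
    # "start" runs again.
    flush_chains
    echo
    ;;
  restart)
    action "Restarting firewall: " /bin/true
    "$0" stop
    "$0" start
    echo
    ;;
  status)
    # List out all settings
    "$IPCHAINS" -L
    ;;
  test)
    # Wide-open rule set for debugging connectivity only: every input and
    # output packet is accepted and everything from the inside is
    # masqueraded out through $PUBLIC. Do not leave a router in this state.
    action "Test Mode firewall: " /bin/true
    : "${PUBLIC:?PUBLIC (external interface) must be set for test mode}"
    flush_chains
    echo 1 > /proc/sys/net/ipv4/ip_forward
    "$IPCHAINS" -A input -j ACCEPT
    "$IPCHAINS" -A output -j ACCEPT
    "$IPCHAINS" -P forward DENY
    "$IPCHAINS" -A forward -i "$PUBLIC" -j MASQ
    echo
    ;;
  *)
    echo "Usage: $0 {start|stop|restart|status|test}"
    exit 1
esac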
</PRE>
<P>
<P>
<H2><A NAME="ss15.2">15.2 GFCC script</A>
</H2>
<P>This script was generated by the Graphical Firewall program (GFCC). This is not the working rule set; it is the exported rule set.
<P>
<PRE>
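#!/bin/sh
# Generated by Gtk+ firewall control center
#
# Exported ipchains rule set, run as root by the init wrapper in 15.1.
# Only the input chain is filtered: the forward and output policies are
# ACCEPT, and traffic forwarded from $localnet is masqueraded.
IPCHAINS=/sbin/ipchains
localnet="192.168.1.0/24"
# Loopback range. The exported file said "172.0.0.0/8", which is not the
# loopback network, so packets arriving on "lo" never matched the lo
# ACCEPT rule below and were judged by the public-service rules instead.
localhost="127.0.0.0/8"
DNS1="24.94.163.119/32"
DNS2="24.94.163.124/32"
Broadcast="255.255.255.255/32"
Multicast="224.0.0.0/8"
Any="0.0.0.0/0"
# Defined by GFCC but not referenced by any rule below.
firewallhost="192.168.1.1/32"
mail_grennan_com="192.168.1.1/32"
mark_grennan_com="192.168.1.3/32"
# Default policies: input drops whatever no rule accepts; forward and
# output let everything through.
"$IPCHAINS" -P input DENY
"$IPCHAINS" -P forward ACCEPT
"$IPCHAINS" -P output ACCEPT
# Start from empty chains (flush all rules, remove user-defined chains).
"$IPCHAINS" -F
"$IPCHAINS" -X
# input rules
# Broadcast, NetBIOS, BOOTP/DHCP and multicast noise is dropped here
# without logging so the logging catch-all at the end stays readable.
"$IPCHAINS" -A input -s "$Any" -d "$Broadcast" -j DENY
"$IPCHAINS" -A input -p udp -s "$Any" -d "$Any" netbios-ns -j DENY
"$IPCHAINS" -A input -p tcp -s "$Any" -d "$Any" netbios-ns -j DENY
"$IPCHAINS" -A input -p udp -s "$Any" -d "$Any" netbios-dgm -j DENY
"$IPCHAINS" -A input -p tcp -s "$Any" -d "$Any" netbios-dgm -j DENY
"$IPCHAINS" -A input -p udp -s "$Any" -d "$Any" bootps -j DENY
"$IPCHAINS" -A input -p udp -s "$Any" -d "$Any" bootpc -j DENY
"$IPCHAINS" -A input -s "$Multicast" -d "$Any" -j DENY
# Trust loopback, and the internal interface (eth1) for $localnet.
"$IPCHAINS" -A input -s "$localhost" -d "$Any" -i lo -j ACCEPT
"$IPCHAINS" -A input -s "$localnet" -d "$Any" -i eth1 -j ACCEPT
"$IPCHAINS" -A input -s "$localnet" -d "$Broadcast" -i eth1 -j ACCEPT
# All ICMP, and any TCP packet that is not a connection request (! -y),
# so replies to outbound connections get back in.
"$IPCHAINS" -A input -p icmp -s "$Any" -d "$Any" -j ACCEPT
"$IPCHAINS" -A input -p tcp -s "$Any" -d "$Any" -j ACCEPT ! -y
# Replies from the two configured resolvers to unprivileged local ports.
"$IPCHAINS" -A input -p udp -s "$DNS1" domain -d "$Any" 1023:65535 -j ACCEPT
"$IPCHAINS" -A input -p udp -s "$DNS2" domain -d "$Any" 1023:65535 -j ACCEPT
# Services reachable from any source address. telnet, pop-3 and ftp send
# passwords in the clear; limit them with -s "$localnet" or drop them
# unless this host really serves them to the Internet.
"$IPCHAINS" -A input -p tcp -s "$Any" -d "$Any" ssh -j ACCEPT
"$IPCHAINS" -A input -p tcp -s "$Any" -d "$Any" telnet -j ACCEPT
"$IPCHAINS" -A input -p tcp -s "$Any" -d "$Any" smtp -j ACCEPT
"$IPCHAINS" -A input -p tcp -s "$Any" -d "$Any" pop-3 -j ACCEPT
"$IPCHAINS" -A input -p tcp -s "$Any" -d "$Any" auth -j ACCEPT
"$IPCHAINS" -A input -p tcp -s "$Any" -d "$Any" www -j ACCEPT
"$IPCHAINS" -A input -p tcp -s "$Any" -d "$Any" ftp -j ACCEPT
# Everything else on input is denied and logged (-l).
"$IPCHAINS" -A input -s "$Any" -d "$Any" -j DENY -l
# forward rules
# Masquerade the internal network on its way out.
"$IPCHAINS" -A forward -s "$localnet" -d "$Any" -j MASQ
# output rules
# (none: the output policy is ACCEPT)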
</PRE>
<P>
<H2><A NAME="ss15.3">15.3 RC Script without GFCC</A>
This is the firewall rule set built by hand. It does not use GFCC.</H2>
<P>
<PRE>
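#!/bin/bash
#
# Firewall Script - Version 0.9.0
# chkconfig: 2345 09 99
# description: firewall script for 2.2.x kernel
#
# Uncomment the next line to trace every command while testing.
# set -x
#
# NOTES:
#
# This script is written for RedHat 6.0 or better.
#
# This firewall script should work for most routers, dial-up or cable modem.
# It was written for RedHat distributions.
#
# Be careful about offering public services like web or ftp servers.
#
# INSTALLATION:
# 1. This file was planned for a RedHat system. It may work on other
#    distributions with little or no modification, but again... who knows?
#    These instructions apply to RedHat systems.
#
# 2. place this file in /etc/rc.d/init.d (you'll have to be root..)
#    call it something like "firewall" :-)
#    make it root owned --> "chown root.root &lt;filename&gt;"
#    make it executable --> "chmod 755 &lt;filename&gt;"
#
# 3. set the values for your network, interfaces and DNS servers below;
#    "start" refuses to run while the xxx placeholders are still in place.
#    uncomment lines further down to enable optional in-bound services
#    make sure "eth0" is your internal NIC (or change the value below)
#    test it --> "/etc/rc.d/init.d/&lt;filename&gt; start"
#    you can list the rules --> "ipchains -L -n"
#    fix anything that broke... :-)
#
# 4. add the firewall to the RH init structure --> "chkconfig --add &lt;filename&gt;"
#    next time the router boots, things should happen automagically!
#    sleep better at night knowing you are *LESS* vulnerable than before...
#
# RELEASE NOTES
# 20 July, 1999 - initial writing - Anthony Ball &lt;tony@LinuxSIG.org&gt;
# 11 Dec, 1999 - updated by Mark Grennan &lt;mark@grennan.com&gt;
#
################################################
# Fill in the values below to match your
# local network.
PRIVATENET=xxx.xxx.xxx.xxx/xx   # internal network, e.g. 192.168.1.0/24
PUBLIC=ppp0                     # external (Internet-facing) interface
PRIVATE=eth0                    # internal "trusted" interface
# your dns servers
DNS1=xxx.xxx.xxx.xxx
DNS2=xxx.xxx.xxx.xxx
################################################
# some handy generic values to use
ANY=0.0.0.0/0
ALLONES=255.255.255.255
IPCHAINS=/sbin/ipchains
# Source function library.
. /etc/rc.d/init.d/functions
# Source networking configuration.
. /etc/sysconfig/network
# Check that networking is up (quoted so an unset NETWORKING is not a
# syntax error in the test).
if [ "${NETWORKING}" = "no" ]; then
  exit 0
fi

# Refuse to build a rule set from the unedited xxx placeholders above.
# ipchains rejects them, so the affected rules - the "trusted" interface
# rule among them - would simply not be installed while the script went
# on and reported success.
check_config() {
  case "$PRIVATENET$DNS1$DNS2" in
    *xxx*)
      echo "$0: fill in PRIVATENET, DNS1 and DNS2 at the top of this script" >&2
      return 1
      ;;
  esac
  return 0
}

# Empty the three built-in chains. This removes rules only; the chain
# policies stay as they are.
flush_chains() {
  "$IPCHAINS" -F input
  "$IPCHAINS" -F output
  "$IPCHAINS" -F forward
}

# See how we are called
case "$1" in
  start)
    check_config || exit 1
    # Start providing access
    action "Starting firewall: " /bin/true
    ##
    ## Setup Environment
    ##
    # Flush all lists
    flush_chains
    # Plug up everything while the rules are being built; the plug is
    # pulled as the very last step.
    "$IPCHAINS" -I input 1 -j DENY
    # set policy to deny (Default is ACCEPT)
    "$IPCHAINS" -P input DENY
    "$IPCHAINS" -P output ACCEPT
    "$IPCHAINS" -P forward ACCEPT
    # Turn on packet forwarding
    echo 1 > /proc/sys/net/ipv4/ip_forward
    ##
    ## Install Modules
    ##
    # Insert the active ftp module. This will allow non-passive ftp to machines
    # on the local network (but not to the router since it is not masq'd)
    if ! /sbin/lsmod | /bin/grep -q masq_ftp; then
      /sbin/insmod ip_masq_ftp
    fi
    ##
    ## Some Security Stuff
    ##
    # turn on Source Address Verification and get spoof protection
    # on all current and future interfaces.
    if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
      for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
        echo 1 > "$f"
      done
    else
      echo >&2
      echo "PROBLEMS SETTING UP IP SPOOFING PROTECTION. BE WORRIED." >&2
      echo >&2
    fi
    # deny bcasts on remaining interfaces
    "$IPCHAINS" -A input -d 0.0.0.0 -j DENY
    "$IPCHAINS" -A input -d 255.255.255.255 -j DENY
    # deny these without logging 'cause there tend to be a lot...
    "$IPCHAINS" -A input -p udp -d "$ANY" 137 -j DENY # NetBIOS over IP
    "$IPCHAINS" -A input -p tcp -d "$ANY" 137 -j DENY # ""
    "$IPCHAINS" -A input -p udp -d "$ANY" 138 -j DENY # ""
    "$IPCHAINS" -A input -p tcp -d "$ANY" 138 -j DENY # ""
    "$IPCHAINS" -A input -p udp -d "$ANY" 67 -j DENY # bootp
    "$IPCHAINS" -A input -p udp -d "$ANY" 68 -j DENY # ""
    "$IPCHAINS" -A input -s 224.0.0.0/8 -j DENY # Multicast addresses
    ##
    ## Allow private network out
    ##
    # allow all packets on the loopback interface
    "$IPCHAINS" -A input -i lo -j ACCEPT
    # allow all packets from the internal "trusted" interface
    "$IPCHAINS" -A input -i "$PRIVATE" -s "$PRIVATENET" -d "$ANY" -j ACCEPT
    "$IPCHAINS" -A input -i "$PRIVATE" -d "$ALLONES" -j ACCEPT
    ##
    ## Allow Outside Services into the firewall (if you dare)
    ##
    # allow ICMP
    "$IPCHAINS" -A input -p icmp -j ACCEPT
    # allow TCP that is not a connection request (! -y = no SYN-only
    # packets); ipchains keeps no connection state, so this is what lets
    # replies to outbound connections back in.
    "$IPCHAINS" -A input -p tcp ! -y -j ACCEPT
    # allow lookups to DNS (on firewall)
    "$IPCHAINS" -A input -p udp -s "$DNS1" domain -d "$ANY" 1023: -j ACCEPT
    "$IPCHAINS" -A input -p udp -s "$DNS2" domain -d "$ANY" 1023: -j ACCEPT
    # or (BETTER IDEA) run a caching DNS server on the router and use the
    # following two lines instead...
    # "$IPCHAINS" -A input -p udp -s "$DNS1" domain -d "$ANY" domain -j ACCEPT
    # "$IPCHAINS" -A input -p udp -s "$DNS2" domain -d "$ANY" domain -j ACCEPT
    #
    # Optional in-bound services. Every line below opens the port to any
    # source address, so enable only what this router really serves, and
    # prefer adding -s &lt;network&gt; to limit who may reach it.
    #
    # ssh in (enabled; comment out if you never administer the router remotely)
    "$IPCHAINS" -A input -p tcp -d "$ANY" 22 -j ACCEPT
    # uncomment the following to allow telnet in (BAD IDEA!! cleartext logins)
    # "$IPCHAINS" -A input -p tcp -d "$ANY" telnet -j ACCEPT
    # uncomment to allow NTP (network time protocol) to router
    # "$IPCHAINS" -A input -p udp -d "$ANY" ntp -j ACCEPT
    # uncomment to allow SMTP in (not for mail clients - only a server)
    # "$IPCHAINS" -A input -p tcp -d "$ANY" smtp -j ACCEPT
    # uncomment to allow POP3 in (for mail clients; passwords travel in clear)
    # "$IPCHAINS" -A input -p tcp -d "$ANY" 110 -j ACCEPT
    # allow auth in for sending mail or doing ftp
    "$IPCHAINS" -A input -p tcp -d "$ANY" auth -j ACCEPT
    # uncomment to allow HTTP in (only if you run a web server on the router)
    # "$IPCHAINS" -A input -p tcp -d "$ANY" http -j ACCEPT
    # uncomment to allow FTP in
    # "$IPCHAINS" -A input -p tcp -d "$ANY" ftp -j ACCEPT
    ##
    ## Masquerading stuff
    ##
    # masquerade packets forwarded from internal network
    "$IPCHAINS" -A forward -s "$PRIVATENET" -d "$ANY" -j MASQ
    ##
    ## deny EVERYthing else and log them to /var/log/messages
    ##
    "$IPCHAINS" -A input -l -j DENY
    # Remove the Plug
    "$IPCHAINS" -D input 1
    ;;
  stop)
    action "Stoping firewall: " /bin/true
    echo 0 > /proc/sys/net/ipv4/ip_forward
    # Only the chains are flushed; the input policy set by "start" stays
    # DENY, so with no rules left the host accepts nothing on input
    # (loopback included) until "start" runs again.
    flush_chains
    echo
    ;;
  restart)
    action "Restarting firewall: " /bin/true
    "$0" stop
    "$0" start
    echo
    ;;
  status)
    # List out settings
    "$IPCHAINS" -L
    ;;
  test)
    ##
    ## This is about as simple as it gets
    ## (This is not secure AT ALL): every input and output packet is
    ## accepted and everything from the inside is masqueraded out through
    ## $PUBLIC. Use it to debug connectivity, then run "start".
    action "WARNING Test Firewall: " /bin/true
    flush_chains
    echo 1 > /proc/sys/net/ipv4/ip_forward
    "$IPCHAINS" -A input -j ACCEPT
    "$IPCHAINS" -A output -j ACCEPT
    "$IPCHAINS" -P forward DENY
    "$IPCHAINS" -A forward -i "$PUBLIC" -j MASQ
    echo
    ;;
  *)
    echo "Usage: $0 {start|stop|restart|status|test}"
    exit 1
esac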
</PRE>
<P>
<HR>
<A HREF="Firewall-HOWTO-16.html">Next</A>
<A HREF="Firewall-HOWTO-14.html">Previous</A>
<A HREF="Firewall-HOWTO.html#toc15">Contents</A>
</BODY>
</HTML>