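#!/bin/sh
# Set up firewall and forwarding rules (ipchains).
#
# Rebuilds the built-in input/output/forward chains and the user-defined
# chains in-icmp, in-tcp, in-udp, acct-in and acct-out from scratch on every
# run.  Must run as root.  Individual ipchains failures are reported on
# stderr but do not abort the script, so a partially applied rule set can
# be spotted in the output rather than silently passing.

# ---- Configuration ------------------------------------------------------

lannet="192.168.94.0/24"
loopback="127.0.0.0/8"
any="0.0.0.0/0"
privateA="10.0.0.0/8"
privateB="172.16.0.0/12"
privateC="192.168.0.0/16"

# Static IP address
# staticaddr="999.999.999.999/32"

# External interface name
IFext="ppp0"

# Interfaces that get a traffic counter in acct-in / acct-out.
# (Previously the external one was hard-coded as ppp0 here; it now follows
# IFext so the two cannot drift apart.)
IFacct="lo ${IFext} eth0 dummy0"

IPCHAINS="/sbin/ipchains"

# User-defined chains this script owns; they must be created with -N
# before -F / -A can reference them on a fresh boot.
userchains="in-icmp in-tcp in-udp acct-in acct-out"

# ---- Helpers ------------------------------------------------------------

#######################################
# Run ipchains with the given arguments.
# Arguments: ipchains arguments
# Outputs:   a warning on stderr if ipchains fails
# Returns:   0 always (failures are reported, not propagated, so the rest
#            of the rule set is still applied)
#######################################
ipc() {
  "${IPCHAINS}" "$@" \
    || printf 'warning: ipchains %s failed (status %s)\n' "$*" "$?" >&2
}

#######################################
# Create the user-defined chains if missing, then flush every chain.
# Note: the flush does not touch policies, so between here and the last
# -A below the host runs on the previous policies with no rules.
#######################################
clear_rules() {
  echo Clearing existing rules
  for chain in ${userchains}; do
    # -N fails harmlessly when the chain already exists from a previous run.
    "${IPCHAINS}" -N "${chain}" 2>/dev/null
  done
  for chain in input output forward ${userchains}; do
    ipc -F "${chain}"
  done
}

#######################################
# Set the default policies for the built-in chains.
#######################################
set_policies() {
  echo Setting default policies
  # Allow input and output by default; refuse to forward anything that is
  # not explicitly accepted below.
  # NOTE(review): because input defaults to ALLOW, anything the per-protocol
  # chains below do not reject is accepted -- including protocols other than
  # TCP/UDP/ICMP, which are never handed to a filtering chain at all.
  ipc -P input ALLOW
  ipc -P output ALLOW
  ipc -P forward REJECT
}

#######################################
# Input rules: anti-spoofing, then per-protocol filtering on the external
# interface via the in-icmp / in-udp / in-tcp chains.
#######################################
set_input_rules() {
  echo Setting input rules

  # Make sure accounting rules get called
  ipc -A input -j acct-in

  # No spoofing of private or local addresses from the outside world.
  # Also no sending from the outside world to those addresses (-b matches
  # both directions).  No notification on these: become a black hole, but
  # log them.
  for net in ${privateA} ${privateB} ${privateC} ${loopback}; do
    ipc -A input -l -j DENY -i "${IFext}" -b -s "${net}"
  done
  #ipc -A input -l -j DENY -i "${IFext}" -s "${staticaddr}"

  # Block some dangerous or useless ICMP messages (the trailing number is
  # the ICMP type); everything else is accepted.
  # 5 - routing redirects ( super-source-quench attack )
  # 9 - router advertisement
  # 10 - router solicitation
  # 15,16 - obsolete
  ipc -A input -j in-icmp -i "${IFext}" -p icmp
  for icmptype in 5 9 10 15 16; do
    ipc -A in-icmp -l -j DENY -p icmp -s "${any}" "${icmptype}"
  done
  ipc -A in-icmp -j ACCEPT

  # Open holes for a few UDP services, reject (and log) everything else up
  # to port 32767, and let the rest through.  ipchains is stateless, so the
  # high-port ACCEPT is presumably what lets replies to outbound queries
  # back in -- it also admits any unsolicited datagram to those ports.
  ipc -A input -j in-udp -i "${IFext}" -p udp
  for svc in domain ntp; do
    ipc -A in-udp -j ACCEPT -p udp -d "${any}" "${svc}"
  done
  ipc -A in-udp -l -j REJECT -p udp -d "${any}" 1:32767
  ipc -A in-udp -j ACCEPT

  # Open holes for a few privileged TCP ports for inbound connections,
  # block all other privileged and sensitive non-privileged ports, then
  # refuse any other new connection (-y matches SYN-only packets) so only
  # established traffic reaches the final ACCEPT.
  # NOTE(review): telnet and ftp carry credentials in cleartext; ssh on the
  # same list covers the remote-access need.
  ipc -A input -j in-tcp -i "${IFext}" -p tcp
  for svc in telnet ssh ftp ftp-data ntp auth; do
    ipc -A in-tcp -j ACCEPT -p tcp -d "${any}" "${svc}"
  done
  ipc -A in-tcp -l -j REJECT -p tcp -d "${any}" 1:1023
  ipc -A in-tcp -l -j REJECT -p tcp -d "${any}" 6000
  #ipc -A in-tcp -l -j REJECT -p tcp -d "${any}" postgres
  ipc -A in-tcp -l -j REJECT -p tcp -d "${any}" -y
  ipc -A in-tcp -j ACCEPT
}

#######################################
# Forwarding rules for the LAN behind this host.
#######################################
set_forward_rules() {
  echo Setting forwarding rules
  # Forward within local network without masquerading anything
  ipc -A forward -j ACCEPT -s "${lannet}" -d "${lannet}"
  # Masquerade for everything to the outside world
  ipc -A forward -j MASQ -s "${lannet}" -d "${any}"
}

#######################################
# Output rules: accounting hook, then keep private/loopback addresses off
# the external interface.
#######################################
set_output_rules() {
  echo Setting output rules

  # Make sure accounting rules get called
  ipc -A output -j acct-out

  # Never allow things from private network numbers to escape (or be
  # addressed, -b) on the external interface; log what gets rejected.
  for net in ${privateA} ${privateB} ${privateC} ${loopback}; do
    ipc -A output -l -j REJECT -i "${IFext}" -b -s "${net}"
  done
}

#######################################
# Accounting rules: one match-everything rule per interface so the packet
# and byte counters can be read per interface.
#######################################
set_accounting_rules() {
  echo Setting accounting rules
  for iface in ${IFacct}; do
    ipc -A acct-in -i "${iface}"
  done
  for iface in ${IFacct}; do
    ipc -A acct-out -i "${iface}"
  done
}

main() {
  if [ "$(id -u)" -ne 0 ]; then
    printf 'error: %s must run as root\n' "${0##*/}" >&2
    exit 1
  fi
  clear_rules
  set_policies
  set_input_rules
  set_forward_rules
  set_output_rules
  set_accounting_rules
  echo Done
  exit 0
}

main "$@"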