[Sheflug] Re: IPChains.
Sean
On Thu, 15 Feb 2001, Sean Liddall wrote:
> Anyone aware of a way of how to deny icmp requests on an external
> interface... but allow icmp for an internal network ?
I've seen your other message as well. The attached script might help?
Thanks
Richard
-- Name : firewall.txt
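#!/bin/sh
#
# Script to set up an ipchains (Linux 2.2) packet filter on a box whose
# external link is ppp0 and whose internal LAN is 192.168.1.0/24 on eth0.
# The input and forward policies are DENY, so anything not explicitly
# ACCEPTed below is dropped; output policy is ACCEPT.
#
# Must be run as root. Rules are replaced wholesale each run (see -F/-X).
#
# Abort on the first failing command. Once the DENY policies are in place a
# failure leaves the box closed, and we never print "active" when a rule
# did not actually load.
set -e
#
# Anti Spoofing - have the kernel discard packets whose source address is
# not routable back out of the interface they arrived on.
#
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
  # printf rather than "echo -n": plain /bin/sh (dash) prints a literal -n.
  printf '%s' "Setting up IP spoofing protection...."
  for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
    # Non-fatal on purpose: one unwritable entry must not abort the script
    # before any filtering rules have been loaded.
    echo 1 > "$f" || printf 'warning: could not write %s\n' "$f" >&2
  done
  echo "done."
else
  echo PROBLEMS SETTING UP IP SPOOFING PROTECTION. BE VERY WORRIED. >&2
  echo
fi
# Enable forwarding so the masqueraded LAN traffic below can pass through.
echo 1 > /proc/sys/net/ipv4/ip_forward
# Clean up any existing rules - this is essential
/sbin/ipchains -F
/sbin/ipchains -X
# Default to allowing nothing in, everything out.
/sbin/ipchains -P input DENY
/sbin/ipchains -P output ACCEPT
/sbin/ipchains -P forward DENY
#
# Ziegler allow local network bit - this is so that data can move between the local
# net and the internet. If your machine is standalone then you should comment this out.
# NB: everything arriving on eth0 is trusted unconditionally; only ppp0 is filtered.
/sbin/ipchains -A input -i lo -j ACCEPT
/sbin/ipchains -A input -i eth0 -j ACCEPT
#
# modified by suggestion from the Open BSD book and the www.linuxnewbie.org
# site.
# Masquerade outgoing data from the LAN
/sbin/ipchains -A forward -s 192.168.1.0/24 -j MASQ
# Debugging -- log everything coming through the firewall. *VERBOSE*
# should only use for debugging purposes only unless you like lots
# of messages logged to syslog :)
#/sbin/ipchains -A input -p tcp -l
#
# Next we deal with identd. REJECT rather than DENY so the remote mail/IRC
# server gets an immediate refusal instead of waiting for a timeout.
/sbin/ipchains -A input -p tcp -s 0/0 -d 0/0 113 -j REJECT
#
# Refuse packets claiming to be to or from the Class A private network
# (10.0.0.0/8, RFC 1918). Private addresses must never appear on the
# external link in either direction; outbound leaks are logged (-l).
#
/sbin/ipchains -A input -i ppp0 -s 10.0.0.0/8 -j DENY
/sbin/ipchains -A input -i ppp0 -d 10.0.0.0/8 -j DENY
/sbin/ipchains -A output -i ppp0 -s 10.0.0.0/8 -j DENY -l
/sbin/ipchains -A output -i ppp0 -d 10.0.0.0/8 -j DENY -l
#
# Refuse packets claiming to be to or from the Class B private network.
# RFC 1918 defines this as 172.16.0.0/12 (172.16.0.0 - 172.31.255.255);
# the earlier /20 covered only 172.16.0.0 - 172.16.15.255, and the output
# rules had a typo ("176.16") that matched nothing private at all.
#
/sbin/ipchains -A input -i ppp0 -s 172.16.0.0/12 -j DENY
/sbin/ipchains -A input -i ppp0 -d 172.16.0.0/12 -j DENY
/sbin/ipchains -A output -i ppp0 -s 172.16.0.0/12 -j DENY -l
/sbin/ipchains -A output -i ppp0 -d 172.16.0.0/12 -j DENY -l
#
# Refuse packets claiming to be to or from the Class C private network
# (192.168.0.0/16, RFC 1918) - this includes our own LAN.
#
/sbin/ipchains -A input -i ppp0 -s 192.168.0.0/16 -j DENY
/sbin/ipchains -A input -i ppp0 -d 192.168.0.0/16 -j DENY
/sbin/ipchains -A output -i ppp0 -s 192.168.0.0/16 -j DENY -l
/sbin/ipchains -A output -i ppp0 -d 192.168.0.0/16 -j DENY -l
#
# Ziegler - refuse packets claiming to be from the loopback interface
#
/sbin/ipchains -A input -i ppp0 -s 127.0.0.0/8 -j DENY
/sbin/ipchains -A output -i ppp0 -s 127.0.0.0/8 -j DENY -l
#
# Refuse malformed broadcast packets
#
# Class D multicast is 224.0.0.0/4 (224 - 239). A multicast address is
# never legal as a *source*, so refuse it inbound; also refuse our own
# packets addressed to multicast going out over ppp0.
# (The earlier /29 mask covered only 224.0.0.0 - 224.0.0.7.)
/sbin/ipchains -A input -i ppp0 -s 224.0.0.0/4 -j DENY -l
/sbin/ipchains -A output -i ppp0 -d 224.0.0.0/4 -j DENY -l
# Class E reserved space is 240.0.0.0/4 (240 - 255); the earlier /28 mask
# covered only 240.0.0.0 - 240.0.0.15.
/sbin/ipchains -A output -i ppp0 -d 240.0.0.0/4 -j DENY -l
# The IANA ultimately manages the allocation and registration
# of the world's IP address space. See http://www.isi.edu/in-notes
# /iana/assignments/ipv4-address-space - Refuse addresses defined as
# reserved by the IANA
#
# NOTE(review): the list below is a static snapshot of the unallocated
# ("bogon") space as it stood in early 2001. Unallocated space gets
# allocated; a list that is not regenerated from a current source will
# eventually block legitimate peers, with no symptom other than the -l
# entries in syslog. Regenerate it or remove this section before use.
/sbin/ipchains -A input -i ppp0 -s 1.0.0.0/8 -j DENY -l
/sbin/ipchains -A input -i ppp0 -s 2.0.0.0/8 -j DENY -l
/sbin/ipchains -A input -i ppp0 -s 5.0.0.0/8 -j DENY -l
/sbin/ipchains -A input -i ppp0 -s 7.0.0.0/8 -j DENY -l
/sbin/ipchains -A input -i ppp0 -s 23.0.0.0/8 -j DENY -l
/sbin/ipchains -A input -i ppp0 -s 27.0.0.0/8 -j DENY -l
/sbin/ipchains -A input -i ppp0 -s 31.0.0.0/8 -j DENY -l
/sbin/ipchains -A input -i ppp0 -s 37.0.0.0/8 -j DENY -l
/sbin/ipchains -A input -i ppp0 -s 39.0.0.0/8 -j DENY -l
/sbin/ipchains -A input -i ppp0 -s 41.0.0.0/8 -j DENY -l
/sbin/ipchains -A input -i ppp0 -s 42.0.0.0/8 -j DENY -l
/sbin/ipchains -A input -i ppp0 -s 58.0.0.0/7 -j DENY -l
/sbin/ipchains -A input -i ppp0 -s 60.0.0.0/8 -j DENY -l
# 65: 01000001 - /3 includes 64 - need 65-79 spelled out
/sbin/ipchains -A input -i ppp0 -s 65.0.0.0/8 -j DENY -l
/sbin/ipchains -A input -i ppp0 -s 66.0.0.0/8 -j DENY -l
/sbin/ipchains -A input -i ppp0 -s 67.0.0.0/8 -j DENY -l
/sbin/ipchains -A input -i ppp0 -s 68.0.0.0/8 -j DENY -l
/sbin/ipchains -A input -i ppp0 -s 69.0.0.0/8 -j DENY -l
/sbin/ipchains -A input -i ppp0 -s 70.0.0.0/8 -j DENY -l
/sbin/ipchains -A input -i ppp0 -s 71.0.0.0/8 -j DENY -l
/sbin/ipchains -A input -i ppp0 -s 72.0.0.0/8 -j DENY -l
/sbin/ipchains -A input -i ppp0 -s 73.0.0.0/8 -j DENY -l
/sbin/ipchains -A input -i ppp0 -s 74.0.0.0/8 -j DENY -l
/sbin/ipchains -A input -i ppp0 -s 75.0.0.0/8 -j DENY -l
/sbin/ipchains -A input -i ppp0 -s 76.0.0.0/8 -j DENY -l
/sbin/ipchains -A input -i ppp0 -s 77.0.0.0/8 -j DENY -l
/sbin/ipchains -A input -i ppp0 -s 78.0.0.0/8 -j DENY -l
/sbin/ipchains -A input -i ppp0 -s 79.0.0.0/9 -j DENY -l
# 80: 01010000 - /4 masks 80-95
## CEJ: Fixed typo "80..0.0.0" to "80.0.0.0"
/sbin/ipchains -A input -i ppp0 -s 80.0.0.0/4 -j DENY -l
# 96: 01100000 - /4 masks 96-111
/sbin/ipchains -A input -i ppp0 -s 96.0.0.0/4 -j DENY -l
# 126: 01111110 - /3 includes 127 - need 112-126 spelled out
/sbin/ipchains -A input -i ppp0 -s 112.0.0.0/8 -j DENY -l
/sbin/ipchains -A input -i ppp0 -s 113.0.0.0/8 -j DENY -l
/sbin/ipchains -A input -i ppp0 -s 114.0.0.0/8 -j DENY -l
/sbin/ipchains -A input -i ppp0 -s 115.0.0.0/8 -j DENY -l
/sbin/ipchains -A input -i ppp0 -s 116.0.0.0/8 -j DENY -l
/sbin/ipchains -A input -i ppp0 -s 117.0.0.0/8 -j DENY -l
/sbin/ipchains -A input -i ppp0 -s 118.0.0.0/8 -j DENY -l
/sbin/ipchains -A input -i ppp0 -s 119.0.0.0/8 -j DENY -l
/sbin/ipchains -A input -i ppp0 -s 120.0.0.0/8 -j DENY -l
/sbin/ipchains -A input -i ppp0 -s 121.0.0.0/8 -j DENY -l
/sbin/ipchains -A input -i ppp0 -s 122.0.0.0/8 -j DENY -l
/sbin/ipchains -A input -i ppp0 -s 123.0.0.0/8 -j DENY -l
/sbin/ipchains -A input -i ppp0 -s 124.0.0.0/8 -j DENY -l
/sbin/ipchains -A input -i ppp0 -s 125.0.0.0/8 -j DENY -l
/sbin/ipchains -A input -i ppp0 -s 126.0.0.0/8 -j DENY -l
# 217: 11011001 - /5 includes 216 - need 217-219 spelled out
/sbin/ipchains -A input -i ppp0 -s 217.0.0.0/8 -j DENY -l
/sbin/ipchains -A input -i ppp0 -s 218.0.0.0/8 -j DENY -l
/sbin/ipchains -A input -i ppp0 -s 219.0.0.0/8 -j DENY -l
#
# smurf attack - refuse ICMP to the limited broadcast address on ppp0,
# in both directions, so we are neither an amplifier nor a source.
#
/sbin/ipchains -A input -i ppp0 -p icmp -d 255.255.255.255 -j DENY -l
/sbin/ipchains -A output -i ppp0 -p icmp -d 255.255.255.255 -j REJECT -l
#
# smurf attack - network mask
# NOTE(review): ipchains treats an address with no /mask as /32, so these
# two rules match the single host address 255.255.255.0 only. Left as
# written; the rule above and the LAN rule below do the real work.
#
/sbin/ipchains -A input -i ppp0 -p icmp -d 255.255.255.0 -j DENY -l
/sbin/ipchains -A output -i ppp0 -p icmp -d 255.255.255.0 -j REJECT -l
#
# smurf attack - network address (covers the LAN's directed broadcast,
# 192.168.1.255, since the whole /24 is matched)
#
/sbin/ipchains -A input -i ppp0 -p icmp -d 192.168.1.0/24 -j DENY -l
/sbin/ipchains -A output -i ppp0 -p icmp -d 192.168.1.0/24 -j REJECT -l
#
## All the stuff we're *allowing* in -- should be here otherwise
## none of the DENY rules above will take effect (the firewall
## processes the rules in sequence as they appear in ipchains -L -
## having these at the top nullified all the rules blocking reserved
## and restricted IP's :)
#
# "! -y" matches TCP packets that are not a bare SYN, i.e. replies to
# connections this box opened. This is a stateless approximation of
# "established"; ipchains cannot track connections.
# POP3 and SMTP replies
/sbin/ipchains -A input -i ppp0 -p tcp ! -y --source-port 110 -j ACCEPT
/sbin/ipchains -A input -i ppp0 -p tcp ! -y --source-port 25 -j ACCEPT
# Inbound SMTP to any host on the LAN (any interface; on ppp0 a LAN
# destination is already refused by the 192.168.0.0/16 rule above)
/sbin/ipchains -A input -p tcp -d 192.168.1.0/24 25 -j ACCEPT
# FTP control replies
/sbin/ipchains -A input -i ppp0 -p tcp ! -y --source-port 21 -j ACCEPT
# TODO(review): confirm what service answers from port 20011; it is not a
# registered port and is already covered by the 1024: rule below.
/sbin/ipchains -A input -i ppp0 -p tcp ! -y --source-port 20011 -j ACCEPT
# Replies to any outbound connection from an unprivileged local port
/sbin/ipchains -A input -i ppp0 \
  -p tcp ! -y --destination-port 1024: -j ACCEPT
#/sbin/ipchains -A input -i ppp0 -p tcp ! -y --source-port 80 -j ACCEPT
## DNS replies... (-l logs every reply; drop it once you are happy with
## the rule set, or syslog will fill up)
/sbin/ipchains -A input -i ppp0 -p udp --source-port 53 -j ACCEPT -l
# Allow ICMP data - all types, in on ppp0. (-b appends a second copy of
# the rule with source and destination swapped; with no -s/-d given that
# copy is effectively a duplicate.)
# To refuse inbound pings on the external interface while still accepting
# the error and reply messages the stack relies on, insert a DENY for
# that one type ahead of this ACCEPT, e.g.:
#/sbin/ipchains -A input -i ppp0 -p icmp --icmp-type echo-request -j DENY -l
/sbin/ipchains -A input -b -p icmp -i ppp0 -j ACCEPT
echo "Filtering firewall active"
# Log all unauthorised packets. Any packet that gets denied will
# be reported in /var/log/messages. This is a good way to spot
# if your rules are too restrictive for a service you want to run.
/sbin/ipchains -A input -p tcp -j DENY -l
/sbin/ipchains -A input -p udp -j DENY -l
/sbin/ipchains -A input -p icmp -j DENY -l
echo "Logging any rubbish that shouldn't be coming in !"
#
#
# everything else is caught by input policy DENY
# end of script
# save to /usr/local/bin as "firewall" after creating a /usr partition on the same disk
# It should have permissions: -rwx------ 1 root
# that means do "chmod 700 firewall" and miss out the quotation marks
# produced with help from ......
# Robert L. Zeigler - Author of Linux Firewalls
# Wes Sonnenreich and Tom Yates - Authors of Linux and Open BSD Firewalls
# Martin P. Holland - http://www.noether.freeserve.co.uk/secure.html
# Chris Johnson
# Craig Andrews - <craig [at] fishbot.org.uk>
# Linux Newbie.org - http://www.linuxnewbie.org
# Written by Richard Ibbotson
# Richard <richard [at] sheflug.co.uk> January 28 2001 firewall
#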