On 03/30, Jeff Abrahamson wrote:
> Hey.
>
> A bit ago you posted a note about logging ipchain denies. I deleted
> said note, but, more to the point, I was wondering if you'd be willing
> to share (with the list or just me) your set of chains. Sounds like
> you've put a lot of thought into them, and I'd love to see another
> example of a well thought out set.
>
> Thanks.
Attached to this email. I'd appreciate any proofreading.
--
http://www.ChaosReigns.com
#!/bin/bash
# By Darxus@ChaosReigns.com, 4/2/01
# This script is intended to allow incoming ssh, smtp, and http
# connections from everywhere, ntp and ident connections from
# appropriate servers, and all outgoing connections, and log and
# deny pretty much everything else.
#
# It does no routing / masquerading. It also breaks dcc in irc, and,
# I believe, outgoing ftp.
#
# There is nothing site-specific here.
#
# I am interested in feedback, but this is not an invitation to poke at
# my boxes. I recognize the impossibility of perfect security.
# 1 ICMP Internet Control Message [RFC792]
# 6 TCP Transmission Control [RFC793]
# 17 UDP User Datagram [RFC768,JBP]
# flush rules
ipchains -F # flush rules
ipchains -X # delete chains (eth0-in)
ipchains -Z # reset counters to zero
# Allow all connections to/from the loopback device.
# This is much better than allowing everything from localhost, since
# that would allow incoming connections from a spoofed IP of 127.0.0.1.
ipchains -i lo -A input -j ACCEPT
ipchains -i lo -A output -j ACCEPT
# create eth0-in
ipchains -N eth0-in
ipchains -A input -i eth0 -j eth0-in
# Deny connections from reserved subnets - anything from here can be
# assumed to be spoofed. The last 2 (commented out below) could eventually
# be assigned/valid. 172.16.0.0/12 is the full RFC1918 block; a /16 would
# only have covered 172.16.x.x.
for source in 192.168.0.0/16 10.0.0.0/8 172.16.0.0/12 169.254.0.0/16 192.0.2.0/24 240.0.0.0/8 0.0.0.0/8;
# 1.0.0.0/8 2.0.0.0/8
do ipchains -l -A eth0-in -p all -s $source -j DENY;
done
# Deny connections to and from loopback and some broadcast type stuff.
# These would only be spoofed as well. Each rule needs "-j DENY"; a rule
# with no target only logs/counts the packet and lets it fall through.
for range in 127.0.0.0/8 0.0.0.0/32 255.255.255.255/32 255.255.255.0/32 ;
do ipchains -l -A eth0-in -p all -d $range -j DENY;
ipchains -l -A eth0-in -p all -s $range -j DENY;
done
# allow web, ssh, & smtp in - feel free to modify this list of ports to
# suit your needs.
for port in 22 25 80;
do ipchains -A eth0-in -p tcp --destination-port $port -j ACCEPT;
done
# Allow return connections.
# - Allows incoming traffic from all outgoing connections.
# - TCP: "! -y" accepts any packet without SYN-only flags, i.e. not a new
#   connection attempt.
# - UDP: ipchains is stateless, so this accepts any UDP to an unprivileged
#   port (DNS replies etc.), not only replies to our own queries.
ipchains -A eth0-in -p tcp ! -y -j ACCEPT
ipchains -A eth0-in -p udp --destination-port 1024: -j ACCEPT
# Allow ident from irc servers I use.
# - from efnet and undernet - roundrobin dns is properly expanded
#ipchains -A eth0-in -p tcp --destination-port 113 -j ACCEPT
for host in irc.lightning.net irc.ef.net irc.mcs.net irc.east.gblx.net irc.west.gblx.net baltimore.md.us.undernet.org newyork.ny.us.undernet.org austin.tx.us.undernet.org pwctoday.com Haarlem.NL.EU.UnderNet.Org newbrunswick.nj.us.undernet.org irc.undernet.org;
do ipchains -A eth0-in -p tcp -s $host --destination-port 113 -j ACCEPT;
done
# Allow NTP responses from NTP servers listed in /etc/ntp.conf.
# "server" lines in /etc/ntp.conf must be delimited with 1 space.
#ipchains -A eth0-in -p udp --destination-port 123 -j ACCEPT
for source in `grep ^server /etc/ntp.conf | cut -d' ' -f2`
do
ipchains -A eth0-in -p udp --destination-port 123 -s $source -j ACCEPT
done
# Allow everything from one trusted host (site-specific; change or remove).
ipchains -A eth0-in -p all -s oblivion.chaosreigns.com -j ACCEPT
# deny and log everything else
ipchains -l -A eth0-in -j DENY
# change policy to default to deny all incoming connections
ipchains -P input DENY
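An added example (not part of the post or of Darxus's script): the script logs every deny with "-l", and the thread started with logging ipchains denies, so here is a small Python reader for the kernel "Packet log:" lines ipchains writes. The log lines inside it are constructed samples using documentation addresses, not a real capture; the reserved-range list mirrors the script's anti-spoof loop, with 172.16.0.0/12 as the full RFC1918 block.

```python
# Added example, not part of the original post or of Darxus's script: parse
# the kernel "Packet log:" lines that ipchains writes for rules given "-l",
# and summarise what the eth0-in chain denied. Every log line below is a
# constructed sample (documentation IP ranges), not a real capture.
import ipaddress
import re
from collections import Counter

# Source ranges the script's anti-spoof loops deny (with 172.16.0.0/12, the
# full RFC1918 block, plus the loopback range from the second loop).
SPOOF_SOURCES = [ipaddress.ip_network(n) for n in (
    "192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12", "169.254.0.0/16",
    "192.0.2.0/24", "240.0.0.0/8", "0.0.0.0/8", "127.0.0.0/8",
)]

# Protocol numbers the script lists in its header comment.
PROTOCOLS = {1: "icmp", 6: "tcp", 17: "udp"}

# ipchains log format: "Packet log: <chain> <target> <iface> PROTO=<n>
# <src>:<sport> <dst>:<dport> L=.. S=.. I=.. F=.. T=.. [SYN] (#<rule>)".
# For ICMP the two "port" fields carry the type and code.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) L=(?P<len>\d+) S=(?P<tos>0x[0-9a-fA-F]+) "
    r"I=(?P<id>\d+) F=(?P<frag>0x[0-9a-fA-F]+) T=(?P<ttl>\d+)"
    r"(?: (?P<flags>SYN))? \(#(?P<rule>\d+)\)"
)

# Constructed sample log (rule numbers are illustrative).
SAMPLE_LOG = """\
Mar 30 12:00:01 host kernel: Packet log: eth0-in DENY eth0 PROTO=6 203.0.113.7:40112 198.51.100.5:23 L=60 S=0x00 I=12345 F=0x4000 T=52 SYN (#34)
Mar 30 12:00:02 host kernel: Packet log: eth0-in DENY eth0 PROTO=6 203.0.113.7:40113 198.51.100.5:139 L=60 S=0x00 I=12346 F=0x4000 T=52 SYN (#34)
Mar 30 12:00:03 host kernel: Packet log: eth0-in DENY eth0 PROTO=17 192.168.1.20:1025 198.51.100.5:53 L=64 S=0x00 I=7 F=0x0000 T=64 (#1)
Mar 30 12:00:04 host kernel: Packet log: eth0-in DENY eth0 PROTO=1 172.31.4.4:8 198.51.100.5:0 L=84 S=0x00 I=9 F=0x0000 T=64 (#3)
Mar 30 12:00:05 host kernel: Packet log: eth0-in DENY eth0 PROTO=6 198.51.100.99:2222 198.51.100.5:111 L=60 S=0x00 I=555 F=0x4000 T=60 SYN (#34)
Mar 30 12:00:06 host kernel: unrelated message, ignored by the parser
"""


def parse_log_line(line):
    """Return a dict for one ipchains log line, or None for any other line."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "len", "id", "ttl", "rule"):
        rec[key] = int(rec[key])
    proto_num = int(rec["proto"])
    rec["proto"] = PROTOCOLS.get(proto_num, str(proto_num))
    return rec


def is_spoofed_source(ip):
    """True if the source address lies in a range the script treats as spoofed."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SPOOF_SOURCES)


def summarize(log_text):
    """Count DENY entries by (protocol, destination port) and flag spoofed sources."""
    by_service = Counter()   # (proto, dport) -> number of denied packets
    spoofed = Counter()      # spoofed source address -> number of denied packets
    denied = 0
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None or rec["target"] != "DENY":
            continue
        denied += 1
        by_service[(rec["proto"], rec["dport"])] += 1
        if is_spoofed_source(rec["src"]):
            spoofed[rec["src"]] += 1
    return {"denied": denied, "by_service": by_service, "spoofed": spoofed}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print("denied packets:", report["denied"])
    for (proto, port), n in report["by_service"].most_common():
        print(f"  {proto}/{port}: {n}")
    for src, n in report["spoofed"].most_common():
        print(f"  spoofed source {src}: {n}")
```

Run it against "grep 'Packet log:' /var/log/messages" output instead of SAMPLE_LOG to see which ports are being probed and how many denies come from addresses that should never appear on the wire; a spike in the spoofed counter usually means an upstream misconfiguration rather than an attack.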