epike on Tue, 24 Dec 2002 14:21:05 -0500 |
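Hi list.. I've finally able to write my own firewall rules, I'd appreciate it if somebody comments or hints for general suggestions, thanks! (this is my first try). I'm getting the hang of it and it seems to work; though if I'm missing something let me know, much appreciated. (the server is behind a linksys router so its on the 192.168.1 network, configured as the DMZ host). e pike ---------

#! /bin/sh
###################################################################
# SIMPLE FW RULES, 1-ETHERNET, NO FOWARDING, NO MASQ, SERVICES ONLY
#
# OBJECTIVES: 1. Allow standard services (ftp, telnet, web, squid, etc)
#             2. Log everything else thats not allowed, then drop them
#
# JondZ Mon Dec 23 16:12:14 EST 2002
#
# Order of operations: the DROP policies are applied BEFORE the old rules
# are flushed, so the host is never briefly wide open (empty rule set with
# the previous ACCEPT policy) while the rule set is rebuilt.  Any failing
# iptables call aborts the script (set -e), which leaves the host
# fail-closed instead of half-configured.
####################################################################

# Abort on the first failing command and on any unset variable.
set -eu

VERSION="JondZ 12/2002"
WAN_DEVICE=eth0
# Directed broadcast address of the WAN segment.  NOTE: the earlier value
# 192.168.1.255/24 matched the *whole* 192.168.1.0/24 network, not just the
# broadcast address.
WAN_DEVICE_BROADCAST=192.168.1.255
# Local network behind the linksys router (derived from the 192.168.1.x
# addressing described above; adjust if the LAN uses another prefix).
LAN_NET=192.168.1.0/24

# Services reachable from anywhere.  This host is the router's DMZ host, so
# every port listed here is exposed to the Internet.  ftp (21) and pop3
# (110) carry credentials in cleartext; keep them only if really needed.
TCP_OPENPORTS=20,21,22,25,53,80,110
UDP_OPENPORTS=53
# Services that only make sense for LAN peers: telnet (23) is cleartext,
# NetBIOS/SMB (137-139) should never be reachable from the Internet, and an
# Internet-reachable squid (3128) is an open proxy unless squid's own ACLs
# restrict its clients.
LAN_TCP_OPENPORTS=23,137,138,139,3128
LAN_UDP_OPENPORTS=137,138,139

IPTABLES=/sbin/iptables

echo "$0 ($VERSION): Starting custom firewall..."

###########################################################
# IMPLEMENT DEFAULT DRACONIAN POLICIES (before flushing, so
# there is no window with an empty rule set and ACCEPT policy)
###########################################################
echo "$0: applying default policies..."
"$IPTABLES" -P INPUT DROP
"$IPTABLES" -P OUTPUT ACCEPT
"$IPTABLES" -P FORWARD DROP

###########################################################
# INITIALIZE CHAINS
###########################################################
echo "$0: initializing chains..."
# Flush every chain in the filter table (not only the built-ins); otherwise
# -X refuses to delete a user-defined chain that still holds rules and the
# script would abort here.
"$IPTABLES" -F
"$IPTABLES" -X
"$IPTABLES" -Z

#############################################
# lo CONNECTIONS
#############################################
echo "$0: Accepting lo connections..."
"$IPTABLES" -A INPUT -i lo -j ACCEPT
# Anti-spoofing: loopback source addresses must never arrive on the WAN
# interface; drop them before any ACCEPT rule can match.
"$IPTABLES" -A INPUT -i "$WAN_DEVICE" -s 127.0.0.0/8 -j DROP

#############################################
# LOG FORWARDING ATTEMPTS
#############################################
# FORWARD policy is DROP; the LOG is rate-limited so a flood of forwarding
# attempts cannot fill syslog.
"$IPTABLES" -A FORWARD -m limit --limit 3/s -j LOG --log-prefix "FWD_DETECTED "

#############################################
# BROADCAST PACKETS
#############################################
# Left disabled: with the INPUT policy at DROP, broadcasts are already
# dropped.  Enable only if a LAN service actually needs them.
# echo "$0: accepting broadcast packets.."
# "$IPTABLES" -A INPUT -i "$WAN_DEVICE" -d "$WAN_DEVICE_BROADCAST" -j ACCEPT

#############################################
# CONNECTION TRACKING for WAN_DEVICE (all protocols)
#############################################
echo "$0: Applying connection-tracking rules..."
# INVALID packets are dropped for every protocol, not only TCP.
"$IPTABLES" -A INPUT -i "$WAN_DEVICE" -m state --state INVALID -j DROP
# Replies to connections this host initiated, plus RELATED traffic such as
# active-FTP data connections and ICMP error messages.
"$IPTABLES" -A INPUT -i "$WAN_DEVICE" -m state --state ESTABLISHED,RELATED -j ACCEPT

#############################################
# INCOMING TCP CONNECTIONS for WAN_DEVICE
#############################################
echo "$0: Allowing TCP Services..."
"$IPTABLES" -A INPUT -i "$WAN_DEVICE" -p tcp \
  -m state --state NEW -m multiport \
  --destination-port "$TCP_OPENPORTS" -j ACCEPT
# LAN-only services: source address must be on the local network.
"$IPTABLES" -A INPUT -i "$WAN_DEVICE" -p tcp -s "$LAN_NET" \
  -m state --state NEW -m multiport \
  --destination-port "$LAN_TCP_OPENPORTS" -j ACCEPT
# Anything else falls through to the INPUT DROP policy; log it first.
"$IPTABLES" -A INPUT -i "$WAN_DEVICE" -p tcp \
  -m limit --limit 3/s -j LOG --log-prefix "TCP_IN "

#################################################
# INCOMING UDP CONNECTIONS for WAN_DEVICE
#################################################
echo "$0: Allowing UDP Services..."
"$IPTABLES" -A INPUT -i "$WAN_DEVICE" -p udp \
  -m state --state NEW -m multiport \
  --destination-port "$UDP_OPENPORTS" -j ACCEPT
"$IPTABLES" -A INPUT -i "$WAN_DEVICE" -p udp -s "$LAN_NET" \
  -m state --state NEW -m multiport \
  --destination-port "$LAN_UDP_OPENPORTS" -j ACCEPT
"$IPTABLES" -A INPUT -i "$WAN_DEVICE" -p udp \
  -m limit --limit 3/s -j LOG --log-prefix "UDP_IN "

#############################################
# INCOMING ICMP CONNECTIONS
#############################################
echo "$0: allowing some ICMP Connections..."
#################################################################
# ICMP TYPES (incomplete)
# --------------------------
# (ideas gathered from fw script of vogt@hansenet.com)
#
#  0 - echo reply
#  8 - echo request
#  3 - Destination Unreachable
# 11 - Time Exceeded
# 30 - Traceroute
#
# Ping - icmp types 0,8   (ICMP, not UDP)
# destination unreachable - 3
# traceroute - 11,30
####################################################################
# Echo requests are rate-limited so a ping flood is dropped instead of
# answered.  Types 0, 3 and 11 that belong to our own connections are
# already accepted by the ESTABLISHED,RELATED rule above.
"$IPTABLES" -A INPUT -i "$WAN_DEVICE" -p icmp --icmp-type 8 \
  -m limit --limit 3/s -j ACCEPT
"$IPTABLES" -A INPUT -i "$WAN_DEVICE" -p icmp --icmp-type 0 -j ACCEPT
"$IPTABLES" -A INPUT -i "$WAN_DEVICE" -p icmp --icmp-type 3 -j ACCEPT
"$IPTABLES" -A INPUT -i "$WAN_DEVICE" -p icmp --icmp-type 11 -j ACCEPT
"$IPTABLES" -A INPUT -i "$WAN_DEVICE" -p icmp --icmp-type 30 -j ACCEPT
# Other ICMP types fall through to the INPUT DROP policy; log them
# (rate-limited) so probes remain visible in syslog.
"$IPTABLES" -A INPUT -i "$WAN_DEVICE" -p icmp \
  -m limit --limit 3/s -j LOG --log-prefix "ICMP_IN "

echo "$0: firewall rules loaded."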