epike on Thu, 26 Dec 2002 15:41:03 -0500



[PLUG] myfirst fw rules(rev.2)


Hi

thanks to all the people who responded; my 
firewall rule script now looks like this.

Suggestions are still welcome and much appreciated
thanks!

jondz / epike

(changes: broadcast address was wrong, changes in ICMP section)
---------------------------------------------------------------

#! /bin/sh 
###################################################################
# SIMPLE FW RULES, 1-ETHERNET, NO FORWARDING, NO MASQ, SERVICES ONLY
#
# OBJECTIVES: 1. Allow standard services (ftp, telnet, web, squid, etc)
#             2. Log everything else that's not allowed, then drop them
#
# JondZ Mon Dec 23 16:12:14 EST 2002
# JondZ Thu Dec 26 14:57:26 EST 2002 revised (thanks to PLUG)
####################################################################

VERSION="JondZ 12/2002"
WAN_DEVICE=eth0
WAN_DEVICE_BROADCAST=192.168.1.255/32
TCP_OPENPORTS=20,21,22,23,25,53,80,110,137,138,139,3128
UDP_OPENPORTS=53,137,138,139

IPTABLES=/sbin/iptables

echo "$0 ($VERSION): Starting custom firewall..."

###########################################################
# INITIALIZE CHAINS
###########################################################
echo "$0: initializing chains..."
$IPTABLES -F INPUT      # flush all rules from the built-in chains
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
$IPTABLES -X            # delete any user-defined chains
$IPTABLES -Z            # zero the packet and byte counters

#############################################
# IMPLEMENT DEFAULT DRACONIAN POLICIES
#############################################
echo "$0: applying default policies..."
$IPTABLES -P INPUT    DROP
$IPTABLES -P OUTPUT   ACCEPT
$IPTABLES -P FORWARD  DROP

#############################################
# lo CONNECTIONS
#############################################
echo "$0: Accepting lo connections..."
$IPTABLES -A INPUT  -i lo -j ACCEPT

#############################################
# LOG FORWARDING ATTEMPTS
#############################################
$IPTABLES -A FORWARD -j LOG --log-prefix "FWD_DETECTED "

#######################################################################
# ENABLE BROADCAST PACKETS
# 
# NOTES
# -----
# On some setups you may want to ACCEPT broadcasts (eg, SAMBA, DHCP)
# On some setups you may want to DENY broadcasts
#######################################################################
echo "$0: accepting broadcast packets.."
$IPTABLES -A INPUT -i $WAN_DEVICE -d $WAN_DEVICE_BROADCAST -j ACCEPT

#############################################
# INCOMING TCP CONNECTIONS for WAN_DEVICE
#############################################
echo "$0: Allowing TCP Services..."
$IPTABLES -A INPUT -i $WAN_DEVICE -p tcp \
          -m state --state INVALID -j DROP
$IPTABLES -A INPUT -i $WAN_DEVICE -p tcp \
          -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i $WAN_DEVICE -p tcp \
          -m state --state NEW -m multiport \
         --destination-port $TCP_OPENPORTS -j ACCEPT
$IPTABLES -A INPUT -i $WAN_DEVICE -p tcp \
          -m limit --limit 3/s -j LOG --log-prefix "TCP_IN "

#################################################
# INCOMING UDP CONNECTIONS for WAN_DEVICE
#################################################
echo "$0: Allowing UDP Services..."
$IPTABLES -A INPUT -i $WAN_DEVICE -p udp \
          -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i $WAN_DEVICE -p udp \
          -m state --state NEW -m multiport \
          --destination-port $UDP_OPENPORTS -j ACCEPT
$IPTABLES -A INPUT -i $WAN_DEVICE -p udp \
          -m limit --limit 3/s -j LOG --log-prefix "UDP_IN "

#############################################
# INCOMING ICMP CONNECTIONS
#############################################
echo "$0: allowing some ICMP Connections..."

########################################################################
# ICMP TYPES (incomplete)
# --------------------------
# (ideas gathered from fw script of vogt@hansenet.com)
#
# 0  - echo reply
# 3  - Destination Unreachable
# 4  - source quench
# 5  - redirect 
# 8  - echo
# 11 - Time Exceeded
# 30 - Traceroute
#
# Ping - icmp types 0,8
# destination unreachable - icmp type 3
# traceroute - icmp types 11,30
#
# NOTES - icmp type 5 is needed for routing with other network segments!
#       - icmp type 4 source quench - when packets arrive too fast to
#         be processed type 4 is sent (??).  
########################################################################
# Each allowed type is rate-limited to 3/s.  Any ICMP type not matched
# below (eg, type 5 while it is commented out) falls through to the
# INPUT policy (DROP) without being logged, since there is no ICMP LOG rule.
$IPTABLES -A INPUT -i $WAN_DEVICE -p icmp -m icmp \
          --icmp-type 0 -m limit --limit 3/s -j ACCEPT
$IPTABLES -A INPUT -i $WAN_DEVICE -p icmp -m icmp \
          --icmp-type 3 -m limit --limit 3/s -j ACCEPT
$IPTABLES -A INPUT -i $WAN_DEVICE -p icmp -m icmp \
          --icmp-type 4 -m limit --limit 3/s -j ACCEPT
# $IPTABLES -A INPUT -i $WAN_DEVICE -p icmp -m icmp \
#           --icmp-type 5 -m limit --limit 2/s -j ACCEPT
$IPTABLES -A INPUT -i $WAN_DEVICE -p icmp -m icmp \
          --icmp-type 8 -m limit --limit 3/s -j ACCEPT
$IPTABLES -A INPUT -i $WAN_DEVICE -p icmp -m icmp \
          --icmp-type 11 -m limit --limit 3/s -j ACCEPT
_________________________________________________________________________
Philadelphia Linux Users Group        --       http://www.phillylinux.org
Announcements - http://lists.netisland.net/mailman/listinfo/plug-announce
General Discussion  --   http://lists.netisland.net/mailman/listinfo/plug
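The following is an added example, not part of the post or the poster's script: a small Python evaluator that re-encodes the posted INPUT rules as data and walks them with iptables first-match semantics, so constructed packets can be checked offline (no root, no kernel) to see which verdict and which log prefix the rule set produces. It models the `-i`, `-p`, `-d`, `-m state`, `-m multiport --destination-port` and `--icmp-type` matches used in the script; `-m limit` is ignored (each LOG rule is treated as always matching), and LOG is modelled as non-terminating, so evaluation continues past it. The names `Packet`, `Rule`, `input_chain` and `evaluate`, and the sample packets, are this example's own.

```python
"""Offline evaluator for the INPUT chain of the posted firewall script.

Added example (not the poster's code). Rules are data; evaluation is
first-match, LOG does not terminate, and an unmatched packet gets the
chain policy. '-m limit' is not modelled.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Values copied from the posted script.
WAN_DEVICE = "eth0"
WAN_DEVICE_BROADCAST = "192.168.1.255"
TCP_OPENPORTS = {20, 21, 22, 23, 25, 53, 80, 110, 137, 138, 139, 3128}
UDP_OPENPORTS = {53, 137, 138, 139}
INPUT_POLICY = "DROP"


@dataclass
class Packet:
    """A constructed packet as conntrack and the filter table would see it."""
    iface: str
    proto: str                       # "tcp", "udp" or "icmp"
    dst: str = "192.168.1.10"        # constructed host address unless broadcast
    dport: Optional[int] = None
    state: str = "NEW"               # NEW, ESTABLISHED, RELATED or INVALID
    icmp_type: Optional[int] = None


@dataclass
class Rule:
    """One rule; a None or empty field means that match is absent from the rule."""
    target: str                      # ACCEPT, DROP or LOG
    iface: Optional[str] = None
    proto: Optional[str] = None
    dst: Optional[str] = None
    states: Set[str] = field(default_factory=set)
    dports: Set[int] = field(default_factory=set)
    icmp_type: Optional[int] = None
    log_prefix: str = ""

    def matches(self, p: Packet) -> bool:
        if self.iface is not None and p.iface != self.iface:
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.dst is not None and p.dst != self.dst:
            return False
        if self.states and p.state not in self.states:
            return False
        if self.dports and p.dport not in self.dports:
            return False
        if self.icmp_type is not None and p.icmp_type != self.icmp_type:
            return False
        return True


def input_chain() -> List[Rule]:
    """The posted INPUT rules, in the order the script appends them."""
    wan = WAN_DEVICE
    rules = [
        Rule("ACCEPT", iface="lo"),
        Rule("ACCEPT", iface=wan, dst=WAN_DEVICE_BROADCAST),
        Rule("DROP", iface=wan, proto="tcp", states={"INVALID"}),
        Rule("ACCEPT", iface=wan, proto="tcp", states={"ESTABLISHED", "RELATED"}),
        Rule("ACCEPT", iface=wan, proto="tcp", states={"NEW"}, dports=TCP_OPENPORTS),
        Rule("LOG", iface=wan, proto="tcp", log_prefix="TCP_IN"),
        Rule("ACCEPT", iface=wan, proto="udp", states={"ESTABLISHED", "RELATED"}),
        Rule("ACCEPT", iface=wan, proto="udp", states={"NEW"}, dports=UDP_OPENPORTS),
        Rule("LOG", iface=wan, proto="udp", log_prefix="UDP_IN"),
    ]
    # Type 5 (redirect) is commented out in the script, so it is absent here.
    rules += [Rule("ACCEPT", iface=wan, proto="icmp", icmp_type=t) for t in (0, 3, 4, 8, 11)]
    return rules


def evaluate(rules: List[Rule], policy: str, p: Packet) -> Tuple[str, List[str]]:
    """Return (verdict, log prefixes emitted) for p under first-match semantics."""
    logged: List[str] = []
    for rule in rules:
        if not rule.matches(p):
            continue
        if rule.target == "LOG":
            logged.append(rule.log_prefix)   # non-terminating: keep walking
            continue
        return rule.target, logged            # ACCEPT/DROP end the chain
    return policy, logged                     # fell off the end: chain policy


if __name__ == "__main__":
    # Constructed sample packets.
    samples = {
        "tcp 8080 NEW on eth0":     Packet("eth0", "tcp", dport=8080),
        "tcp 8080 INVALID on eth0": Packet("eth0", "tcp", dport=8080, state="INVALID"),
        "udp 137 NEW on eth0":      Packet("eth0", "udp", dport=137),
        "icmp type 5 on eth0":      Packet("eth0", "icmp", icmp_type=5),
        "udp 67 to broadcast":      Packet("eth0", "udp", dst=WAN_DEVICE_BROADCAST, dport=67),
        "tcp 22 NEW on eth1":       Packet("eth1", "tcp", dport=22),
    }
    for label, pkt in samples.items():
        verdict, logs = evaluate(input_chain(), INPUT_POLICY, pkt)
        print(f"{label:26s} -> {verdict:6s} logged={logs}")
```

Running it shows the points worth checking before deploying such a script: a new TCP connection to an unlisted port is logged with `TCP_IN` and then dropped by the policy, while an INVALID TCP packet and an unlisted ICMP type are dropped without any log line; the broadcast rule accepts anything addressed to the broadcast address before the port rules are consulted; the NetBIOS ports in the open lists are reachable on the WAN interface; and a second interface such as eth1 gets only the bare DROP policy with no logging at all.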