Naresh on Thu, 26 Dec 2002 21:30:33 -0500



Re: [PLUG] myfirst fw rules(rev.2)


Looks very good, you don't by chance have this on a website do you?

Naresh

On Thu, 26 Dec 2002 epike@isinet.com wrote:

> Hi
>
> thanks for all the people who responded, my
> firewall rule script now looks like this.
>
> Suggestions are still welcome and much appreciated
> thanks!
>
> jondz / epike
>
> (changes: broadcast address was wrong, changes in ICMP section)
> ---------------------------------------------------------------
>
> #! /bin/sh
> ###################################################################
> # SIMPLE FW RULES, 1-ETHERNET, NO FORWARDING, NO MASQ, SERVICES ONLY
> #
> # OBJECTIVES: 1. Allow standard services (ftp, telnet, web, squid, etc)
> #             2. Log everything else that's not allowed, then drop them
> #
> # JondZ Mon Dec 23 16:12:14 EST 2002
> # JondZ Thu Dec 26 14:57:26 EST 2002 revised (thanks to PLUG)
> ####################################################################
>
> VERSION="JondZ 12/2002"
> WAN_DEVICE=eth0
> WAN_DEVICE_BROADCAST=192.168.1.255/32
> TCP_OPENPORTS=20,21,22,23,25,53,80,110,137,138,139,3128
> UDP_OPENPORTS=53,137,138,139
>
> IPTABLES=/sbin/iptables
>
> echo "$0 ($VERSION): Starting custom firewall..."
>
> ###########################################################
> # INITIALIZE CHAINS
> ###########################################################
> echo "$0: initializing chains..."
> $IPTABLES -F INPUT
> $IPTABLES -F OUTPUT
> $IPTABLES -F FORWARD
> $IPTABLES -X
> $IPTABLES -Z
>
> #############################################
> # IMPLEMENT DEFAULT DRACONIAN POLICIES
> #############################################
> echo "$0: applying default policies..."
> $IPTABLES -P INPUT    DROP
> $IPTABLES -P OUTPUT   ACCEPT
> $IPTABLES -P FORWARD  DROP
>
> #############################################
> # lo CONNECTIONS
> #############################################
> echo "$0: Accepting lo connections..."
> $IPTABLES -A INPUT  -i lo -j ACCEPT
>
> #############################################
> # LOG FORWARDING ATTEMPTS
> #############################################
> $IPTABLES -A FORWARD -j LOG --log-prefix "FWD_DETECTED "
>
> #######################################################################
> # ENABLE BROADCAST PACKETS
> #
> # NOTES
> # -----
> # On some setups you may want to ACCEPT broadcasts (eg, SAMBA, DHCP)
> # On some setups you may want to DENY broadcasts
> #######################################################################
> echo "$0: accepting broadcast packets.."
> $IPTABLES -A INPUT -i $WAN_DEVICE -d $WAN_DEVICE_BROADCAST -j ACCEPT
>
> #############################################
> # INCOMING TCP CONNECTIONS for WAN_DEVICE
> #############################################
> echo "$0: Allowing TCP Services..."
> $IPTABLES -A INPUT -i $WAN_DEVICE -p tcp \
>           -m state --state INVALID -j DROP
> $IPTABLES -A INPUT -i $WAN_DEVICE -p tcp \
>           -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A INPUT -i $WAN_DEVICE -p tcp \
>           -m state --state NEW -m multiport \
>           --destination-port $TCP_OPENPORTS -j ACCEPT
> $IPTABLES -A INPUT -i $WAN_DEVICE -p tcp \
>           -m limit --limit 3/s -j LOG --log-prefix "TCP_IN "
>
> #################################################
> # INCOMING UDP CONNECTIONS for WAN_DEVICE
> #################################################
> echo "$0: Allowing UDP Services..."
> $IPTABLES -A INPUT -i $WAN_DEVICE -p udp \
>           -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A INPUT -i $WAN_DEVICE -p udp \
>           -m state --state NEW -m multiport \
>           --destination-port $UDP_OPENPORTS -j ACCEPT
> $IPTABLES -A INPUT -i $WAN_DEVICE -p udp \
>           -m limit --limit 3/s -j LOG --log-prefix "UDP_IN "
>
> #############################################
> # INCOMING ICMP CONNECTIONS
> #############################################
> echo "$0: allowing some ICMP Connections..."
>
> ########################################################################
> # ICMP TYPES (incomplete)
> # --------------------------
> # (ideas gathered from fw script of vogt@hansenet.com)
> #
> # 0  - echo reply
> # 3  - Destination Unreachable
> # 4  - source quench
> # 5  - redirect
> # 8  - echo
> # 11 - Time Exceeded
> # 30 - Traceroute
> #
> # Ping - icmp types 0,8
> # destination unreachable - 3
> # traceroute - 11,30
> #
> # NOTES - icmp type 5 is needed for routing with other network segments!
> #       - icmp type 4 source quench - when packets arrive too fast to
> #         be processed type 4 is sent (??).
> ########################################################################
> $IPTABLES -A INPUT -i $WAN_DEVICE -p icmp -m icmp \
>           --icmp-type 0 -m limit --limit 3/s -j ACCEPT
> $IPTABLES -A INPUT -i $WAN_DEVICE -p icmp -m icmp \
>           --icmp-type 3 -m limit --limit 3/s -j ACCEPT
> $IPTABLES -A INPUT -i $WAN_DEVICE -p icmp -m icmp \
>           --icmp-type 4 -m limit --limit 3/s -j ACCEPT
> # $IPTABLES -A INPUT -i $WAN_DEVICE -p icmp -m icmp \
> #           --icmp-type 5 -m limit --limit 2/s -j ACCEPT
> $IPTABLES -A INPUT -i $WAN_DEVICE -p icmp -m icmp \
>           --icmp-type 8 -m limit --limit 3/s -j ACCEPT
> $IPTABLES -A INPUT -i $WAN_DEVICE -p icmp -m icmp \
>           --icmp-type 11 -m limit --limit 3/s -j ACCEPT
> _________________________________________________________________________
> Philadelphia Linux Users Group        --       http://www.phillylinux.org
> Announcements - http://lists.netisland.net/mailman/listinfo/plug-announce
> General Discussion  --   http://lists.netisland.net/mailman/listinfo/plug
>
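Objective 2 of the script is to log whatever it refuses, so the other half of the job is reading those logs. The following is an added example, not part of epike's script or of any list post; it assumes only the three `--log-prefix` values used above and works on constructed sample lines in the netfilter LOG format.

```shell
#!/bin/sh
# Added example: summarise what the TCP_IN / UDP_IN / FWD_DETECTED LOG rules
# above write to the kernel log before the default policy drops the packet.
# The lines below are constructed samples in the netfilter LOG target's
# format; on a real box they would come from /var/log/messages or dmesg.

SAMPLE_LOG=$(cat <<'EOF'
Dec 26 15:01:02 fw kernel: TCP_IN IN=eth0 OUT= SRC=192.168.1.77 DST=192.168.1.10 LEN=60 TTL=64 ID=1 DF PROTO=TCP SPT=40001 DPT=8080 WINDOW=5840 SYN URGP=0
Dec 26 15:01:03 fw kernel: TCP_IN IN=eth0 OUT= SRC=192.168.1.77 DST=192.168.1.10 LEN=60 TTL=64 ID=2 DF PROTO=TCP SPT=40002 DPT=8080 WINDOW=5840 SYN URGP=0
Dec 26 15:01:03 fw kernel: TCP_IN IN=eth0 OUT= SRC=192.168.1.77 DST=192.168.1.10 LEN=60 TTL=64 ID=3 DF PROTO=TCP SPT=40003 DPT=3306 WINDOW=5840 SYN URGP=0
Dec 26 15:01:09 fw kernel: UDP_IN IN=eth0 OUT= SRC=192.168.1.20 DST=192.168.1.10 LEN=78 TTL=64 ID=4 PROTO=UDP SPT=5353 DPT=161 LEN=58
Dec 26 15:02:30 fw kernel: FWD_DETECTED IN=eth0 OUT=eth0 SRC=192.168.1.20 DST=10.9.9.9 LEN=60 TTL=63 ID=5 DF PROTO=TCP SPT=40010 DPT=22 WINDOW=5840 SYN URGP=0
EOF
)

# log_summary PREFIX [LOGFILE]: print "PROTO DPT SRC count", most frequent
# first, for every line that the given --log-prefix matched.  Reads the
# constructed sample unless a log file is given as the second argument.
log_summary() {
    prefix=$1
    if [ -n "$2" ]; then cat -- "$2"; else printf '%s\n' "$SAMPLE_LOG"; fi |
    awk -v p="$prefix" '
        $0 ~ ("kernel: " p " ") {
            proto = src = dpt = "?"
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "PROTO") proto = kv[2]
                else if (kv[1] == "SRC") src = kv[2]
                else if (kv[1] == "DPT") dpt = kv[2]
            }
            n[proto " " dpt " " src]++
        }
        END { for (k in n) print k, n[k] }' | sort -k4,4nr -k2,2n
}

log_summary TCP_IN
log_summary UDP_IN
log_summary FWD_DETECTED
```

Because the LOG rules carry `-m limit --limit 3/s`, these counts are a floor: packets arriving faster than the limit fall straight through to the default DROP without being logged.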