[CLUE-Tech] No firewalling success...

Jeremiah Stanley miah at miah.org
Tue Feb 13 17:13:08 MST 2001


I have tried all of your suggestions to no avail. I am thinking that I may
have a bug somewhere other than the configuration script, because when I
start up the firewall nothing (and I mean nothing) gets through to the
machine. Ping didn't even make it through (and I wasn't filtering it).

If anyone has a suggestion as to how I could test to make sure that
ipchains is working correctly on my machine (it is running RH7, so I am
assuming that they knew what they were doing when they set up the
distro...) I would greatly appreciate it.

In my searches for information I did find this rather neat tool...

http://www.linux-firewall-tools.com/linux/firewall/index.html

It is a CGI script that will generate an ipchains script for you. You
could then save the resulting configuration under RH7 with the command:

/etc/rc.d/init.d/ipchains save

This will save all the firewall information to
/etc/sysconfig/network/ipchains in a nice, neat and orderly fashion.

Jeremiah Stanley
-- 
A witty saying proves nothing.
		-- Voltaire
-------------- next part --------------
#!/bin/sh
#  /etc/rc.d/rc.firewall
#  Invoked from /etc/rc.d/rc.local.

echo "Starting firewalling... "

# ----------------------------------------------------------------------------
#  Some definitions for easy maintenance.
#  EDIT THESE TO SUIT YOUR SYSTEM AND ISP.
#  These are plain shell variables; /etc/rc.d/rc.firewall.blocked, which is
#  sourced further down, runs in this same shell and may refer to them too.

EXTERNAL_INTERFACE="eth0"               # Internet connected interface
LOOPBACK_INTERFACE="lo"                 # or your local naming convention

# NOTE(review): every ACCEPT rule in this file is pinned to IPADDR
# (-d $IPADDR on input rules, -s $IPADDR on output rules).  If this value
# is not the address actually configured on $EXTERNAL_INTERFACE, no ACCEPT
# rule can match and the DENY/REJECT default policies drop every packet,
# ping included.  Compare it with the interface's real address before
# suspecting ipchains itself.
IPADDR="216.98.203.244"                 # your IP address

ANYWHERE="any/0"                        # match any IP address
                                        # (not referenced below: the ICQ
                                        # rules write any/0 literally)

NAMESERVER_1="216.98.203.242"           # everyone must have at least one
#NAMESERVER_2="216.98.203.242"          # second resolver; no rule below
                                        # uses it, so it stays commented out


LOOPBACK="127.0.0.0/8"                  # reserved loopback address range
                                        # (the spoofing rules below write
                                        # the literal 127.0.0.0/8 instead)
CLASS_A="10.0.0.0/8"                    # class A private networks
CLASS_B="172.16.0.0/12"                 # class B private networks
CLASS_C="192.168.0.0/16"                # class C private networks
CLASS_D_MULTICAST="224.0.0.0/4"         # class D multicast addresses
CLASS_E_RESERVED_NET="240.0.0.0/5"      # class E reserved addresses
BROADCAST_SRC="0.0.0.0"                 # broadcast source address
BROADCAST_DEST="255.255.255.255"        # broadcast destination address
PRIVPORTS="0:1023"                      # well known, privileged port range
UNPRIVPORTS="1024:65535"                # unprivileged port range

# ----------------------------------------------------------------------------

NFS_PORT="2049"                         # (TCP/UDP) NFS; defined but no rule
                                        # in this file references it
SOCKS_PORT="1080"                       # (TCP) Socks

# X Windows port allocation begins at 6000 and increments to 6063
# for each additional server running.
XWINDOW_PORTS="6000:6063"               # (TCP) X windows; defined but no
                                        # rule in this file references it

# The SSH client starts at 1023 and works down to 513 for each
# additional simultaneous connection originating from a privileged port.
# Clients can optionally be configured to use only unprivileged ports.
SSH_LOCAL_PORTS="1022:65535"            # port range for local clients
SSH_REMOTE_PORTS="513:65535"            # port range for remote clients

# traceroute usually uses -S 32769:65535 -D 33434:33523
TRACEROUTE_SRC_PORTS="32769:65535"
TRACEROUTE_DEST_PORTS="33434:33523"

# ----------------------------------------------------------------------------
# Default policy is DENY
# Explicitly accept desired INCOMING & OUTGOING connections

    # Remove all existing rules belonging to this filter.
    # -F flushes the rules in the built-in chains but leaves the chain
    # policies alone, which is why they are set explicitly just below.
    ipchains -F

    # Set the default policy of the filter to deny.
    # From here until the ACCEPT rules further down are installed the host
    # has no connectivity at all; if the script dies part-way through it
    # stays in that closed state, which is the safe direction to fail.
    # REJECT answers the sender with an ICMP error, DENY discards silently.
    ipchains -P input  DENY
    ipchains -P output REJECT
    ipchains -P forward DENY

# ----------------------------------------------------------------------------

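    # Enable TCP SYN Cookie Protection
    echo 1 > /proc/sys/net/ipv4/tcp_syncookies

    # Enable always defragging Protection
    # (this knob may not exist on every kernel; if it is missing the shell
    # prints a redirection error for this line and carries on, since the
    # script does not run under "set -e")
    echo 1 > /proc/sys/net/ipv4/ip_always_defrag

    # Enable broadcast echo  Protection
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

    # Enable bad error message  Protection
    echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

    # set_conf_flag VALUE NAME
    #   Write VALUE into /proc/sys/net/ipv4/conf/*/NAME for every entry
    #   under that directory.  Each path is quoted and checked with -f
    #   first: /bin/sh leaves an unmatched glob as the literal pattern, and
    #   without the check that pattern would be opened as a file name.
    #   The exit status is that of the last command run in the loop.
    set_conf_flag() {
        for f in /proc/sys/net/ipv4/conf/*/"$2"; do
            [ -f "$f" ] || continue
            echo "$1" > "$f"
        done
    }

    # Enable IP spoofing protection
    # turn on Source Address Verification
    set_conf_flag 1 rp_filter

    # Disable ICMP Redirect Acceptance (neither accept nor emit them)
    set_conf_flag 0 accept_redirects
    set_conf_flag 0 send_redirects

    # Disable Source Routed Packets
    set_conf_flag 0 accept_source_route

    # Log Spoofed Packets, Source Routed Packets, Redirect Packets
    set_conf_flag 1 log_martians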


# ----------------------------------------------------------------------------
# LOOPBACK

    # Unlimited traffic on the loopback interface.
    # These are the only ACCEPTs for $LOOPBACK_INTERFACE and they come
    # before the address-based DENY rules below (which carry no -i), so
    # local traffic is never caught by those.

    ipchains -A input  -i $LOOPBACK_INTERFACE  -j ACCEPT 
    ipchains -A output -i $LOOPBACK_INTERFACE  -j ACCEPT 

# ----------------------------------------------------------------------------
# Network Ghouls

    # Deny access to jerks
    # --------------------
    # /etc/rc.d/rc.firewall.blocked contains a list of
    # ipchains -A input -i $EXTERNAL_INTERFACE -s address -j DENY
    # rules to block from any access.

    # Refuse any connection from problem sites.
    # The file is sourced (".") into this shell, so whatever it contains
    # runs with the same privileges as this script; keep it owned by and
    # writable only by root.  A missing file is silently fine (-f test).
    if [ -f /etc/rc.d/rc.firewall.blocked ]; then
        . /etc/rc.d/rc.firewall.blocked
    fi

# ----------------------------------------------------------------------------
# SPOOFING & BAD ADDRESSES
# Refuse spoofed packets.
# Ignore blatantly illegal source addresses.
# Protect yourself from sending to bad addresses.

    # Refuse incoming packets pretending to be from the external address.
    # NOTE: this rule and the address-based rules below carry no -i, so
    # they apply on every interface; only the loopback ACCEPT above runs
    # before them.  A second (internal) interface using a private range
    # would be shut out by the CLASS_A/B/C rules -- add -i $EXTERNAL_INTERFACE
    # to them if that ever applies.
    ipchains -A input   -s $IPADDR -j DENY -l

    # Refuse incoming packets claiming to be from a Class A, B or C private network
    ipchains -A input   -s $CLASS_A -j DENY 
    ipchains -A input   -s $CLASS_B -j DENY 
    ipchains -A input   -s $CLASS_C -j DENY 

    # Refuse packets with the all-ones broadcast address as SOURCE, and
    # packets addressed TO 0.0.0.0.  (The variable names read the other way
    # round from how they are used here: BROADCAST_DEST is matched with -s,
    # BROADCAST_SRC with -d.)
    ipchains -A input   -s $BROADCAST_DEST -j DENY -l
    ipchains -A input   -d $BROADCAST_SRC -j DENY -l

    # Refuse Class D multicast addresses
    # Multicast is illegal as a source address.
    # Multicast uses UDP.
    ipchains -A input   -s $CLASS_D_MULTICAST -j DENY 

    # Refuse Class E reserved IP  addresses
    ipchains -A input   -s $CLASS_E_RESERVED_NET -j DENY -l

    # Refuse special addresses defined as reserved by the IANA.
    # Note:  The remaining reserved addresses are not included.
    # Filtering them causes problems as reserved blocks are
    # being allocated more often now.

    # Note:  this list includes the loopback, multicast, & reserved addresses.

    # 0.*.*.*           - Can't be blocked for DHCP users (it is blocked
    #                     below anyway; fine for a static IPADDR).
    # 127.*.*.*         - LoopBack (same range as $LOOPBACK above)
    # 169.254.*.*       - Link Local Networks
    # 192.0.2.*         - TEST-NET
    # 224-255.*.*.*     - Classes D & E, plus unallocated.

    # Overlap: 224.0.0.0/3 already contains $CLASS_D_MULTICAST (224/4) and
    # $CLASS_E_RESERVED_NET (240/5), both denied above, so the last rule
    # here only ever sees the remaining 248.0.0.0/5.  Harmless, but the
    # logging (-l) differs: multicast sources are dropped without a log
    # entry by the earlier rule.
    ipchains -A input   -s 0.0.0.0/8 -j DENY -l
    ipchains -A input   -s 127.0.0.0/8 -j DENY -l
    ipchains -A input   -s 169.254.0.0/16 -j DENY -l
    ipchains -A input   -s 192.0.2.0/24 -j DENY -l
    ipchains -A input   -s 224.0.0.0/3 -j DENY -l

# ----------------------------------------------------------------------------
# NOTE:
#      The symbolic names used in /etc/services for the port numbers vary by
#      supplier.  Using them is less error prone and more meaningful, though.

# ----------------------------------------------------------------------------
# TCP UNPRIVILEGED PORTS
# Avoid ports subject to protocol & system administration problems.
    # SOCKS: establishing a connection
    # -y matches only packets with SYN set and ACK clear, i.e. the opening
    # of a TCP connection.  The default policies already DENY input and
    # REJECT output, so the input rule adds logging (-l) of inbound SOCKS
    # attempts and the output rule simply makes the refusal explicit.
    ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp -y \
             --destination-port $SOCKS_PORT -j DENY -l
    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp -y \
             --destination-port $SOCKS_PORT -j REJECT 

# ----------------------------------------------------------------------------

    # DNS client (53)
    # ---------------
    # Queries go only to NAMESERVER_1, over UDP and (for large answers) TCP.
    # ipchains is stateless: the UDP input rule accepts ANY packet whose
    # source is NAMESERVER_1 port 53, not just answers to queries this host
    # sent.  The TCP side is tighter because "! -y" rejects opening SYNs.
    ipchains -A output -i $EXTERNAL_INTERFACE -p udp  \
             -s $IPADDR $UNPRIVPORTS \
             -d $NAMESERVER_1 53 -j ACCEPT 

    ipchains -A input  -i $EXTERNAL_INTERFACE -p udp  \
             -s $NAMESERVER_1 53 \
             -d $IPADDR $UNPRIVPORTS -j ACCEPT 


    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp  \
             -s $IPADDR $UNPRIVPORTS \
             -d $NAMESERVER_1 53 -j ACCEPT 

    ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp ! -y \
             -s $NAMESERVER_1 53 \
             -d $IPADDR $UNPRIVPORTS -j ACCEPT 

    # ------------------------------------------------------------------

    # HTTP server (80)
    # ----------------
    # Pattern used for every "server" pair in this file: the input rule has
    # no "! -y", so it accepts the opening SYN from any remote address on an
    # unprivileged source port; the output rule carries "! -y" and so only
    # lets replies out, never a connection this host initiates from port 80.
    # Remote clients connecting from a privileged source port (< 1024) are
    # not matched and fall through to the logged DENY at the end.
    ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp  \
             --source-port $UNPRIVPORTS \
             -d $IPADDR 80 -j ACCEPT 

    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
             -s $IPADDR 80 \
             --destination-port $UNPRIVPORTS -j ACCEPT 


    # HTTP client (80)
    # ----------------
    # Mirror image of the server pair: SYN may go out, only non-SYN
    # packets from port 80 are accepted back in.
    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp  \
             -s $IPADDR $UNPRIVPORTS \
             --destination-port 80 -j ACCEPT 

    ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp ! -y \
             --source-port 80 \
             -d $IPADDR $UNPRIVPORTS -j ACCEPT 

    # ------------------------------------------------------------------

    # HTTPS server (443)
    # ------------------
    ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp  \
             --source-port $UNPRIVPORTS \
             -d $IPADDR 443 -j ACCEPT 

    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
             -s $IPADDR 443 \
             --destination-port $UNPRIVPORTS -j ACCEPT 


    # HTTPS client (443)
    # ------------------
    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp  \
             -s $IPADDR $UNPRIVPORTS \
             --destination-port 443 -j ACCEPT 

    ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp ! -y \
             --source-port 443 \
             -d $IPADDR $UNPRIVPORTS -j ACCEPT 

    # ------------------------------------------------------------------

    # IMAP server (143)
    # -----------------
    # Inbound only; there is no IMAP client pair.  Port 143 is the plain
    # (non-TLS) IMAP port, so mail credentials arriving here are readable
    # on the wire unless the server negotiates STARTTLS.
    ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp  \
             --source-port $UNPRIVPORTS \
             -d $IPADDR 143 -j ACCEPT 

    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
             -s $IPADDR 143 \
             --destination-port $UNPRIVPORTS -j ACCEPT 

    # ------------------------------------------------------------------

    # SSH server (22)
    # ---------------
    # Remote SSH clients may come from $SSH_REMOTE_PORTS (513:65535), which
    # is wider than $UNPRIVPORTS because, as noted in the definitions, the
    # SSH client can use privileged source ports from 1023 downwards.
    ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp  \
             --source-port $SSH_REMOTE_PORTS \
             -d $IPADDR 22 -j ACCEPT 

    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
             -s $IPADDR 22 \
             --destination-port $SSH_REMOTE_PORTS -j ACCEPT 


    # SSH client (22)
    # ---------------
    # Local client source ports are $SSH_LOCAL_PORTS (1022:65535).
    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp  \
             -s $IPADDR $SSH_LOCAL_PORTS \
             --destination-port 22 -j ACCEPT 

    ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp ! -y \
             --source-port 22 \
             -d $IPADDR $SSH_LOCAL_PORTS -j ACCEPT 

    # ------------------------------------------------------------------

    # TELNET server (23)
    # ------------------
    # Accepts telnet logins from any address.  Telnet sends passwords in
    # the clear; with the SSH server pair above in place these four rules
    # are only needed if something genuinely still depends on telnet.
    ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp  \
             --source-port $UNPRIVPORTS \
             -d $IPADDR 23 -j ACCEPT 

    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
             -s $IPADDR 23 \
             --destination-port $UNPRIVPORTS -j ACCEPT 


    # TELNET client (23)
    # ------------------
    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp  \
             -s $IPADDR $UNPRIVPORTS \
             --destination-port 23 -j ACCEPT 

    ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp ! -y \
             --source-port 23 \
             -d $IPADDR $UNPRIVPORTS -j ACCEPT 

    # ------------------------------------------------------------------

    # AUTH server (113)
    # -----------------

    # Accept incoming connections to identd but disable in.identd in inetd.conf.
    # With no daemon listening the kernel answers the SYN with a RST, which
    # presumably is the point: remote mail/IRC servers doing an ident lookup
    # get an immediate refusal instead of waiting for a timeout.
    ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp  \
             --source-port $UNPRIVPORTS \
             -d $IPADDR 113 -j ACCEPT 

    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
             -s $IPADDR 113 \
             --destination-port $UNPRIVPORTS -j ACCEPT 


    # AUTH client (113)
    # -----------------
    # Outbound ident lookups made by local daemons.
    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp  \
             -s $IPADDR $UNPRIVPORTS \
             --destination-port 113 -j ACCEPT 

    ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp ! -y \
             --source-port 113 \
             -d $IPADDR $UNPRIVPORTS -j ACCEPT 

    # ------------------------------------------------------------------

    # WHOIS client (43)
    # -----------------
    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp  \
             -s $IPADDR $UNPRIVPORTS \
             --destination-port 43 -j ACCEPT 

    ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp ! -y \
             --source-port 43 \
             -d $IPADDR $UNPRIVPORTS -j ACCEPT 

    # ------------------------------------------------------------------

    # FTP server (21)
    # ---------------

    # incoming request (control channel: SYN accepted in, replies out)
    ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp  \
             --source-port $UNPRIVPORTS \
             -d $IPADDR 21 -j ACCEPT 

    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
             -s $IPADDR 21 \
             --destination-port $UNPRIVPORTS -j ACCEPT 


    # PORT MODE data channel responses
    # In active (PORT) mode the server opens the data connection itself,
    # from port 20 to the client's unprivileged port: the output rule must
    # therefore allow the SYN (no "! -y"), the input rule only replies.
    # Passive-mode transfers (unprivileged port to unprivileged port) are
    # not covered by this section.
    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp  \
             -s $IPADDR 20 \
             --destination-port $UNPRIVPORTS -j ACCEPT 

    ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp ! -y \
             --source-port $UNPRIVPORTS \
             -d $IPADDR 20 -j ACCEPT 


    # FTP client (21)
    # ---------------

    # outgoing request (control channel)
    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp  \
             -s $IPADDR $UNPRIVPORTS \
             --destination-port 21 -j ACCEPT 

    ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp ! -y \
             --source-port 21 \
             -d $IPADDR $UNPRIVPORTS -j ACCEPT 


    # PORT mode data channel
    # The remote server connects back to us from its port 20, so an
    # inbound SYN from source port 20 to any unprivileged port is accepted.
    # Anything that can send from source port 20 matches this rule; that
    # is inherent to active-mode FTP through a stateless filter.
    ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp  \
             --source-port 20 \
             -d $IPADDR $UNPRIVPORTS -j ACCEPT 

    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
             -s $IPADDR $UNPRIVPORTS \
             --destination-port 20 -j ACCEPT 

    # ------------------------------------------------------------------

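    # IRC server (6667)
    # -----------------
    # Inbound connections to the IRC daemon itself: the input rule accepts
    # the opening SYN (no "! -y"), the output rule only non-SYN replies.
    ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp  \
             --source-port $UNPRIVPORTS \
             -d $IPADDR 6667 -j ACCEPT 

    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
             -s $IPADDR 6667 \
             --destination-port $UNPRIVPORTS -j ACCEPT 

    # Unprivileged-to-unprivileged TCP.
    # Without "! -y" this input rule would accept the opening SYN of ANY
    # inbound connection to ANY port from 1024 to 65535 on the external
    # interface, which silently undoes the "explicitly accept desired
    # INCOMING connections" policy stated at the top of this script for
    # every service listening above 1023.  "! -y" restricts it to traffic
    # belonging to connections this host opened, which is exactly what the
    # output rule just below lets out.  If inbound IRC DCC is genuinely
    # needed, add a separate rule for the specific port range the client
    # is configured to use rather than reopening all of $UNPRIVPORTS.
    ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp ! -y \
             --source-port $UNPRIVPORTS \
             -d $IPADDR $UNPRIVPORTS -j ACCEPT 

    # Outbound unprivileged-to-unprivileged TCP (anything this host opens
    # towards a high port on a remote machine), including the SYN.
    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp  \
             -s $IPADDR $UNPRIVPORTS \
             --destination-port $UNPRIVPORTS -j ACCEPT 


    # IRC client (6667)
    # -----------------
    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp  \
             -s $IPADDR $UNPRIVPORTS \
             --destination-port 6667 -j ACCEPT 

    ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp ! -y \
             --source-port 6667 \
             -d $IPADDR $UNPRIVPORTS -j ACCEPT 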

    # ------------------------------------------------------------------

    # ICQ server (4000)
    # -----------------
    # NOTE: the TCP input rule accepts opening SYNs from anywhere to the
    # whole range 2000:4000, not just the ICQ port.  That range includes
    # NFS (2049, see $NFS_PORT in the definitions, which no rule here
    # otherwise filters) and whatever else may be listening between 2000
    # and 4000; narrow it to the ports the ICQ client actually uses.
    # "any/0" is written literally here rather than via $ANYWHERE.
    ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp  \
             -s any/0 $UNPRIVPORTS \
             -d $IPADDR 2000:4000 -j ACCEPT 

    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
             -s $IPADDR 2000:4000 \
             -d any/0 $UNPRIVPORTS -j ACCEPT 

    # UDP has no SYN flag, so these two rules accept any UDP datagram to or
    # from port 4000 regardless of who initiated the exchange.
    ipchains -A input  -i $EXTERNAL_INTERFACE -p udp  \
             -s any/0 $UNPRIVPORTS \
             -d $IPADDR 4000 -j ACCEPT 

    ipchains -A output -i $EXTERNAL_INTERFACE -p udp  \
             -s $IPADDR 4000 \
             -d any/0 $UNPRIVPORTS -j ACCEPT 


    # ICQ client (4000)
    # -----------------
    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp  \
             -s $IPADDR $UNPRIVPORTS \
             --destination-port 2000:4000 -j ACCEPT 

    ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp ! -y \
             --source-port 2000:4000 \
             -d $IPADDR $UNPRIVPORTS -j ACCEPT 

    ipchains -A output -i $EXTERNAL_INTERFACE -p udp  \
             -s $IPADDR $UNPRIVPORTS \
             --destination-port 4000 -j ACCEPT 

    ipchains -A input  -i $EXTERNAL_INTERFACE -p udp  \
             --source-port 4000 \
             -d $IPADDR $UNPRIVPORTS -j ACCEPT 

# ----------------------------------------------------------------------------
# UDP accept only on selected ports
# ---------------------------------

    # ------------------------------------------------------------------

    # OUTGOING TRACEROUTE
    # -------------------
    # Probes only; the ICMP replies that make traceroute useful (types 3
    # and 11) are accepted in the ICMP section below.  The -l on an ACCEPT
    # means every outgoing probe packet is written to the kernel log.
    ipchains -A output -i $EXTERNAL_INTERFACE -p udp  \
             -s $IPADDR $TRACEROUTE_SRC_PORTS \
             --destination-port $TRACEROUTE_DEST_PORTS -j ACCEPT -l

# ----------------------------------------------------------------------------
# ICMP

    #    To prevent denial of service attacks based on ICMP bombs, filter
    #    incoming Redirect (5) and outgoing Destination Unreachable (3).
    #    Note, however, disabling Destination Unreachable (3) is not
    #    advisable, as it is used to negotiate packet fragment size.

    # For bi-directional ping.
    #     Message Types:  Echo_Reply (0),  Echo_Request (8)
    #     To prevent attacks, limit the src addresses to your ISP range.
    # 
    # For outgoing traceroute.
    #     Message Types:  INCOMING Dest_Unreachable (3), Time_Exceeded (11)
    #     default UDP base: 33434 to base+nhops-1
    # 
    # For incoming traceroute.
    #     Message Types:  OUTGOING Dest_Unreachable (3), Time_Exceeded (11)
    #     To block this, deny OUTGOING 3 and 11

    #  0: echo-reply (pong)
    #  3: destination-unreachable, port-unreachable, fragmentation-needed, etc.
    #  4: source-quench
    #  5: redirect
    #  8: echo-request (ping)
    # 11: time-exceeded
    # 12: parameter-problem

    # Incoming ICMP: only the six types below, and only when addressed to
    # IPADDR.  Echo_Request is accepted from any source, so the host
    # answers ping from anywhere; the note above about limiting the source
    # to the ISP range is not implemented here.  Redirect (5) is absent on
    # purpose and is denied with logging at the end of the script.
    ipchains -A input  -i $EXTERNAL_INTERFACE -p icmp  \
             --icmp-type echo-reply \
             -d $IPADDR -j ACCEPT 

    ipchains -A input  -i $EXTERNAL_INTERFACE -p icmp  \
             --icmp-type destination-unreachable \
             -d $IPADDR -j ACCEPT 

    ipchains -A input  -i $EXTERNAL_INTERFACE -p icmp  \
             --icmp-type source-quench \
             -d $IPADDR -j ACCEPT 

    ipchains -A input  -i $EXTERNAL_INTERFACE -p icmp  \
             --icmp-type echo-request \
             -d $IPADDR -j ACCEPT 

    ipchains -A input  -i $EXTERNAL_INTERFACE -p icmp  \
             --icmp-type time-exceeded \
             -d $IPADDR -j ACCEPT 

    ipchains -A input  -i $EXTERNAL_INTERFACE -p icmp  \
             --icmp-type parameter-problem \
             -d $IPADDR -j ACCEPT 


    # Outgoing ICMP.  The ICMP type is given positionally after the source
    # address ("-s $IPADDR echo-reply"), which for -p icmp is equivalent to
    # --icmp-type.  Letting destination-unreachable and time-exceeded out
    # means this host answers incoming traceroutes (see the "incoming
    # traceroute" note above for how to block that).
    ipchains -A output -i $EXTERNAL_INTERFACE -p icmp  \
             -s $IPADDR echo-reply -j ACCEPT 

    ipchains -A output -i $EXTERNAL_INTERFACE -p icmp  \
             -s $IPADDR destination-unreachable -j ACCEPT 

    ipchains -A output -i $EXTERNAL_INTERFACE -p icmp  \
             -s $IPADDR source-quench -j ACCEPT 

    ipchains -A output -i $EXTERNAL_INTERFACE -p icmp  \
             -s $IPADDR echo-request -j ACCEPT 

    ipchains -A output -i $EXTERNAL_INTERFACE -p icmp  \
             -s $IPADDR time-exceeded -j ACCEPT 

    ipchains -A output -i $EXTERNAL_INTERFACE -p icmp  \
             -s $IPADDR parameter-problem -j ACCEPT 

# ----------------------------------------------------------------------------
# Enable logging for selected denied packets

    # Anything on the external interface that reaches this point matched
    # no ACCEPT above.  The default policies (input DENY, output REJECT)
    # would discard it anyway; these rules exist so the discards are logged
    # (-l).  ipchains offers no log rate limiting, so a flood or port scan
    # produces one kernel log line per packet -- watch log volume.
    ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp  -j DENY -l

    # UDP is split into the two port ranges, presumably only so the log
    # lines can be told apart; together they cover every destination port.
    ipchains -A input  -i $EXTERNAL_INTERFACE -p udp  \
             --destination-port $PRIVPORTS -j DENY -l

    ipchains -A input  -i $EXTERNAL_INTERFACE -p udp  \
             --destination-port $UNPRIVPORTS -j DENY -l


    # ICMP: Redirect (5) and types 13 and up are logged.  ICMP types that
    # are neither accepted above nor listed here (1, 2, 6, 7, 9, 10) fall
    # through to the default DENY policy without a log entry.
    ipchains -A input  -i $EXTERNAL_INTERFACE -p icmp  \
             --icmp-type 5 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -p icmp  \
             --icmp-type 13:255 -j DENY -l

    # Everything else leaving via the external interface: same as the
    # output policy, plus a log entry.
    ipchains -A output -i $EXTERNAL_INTERFACE  -j REJECT -l

# ----------------------------------------------------------------------------

echo "done"

# Unconditional success: a failed ipchains call earlier in the script
# (typo in a rule, ipchains not installed, not running as root) is not
# reflected in the exit status.  Verify the loaded rules with
# "ipchains -L -n" rather than relying on rc.local's result.
exit 0


