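#!/bin/sh
# ----------------------------------------- Ipchains Firewall and MASQ Script -
#
# Original script by Ian Hall-Beyer (manuka@nerdherd.net)
# Modified by BlackNet (blaknet@earthlink.net)
#
# Credit goes out to hackerboy for doing the remote testing due in part to
# his sorry ass
#
# Run as root.  Flushes the input/output/forward chains and rebuilds them
# from the DMZ_ALLOW_* switches below.  Rule order matters: internal and
# loopback traffic is accepted first, then the per-port rules on the
# external interface, then high ports, ICMP, and finally a catch-all.

# ---------------------------------------------------------------- Interfaces -
# Local Interface
# This is the DMZ a.k.a. dirty side of the network
LOCALIF="ppp0"

# Internal Interface
# This is the protected a.k.a. clean side of the network
# NOTE: INTERNALNET is a *network* address. All host bits should be 0
# NOTE(review): 192.168.1.1/27 has a host bit set; ipchains masks it down
# to the network, but the value should be written as the network address.
INTERNALNET1="192.168.1.1/27"
INTERNALIF1="eth0"
# -------------------------------------------------------------End Interfaces -

# -------------------------------------------- Firewall definitions for rules -
# Yes these ports are in numerical order!
# yes = ACCEPT the port from the outside, no = REJECT it.  Any other value
# is reported as "not set" and no rule is added for that port.
DMZ_ALLOW_FTP_DATA=no
DMZ_ALLOW_FTP=yes
DMZ_ALLOW_SSH=yes
DMZ_ALLOW_TELNET=no
DMZ_ALLOW_SMTP=no
DMZ_ALLOW_TIME=no
DMZ_ALLOW_NAMESERVER=yes
DMZ_ALLOW_WHOIS=yes
DMZ_ALLOW_DOMAIN=no
DMZ_ALLOW_TFTP=no
DMZ_ALLOW_FINGER=no
DMZ_ALLOW_WWW=yes
DMZ_ALLOW_POP3=no
DMZ_ALLOW_SUNRPC=no
DMZ_ALLOW_AUTH=no
DMZ_ALLOW_SFTP=no
DMZ_ALLOW_NNTP=no
DMZ_ALLOW_NETBIOS_NS=no
DMZ_ALLOW_NETBIOS_DGM=no
DMZ_ALLOW_NETBIOS_SSN=no
DMZ_ALLOW_SNMP=no
DMZ_ALLOW_SNMP_TRAP=no
DMZ_ALLOW_NEXTSTEP=no
DMZ_ALLOW_IPX=no
DMZ_ALLOW_RAW_FTP=no
DMZ_ALLOW_HTTPS=yes
DMZ_ALLOW_EXEC=no
DMZ_ALLOW_BIFF=no
DMZ_ALLOW_WHO=no
DMZ_ALLOW_SHELL=yes
DMZ_ALLOW_PRINTER=no
DMZ_ALLOW_TALK=no
DMZ_ALLOW_NTALK=yes
DMZ_ALLOW_SUBMISSION=no
DMZ_ALLOW_SWAT=no
DMZ_ALLOW_MS_SQL=no
DMZ_ALLOW_NFS=no
DMZ_ALLOW_NESSUSD=no
DMZ_ALLOW_MYSQL=no
DMZ_ALLOW_POSTGRES=no
DMZ_ALLOW_X_DISPLAY=no
DMZ_ALLOW_XTERM=no
DMZ_ALLOW_XFS=no
DMZ_ALLOW_BACK_ORIFICE=no
DMZ_ALLOW_WEBMIN=no
DMZ_ALLOW_NETBUS=no
DMZ_ALLOW_ICMP_INCOMING=yes
DMZ_ALLOW_ICMP_OUTGOING=yes
# ---------------------------------------- End Firewall definitions for rules -

# ------------------------------------------------------- Variable definition -
# Set the location of ipchains.
IPCHAINS="/sbin/ipchains"
if [ ! -x "$IPCHAINS" ]; then
  echo "$IPCHAINS not found or not executable, aborting" >&2
  exit 1
fi

# Address and netmask of the external interface, scraped from ifconfig's
# "inet addr:A.B.C.D  ...  Mask:M.M.M.M" line.
LOCALIP=$(ifconfig "$LOCALIF" | grep 'inet addr' | cut -d : -f 2 | cut -d ' ' -f 1)
LOCALMASK=$(ifconfig "$LOCALIF" | grep Mask | cut -d : -f 4)

# Fail closed.  If the interface is down, LOCALNET is empty, every per-port
# rule below fails to load, and the catch-all ACCEPT at the end of the
# script would leave the host wide open.  Stop here, before any chain has
# been flushed, so the currently loaded ruleset stays in place.
if [ -z "$LOCALIP" ] || [ -z "$LOCALMASK" ]; then
  echo "Could not determine address/mask of $LOCALIF (is it up?), aborting" >&2
  exit 1
fi
LOCALNET="$LOCALIP/$LOCALMASK"

echo "Internal ($INTERNALIF1): $INTERNALNET1"
echo "External ($LOCALIF): $LOCALNET"
echo "-------------------------------------"

# Any address.
REMOTENET="0/0"
# --------------------------------------------------- End Variable definition -

# -------------------------------------- Flush everything, start from scratch -
echo -n "Flushing rulesets"
# Incoming packets from the outside network
$IPCHAINS -F input
echo -n "."
# Outgoing packets from the internal network
$IPCHAINS -F output
echo -n "."
# Forwarding/masquerading
$IPCHAINS -F forward
echo -n "."
echo "Done!"
# ---------------------------------- End Flush everything, start from scratch -

# -------------------------------------------------- stealth mode / portsentry-
# Toggle STEALTH mode on and start portsentry
if [ -x /etc/rc.d/rc.stealthon ]; then
  /etc/rc.d/rc.stealthon
else
  echo "Stealth file not found, not enabling stealth mode"
fi
# ---------------------------------------------- End stealth mode / portsentry-

# ---------------------------------- Allow all connections within the network -
# NOTE(review): these rules match on addresses only (no -i $INTERNALIF1), so
# a packet arriving on $LOCALIF with a forged internal source address also
# matches.  Binding them to the internal interface would tighten this --
# confirm the interface layout before changing.
echo -n "Internal"
$IPCHAINS -A input -s "$INTERNALNET1" -d "$INTERNALNET1" -j ACCEPT
echo -n "."
$IPCHAINS -A output -s "$INTERNALNET1" -d "$INTERNALNET1" -j ACCEPT
echo -n "."
echo "Done!"
# ------------------------------ End Allow all connections within the network -

# -------------------------------------------------- Allow loopback interface -
echo -n "Loopback"
$IPCHAINS -A input -i lo -s 0/0 -d 0/0 -j ACCEPT
echo -n "."
$IPCHAINS -A output -i lo -s 0/0 -d 0/0 -j ACCEPT
echo -n "."
echo "Done!"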
# ---------------------------------------------- End Allow loopback interface -

# -------------------------------------------------------------- Masquerading -
# Progress marker printed after each rule in the sections below.
tick() {
  echo -n "."
}

echo -n "Masquerading"
# don't masquerade internal-internal traffic
$IPCHAINS -A forward -s "$INTERNALNET1" -d "$INTERNALNET1" -j ACCEPT
tick
# don't Masquerade external interface direct
$IPCHAINS -A forward -s "$LOCALNET" -d "$REMOTENET" -j ACCEPT
tick
# masquerade all internal IP's going outside
# NOTE(review): this rule is commented out, so together with the REJECT
# policy set just below, forwarded internal -> outside traffic is refused
# (the progress dot is still printed).  Presumably deliberate -- confirm.
#$IPCHAINS -A forward -s "$INTERNALNET1" -d "$REMOTENET" -j MASQ
tick
# set Default rule on MASQ chain to Deny
$IPCHAINS -P forward REJECT
echo "Done!"
# ---------------------------------------------------------- End Masquerading -

# --------------------- Allow all connections from the network to the outside -
echo -n "Internal traffic"
$IPCHAINS -A input -s "$INTERNALNET1" -d "$REMOTENET" -j ACCEPT
tick
$IPCHAINS -A output -s "$INTERNALNET1" -d "$REMOTENET" -j ACCEPT
tick
echo "Done!"
# ----------------- End Allow all connections from the network to the outside -

# ----------------------------------Set telnet, www and FTP for minimum delay -
# This section manipulates the Type Of Service (TOS) bits of the
# packet. For this to work, you must have CONFIG_IP_ROUTE_TOS enabled
# in your kernel
echo -n "TOS flags.."
# web traffic to min delay
$IPCHAINS -A output -p tcp -d 0/0 www -t 0x01 0x10
tick
# telnet tcp traffic to min delay
$IPCHAINS -A output -p tcp -d 0/0 telnet -t 0x01 0x10
tick
# telnet udp traffic to min delay
$IPCHAINS -A output -p udp -d 0/0 23 -t 0x01 0x10
tick
# Set ftp-data for maximum throughput
$IPCHAINS -A output -p tcp -d 0/0 ftp-data -t 0x01 0x08
tick
echo "Done!"
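# ----------------------------- End Set telnet, www and FTP for minimum delay -

# ------------------------------------------- Ports on the external interface -
#######################################
# Add the input-chain rule(s) for one externally reachable port.
# Globals:   IPCHAINS, REMOTENET, LOCALNET (read)
# Arguments: $1 - label used in the "not set" message (dmz_allow_<label>)
#            $2 - port or port range (e.g. 22 or 12345:12346)
#            $3 - space separated protocols ("tcp", "udp" or "tcp udp")
#            $4 - the DMZ_ALLOW_* value: yes -> ACCEPT, no -> REJECT
#            $5 - optional extra ipchains flag, "-l" to log matches
# Outputs:   a "." per rule added, or "dmz_allow_<label> not set!"
# Returns:   0
#######################################
dmz_port() {
  dp_label=$1
  dp_port=$2
  dp_protos=$3
  dp_setting=$4
  dp_log=${5:-}
  case "$dp_setting" in
    yes) dp_target=ACCEPT ;;
    no)  dp_target=REJECT ;;
    *)   echo "dmz_allow_${dp_label} not set!"; return 0 ;;
  esac
  # $dp_protos and $dp_log are intentionally unquoted: the protocol list is
  # split into words and an empty log flag must vanish from the command.
  for dp_proto in $dp_protos; do
    # shellcheck disable=SC2086
    $IPCHAINS $dp_log -A input -p "$dp_proto" -s "$REMOTENET" -d "$LOCALNET" "$dp_port" -j "$dp_target"
    echo -n "."
  done
}

echo -n "External Ports"
# FTP_DATA (20) (tcp/udp)
dmz_port ftp_data     20          "tcp udp" "$DMZ_ALLOW_FTP_DATA"
# FTP (21) (tcp/udp)
dmz_port ftp          21          "tcp udp" "$DMZ_ALLOW_FTP"
# SSH (22) (tcp/udp)
dmz_port ssh          22          "tcp udp" "$DMZ_ALLOW_SSH"
# TELNET (23) (tcp/udp)
dmz_port telnet       23          "tcp udp" "$DMZ_ALLOW_TELNET"
# SMTP (25) (tcp)
dmz_port smtp         25          tcp       "$DMZ_ALLOW_SMTP"
# TIME (37) (tcp/udp)
dmz_port time         37          "tcp udp" "$DMZ_ALLOW_TIME"
# NAMESERVER (42) (tcp)
dmz_port nameserver   42          tcp       "$DMZ_ALLOW_NAMESERVER"
# WHOIS (43) (tcp)
dmz_port whois        43          tcp       "$DMZ_ALLOW_WHOIS"
# DOMAIN (53) (tcp/udp)
dmz_port domain       53          "tcp udp" "$DMZ_ALLOW_DOMAIN"
# TFTP (69) (udp)
dmz_port tftp         69          udp       "$DMZ_ALLOW_TFTP"
# FINGER (79) (tcp)
# The original ACCEPT rule was mistyped as "-79 j ACCEPT" and never loaded.
dmz_port finger       79          tcp       "$DMZ_ALLOW_FINGER"
# WWW (80) (tcp/udp)
dmz_port www          80          "tcp udp" "$DMZ_ALLOW_WWW"
# POP3 (110) (tcp/udp)
dmz_port pop3         110         "tcp udp" "$DMZ_ALLOW_POP3"
# SUNRPC (111) (tcp/udp) (logged)
dmz_port sunrpc       111         "tcp udp" "$DMZ_ALLOW_SUNRPC" -l
# AUTH (113) (tcp)
dmz_port auth         113         tcp       "$DMZ_ALLOW_AUTH"
# SFTP (114) (tcp)
dmz_port sftp         114         tcp       "$DMZ_ALLOW_SFTP"
# NNTP (119) (tcp)
dmz_port nntp         119         tcp       "$DMZ_ALLOW_NNTP"
# NETBIOS_NS (137) (tcp/udp) (logged)
dmz_port netbios_ns   137         "tcp udp" "$DMZ_ALLOW_NETBIOS_NS" -l
# NETBIOS_DGM (138) (tcp/udp) (logged)
dmz_port netbios_dgm  138         "tcp udp" "$DMZ_ALLOW_NETBIOS_DGM" -l
# NETBIOS_SSN (139) (tcp/udp) (logged)
dmz_port netbios_ssn  139         "tcp udp" "$DMZ_ALLOW_NETBIOS_SSN" -l
# SNMP (161) (udp)
dmz_port snmp         161         udp       "$DMZ_ALLOW_SNMP"
# SNMP_TRAP (162) (udp)
dmz_port snmp_trap    162         udp       "$DMZ_ALLOW_SNMP_TRAP"
# NEXTSTEP (178) (tcp/udp)
dmz_port nextstep     178         "tcp udp" "$DMZ_ALLOW_NEXTSTEP"
# IPX (213) (tcp/udp)
dmz_port ipx          213         "tcp udp" "$DMZ_ALLOW_IPX"
# RAW_FTP (351) (tcp)
dmz_port raw_ftp      351         tcp       "$DMZ_ALLOW_RAW_FTP"
# HTTPS (443) (tcp)
dmz_port https        443         tcp       "$DMZ_ALLOW_HTTPS"
# EXEC (512) (tcp)
dmz_port exec         512         tcp       "$DMZ_ALLOW_EXEC"
# BIFF (512) (udp)
dmz_port biff         512         udp       "$DMZ_ALLOW_BIFF"
# WHO (513) (udp) -- label kept upper-case so the "not set" message is unchanged
dmz_port WHO          513         udp       "$DMZ_ALLOW_WHO"
# SHELL (514) (tcp)
dmz_port shell        514         tcp       "$DMZ_ALLOW_SHELL"
# PRINTER (515) (tcp)
dmz_port printer      515         tcp       "$DMZ_ALLOW_PRINTER"
# TALK (517) (udp)
dmz_port talk         517         udp       "$DMZ_ALLOW_TALK"
# NTALK (518) (udp)
dmz_port ntalk        518         udp       "$DMZ_ALLOW_NTALK"
# SUBMISSION (587) (tcp)
dmz_port submission   587         tcp       "$DMZ_ALLOW_SUBMISSION"
# SWAT (901) (tcp) (logged)
dmz_port swat         901         tcp       "$DMZ_ALLOW_SWAT" -l
# MS_SQL (1433) (tcp/udp)
dmz_port ms_sql       1433        "tcp udp" "$DMZ_ALLOW_MS_SQL"
# NFS (2049) (tcp/udp)
dmz_port nfs          2049        "tcp udp" "$DMZ_ALLOW_NFS"
# NESSUSD (3001) (tcp)
dmz_port nessusd      3001        tcp       "$DMZ_ALLOW_NESSUSD"
# MYSQL (3306) (tcp/udp)
dmz_port mysql        3306        "tcp udp" "$DMZ_ALLOW_MYSQL"
# POSTGRES (5432) (tcp/udp)
dmz_port postgres     5432        "tcp udp" "$DMZ_ALLOW_POSTGRES"
# X_DISPLAY (5999:6003) (tcp/udp)
dmz_port x_display    5999:6003   "tcp udp" "$DMZ_ALLOW_X_DISPLAY"
# XTERM (6000) (tcp)
dmz_port xterm        6000        tcp       "$DMZ_ALLOW_XTERM"
# XFS (7100) (tcp/udp)
dmz_port xfs          7100        "tcp udp" "$DMZ_ALLOW_XFS"
# BACK_ORIFICE (31337) (tcp/udp) (logged)
dmz_port back_orifice 31337       "tcp udp" "$DMZ_ALLOW_BACK_ORIFICE" -l
# WEBMIN (10000) (tcp)
dmz_port webmin       10000       tcp       "$DMZ_ALLOW_WEBMIN"
# NETBUS (12345:12346) (tcp/udp) (logged)
dmz_port netbus       12345:12346 "tcp udp" "$DMZ_ALLOW_NETBUS" -l
echo "Done!"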
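# ------------------------------------------- Ports on the external interface -

# --------------------------------------------------- High Unprivileged ports -
# These are opened up to allow sockets created by connections allowed by
# ipchains
# NOTE(review): without "! -y" the tcp rule accepts new inbound connections
# to 1023-65535 as well as replies, and the catch-all ACCEPT at the end of
# this script accepts every port not explicitly REJECTed above -- the
# firewall is effectively a blacklist.  A default-deny posture would need
# "! -y" here plus a DENY policy on the input chain; confirm what is in use
# on those ports before changing.
echo -n "High Ports.."
$IPCHAINS -A input -p tcp -s "$REMOTENET" -d "$LOCALNET" 1023:65535 -j ACCEPT
echo -n "."
$IPCHAINS -A input -p udp -s "$REMOTENET" -d "$LOCALNET" 1023:65535 -j ACCEPT
echo -n "."
echo "Done!"
# ----------------------------------------------- End High Unprivileged ports -

# ---------------------------------------------------------------------- ICMP -
echo -n "ICMP Rules.."
# Use this to deny ICMP attacks from specific addresses.
# Kept fully commented out: in the original the tail of this rule
# ("-d 0/0 -j REJECT") sat on its own uncommented line and ran as a failing
# command on every start.  The original also named $EXTERNALIF, which this
# script never defines; the external interface is $LOCALIF.  Fill in the
# source address before enabling.
# $IPCHAINS -A input -b -i $LOCALIF -p icmp -s <source-address> -d 0/0 -j REJECT
# echo -n "."

# Accept incoming ICMP
if [ "$DMZ_ALLOW_ICMP_INCOMING" = yes ]; then
  $IPCHAINS -A input -p icmp -s "$REMOTENET" -d "$LOCALNET" -j ACCEPT
  echo -n "."
elif [ "$DMZ_ALLOW_ICMP_INCOMING" = no ]; then
  $IPCHAINS -A input -p icmp -s "$REMOTENET" -d "$LOCALNET" -j REJECT
  echo -n "."
else
  echo "dmz icmp incoming not set!"
fi

# Allow outgoing ICMP
if [ "$DMZ_ALLOW_ICMP_OUTGOING" = yes ]; then
  $IPCHAINS -A output -p icmp -s "$LOCALNET" -d "$REMOTENET" -j ACCEPT
  echo -n "."
elif [ "$DMZ_ALLOW_ICMP_OUTGOING" = no ]; then
  $IPCHAINS -A output -p icmp -s "$LOCALNET" -d "$REMOTENET" -j REJECT
  echo -n "."
else
  echo "dmz icmp outgoing not set!"
fi
echo "Done!"
# ------------------------------------------------------------------ End ICMP -

# -------------------------------------------------------- set default policy -
# Catch-all rules: anything not matched above is accepted on both chains,
# so only the ports REJECTed earlier are actually closed (see the note in
# the High Unprivileged ports section).
$IPCHAINS -A input -j ACCEPT
$IPCHAINS -A output -j ACCEPT
# ---------------------------------------------------- End set default policy -

echo ""
echo "Finished Establishing Firewall."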