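#!/bin/sh
#
# ipchains/ipmasq script written by David Wirch (kuma@linuxhelp.bc.ca)
# v 2000092301
#
# Flushes the ipchains input/output/forward chains and rebuilds them:
# loopback, masquerading for the internal LAN (when IF1 is set), a short
# list of accepted inbound services, then a logging DENY for everything
# else on input. Output is accepted unconditionally at the end.
#
# Requires: ipchains, ifconfig, /proc/sys/net/ipv4/ip_forward, root.
# Settings live in the "Interface configuration" section below.

##### Interface configuration
# External interface. Can be eth0 or ppp0
IF0="eth0"
# Internal interface. Can be eth1 or none
IF1="eth1"
# Internal LAN address; only defined when IF1 is present. Initialised to
# the empty string so the masquerading section can test it safely.
LAN=""
if [ "$IF1" != none ]; then
  LAN="10.0.1.2"
fi
# Block ICMP requests (yes/no)
ICMP_BLOCK=no

##### Locate ipchains and the external address
# Prefer PATH lookup; fall back to whereis (the original method) in case
# sbin is not on PATH.
FW=$(command -v ipchains)
if [ -z "$FW" ]; then
  FW=$(whereis -b ipchains | cut -d ' ' -f 2)
fi
if [ -z "$FW" ] || [ ! -x "$FW" ]; then
  printf '%s\n' "ipchains binary not found" >&2
  exit 1
fi

# net-tools ifconfig prints "inet addr:A.B.C.D  Bcast:...  Mask:..." for
# IPv4. Matching "inet addr" (not just "inet") keeps any inet6 line out of
# the result, which would otherwise turn IP0 into two lines.
IP0=$(ifconfig "$IF0" | grep 'inet addr' | cut -d : -f 2 | cut -d ' ' -f 1)
MASK=$(ifconfig "$IF0" | grep Mask | cut -d : -f 4)
if [ -z "$IP0" ]; then
  printf '%s\n' "could not determine the address of $IF0" >&2
  exit 1
fi
LOCALNET="$IP0"
printf '%s\n' "IP: $LOCALNET/$MASK"
WORLD="0/0"

printf '%s' "Starting Firewall..."

##### Flush rules
"$FW" -F input
"$FW" -F output
"$FW" -F forward

##### Set default Policy
# "$FW" -P input DENY
# "$FW" -P output ACCEPT

##### Loopback
"$FW" -A input -i lo -s 0/0 -d 0/0 -j ACCEPT
"$FW" -A output -i lo -s 0/0 -d 0/0 -j ACCEPT

##### Set IP Masquerading
# Masquerading rules are only installed when the kernel already forwards;
# this script deliberately does not switch forwarding on (line kept off).
if grep -q 1 /proc/sys/net/ipv4/ip_forward; then
  # echo 1 > /proc/sys/net/ipv4/ip_forward
  if [ -n "$LAN" ]; then
    "$FW" -A forward -s "$LAN" -d "$LAN" -j ACCEPT
  fi
  "$FW" -A forward -s "$LOCALNET" -d "$WORLD" -j ACCEPT
  if [ -n "$LAN" ]; then
    "$FW" -A forward -s "$LAN" -d "$WORLD" -j MASQ
  fi
  # NOTE: the port after -s is the remote *source* port, not the local
  # NetBIOS service port; this only matches traffic originating from
  # ports 137-139 on the far side.
  "$FW" -A forward -p tcp -s "$WORLD" 137:139 -j DENY
  "$FW" -A forward -p udp -s "$WORLD" 137:139 -j DENY
  # Permit full traffic from the LAN
  if [ -n "$LAN" ]; then
    "$FW" -A input -s "$LAN" -d "$WORLD" -j ACCEPT
    "$FW" -A output -s "$LAN" -d "$WORLD" -j ACCEPT
  fi
  "$FW" -P forward DENY
else
  "$FW" -P forward ACCEPT
fi

##### Access permissions
# Internal LAN
if [ "$IF1" != none ]; then
  "$FW" -A input -p tcp -s "$LAN" -d "$LOCALNET" 20: -j ACCEPT
  "$FW" -A input -p udp -s "$LAN" -d "$LOCALNET" 20: -j ACCEPT
fi

##### Denied permissions
#
##### Everything is logged except these:
# NOTE(review): these three rules match on the remote host's *source* port
# and place no restriction on the local destination port, so they accept
# to any local port. The remote side chooses its source port, which makes
# these rules much broader than the per-service list further down.
"$FW" -A input -p tcp -s "$WORLD" 53 -d "$LOCALNET" -j ACCEPT
"$FW" -A input -p tcp -s "$WORLD" 113 -d "$WORLD" -j ACCEPT
"$FW" -A input -p tcp -s "$WORLD" 6666:7000 -d "$LOCALNET" -j ACCEPT
# @Home Authorized Scanner (gets very annoying if logged)
"$FW" -A input -s 24.0.0.0/24 -d "$LOCALNET" -j DENY
#
##### Upper ports
# NOTE(review): accepts inbound TCP and UDP from anywhere to every local
# port >= 1023. Any service listening above 1023 (e.g. the NFS or MySQL
# entries below, if enabled) is therefore reachable regardless of the
# commented-out per-service rules.
"$FW" -A input -p tcp -s "$WORLD" -d "$LOCALNET" 1023: -j ACCEPT
"$FW" -A input -p udp -s "$WORLD" -d "$LOCALNET" 1023: -j ACCEPT
"$FW" -A output -p tcp -s "$WORLD" 1023: -d "$LOCALNET" -j ACCEPT
# Second rule was a duplicate "-p tcp"; udp is the evident intent, matching
# the tcp/udp pairs above. Output is accepted unconditionally at the end
# anyway, so this has no practical effect on what leaves the host.
"$FW" -A output -p udp -s "$WORLD" 1023: -d "$LOCALNET" -j ACCEPT

##### Accepted Services
# FTP
"$FW" -A input -p tcp -s "$WORLD" -d "$LOCALNET" 20 -j ACCEPT
"$FW" -A input -p tcp -s "$WORLD" -d "$LOCALNET" 21 -j ACCEPT
# SSH
"$FW" -A input -p tcp -s "$WORLD" -d "$LOCALNET" 22 -j ACCEPT
# Telnet (original had "-d $WORLD -d $LOCALNET"; first flag should be -s)
# "$FW" -A input -p tcp -s "$WORLD" -d "$LOCALNET" 23 -j ACCEPT
# SMTP
"$FW" -A input -p tcp -s "$WORLD" -d "$LOCALNET" 25 -j ACCEPT
# DNS
# "$FW" -A input -p tcp -s "$WORLD" -d "$LOCALNET" 53 -j ACCEPT
# "$FW" -A input -p udp -s "$WORLD" -d "$LOCALNET" 53 -j ACCEPT
# WWW
"$FW" -A input -p tcp -s "$WORLD" -d "$LOCALNET" 80 -j ACCEPT
"$FW" -A input -p udp -s "$WORLD" -d "$LOCALNET" 80 -j ACCEPT
# POP3
"$FW" -A input -p tcp -s "$WORLD" -d "$LOCALNET" 110 -j ACCEPT
# Auth/identd
"$FW" -A input -p tcp -s "$WORLD" -d "$LOCALNET" 113 -j ACCEPT
"$FW" -A input -p udp -s "$WORLD" -d "$LOCALNET" 113 -j ACCEPT
# OpenH323
# "$FW" -A input -p tcp -s "$WORLD" -d "$LOCALNET" 1720 -j ACCEPT
# "$FW" -A input -p udp -s "$WORLD" -d "$LOCALNET" 1720 -j ACCEPT
# NFS
# "$FW" -A input -p tcp -s "$WORLD" -d "$LOCALNET" 2049 -j ACCEPT
# "$FW" -A input -p udp -s "$WORLD" 2049 -d "$LOCALNET" -j ACCEPT
# "$FW" -A output -p tcp -s "$WORLD" -d "$LOCALNET" 2049 -j ACCEPT
# "$FW" -A output -p udp -s "$WORLD" 2049 -d "$LOCALNET" -j ACCEPT
# MySQL
# "$FW" -A input -p tcp -s "$WORLD" -d "$LOCALNET" 3306 -j ACCEPT
# "$FW" -A input -p udp -s "$WORLD" -d "$LOCALNET" 3306 -j ACCEPT

##### Set final rules
"$FW" -A output -p icmp -s "$LOCALNET" -d "$WORLD" -j ACCEPT
# -l logs matching packets to the kernel log before they are denied.
"$FW" -A input -p tcp -l -j DENY
"$FW" -A input -p udp -l -j DENY
"$FW" -A input -p igmp -l -j DENY
# Both branches use the configured external interface; the original
# hard-coded eth0 in the ACCEPT branch, which was wrong for IF0=ppp0.
if [ "$ICMP_BLOCK" = no ]; then
  "$FW" -A input -p icmp -i "$IF0" -j ACCEPT
  printf '%s\n' "ICMP Blocking disabled"
elif [ "$ICMP_BLOCK" = yes ]; then
  "$FW" -A input -p icmp -i "$IF0" -l -j DENY
fi
"$FW" -A output -j ACCEPT

printf '%s\n' "Done"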