#!/bin/sh

echo "Setting filtering rules"

# Binary and interfaces.
IPCHAINS=/sbin/ipchains
EXT_INTERFACE=eth0
LOOPBACK_INTERFACE=lo

# Site-specific addresses. "x.x.x.x" is a placeholder that must be edited in
# before use: ipchains rejects it as a bad address, and since no exit status
# is checked anywhere in this script a rule using it is skipped silently while
# the rest of the ruleset still loads. EXT_IP feeds the anti-spoof rule; DMZ
# only appears in commented-out rules.
EXT_IP="x.x.x.x/32"
DMZ="x.x.x.x/24"

# Wildcards and special addresses. Mind the naming: BROADCAST_SRC (0.0.0.0)
# is matched as a forbidden *destination* and BROADCAST_DEST
# (255.255.255.255) as a forbidden *source* in the rules further down.
ANY="0.0.0.0/0"
LOOPBACK="127.0.0.0/8"
BROADCAST_SRC="0.0.0.0"
BROADCAST_DEST="255.255.255.255"

# RFC 1918 private space, multicast and reserved space.
CLASS_A="10.0.0.0/8"
CLASS_B="172.16.0.0/12"
CLASS_C="192.168.0.0/16"
CLASS_D_MULTICAST="224.0.0.0/4"
# Class E proper is 240.0.0.0/4; this /5 stops at 247.255.255.255, which keeps
# 255.255.255.255 (limited broadcast) out of the outbound class E REJECT
# below - presumably deliberate, confirm before widening it.
CLASS_E_RESERVED="240.0.0.0/5"

echo "Flush any existing rules from all chains"

# Policies first, then flush: while the chains are being rebuilt the host is
# already closed to inbound and transit traffic. Outbound stays open.
for chain in input forward; do
	$IPCHAINS -P $chain DENY
done
$IPCHAINS -P output ACCEPT

# Empty every chain, delete the user-defined ones, then recreate ours.
$IPCHAINS -F
$IPCHAINS -X
for chain in pppin ppp-out; do
	$IPCHAINS -N $chain
done

# Drop (and log) IP fragments arriving from outside: second and further
# fragments carry no TCP/UDP header, so the port-based rules below could not
# judge them.
$IPCHAINS -A input -f -i $EXT_INTERFACE -j DENY -l

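# Enable forwarding (per the original comment) by sourcing a separate file.
# NOTE(review): its contents are not visible here. It runs inside this shell
# with whatever privileges this script has (root, for ipchains to work), so it
# must be root-owned and not writable by anyone else. A non-interactive sh
# aborts anyway when "." cannot read the file; make that explicit and say why.
# Aborting here is fail-closed for inbound traffic: the input/forward policies
# are already DENY, only loopback is not yet opened.
FW_INIT=/etc/firewall/firewall.init
if [ -r "$FW_INIT" ]; then
	. "$FW_INIT"
else
	echo "$0: cannot read $FW_INIT - aborting with input/forward policy DENY" >&2
	exit 1
fi

# Unlimited traffic on the loopback interface, both directions.
$IPCHAINS -A input  -i $LOOPBACK_INTERFACE -j ACCEPT
$IPCHAINS -A output -i $LOOPBACK_INTERFACE -j ACCEPT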

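# Drop NetBIOS/SMB broadcasts (udp 137:139) - disabled in the original and
# kept that way. (Note it matches -s $EXT_IP, i.e. this host's own address.)
#$IPCHAINS -A input -p udp -i $EXT_INTERFACE -s $EXT_IP \
#	-d 192.168.0.255 137:139 -j DENY

# Anti-spoofing: nothing arriving on the external interface may claim this
# host's own public address. Abort if the rule cannot be installed - e.g.
# because EXT_IP still holds the "x.x.x.x" placeholder - instead of letting
# the ipchains error scroll past and loading the ruleset without it.
# Inbound stays closed on abort (input policy is DENY).
$IPCHAINS -A input -i $EXT_INTERFACE -s $EXT_IP -j DENY -l || {
	echo "$0: could not install the anti-spoof rule for EXT_IP=$EXT_IP" >&2
	exit 1
}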

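# Refuse packets from problem sites.
# /etc/sysconfig/blocked.sites holds one or more IPv4 addresses (or a.b.c.d/n
# prefixes) per line, whitespace separated; blank lines and lines starting
# with '#' are skipped. The rule carries no -i, so it applies on every
# interface. Reading line by line avoids the unquoted `cat` expansion of the
# original, which would also have fed comment text to ipchains.
BLOCKED_SITES=/etc/sysconfig/blocked.sites
if [ -f "$BLOCKED_SITES" ]; then
	while IFS= read -r line || [ -n "$line" ]; do
		case "$line" in
			""|\#*) continue ;;
		esac
		for site in $line; do	# word-split on purpose: several entries per line
			$IPCHAINS -A input -s "$site" -j DENY -l
		done
	done < "$BLOCKED_SITES"
fi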

# Refuse packets claiming to be to or from RFC 1918 private space on the
# external interface, in both directions (same rule order as before:
# input src, input dst, output src, output dst, for A then B then C).
# NOTE(review): the original comment says the "DMZ" towards the ADSL modem
# uses a class A (10/8) network; if that modem is reached through
# $EXT_INTERFACE these rules also drop traffic to and from it - confirm.
for private_net in $CLASS_A $CLASS_B $CLASS_C; do
	$IPCHAINS -A input  -i $EXT_INTERFACE -s $private_net -j DENY -l
	$IPCHAINS -A input  -i $EXT_INTERFACE -d $private_net -j DENY -l
	$IPCHAINS -A output -i $EXT_INTERFACE -s $private_net -j DENY -l
	$IPCHAINS -A output -i $EXT_INTERFACE -d $private_net -j DENY -l
done

# Loopback addresses only belong on lo: refuse them as a source on the
# external interface, inbound and outbound.
$IPCHAINS -A input  -i $EXT_INTERFACE -s $LOOPBACK -j DENY -l
$IPCHAINS -A output -i $EXT_INTERFACE -s $LOOPBACK -j DENY -l

# Refuse malformed broadcast packets: 255.255.255.255 is never a valid source
# and 0.0.0.0 is never a valid destination (input then output, src then dst).
for chain in input output; do
	$IPCHAINS -A $chain -i $EXT_INTERFACE -s $BROADCAST_DEST -j DENY -l
	$IPCHAINS -A $chain -i $EXT_INTERFACE -d $BROADCAST_SRC -j DENY -l
done

# Class D multicast is only illegal as a *source* address. Inbound is
# dropped silently (DENY); outbound is REJECTed so the local sender notices.
$IPCHAINS -A input  -i $EXT_INTERFACE -s $CLASS_D_MULTICAST -j DENY -l
$IPCHAINS -A output -i $EXT_INTERFACE -s $CLASS_D_MULTICAST -j REJECT -l

# Class E reserved space: refused as a source on input and - unlike the
# multicast rule - as a *destination* on output.
$IPCHAINS -A input  -i $EXT_INTERFACE -s $CLASS_E_RESERVED -j DENY -l
$IPCHAINS -A output -i $EXT_INTERFACE -d $CLASS_E_RESERVED -j REJECT -l

# Refuse source addresses from blocks the IANA listed as reserved or
# unallocated when this script was written (0.0.0.0/8 also catches a forged
# 0.0.0.0 source). The former /7, /6 and /5 loops are spelled out as
# prefixes here so there is one list to maintain; the rules are the same.
# NOTE(review): this is a static bogon list from the ipchains era. Most of
# these blocks have since been allocated and carry legitimate traffic; check
# every entry against the current IANA IPv4 address space registry before
# deploying, or drop the list rather than black-hole real sources.
IANA_RESERVED="\
0.0.0.0/8 1.0.0.0/8 2.0.0.0/8 5.0.0.0/8 7.0.0.0/8 23.0.0.0/8 27.0.0.0/8 \
31.0.0.0/8 37.0.0.0/8 39.0.0.0/8 41.0.0.0/8 42.0.0.0/8 60.0.0.0/8 \
65.0.0.0/8 126.0.0.0/8 217.0.0.0/8 \
58.0.0.0/7 66.0.0.0/7 124.0.0.0/7 218.0.0.0/7 \
68.0.0.0/6 120.0.0.0/6 220.0.0.0/6 \
72.0.0.0/5 112.0.0.0/5"
for bogon_net in $IANA_RESERVED; do
	$IPCHAINS -A input -i $EXT_INTERFACE -s $bogon_net -j DENY -l
done

# --- Chain dispatch (the accept-all lines are test leftovers, kept disabled) --

# input rules: everything arriving on the external interface is judged by the
# pppin chain. Traffic on any other interface (except lo, accepted above)
# falls through to the input policy, DENY.
#$IPCHAINS -A input -s $DMZ -d $DMZ -j ACCEPT
#$IPCHAINS -A input -s $DMZ -d $ANY -j ACCEPT
#$IPCHAINS -A input -s $ANY -d $ANY -j ACCEPT # for testing only
$IPCHAINS -A input -i $EXT_INTERFACE -s $ANY -d $ANY -j pppin

# forward rules: none here, so the forward policy (DENY) decides - unless
# /etc/firewall/firewall.init added some.

# output rules: accept everything on every interface (no -i). The ppp-out
# hook is disabled, so that chain is never consulted.
#$IPCHAINS -A output -s $ANY -d $ANY -i $EXT_INTERFACE -j ACCEPT
$IPCHAINS -A output -s $ANY -d $ANY -j ACCEPT
#$IPCHAINS -A output -s $ANY -d $ANY -i $EXT_INTERFACE -j ppp-out

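# pppin rules: every packet arriving on $EXT_INTERFACE is judged here, first
# match wins. The explicit denies come first because the reply-traffic accept
# below spans every high port.
$IPCHAINS -A pppin -p tcp -s $ANY -d $ANY 3306 -j DENY -l		# MySQL
$IPCHAINS -A pppin -p udp -s $ANY -d $ANY 10000 -j DENY -l		# reason not recorded in the original
$IPCHAINS -A pppin -p tcp -s $ANY -d $ANY 2049 -j DENY -l		# NFS
$IPCHAINS -A pppin -p udp -s $ANY -d $ANY 2049 -j DENY -l		# NFS
$IPCHAINS -A pppin -p tcp -s $ANY -d $ANY 6000:6063 -j DENY -l	# X11 displays :0-:63

# All ICMP is accepted; narrowing this to the types actually needed is left
# open.
$IPCHAINS -A pppin -p icmp -s $ANY -d $ANY -j ACCEPT

# Replies to connections this host initiates. ipchains keeps no state, so
# return traffic has to be matched by destination port. "! -y" limits the TCP
# rule to packets that are not a bare SYN, i.e. to segments of connections
# that already exist; the original rule lacked it and therefore let anyone on
# the Internet open new connections to any listener on a high port (the five
# denies above were the only exceptions). The range now starts at 1024:
# 1023 is still a privileged port.
# NOTE(review): if this host serves passive-mode FTP, its passive data-port
# range needs an explicit ACCEPT here, since those are inbound SYNs to high
# ports. The UDP rule is unchanged and still exposes any UDP listener above
# 1023; tightening it to replies from known source ports (domain, ntp) is
# the next step.
$IPCHAINS -A pppin -p tcp ! -y -s $ANY -d $ANY 1024:65535 -j ACCEPT
$IPCHAINS -A pppin -p udp -s $ANY -d $ANY 1024:65535 -j ACCEPT

# Services offered to the outside.
$IPCHAINS -A pppin -p tcp -s $ANY -d $ANY auth -j ACCEPT
$IPCHAINS -A pppin -p tcp -s $ANY -d $ANY smtp -j ACCEPT
$IPCHAINS -A pppin -p tcp -s $ANY -d $ANY www -j ACCEPT
$IPCHAINS -A pppin -p tcp -s $ANY -d $ANY ftp -j ACCEPT
$IPCHAINS -A pppin -p tcp -s $ANY -d $ANY ftp-data -j ACCEPT	# presumably replies on active-mode data connections
$IPCHAINS -A pppin -p tcp -s $ANY -d $ANY ssh -j ACCEPT
# (the original also accepted udp/22; SSH is TCP-only, so that rule is dropped)
$IPCHAINS -A pppin -p tcp -s $ANY -d $ANY pop3 -j ACCEPT
$IPCHAINS -A pppin -p tcp -s $ANY -d $ANY https -j ACCEPT
$IPCHAINS -A pppin -p udp -s $ANY -d $ANY domain -j ACCEPT
$IPCHAINS -A pppin -p tcp -s $ANY -d $ANY domain -j ACCEPT

# Anything else from outside is dropped and logged. "-l" on a catch-all can
# flood the kernel log during a scan; keep an eye on log volume.
$IPCHAINS -A pppin -s $ANY -d $ANY -j DENY -l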

# ppp-out rules: TOS tweaks, disabled - and the chain is never jumped to from
# output above. Presumably 0x10 = minimise delay for interactive sessions and
# 0x08 = maximise throughput for bulk ftp-data.
#$IPCHAINS -A ppp-out -p tcp -s $ANY -d $ANY www -t 0x01 0x10
#$IPCHAINS -A ppp-out -p tcp -s $ANY -d $ANY telnet -t 0x01 0x10
#$IPCHAINS -A ppp-out -p tcp -s $ANY -d $ANY ftp -t 0x01 0x10
#$IPCHAINS -A ppp-out -p tcp -s $ANY -d $ANY ftp-data -t 0x01 0x08

# Dump the live ruleset in ipchains-save format so it can be reloaded without
# re-running this script. This records whatever actually got installed: a
# rule that failed above is missing from the saved file as well.
RULES_FILE=/etc/firewall/rules
/sbin/ipchains-save > "$RULES_FILE"



