Very Computer

here's what I've got so far after two weeks of trying to make a secure
script.  Can anyone please help me get this working.

___________________________________
#variables
SERVER="10.0.0.3"
LOCALIP="208.xxx.xx.xx"
LOCALNET="208.xxx.xx.0/32"
INTERNALIP="10.0.0.1"
INTERNALNET="10.0.0.0/8"
REMOTENET="0/0"
LOOPBACKIF="lo"
EXTERNAL_INTERFACE="eth0"

## Flush everything, start from scratch
ipchains -F

#Default Policy
ipchains -P input DENY
ipchains -P output ACCEPT
ipchains -P forward DENY

## Allow all connections within the network
ipchains -A input -s $INTERNALNET  -d $INTERNALNET -j ACCEPT
ipchains -A output -s $INTERNALNET -d $INTERNALNET -j ACCEPT

## Allow loopback interface
ipchains -A input -i $LOOPBACKIF -s 0/0 -d 0/0 -j ACCEPT
ipchains -A output -i $LOOPBACKIF -s 0/0 -d 0/0 -j ACCEPT

## Masquerading
ipchains -A forward -s $INTERNALNET -d $INTERNALNET -j ACCEPT

## dont MasQ external interface direct
ipchains -A forward -s $LOCALNET -d $REMOTENET -j ACCEPT

## masquerade all internal IP's going outside
ipchains -A forward -s $INTERNALNET -d $REMOTENET -j MASQ

## Allow all connections from the network to the outside
ipchains -A input -s $INTERNALNET  -d $REMOTENET -j ACCEPT
ipchains -A output -s $INTERNALNET -d $REMOTENET -j ACCEPT

#Set telnet, www and FTP for minimum delay
ipchains -A output -p tcp -d 0/0 www -t 0x01 0x10
ipchains -A output -p tcp -d 0/0 telnet -t 0x01 0x10
ipchains -A output -p tcp -d 0/0 ftp -t 0x01 0x10

#Set ftp-data for maximum throughput
ipchains -A output -p tcp -d 0/0 ftp-data -t 0x01 0x08

## Specific port blocks on the external interface
## MS-SQL
ipchains -A input -p tcp -s $REMOTENET -d $LOCALNET 1433 -l -j DENY
ipchains -A input -p udp -s $REMOTENET -d $LOCALNET 1433 -l -j DENY
#
## NFS
ipchains -A input -p tcp -s $REMOTENET -d $LOCALNET 2049 -l -j DENY
ipchains -A input -p udp -s $REMOTENET -d $LOCALNET 2049 -l -j DENY
#
## postgresSQL
ipchains -A input -p tcp -s $REMOTENET -d $LOCALNET 5432 -l -j DENY
ipchains -A input -p udp -s $REMOTENET -d $LOCALNET 5432 -l -j DENY
#
## X11disp:0-:2-
ipchains -A input -p tcp -s $REMOTENET -d $LOCALNET 5999:6003 -l -j DENY
ipchains -A input -p udp -s $REMOTENET -d $LOCALNET 5999:6003 -l -j DENY
#
## Back Orifice
ipchains -A input -p tcp -s $REMOTENET -d $LOCALNET 31337 -l -j DENY
ipchains -A input -p udp -s $REMOTENET -d $LOCALNET 31337 -l -j DENY
#
## NetBus
ipchains -A input -p tcp -s $REMOTENET -d $LOCALNET 12345:12346 -l -j DENY
ipchains -A input -p udp -s $REMOTENET -d $LOCALNET 12345:12346 -l -j DENY

## High unpriv ports
#this open all unpriv ports, hense the need to port blocks above
ipchains -A input -p tcp -s $REMOTENET -d $LOCALNET 1023:65535 -j ACCEPT
ipchains -A input -p udp -s $REMOTENET -d $LOCALNET 1023:65535 -j ACCEPT

## Basic Services allowed on external interface
ipchains -A input -p tcp -s $REMOTENET -d $LOCALNET 20 -j ACCEPT
ipchains -A input -p tcp -s $REMOTENET -d $LOCALNET 21 -j ACCEPT
ipchains -A input -p tcp -s $REMOTENET -d $LOCALNET 23 -j ACCEPT
ipchains -A input -p tcp -s $REMOTENET -d $LOCALNET 25 -j ACCEPT
ipchains -A input -p tcp -s $REMOTENET -d $LOCALNET 53 -j ACCEPT
ipchains -A input -p udp -s $REMOTENET -d $LOCALNET 53 -j ACCEPT
ipchains -A input -p tcp -s $REMOTENET -d $LOCALNET 80 -j ACCEPT
ipchains -A input -p tcp -s $REMOTENET -d $LOCALNET 110 -j ACCEPT
ipchains -A input -p tcp -s $REMOTENET -d $LOCALNET 308 -j ACCEPT

#Forward Services to Internal Server
echo "Forwarding Needed Services"
ipmasqadm portfw -a -P tcp -L $LOCALIP 21 -R $SERVER 21
ipmasqadm portfw -a -P tcp -L $LOCALIP 23 -R $SERVER 23
ipmasqadm portfw -a -P tcp -L $LOCALIP 25 -R $SERVER 25
ipmasqadm portfw -a -P udp -L $LOCALIP 53 -R $SERVER 53
ipmasqadm portfw -a -P tcp -L $LOCALIP 53 -R $SERVER 53
ipmasqadm portfw -a -P tcp -L $LOCALIP 80 -R $SERVER 80
ipmasqadm portfw -a -P tcp -L $LOCALIP 110 -R $SERVER 110
ipmasqadm portfw -a -P tcp -L $LOCALIP 308 -R $SERVER 308

## ICMP
#
# Deny
# Use this to deny ICMP attacks from specific addresses
#ipchains -A input -b -i $EXTERNALIF -p icmp -s <address> -d 0/0 -l -j DENY
#
# Allow incoming ICMP
ipchains -A input -p icmp -s $REMOTENET -d $LOCALNET -j ACCEPT
ipchains -A input -p icmp -s $REMOTENET -d $LOCALNET -j ACCEPT

# Allow outgoing ICMP
ipchains -A output -p icmp -s $LOCALNET -d $REMOTENET -j ACCEPT
ipchains -A output -p icmp -s $LOCALNET -d $REMOTENET -j ACCEPT
ipchains -A output -p icmp -s $INTERNALNET -d $REMOTENET -j ACCEPT
ipchains -A output -p icmp -s $INTERNALNET -d $REMOTENET -j ACCEPT

#Bi-Directional Ping
ipchains -A input  -i $EXTERNAL_INTERFACE -p icmp -s $REMOTENET 0 -d
$LOCALIP  -j ACCEPT
ipchains -A input  -i $EXTERNAL_INTERFACE -p icmp -s $REMOTENET 3 -d
$LOCALIP  -j ACCEPT
ipchains -A input  -i $EXTERNAL_INTERFACE -p icmp -s $REMOTENET 4 -d
$LOCALIP  -j ACCEPT
ipchains -A input  -i $EXTERNAL_INTERFACE -p icmp -s $REMOTENET 11 -d
$LOCALIP  -j ACCEPT
ipchains -A input  -i $EXTERNAL_INTERFACE -p icmp -s $REMOTENET 12 -d
$LOCALIP  -j ACCEPT

echo "Firewall Enabled"
__________________________________________

just put this here to stop some spam from automated scanners
no spam please

You shouldn't need this; why would internal packets go through this
box at all?

Quote:> ## Allow loopback interface
> ipchains -A input -i $LOOPBACKIF -s 0/0 -d 0/0 -j ACCEPT
> ipchains -A output -i $LOOPBACKIF -s 0/0 -d 0/0 -j ACCEPT

> ## Masquerading
> ipchains -A forward -s $INTERNALNET -d $INTERNALNET -j ACCEPT

Ditto.

Quote:> ## dont MasQ external interface direct
> ipchains -A forward -s $LOCALNET -d $REMOTENET -j ACCEPT

> ## masquerade all internal IP's going outside
> ipchains -A forward -s $INTERNALNET -d $REMOTENET -j MASQ

Why not just specify -j MASQ for everything going out `-i
$EXTERNAL_INTERFACE'?

From browsing the rest, it looks like you're not allowing in packets
heading for the local host ports 61000:65095, and allowing out packets
heading from local host ports 61000:65095 (required for masquerading).

Rusty.
--
Tridge, Raster, DaveM, Cort, maddog... Where will you be 9-11 July 1999?
                http://www.linux.org.au/projects/calu