ipchains script

Post by Ramon Leo » Wed, 14 Apr 1999 04:00:00



here's what I've got so far after two weeks of trying to make a secure
script.  Can anyone please help me get this working.

___________________________________
#variables
SERVER="10.0.0.3"
LOCALIP="208.xxx.xx.xx"
LOCALNET="208.xxx.xx.0/32"
INTERNALIP="10.0.0.1"
INTERNALNET="10.0.0.0/8"
REMOTENET="0/0"
LOOPBACKIF="lo"
EXTERNAL_INTERFACE="eth0"

## Flush everything, start from scratch
ipchains -F

#Default Policy
ipchains -P input DENY
ipchains -P output ACCEPT
ipchains -P forward DENY

## Allow all connections within the network
ipchains -A input -s $INTERNALNET  -d $INTERNALNET -j ACCEPT
ipchains -A output -s $INTERNALNET -d $INTERNALNET -j ACCEPT

## Allow loopback interface
ipchains -A input -i $LOOPBACKIF -s 0/0 -d 0/0 -j ACCEPT
ipchains -A output -i $LOOPBACKIF -s 0/0 -d 0/0 -j ACCEPT

## Masquerading
ipchains -A forward -s $INTERNALNET -d $INTERNALNET -j ACCEPT

## don't MASQ traffic that already carries the external net's own addresses
ipchains -A forward -s $LOCALNET -d $REMOTENET -j ACCEPT

## masquerade all internal IPs going outside
ipchains -A forward -s $INTERNALNET -d $REMOTENET -j MASQ

## Allow all connections from the network to the outside
ipchains -A input -s $INTERNALNET  -d $REMOTENET -j ACCEPT
ipchains -A output -s $INTERNALNET -d $REMOTENET -j ACCEPT

#Set telnet, www and FTP for minimum delay
ipchains -A output -p tcp -d 0/0 www -t 0x01 0x10
ipchains -A output -p tcp -d 0/0 telnet -t 0x01 0x10
ipchains -A output -p tcp -d 0/0 ftp -t 0x01 0x10

#Set ftp-data for maximum throughput
ipchains -A output -p tcp -d 0/0 ftp-data -t 0x01 0x08

## Specific port blocks on the external interface
## MS-SQL
ipchains -A input -p tcp -s $REMOTENET -d $LOCALNET 1433 -l -j DENY
ipchains -A input -p udp -s $REMOTENET -d $LOCALNET 1433 -l -j DENY
#
## NFS
ipchains -A input -p tcp -s $REMOTENET -d $LOCALNET 2049 -l -j DENY
ipchains -A input -p udp -s $REMOTENET -d $LOCALNET 2049 -l -j DENY
#
## postgresSQL
ipchains -A input -p tcp -s $REMOTENET -d $LOCALNET 5432 -l -j DENY
ipchains -A input -p udp -s $REMOTENET -d $LOCALNET 5432 -l -j DENY
#
## X11disp:0-:2-
ipchains -A input -p tcp -s $REMOTENET -d $LOCALNET 5999:6003 -l -j DENY
ipchains -A input -p udp -s $REMOTENET -d $LOCALNET 5999:6003 -l -j DENY
#
## Back Orifice
ipchains -A input -p tcp -s $REMOTENET -d $LOCALNET 31337 -l -j DENY
ipchains -A input -p udp -s $REMOTENET -d $LOCALNET 31337 -l -j DENY
#
## NetBus
ipchains -A input -p tcp -s $REMOTENET -d $LOCALNET 12345:12346 -l -j DENY
ipchains -A input -p udp -s $REMOTENET -d $LOCALNET 12345:12346 -l -j DENY

## High unprivileged ports
# this opens all unprivileged ports (1024 and up), hence the need for the port blocks above
ipchains -A input -p tcp -s $REMOTENET -d $LOCALNET 1024:65535 -j ACCEPT
ipchains -A input -p udp -s $REMOTENET -d $LOCALNET 1024:65535 -j ACCEPT

## Basic Services allowed on external interface
ipchains -A input -p tcp -s $REMOTENET -d $LOCALNET 20 -j ACCEPT
ipchains -A input -p tcp -s $REMOTENET -d $LOCALNET 21 -j ACCEPT
ipchains -A input -p tcp -s $REMOTENET -d $LOCALNET 23 -j ACCEPT
ipchains -A input -p tcp -s $REMOTENET -d $LOCALNET 25 -j ACCEPT
ipchains -A input -p tcp -s $REMOTENET -d $LOCALNET 53 -j ACCEPT
ipchains -A input -p udp -s $REMOTENET -d $LOCALNET 53 -j ACCEPT
ipchains -A input -p tcp -s $REMOTENET -d $LOCALNET 80 -j ACCEPT
ipchains -A input -p tcp -s $REMOTENET -d $LOCALNET 110 -j ACCEPT
ipchains -A input -p tcp -s $REMOTENET -d $LOCALNET 308 -j ACCEPT

#Forward Services to Internal Server
echo "Forwarding Needed Services"
ipmasqadm portfw -a -P tcp -L $LOCALIP 21 -R $SERVER 21
ipmasqadm portfw -a -P tcp -L $LOCALIP 23 -R $SERVER 23
ipmasqadm portfw -a -P tcp -L $LOCALIP 25 -R $SERVER 25
ipmasqadm portfw -a -P udp -L $LOCALIP 53 -R $SERVER 53
ipmasqadm portfw -a -P tcp -L $LOCALIP 53 -R $SERVER 53
ipmasqadm portfw -a -P tcp -L $LOCALIP 80 -R $SERVER 80
ipmasqadm portfw -a -P tcp -L $LOCALIP 110 -R $SERVER 110
ipmasqadm portfw -a -P tcp -L $LOCALIP 308 -R $SERVER 308

## ICMP
#
# Deny
# Use this to deny ICMP attacks from specific addresses
#ipchains -A input -b -i $EXTERNAL_INTERFACE -p icmp -s <address> -d 0/0 -l -j DENY
#
# Allow incoming ICMP
ipchains -A input -p icmp -s $REMOTENET -d $LOCALNET -j ACCEPT

# Allow outgoing ICMP
ipchains -A output -p icmp -s $LOCALNET -d $REMOTENET -j ACCEPT
ipchains -A output -p icmp -s $INTERNALNET -d $REMOTENET -j ACCEPT

#Bi-Directional Ping (ICMP types 0, 3, 4, 11 and 12 to the external address)
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp -s $REMOTENET 0 -d $LOCALIP -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp -s $REMOTENET 3 -d $LOCALIP -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp -s $REMOTENET 4 -d $LOCALIP -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp -s $REMOTENET 11 -d $LOCALIP -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp -s $REMOTENET 12 -d $LOCALIP -j ACCEPT

echo "Firewall Enabled"
__________________________________________

just put this here to stop some spam from automated scanners
no spam please


ipchains script

Post by Paul Rusty Russel » Sat, 08 May 1999 04:00:00



> here's what I've got so far after two weeks of trying to make a secure
> script.  Can anyone please help me get this working.

> ___________________________________
> #variables
> SERVER="10.0.0.3"
> LOCALIP="208.xxx.xx.xx"
> LOCALNET="208.xxx.xx.0/32"
> INTERNALIP="10.0.0.1"
> INTERNALNET="10.0.0.0/8"
> REMOTENET="0/0"
> LOOPBACKIF="lo"
> EXTERNAL_INTERFACE="eth0"

> ## Flush everything, start from scratch
> ipchains -F

> #Default Policy
> ipchains -P input DENY
> ipchains -P output ACCEPT
> ipchains -P forward DENY

> ## Allow all connections within the network
> ipchains -A input -s $INTERNALNET  -d $INTERNALNET -j ACCEPT
> ipchains -A output -s $INTERNALNET -d $INTERNALNET -j ACCEPT

You shouldn't need this; why would internal packets go through this
box at all?

> ## Allow loopback interface
> ipchains -A input -i $LOOPBACKIF -s 0/0 -d 0/0 -j ACCEPT
> ipchains -A output -i $LOOPBACKIF -s 0/0 -d 0/0 -j ACCEPT

> ## Masquerading
> ipchains -A forward -s $INTERNALNET -d $INTERNALNET -j ACCEPT

Ditto.

> ## dont MasQ external interface direct
> ipchains -A forward -s $LOCALNET -d $REMOTENET -j ACCEPT

> ## masquerade all internal IP's going outside
> ipchains -A forward -s $INTERNALNET -d $REMOTENET -j MASQ

Why not just specify -j MASQ for everything going out `-i
$EXTERNAL_INTERFACE'?

From browsing the rest, it looks like you're not allowing in packets
heading for the local host ports 61000:65095, and allowing out packets
heading from local host ports 61000:65095 (required for masquerading).

Rusty.
--
Tridge, Raster, DaveM, Cort, maddog... Where will you be 9-11 July 1999?
                http://www.linux.org.au/projects/calu
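The two changes Rusty suggests, written out as an added example (not the original poster's script and not Rusty's code): one MASQ rule keyed on the outgoing interface, plus input rules that let replies reach the firewall's own masquerade port range. The public address is a placeholder, and RUN defaults to echo so the script prints the rules instead of loading them.

```shell
#!/bin/sh
# Constructed example: masquerade rules along the lines of Rusty's reply.
EXTERNAL_INTERFACE="eth0"
LOCALIP="192.0.2.1"          # placeholder for the firewall's public address
INTERNALNET="10.0.0.0/8"
MASQ_PORTS="61000:65095"     # port range the 2.2 kernel masquerade code uses
RUN="${RUN:-echo}"           # dry run by default; run with RUN= to load the rules

rule() { $RUN ipchains "$@"; }

masq_rules() {
    # Internal-to-internal traffic never crosses this box, so no rule for it.
    # For the forward chain, -i is the interface the packet will leave on:
    # one rule masquerades everything from the internal net heading out.
    rule -A forward -i "$EXTERNAL_INTERFACE" -s "$INTERNALNET" -j MASQ

    # Replies to masqueraded connections are addressed to the firewall
    # itself on ports 61000:65095, so an input policy of DENY needs these.
    for proto in tcp udp; do
        rule -A input -i "$EXTERNAL_INTERFACE" -p "$proto" \
             -s 0/0 -d "$LOCALIP" "$MASQ_PORTS" -j ACCEPT
        # Only needed if the output policy is not already ACCEPT.
        rule -A output -i "$EXTERNAL_INTERFACE" -p "$proto" \
             -s "$LOCALIP" "$MASQ_PORTS" -d 0/0 -j ACCEPT
    done
}

# Number of rules the function emits in dry-run mode (1 MASQ + 2 protos x 2 chains).
count_rules() { masq_rules | grep -c "^ipchains"; }

masq_rules
```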


1. RH 7.1 init.d ipchains script

It may be of interest for RH 7.1 users (and possibly others, I don't
know) that if a kernel is recompiled or otherwise updated, and if for
some reason that kernel does not support ipchains, that
/etc/rc.d/init.d/ipchains will in fact fail to notify that ipchains has
been deactivated...it will appear to be business as usual. You can check
if ipchains is really running via "ipchains -L".

