Chris is still confused
Teddy Mills
teddymills-VFlxZYho3OA at public.gmane.org
Mon Dec 1 19:07:47 UTC 2003
internet interface is ppp0
internal inteface is eth1
This is on a DNS and Web server (I know, not the idea, but Im pressed for
space.)
All I want to is stop everything coming in, and allow ports 22,25,53,80.
Can someone post a generic one? Amazingly, this is not easy to find.
My script is 95% there, but that last 5% will be difficult.
Might be easier to work with a new script.
Theres lots of them out there, that start by allowing everything, and then
restricting.
I want to start by not allowing anything, and then allowing only
22,25,53,80.
Tried those online firewall config toolkits, but I have yet to have one
work.
And for my script, im still cannot get all packets relating to SMTP or DNS
to move correctly.
Anyways here it is....SMTP and DNS still messed up...
[root-v+aXH1h/sVw at public.gmane.org scripts]# cat firewall
#!/bin/sh
echo "Firewall 5.00 starting..."
# ****************************************
# Flushing all chains and reset iptables
# ****************************************
/sbin/iptables -F
/sbin/iptables -F INPUT
/sbin/iptables -F OUTPUT
/sbin/iptables -F FORWARD
/sbin/iptables -t nat -F
/sbin/iptables -X
/sbin/iptables -Z
# **********************************************
# DROP THESE PACKETS
# *********************************************
echo Default policy to DROP all INPUT packets
/sbin/iptables --policy INPUT DROP
echo Default policy to DROP all OUTPUT packets
/sbin/iptables --policy OUTPUT DROP
echo Default policy to DROP all FORWARD packets
/sbin/iptables --policy FORWARD DROP
echo SPOOF DROP incoming 192.168.0.0 packets from ppp0
/sbin/iptables -A INPUT -i ppp0 -s 192.168.0.0/24 -j DROP
# **********************************************
# drop these nutbars
# *********************************************
echo Drop that spammer bitch from China 218.70.8.186
/sbin/iptables -A INPUT -s 218.70.8.186/24 -j DROP
/sbin/iptables -A INPUT -s 218.70.0.0/24 -j DROP
# ***************************************
# Kernel netfilter variables
# ***************************************
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
echo "1" > /proc/sys/net/ipv4/ip_forward
# echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
# ****************************************************************
# ACCEPT THESE PACKETS
# ****************************************************************
echo Enable NAT/MASQUERADING and IPforwarding
/sbin/iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE -j ACCEPT
echo Accept fragmented packets
/sbin/iptables -A FORWARD -f -j ACCEPT
echo accept packets from an already established TCP connection
/sbin/iptables -A FORWARD -m state -p tcp --state ESTABLISHED,RELATED -j
ACCEPT
echo allow everything on eth1 network
/sbin/iptables -A INPUT -i eth1 -p all -j ACCEPT
/sbin/iptables -A OUTPUT -o eth1 -p all -j ACCEPT
/sbin/iptables -A FORWARD -i eth1 -p all -j ACCEPT
echo allow everything on the loopback interface
/sbin/iptables -A INPUT -i lo -p all -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -p all -j ACCEPT
/sbin/iptables -A FORWARD -i lo -p all -j ACCEPT
# **********************************************************
# ppp0 INPUT and FORWARD rules
# **********************************************************
echo allow incoming traffic 110 993
/sbin/iptables -A FORWARD -p tcp -i ppp0 --dport 110 -j ACCEPT
/sbin/iptables -A FORWARD -p tcp -i ppp0 --dport 993 -j ACCEPT
# ***************************************************************
# ppp0 OUTPUT and FORWARD rules
# ***************************************************************
echo allow outgoing ppp0 traffic 110 993
/sbin/iptables -A FORWARD -p tcp -o ppp0 --dport 110 -j ACCEPT
/sbin/iptables -A FORWARD -p tcp -o ppp0 --dport 993 -j ACCEPT
#################################################################
# ICMP 8
#################################################################
/sbin/iptables -A FORWARD -i ppp0 -p tcp --dport 8 -j ACCEPT
/sbin/iptables -A FORWARD -o ppp0 -p tcp --dport 8 -j ACCEPT
/sbin/iptables -A OUTPUT -o ppp0 -p tcp --dport 8 --sport 0:1024 -j
ACCEPT
/sbin/iptables -A INPUT -i ppp0 -p tcp --dport 8 --sport 0:1024 -j
ACCEPT
#################################################################
# DNS 53
#################################################################
/sbin/iptables -A FORWARD -i ppp0 -p tcp --dport 53 -j ACCEPT
/sbin/iptables -A FORWARD -o ppp0 -p tcp --dport 53 -j ACCEPT
/sbin/iptables -A OUTPUT -o ppp0 -p tcp --dport 53 --sport 0:1024 -j
ACCEPT
/sbin/iptables -A INPUT -i ppp0 -p tcp --dport 53 --sport 0:1024 -j
ACCEPT
/sbin/iptables -A FORWARD -i ppp0 -p udp --dport 53 -j ACCEPT
/sbin/iptables -A FORWARD -o ppp0 -p udp --dport 53 -j ACCEPT
/sbin/iptables -A OUTPUT -o ppp0 -p udp --dport 53 --sport 0:1024 -j
ACCEPT
/sbin/iptables -A INPUT -i ppp0 -p udp --dport 53 --sport 0:1024 -j
ACCEPT
#################################################################
# SMTP server 25
################################################################
/sbin/iptables -A FORWARD -i ppp0 -p tcp --dport 25 -j ACCEPT
/sbin/iptables -A FORWARD -o ppp0 -p tcp --dport 25 -j ACCEPT
/sbin/iptables -A OUTPUT -o ppp0 -p tcp --dport 25 --sport 0:1024 -j
ACCEPT
/sbin/iptables -A INPUT -i ppp0 -p tcp --dport 25 --sport 0:1024 -j
ACCEPT
#################################################################
# AUTH 113
################################################################
/sbin/iptables -A FORWARD -i ppp0 -p tcp --dport 113 -j ACCEPT
/sbin/iptables -A FORWARD -o ppp0 -p tcp --dport 113 -j ACCEPT
/sbin/iptables -A OUTPUT -o ppp0 -p tcp --dport 113 --sport 0:1024 -j
ACCEPT
/sbin/iptables -A INPUT -i ppp0 -p tcp --dport 113 --sport 0:1024 -j
ACCEPT
#################################################################
# IMAP 143
################################################################
/sbin/iptables -A FORWARD -i ppp0 -p tcp --dport 143 -j ACCEPT
/sbin/iptables -A FORWARD -o ppp0 -p tcp --dport 143 -j ACCEPT
/sbin/iptables -A OUTPUT -o ppp0 -p tcp --dport 143 --sport 0:1024 -j
ACCEPT
/sbin/iptables -A INPUT -i ppp0 -p tcp --dport 143 --sport 0:1024 -j
ACCEPT
#################################################################
# httpd 80
################################################################
/sbin/iptables -A FORWARD -i ppp0 -p tcp --dport 80 -j ACCEPT
/sbin/iptables -A FORWARD -o ppp0 -p tcp --dport 80 -j ACCEPT
/sbin/iptables -A OUTPUT -o ppp0 -p tcp --dport 80 --sport 0:1024 -j
ACCEPT
/sbin/iptables -A INPUT -i ppp0 -p tcp --dport 80 --sport 0:1024 -j
ACCEPT
#################################################################
# ssh 22
################################################################
/sbin/iptables -A FORWARD -i ppp0 -p tcp --dport 22 -j ACCEPT
/sbin/iptables -A FORWARD -o ppp0 -p tcp --dport 22 -j ACCEPT
/sbin/iptables -A OUTPUT -o ppp0 -p tcp --dport 22 --sport 0:1024 -j
ACCEPT
/sbin/iptables -A INPUT -i ppp0 -p tcp --dport 22 --sport 0:1024 -j
ACCEPT
# *****************************************************
# Loading Iptable modules (enable if not kernel builtin)
# *****************************************************
# /sbin/modprobe ip_tables
# /sbin/modprobe ip_conntrack
# /sbin/modprobe ip_nat_ftp
# /sbin/modprobe ip_conntrack_ftp
# *****************************************
# Disabled rules
# *****************************************
# echo Catchall In case a packet made it here, drop all other traffic.
# /sbin/iptables -A FORWARD -j DROP
# echo Drop any incoming SMTP packets
# /sbin/iptables -A INPUT -p tcp -i ppp0 -s 0/0 --dport 25 -j DROP
[root-v+aXH1h/sVw at public.gmane.org scripts]#
---------------------------------------------------------------
teddy mills
http://www.vger.ca
VGER directives...To collect...all that is collectable. To sell...all that
is saleable.To merchandise...all that is merchandisable.
Family Guys, Quagmire
"allllllllllllllllllllllllllllllll right"
--
The Toronto Linux Users Group. Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml
More information about the Legacy
mailing list