From: [ C T R L ] (ctrl@host4.web.tr)
Date: Tue 11 Nov 2003 - 08:00:26 EST
firewallss dosyasi olusturun.. asagida dosyanin icerigi var.. calistirin
gereken ayarlari kendisi yapacaktir. Kullanim firewallss start
seklindedir. Ayrıca asagida baska ipuclari da var.
--------
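#!/bin/sh
#
# chkconfig: 2345 11 89
# description: sets up a basic firewall ruleset
#
# This script is setup to use IPCHAINS to protect a small network. It is
# considered to be 'medium-light' secure.
#
# This script should be saved as /etc/rc.d/init.d/firewallss
#
# To enable the system to run this script at system start and stop, issue
# the command
#     chkconfig --add firewallss --level 2345
# Make sure the script's executable bits are set. This can be done with
#     chmod u+x firewallss
#
# Thanks go to various people around the office as well as the Trinity OS
# author, http://www.ecst.csuchico.edu/~dranch/LINUX/index-linux.html
#
# There are three user-configurable sections. The first is for the network
# values for the firewall. The second is for CIPE configuration. The third
# consists of the ipchains commands themselves. The only thing that should
# need to be changed for the third section is uncommenting the cipe
# rulesets if needed (they are deactivated by default).
#
# Things to watch out for when using this script:
# a. When starting it by hand it tends to like the network already up.
#    This includes both interfaces. (When started automatically by
#    init it is started pretty early, there is minimal time for the
#    window to be open. This is medium security, after all.)
# b. pump, which controls dhcp under Red Hat, isn't very good at picking
#    up a change in address for the interface. So if the IP address of the
#    interface changes, the script might need to be start/stopped by hand.
#    You'll lose connectivity and a lot of messages about UDP errors will
#    be logged to /var/log/messages when this happens.
# c. This script is an example. It is targeted for a small LAN (a single
#    subnet) and would require work for a more complex network. It is
#    also not guaranteed to be secure, though it is reasonable.
#
# NO WARRANTY
# This script is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY, without even the implied warranty of MERCHANTABILITY
# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
# (http://www.gnu.org/copyleft/gpl.html) for more details.
#
#
###### SCRIPT START ########

# ---- Function library and network configuration used by every Red Hat
# init script (they provide 'status' and ${NETWORKING}). Only change these
# paths if the location on your system is different. It shouldn't be.
. /etc/rc.d/init.d/functions
. /etc/sysconfig/network
# CIPE settings are optional. A failed '.' is fatal in a non-interactive
# /bin/sh, so only source the file when it is actually present.
[ -f /etc/sysconfig/cipe ] && . /etc/sysconfig/cipe

# ---- Basic sanity check. This makes sure that networking is up. If it
# isn't, why continue?
[ "${NETWORKING}" = "no" ] && exit 0

# iface_addr DEV
#   Print the IPv4 address of interface DEV by parsing the "inet addr:"
#   line of "ifconfig DEV". Prints nothing when the interface has no
#   address (or does not exist), so callers must check for an empty result.
iface_addr() {
  ifconfig "$1" | grep "inet addr:" | \
    awk -F: '{print $2}' | cut -d' ' -f1
}

###### USER CONFIGURATION START #########################################

# ---- The device name for the external (WAN) network interface.
# Change this to match the interface that faces the outside world
# (PPP users would use ppp0, for example).
EXTDEV=eth0

# ---- Don't change the code below. It reads the interface's address from
# ifconfig instead of hard-coding it, so the script keeps working on DHCP
# or other dynamic networks; on a static setup the result is the same.
EXTERNALIP=$(iface_addr "${EXTDEV}")
if [ -z "${EXTERNALIP}" ]; then
  echo "${EXTDEV}: no IP address found, cannot build the ruleset" >&2
  exit 1
fi

# ---- The device name for the internal (LAN) network interface.
# See comments above.
INTDEV=eth1

# See comments above.
INTERNALIP=$(iface_addr "${INTDEV}")
if [ -z "${INTERNALIP}" ]; then
  echo "${INTDEV}: no IP address found, cannot build the ruleset" >&2
  exit 1
fi

# ---- The network address of the internal network (a /24 is assumed by
# every rule below). Change it to match the internal network you are
# using; it must be one of the private (RFC 1918) blocks.
INTNET="192.168.0.0"

# ===== End of the first configuration section

# CIPE Configuration section.
# ---- If running CIPE, uncomment these lines. If you are not running CIPE
# DON'T mess with any of these.
#CIPEDEV=cipcb0
#CIPE_INET=$(iface_addr "${CIPEDEV}")
#if [ -z "${CIPE_INET}" ]; then
#  exit 1
#fi
#
#CIPE_PTP=$(ifconfig "${CIPEDEV}" | grep "P-t-P:" | \
#  awk -F: '{print $3}' | cut -d' ' -f1)
#if [ -z "${CIPE_PTP}" ]; then
#  exit 1
#fi
#
# # The internal IPs used for the destination network.
# CIPEINTNET="xxx.xxx.xxx.xxx"
# # The real IP network used for Red Hat
# CIPEREALNET="xxx.xxx.xxx.xxx"
# # The IP Tunnel Box's IP address
# TUNNEL="xxx.xxx.xxx.xxx"
#
# IMPORTANT NOTE: If using CIPE then the sections below with the same
# variables will need to be uncommented. If you don't know what CIPE is
# or don't know how to configure it, leave it alone.
# Variable list: TUNNEL, CIPEREALNET, CIPEINTNET
# ===== End of CIPE configuration section

echo "EXTDEV: ${EXTDEV} on ${EXTERNALIP}"
echo "INTDEV: ${INTDEV} on ${INTERNALIP}"

# See how we were called.
case "$1" in
  start)
    echo -n "Starting firewall: "
    # Masquerading helpers for protocols that carry addresses/ports inside
    # their payload.
    /sbin/modprobe ip_masq_ftp
    /sbin/modprobe ip_masq_irc
    /sbin/modprobe ip_masq_raudio

    # ---- Begin of firewall/ipchain rules.
    # NOTE: If you have your own firewall script you would rather use, you
    # can replace everything from here down to "Done with the firewall
    # rulesets". Don't mess with these unless you know what you are doing.

    # MASQ timeouts. Change these only if the timeouts are causing problems.
    #   7200 s  for established TCP sessions (2 hrs)
    #     10 s  for traffic after the TCP "FIN" packet is received
    #     60 s  for UDP traffic (MASQ'ed ICQ users may need a longer value)
    echo "Setting masq timeouts"
    ipchains -M -S 7200 10 60

    ##################################################################
    # Forwarding: flush and set a default policy of DENY. The policy is
    # belt-and-braces, because the last rule of the chain denies and logs
    # everything that was not matched earlier.
    echo "Setting new forward rules"
    echo -n "forward..."
    # Turn on IP forwarding in the kernel (note: "stop" does not turn it
    # off again).
    echo 1 > /proc/sys/net/ipv4/ip_forward
    ipchains -F forward
    ipchains -P forward DENY
    # Masquerade anything with an internal-net source, whatever interface
    # it leaves on. NOTE: this rule carries no -i, so the interface-specific
    # rule right below it can never match; keep whichever one you want.
    ipchains -A forward -s "${INTNET}/24" -j MASQ
    # Masquerade from the internal net out of the external device to
    # anywhere (-d 0.0.0.0/0 means any destination).
    ipchains -A forward -i "${EXTDEV}" -s "${INTNET}/24" -d 0.0.0.0/0 -j MASQ

    # Backup Rule. Try this out if forwarding doesn't seem to work with the
    # above rules (make sure to comment them out). It masquerades and
    # forwards any packet leaving the external device, with no source check.
    # ipchains -A forward -i "${EXTDEV}" -j MASQ

    # CIPE Forwarding. Ignore this unless you need it.
    # ipchains -A forward -d "${CIPEINTNET}/255.255.255.0"
    # ipchains -A forward -d "${CIPEREALNET}/255.255.254.0"

    # Catch-all rule: all other forwarding is denied and logged (-l). Pity
    # there is no log option on the policy, but this does the job instead.
    ipchains -A forward -s 0.0.0.0/0 -d 0.0.0.0/0 -l -j DENY
    # These are variations of the uncommented rule above.
    #ipchains -A forward -j DENY -l
    #ipchains -A forward -j DENY

    ### Port Forwarding Operations #################################
    # Uncomment these commands only if port forwarding is needed.
    # echo "Enabling IPPORTFW Redirection on the external LAN..."
    # /usr/sbin/ipmasqadm portfw -f
    #
    # You probably don't have the ipmasqadm package installed. If not, go
    # to http://juanjox.kernelnotes.org/ for the binaries before trying to
    # run these commands. "rpm -q ipmasqadm" can be used to check for the
    # package.
    #
    #### ---- These Are Examples of Port Forwards
    ## This one forwards the httpd port from the firewall and points it to
    ## another machine on the LAN with the IP address 192.168.100.100
    # /usr/sbin/ipmasqadm portfw -a -P tcp -L "${EXTERNALIP}" 80 -R 192.168.100.100 80
    ## This one forwards a specialized port from the firewall and points it
    ## at a machine on the LAN with the IP address 192.168.100.100, port 7000.
    # /usr/sbin/ipmasqadm portfw -a -P tcp -L "${EXTERNALIP}" 7000 -R 192.168.100.100 7000

    ################################################################
    # Incoming: flush and set a default policy of DENY. As above, the
    # catch-all rule at the end is what actually denies and logs.
    echo -n "input..."
    echo "Setting new input rules"
    ipchains -F input
    ipchains -P input DENY
    # Internal interface, internal-net source, going anywhere: valid.
    ipchains -A input -i "${INTDEV}" -s "${INTNET}/24" -d 0.0.0.0/0 -j ACCEPT
    # Multicast is valid (xntpd).
    # NOTE(review): this matches packets whose *source* is our own external
    # address arriving on the external interface; confirm that is the
    # traffic xntpd really needs.
    ipchains -A input -i "${EXTDEV}" -s "${EXTERNALIP}/32" -d 224.0.0.0/8 -j ACCEPT
    # Anti-spoofing: packets on the external interface claiming an
    # internal-net source are told to get lost.
    ipchains -A input -i "${EXTDEV}" -s "${INTNET}/24" -d 0.0.0.0/0 -j DENY
    # Loopback interface is valid.
    ipchains -A input -i lo -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT
    # The following are ports that could not be configured to only listen
    # on the internal network, thus we firewall the external address.
    # ipchains takes the first matching rule, so these DENYs must stay
    # ABOVE the accept-everything-to-EXTERNALIP rule further down.
    # (They carry no -i, so they apply on whichever interface the external
    # address is reached through.)
    # Deny access to the backup software port.
    ipchains -A input -p tcp -s 0.0.0.0/0 -d "${EXTERNALIP}" 617 -j DENY
    # Deny access to the firewall auth port.
    ipchains -A input -p tcp -s 0.0.0.0/0 -d "${EXTERNALIP}" 7777 -j DENY
    # Deny access to the echo port (used by squid/junkbuster).
    ipchains -A input -p udp -s 0.0.0.0/0 -d "${EXTERNALIP}" 7 -j DENY
    # Deny access to syslog.
    ipchains -A input -p udp -s 0.0.0.0/0 -d "${EXTERNALIP}" 514 -j DENY
    # External interface, any source, going to the external address: valid.
    # Every port not denied above is therefore reachable from the outside.
    ipchains -A input -i "${EXTDEV}" -s 0.0.0.0/0 -d "${EXTERNALIP}/32" -j ACCEPT
    # IP-IP tunnel. Use these only if you need them.
    # FIXME: limit this to a device (EXTDEV or CIPEDEV). PORT is not set
    # anywhere in this script; define it (the CIPE UDP port) before
    # uncommenting.
    # ipchains -A input -p udp -s "${TUNNEL}" "${PORT}" -j ACCEPT
    # ipchains -A input -i "${CIPEDEV}" -j ACCEPT
    # Catch-all rule: all other incoming is denied and logged.
    # ipchains -A input -j DENY -l
    # ipchains -A input -j DENY
    ipchains -A input -s 0.0.0.0/0 -d 0.0.0.0/0 -l -j DENY

    ##################################################################
    # Outgoing: flush and set a default policy of DENY. As above, the
    # catch-all rule at the end is what actually denies and logs.
    echo "Setting new output rules"
    echo -n "output..."
    ipchains -F output
    ipchains -P output DENY
    # Internal interface, any source, going to the internal net: valid.
    ipchains -A output -i "${INTDEV}" -s 0.0.0.0/0 -d "${INTNET}/24" -j ACCEPT
    # Loopback interface is valid.
    ipchains -A output -i lo -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT
    # Outgoing to the internal net on the external interface: stuffed
    # routing, deny.
    ipchains -A output -i "${EXTDEV}" -s 0.0.0.0/0 -d "${INTNET}/24" -j DENY
    # Outgoing from the internal net on the external interface: stuffed
    # masq, deny.
    ipchains -A output -i "${EXTDEV}" -s "${INTNET}/24" -d 0.0.0.0/0 -j DENY
    # Anything else leaving the external interface from our own address is
    # valid. (The commented variation below drops the source check.)
    #ipchains -A output -i "${EXTDEV}" -d 0.0.0.0/0 -j ACCEPT
    ipchains -A output -i "${EXTDEV}" -s "${EXTERNALIP}/32" -d 0.0.0.0/0 -j ACCEPT
    # Outgoing to the IP-IP tunnel for the CIPE server is valid. Use these
    # only if you need them.
    # ipchains -A output -i "${CIPEDEV}" -s "${CIPE_INET}" -d "${CIPE_PTP}/32" -j ACCEPT
    # ipchains -A output -i "${CIPEDEV}" -s "${CIPE_INET}" -d "${CIPEREALNET}/23" -j ACCEPT
    # ipchains -A output -i "${CIPEDEV}" -s "${EXTERNALIP}" -d "${CIPEREALNET}/23" -j ACCEPT
    # ipchains -A output -i "${CIPEDEV}" -s "${CIPE_INET}" -d 0.0.0.0/0 -j ACCEPT
    # Catch-all rule: all other outgoing is denied and logged.
    # ipchains -A output -j DENY -l
    # ipchains -A output -j DENY
    ipchains -A output -s 0.0.0.0/0 -d 0.0.0.0/0 -l -j DENY
    echo "Done with the firewall rulesets"

    echo -n "acct..."
    # Accounting chains. They contain no rules, so a packet jumping into
    # one is only counted and then continues in the calling chain. They
    # are inserted at the head (-I) so every packet is counted before any
    # DENY. "-N" fails when the chain already exists (e.g. "start" run
    # twice without a "stop"); fall back to flushing it so start is
    # re-runnable.
    for chain in acctin acctout acctio; do
      ipchains -N "${chain}" 2>/dev/null || ipchains -F "${chain}"
    done
    # Track traffic just to network, not individual hosts.
    ipchains -I input -j acctio
    ipchains -I input -j acctin
    ipchains -I output -j acctio
    ipchains -I output -j acctout
    ipchains -I forward -j acctout

    echo "done"
    # NOTE(review): the rc system runs "stop" at shutdown only when
    # /var/lock/subsys/<script name> exists. With the documented install
    # name "firewallss" this lock file name does not match; the same name
    # is used by "status" below. Confirm the intended script name.
    touch /var/lock/subsys/firewall
    ;;
  stop)
    echo -n "Shutting down firewall: "
    # Flush every chain and append an ACCEPT catch-all. The DENY policies
    # set by "start" stay in place but are never reached, so after "stop"
    # the host and the forwarding path are completely open (and
    # ip_forward is left enabled).
    ipchains -F input
    ipchains -A input -j ACCEPT
    ipchains -F output
    ipchains -A output -j ACCEPT
    ipchains -F forward
    ipchains -A forward -j ACCEPT
    # User chains can only be deleted once nothing jumps to them, hence
    # after the flushes above.
    ipchains -X acctio
    ipchains -X acctin
    ipchains -X acctout
    rmmod ip_masq_raudio
    rmmod ip_masq_irc
    rmmod ip_masq_ftp
    echo "done"
    rm -f /var/lock/subsys/firewall
    ;;
  restart)
    "$0" stop
    "$0" start
    ;;
  status)
    # 'status' comes from the init functions library. NOTE(review): there
    # is no daemon called "firewall"; confirm its output is meaningful here.
    status firewall
    ;;
  *)
    echo "Usage: firewall {start|stop|restart|status}"
    exit 1
    ;;
esac
exit 0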