firewall script fighting

To: debian-firewall@lists.debian.org
Subject: firewall script fighting
From: tim@atomstrahl.de
Date: Sun, 1 Apr 2001 17:20:38 +0200
Message-id: <1074452452.20010401172038@atomstrahl.de>
Reply-to: tim@atomstrahl.de
Hello

i try to setup a firewall for my lan. i want to be invissible to the
internet (no respond to a ping), but i want to allow some specific
connects. my script i have so far makes me invissible and i can surf
the web..., but nobody can connect to my server.

maybe you easiely find some errors:


--------------------------------------------------------------------


# Firewall Skript
#!/bin/sh

DEV_LAN=eth0
IP_LAN=192.168.99.10
LAN=192.168.99.0/255.255.255.0
DEV_INET=ippp0
INET=0.0.0.0/0.0.0.0


insmod ip_masq_cuseeme
insmod ip_masq_ftp
insmod ip_masq_irc
insmod ip_masq_quake
insmod ip_masq_raudio
insmod ip_masq_user
insmod ip_masq_vdolive



#----- IP Forwarding und Unterstuetzung dynamisch zugeteilter IP Adressen aktivieren -----
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
echo "1" > /proc/sys/net/ipv4/ip_forward

#----- Alle Regeln loeschen -----
ipchains -F

#----- Default Policy auf DENY setzen -----
ipchains -P input DENY
ipchains -P forward DENY 
ipchains -P output DENY 

#----- ip-spoofing verhindern -----
ipchains -A input -i $DEV_INET -p tcp -s $LAN -j DENY -l

#----- Loopback erlauben -----
ipchains -A input -i lo -j ACCEPT
ipchains -A output -i lo -j ACCEPT

#----- alle Intranet Verbindungen erlauben -----
ipchains -A input -i $DEV_LAN -s $LAN -j ACCEPT
ipchains -A output -i $DEV_LAN -d $LAN -j ACCEPT

#----- DNS Abfragen ins Internet erlauben, sowohl UDP als auch TCP -----
ipchains -A output -i $DEV_INET -p udp -d $INET 53 -j ACCEPT
ipchains -A input -i $DEV_INET -p udp -s $INET 53 -j ACCEPT
ipchains -A output -i $DEV_INET -p tcp -d $INET 53 -j ACCEPT
ipchains -A input -i $DEV_INET -p tcp -s $INET 53 -j ACCEPT ! -y

#----- HTTP erlauben -----
ipchains -A output -i $DEV_INET -p tcp -d $INET 80 -j ACCEPT
ipchains -A input -i $DEV_INET -p tcp -s $INET 80 -j ACCEPT ! -y

#----- HTTPS erlauben -----
ipchains -A output -i $DEV_INET -p tcp -d $INET 443 -j ACCEPT
ipchains -A input -i $DEV_INET -p tcp -s $INET 443 -j ACCEPT ! -y

#----- FTP erlauben -----
ipchains -A output -i $DEV_INET -p tcp -d $INET 21 -j ACCEPT
ipchains -A input -i $DEV_INET -p tcp -s $INET 21 -j ACCEPT ! -y

#----- Erweiterung fuer aktives FTP -----
ipchains -A output -i $DEV_INET -p tcp -d $INET 20 -j ACCEPT
ipchains -A input -i $DEV_INET -p tcp -s $INET 20 -j ACCEPT

#----- SSH ins Internet erlauben -----
ipchains -A output -i $DEV_INET -p tcp -d $INET 22 -j ACCEPT
ipchains -A input -i $DEV_INET -p tcp -s $INET 22 -j ACCEPT ! -y

#----- SMTP ins Internet erlauben -----
ipchains -A output -i $DEV_INET -p tcp -d $INET 25 -j ACCEPT
ipchains -A input -i $DEV_INET -p tcp -s $INET 25 -j ACCEPT ! -y

#----- POP3 ins Internet erlauben -----
ipchains -A output -i $DEV_INET -p tcp -d $INET 110 -j ACCEPT
ipchains -A input -i $DEV_INET -p tcp -s $INET 110 -j ACCEPT ! -y


#-------------highports---------------
ipchains -A output -i $DEV_INET -p tcp -d $INET 1023:65535 -j ACCEPT
ipchains -A input -i $DEV_INET -p tcp -s $INET 1023:65535 -j ACCEPT ! -y
ipchains -A output -i $DEV_INET -p udp -d $INET 1023:65535 -j ACCEPT
ipchains -A input -i $DEV_INET -p udp -d $INET 1023:65535 -j ACCEPT



#----- Chain fuer ICMP erstellen -----
ipchains -N icmp-out
ipchains -A icmp-out -p icmp --icmp-type echo-reply -j DENY
ipchains -A icmp-out -p icmp --icmp-type echo-request -j ACCEPT
ipchains -A icmp-out -p icmp --icmp-type destination-unreachable -j ACCEPT
ipchains -A icmp-out -p icmp --icmp-type source-quench -j ACCEPT
ipchains -A icmp-out -p icmp --icmp-type time-exceeded -j ACCEPT
ipchains -A icmp-out -p icmp --icmp-type parameter-problem -j ACCEPT

ipchains -N icmp-in
ipchains -A icmp-in -p icmp --icmp-type echo-reply -j ACCEPT
ipchains -A icmp-in -p icmp --icmp-type echo-request -j DENY
ipchains -A icmp-in -p icmp --icmp-type destination-unreachable -j ACCEPT
ipchains -A icmp-in -p icmp --icmp-type source-quench -j ACCEPT
ipchains -A icmp-in -p icmp --icmp-type time-exceeded -j ACCEPT
ipchains -A icmp-in -p icmp --icmp-type parameter-problem -j ACCEPT

#----- ICMP Pakete an Output Chain uebergeben -----
ipchains -A output -p icmp -j icmp-out

#----- ICMP Pakete an Input Chain uebergeben -----
ipchains -A input -p icmp -j icmp-in

#----- Masquerading aktivieren -----
ipchains -A forward -s 192.168.99.0/24 -d 0.0.0.0/0 -j MASQ
echo Firewall is up


-------------------------------------------------------------------------------

again the problem is nobody cant connect except from inside the lan


thanks in advance

  

-- 
Best regards,
 tim                          mailto:tim@atomstrahl.de
Reply to:
Prev by Date: Active & passive FTP
Next by Date: Re: Active & passive FTP
Previous by thread: Re: Active & passive FTP
Next by thread: Re: firewall script fighting
Index(es):
- Date
- Thread