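Hallo debian-firewall@lists.debian.org 's world! I'm Valerio from Rome, Italy. I've set up firewall scripts on some Debian servers @ university, work & home. Can you please have a look at my scripts and tell me about any problems? And a second question: is there in Debian (kernel 2.4.18) any utility for managing the firewall rules, like shorewall? (please don't hurt me: i don't know yet (i'll study it) how to rebuild the kernel sigh!) I'm sorry for my bad bad english! Thanks, Valerio
------------------------------------------------------------
------------------------------------------------------------
SCRIPT CONCEPT:
---
ocb_networking.sh is linked in /etc/init.d/ with a
  #> ln -s /etc/ocb_networking/ocb_networking.sh /etc/init.d/ocb_networking
and made bootable with
  #> update-rc.d ocb_networking defaults
it will call firewall.sh and masquerade.sh .
------------------------------------------------------------
------------------------------------------------------------
------------------------------------------------------------
------------------------------------------------------------
FILE OCB_NETWORKING.SH
---
#!/bin/sh
#
# byOCB-mag04: FireWall and Masquerade definitions with IpTables
#
# Init script. "start" runs firewall.sh (filter rules) and then
# masquerade.sh (NAT / forwarding); "stop" hands over to the Debian
# iptables init script's "clear" action, which flushes every table and
# sets every policy to ACCEPT -- i.e. after "stop" the host is unfiltered.
#
# Usage: ocb_networking {start|stop|restart|status|mlist}
#

# Check that networking is up.
# NETWORKING=no is a Red Hat /etc/sysconfig convention; nothing on Debian
# sets it, so this test is a no-op here and is kept only for portability.
[ "XXXX${NETWORKING}" = "XXXXno" ] && exit 0
# firewall.sh and masquerade.sh read their addresses from ifconfig. Without
# it nothing can be loaded, but say so instead of silently booting unfiltered.
if [ ! -x /sbin/ifconfig ]; then
    printf '%s\n' "ocb_networking: /sbin/ifconfig not found, firewall NOT loaded" >&2
    exit 0
fi

# The location of various iptables and other shell programs
#
IPTABLES=/sbin/iptables
# Directory holding firewall.sh and masquerade.sh
FW_DIR=/etc/ocb_networking

# See how we were called.
case "$1" in
  start)
    # Fail closed: do not turn on forwarding/NAT if the filter rules could
    # not be loaded at all (script missing, not executable, ...).
    "$FW_DIR/firewall.sh" || {
        printf '%s\n' "ocb_networking: firewall.sh failed, masquerading NOT started" >&2
        exit 1
    }
    "$FW_DIR/masquerade.sh"
    ;;
  stop)
    # printf instead of "echo -e": under /bin/sh the -e flag is not portable.
    printf '\nFlushing firewall and setting default policies to CLEAR\n'
    /etc/init.d/iptables clear
    # Alternative "stop" that fails closed (DROP) instead of open (ACCEPT):
    #printf '\nFlushing firewall and setting default policies to DROP\n'
    #$IPTABLES -P INPUT DROP
    #$IPTABLES -F INPUT
    #$IPTABLES -P OUTPUT DROP
    #$IPTABLES -F OUTPUT
    #$IPTABLES -P FORWARD DROP
    #$IPTABLES -F FORWARD
    #$IPTABLES -F -t nat
    # Delete all User-specified chains
    #$IPTABLES -X
    #
    # Reset all IPTABLES counters
    #$IPTABLES -Z
    ;;
  restart)
    # Reload in place. firewall.sh flushes and rebuilds the filter table and
    # masquerade.sh the nat table themselves, so going through "stop" first
    # would only add an ACCEPT-everything window between the two steps.
    $0 start
    ;;
  status)
    # numeric output (no DNS lookups on a firewall) with counters, both tables
    $IPTABLES -L -n -v
    $IPTABLES -t nat -L -n -v
    ;;
  mlist)
    # current connection-tracking table
    cat /proc/net/ip_conntrack
    ;;
  *)
    echo "Usage: ocb_networking {start|stop|restart|status|mlist}"
    exit 1
    ;;
esac
exit 0
------------------------------------------------------------
------------------------------------------------------------
------------------------------------------------------------
------------------------------------------------------------
FILE FIREWALL.SH
---
#!/bin/sh
# firewall.sh: build the INPUT (filter table) rules for this host.
# Run by "ocb_networking start"; can also be run by hand as root.
printf '%s' "ocb_networking: starting FireWall"
#####################################################################
#####################################################################
EXT_IF="eth0"
INT_IF="eth1"
#####################################################################
#####################################################################
# ip for the external interface (assuming EXT_IF is the external)
# "inet addr:" rather than "addr:" so an "inet6 addr:" line, if IPv6 is
# enabled, cannot sneak a second value into the variable.
EXT_IP=$(ifconfig "$EXT_IF" | grep "inet addr:" | cut -d: -f2 | cut -d' ' -f1)
# external netmask
EXT_MASK=$(ifconfig "$EXT_IF" | grep "Mask:" | cut -d: -f4)
# ip for the internal interface (assuming INT_IF is the internal)
INT_IP=$(ifconfig "$INT_IF" | grep "inet addr:" | cut -d: -f2 | cut -d' ' -f1)
# internal netmask
INT_MASK=$(ifconfig "$INT_IF" | grep "Mask:" | cut -d: -f4)
# the gateway ip (not used by any rule in this file; kept for reference)
GATEWAY=$(route -n | grep "^0.0.0.0" | sed -e "s/ \+/ /g" | cut -d' ' -f2)
# Every rule of the "internal net" section is built from INT_IP/INT_MASK.
# If an interface is down or unconfigured these are empty, the source match
# becomes "/" and iptables rejects each such rule -- make that visible in
# the boot output instead of letting it scroll by as individual errors.
if [ -z "$EXT_IP" ] || [ -z "$INT_IP" ] || [ -z "$INT_MASK" ]; then
    printf '\n%s\n' "firewall.sh: WARNING: no address/netmask on $EXT_IF or $INT_IF; rules using them will NOT load" >&2
fi
# the path to the iptables command if needed
FW=/sbin/iptables
printf '%s' "."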
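#progress marker
# set the network address (from the ifconfig output parsed above; empty if
# the interface is unconfigured, in which case every rule using it fails)
INT_NET="$INT_IP/$INT_MASK"
EXT_NET="$EXT_IP/$EXT_MASK"
printf '%s' "." #progress marker

# flush the filter table and delete user chains (chain policies are kept)
$FW -t filter -F
$FW -t filter -X
printf '%s' "." #progress marker
#####################################################################
# setup the logging chain
# The LOG rules are rate-limited so a port scan cannot flood the log; the
# DROP itself is never limited. Level 7 is kern.debug -- syslog must be
# configured to keep that level or nothing will be written.
$FW -N LOGDROP 2>/dev/null
$FW -A LOGDROP -p TCP  -m limit --limit 5/minute --limit-burst 10 -j LOG --log-level 7 --log-prefix "TCP Drop "
$FW -A LOGDROP -p UDP  -m limit --limit 5/minute --limit-burst 10 -j LOG --log-level 7 --log-prefix "UDP Drop "
$FW -A LOGDROP -p ICMP -m limit --limit 5/minute --limit-burst 10 -j LOG --log-level 7 --log-prefix "ICMP Drop "
$FW -A LOGDROP -f      -m limit --limit 5/minute --limit-burst 10 -j LOG --log-level 7 --log-prefix "FRAG Drop "
$FW -A LOGDROP -j DROP
printf '%s' "." #progress marker
#####################################################################
# things to always allow
# Loopback: accept everything arriving on lo, not only source 127.0.0.1.
# Connections the host makes to its own eth0/eth1 addresses also travel
# over lo and carry those addresses as source.
$FW -A INPUT -i lo -j ACCEPT
# Anti-spoofing. The "internal net" section below matches on source address;
# without these two rules a packet arriving on $EXT_IF with a forged $INT_NET
# (or 127.x) source reaches SNMP, syslog, Samba, SWAT and MySQL -- and most
# of those are UDP, so the attacker needs no return path.
$FW -A INPUT -s 127.0.0.0/8 ! -i lo -j LOGDROP
$FW -A INPUT -i $EXT_IF -s $INT_NET -j LOGDROP
#####################################################################
# some people that we will never allow
# scanning host for @home
#$FW -A INPUT -p ALL -s 24.0.0.203 -j LOGDROP
#####################################################################
#####################################################################
# things that we want to accept from anywhere
#
# NOTE: these ACCEPTs only restrict anything if the INPUT chain ends in a
# DROP (policy or catch-all rule). With the kernel default policy ACCEPT
# every port above 1024 is reachable from the Internet whether it is listed
# here or not, and the "block everything else" rules only cover 1:1024.
#
#ECHO
#[tcp:7; udp:7]
#$FW -A INPUT -p tcp -s 0/0 --dport 7 -j ACCEPT
#$FW -A INPUT -p udp -s 0/0 --dport 7 -j ACCEPT
#
#DISCARD
#[tcp:9; udp:9]
#$FW -A INPUT -p tcp -s 0/0 --dport 9 -j ACCEPT
#$FW -A INPUT -p udp -s 0/0 --dport 9 -j ACCEPT
#
#DAYTIME
#[tcp:13; udp:13]
#$FW -A INPUT -p tcp -s 0/0 --dport 13 -j ACCEPT
#$FW -A INPUT -p udp -s 0/0 --dport 13 -j ACCEPT
#
#FTP File Transfer
#[tcp:20=DefaultData;tcp:21=Control]
#$FW -A INPUT -p tcp -s 0/0 --dport 21 -j ACCEPT # ftp control/passiveTranfer traffic (tcp)
#$FW -A INPUT -p tcp -s 0/0 --dport 20 -j ACCEPT # ftp traffic (tcp)
#
#SSH remote Secure SHell
#[tcp:22]
# Open to the whole Internet; consider limiting -s to known networks.
$FW -A INPUT -p tcp -s 0/0 --dport 22 -j ACCEPT
#
#TELNET
#[tcp:23]
#$FW -A INPUT -p tcp -s 0/0 --dport 23 -j ACCEPT
#
#SMTP Simple Mail Transfer
#[tcp:25]
#$FW -A INPUT -p tcp -s 0/0 --dport 25 -j ACCEPT
#
#TIME
#[tcp:37; udp:37]
#$FW -A INPUT -p tcp -s 0/0 --dport 37 -j ACCEPT
#$FW -A INPUT -p udp -s 0/0 --dport 37 -j ACCEPT
#
#NAMESERVER Host Name Server
#[tcp:42]
#$FW -A INPUT -p tcp -s 0/0 --dport 42 -j ACCEPT
#
#DOMAIN Domain Name Server (DNS)
#[tcp:53; udp:53]
#$FW -A INPUT -p tcp -s 0/0 --dport 53 -j ACCEPT
#$FW -A INPUT -p udp -s 0/0 --dport 53 -j ACCEPT
#
#BOOTPS Bootstrap Protocol Server
#[udp:67]
#$FW -A INPUT -p udp -s 0/0 --dport 67 -j ACCEPT
#
#BOOTPC Bootstrap Protocol Client
#[udp:68]
#$FW -A INPUT -p udp -s 0/0 --dport 68 -j ACCEPT
#
# DHCP server / client
#[udp:67=server;udp:68=client]
# DHCP is UDP only. The former "tcp --dport 68" rule matched nothing; replies
# to this host's own DHCP client (dynamic address on EXT_IF) arrive on udp/68.
$FW -A INPUT -p udp -s 0/0 --dport 67 -j ACCEPT
$FW -A INPUT -p udp -s 0/0 --dport 68 -j ACCEPT
#
#TFTP Trivial File Transfer Protocol
#[udp:69]
#$FW -A INPUT -p udp -s 0/0 --dport 69 -j ACCEPT
#
#HTTP
#[tcp:80=http;tcp:443=https]  (443 is https; 446 was a typo)
#$FW -A INPUT -p tcp -s 0/0 --dport 80 -j ACCEPT # httpd
#$FW -A INPUT -p tcp -s 0/0 --dport 443 -j ACCEPT # httpd ssl
#
# POP Mail Server
#[tcp:109=oldPop;tcp:110=POP3]
#$FW -A INPUT -p tcp -s 0/0 --dport 109 -j ACCEPT # old pop
#$FW -A INPUT -p tcp -s 0/0 --dport 110 -j ACCEPT # pop3
#
#AUTH Authentication Service
#[tcp:113]
#$FW -A INPUT -p tcp -s 0/0 --dport 113 -j ACCEPT # ident request
#
#NTP Network Time Protocol
#[udp:123]
#$FW -A INPUT -p udp -s 0/0 --dport 123 -j ACCEPT
#
#NETBIOS File-Sharing with Samba or similar
#[udp:137=NS,NameService;udp:138=DGM,DatagramService;tcp:139=SSN,SessionService]
#$FW -A INPUT -p udp -s 0/0 --dport 137 -j ACCEPT # netbios-ns
#$FW -A INPUT -p udp -s 0/0 --dport 138 -j ACCEPT # netbios-dgm
#$FW -A INPUT -p tcp -s 0/0 --dport 139 -j ACCEPT # netbios-ssn
#
#SNMP Simple Network Mgmt. Protocol
#[udp:161=SNMP_Q/R;udp:162=SNMP-Trap,EventTraps]  (udp/126 is not an SNMP port)
#$FW -A INPUT -p udp -s 0/0 --dport 126 -j ACCEPT # (not SNMP)
#$FW -A INPUT -p udp -s 0/0 --dport 161 -j ACCEPT # Q/R
#$FW -A INPUT -p udp -s 0/0 --dport 162 -j ACCEPT # Event Traps
#
#SYSLOG
#[udp:514]
#$FW -A INPUT -p udp -s 0/0 --dport 514 -j ACCEPT
#
#TALK Two User Interaction
#[udp:517]
#$FW -A INPUT -p udp -s 0/0 --dport 517 -j ACCEPT
#
#RIP Routing Information Protocol
#[udp:520]
#$FW -A INPUT -p udp -s 0/0 --dport 520 -j ACCEPT
#
#TIMED Time Server
#[udp:525]
#$FW -A INPUT -p udp -s 0/0 --dport 525 -j ACCEPT
#
#SWAT Samba configuration via web
#[tcp:901]
#$FW -A INPUT -p tcp -s 0/0 --dport 901 -j ACCEPT # swat
#
# MLDonkey File-Sharing
#[tcp:4662=traffic/control;udp:4662=traffic/control]
#[tcp:4002=chat]
#[tcp:4080=WebInterface;tcp:4000=TelnetInterface;tcp:4001=GuiInterface]
#[tcp:1214=FT;tcp:4444=DirectConnect;tcp:6882=BitTorrent;tcp:9999=OpenNap;tcp:14402=Overnet]
$FW -A INPUT -p tcp -s 0/0 --dport 4662 -j ACCEPT # traffic/control (tcp)
$FW -A INPUT -p udp -s 0/0 --dport 4662 -j ACCEPT # traffic/control (udp)
$FW -A INPUT -p tcp -s 0/0 --dport 4002 -j ACCEPT # chat
#$FW -A INPUT -p tcp -s 0/0 --dport 4000 -j ACCEPT # telnet interface
#$FW -A INPUT -p tcp -s 0/0 --dport 4001 -j ACCEPT # GUI interface
# The web interface is a management interface; opening it to 0/0 means
# anyone on the Internet can reach its login page.
$FW -A INPUT -p tcp -s 0/0 --dport 4080 -j ACCEPT # web interface
$FW -A INPUT -p tcp -s 0/0 --dport 1214 -j ACCEPT # FT traffic (default:disabled)
#$FW -A INPUT -p tcp -s 0/0 --dport 4444 -j ACCEPT # DirectConnect traffic (default:disabled)
$FW -A INPUT -p tcp -s 0/0 --dport 6882 -j ACCEPT # BitTorrent traffic (default:Enabled)
#$FW -A INPUT -p tcp -s 0/0 --dport 9999 -j ACCEPT # Opennap traffic (default:disabled)
$FW -A INPUT -p tcp -s 0/0 --dport 14402 -j ACCEPT # overnet traffic (default:disabled)
#
#VNC VNC Virtual Network Computer
#[tcp:5900=display0-viewer;tcp:5800=display0-http]
#[tcp:5901=display1-viewer;tcp:5801=display1-http]
#[tcp:5902=display2-viewer;tcp:5802=display2-http]
#$FW -A INPUT -p tcp -s 0/0 --dport 5900 -j ACCEPT # :0 viewer
#$FW -A INPUT -p tcp -s 0/0 --dport 5800 -j ACCEPT # :0 http
# VNC password authentication is weak (short key, no lockout); prefer -s of
# known addresses here or an SSH tunnel instead of 0/0.
$FW -A INPUT -p tcp -s 0/0 --dport 5901 -j ACCEPT # :1 viewer
#$FW -A INPUT -p tcp -s 0/0 --dport 5801 -j ACCEPT # :1 http
#$FW -A INPUT -p tcp -s 0/0 --dport 5902 -j ACCEPT # :2 viewer
#$FW -A INPUT -p tcp -s 0/0 --dport 5802 -j ACCEPT # :2 http
#
#MYSQL
#[tcp:3306]
#$FW -A INPUT -p tcp -s 0/0 --dport 3306 -j ACCEPT
#
#####################################################################
#####################################################################
# things that we want to accept from the internal net
#
# Every rule here carries "-i $INT_IF": an internal source address is only
# trusted when the packet really arrived on the internal interface.
#
#ECHO
#[tcp:7; udp:7]
#$FW -A INPUT -i $INT_IF -p tcp -s $INT_NET --dport 7 -j ACCEPT
#$FW -A INPUT -i $INT_IF -p udp -s $INT_NET --dport 7 -j ACCEPT
#
#DISCARD
#[tcp:9; udp:9]
#$FW -A INPUT -i $INT_IF -p tcp -s $INT_NET --dport 9 -j ACCEPT
#$FW -A INPUT -i $INT_IF -p udp -s $INT_NET --dport 9 -j ACCEPT
#
#DAYTIME
#[tcp:13; udp:13]
#$FW -A INPUT -i $INT_IF -p tcp -s $INT_NET --dport 13 -j ACCEPT
#$FW -A INPUT -i $INT_IF -p udp -s $INT_NET --dport 13 -j ACCEPT
#
#FTP File Transfer
#[tcp:20=DefaultData;tcp:21=Control]
#$FW -A INPUT -i $INT_IF -p tcp -s $INT_NET --dport 21 -j ACCEPT # ftp control/passiveTranfer traffic (tcp)
#$FW -A INPUT -i $INT_IF -p tcp -s $INT_NET --dport 20 -j ACCEPT # ftp traffic (tcp)
#
#SSH remote Secure SHell
#[tcp:22]
$FW -A INPUT -i $INT_IF -p tcp -s $INT_NET --dport 22 -j ACCEPT
#
#TELNET
#[tcp:23]
#$FW -A INPUT -i $INT_IF -p tcp -s $INT_NET --dport 23 -j ACCEPT
#
#SMTP Simple Mail Transfer
#[tcp:25]
#$FW -A INPUT -i $INT_IF -p tcp -s $INT_NET --dport 25 -j ACCEPT
#
#TIME
#[tcp:37; udp:37]
#$FW -A INPUT -i $INT_IF -p tcp -s $INT_NET --dport 37 -j ACCEPT
#$FW -A INPUT -i $INT_IF -p udp -s $INT_NET --dport 37 -j ACCEPT
#
#NAMESERVER Host Name Server
#[tcp:42]
#$FW -A INPUT -i $INT_IF -p tcp -s $INT_NET --dport 42 -j ACCEPT
#
#DOMAIN Domain Name Server (DNS)
#[tcp:53; udp:53]
#$FW -A INPUT -i $INT_IF -p tcp -s $INT_NET --dport 53 -j ACCEPT
$FW -A INPUT -i $INT_IF -p udp -s $INT_NET --dport 53 -j ACCEPT
#
#BOOTPS Bootstrap Protocol Server
#[udp:67]
#$FW -A INPUT -i $INT_IF -p udp -s $INT_NET --dport 67 -j ACCEPT
#
#BOOTPC Bootstrap Protocol Client
#[udp:68]
#$FW -A INPUT -i $INT_IF -p udp -s $INT_NET --dport 68 -j ACCEPT
#
# DHCP server / client
#[udp:67=server;udp:68=client]  (DHCP is UDP only; the old tcp/68 rule matched nothing)
$FW -A INPUT -i $INT_IF -p udp -s $INT_NET --dport 67 -j ACCEPT
$FW -A INPUT -i $INT_IF -p udp -s $INT_NET --dport 68 -j ACCEPT
#
#TFTP Trivial File Transfer Protocol
#[udp:69]
#$FW -A INPUT -i $INT_IF -p udp -s $INT_NET --dport 69 -j ACCEPT
#
#HTTP
#[tcp:80=http;tcp:443=https]
#$FW -A INPUT -i $INT_IF -p tcp -s $INT_NET --dport 80 -j ACCEPT # httpd
#$FW -A INPUT -i $INT_IF -p tcp -s $INT_NET --dport 443 -j ACCEPT # httpd ssl
#
# POP Mail Server
#[tcp:109=oldPop;tcp:110=POP3]
#$FW -A INPUT -i $INT_IF -p tcp -s $INT_NET --dport 109 -j ACCEPT # old pop
#$FW -A INPUT -i $INT_IF -p tcp -s $INT_NET --dport 110 -j ACCEPT # pop3
#
#AUTH Authentication Service
#[tcp:113]
#$FW -A INPUT -i $INT_IF -p tcp -s $INT_NET --dport 113 -j ACCEPT # ident request
#
#NTP Network Time Protocol
#[udp:123]
#$FW -A INPUT -i $INT_IF -p udp -s $INT_NET --dport 123 -j ACCEPT
#
#NETBIOS File-Sharing with Samba or similar
#[udp:137=NS,NameService;udp:138=DGM,DatagramService;tcp:139=SSN,SessionService]
$FW -A INPUT -i $INT_IF -p udp -s $INT_NET --dport 137 -j ACCEPT # netbios-ns
$FW -A INPUT -i $INT_IF -p udp -s $INT_NET --dport 138 -j ACCEPT # netbios-dgm
$FW -A INPUT -i $INT_IF -p tcp -s $INT_NET --dport 139 -j ACCEPT # netbios-ssn
#
#SNMP Simple Network Mgmt. Protocol
#[udp:161=SNMP_Q/R;udp:162=SNMP-Trap,EventTraps]
# udp/126 is not an SNMP port (SNMP is 161/162); kept as it was, but it can go.
$FW -A INPUT -i $INT_IF -p udp -s $INT_NET --dport 126 -j ACCEPT # (not SNMP)
$FW -A INPUT -i $INT_IF -p udp -s $INT_NET --dport 161 -j ACCEPT # Q/R
$FW -A INPUT -i $INT_IF -p udp -s $INT_NET --dport 162 -j ACCEPT # Event Traps
#
#SYSLOG
#[udp:514]
$FW -A INPUT -i $INT_IF -p udp -s $INT_NET --dport 514 -j ACCEPT
#
#TALK Two User Interaction
#[udp:517]
$FW -A INPUT -i $INT_IF -p udp -s $INT_NET --dport 517 -j ACCEPT
#
#RIP Routing Information Protocol
#[udp:520]
#$FW -A INPUT -i $INT_IF -p udp -s $INT_NET --dport 520 -j ACCEPT
#
#TIMED Time Server
#[udp:525]
$FW -A INPUT -i $INT_IF -p udp -s $INT_NET --dport 525 -j ACCEPT
#
#SWAT Samba configuration via web
#[tcp:901]
$FW -A INPUT -i $INT_IF -p tcp -s $INT_NET --dport 901 -j ACCEPT # swat
#
# MLDonkey File-Sharing
#[tcp:4080=WebInterface;tcp:4000=TelnetInterface;tcp:4001=GuiInterface]
#$FW -A INPUT -i $INT_IF -p tcp -s $INT_NET --dport 4000 -j ACCEPT # telnet interface
#$FW -A INPUT -i $INT_IF -p tcp -s $INT_NET --dport 4001 -j ACCEPT # GUI interface
$FW -A INPUT -i $INT_IF -p tcp -s $INT_NET --dport 4080 -j ACCEPT # web interface
#
#VNC VNC Virtual Network Computer
#[tcp:5900=display0-viewer;tcp:5800=display0-http]
#[tcp:5901=display1-viewer;tcp:5801=display1-http]
#[tcp:5902=display2-viewer;tcp:5802=display2-http]
#$FW -A INPUT -i $INT_IF -p tcp -s $INT_NET --dport 5900 -j ACCEPT # :0 viewer
#$FW -A INPUT -i $INT_IF -p tcp -s $INT_NET --dport 5800 -j ACCEPT # :0 http
#$FW -A INPUT -i $INT_IF -p tcp -s $INT_NET --dport 5901 -j ACCEPT # :1 viewer
#$FW -A INPUT -i $INT_IF -p tcp -s $INT_NET --dport 5801 -j ACCEPT # :1 http
#$FW -A INPUT -i $INT_IF -p tcp -s $INT_NET --dport 5902 -j ACCEPT # :2 viewer
#$FW -A INPUT -i $INT_IF -p tcp -s $INT_NET --dport 5802 -j ACCEPT # :2 http
#
#MYSQL
#[tcp:3306]
$FW -A INPUT -i $INT_IF -p tcp -s $INT_NET --dport 3306 -j ACCEPT
#
#####################################################################
# block everything else in the low port range.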
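$FW -A INPUT -p tcp -s 0/0 --dport 1:1024 -j LOGDROP
$FW -A INPUT -p udp -s 0/0 --dport 1:1024 -j LOGDROP
#####################################################################
# extras to block to the outside
# (no longer needed once the catch-all drop below is in place)
#$FW -A INPUT -p tcp -s 0/0 --dport 3306 -j LOGDROP
#$FW -A INPUT -p udp -s 0/0 --dport 3306 -j LOGDROP
#####################################################################
# a spot of flood defense: at most one ICMP packet per second is accepted
# here; anything above that falls through to the catch-all drop below
# (ICMP errors belonging to our own connections are still let in as RELATED).
$FW -A INPUT -m limit --limit 1/second -p icmp -j ACCEPT
#####################################################################
# Default deny.
# Without this the INPUT policy stays at the kernel default ACCEPT: the
# "block everything else" rules above only cover ports 1:1024, so every
# port above 1024 was open to the Internet and the ACCEPT rules for the
# MLDonkey/VNC ports were redundant. Order matters: loopback and
# established/related traffic (replies to connections this host opened,
# FTP data via ip_conntrack_ftp) must be accepted before the catch-all.
$FW -A INPUT -i lo -j ACCEPT
$FW -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$FW -A INPUT -j LOGDROP
$FW -P INPUT DROP
printf '%s' "." #progress marker
echo "done" #progress marker
------------------------------------------------------------
------------------------------------------------------------
------------------------------------------------------------
------------------------------------------------------------
FILE MASQUERADE.SH
---
#!/bin/sh
# masquerade.sh: IP forwarding, SNAT for the internal net, DNAT of selected
# services, and the FORWARD filter rules that go with them.
# Runs after firewall.sh (which flushes the whole filter table, FORWARD
# included), so the FORWARD rules have to be built here.
printf '%s' "ocb_networking: starting Masquerading"
#####################################################################
#####################################################################
EXT_IF="eth0"
INT_IF="eth1"
#####################################################################
#####################################################################
#####################################################################
# variables and stuff
# ip for the external interface ("inet addr:" so an inet6 line cannot match)
EXT_IP=$(ifconfig "$EXT_IF" | grep "inet addr:" | cut -d: -f2 | cut -d' ' -f1)
# external netmask
EXT_MASK=$(ifconfig "$EXT_IF" | grep "Mask:" | cut -d: -f4)
# ip for the internal interface
INT_IP=$(ifconfig "$INT_IF" | grep "inet addr:" | cut -d: -f2 | cut -d' ' -f1)
# internal netmask
INT_MASK=$(ifconfig "$INT_IF" | grep "Mask:" | cut -d: -f4)
# the gateway ip (not used below; kept for reference)
GATEWAY=$(route -n | grep "^0.0.0.0" | sed -e "s/ \+/ /g" | cut -d' ' -f2)
# the path to the iptables command -- absolute, like firewall.sh; an init
# script must not depend on $PATH
FW=/sbin/iptables
# set the network address
INT_NET="$INT_IP/$INT_MASK"
EXT_NET="$EXT_IP/$EXT_MASK"
# An empty EXT_IP would turn the SNAT rule into "--to-source" with no
# address and every DNAT into "-d" with no address; an empty INT_NET makes
# the SNAT and FORWARD rules fail. Refuse to enable forwarding in that case
# rather than ending up with ip_forward=1 and no working NAT/filter.
if [ -z "$EXT_IP" ] || [ -z "$INT_IP" ] || [ -z "$INT_MASK" ]; then
    printf '\n%s\n' "masquerade.sh: ERROR: no address/netmask on $EXT_IF or $INT_IF; forwarding NOT enabled" >&2
    exit 1
fi
printf '%s' "." #progress marker
#####################################################################
# load modules (before the rules that rely on them)
modprobe ip_conntrack_irc ports=6666,6667,6668,6669,6670,7000 # DCC sends
modprobe ip_nat_ftp
modprobe ip_conntrack_ftp
printf '%s' "." #progress marker
#####################################################################
# flush the NAT tables
$FW -t nat -F
printf '%s' "." #progress marker
#####################################################################
# FORWARD filtering.
# The kernel default policy is ACCEPT and nothing ever touched this chain,
# so every DNAT below was reachable from any source and anything routable
# through the box was forwarded. Allow internal->external, replies, and
# each forwarded service explicitly; everything else is dropped.
# NOTE: only traffic sourced from $INT_NET on $INT_IF is forwarded out; a
# second internal subnet behind a router on $INT_IF would need its own rule.
$FW -P FORWARD DROP
$FW -A FORWARD -i $INT_IF -o $EXT_IF -s $INT_NET -j ACCEPT
$FW -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# One FORWARD ACCEPT per active DNAT. Any of the commented DNAT examples
# below that gets enabled needs a matching line here or it will be dropped.
$FW -A FORWARD -i $EXT_IF -o $INT_IF -p tcp -d 192.168.1.101 --dport 5900 -j ACCEPT # VNC :0 (DNAT below)
printf '%s' "." #progress marker
#####################################################################
#general forwarding for internal network
# -o $EXT_IF: only rewrite what actually leaves through the uplink
$FW -t nat -A POSTROUTING -s $INT_NET -o $EXT_IF -j SNAT --to-source "$EXT_IP"
printf '%s' "." #progress marker
#####################################################################
#####################################################################
#forward special requests to the internal network
#
#ICQ example
#$FW -t nat -A PREROUTING -d $EXT_IP -p tcp --dport 4001:4010 -j DNAT --to-destination 192.168.x.x:4001-4010
#
#
#EMULE example
#$FW -t nat -A PREROUTING -d $EXT_IP -p tcp --dport 4662 -j DNAT --to-destination 192.168.x.x:4662
#
#$FW -t nat -A PREROUTING -d $EXT_IP -p udp --dport 4672 -j DNAT --to-destination 192.168.x.x:4672
#
#SAMBA example
#$FW -t nat -A PREROUTING -d $EXT_IP -p udp --dport 137 -j DNAT --to-destination 192.168.x.x:137
#
#$FW -t nat -A PREROUTING -d $EXT_IP -p udp --dport 138 -j DNAT --to-destination 192.168.x.x:138
#
#$FW -t nat -A PREROUTING -d $EXT_IP -p udp --dport 139 -j DNAT --to-destination 192.168.x.x:139
#
#MLDonkey Web Interface example
#$FW -t nat -A PREROUTING -d $EXT_IP -p tcp --dport 4080 -j DNAT --to-destination 192.168.x.x:4080
#
#SSH example
#$FW -t nat -A PREROUTING -d $EXT_IP -p tcp --dport 6922 -j DNAT --to-destination 192.168.x.x:22 # ext_ip:6922 to int_ip:22
#
#VNC
# NOTE(review): no -s restriction, so the VNC server on 192.168.1.101 is
# exposed to every host on the Internet. VNC password authentication is
# weak; restrict -s (here and in the FORWARD rule above) to known addresses
# or reach it through an SSH tunnel instead.
$FW -t nat -A PREROUTING -d $EXT_IP -p tcp --dport 5900 -j DNAT --to-destination 192.168.1.101:5900 # :0 viewer
#$FW -t nat -A PREROUTING -d $EXT_IP -p tcp --dport 5800 -j DNAT --to-destination 192.168.x.x:5800 # :0 http
#$FW -t nat -A PREROUTING -d $EXT_IP -p tcp --dport 5901 -j DNAT --to-destination 192.168.1.101:5901 # :1 viewer
#$FW -t nat -A PREROUTING -d $EXT_IP -p tcp --dport 5801 -j DNAT --to-destination 192.168.x.x:5801 # :1 http
#$FW -t nat -A PREROUTING -d $EXT_IP -p tcp --dport 5902 -j DNAT --to-destination 192.168.x.x:5902 # :2 viewer
#$FW -t nat -A PREROUTING -d $EXT_IP -p tcp --dport 5802 -j DNAT --to-destination 192.168.x.x:5802 # :2 http
#####################################################################
# turn on ip_forwarding only now that the NAT and FORWARD rules are in place
echo "1" > /proc/sys/net/ipv4/ip_forward
printf '%s' "."
echo "done"
------------------------------------------------------------
------------------------------------------------------------
Thanks!!! Valerio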