where it can be append ..
- To: debian-mentors@lists.debian.org
- Subject: where it can be append ..
- From: Kiryanov Vasiliy <kva@riva.gomel.by>
- Date: Tue, 13 May 2003 01:08:50 +0300
- Message-id: <20030512220850.GA956@night>
- In-reply-to: <20030512190507.GA1523@night>
- References: <20030512190507.GA1523@night>
sorry, I forgot to attach the scripts
..
bye
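#!/bin/sh
#
# 3iptables-ppp_up-rules, v 0.2 2003/04/27 17:52:55
# Kiryanov Vasiliy, mailto://root@lycos.ru
#
# Many people use ppp to connect to the InterNet, this script sets BASIC
# firewall (iptables) rules to protect your machine from crackers.
# For good protection read the iptables(8) manual and tune this script!
# !!! DO NOT USE FOR SERVERS !!! you need to make your own script!
# If you find some errors or missing write me: root@lycos.ru
#
# Runs from /etc/ppp/ip-up.d (via run-parts) once pppd has the link up.
# Reads:   PPP_IFACE, PPP_LOCAL (exported by ip-up); PPP_REMOTE and MY_ISP
#          only matter for the commented-out ISP rules below
# Writes:  $SAVE_FILE, a snapshot of the pre-PPP IPv4 ruleset that the
#          companion ip-down script feeds back to iptables-restore
# Exits:   0 when iptables is unusable (nothing to do) or when done;
#          non-zero (via ${VAR:?}) if ip-up did not export PPP_IFACE/PPP_LOCAL
# Only IPv4 (iptables) is handled here; ip6tables is not touched.

# check if iptables exist and have kernel support
# Is somebody know the better way to check it ?
# Only the exit status matters, so the listing is discarded instead of
# ending up in the run-parts output.
/sbin/iptables --list --numeric >/dev/null 2>&1 || exit 0

# when started pppd it call ip-up, which set variables and uses run-parts
# to run scripts in /etc/ppp/ip-up.d, one of which is that.
# ip-up set this variables, so we don't need to do it:
# Var Name Example
# PPP_IFACE Interface name ppp0
# PPP_TTY The tty ttyS1
# PPP_SPEED The link speed 38400
# PPP_LOCAL Local IP number 12.34.56.78
# PPP_REMOTE Peer IP number 12.34.56.99
# PPP_IPPARAM Optional ``ipparam'' value foo
# PPP_TTYNAME Tty name stripped of /dev/ (if present) for easier matching
# PATH=/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin
#
# Every rule below is built around these two. With either of them empty the
# iptables command line would misparse (the following option would be taken
# as the interface/address), so stop here rather than apply a broken ruleset.
: "${PPP_IFACE:?not exported by ip-up}"
: "${PPP_LOCAL:?not exported by ip-up}"

# set variables for handy manipulation
#MY_ISP="217.21.59.0/24" # set your ISP address range !!
#--------------------------------------------------------------
LOOPBACK_INTERFACE="lo" # loopback interface (not used by the rules below; kept for tuning)
LOOPBACK="127.0.0.0/8" # loopback address range
CLASS_A="10.0.0.0/8" # RFC 1918 private range ("class A")
CLASS_B="172.16.0.0/12" # RFC 1918 private range ("class B"): 172.16.0.0-172.31.255.255, not 172.168/12
CLASS_C="192.168.0.0/16" # RFC 1918 private range ("class C")
CLASS_D="224.0.0.0/4" # MULTICAST
CLASS_E="240.0.0.0/4" # RESERVED: 240.0.0.0-255.255.255.255 (a /5 would stop at 247.255.255.255)
BROADCAST_SRC="0.0.0.0" # broadcast source address
BROADCAST_DST="255.255.255.255" # broadcast destination address
PRIVATE_PORTS="0:1023" # your computer private ports (not used by the rules below; kept for tuning)
SAVE_FILE="/tmp/3iptables-ppp_up-SAVE" # ruleset snapshot; must match the ip-down script
#--------------------------------------------------------------
# save iptables exist rulesets, we restore them after PPP interface down!
# /tmp is world-writable, so the snapshot is created with mode 0600 (umask)
# and under noclobber (set -C): the shell then refuses to open a path that
# already exists, so a file or symlink planted under this name makes the
# save fail instead of being written through. If the save fails the rules
# are still applied (the protection matters more), but the ip-down script
# will then have nothing to restore. A root-only directory (e.g. below
# /var/run) is the better home for this file; change SAVE_FILE in both
# scripts together if you move it.
umask 077
rm -f -- "$SAVE_FILE"
if ! ( set -C; /sbin/iptables-save > "$SAVE_FILE" ); then
  printf '%s: cannot save the current ruleset to %s\n' "$0" "$SAVE_FILE" >&2
fi

#INPUT RULESET
# drop_src RANGE: drop packets arriving on the PPP link whose source is RANGE
drop_src() {
  /sbin/iptables --append INPUT --in-interface "$PPP_IFACE" --source "$1" --jump DROP
}
# block packets with your source ip-address [you can't send packets yourself]
drop_src "$PPP_LOCAL"
# block packets with LOOPBACK source address
drop_src "$LOOPBACK"
# block classes A,B,C,D,E address ranges [they can't come from the InterNet]
for range in "$CLASS_A" "$CLASS_B" "$CLASS_C" "$CLASS_D" "$CLASS_E"; do
  drop_src "$range"
done
# block broadcast source and destination packets
drop_src "$BROADCAST_SRC"
/sbin/iptables --append INPUT --in-interface "$PPP_IFACE" --destination "$BROADCAST_DST" --jump DROP
#ISP block, WITHOUT Peer IP number [we work throught it]
#/sbin/iptables --append INPUT --in-interface "$PPP_IFACE" --source "$PPP_REMOTE" --jump ACCEPT
#/sbin/iptables --append INPUT --in-interface "$PPP_IFACE" --source "$MY_ISP" --jump DROP
#OUTPUT RULESET
# I can send anything I want, are you ?
#FORWARD RULESET
# block packets send to you for FORWARDING, do you need it?
# (a chain policy is global, not tied to $PPP_IFACE; the previous policy
# comes back with the snapshot on ip-down)
/sbin/iptables --policy FORWARD DROP
#
# try '$ ifconfig' to see if your ppp interface all right
# try '# iptables --list' to see if all rules right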
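#!/bin/sh
#
# 3iptables-ppp_up-rules, v 0.2 2003/04/27 17:52:55
# Kiryanov Vasiliy, mailto://root@lycos.ru
#
# this script run when PPP down and
# restore iptables RULES that exist before PPP up
# If you find some errors or missing write me: root@lycos.ru
#
# Runs from /etc/ppp/ip-down.d (via run-parts). It feeds the snapshot written
# by the ip-up script to iptables-restore, which replaces the whole IPv4
# ruleset with the file's content, and then removes the snapshot.
#--------------------------------------------------------------
SAVE_FILE="/tmp/3iptables-ppp_up-SAVE" # must match the ip-up script

# is_root_regular PATH: true when PATH is a plain file (not a symlink) owned
# by root. Only POSIX test(1)/find(1) primaries are used so it works under dash.
is_root_regular() {
  [ -f "$1" ] && [ ! -L "$1" ] && [ -n "$(find "$1" -prune -user root 2>/dev/null)" ]
}

# restoring iptables RULES
# Whatever is in this file becomes the firewall, and /tmp is shared with every
# local user, so refuse anything that is not a root-owned regular file (the
# ip-up script creates it as such). A missing file means the save failed
# there; in both cases the current rules are kept rather than replaced.
if is_root_regular "$SAVE_FILE"; then
  /sbin/iptables-restore < "$SAVE_FILE" \
    || printf '%s: iptables-restore failed, current rules kept\n' "$0" >&2
else
  printf '%s: no usable snapshot at %s, current rules kept\n' "$0" "$SAVE_FILE" >&2
fi
#unlink(remove) temp file
rm -f -- "$SAVE_FILE"
#
# try '$ ifconfig' to see if your ppp interface all right
# try '# iptables --list' to see if all rules right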