
where it can be append ..



sorry, I forgot to attach the scripts
..
bye

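#!/bin/sh
#
# 3iptables-ppp_up-rules, v 0.2 2003/04/27 17:52:55
# Kiryanov Vasiliy, mailto://root@lycos.ru
#
# Many people use ppp to connect to the Internet.  This script sets BASIC
# anti-spoofing firewall (iptables) rules on the ppp interface to protect
# your machine from crackers.  For real protection read iptables(8) and
# tune this script!
# !!! DO NOT USE FOR SERVERS !!! you need to write your own script!
#
# What it does -- and does not do:
#   - it only DROPs inbound packets on the ppp link whose source (or
#     destination) address can never legitimately arrive from the Internet;
#     it does NOT restrict which local services are reachable -- the INPUT
#     policy is left exactly as it was.
#   - it snapshots the whole ruleset first, so the companion ip-down script
#     can put it back when the link goes away.

# If you find some errors or missing write me: root@lycos.ru

# pppd runs ip-up when the link comes up; ip-up sets these variables and
# uses run-parts to run the scripts in /etc/ppp/ip-up.d, one of which is
# this one.  pppd passes the same parameters to ip-down, so the companion
# script below rebuilds the snapshot file name from them.
#      Var            Name                     Example
#   PPP_IFACE    Interface name                 ppp0
#   PPP_TTY      The tty                        ttyS1
#   PPP_SPEED    The link speed                 38400
#   PPP_LOCAL    Local IP number                12.34.56.78
#   PPP_REMOTE   Peer  IP number                12.34.56.99
#   PPP_IPPARAM  Optional ``ipparam'' value     foo
#   PPP_TTYNAME  Tty name stripped of /dev/ (if present) for easier matching

# PATH=/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin

IPTABLES=/sbin/iptables
IPTABLES_SAVE=/sbin/iptables-save

# Refuse to run without the pppd variables: every rule below is keyed on
# PPP_IFACE, and an empty --in-interface would match EVERY interface.
if [ -z "$PPP_IFACE" ] || [ -z "$PPP_LOCAL" ]; then
    echo "$0: PPP_IFACE/PPP_LOCAL not set, must be run by pppd (ip-up)" >&2
    exit 1
fi

# check if iptables exists and has kernel support: listing the filter table
# fails if either the binary or the kernel modules are missing.  Exit 0 so
# run-parts does not abort the remaining ip-up.d scripts.  Output is
# discarded -- the full ruleset does not need to be printed on every dial-up.
"$IPTABLES" --list --numeric > /dev/null 2>&1 || exit 0

# Where the ruleset snapshot for ip-down is kept.
# This MUST be a directory only root can write to.  /tmp is world-writable:
# an unprivileged local user could pre-create the file (or a symlink to any
# file on the system) so that root's '>' redirect overwrites it, and could
# then edit the snapshot and have iptables-restore load a ruleset of his
# choosing as root when the link goes down.  One file per interface, so two
# ppp links do not clobber each other's snapshot.
STATE_DIR="/var/run"
SAVE_FILE="$STATE_DIR/3iptables-ppp_up-SAVE.$PPP_IFACE"

# set variables for handy manipulation
#MY_ISP="217.21.59.0/24"    # set your ISP address range !!
#--------------------------------------------------------------
LOOPBACK_INTERFACE="lo"    # loopback interface (unused below, kept for tuning)
LOOPBACK="127.0.0.0/8"     # loopback addresses
CLASS_A="10.0.0.0/8"       # RFC 1918 private range ("class A")
CLASS_B="172.16.0.0/12"    # RFC 1918 private range ("class B") -- NOT 172.168/12,
                           # which iptables would mask to 172.160/12 and so
                           # block public addresses while letting 172.16/12 through
CLASS_C="192.168.0.0/16"   # RFC 1918 private range ("class C")
CLASS_D="224.0.0.0/4"      # MULTICAST
CLASS_E="240.0.0.0/4"      # RESERVED: 240.0.0.0 - 255.255.255.255 (a /5 stopped at 247)
BROADCAST_SRC="0.0.0.0"         # "this host" source address
BROADCAST_DST="255.255.255.255" # limited-broadcast destination address
PRIVATE_PORTS="0:1023"          # your computer's privileged ports (unused below)
#--------------------------------------------------------------

# save the existing ruleset; ip-down restores it after the PPP interface goes
# down.  umask 077 keeps the snapshot root-readable only.  If it cannot be
# written, still apply the rules below (protection matters more) but warn,
# and leave no half-written file for ip-down to feed to iptables-restore.
umask 077
if ! "$IPTABLES_SAVE" > "$SAVE_FILE"; then
    echo "$0: cannot save ruleset to $SAVE_FILE; ip-down will not be able to restore it" >&2
    rm -f "$SAVE_FILE"
fi

# drop_in MATCH...: DROP inbound packets on the PPP link matching MATCH.
# Rules are INSERTED at the head of INPUT rather than appended: an appended
# rule sits behind any ACCEPT rule already in the chain and is never consulted
# for the spoofed packets it is meant to drop.  All rules are DROPs, so the
# reversed order that repeated --insert produces does not matter.
drop_in() {
    "$IPTABLES" --insert INPUT --in-interface "$PPP_IFACE" "$@" --jump DROP
}

#INPUT RULESET
# block packets with your own source ip-address [nobody else may send as you]
drop_in --source "$PPP_LOCAL"
# block packets with LOOPBACK source address
drop_in --source "$LOOPBACK"
# block RFC 1918 private ranges and class D/E [they cannot come from the Internet]
drop_in --source "$CLASS_A"
drop_in --source "$CLASS_B"
drop_in --source "$CLASS_C"
drop_in --source "$CLASS_D"
drop_in --source "$CLASS_E"
# block "this host" source and limited-broadcast destination packets
drop_in --source "$BROADCAST_SRC"
drop_in --destination "$BROADCAST_DST"
# (169.254.0.0/16 link-local is another range that never arrives from the
#  Internet; add a drop_in line for it if you want it)
#ISP block, WITHOUT Peer IP number [we work through it]
# Because rules are inserted at the head, the DROP must go in FIRST so the
# ACCEPT for the peer ends up above it:
#"$IPTABLES" --insert INPUT --in-interface "$PPP_IFACE" --source "$MY_ISP" --jump DROP
#"$IPTABLES" --insert INPUT --in-interface "$PPP_IFACE" --source "$PPP_REMOTE" --jump ACCEPT

#OUTPUT RULESET
# I can send anything I want, are you ?

#FORWARD RULESET
# block packets sent to you for FORWARDING, do you need it?
# NOTE: this is a global policy, not tied to $PPP_IFACE; the ip-down
# snapshot/restore undoes it together with the rules above.
"$IPTABLES" --policy FORWARD DROP

#
# try '$ ifconfig' to see if your ppp interface is all right
# try '# iptables --list' to see if all rules are right
#!/bin/sh
#
# 3iptables-ppp_up-rules, v 0.2 2003/04/27 17:52:55  (ip-down companion)
# Kiryanov Vasiliy, mailto://root@lycos.ru
#
# this script runs (from /etc/ppp/ip-down.d) when PPP goes down and
# restores the iptables RULES that existed before PPP came up.
# pppd passes ip-down the same PPP_* variables as ip-up, so the snapshot
# file name is rebuilt from $PPP_IFACE exactly as the ip-up script did.
#
# NOTE: iptables-restore replaces the WHOLE ruleset with the snapshot; any
# rule changes made while the link was up are discarded.

# If you find some errors or missing write me: root@lycos.ru

#--------------------------------------------------------------
IPTABLES_RESTORE=/sbin/iptables-restore
STATE_DIR="/var/run"    # must match the ip-up script; a root-only directory,
                        # never /tmp (see the ip-up script for why)
SAVE_FILE="$STATE_DIR/3iptables-ppp_up-SAVE.$PPP_IFACE"

if [ -z "$PPP_IFACE" ]; then
    echo "$0: PPP_IFACE not set, must be run by pppd (ip-down)" >&2
    exit 1
fi

# nothing to restore if ip-up never ran (no iptables support, or the
# snapshot could not be written); exit 0 so run-parts continues.
# A symlink is refused as well: ip-up only ever writes a plain file, so
# anything else means STATE_DIR was tampered with.
if [ -L "$SAVE_FILE" ] || [ ! -f "$SAVE_FILE" ]; then
    echo "$0: no saved ruleset at $SAVE_FILE, leaving iptables untouched" >&2
    exit 0
fi

# restoring iptables RULES
if "$IPTABLES_RESTORE" < "$SAVE_FILE"; then
    # unlink (remove) the snapshot now that it has been applied
    rm -f "$SAVE_FILE"
else
    # keep the snapshot for inspection; the rules added by ip-up stay in place
    echo "$0: iptables-restore failed, snapshot kept at $SAVE_FILE" >&2
    exit 1
fi

#
# try '$ ifconfig' to see if your ppp interface is all right
# try '# iptables --list' to see if all rules are right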
