cortafuegos
Hola:
He utilizado http://www.linux-firewall-tools.com/ para generar un script
para ipchains y tengo alguna duda.
En su desarrollo toca algunos ficheros de /proc/sys/net/ipv4
entre ellos éste, que no existe en mi dist que es la sid:
# Enable TCP SYN Cookie Protection
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
Lo he comentado y estoy obteniendo el error descripto en el atach
"error" por la tty que no sé si tenga que ver con ésto. Incluyo además
el script en cuestión.
Saludos
E.Guerra
#!/bin/sh
# Script generated Sat Apr 7 11:54:17 2001
# ----------------------------------------------------------------------------
# Copyright (C) 1997, 1998, 1999, 2000 Robert L. Ziegler
#
# Permission to use, copy, modify, and distribute this software and its
# documentation for educational, research, private and non-profit purposes,
# without fee, and without a written agreement is hereby granted.
# This software is provided as an example and basis for individual firewall
# development. This software is provided without warranty.
#
# Any material furnished by Robert L. Ziegler is furnished on an
# "as is" basis. He makes no warranties of any kind, either expressed
# or implied as to any matter including, but not limited to, warranty
# of fitness for a particular purpose, exclusivity or results obtained
# from use of the material.
# ----------------------------------------------------------------------------
# /etc/rc.d/rc.firewall
# Invoked from /etc/ppp/ip-up, or
# from /sbin/ifup-local, or
# from /etc/sysconfig/network-scripts/ifup-post.
echo "Starting firewalling... "
# ----------------------------------------------------------------------------
# Some definitions for easy maintenance.
# EDIT THESE TO SUIT YOUR SYSTEM AND ISP.
EXTERNAL_INTERFACE="ppp0" # Internet connected interface
LOOPBACK_INTERFACE="lo" # or your local naming convention
LOCAL_INTERFACE_1="eth0" # internal LAN interface
IPADDR=$(ifconfig | grep P-t-P | cut -c 21-38 | awk '{print $1}' )
LOCALNET_1="192.168.0.0/16" # whatever private range you use
ANYWHERE="any/0" # match any IP address
DHCP_SERVER="any/0"
NAMESERVER_1="192.168.1.251/0" # everyone must have at least one
POP_SERVER="any/0" # Your ISP pop mail server.
LOOPBACK="127.0.0.0/8" # reserved loopback address range
CLASS_A="10.0.0.0/8" # class A private networks
CLASS_B="172.16.0.0/12" # class B private networks
CLASS_C="192.168.0.0/16" # class C private networks
BROADCAST_SRC="0.0.0.0" # broadcast source address
BROADCAST_DEST="255.255.255.255" # broadcast destination address
PRIVPORTS="0:1023" # well known, privileged port range
UNPRIVPORTS="1024:65535" # unprivileged port range
# ----------------------------------------------------------------------------
NFS_PORT="2049" # (TCP/UDP) NFS
SOCKS_PORT="1080" # (TCP) Socks
# X Windows port allocation begins at 6000 and increments to 6063
# for each additional server running.
XWINDOW_PORTS="6000:6063" # (TCP) X windows
# traceroute usually uses -S 32769:65535 -D 33434:33523
TRACEROUTE_SRC_PORTS="32769:65535"
TRACEROUTE_DEST_PORTS="33434:33523"
# ----------------------------------------------------------------------------
# Default policy is DENY
# Explicitly accept desired INCOMING & OUTGOING connections
# Remove all existing rules belonging to this filter
ipchains -F
# Set the default policy of the filter to deny.
ipchains -P input DENY
ipchains -P output REJECT
ipchains -P forward DENY
# set masquerade timeout to 10 hours for tcp connections
ipchains -M -S 36000 0 0
# ----------------------------------------------------------------------------
# Enable IP Forwarding, if it isn't already
echo 1 > /proc/sys/net/ipv4/ip_forward
# Enable TCP SYN Cookie Protection
# echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# Enable always defragging Protection
echo 1 > /proc/sys/net/ipv4/ip_always_defrag
# Enable broadcast echo Protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Enable bad error message Protection
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# Enable IP spoofing protection
# turn on Source Address Verification
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 > $f
done
# Disable ICMP Redirect Acceptance
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
echo 0 > $f
done
for f in /proc/sys/net/ipv4/conf/*/send_redirects; do
echo 0 > $f
done
# Disable Source Routed Packets
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
echo 0 > $f
done
# Log Spoofed Packets, Source Routed Packets, Redirect Packets
for f in /proc/sys/net/ipv4/conf/*/log_martians; do
echo 1 > $f
done
# These modules are necessary to masquerade their respective services.
# /sbin/modprobe ip_masq_ftp
# /sbin/modprobe ip_masq_raudio ports=554,7070,7071,6970,6971
# /sbin/modprobe ip_masq_irc
# ----------------------------------------------------------------------------
# LOOPBACK
# Unlimited traffic on the loopback interface.
ipchains -A input -i $LOOPBACK_INTERFACE -j ACCEPT
ipchains -A output -i $LOOPBACK_INTERFACE -j ACCEPT
# ----------------------------------------------------------------------------
# Unlimited traffic within the local network.
# All internal machines have access to the fireall machine.
ipchains -A input -i $LOCAL_INTERFACE_1 -s $LOCALNET_1 -j ACCEPT
ipchains -A output -i $LOCAL_INTERFACE_1 -d $LOCALNET_1 -j ACCEPT
# ----------------------------------------------------------------------------
# Masquerade internal traffic.
# All internal traffic is masqueraded externally.
ipchains -A forward -i $EXTERNAL_INTERFACE -s $LOCALNET_1 -j MASQ
# ----------------------------------------------------------------------------
# SPOOFING & BAD ADDRESSES
# Refuse spoofed packets.
# Ignore blatantly illegal source addresses.
# Protect yourself from sending to bad addresses.
# Refuse incoming packets pretending to be from the external address.
ipchains -A input -s $IPADDR -j DENY -l
# ----------------------------------------------------------------------------
# NOTE:
# The symbolic names used in /etc/services for the port numbers vary by
# supplier. Using them is less error prone and more meaningful, though.
# ----------------------------------------------------------------------------
# TCP UNPRIVILEGED PORTS
# Avoid ports subject to protocol & system administration problems.
# NFS: establishing a TCP connection
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -y \
--destination-port $NFS_PORT -j DENY -l
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp -y \
--destination-port $NFS_PORT -j REJECT
# Xwindows: establishing a connection
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -y \
--destination-port $XWINDOW_PORTS -j DENY -l
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp -y \
--destination-port $XWINDOW_PORTS -j REJECT
# SOCKS: establishing a connection
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -y \
--destination-port $SOCKS_PORT -j DENY -l
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp -y \
--destination-port $SOCKS_PORT -j REJECT
# ----------------------------------------------------------------------------
# UDP UNPRIVILEGED PORTS
# Avoid ports subject to protocol & system administration problems.
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
--destination-port $NFS_PORT -j DENY -l
# ----------------------------------------------------------------------------
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
-d $IPADDR -j ACCEPT
# ------------------------------------------------------------------
# DNS server (53)
# ---------------
# DNS: full server
# ----------------
# server/client to server query or response
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
--source-port $UNPRIVPORTS \
-d $IPADDR 53 -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
-s $IPADDR 53 \
--destination-port $UNPRIVPORTS -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
-s $IPADDR 53 \
--destination-port 53 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
--source-port 53 \
-d $IPADDR 53 -j ACCEPT
# DNS client (53)
# ---------------
ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
-s $IPADDR $UNPRIVPORTS \
-d $NAMESERVER_1 53 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
-s $NAMESERVER_1 53 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
-d $NAMESERVER_1 53 -j ACCEPT
# ------------------------------------------------------------------
# HTTP server (80)
# ----------------
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
--source-port $UNPRIVPORTS \
-d $IPADDR 80 -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $IPADDR 80 \
--destination-port $UNPRIVPORTS -j ACCEPT
# HTTP client (80)
# ----------------
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
--destination-port 80 -j ACCEPT
# ------------------------------------------------------------------
# HTTPS client (443)
# ------------------
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
--destination-port 443 -j ACCEPT
# ------------------------------------------------------------------
# POP server (110)
# ----------------
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
--source-port $UNPRIVPORTS \
-d $IPADDR 110 -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $IPADDR 110 \
--destination-port $UNPRIVPORTS -j ACCEPT
# POP client (110)
# ----------------
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
--destination-port 110 -j ACCEPT
# ------------------------------------------------------------------
# AUTH server (113)
# -----------------
# Reject, rather than deny, the incoming auth port. (NET-3-HOWTO)
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
--source-port $UNPRIVPORTS \
-d $IPADDR 113 -j REJECT
# AUTH client (113)
# -----------------
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
--destination-port 113 -j ACCEPT
# ------------------------------------------------------------------
# WHOIS client (43)
# -----------------
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
--destination-port 43 -j ACCEPT
# ------------------------------------------------------------------
# FTP client (21)
# ---------------
# outgoing request
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
--destination-port 21 -j ACCEPT
# PORT mode data channel
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
--source-port 20 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $IPADDR $UNPRIVPORTS \
--destination-port 20 -j ACCEPT
# ------------------------------------------------------------------
# IRC client (6667)
# -----------------
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
--destination-port 6667 -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
--destination-port $UNPRIVPORTS -j ACCEPT
# ------------------------------------------------------------------
# RealAudio / QuickTime client
# ----------------------------
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
--destination-port 554 -j ACCEPT
# TCP is a more secure method: 7070:7071
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
--destination-port 7070:7071 -j ACCEPT
# UDP is the preferred method: 6970:6999
# For LAN machines, UDP requires the RealAudio masquerading module and
# the ipmasqadm third-party software.
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
--source-port $UNPRIVPORTS \
-d $IPADDR 6970:6999 -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
-s $IPADDR 6970:6999 \
--destination-port $UNPRIVPORTS -j ACCEPT
# ----------------------------------------------------------------------------
# UDP accept only on selected ports
# ---------------------------------
# DHCP client (67, 68)
# --------------------
# allow dhcp server (67) to connect to dhcp client (68)
# Note: the DHCP server is the only externel source of broadcast
# messages we should see, ever.
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
-s $DHCP_SERVER 67 \
-d $IPADDR 68 -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
-s $IPADDR 68 \
-d $DHCP_SERVER 67 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
-s $DHCP_SERVER 67 \
-d $BROADCAST_DEST 68 -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
-s $BROADCAST_SRC 68 \
-d $DHCP_SERVER 67 -j ACCEPT
# Getting renumbered
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
-s $BROADCAST_SRC 67 \
-d $BROADCAST_DEST 68 -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
-s $BROADCAST_SRC 68 \
-d $BROADCAST_DEST 67 -j ACCEPT
# As a result of the above, we're supposed to change our IP address with
# this message, which is addressed to our new address before the dhcp
# client has received the update.
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
-s $DHCP_SERVER 67 \
--destination-port 68 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
--source-port 67 \
-d $IPADDR 68 -j DENY -l
# ------------------------------------------------------------------
# OUTGOING TRACEROUTE
# -------------------
ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
-s $IPADDR $TRACEROUTE_SRC_PORTS \
--destination-port $TRACEROUTE_DEST_PORTS -j ACCEPT -l
# ----------------------------------------------------------------------------
# ICMP
# To prevent denial of service attacks based on ICMP bombs, filter
# incoming Redirect (5) and outgoing Destination Unreachable (3).
# Note, however, disabling Destination Unreachable (3) is not
# advisable, as it is used to negotiate packet fragment size.
# For bi-directional ping.
# Message Types: Echo_Reply (0), Echo_Request (8)
# To prevent attacks, limit the src addresses to your ISP range.
#
# For outgoing traceroute.
# Message Types: INCOMING Dest_Unreachable (3), Time_Exceeded (11)
# default UDP base: 33434 to base+nhops-1
#
# For incoming traceroute.
# Message Types: OUTGOING Dest_Unreachable (3), Time_Exceeded (11)
# To block this, deny OUTGOING 3 and 11
# 0: echo-reply (pong)
# 3: destination-unreachable, port-unreachable, fragmentation-needed, etc.
# 4: source-quench
# 5: redirect
# 8: echo-request (ping)
# 11: time-exceeded
# 12: parameter-problem
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
--icmp-type echo-reply \
-d $IPADDR -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
--icmp-type destination-unreachable \
-d $IPADDR -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
--icmp-type source-quench \
-d $IPADDR -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
--icmp-type echo-request \
-d $IPADDR -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
--icmp-type time-exceeded \
-d $IPADDR -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
--icmp-type parameter-problem \
-d $IPADDR -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
-s $IPADDR echo-reply -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
-s $IPADDR fragmentation-needed -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
-s $IPADDR source-quench -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
-s $IPADDR echo-request -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
-s $IPADDR time-exceeded -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
-s $IPADDR parameter-problem -j ACCEPT
# ----------------------------------------------------------------------------
# Enable logging for selected denied packets
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
--destination-port $PRIVPORTS -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
--destination-port $UNPRIVPORTS -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
--icmp-type 5 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
--icmp-type 13:255 -j DENY -l
ipchains -A output -i $EXTERNAL_INTERFACE -j REJECT -l
# ----------------------------------------------------------------------------
echo "done"
exit 0
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
LANGUAGE = (unset),
LC_ALL = "es_ES",
LANG = "spanish"
are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").
Reply to: