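#!/bin/sh
#
# /etc/rc.d/rc.firewall: An example of a Stronger IPCHAINS firewall
# ruleset for 2.2 kernels
#
# Loads a three-chain (input / output / forward) IPCHAINS ruleset for a
# masquerading gateway with one internal interface (INTIF) and one external
# interface (EXTIF).  Anything not explicitly accepted is logged and rejected.
#
# Usage:    run as root at boot, and again every time EXTIF gets a new
#           address (from /etc/ppp/ip-up or the DHCP client's renew hook).
# Requires: the IPCHAINS, IFCONFIG, AWK and module tools listed below.
#
FWVER=0.71s
#
# Log:
# 0.71s - ruleset now uses modprobe instead of insmod
# 0.70s - Added missing execution variables
#       - fixed a missing -p tcp for the commented HTTPd section
# 0.65s - Added comments HTTPd rules to the INPUT and OUTPUT section
#       - Added a comment where to insert IPPORTFW commands
# 0.60s - Changed the EXTIP command to work on NON-English distros
#       - Updated the CASE of some of the script variables
#

# printf instead of "echo -e": this script runs under /bin/sh, where "echo -e"
# is not portable (some shells print the "-e" literally).
printf '\nLoading rc.firewall-2.2-stronger : version %s..\n\n' "$FWVER"

# The location of various ipchains and other shell programs
#
# If your Linux distribution came with a copy of ipchains, most
# likely it is located in /sbin.  If you manually compiled
# ipchains, the default location is in /usr/local/sbin
#
# ** Please use the "whereis ipchains" command to figure out
# ** where your copy is and change the path below to reflect
# ** your setup
#
IPCHAINS=/sbin/ipchains
LSMOD=/sbin/lsmod
DEPMOD=/sbin/depmod
MODPROBE=/sbin/modprobe
GREP=/bin/grep
AWK=/bin/awk
SED=/bin/sed
IFCONFIG=/sbin/ifconfig

# Fixed, trusted search path so that nothing inherited from the caller's
# environment can substitute one of the tools above.
PATH=/sbin:/bin:/usr/sbin:/usr/bin

# Global variables
# ----------------
# ALL PPP and DHCP users must set this for the correct EXTERNAL and
# INTERNAL interfaces names.  Examples: eth0, ppp0, ippp0, etc.
#
EXTIF="ppp0"
INTIF="eth0"

# The INTERNAL IP address
#
INTNET="192.168.0.0/24"

# Load all required IP MASQ modules
#
# NOTE: Only load the IP MASQ modules you need.  All current IP MASQ modules
#       are shown below but are commented from loading.

# Needed to initially load modules
#
"$DEPMOD" -a

# Supports the proper masquerading of FTP file transfers using the PORT method
#
"$MODPROBE" ip_masq_ftp

# Supports the masquerading of RealAudio over UDP.  Without this module,
# RealAudio WILL function but in TCP mode.  This can cause a reduction
# in sound quality
#
"$MODPROBE" ip_masq_raudio

# Supports the masquerading of IRC DCC file transfers
#
#"$MODPROBE" ip_masq_irc

# Supports the masquerading of Quake and QuakeWorld by default.  These modules
# are for multiple users behind the Linux MASQ server.  If you are going to
# play Quake I, II, and III, use the second example.
#
# NOTE: If you get ERRORs loading the QUAKE module, you are running an old
# ----- kernel that has bugs in it.  Please upgrade to the newest kernel.
#
#Quake I / QuakeWorld (ports 26000 and 27000)
#"$MODPROBE" ip_masq_quake
#
#Quake I/II/III / QuakeWorld (ports 26000, 27000, 27910, 27960)
#"$MODPROBE" ip_masq_quake 26000,27000,27910,27960

# Supports the masquerading of the CuSeeme video conferencing software
#
#"$MODPROBE" ip_masq_cuseeme

#Supports the masquerading of the VDO-live video conferencing software
#
#"$MODPROBE" ip_masq_vdolive

#CRITICAL: Enable IP forwarding since it is disabled by default
#
# Redhat Users: you may try changing the options in
#               /etc/sysconfig/network from:
#
#                       FORWARD_IPV4=false
#                             to
#                       FORWARD_IPV4=true
#
# Without forwarding the MASQ rule below does nothing, so a failure here is
# reported on stderr rather than silently ignored.
if ! echo "1" > /proc/sys/net/ipv4/ip_forward; then
  printf 'rc.firewall: WARNING: could not enable IP forwarding\n' >&2
fi

#CRITICAL: Enable automatic IP defragmentation since it is disabled by default
#          in 2.2.x kernels
#
#          This used as a compile-time option but the behavior was changed
#          in 2.2.12.  It should also be noted that some distributions have
#          removed this option from the /proc table.  If this entry isn't
#          present in your /proc, don't worry about it.
#
# The existence test keeps the script quiet on kernels without this entry.
if [ -e /proc/sys/net/ipv4/ip_always_defrag ]; then
  echo "1" > /proc/sys/net/ipv4/ip_always_defrag
fi

# Dynamic IP users:
#
# If you get your IP address dynamically from SLIP, PPP, or DHCP, enable this
# following option.  This enables dynamic-ip address hacking in IP MASQ,
# making life with Diald and similar programs much easier.
#
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr

# Enable the LooseUDP patch which some Internet-based games require
#
# If you are trying to get an Internet game to work through your IP MASQ box,
# and you configured it to the best of your ability without it working, try
# enabling this option (delete the "#" character).  This option is disabled
# by default due to possible internal machine UDP port scanning
# vulnerabilities.
#
#echo "1" > /proc/sys/net/ipv4/ip_masq_udp_dloose

# Specify your Static IP address here.
#
# If you have a DYNAMIC IP address, you need to make this ruleset recognize
# your IP address everytime you get a new IP.  To do this, enable the
# following one-line script.  (Please note that the different single and
# double quote characters MATTER).
#
#
# DHCP users:
# -----------
# If you get your TCP/IP address via DHCP, **you will need ** to enable the
# #ed out command below underneath the PPP section AND replace the word
# "ppp0" with the name of your EXTERNAL Internet connection (eth0, eth1, etc)
# on the lines for "ppp-ip" and "EXTIP".  You should note that the
# DHCP server can change IP addresses on you.  To fix this, users should
# configure their DHCP client to re-run the firewall ruleset everytime the
# DHCP lease is renewed.
#
# NOTE #1:  Some DHCP clients like the original "pump" (the newer
#           versions have been fixed) did NOT have the ability to run
#           scripts after a lease-renew.  Because of this, you need to
#           replace it with something like "dhcpcd" or "dhclient".
#
# NOTE #2:  The syntax for "dhcpcd" has changed in recent versions.
#
#           Older versions used syntax like:
#               dhcpcd -c /etc/rc.d/rc.firewall eth0
#
#           Newer versions use syntax like:
#               dhcpcd eth0 /etc/rc.d/rc.firewall
#
# NOTE #3:  For Pump users, put the following line in /etc/pump.conf:
#
#               script /etc/rc.d/rc.firewall
#
# PPP users:
# ----------
# If you aren't already aware, the /etc/ppp/ip-up script is always run when
# a PPP connection comes up.  Because of this, we can make the ruleset go and
# get the new PPP IP address and update the strong firewall ruleset.
#
# If the /etc/ppp/ip-up file already exists, you should edit it and add a line
# containing "/etc/rc.d/rc.firewall" near the end of the file.
#
# If you don't already have a /etc/ppp/ip-up script, you need to create the
# following link to run the /etc/rc.d/rc.firewall script.
#
#       ln -s /etc/rc.d/rc.firewall /etc/ppp/ip-up
#
# * You then want to enable the #ed out shell command below *
#
#
# Determine the external IP automatically:
# ----------------------------------------
#
# The following lines determine your external IP address.  The awk program
# skips the first ifconfig line (the one naming the interface) and then takes
# the text between the first ":" and the following blank on the next line,
# which is the address regardless of the distribution's language.
#
# Make sure the EXTIF variable above is set to reflect the name
# of your Internet connection
#
EXTIP=$("$IFCONFIG" "$EXTIF" | "$AWK" -v ifname="$EXTIF" \
  '$0 ~ ifname {next} {split($0,a,":"); split(a[2],a," "); print a[1]; exit}')

# If the address could not be read (interface down, wrong EXTIF), every rule
# that mentions $EXTIP below would be malformed.  Rather than load a partial
# ruleset, close all three chains and stop, so the box never ends up with a
# permissive or half-built firewall.
if [ -z "$EXTIP" ]; then
  printf 'rc.firewall: cannot determine the IP address of %s; closing all chains\n' \
    "$EXTIF" >&2
  for chain in input output forward; do
    "$IPCHAINS" -F "$chain"
  done
  "$IPCHAINS" -P input REJECT
  "$IPCHAINS" -P output REJECT
  "$IPCHAINS" -P forward DENY
  exit 1
fi

# MASQ timeouts
#
#   2 hrs timeout for TCP session timeouts
#  10 sec timeout for traffic after the TCP/IP "FIN" packet is received
#  60 sec timeout for UDP traffic (MASQ'ed ICQ users must enable a 30sec
#  firewall timeout in ICQ itself)
#
"$IPCHAINS" -M -S 7200 10 60

#############################################################################
# Incoming, flush and set default policy of reject.  Actually the default
# policy is irrelevant because there is a catch all rule with deny and log.
#
"$IPCHAINS" -F input
"$IPCHAINS" -P input REJECT

# local interface, local machines, going anywhere is valid
#
"$IPCHAINS" -A input -i "$INTIF" -s "$INTNET" -d 0.0.0.0/0 -j ACCEPT

# remote interface, claiming to be local machines, IP spoofing, get lost
#
"$IPCHAINS" -A input -i "$EXTIF" -s "$INTNET" -d 0.0.0.0/0 -l -j REJECT

# remote interface, any source, going to permanent PPP address is valid
#
# NOTE: this accepts every protocol and port addressed to $EXTIP, so any
# service listening on the gateway itself is reachable from the outside
# unless it is restricted here.  The OPTIONAL section below only matters
# for what this rule does not already admit.
#
"$IPCHAINS" -A input -i "$EXTIF" -s 0.0.0.0/0 -d "$EXTIP"/32 -j ACCEPT

# loopback interface is valid.
#
"$IPCHAINS" -A input -i lo -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT

# ----- Begin OPTIONAL INPUT Section -----
#
# HTTPd - Enable the following lines if you either run a WWW server on
#         the IPMASQ server -OR- plan on PORTFW'ing HTTP traffic to
#         an internal WWW server
#
#"$IPCHAINS" -A input -i "$EXTIF" -p tcp -s 0.0.0.0/0 -d "$EXTIP" 80 -j ACCEPT
#
# ----- End OPTIONAL INPUT Section -----

# catch all rule, all other incoming is denied and logged.  pity there is no
# log option on the policy but this does the job instead.
#
"$IPCHAINS" -A input -s 0.0.0.0/0 -d 0.0.0.0/0 -l -j REJECT

#############################################################################
# Outgoing, flush and set default policy of reject.  Actually the default
# policy is irrelevant because there is a catch all rule with deny and log.
#
"$IPCHAINS" -F output
"$IPCHAINS" -P output REJECT

# local interface, any source going to local net is valid
#
"$IPCHAINS" -A output -i "$INTIF" -s 0.0.0.0/0 -d "$INTNET" -j ACCEPT

# outgoing to local net on remote interface, stuffed routing, deny
#
"$IPCHAINS" -A output -i "$EXTIF" -s 0.0.0.0/0 -d "$INTNET" -l -j REJECT

# outgoing from local net on remote interface, stuffed masquerading, deny
#
"$IPCHAINS" -A output -i "$EXTIF" -s "$INTNET" -d 0.0.0.0/0 -l -j REJECT

# anything else outgoing on remote interface is valid
#
"$IPCHAINS" -A output -i "$EXTIF" -s "$EXTIP"/32 -d 0.0.0.0/0 -j ACCEPT

# loopback interface is valid.
#
"$IPCHAINS" -A output -i lo -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT

# ----- Begin OPTIONAL OUTPUT Section -----
#
# HTTPd - Enable the following lines if you either run a WWW server on
#         the IPMASQ server -OR- plan on PORTFW'ing HTTP traffic to
#         an internal WWW server
#
#"$IPCHAINS" -A output -i "$EXTIF" -p tcp -s "$EXTIP" 80 -d 0.0.0.0/0 -j ACCEPT
#
# ----- End OPTIONAL OUTPUT Section -----

# catch all rule, all other outgoing is denied and logged.  pity there is no
# log option on the policy but this does the job instead.
#
"$IPCHAINS" -A output -s 0.0.0.0/0 -d 0.0.0.0/0 -l -j REJECT

#############################################################################
# Forwarding, flush and set default policy of deny.  Actually the default
# policy is irrelevant because there is a catch all rule with deny and log.
#
"$IPCHAINS" -F forward
"$IPCHAINS" -P forward DENY

# ----- Begin OPTIONAL FORWARD Section -----
#
# (IPPORTFW commands for port-forwarded services go here.)
#
# ----- End OPTIONAL FORWARD Section -----

# Masquerade from local net on local interface to anywhere.
#
"$IPCHAINS" -A forward -i "$EXTIF" -s "$INTNET" -d 0.0.0.0/0 -j MASQ
#
# catch all rule, all other forwarding is denied and logged.  pity there is no
# log option on the policy but this does the job instead.
#
"$IPCHAINS" -A forward -s 0.0.0.0/0 -d 0.0.0.0/0 -l -j REJECT

printf '\nDone.\n\n'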