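#! /bin/sh
#
# Minimal ipchains startup rules for a Linux 2.2.x based firewall.
# (c)2000 Manfred Bartz
# This file is subject to the GPL
#
# Use numeric IP addresses here. Most systems cannot do DNS lookups
# at the time the firewall is initialised.
#
# Absolutely no responsibility for *anything* accepted,
# use at your own risk.
# Nonetheless, these rules provide a starting point and should allow
# basic internet access for all systems on your LAN while also
# providing basic security.
# For single PCs (no LAN) leave out the ``forward'' stuff.
#
# Assumptions:
#   Local network is 192.168.1.0/24
#   Local interface is eth0
#   Internet interface is eth1 (yours may be ppp0, etc...)
#
# Note: ipchains has no connection tracking. Every rule below matches a
# single packet on its own; "! --syn" and source-port matches are the
# only hints about direction a rule can use.
#
# Read your logs if something doesn't work ;)

#= startup ========================================

# Set the PATH so all commands in this script can be found.
export PATH=/bin:/sbin

# Setting a policy of DENY before flushing the chains should make the
# firewall fail in a safe way if something goes wrong further down in
# this script: an aborted run leaves everything denied, not open.
ipchains -P input DENY
ipchains -F input
ipchains -P forward DENY
ipchains -F forward

# this assumes we trust internal users:
ipchains -P output ACCEPT
ipchains -F output

#= input ==========================================

# Turn on Source Address Verification so our network cannot be
# used for IP address spoofing.
# The path is quoted and tested so an unmatched glob (e.g. a kernel
# without rp_filter) is skipped instead of producing a shell error.
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
  [ -w "$f" ] && echo 1 > "$f"
done

#- local ------------------------------------------

# Private LAN is trusted (is this acceptable for your site?)
ipchains -A input -i eth0 -j ACCEPT

# loopback: all packets with src and dst matching appear here,
# not just the ones addressed to 127.0.0.1.
ipchains -A input -i lo -j ACCEPT

#- Internet ---------------------------------------

# accept DHCP (replies from a server on port 67 to our client on port 68)
ipchains -A input -i eth1 -p udp -s 0/0 67 -d 0/0 68 -j ACCEPT

# Anti-spoofing: nothing arriving on the Internet interface may claim
# a source address belonging to our LAN or to loopback. rp_filter
# (above) catches most of this, but an explicit rule also logs it.
ipchains -A input -i eth1 -s 192.168.1.0/24 -j DENY --log
ipchains -A input -i eth1 -s 127.0.0.0/8 -j DENY --log

# The order in which rules are added to a chain is very important!
# The most specific rules come first, the most general rule (catchall)
# goes last. Incorrect order can lead to disaster!

## Here you can add rules to allow specific IP addresses or subnets to
## connect to your gateway. E.g. I run sshd on my home PC and want to
## be able to log in from my office at work:
##
## Allow mywork.com (123.123.123.123) into sshd
## log initial connect:
#ipchains -A input -i eth1 -p tcp -s 123.123.123.123 -d 0/0 22 --syn -j ACCEPT --log
## don't log remaining traffic for that connection
#ipchains -A input -i eth1 -p tcp -s 123.123.123.123 -d 0/0 22 ! --syn -j ACCEPT

# block access to NFS specifically (if you have it), do the same
# with any other services using ports above 1023 (e.g. X11).
# These need their own rules because the privileged-port block
# below only covers ports 0:1023.
# Check with: netstat -tupan
ipchains -A input -i eth1 -p udp -d 0/0 2049 -j DENY --log
ipchains -A input -i eth1 -p tcp -d 0/0 2049 -j DENY --log

# block access to X11 specifically (if you have it). See above.
ipchains -A input -i eth1 -p udp -d 0/0 6000:6063 -j DENY --log
ipchains -A input -i eth1 -p tcp -d 0/0 6000:6063 -j DENY --log

# block ALL access to privileged ports (below 1024)
ipchains -A input -i eth1 -p tcp -d 0/0 0:1023 -j DENY --log
ipchains -A input -i eth1 -p udp -d 0/0 0:1023 -j DENY --log

# The privileged ports (<1024) are now blocked

# Allow all TCP except incoming connections (no packets w SYN=1,ACK=0).
# Blocking incoming connections causes problems only with ftp in active
# mode, so use it in passive mode, that is much safer.
# Note: any non-SYN packet to a high port is accepted by this rule,
# whether or not it belongs to a connection we started.
ipchains -A input -i eth1 -p tcp -d 0/0 1024:65535 ! --syn -j ACCEPT

# Accept DNS. This rule is redundant while the "all UDP above 1023"
# rule below is active. Also, filtering on a remote port is next to
# useless because you don't control it. If you know your ISP's
# nameserver address, put that after the ``-s'' instead of the ``0/0''.
# If you have multiple nameservers have a rule for each one.
ipchains -A input -i eth1 -p udp -s 0/0 53 -d 0/0 1024:65535 -j ACCEPT

# Allow all UDP above 1023 but make doubly sure that you don't have
# unprotected UDP servers in this port range.
# This rule is active, so the DNS rule above is not needed; if you
# comment this rule out, keep the DNS rule.
ipchains -A input -i eth1 -p udp --dport 1024:65535 -j ACCEPT

# ICMP, Internet interface only:
# This is needed for error conditions and Path-MTU discovery:
for t in echo-reply \
         destination-unreachable \
         time-exceeded \
         parameter-problem
do
  ipchains -A input -i eth1 -p icmp --icmp-type "$t" -j ACCEPT
done

# ICMP, all other interfaces:
ipchains -A input -i ! eth1 -p icmp -j ACCEPT

# The input default policy blocks everything that doesn't match any
# rule, but it doesn't give us log messages. That is why we use a
# catch-all so we can see what is going on:
ipchains -A input -j DENY --log

#= output =========================================

#- Internet ---------------------------------------

# Our private network addresses should never appear on the Internet.
# (Add 10.0.0.0/8 and 172.16.0.0/12 here too if nothing upstream of
# eth1 legitimately uses them.)
ipchains -A output -i eth1 -d 192.168.0.0/16 -j REJECT

#= forward ========================================

# you can load kernel modules for masquerading here if necessary,
# for example:
#modprobe ip_masq_irc

# turn on forwarding (better to use sysctl, refer to man sysctl)
echo 1 > /proc/sys/net/ipv4/ip_forward

# only masquerade if it's from us and goes out to the Internet
# (on the forward chain ``-i'' names the outgoing interface)
ipchains -A forward -i eth1 -s 192.168.1.0/24 -j MASQ

# The forward default policy blocks everything that doesn't match any
# rule, but it doesn't give us log messages. That is why we use a
# catch-all rule so we can see what is going on:
ipchains -A forward -j REJECT --log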