| commit | author | age | ||
| 7c99ef | 1 | #!/bin/sh |
| T | 2 | # |
| 3 | # /sbin/bastille-ipchains Load/unload ipchains rulesets | |
| 4 | # | |
| 5 | # $Source: /cvsroot/bastille-linux/dev/working_tree/Bastille/bastille-ipchains,v $ | |
| 6 | # Modified by: $Author: peterw $ | |
| 7 | # $Date: 2001/08/18 15:38:31 $ | |
| 8 | # $Revision: 1.18 $ | |
| 9 | # | |
| 10 | # Copyright (C) 1999-2001 Peter Watkins | |
| 11 | # | |
| 12 | # This program is distributed in the hope that it will be useful, | |
| 13 | # but WITHOUT ANY WARRANTY; without even the implied warranty of | |
| 14 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
| 15 | # GNU General Public License for more details. | |
| 16 | # | |
| 17 | # You should have received a copy of the GNU General Public License | |
| 18 | # along with this program; if not, write to the Free Software | |
| 19 | # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA | |
| 20 | # | |
| 21 | # Thanks to David Ranch, Brad A, Don G, and others for their suggestions | |
| 22 | # | |
| 23 | # This script is designed to be called BY a SysV-style init script. | |
| 24 | # | |
| 25 | # It should be run with a "start" argument | |
| 26 | # 1) BY an rc?.d "S" script, _before_ the "network" script | |
| 27 | # (normally via the "bastille-firewall" init script; | |
| 28 | # as of 2001/02/14, the only purpose of bastille-firewall | |
| 29 | # is to start this script) | |
| 30 | # 2) any time an interface is brought up or changed, e.g. | |
| 31 | # establishing a PPP conection or renewing a DHCP lease | |
| 32 | # [also copy 'bastille-firewall-reset', 'bastille-firewall-schedule' and | |
| 33 | # 'ifup-local' to /sbin/ (in addition to the bastille-firewall init script] | |
| 34 | # | |
| 35 | # Normally you Do Not _Ever_ Want to run this with a "stop" argument! | |
| 36 | # | |
| 37 | # Note that running this with "stop" will disable the firewall and open | |
| 38 | # your system to all network traffic; if you make changes to these rules, | |
| 39 | # apply them by running the script again with a "start" argument. | |
| 40 | ||
| 41 | PATH=/bin:/sbin:/usr/bin:/usr/sbin | |
| 42 | IPCHAINS=/sbin/ipchains | |
| 43 | CONFIG=/etc/Bastille/bastille-firewall.cfg | |
| 44 | ||
| 45 | if [ ! -f ${CONFIG} ]; then | |
| 46 | echo "ERROR: unable to read configuration file \"${CONFIG}\"" | |
| 47 | exit 1 | |
| 48 | fi | |
| 49 | ||
| 50 | # source the configuration file, which will set environment variables | |
| 51 | . ${CONFIG} | |
| 52 | ||
| 53 | if [ -z "${TRUSTED_IFACES}" ]; then | |
| 54 | echo "ERROR: no trusted interfaces specified! Exiting!" | |
| 55 | exit 1 | |
| 56 | fi | |
| 57 | ||
| 58 | # | |
| 59 | # Computed values | |
| 60 | # | |
| 61 | # These things should be queried/computed at run time | |
| 62 | # | |
| 63 | # LOCAL_ADDRESSES | |
| 64 | # | |
| 65 | # LOCAL_ADDRESSES lists all IP addresses for this server | |
| 66 | # (for the INTERNAL_SERVICES rules); if you have virtual | |
| 67 | # network devices, you may want to hand-code this, e.g. | |
| 68 | # LOCAL_ADDRESSES="127.0.0.0/8" | |
| 69 | # | |
| 70 | # The following makes a list of all current IP addresses | |
| 71 | LOCAL_ADDRESSES=`ifconfig | grep "inet addr" | awk '{print $2}' | awk -F: '{print $2"/32"}' | sed s:127\.0\.0\.1/32:127.0.0.1/8: ` | |
| 72 | # | |
| 73 | # | |
| 74 | # INTERNAL_NETWORKS | |
| 75 | # | |
| 76 | # INTERNAL_NETWORKS lists the masked networks for the INT_INTERFACES | |
| 77 | # e.g. INTERNAL_NETWORKS="10.0.0.0/255.0.0.0" | |
| 78 | # The following makes a list of all current internal IP addresses _with netmasks_ | |
| 79 | for i in ${INTERNAL_IFACES} ; do | |
| 80 | INTERNAL_NETWORKS="${INTERNAL_NETWORKS} `ifconfig ${i} 2>/dev/null| grep "inet addr" | awk '{print $2":"$4}' | awk -F: '{print $2"/"$4}' | sed 's:127\.0\.0\.1/$:127.0.0.1/8:'`" | |
| 81 | done | |
| 82 | # | |
| 83 | # | |
| 84 | # DNS_SERVERS | |
| 85 | # | |
| 86 | # Derive this from /etc/resolv.conf if it's not set already | |
| 87 | # Note we only take the first three as most systems' resolvers | |
| 88 | # can only use three nameservers; see MAXNS in resolv.h for details | |
| 89 | MAXNS=3 | |
| 90 | if [ -z "${DNS_SERVERS}" ]; then | |
| 91 | DNS_SERVERS=`grep nameserver /etc/resolv.conf | awk -F\# '{print $1}' | grep '^nameserver' | awk '{print $2"/32"}' | head -${MAXNS}` | |
| 92 | fi | |
| 93 | # | |
| 94 | # | |
| 95 | # LOG_FLAG | |
| 96 | # | |
| 97 | # Flag to add to ${REJECT_METHOD} rules to force logging | |
| 98 | if [ "${LOG_FAILURES}" = "Y" ]; then | |
| 99 | LOG_FLAG="-l" | |
| 100 | else | |
| 101 | LOG_FLAG="" | |
| 102 | fi | |
| 103 | # | |
| 104 | # | |
| 105 | # CALLED_METHOD | |
| 106 | # | |
| 107 | # Variable to hold $1, for use in functions (which have their own $1 vars) | |
| 108 | CALLED_METHOD="$1" | |
| 109 | # | |
| 110 | # | |
| 111 | # REJECT_METHOD | |
| 112 | # Convert netfilter/DROP to ipchains/DENY | |
| 113 | if [ "${REJECT_METHOD}" = "DROP" ]; then | |
| 114 | REJECT_METHOD="DENY" | |
| 115 | fi | |
| 116 | # | |
| 117 | # | |
| 118 | # NTP_SERVERS | |
| 119 | # | |
| 120 | # Do hostname lookups for any names in NTP_SERVERS | |
| 121 | # | |
| 122 | ntp_server_addrs="" | |
| 123 | for n in ${NTP_SERVERS}; do | |
| 124 | ip=`echo ${n} | egrep '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'` | |
| 125 | if [ -n "${ip}" ]; then | |
| 126 | # looks like an IP address, use it as-is | |
| 127 | ntp_server_addrs="${ntp_server_addrs} ${ip}" | |
| 128 | else | |
| 129 | # use 'host' t resolve address | |
| 130 | ip=`host ${n} 2>/dev/null| awk '/ has address / { print $4 }' | head -1` | |
| 131 | ntp_server_addrs="${ntp_server_addrs} ${ip}" | |
| 132 | fi | |
| 133 | done | |
| 134 | ||
| 135 | ||
| 136 | # | |
| 137 | # Shell functions | |
| 138 | # | |
| 139 | # include_supplemental | |
| 140 | # source supplemental (plug-in) firewall scripts | |
| 141 | include_supplemental() | |
| 142 | { | |
| 143 | # args: $1 = nickname for the supplemental phase | |
| 144 | nickname="$1" | |
| 145 | if [ -e /etc/Bastille/firewall.d/${nickname}.sh ]; then | |
| 146 | cd /etc/Bastille/firewall.d && . ./${nickname}.sh | |
| 147 | fi | |
| 148 | if [ -d /etc/Bastille/firewall.d/${nickname}.d ]; then | |
| 149 | for s in `ls /etc/Bastille/firewall.d/${nickname}.d/*.sh`; do | |
| 150 | cd /etc/Bastille/firewall.d/${nickname}.d && \ | |
| 151 | . ${s} | |
| 152 | done | |
| 153 | fi | |
| 154 | } | |
| 155 | # | |
| 156 | # do_masq_mods | |
| 157 | # Function to load/unload "ip_masq_*" kernel modules | |
| 158 | do_masq_mods() | |
| 159 | { | |
| 160 | # args: $1 = "load" or "unload" | |
| 161 | # | |
| 162 | # find the currently loaded modules | |
| 163 | masq_mods=`lsmod | awk '{print $1}' | grep '^ip_masq_'` | |
| 164 | # | |
| 165 | # Step 1: unload unwanted modules | |
| 166 | for m in ${masq_mods} ; do | |
| 167 | UNLOAD_THIS_MOD=Y | |
| 168 | for normal_mod in ${IP_MASQ_MODULES} ; do | |
| 169 | if [ "ip_masq_${normal_mod}" = $m ]; then | |
| 170 | # this module is _supposed_ to be loaded | |
| 171 | UNLOAD_THIS_MOD=N | |
| 172 | fi | |
| 173 | done | |
| 174 | if [ "${CALLED_METHOD}" = "stop" -o -z "${IP_MASQ_NETWORK}" ]; then | |
| 175 | # we're either disabling the firewall or we've disabled masquerading, | |
| 176 | # so we should unload _all_ masq modules | |
| 177 | UNLOAD_THIS_MOD=Y | |
| 178 | fi | |
| 179 | if [ $UNLOAD_THIS_MOD = "Y" -a $1 = "unload" ]; then | |
| 180 | rmmod $m || echo "Error unloading ${m} module" | |
| 181 | fi | |
| 182 | done | |
| 183 | # Step 2: load wanted modules that are not already loaded | |
| 184 | if [ $1 = "load" ]; then | |
| 185 | for normal_mod in ${IP_MASQ_MODULES} ; do | |
| 186 | MOD_LOADED=N | |
| 187 | for m in ${masq_mods} ; do | |
| 188 | if [ "ip_masq_${normal_mod}" = ${m} ]; then | |
| 189 | MOD_LOADED=Y | |
| 190 | fi | |
| 191 | done | |
| 192 | if [ $MOD_LOADED = "N" ]; then | |
| 193 | insmod "ip_masq_${normal_mod}" || echo "Error loading ip_masq_${normal_mod} module" | |
| 194 | fi | |
| 195 | done | |
| 196 | fi | |
| 197 | } | |
| 198 | ||
| 199 | # See how we were called. | |
| 200 | case "$1" in | |
| 201 | start|reload|restart) | |
| 202 | # | |
| 203 | # anything to do before resetting? | |
| 204 | include_supplemental pre-reset | |
| 205 | # | |
| 206 | # For Red Hat users, let's ensure that its firewalls are disabled | |
| 207 | rhtest_ipchains=`chkconfig --list ipchains 2>/dev/null | grep :on` | |
| 208 | rhtest_iptables=`chkconfig --list iptables 2>/dev/null | grep :on` | |
| 209 | bftest=`chkconfig --list bastille-firewall 2>/dev/null | grep :on` | |
| 210 | if [ \( -n "${rhtest_ipchains}" -o -n "${rhtest_iptables}" \) -a -n "${bftest}" ]; then | |
| 211 | echo | |
| 212 | echo "bastille-firewall conflicts with Red Hat 7.1's 'ipchains'" | |
| 213 | echo "and 'iptables' firewalls. We are disabling Red Hat's firewalls." | |
| 214 | [ -n "${rhtest_ipchains}" ] && chkconfig --level 0123456 ipchains off | |
| 215 | [ -n "${rhtest_iptables}" ] && chkconfig --level 0123456 iptables off | |
| 216 | echo | |
| 217 | fi | |
| 218 | # load the IPCHAINS compatibilty module if we're using a 2.4 kernel | |
| 219 | if [ -n "$(uname -r | awk -F. ' $1 == 2 && $2 > 2 {print}')" ]; then | |
| 220 | echo "Loading ipchains compatibility module" | |
| 221 | modprobe ipchains | |
| 222 | fi | |
| 223 | # | |
| 224 | # we set defaults to DENY now to minimize possible interruptions | |
| 225 | # if this script is re-run to reset rules | |
| 226 | # | |
| 227 | # set default policy to disallow forwarding | |
| 228 | ${IPCHAINS} -P forward DENY | |
| 229 | # flush rules | |
| 230 | ${IPCHAINS} -F forward | |
| 231 | # default is to disallow incoming traffic | |
| 232 | ${IPCHAINS} -P input DENY | |
| 233 | # flush rules | |
| 234 | ${IPCHAINS} -F input | |
| 235 | # disallow outbound until we set up the explicit outbound rules | |
| 236 | ${IPCHAINS} -P output DENY | |
| 237 | # flush rules | |
| 238 | ${IPCHAINS} -F output | |
| 239 | ||
| 240 | # Run our "early" custom script if it exists | |
| 241 | [ -f /etc/Bastille/bastille-firewall-early.sh ] && . /etc/Bastille/bastille-firewall-early.sh | |
| 242 | ||
| 243 | # any new-style "early" plugins? | |
| 244 | include_supplemental early | |
| 245 | ||
| 246 | # always allow MTU discovery packets | |
| 247 | ${IPCHAINS} -A input -p icmp --icmp-type fragmentation-needed -j ACCEPT | |
| 248 | ${IPCHAINS} -A output -p icmp --icmp-type fragmentation-needed -j ACCEPT | |
| 249 | ||
| 250 | include_supplemental pre-local-block | |
| 251 | ||
| 252 | # Block any non-local attempts to get localhost addresses | |
| 253 | # per woody@thebunker.net's bugtraq post | |
| 254 | ${IPCHAINS} -A input -d 127.0.0.0/8 ! -i lo -j ${REJECT_METHOD} ${LOG_FLAG} | |
| 255 | ||
| 256 | # Fragments | |
| 257 | if [ "${ALLOW_FRAGMENTS}" = "N" ]; then | |
| 258 | ${IPCHAINS} -A input -f -j ${REJECT_METHOD} | |
| 259 | fi | |
| 260 | ||
| 261 | # from the ipchains HOWTO, I think | |
| 262 | if [ "${ENABLE_SRC_ADDR_VERIFY}" = "Y" ]; then | |
| 263 | if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then | |
| 264 | echo -n "Setting up IP spoofing protection..." | |
| 265 | for f in /proc/sys/net/ipv4/conf/*/rp_filter; do | |
| 266 | echo 1 > $f | |
| 267 | done | |
| 268 | echo " done." | |
| 269 | else | |
| 270 | echo "WARNING: errors encountered while trying to enable IP spoofing protection!" | |
| 271 | fi | |
| 272 | fi | |
| 273 | ||
| 274 | include_supplemental pre-trusted | |
| 275 | ||
| 276 | # Allow all traffic from trusted interfaces | |
| 277 | echo -n "Allowing traffic from trusted interfaces..." | |
| 278 | for t_iface in ${TRUSTED_IFACES} ; do | |
| 279 | ${IPCHAINS} -A input -i ${t_iface} -d 0.0.0.0/0 -j ACCEPT | |
| 280 | done | |
| 281 | echo " done. " | |
| 282 | ||
| 283 | # If you have networks that route traffic to each other through this | |
| 284 | # server, you may want to add some forwarding rules, here, e.g. | |
| 285 | # one way, 192.168.*.* -> 10.*.*.* with 192.168.*.* on "eth0" | |
| 286 | #${IPCHAINS} -A forward -i eth0 -s 192.168.0.0/16 -d 10.0.0.0/8 -j ACCEPT | |
| 287 | # the other direction, 10.*.*.* -> 192.168.*.* with 10.*.*.* on "eth1" | |
| 288 | #${IPCHAINS} -A forward -i eth1 -d 192.168.0.0/16 -s 10.0.0.0/8 -j ACCEPT | |
| 289 | ||
| 290 | include_supplemental pre-mcast-block | |
| 291 | ||
| 292 | # No packets with multicast source addresses (Joshua K, RFC 1122) | |
| 293 | ${IPCHAINS} -A input -s 224.0.0.0/4 -j ${REJECT_METHOD} ${LOG_FLAG} | |
| 294 | ||
| 295 | # Forwarding | |
| 296 | ||
| 297 | include_supplemental pre-nat | |
| 298 | ||
| 299 | # IP Masquerading/forwarding | |
| 300 | # | |
| 301 | # Unload masq modules (maybe we're disabling masquerading, maybe we changed the module list) | |
| 302 | do_masq_mods unload | |
| 303 | # | |
| 304 | if [ -n "${IP_MASQ_NETWORK}" ]; then | |
| 305 | echo -n "Setting up masquerading rules..." | |
| 306 | # since we've set the default forwarding policy to | |
| 307 | # reject, we can enable forwarding now | |
| 308 | echo 1 > /proc/sys/net/ipv4/ip_forward | |
| 309 | # set up rules for masqueraded networks | |
| 310 | for net in ${IP_MASQ_NETWORK} ; do | |
| 311 | if [ "${DROP_SMB_NAT_BCAST}" = "Y" ]; then | |
| 312 | # NetBIOS | |
| 313 | ${IPCHAINS} -A forward -p tcp -s ${net} -d 0.0.0.255/0.0.0.255 137:139 -j ${REJECT_METHOD} ${LOG_FLAG} | |
| 314 | ${IPCHAINS} -A forward -p udp -s ${net} -d 0.0.0.255/0.0.0.255 137:139 -j ${REJECT_METHOD} ${LOG_FLAG} | |
| 315 | fi | |
| 316 | for pub in ${PUBLIC_IFACES} ; do | |
| 317 | # NAT should be one-way, deny traffic from public | |
| 318 | # interfaces that is addresses to masq'ed networks | |
| 319 | ${IPCHAINS} -A input -d ${net} -i ${pub} -j ${REJECT_METHOD} ${LOG_FLAG} | |
| 320 | # spoofed addreses from outside | |
| 321 | ${IPCHAINS} -A input -s ${net} -i ${pub} -j ${REJECT_METHOD} ${LOG_FLAG} | |
| 322 | # enable forwarding | |
| 323 | ${IPCHAINS} -A forward -s ${net} -i ${pub} -j MASQ | |
| 324 | done | |
| 325 | done | |
| 326 | echo " done." | |
| 327 | echo -n "Loading masquerading modules..." | |
| 328 | do_masq_mods load | |
| 329 | echo " done." | |
| 330 | fi | |
| 331 | ||
| 332 | echo -n "Setting up chains for public/internal interface traffic..." | |
| 333 | ||
| 334 | # make a public input chain | |
| 335 | ${IPCHAINS} -N PUB_IN 2> /dev/null | |
| 336 | ${IPCHAINS} -F PUB_IN | |
| 337 | # as close to setting policy as we can get | |
| 338 | ${IPCHAINS} -A PUB_IN -j DENY | |
| 339 | # make a public output chain | |
| 340 | ${IPCHAINS} -N PUB_OUT 2> /dev/null | |
| 341 | ${IPCHAINS} -F PUB_OUT | |
| 342 | # as close to setting policy as we can get | |
| 343 | ${IPCHAINS} -A PUB_OUT -j DENY | |
| 344 | ||
| 345 | # make an "INTERNAL" input chain | |
| 346 | ${IPCHAINS} -N INT_IN 2> /dev/null | |
| 347 | ${IPCHAINS} -F INT_IN | |
| 348 | # as close to setting policy as we can get | |
| 349 | ${IPCHAINS} -A INT_IN -j DENY | |
| 350 | # make an "INTERNAL" output chain | |
| 351 | ${IPCHAINS} -N INT_OUT 2> /dev/null | |
| 352 | ${IPCHAINS} -F INT_OUT | |
| 353 | # as close to setting policy as we can get | |
| 354 | ${IPCHAINS} -A INT_OUT -j DENY | |
| 355 | ||
| 356 | include_supplemental pre-chain-split | |
| 357 | ||
| 358 | # direct packets to the INTERNAL_* chains | |
| 359 | for iface in ${INTERNAL_IFACES} ; do | |
| 360 | ${IPCHAINS} -A input -i ${iface} -j INT_IN | |
| 361 | ${IPCHAINS} -A output -i ${iface} -j INT_OUT | |
| 362 | NON_LOOPBACK_SEEN=N | |
| 363 | for net in ${LOCAL_ADDRESSES} ; do | |
| 364 | if [ ${net} != "127.0.0.1/8" ]; then | |
| 365 | NON_LOOPBACK_SEEN=Y | |
| 366 | fi | |
| 367 | done | |
| 368 | # complain if no local addresses | |
| 369 | if [ ${NON_LOOPBACK_SEEN} = "N" ]; then | |
| 370 | echo "WARNING: no non-loopback local addresses; protection from INTERNAL_IFACES not enabled!" | |
| 371 | fi | |
| 372 | done | |
| 373 | ||
| 374 | # Direct PUBLIC interface traffic to the proper chain | |
| 375 | for iface in ${PUBLIC_IFACES} ; do | |
| 376 | ${IPCHAINS} -A input -i ${iface} -j PUB_IN | |
| 377 | ${IPCHAINS} -A output -i ${iface} -j PUB_OUT | |
| 378 | done | |
| 379 | ||
| 380 | include_supplemental pre-audit | |
| 381 | ||
| 382 | # Auditing must be set up before these packets are blocked! | |
| 383 | # | |
| 384 | for service in ${TCP_AUDIT_SERVICES} ; do | |
| 385 | ${IPCHAINS} -A PUB_IN -p tcp -d 0.0.0.0/0 ${service} -y -l | |
| 386 | done | |
| 387 | for service in ${UDP_AUDIT_SERVICES} ; do | |
| 388 | ${IPCHAINS} -A PUB_IN -p udp -d 0.0.0.0/0 ${service} -l | |
| 389 | done | |
| 390 | for type in ${ICMP_AUDIT_TYPES} ; do | |
| 391 | ${IPCHAINS} -A PUB_IN -p icmp --icmp-type ${type} -d 0.0.0.0/0 -l | |
| 392 | done | |
| 393 | ||
| 394 | # disallow any attempts to get to internal interfaces from outside | |
| 395 | # not good if this is supposed to route between normal networks | |
| 396 | for int in ${INTERNAL_NETWORKS} ; do | |
| 397 | # deny traffic from public | |
| 398 | # interfaces that is addressed to internal networks | |
| 399 | ${IPCHAINS} -A PUB_IN -d ${int} -j ${REJECT_METHOD} ${LOG_FLAG} | |
| 400 | # spoofed addreses from outside | |
| 401 | ${IPCHAINS} -A PUB_IN -s ${int} -j ${REJECT_METHOD} ${LOG_FLAG} | |
| 402 | done | |
| 403 | ||
| 404 | echo " done. " | |
| 405 | ||
| 406 | echo -n "Setting up general rules..." | |
| 407 | ||
| 408 | include_supplemental pre-dhcp | |
| 409 | ||
| 410 | # Allow response from DHCP servers | |
| 411 | for iface in ${DHCP_IFACES} ; do | |
| 412 | for chain in input PUB_IN INT_IN ; do | |
| 413 | # allow UDP responses | |
| 414 | ${IPCHAINS} -A ${chain} -p udp -s 0.0.0.0/0 bootps -d 255.255.255.255/0 bootpc -j ACCEPT | |
| 415 | # normally we allow TCP data returns so this is redundant | |
| 416 | # ${IPCHAINS} -A ${chain} -p tcp -s 0.0.0.0/0 bootps -d 255.255.255.255/0 bootpc -j ACCEPT | |
| 417 | done | |
| 418 | # make link so dhcpcd runs firewall when IP changes (if no such file already) | |
| 419 | [ ! -d /etc/dhcpc ] && mkdir /etc/dhcpc -m 0750 | |
| 420 | if [ -x /sbin/bastille-firewall-reset -a ! -L /etc/dhcpc/dhcpcd-${iface}.exe ]; then | |
| 421 | ln -s /sbin/bastille-firewall-reset /etc/dhcpc/dhcpcd-${iface}.exe | |
| 422 | fi | |
| 423 | done | |
| 424 | ||
| 425 | include_supplemental pre-internal | |
| 426 | ||
| 427 | # internal interface rules | |
| 428 | for net in ${LOCAL_ADDRESSES} ; do | |
| 429 | # Allow accessses to TCP services on this system | |
| 430 | for serv in ${TCP_INTERNAL_SERVICES} ; do | |
| 431 | ${IPCHAINS} -A INT_IN -p tcp -d ${net} ${serv} -j ACCEPT | |
| 432 | done | |
| 433 | ${IPCHAINS} -A INT_IN -p tcp -d ${net} ${serv} \! -y -j ACCEPT | |
| 434 | # UDP services | |
| 435 | for serv in ${UDP_INTERNAL_SERVICES} ; do | |
| 436 | ${IPCHAINS} -A INT_IN -p udp -d ${net} ${serv} -j ACCEPT | |
| 437 | done | |
| 438 | done | |
| 439 | # ICMP | |
| 440 | # hopefully you don't care about hiding from internal hosts! | |
| 441 | ${IPCHAINS} -A INT_IN -p icmp -d 0.0.0.0/0 -j ACCEPT | |
| 442 | ${IPCHAINS} -A INT_OUT -p icmp -d 0.0.0.0/0 -j ACCEPT | |
| 443 | # ...but if you do... try this... (and see the PUB_IN rules below) | |
| 444 | #for type in ${ICMP_ALLOWED_TYPES} ; do | |
| 445 | # ${IPCHAINS} -A INT_IN -p icmp --icmp-type ${type} -d 0.0.0.0/0 -j ACCEPT | |
| 446 | #done | |
| 447 | #for type in ${ICMP_OUTBOUND_DISABLED_TYPES} ; do | |
| 448 | # ${IPCHAINS} -A INT_OUT -p icmp --icmp-type ${type} -j REJECT | |
| 449 | #done | |
| 450 | ||
| 451 | # input rules | |
| 452 | # | |
| 453 | # public interfaces | |
| 454 | ||
| 455 | include_supplemental pre-input | |
| 456 | ||
| 457 | # --------------------- ICMP -------------------------- | |
| 458 | for type in ${ICMP_ALLOWED_TYPES} ; do | |
| 459 | ${IPCHAINS} -A PUB_IN -p icmp --icmp-type ${type} -d 0.0.0.0/0 -j ACCEPT | |
| 460 | done | |
| 461 | ||
| 462 | # --------------------- TCP -------------------------- | |
| 463 | for serv in ${TCP_PUBLIC_SERVICES} ; do | |
| 464 | ${IPCHAINS} -A PUB_IN -p tcp -d 0.0.0.0/0 ${serv} -j ACCEPT | |
| 465 | done | |
| 466 | ||
| 467 | # if you're disallowing ICMP, you may be trying to look | |
| 468 | # invisible/disable ping, so let's just drop these attempts | |
| 469 | ${IPCHAINS} -A PUB_IN -p icmp -d 0.0.0.0/0 -j DENY ${LOG_FLAG} | |
| 470 | ||
| 471 | for chain in PUB_IN INT_IN ; do | |
| 472 | if [ ${FORCE_PASV_FTP} != "Y" ]; then | |
| 473 | # no point explicitly blocking TCP services unless active FTP is enabled | |
| 474 | # Step 1: block the high port TCP services | |
| 475 | for serv in ${TCP_BLOCKED_SERVICES} ; do | |
| 476 | # only block -y initial connects; in case the port was needlessly | |
| 477 | # specified, this should still enable it to be used as a source | |
| 478 | # port for non-FTP connecions from this host or machines using it as a gateway | |
| 479 | ${IPCHAINS} -A ${chain} -p tcp -d 0.0.0.0/0 ${serv} -y -j ${REJECT_METHOD} ${LOG_FLAG} | |
| 480 | done | |
| 481 | # FEATURE: check bound high TCP and complain? | |
| 482 | # Step 2: allow the ftp-data connections | |
| 483 | ${IPCHAINS} -A ${chain} -p tcp -d 0.0.0.0/0 1024: -s 0.0.0.0/0 ftp-data -j ACCEPT | |
| 484 | fi | |
| 485 | ||
| 486 | # general response to my TCP requests | |
| 487 | ${IPCHAINS} -A ${chain} -p tcp \! -y -j ACCEPT | |
| 488 | ||
| 489 | # no TCP requests to other ports (redundant) | |
| 490 | # ${IPCHAINS} -A ${chain} -p tcp -j ${REJECT_METHOD} ${LOG_FLAG} | |
| 491 | ||
| 492 | # --------------------- UDP -------------------------- | |
| 493 | for serv in ${UDP_PUBLIC_SERVICES} ; do | |
| 494 | ${IPCHAINS} -A PUB_IN -p udp -d 0.0.0.0/0 ${serv} -j ACCEPT | |
| 495 | done | |
| 496 | ||
| 497 | # This isn't necessary unless you have DNS_SERVERS or NTP_SERVERS | |
| 498 | # but who wouldn't have DNS servers configured? | |
| 499 | for serv in ${UDP_BLOCKED_SERVICES} ; do | |
| 500 | ${IPCHAINS} -A ${chain} -p udp -d 0.0.0.0/0 ${serv} -j ${REJECT_METHOD} ${LOG_FLAG} | |
| 501 | done | |
| 502 | ||
| 503 | for dns_net in ${DNS_SERVERS} ; do | |
| 504 | ${IPCHAINS} -A ${chain} -p udp -s ${dns_net} domain -d 0.0.0.0/0 1024: -j ACCEPT | |
| 505 | done | |
| 506 | ||
| 507 | for ntp_net in ${ntp_server_addrs} ; do | |
| 508 | # this allows unprivileged queries, e.g. 'ntpdate' | |
| 509 | ${IPCHAINS} -A ${chain} -p udp -s ${ntp_net} ntp -d 0.0.0.0/0 1024: -j ACCEPT | |
| 510 | # this allows you to run an ntp daemon to maintain | |
| 511 | # system time nore gracefully than with 'ntpdate' | |
| 512 | ${IPCHAINS} -A ${chain} -p udp -s ${ntp_net} ntp -d 0.0.0.0/0 ntp -j ACCEPT | |
| 513 | done | |
| 514 | # Reject other UDP (redundant) | |
| 515 | #${IPCHAINS} -A ${chain} -p udp -j ${REJECT_METHOD} ${LOG_FLAG} | |
| 516 | done | |
| 517 | ||
| 518 | ||
| 519 | # end of loop through public interfaces for input rules | |
| 520 | ||
| 521 | if [ ${FORCE_PASV_FTP} != "Y" -a \( -n "${PUBLIC_IFACES}" -o -n "${INTERNAL_IFACES}" \) ]; then | |
| 522 | # warning | |
| 523 | echo | |
| 524 | echo "WARNING: allowing \"active\" FTP; any unknown TCP services running" | |
| 525 | echo "on high ports will be vulnerable; blocking too many high TCP ports" | |
| 526 | echo "may affect various TCP _clients_ running on this machine or using" | |
| 527 | echo "this machine as a gateway." | |
| 528 | fi | |
| 529 | ||
| 530 | # now we can deny the attempts from the internal interfaces to this host | |
| 531 | for tnet in ${LOCAL_ADDRESSES} ; do | |
| 532 | for chain in PUB_IN INT_IN ; do | |
| 533 | ${IPCHAINS} -A ${chain} -d ${tnet} -j ${REJECT_METHOD} ${LOG_FLAG} | |
| 534 | done | |
| 535 | done | |
| 536 | # now that we've blocked attempts from the internal interfaces | |
| 537 | # to the IP's on this server, we need to accept other connections | |
| 538 | # so the IP Masq / NAT will function | |
| 539 | for net in ${IP_MASQ_NETWORK} ; do | |
| 540 | for chain in PUB_IN INT_IN ; do | |
| 541 | ${IPCHAINS} -A ${chain} -s ${net} -j ACCEPT | |
| 542 | done | |
| 543 | done | |
| 544 | ||
| 545 | # --------------------- catch-all -------------------------- | |
| 546 | # Reject all other traffic (redundant if not logging) | |
| 547 | if [ ${LOG_FAILURES} = "Y" ]; then | |
| 548 | for chain in input forward PUB_IN INT_IN ; do | |
| 549 | ${IPCHAINS} -A ${chain} -j ${REJECT_METHOD} ${LOG_FLAG} | |
| 550 | done | |
| 551 | fi | |
| 552 | ||
| 553 | # | |
| 554 | echo " done." | |
| 555 | ||
| 556 | echo -n "Setting up outbound rules..." | |
| 557 | ||
| 558 | include_supplemental pre-output | |
| 559 | ||
| 560 | # block outbound ICMP types (usu. to hide from traceroute) | |
| 561 | for type in ${ICMP_OUTBOUND_DISABLED_TYPES} ; do | |
| 562 | # ** The following will limit ICMP on public and internal interfaces: | |
| 563 | # for chain in PUB_OUT INT_OUT ; do | |
| 564 | # ** but our default is to only limit outbound ICMP on public interfaces | |
| 565 | for chain in PUB_OUT ; do | |
| 566 | ${IPCHAINS} -A ${chain} -p icmp --icmp-type ${type} -j REJECT ${LOG_FLAG} | |
| 567 | done | |
| 568 | done | |
| 569 | # | |
| 570 | # Here you might really lock things down if this is a server, | |
| 571 | # e.g., to keep it from doing anything but connecting to | |
| 572 | # SMTP servers and responding to Web requests, or whatever | |
| 573 | # the specific requirements are. | |
| 574 | # | |
| 575 | # Such lockdowns are recommended if the situation affords you | |
| 576 | # that flexibility. | |
| 577 | # | |
| 578 | # default is to enable outbound traffic | |
| 579 | # (again, here, for a server you might default to ${REJECT_METHOD} ) | |
| 580 | ${IPCHAINS} -P output ACCEPT | |
| 581 | ||
| 582 | include_supplemental pre-policy-reset | |
| 583 | ||
| 584 | # Now that all rules are set, we can change the policies | |
| 585 | # to the user preference safely | |
| 586 | ${IPCHAINS} -P forward ${REJECT_METHOD} | |
| 587 | ${IPCHAINS} -P input ${REJECT_METHOD} | |
| 588 | # to set default "policies" for PUB_* and INT_* chains, add a final rule | |
| 589 | if [ ${LOG_FAILURES} != "Y" ]; then | |
| 590 | # if LOG_FAILURES were set, we would have already done this | |
| 591 | for chain in PUB_IN INT_IN ; do | |
| 592 | ${IPCHAINS} -A ${chain} -j ${REJECT_METHOD} ${LOG_FLAG} | |
| 593 | done | |
| 594 | fi | |
| 595 | for chain in PUB_OUT INT_OUT ; do | |
| 596 | ${IPCHAINS} -A ${chain} -j ACCEPT | |
| 597 | done | |
| 598 | # rule 1 in all of these chains is a deny rule; remove it so other rules work | |
| 599 | for chain in PUB_IN INT_IN PUB_OUT INT_OUT ; do | |
| 600 | ${IPCHAINS} -D ${chain} -j DENY | |
| 601 | done | |
| 602 | ||
| 603 | include_supplemental post-rule-setup | |
| 604 | ||
| 605 | echo " done." | |
| 606 | ||
| 607 | ;; | |
| 608 | stop) | |
| 609 | include_supplemental pre-drop-rules | |
| 610 | echo | |
| 611 | echo "WARNING: reverting to default settings (dropping firewall)" | |
| 612 | # We should disable NAT/forwarding even if not set to restore defaults | |
| 613 | echo -n "disabling IP forwarding..." | |
| 614 | echo 0 > /proc/sys/net/ipv4/ip_forward | |
| 615 | echo " done." | |
| 616 | echo -n "unloading masquerading modules..." | |
| 617 | do_masq_mods unload | |
| 618 | echo " done." | |
| 619 | # flushing seems to leave the default input at ${REJECT_METHOD} | |
| 620 | echo -n "resetting default input rules to accept..." | |
| 621 | ${IPCHAINS} -P input ACCEPT | |
| 622 | echo " done." | |
| 623 | echo -n "resetting default output rule to accept..." | |
| 624 | ${IPCHAINS} -P output ACCEPT | |
| 625 | echo " done." | |
| 626 | # We disabled forwarding with the /proc interface, but we | |
| 627 | # reset FORWARD to ACCEPT because that;s the normal default | |
| 628 | echo -n "resetting default forward rule to accept..." | |
| 629 | ${IPCHAINS} -P forward ACCEPT | |
| 630 | echo " done." | |
| 631 | for chain in input output forward ; do | |
| 632 | echo -n "flushing ${chain} rules..." | |
| 633 | ${IPCHAINS} -F ${chain} | |
| 634 | echo " done." | |
| 635 | done | |
| 636 | # flush and delete the user-defined chains | |
| 637 | echo -n "removing user-defined chains..." | |
| 638 | for chain in PUB_IN PUB_OUT INT_IN INT_OUT ; do | |
| 639 | ${IPCHAINS} -F ${chain} | |
| 640 | ${IPCHAINS} -X ${chain} | |
| 641 | done | |
| 642 | include_supplemental post-drop-rules | |
| 643 | echo " done." | |
| 644 | ;; | |
| 645 | status) | |
| 646 | ${IPCHAINS} -L -v -n | |
| 647 | ;; | |
| 648 | *) | |
| 649 | echo "Usage: $0 {start|restart|reload|stop|status}" | |
| 650 | exit 1 | |
| 651 | esac | |
| 652 | ||
| 653 | exit 0 | |
| 654 | ||
