15. APPENDIX A - Example Scripts
15.1 RC Script using GFCC
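#!/bin/bash
#
# Firewall Script - Version 0.9.1
#
# chkconfig: 2345 09 99
# description: firewall script for 2.2.x kernel
# Set for testing
# set -x
#
# NOTES:
#
# This script is written for RedHat 6.1 or better.
#
# Be careful about offering public services like web or ftp servers.
#
# This file is only a loader: the actual ipchains rule set is the file
# exported by GFCC (RULES below).  "start" fails, instead of printing OK,
# when that file is missing or not executable.
#
# INSTALLATION:
# 1. place this file in /etc/rc.d/init.d (you'll have to be root..)
#    call it something like "firewall" :-)
#    make it root owned --> "chown root.root (filename)"
#    make it executable --> "chmod 755 (filename)"
#
# 2. use GFCC to create your firewall rules and export them to a file
#    named /etc/gfcc/rules/firewall.rule.sh.
#
# 3. set PUBLIC below to your external interface (used by "test" mode).
#
# 4. add the firewall to the RH init structure --> "chkconfig --add (filename)"
#    next time the router boots, things should happen automagically!
#    sleep better at night knowing you are *LESS* vulnerable than before...
#
# RELEASE NOTES
# 30 Jan, 2000 - Changed to GFCC script
# 11 Dec, 1999 - updated by Mark Grennan <mark@grennan.com>
# 20 July, 1999 - initial writing - Anthony Ball <tony@LinuxSIG.org>
#
################################################

# Rule set exported by GFCC; "start" does nothing but run it.
RULES=/etc/gfcc/rules/firewall.rule.sh

# External (public) interface.  "test" mode masquerades on it.  The earlier
# version never set PUBLIC, so its MASQ rule was built with an empty "-i".
PUBLIC=ppp0

# Source function library.
. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up.  Quoted so an unset NETWORKING does not
# become a "[" syntax error.
[ "${NETWORKING}" = "no" ] && exit 0

# See how we are called
case "$1" in
  start)
    # Start providing access.  The rule set runs under "action" so the
    # OK/FAILED on the console reflects its real exit status rather than the
    # unconditional /bin/true used before.
    if [ ! -x "$RULES" ]; then
      echo "$RULES: missing or not executable, firewall NOT started" >&2
      exit 1
    fi
    action "Starting firewall: " "$RULES"
    echo
    ;;
  stop)
    # Flush the chains and turn forwarding off.  -F does not touch chain
    # policies, so the DENY policy the GFCC export sets on input stays in
    # force after "stop" (fail-closed).
    action "Stoping firewall: " /bin/true
    echo 0 > /proc/sys/net/ipv4/ip_forward
    /sbin/ipchains -F input
    /sbin/ipchains -F output
    /sbin/ipchains -F forward
    echo
    ;;
  restart)
    action "Restarting firewall: " /bin/true
    "$0" stop
    "$0" start
    echo
    ;;
  status)
    # List out all settings.  -n keeps ipchains from doing a reverse DNS
    # lookup for every address in the listing.
    /sbin/ipchains -L -n
    ;;
  test)
    # Test mode: accept everything on input and output, only masquerade on
    # the public interface.  This is NOT a firewall; use it to check that
    # routing works, then go back to "start".
    action "Test Mode firewall: " /bin/true
    /sbin/ipchains -F input
    /sbin/ipchains -F output
    /sbin/ipchains -F forward
    echo 1 > /proc/sys/net/ipv4/ip_forward
    /sbin/ipchains -A input -j ACCEPT
    /sbin/ipchains -A output -j ACCEPT
    /sbin/ipchains -P forward DENY
    /sbin/ipchains -A forward -i "$PUBLIC" -j MASQ
    echo
    ;;
  *)
    echo "Usage: $0 {start|stop|restart|status|test}"
    exit 1
esac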
15.2 GFCC script
This script was generated by the Graphical Firewall program (GFCC). This is not the working rule set; it is the rule set as exported by GFCC.
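#!/bin/sh
# Generated by Gtk+ firewall control center
#
# Exported ipchains rule set loaded by the RC script in 15.1.  The input
# policy is set to DENY before the chains are flushed, so the router stays
# fail-closed while the rules below are (re)loaded.
IPCHAINS=/sbin/ipchains

# Hosts and networks the rules refer to.  firewallhost, mail_grennan_com and
# mark_grennan_com are exported but not used by any rule below.
localnet="192.168.1.0/24"
firewallhost="192.168.1.1/32"
# Loopback network.  The export had 172.0.0.0/8 here, which is not the
# loopback range, so traffic from 127.x on "lo" did not match this rule and
# was handled by the later rules, including the logged catch-all DENY.
localhost="127.0.0.0/8"
DNS1="24.94.163.119/32"
DNS2="24.94.163.124/32"
Broadcast="255.255.255.255/32"
Multicast="224.0.0.0/8"
Any="0.0.0.0/0"
mail_grennan_com="192.168.1.1/32"
mark_grennan_com="192.168.1.3/32"

# Default policies, then drop every existing rule and user-defined chain.
$IPCHAINS -P input DENY
$IPCHAINS -P forward ACCEPT
$IPCHAINS -P output ACCEPT
$IPCHAINS -F
$IPCHAINS -X

# input rules

# Noise dropped without logging: broadcast, NetBIOS, BOOTP, multicast.
$IPCHAINS -A input -s "$Any" -d "$Broadcast" -j DENY
$IPCHAINS -A input -p udp -s "$Any" -d "$Any" netbios-ns -j DENY
$IPCHAINS -A input -p tcp -s "$Any" -d "$Any" netbios-ns -j DENY
$IPCHAINS -A input -p udp -s "$Any" -d "$Any" netbios-dgm -j DENY
$IPCHAINS -A input -p tcp -s "$Any" -d "$Any" netbios-dgm -j DENY
$IPCHAINS -A input -p udp -s "$Any" -d "$Any" bootps -j DENY
$IPCHAINS -A input -p udp -s "$Any" -d "$Any" bootpc -j DENY
$IPCHAINS -A input -s "$Multicast" -d "$Any" -j DENY

# Loopback, and the local network on the internal interface (eth1 here).
$IPCHAINS -A input -s "$localhost" -d "$Any" -i lo -j ACCEPT
$IPCHAINS -A input -s "$localnet" -d "$Any" -i eth1 -j ACCEPT
$IPCHAINS -A input -s "$localnet" -d "$Broadcast" -i eth1 -j ACCEPT

# ICMP and TCP without SYN from anywhere; DNS replies from the two
# configured servers to unprivileged ports.
$IPCHAINS -A input -p icmp -s "$Any" -d "$Any" -j ACCEPT
$IPCHAINS -A input -p tcp -s "$Any" -d "$Any" -j ACCEPT ! -y
$IPCHAINS -A input -p udp -s "$DNS1" domain -d "$Any" 1023:65535 -j ACCEPT
$IPCHAINS -A input -p udp -s "$DNS2" domain -d "$Any" 1023:65535 -j ACCEPT

# Services reachable from any address.  telnet, pop-3 and ftp carry
# passwords in the clear; review this list before reusing the export.
$IPCHAINS -A input -p tcp -s "$Any" -d "$Any" ssh -j ACCEPT
$IPCHAINS -A input -p tcp -s "$Any" -d "$Any" telnet -j ACCEPT
$IPCHAINS -A input -p tcp -s "$Any" -d "$Any" smtp -j ACCEPT
$IPCHAINS -A input -p tcp -s "$Any" -d "$Any" pop-3 -j ACCEPT
$IPCHAINS -A input -p tcp -s "$Any" -d "$Any" auth -j ACCEPT
$IPCHAINS -A input -p tcp -s "$Any" -d "$Any" www -j ACCEPT
$IPCHAINS -A input -p tcp -s "$Any" -d "$Any" ftp -j ACCEPT

# Everything else is denied and logged.
$IPCHAINS -A input -s "$Any" -d "$Any" -j DENY -l

# forward rules

# Masquerade the internal network.
$IPCHAINS -A forward -s "$localnet" -d "$Any" -j MASQ

# output rules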
15.3 RC Script without GFCC This is the firewall rule set built by hand. It does not use GFCC.
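#!/bin/bash
#
# Firewall Script - Version 0.9.0
# chkconfig: 2345 09 99
# description: firewall script for 2.2.x kernel
# Set for testing
# set -x
#
# NOTES:
#
# This script is written for RedHat 6.0 or better.
#
# This firewall script should work for most routers, dial-up or cable modem.
# It was written for RedHat distributions.
#
# Be careful about offering public services like web or ftp servers.
#
# INSTALLATION:
# 1. This file planned for a RedHat system.  It would work
#    on other distro's with perhaps no modification, but again...
#    Who knows?!!?  These instructions apply to RedHat systems.
#
# 2. place this file in /etc/rc.d/init.d (you'll have to be root..)
#    call it something like "firewall" :-)
#    make it root owned --> "chown root.root <filename>"
#    make it executable --> "chmod 755 <filename>"
#
# 3. set the values for your network, internal interface, and DNS servers
#    uncomment lines further down to enable optional in-bound services
#    (all of them are commented out by default; the router is still
#    reachable from the internal interface without them)
#    make sure "eth0" is your internal NIC (or change the value below)
#    test it --> "/etc/rc.d/init.d/<filename> start"
#    you can list the rules --> "ipchains -L -n"
#    fix anything that broke... :-)
#
# 4. add the firewall to the RH init structure --> "chkconfig --add <filename>"
#    next time the router boots, things should happen automagically!
#    sleep better at night knowing you are *LESS* vulnerable than before...
#
# RELEASE NOTES
# 20 July, 1999 - initial writing - Anthony Ball <tony@LinuxSIG.org>
# 11 Dec, 1999 - updated by Mark Grennan <mark@grennan.com>
#
################################################

# Fill in the values below to match your
# local network.  "start" refuses to run while the xxx placeholders
# are still here.
PRIVATENET=xxx.xxx.xxx.xxx/xx
PUBLIC=ppp0
PRIVATE=eth0

# your dns servers
DNS1=xxx.xxx.xxx.xxx
DNS2=xxx.xxx.xxx.xxx

################################################
# some handy generic values to use
ANY=0.0.0.0/0
ALLONES=255.255.255.255

# Source function library.
. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up.  Quoted so an unset NETWORKING does not
# become a "[" syntax error.
[ "${NETWORKING}" = "no" ] && exit 0

# See how we are called
case "$1" in
  start)
    # Refuse to build rules from the placeholder values; they would not
    # match anything and the resulting rule set would not be the one the
    # comments below describe.
    case "$PRIVATENET$DNS1$DNS2" in
      *xxx*)
        echo "$0: set PRIVATENET, DNS1 and DNS2 before starting the firewall" >&2
        exit 1
        ;;
    esac

    # Start providing access
    action "Starting firewall: " /bin/true

    ##
    ## Setup Envirement
    ##

    # Flush all lists
    /sbin/ipchains -F input
    /sbin/ipchains -F output
    /sbin/ipchains -F forward

    # Plug up everything while the rules are loaded.  The plug is rule 1 of
    # the input chain and is removed at the very end; if the script dies
    # half-way the plug stays in and the router stays closed.
    /sbin/ipchains -I input 1 -j DENY

    # set policy to deny (Default is ACCEPT)
    /sbin/ipchains -P input DENY
    /sbin/ipchains -P output ACCEPT
    /sbin/ipchains -P forward ACCEPT

    # Turn on packet forwarding
    echo 1 > /proc/sys/net/ipv4/ip_forward

    ##
    ## Install Modules
    ##

    # Insert the active ftp module. This will allow non-passive ftp to machines
    # on the local network (but not to the router since it is not masq'd)
    if ! /sbin/lsmod | /bin/grep -q masq_ftp; then
      /sbin/insmod ip_masq_ftp
    fi

    ##
    ## Some Security Stuff
    ##

    # turn on Source Address Verification and get spoof protection
    # on all current and future interfaces.
    if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
      for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
        echo 1 > "$f"
      done
    else
      echo
      echo "PROBLEMS SETTING UP IP SPOOFING PROTECTION. BE WORRIED."
      echo
    fi

    # deny bcasts on remaining interfaces
    /sbin/ipchains -A input -d 0.0.0.0 -j DENY
    /sbin/ipchains -A input -d 255.255.255.255 -j DENY

    # deny these without logging 'cause there tend to be a lot...
    /sbin/ipchains -A input -p udp -d "$ANY" 137 -j DENY   # NetBIOS over IP
    /sbin/ipchains -A input -p tcp -d "$ANY" 137 -j DENY   # ""
    /sbin/ipchains -A input -p udp -d "$ANY" 138 -j DENY   # ""
    /sbin/ipchains -A input -p tcp -d "$ANY" 138 -j DENY   # ""
    /sbin/ipchains -A input -p udp -d "$ANY" 67 -j DENY    # bootp
    /sbin/ipchains -A input -p udp -d "$ANY" 68 -j DENY    # ""
    /sbin/ipchains -A input -s 224.0.0.0/8 -j DENY         # Multicast addresses

    ##
    ## Allow private network out
    ##

    # allow all packets on the loopback interface
    /sbin/ipchains -A input -i lo -j ACCEPT

    # allow all packets from the internal "trusted" interface
    /sbin/ipchains -A input -i "$PRIVATE" -s "$PRIVATENET" -d "$ANY" -j ACCEPT
    /sbin/ipchains -A input -i "$PRIVATE" -d "$ALLONES" -j ACCEPT

    ##
    ## Allow Outside Services into the firewall (if you dare)
    ##

    # allow ICMP
    /sbin/ipchains -A input -p icmp -j ACCEPT

    # allow TCP that is not a connection request (no SYN)
    /sbin/ipchains -A input -p tcp ! -y -j ACCEPT

    # allow lookups to DNS (on firewall)
    /sbin/ipchains -A input -p udp -s "$DNS1" domain -d "$ANY" 1023: -j ACCEPT
    /sbin/ipchains -A input -p udp -s "$DNS2" domain -d "$ANY" 1023: -j ACCEPT

    # or (BETTER IDEA) run a caching DNS server on the router and use the
    # following two lines instead...
    # /sbin/ipchains -A input -p udp -s "$DNS1" domain -d "$ANY" domain -j ACCEPT
    # /sbin/ipchains -A input -p udp -s "$DNS2" domain -d "$ANY" domain -j ACCEPT

    # The optional in-bound services below are all commented out, as the
    # "uncomment to allow" notes say.  Earlier versions shipped with these
    # rules active, so ssh, telnet, smtp, pop3, http and ftp were open to the
    # public interface by default.

    # uncomment the following to allow ssh in
    # /sbin/ipchains -A input -p tcp -d "$ANY" 22 -j ACCEPT

    # uncomment the following to allow telnet in (BAD IDEA!!)
    # /sbin/ipchains -A input -p tcp -d "$ANY" telnet -j ACCEPT

    # uncomment to allow NTP (network time protocol) to router
    # /sbin/ipchains -A input -p udp -d "$ANY" ntp -j ACCEPT

    # uncomment to allow SMTP in (not for mail clients - only a server)
    # /sbin/ipchains -A input -p tcp -d "$ANY" smtp -j ACCEPT

    # uncomment to allow POP3 in (for mail clients)
    # /sbin/ipchains -A input -p tcp -d "$ANY" 110 -j ACCEPT

    # allow auth in for sending mail or doing ftp
    /sbin/ipchains -A input -p tcp -d "$ANY" auth -j ACCEPT

    # uncomment to allow HTTP in (only if you run a web server on the router)
    # /sbin/ipchains -A input -p tcp -d "$ANY" http -j ACCEPT

    # uncomment to allow FTP in
    # /sbin/ipchains -A input -p tcp -d "$ANY" ftp -j ACCEPT

    ##
    ## Masquerading stuff
    ##

    # masquerade packets forwarded from internal network
    /sbin/ipchains -A forward -s "$PRIVATENET" -d "$ANY" -j MASQ

    ##
    ## deny EVERYthing else and log them to /var/log/messages
    ##
    /sbin/ipchains -A input -l -j DENY

    # Remove the Plug
    /sbin/ipchains -D input 1
    ;;
  stop)
    # Flush the chains and turn forwarding off.  -F does not reset chain
    # policies, so the DENY policy on input set by "start" stays in force
    # after "stop" (fail-closed).
    action "Stoping firewall: " /bin/true
    echo 0 > /proc/sys/net/ipv4/ip_forward
    /sbin/ipchains -F input
    /sbin/ipchains -F output
    /sbin/ipchains -F forward
    echo
    ;;
  restart)
    action "Restarting firewall: " /bin/true
    "$0" stop
    "$0" start
    echo
    ;;
  status)
    # List out settings.  -n avoids a reverse DNS lookup for every address
    # in the listing (same form the header recommends).
    /sbin/ipchains -L -n
    ;;
  test)
    ##
    ## This is about as simple as it gets
    ## (This is not secure AT ALL)
    ##
    # Accept everything on input and output and only masquerade via the
    # public interface; useful to check routing, nothing more.
    action "WARNING Test Firewall: " /bin/true
    /sbin/ipchains -F input
    /sbin/ipchains -F output
    /sbin/ipchains -F forward
    echo 1 > /proc/sys/net/ipv4/ip_forward
    /sbin/ipchains -A input -j ACCEPT
    /sbin/ipchains -A output -j ACCEPT
    /sbin/ipchains -P forward DENY
    /sbin/ipchains -A forward -i "$PUBLIC" -j MASQ
    echo
    ;;
  *)
    echo "Usage: $0 {start|stop|restart|status|test}"
    exit 1
esac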