7. Example masquerading firewall scripts
7.1 Kernel 2.0, ipfwadm
#!/bin/sh
#04/04/1999
#example rc.firewall script for the 2.0 kernels using ipfwadm
#I cant take full credit for this script. I had found it a few
#years ago and made slight modifications.
#Send questions or comments to acj@home.com.
#---------------------------------------------------------------------
#Variables
#---------------------------------------------------------------------
#local ethernet interface
localip=
localif=eth0
#static ethernet interface
staticip=
staticif=eth1
PATH="/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin"
#---------------------------------------------------------------------
#Incoming Firewall Policies
#---------------------------------------------------------------------
#flush incoming firewall policies
/sbin/ipfwadm -I -f
#set incoming firewall policy default to deny
/sbin/ipfwadm -I -p deny
#---------------------------------------------------------------------
#local interface, local machines, going anywhere is valid
/sbin/ipfwadm -I -a accept -V $localip -S $localip/24 -D 0.0.0.0/0
#remote interface, claiming to be local machines (IP spoofing) deny and log
/sbin/ipfwadm -I -a deny -V $staticip -S $localip/24 -D 0.0.0.0/0 -o
#remote interface, any source, going to staticip address is valid
/sbin/ipfwadm -I -a accept -V $staticip -S 0.0.0.0/0 -D $staticip/32
#loopback interface is valid
/sbin/ipfwadm -I -a accept -V 127.0.0.1 -S 0.0.0.0/0 -D 0.0.0.0/0
#all other incoming is denied and logged
/sbin/ipfwadm -I -a deny -S 0.0.0.0/0 -D 0.0.0.0/0 -o
#---------------------------------------------------------------------
#Outgoing Firewall Policies
#---------------------------------------------------------------------
#flush outgoing firewall policies
/sbin/ipfwadm -O -f
#set outgoing firewall policy default to deny
/sbin/ipfwadm -O -p deny
#---------------------------------------------------------------------
#local interface, any source going to local net is valid
/sbin/ipfwadm -O -a accept -V $localip -S 0.0.0.0/0 -D $localip/24
#outgoing to localnet on static interface, stuffed routing, deny
/sbin/ipfwadm -O -a deny -V $staticip -S 0.0.0.0/0 -D $localip/24 -o
#outgoing from localnet on static interface, stuffed masquerading, deny
/sbin/ipfwadm -O -a deny -V $staticip -S $localip/24 -D 0.0.0.0/0 -o
#outgoing to localnet on static interface, stuffed masquerading, deny
/sbin/ipfwadm -O -a deny -V $staticip -S 0.0.0.0/0 -D $localip/24 -o
#anything else outgoing on remote interface is valid
/sbin/ipfwadm -O -a accept -V $staticip -S $staticip/32 -D 0.0.0.0/0
#loopback interface is valid
/sbin/ipfwadm -O -a accept -V 127.0.0.1 -S 0.0.0.0/0 -D 0.0.0.0/0
#all other outgoing is denied and logged
/sbin/ipfwadm -O -a deny -S 0.0.0.0/0 -D 0.0.0.0/0 -o
#--------------------------------------------------------------------------
#Forwarding firewall policies
#--------------------------------------------------------------------------
#flush forwarding policies
/sbin/ipfwadm -F -f
#set forwarding policy default to deny
/sbin/ipfwadm -F -p deny
#masquerade from localnet on local interface to anywhere
/sbin/ipfwadm -F -a masquerade -W $staticif -S $localip/24 -D 0.0.0.0/0
#all other forwarding is denied
/sbin/ipfwadm -F -a deny -S 0.0.0.0/0 -D 0.0.0.0/0
exit 0
7.2 Kernel 2.1/2.2, ipchains
#!/bin/sh
#04/04/1999
#example rc.firewall script for the newer 2.1/2.2 kernels using ipchains
#that creates user defined chains for each interface. There are firewall
#rules for spoofing protection which may be unnecessary since the newer
#kernels can have kernel spoofing protection enabled. You might say it's
#super paranoid checking.
#Send questions or comments to acj@home.com.
#---------------------------------------------------------------------
#Variables
#---------------------------------------------------------------------
#local ethernet interface
localip=
localif=eth0
#static ethernet interface
staticip=
staticif=eth1
#loopback interface
loopback=lo
PATH="/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin"
#---------------------------------------------------------------------
#Flush built-in input, output, and forward ipchains; set default policy
#Good policy to deny all packets especially while setting up chains
#---------------------------------------------------------------------
#set incoming firewall policy default to deny
ipchains -P input DENY
#flush incoming firewall policies
ipchains -F input
#---------------------------------------------------------------------
#set outgoing firewall policy default to deny
ipchains -P output DENY
#flush outgoing firewall policies
ipchains -F output
#---------------------------------------------------------------------
#set forwarding firewall policy default to deny
ipchains -P forward DENY
#flush forwarding firewall policies
ipchains -F forward
#---------------------------------------------------------------------
#flush all policies -redundant for main policies, but also flushes user
#defined policies
#ipchains -F
#remove all user defined policies - you may or may not want to enable this
#ipchains -X
#---------------------------------------------------------------------
#Incoming Firewall Policies
#---------------------------------------------------------------------
#create new input chain for static ethernet interface
ipchains -N $staticif"-i"
#flush all rules in chain (sanity flush)
ipchains -F $staticif"-i"
#block incoming tcp SYN packets to all ports on staticif and log
#this may be a little harsh but its a nice feature
#ipchains -A $staticif"-i" -j DENY -p tcp -y -i $staticif -s 0/0 \
#-d $staticip : -l
#remote interface, claiming to be local machines (IP spoofing) deny and log
ipchains -A $staticif"-i" -j DENY -i $staticif -s $localip/16 -d 0/0 -l
#remote interface, any source, going to staticip address is valid
ipchains -A $staticif"-i" -j ACCEPT -i $staticif -s 0/0 -d $staticip/32
#all other incoming is denied and logged
ipchains -A $staticif"-i" -j DENY -s 0/0 -d 0/0 -l
#---------------------------------------------------------------------
#create new input chain for local ethernet interface
ipchains -N $localif"-i"
#flush all rules in chain (sanity flush)
ipchains -F $localif"-i"
#local interface, local machines, going anywhere is valid
ipchains -A $localif"-i" -j ACCEPT -i $localif -s $localip/24 -d 0/0
#all other incoming is denied and logged
ipchains -A $localif"-i" -j DENY -s 0/0 -d 0/0 -l
#---------------------------------------------------------------------
#create new input chain for loopback interface
ipchains -N $loopback"-i"
#flush all rules in chain (sanity flush)
ipchains -F $loopback"-i"
#loopback interface is valid
ipchains -A $loopback"-i" -j ACCEPT -i $loopback -s 0/0 -d 0/0
#all other incoming is denied and logged
ipchains -A $loopback"-i" -j DENY -s 0/0 -d 0/0 -l
#--------------------------------------------------------------------------
#Forwarding firewall policies
#--------------------------------------------------------------------------
#create new forward chain for static ethernet interface
ipchains -N $staticif"-f"
#flush all rules in chain (sanity flush)
ipchains -F $staticif"-f"
#masquerade from localnet on static interface to anywhere
ipchains -A $staticif"-f" -j MASQ -i $staticif -s $localip/24 -d 0/0
#all other forwarding is denied and logged
ipchains -A $staticif"-f" -j DENY -s 0/0 -d 0/0 -l
#---------------------------------------------------------------------
#create new forward chain for local ethernet interface
ipchains -N $localif"-f"
#flush all rules in chain (sanity flush)
ipchains -F $localif"-f"
#all other forwarding is denied and logged
ipchains -A $localif"-f" -j DENY -s 0/0 -d 0/0 -l
#---------------------------------------------------------------------
#create new forward chain for loopback interface
ipchains -N $loopback"-f"
#flush all rules in chain (sanity flush)
ipchains -F $loopback"-f"
#all other forwarding is denied and logged
ipchains -A $loopback"-f" -j DENY -s 0/0 -d 0/0 -l
#---------------------------------------------------------------------
#Outgoing Firewall Policies
#---------------------------------------------------------------------
#create new output chain for static ethernet interface
ipchains -N $staticif"-o"
#flush all rules in chain (sanity flush)
ipchains -F $staticif"-o"
#outgoing to localnet on remote interface(stuffed routing) deny & log
ipchains -A $staticif"-o" -j DENY -i $staticif -s 0/0 -d $localip/24 -l
#outgoing from local net on remote interface, stuffed masquerading, deny
ipchains -A $staticif"-o" -j DENY -i $staticif -s $localip/24 -d 0/0 -l
#anything else outgoing on remote interface is valid
ipchains -A $staticif"-o" -j ACCEPT -i $staticif -s $staticip/32 -d 0/0
#all other outgoing is denied and logged
ipchains -A $staticif"-o" -j DENY -s 0/0 -d 0/0 -l
#---------------------------------------------------------------------
#create new output chain for local ethernet interface
ipchains -N $localif"-o"
#flush all rules in chain (sanity flush)
ipchains -F $localif"-o"
#local interface, any source going to local net is valid
ipchains -A $localif"-o" -j ACCEPT -i $localif -s 0/0 -d $localip/24
#all other outgoing is denied and logged
ipchains -A $localif"-o" -j DENY -s 0/0 -d 0/0 -l
#---------------------------------------------------------------------
#create new output chain for loopback interface
ipchains -N $loopback"-o"
#flush all rules in chain (sanity flush)
ipchains -F $loopback"-o"
#loopback interface is valid
ipchains -A $loopback"-o" -j ACCEPT -i $loopback -s 0/0 -d 0/0
#all other outgoing is denied and logged
ipchains -A $loopback"-o" -j DENY -s 0/0 -d 0/0 -l
#--------------------------------------------------------------------------
#make sure forwarding is enabled in the kernel
#--------------------------------------------------------------------------
/bin/echo 1 > /proc/sys/net/ipv4/ip_forward
#--------------------------------------------------------------------------
#Add pointers to built-in chains to enable user defined chains
#change the order in each chain to optimize filtering for an interface
#--------------------------------------------------------------------------
#add local interface input chain
ipchains -A input -i $localif -j $localif"-i"
#add static interface input chain
ipchains -A input -i $staticif -j $staticif"-i"
#add loopback interface input chain
ipchains -A input -i $loopback -j $loopback"-i"
#-------------------------------------------------------------------------
#add local interface output chain
ipchains -A output -i $localif -j $localif"-o"
#add static interface output chain
ipchains -A output -i $staticif -j $staticif"-o"
#add loopback interface output chain
ipchains -A output -i $loopback -j $loopback"-o"
#-------------------------------------------------------------------------
#add local interface forward chain
ipchains -A forward -i $localif -j $localif"-f"
#add static interface forward chain
ipchains -A forward -i $staticif -j $staticif"-f"
#add loopback interface forward chain
ipchains -A forward -i $loopback -j $loopback"-f"
#---------------------------------------------------------------------
#Super Paranoid check --- even though default policy is set for deny,
#block all packets on any interface
#---------------------------------------------------------------------
#all other incoming is denied and logged
ipchains -A input -j DENY -s 0/0 -d 0/0 -l
#all other output is denied and logged
ipchains -A output -j DENY -s 0/0 -d 0/0 -l
#all other forwarding is denied and logged
ipchains -A forward -j DENY -s 0/0 -d 0/0 -l
exit 0
Next Previous Contents