ipchains firewall

 
#!/bin/sh
#
# Startup script to implement /etc/sysconfig/ipchains pre-defined rules.
#
# chkconfig: 345 90 92
#
# description: Automates a packet filtering firewall with ipchains.
#
# Script Author:	Joshua Jensen <joshua@redhat.com>
#   -- hacked up by gafton with help from notting
#
# Script modified by:   Stephen Fisher <fisher@aya.yale.edu>
#   borrowing code from:
#     http://www.yale.edu/its/security/Procedures/Securing/Unix/ipchains.html
#
# 06/14/00 Script modified by: 
# Paul Gluhosky, James Szinger, and Chuck Powell (Workstation Support)
# to enable chkconfig setup, active FTP, and efficient logging of 
# unauthorized connections to telnet, smtp, and finger ports

# Source the Red Hat init-script helpers; this is where success, failure
# and action (used by the start/stop/panic branches below) come from.
. /etc/rc.d/init.d/functions

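EXTERNAL_INTERFACE="eth0"
LOOPBACK_INTERFACE="lo"

# Either hardcode your IP address and uncomment the following line:
# IPADDR="130.132.x.x"
# or (if you are using DHCP) try using the following, which reads the
# address off the interface when the script runs.  It depends on the
# net-tools ifconfig output format ("inet addr:A.B.C.D ...").
IPADDR="$(/sbin/ifconfig "$EXTERNAL_INTERFACE" | /bin/grep 'inet addr:' | /bin/sed -e 's/^.*inet addr://' -e 's/ .*//')"

# An empty IPADDR (interface down, no DHCP lease yet, or a changed
# ifconfig output format) would turn every "-d $IPADDR <port>" rule
# below into something other than what was intended, so report it
# instead of silently building a ruleset around an empty address.
if [ -z "$IPADDR" ]; then
    echo "FIREWALL: could not determine the address of $EXTERNAL_INTERFACE; rules that refer to IPADDR will be wrong or rejected." >&2
fi

LOOPBACK="127.0.0.0/8"
BROADCAST_SRC="0.0.0.0"
BROADCAST_DEST="255.255.255.255"
# RFC 1918 private ranges, kept for site-specific rules; the default
# ruleset in this script does not reference them.
CLASS_A="10.0.0.0/8"
CLASS_B="172.16.0.0/12"
CLASS_C="192.168.0.0/16"
# ipchains spelling of "match any source/destination"
ANYWHERE="any/0"
# Site resolvers allowed to answer DNS on udp/53
NAMESERVER_1="130.132.1.11"
NAMESERVER_2="130.132.1.9"
NAMESERVER_3="130.132.1.10"
# Backup (ADSM) server allowed to connect to the client on tcp/1501
ADSMSERVER="130.132.43.6"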

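# Nothing to do on a host without the ipchains binary; exit quietly so
# chkconfig/init do not report an error.
if [ ! -x /sbin/ipchains ]; then
    exit 0
fi

case "$1" in
  start)
	# Enable TCP SYN Cookie protection (resistance to SYN-flood
	# connection-table exhaustion)
	echo -n "Enabling TCP SYN Cookie protection:"
	echo 1 >/proc/sys/net/ipv4/tcp_syncookies && 
	    success "Enabling TCP SYN Cookie protection" || 
	    failure "Enabling TCP SYN Cookie protection"
	echo

	# Enable IP spoofing protection, turn on Source Address Verification
	# (rp_filter on every interface, including ones added later via "all")
	if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
	    echo -n "Setting up IP spoofing protection:"
	    for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
		echo 1 > "$f"
	    done && 
		success "Setting up IP spoofing protection" || 
		failure "Setting up IP spoofing protection"
	    echo
	else
	    echo "FIREWALL: PROBLEMS SETTING UP IP SPOOFING PROTECTION.  BE WORRIED."
	fi

	# Clear out existing chains and start with all default chains using
	# ACCEPT policy.  NOTE: "stop" also sets the forward chain to ACCEPT
	# and nothing below changes it back, so this ruleset only protects
	# the host itself; it does not filter anything this box might route.
	"$0" stop

	echo -n "Applying ipchains policies:"

	# Every rule below is joined with && so that the first ipchains call
	# that fails aborts the rest and is reported by "failure".  Because
	# the input policy is set to DENY first, a partially applied ruleset
	# fails closed rather than open.  Keep the trailing && on each rule;
	# a rule without it drops every rule before it out of the report.

	# Set the default policy to deny
	ipchains -P input DENY && 

	# Allow outgoing -- taken care of by "stop"
	# Although this rule is the default for ipchains, it is good to be explicit
	ipchains -P output ACCEPT && 

	# Allow all incoming established connections
	# the ! -y option requires the ACK flag to be set in a TCP message
	# indicating an initial response to a connection or an ongoing
	# establish connection.  ipchains has no connection tracking, so this
	# accepts any ACK-bearing segment to any port, not only replies to
	# connections this host opened.
	ipchains -A input -i "$EXTERNAL_INTERFACE" -p tcp ! -y -j ACCEPT && 
		    
	# Allow incoming SSH connections
	# the -y option requires the SYN flag to be set and the ACK flag
	# to be cleared in a TCP message, indicating a connection request
	ipchains -A input -i "$EXTERNAL_INTERFACE" -p tcp -y -s "$ANYWHERE" -d "$IPADDR" 22 -j ACCEPT && 
		    
	# Allow ADSM server to connect to default port on client
	ipchains -A input -i "$EXTERNAL_INTERFACE" -p tcp -s "$ADSMSERVER" 1501 -d "$IPADDR" -j ACCEPT && 

	# Allow incoming DNS connections (replies from the site resolvers only)
	ipchains -A input -i "$EXTERNAL_INTERFACE" -p udp -s "$NAMESERVER_1" 53 -d "$IPADDR" -j ACCEPT && 
	ipchains -A input -i "$EXTERNAL_INTERFACE" -p udp -s "$NAMESERVER_2" 53 -d "$IPADDR" -j ACCEPT && 
	ipchains -A input -i "$EXTERNAL_INTERFACE" -p udp -s "$NAMESERVER_3" 53 -d "$IPADDR" -j ACCEPT && 

	# Allow full access to all machines on trusted 130.132.x.0/24 network 
	#ipchains -A input -i "$EXTERNAL_INTERFACE" -p tcp -s 130.132.x.0/24 -d "$IPADDR" -j ACCEPT && 

	# NOTE ABOUT PRINTING WITH LPD
	# LPD uses a primitive form of authentication that requires the
	# printer to connect back to the client. The following rule will
	# allows all communication to and from the printer
	#ipchains -A input -i "$EXTERNAL_INTERFACE" -p tcp -s "$PRINTER" -d "$IPADDR" -j ACCEPT && 

	# Allow outgoing active FTP - ONLY IF YOU MUST
	# Instead you can use ncftp or a Web browser which both
	# default to passive FTP
	#ipchains -A input -i "$EXTERNAL_INTERFACE" -p tcp -s "$ANYWHERE" -d "$IPADDR" 1024: -j ACCEPT && 

	# To enable ping, traceroute etc.
	# This accepts every ICMP type from anywhere; tighten it if the host
	# does not need to be reachable by ping.
	ipchains -A input -i "$EXTERNAL_INTERFACE" -p ICMP -s "$ANYWHERE" -d "$IPADDR" -j ACCEPT && 

	# Log attempts to "forbidden" telnet, smtp, finger ports
	# (the DENY policy would drop these anyway; REJECT with -l exists so
	# the attempts show up in the kernel log)
	ipchains -A input -i "$EXTERNAL_INTERFACE" -p TCP -d "$IPADDR" 23 -l -j REJECT && 
	ipchains -A input -i "$EXTERNAL_INTERFACE" -p TCP -d "$IPADDR" 25 -l -j REJECT && 
	ipchains -A input -i "$EXTERNAL_INTERFACE" -p TCP -d "$IPADDR" 79 -l -j REJECT && 

	# Allow loopback connection to the loopback interface
	ipchains -A input -i "$LOOPBACK_INTERFACE" -p all -d "$LOOPBACK" -j ACCEPT && 
	# Allow loopback connection to local IP address
	ipchains -A input -i "$LOOPBACK_INTERFACE" -p all -d "$IPADDR" -j ACCEPT && 

	success "Applying ipchains policies" || 
	failure "Applying ipchains policies"
	echo

	touch /var/lock/subsys/ipchains
	;;

  stop)
	# Flush everything and return to an all-ACCEPT policy: after "stop"
	# the host is unfiltered.
	action "Flushing all chains:" ipchains -F
	action "Removing user defined chains:" ipchains -X
	action "Zeroing out packet and byte counters:" ipchains -Z
	echo -n "Resetting built-in chains to the default ACCEPT policy:"
	ipchains -P input ACCEPT && 
	    ipchains -P forward ACCEPT && 
	    ipchains -P output ACCEPT && 
	  success "Resetting built-in chains to the default ACCEPT policy" || 
	  failure "Resetting built-in chains to the default ACCEPT policy"
	echo
	rm -f /var/lock/subsys/ipchains
	;;

  restart)
	# "restart" is really just "start" as this isn't a daemon,
	#  and "start" clears any pre-defined rules anyway.
	#  This is really only here to make those who expect it happy
	"$0" start
	;;

  status)
	# Numeric listing (no DNS lookups) of all chains
	ipchains -nL
	;;

  panic)
	# Deny everything in every direction, then drop the rules: the
	# policies are set first so there is no window with an empty,
	# all-ACCEPT chain.
	echo -n "Changing target policies to DENY: "	
	ipchains -P input DENY && 
	    ipchains -P forward DENY && 
	    ipchains -P output DENY && 
	  success "Changing target policies to DENY" || 
	  failure "Changing target policies to DENY"
	action "Flushing all chains:" ipchains -F
	action "Removing user defined chains:" ipchains -X
	;;

  *)
	echo "Usage: $0 {start|stop|restart|status|panic}"
	exit 1
esac

exit 0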