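#!/bin/sh
#
# rc.firewall	iptables
#
# chkconfig: 2345 9 91
# description: Example netfilter setup version 0.1 by Anthony C. Zboralski \
# Warning this is experimental, I don't guarantee this is 100% \
# secure, it just does the work fine for me and i thought \
# it could be a good jumpstart for people new to netfilter. \
# Now I am waiting for your corrections, suggestions and \
# critics :) Also I am gonna write a small addon \
# for setting up dynamic rules cause i am tired of all \
# these programs with dynamics port like bind, xdm and rpc. \
# All mail go to acz@hert.org
#
# Order of the steps below matters: every table is flushed and every
# builtin policy set to DROP first, so the host stays closed while the
# chains are (re)built; INPUT/OUTPUT are only opened in the last step.
# Requires the rc helpers (show/busy/deltext/ok/is_yes/_modprobe) from
# /etc/rc.d/init.d/functions and IPV6_NETWORKING from /etc/sysconfig/network.

. /etc/rc.d/init.d/functions
. /etc/sysconfig/network

iptables=/usr/sbin/iptables
ip6tables=/usr/sbin/ip6tables

# Build the module list explicitly so _modprobe never receives an empty
# module name: the previous inline `"`is_yes ... && echo ip6_tables`"`
# expanded to "" whenever IPV6_NETWORKING was off.
fw_modules=ip_tables
if is_yes "$IPV6_NETWORKING" ; then
	fw_modules="$fw_modules ip6_tables"
fi
# word-splitting of $fw_modules is intentional: one argument per module
_modprobe single die -k -a $fw_modules

show "Flush standard tables and deny everything"
busy
$iptables --flush INPUT
$iptables --flush OUTPUT
$iptables --flush FORWARD
$iptables --table nat --flush OUTPUT
$iptables --table nat --flush PREROUTING
$iptables --table nat --flush POSTROUTING
$iptables --policy INPUT DROP
$iptables --policy OUTPUT DROP
$iptables --policy FORWARD DROP
if is_yes "$IPV6_NETWORKING" ; then
	$ip6tables --flush INPUT
	$ip6tables --flush OUTPUT
	$ip6tables --flush FORWARD
	# nat table lines kept commented as in the original: ip6tables had
	# no nat table when this was written (verify on the running kernel)
#	$ip6tables --table nat --flush OUTPUT
#	$ip6tables --table nat --flush PREROUTING
#	$ip6tables --table nat --flush POSTROUTING
	$ip6tables --policy INPUT DROP
	$ip6tables --policy OUTPUT DROP
	$ip6tables --policy FORWARD DROP
fi
deltext ; ok

# User-defined chains are listed by awk (every "Chain NAME" line except
# the builtin ones), flushed, and only then deleted in a second pass: a
# chain that is still referenced by a rule cannot be deleted.
CHAINS=$($iptables -n -L | awk '($1 ~ /^Chain/) && !($2 ~ /^(INPUT|OUTPUT|FORWARD)$/) {print $2}')
# $CHAINS is deliberately unquoted: show() takes a printf-style format
# followed by the chain names as separate arguments
show "Remove remaining chains %s:" $CHAINS
busy
for chain in $CHAINS; do
	$iptables --flush "$chain"
done
for chain in $CHAINS; do
	$iptables --delete-chain "$chain"
done
CHAINS=$($iptables -t nat -n -L | awk '($1 ~ /^Chain/) && !($2 ~ /^(OUTPUT|PREROUTING|POSTROUTING)$/) {print $2}')
for chain in $CHAINS; do
	$iptables -t nat --flush "$chain"
done
for chain in $CHAINS; do
	$iptables -t nat --delete-chain "$chain"
done
if is_yes "$IPV6_NETWORKING" ; then
	CHAINS=$($ip6tables -n -L | awk '($1 ~ /^Chain/) && !($2 ~ /^(INPUT|OUTPUT|FORWARD)$/) {print $2}')
	for chain in $CHAINS; do
		$ip6tables --flush "$chain"
	done
	for chain in $CHAINS; do
		$ip6tables --delete-chain "$chain"
	done
#	CHAINS=$($ip6tables -t nat -n -L | awk '($1 ~ /^Chain/) && !($2 ~ /^(OUTPUT|PREROUTING|POSTROUTING)$/) {print $2}')
#	for chain in $CHAINS; do
#		$ip6tables -t nat --flush "$chain"
#	done
#	for chain in $CHAINS; do
#		$ip6tables -t nat --delete-chain "$chain"
#	done
fi
deltext ; ok

# With ipchains a MASQ forward target was enough; with netfilter
# masquerading needs routing enabled in the kernel as a separate step.
# NOTE: rp_filter=0 switches off the kernel's reverse-path (source
# address) anti-spoofing check on every interface, and nothing in the
# rules below replaces it. Leave it at 1 (or disable it per interface)
# unless asymmetric routing actually requires this.
show "Enable IP forwarding and turn off rp_filter for all interfaces"
busy
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
if is_yes "$IPV6_NETWORKING" ; then
	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
fi
deltext ; ok

show "Load modules needed by NAT"
busy
_modprobe die -k -a ip_conntrack ip_conntrack_ftp ip_nat_ftp # ip_nat_snmp_basic
deltext ; ok

# LDROP: log the packet, then drop it. These LOG rules carry no
# "-m limit" (unlike WATCH below), so a burst of dropped traffic becomes
# a burst of syslog lines; add a limit match here if log volume matters.
show "Create a target for logging and dropping packets"
busy
$iptables --new LDROP 2>/dev/null
$iptables -A LDROP --proto tcp -j LOG --log-level info --log-prefix "TCP Drop "
$iptables -A LDROP --proto udp -j LOG --log-level info --log-prefix "UDP Drop "
$iptables -A LDROP --proto icmp -j LOG --log-level info --log-prefix "ICMP Drop "
$iptables -A LDROP --proto gre -j LOG --log-level info --log-prefix "GRE Drop "
$iptables -A LDROP -f -j LOG --log-level emerg --log-prefix "FRAG. Drop "
$iptables -A LDROP -j DROP
if is_yes "$IPV6_NETWORKING" ; then
	# the IPv6 LDROP chain drops silently: the LOG rules are commented
	# out as in the original (presumably no ip6tables LOG support then)
	$ip6tables --new LDROP 2>/dev/null
#	$ip6tables -A LDROP --proto tcp -j LOG --log-level info --log-prefix "TCP Drop "
#	$ip6tables -A LDROP --proto udp -j LOG --log-level info --log-prefix "UDP Drop "
#	$ip6tables -A LDROP --proto icmp -j LOG --log-level info --log-prefix "ICMP Drop "
#	$ip6tables -A LDROP --proto gre -j LOG --log-level info --log-prefix "GRE Drop "
#	$ip6tables -A LDROP -f -j LOG --log-level emerg --log-prefix "FRAG. Drop "
	$ip6tables -A LDROP -j DROP
fi
deltext ; ok

# WATCH: rate-limited log of accepted packets, then ACCEPT.
show "Create a target for watching some accepting rules"
busy
$iptables --new WATCH 2>/dev/null
$iptables -A WATCH -m limit -j LOG --log-level warn --log-prefix "ACCEPT "
$iptables -A WATCH -j ACCEPT
if is_yes "$IPV6_NETWORKING" ; then
	$ip6tables --new WATCH 2>/dev/null
#	$ip6tables -A WATCH -m limit -j LOG --log-level warn --log-prefix "ACCEPT "
	$ip6tables -A WATCH -j ACCEPT
fi
deltext ; ok

# The ICMP chain is only jumped to from INPUT; ICMP on OUTPUT and FORWARD
# is governed by those chains' policies alone. Redirects, source quench,
# timestamp and address-mask queries are logged and dropped; error
# messages needed by TCP/IP (unreachables, time-exceeded, ...) pass.
show "Enforcing up ICMP policies, use iptables -L ICMP to check"
busy
# If you deny all ICMP messages you head for trouble since it would
# break lots of tcp/ip algorithm (acz)
$iptables --new ICMP 2>/dev/null
$iptables -A INPUT --proto icmp -j ICMP
$iptables -A ICMP -p icmp --icmp-type echo-reply -j ACCEPT
$iptables -A ICMP -p icmp --icmp-type destination-unreachable -j WATCH
$iptables -A ICMP -p icmp --icmp-type network-unreachable -j WATCH
$iptables -A ICMP -p icmp --icmp-type host-unreachable -j WATCH
$iptables -A ICMP -p icmp --icmp-type protocol-unreachable -j WATCH
$iptables -A ICMP -p icmp --icmp-type port-unreachable -j ACCEPT
$iptables -A ICMP -p icmp --icmp-type fragmentation-needed -j LDROP
$iptables -A ICMP -p icmp --icmp-type source-route-failed -j WATCH
$iptables -A ICMP -p icmp --icmp-type network-unknown -j WATCH
$iptables -A ICMP -p icmp --icmp-type host-unknown -j WATCH
$iptables -A ICMP -p icmp --icmp-type network-prohibited -j WATCH
$iptables -A ICMP -p icmp --icmp-type host-prohibited -j WATCH
$iptables -A ICMP -p icmp --icmp-type TOS-network-unreachable -j WATCH
$iptables -A ICMP -p icmp --icmp-type TOS-host-unreachable -j WATCH
$iptables -A ICMP -p icmp --icmp-type communication-prohibited -j WATCH
$iptables -A ICMP -p icmp --icmp-type host-precedence-violation -j LDROP
$iptables -A ICMP -p icmp --icmp-type precedence-cutoff -j LDROP
$iptables -A ICMP -p icmp --icmp-type source-quench -j LDROP
$iptables -A ICMP -p icmp --icmp-type redirect -j LDROP
$iptables -A ICMP -p icmp --icmp-type network-redirect -j LDROP
$iptables -A ICMP -p icmp --icmp-type host-redirect -j LDROP
$iptables -A ICMP -p icmp --icmp-type TOS-network-redirect -j LDROP
$iptables -A ICMP -p icmp --icmp-type TOS-host-redirect -j LDROP
$iptables -A ICMP -p icmp --icmp-type echo-request -j WATCH
$iptables -A ICMP -p icmp --icmp-type router-advertisement -j WATCH
$iptables -A ICMP -p icmp --icmp-type router-solicitation -j WATCH
$iptables -A ICMP -p icmp --icmp-type time-exceeded -j WATCH
$iptables -A ICMP -p icmp --icmp-type ttl-zero-during-transit -j WATCH
$iptables -A ICMP -p icmp --icmp-type ttl-zero-during-reassembly -j WATCH
$iptables -A ICMP -p icmp --icmp-type parameter-problem -j WATCH
$iptables -A ICMP -p icmp --icmp-type ip-header-bad -j WATCH
$iptables -A ICMP -p icmp --icmp-type required-option-missing -j WATCH
$iptables -A ICMP -p icmp --icmp-type timestamp-request -j LDROP
$iptables -A ICMP -p icmp --icmp-type timestamp-reply -j LDROP
$iptables -A ICMP -p icmp --icmp-type address-mask-request -j LDROP
$iptables -A ICMP -p icmp --icmp-type address-mask-reply -j LDROP
# anything not matched above (unknown ICMP types) is logged and dropped
$iptables -A ICMP -p icmp -j LDROP
deltext ; ok

show "Authorize packet input and output"
busy
# Insert your rules here
# NOTE: with nothing inserted above, the end state of this script is
# INPUT and OUTPUT policy ACCEPT (only ICMP is filtered, via the ICMP
# chain) while FORWARD stays DROP from the flush step. Restrictive rules
# belong before these policy changes, and once they exist the INPUT
# policy should stay DROP rather than be opened here.
$iptables --policy INPUT ACCEPT
$iptables --policy OUTPUT ACCEPT
$iptables --table nat --policy PREROUTING ACCEPT
$iptables --table nat --policy POSTROUTING ACCEPT
$iptables --table nat --policy OUTPUT ACCEPT
if is_yes "$IPV6_NETWORKING" ; then
	$ip6tables --policy INPUT ACCEPT
	$ip6tables --policy OUTPUT ACCEPT
#	$ip6tables --table nat --policy PREROUTING ACCEPT
#	$ip6tables --table nat --policy POSTROUTING ACCEPT
#	$ip6tables --table nat --policy OUTPUT ACCEPT
fi
deltext ; ok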