#!/bin/bash # pppFirewall.sh # # Sets up a firewall using ip4tables (standard for Linux-Kernel 2.4) # # usable as template for software-router (local net) # # Date: 2003-04-17 # Author: Michael Besteck, mbr@freenet.de # Related informations: http://home.arcor.de/a.b.c/TechInfo/LinuxOnGericom.html # A few lines are overtaken from the iptables-source-package # License: GPL (Gnu Public License) # # Status of this script: TESTING # # This enables: # DNS requests to internet # active FTP # SMTP-Email send, POP3 Email receive, also on secure connections (TLS/SSL) # http and https connections (surfing internet) # RealPlayer # # Echo (ping-command) via icmp#0 disabled (see below) # ############################################################################ # **** YOU ARE SELF RESPONSIBLE FOR THE SECURITY OF YOUR OWN SYSTEM !!! **** ############################################################################ # # # Must be run as root # # RealPlayer ports not completely checked - still a superset of minimum flow # # services ipchains (and ip6tables) in System.services on RedHat # _must_ be disabled # Once iptables are running _do_not_use_ipchains/lockit-firewall_anymore_ ! # See RedHat- and iptable-docs for further details. # # This is for a fully trusted (local-)network connection # via eth and internet access via ppp+ # allows all local traffic # restricts traffic from/to internet via ppp+ # as is, _only_ active ftp, not passive # details: http://ContemporaryCodes.com/LinuxOnGericom/index.html # # This script is _very_ detailed, lots of redundancy, # for a special purpose this script can be reduced dramatically in size. # But this way experiments for extensions and modifications # are more easy to be done. # And need to be done (forward/realPlayer/winMedia/...)... 
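# Some commands are disabled because the corresponding service is not enabled.
# Some commands are disabled just for networking tests on the local net
# and must NOT be uncommented while the box is connected to the internet.
#
# Good tool for testing purposes: iptraf
#
# PORT-INFOS: SEE END OF DOCUMENT
#
echo "pppFirewall_a.sh running..."

# Only root may change the netfilter tables.  The check compares the numeric
# uid (robust against a renamed superuser account) and exits NON-zero, so
# that a wrapper or init script notices the refusal (the original exited 0).
# EXEC_USER is still set for anything that reads it after this point.
EXEC_USER=$(whoami)
if [ "$(id -u)" -ne 0 ] ; then
  echo "This script must be run as root. terminated." >&2
  exit 1
fi

# NOTE(review): the original ran '/sbin/service iptables stop' at this point.
# On RedHat that flushes all rules AND sets every policy to ACCEPT, i.e. the
# host is wide open from here until the DROP policies are installed further
# down.  The script's own reset (policies first, then -F/-X) already gives a
# clean slate, so the stop is no longer issued.  Re-enable it only if you
# rely on the service script to unload iptables modules between runs.
#echo "stopping iptables ..."
#/sbin/service iptables stop
echo "configuring ..."

#####################################################################
# Configurations
#####################################################################
# en- or disable logging of dropped packets to the system log
# (-> /var/log/messages).  THIS _MUST_ BE SET TO "1" FOR fiwali.sh TO WORK.
# declare -i DEBUG_DROP=0 # disable
declare -i DEBUG_DROP=1 # enable

# en- or disable the firewall (SECURITY RISK!)
declare -i ALLOW_ALL=0 # regular
#declare -i ALLOW_ALL=1 # no firewall function: all traffic passes

# en- or disable _any_ traffic on non-"system" ports
# (port-nr. = [1024, 65535]) (POSSIBLE SECURITY RISK!)
declare -i ALLOW_ALL_HIP=0 # regular
#declare -i ALLOW_ALL_HIP=1 # risky, but
# RealPlayer needs HIP-access to connect to 127.0.0.1

# en- or disable _any_ traffic on non-"system" ports EXCEPT the X-Window
# ports 6000-6063 (port-nr. = [1024, 65535]) (POSSIBLE SECURITY RISK!)
declare -i ALLOW_ALL_HIP_BUT_XWIN=0 # regular
#declare -i ALLOW_ALL_HIP_BUT_XWIN=1 # risky, but
# RealPlayer needs HIP-access to connect to 127.0.0.1

# en- or disable forwarding
# _only_ needed for
# 1. sharing the internet connection with the local net
# 2. acting as a router
declare -i ALLOW_FORWARD=0 # regular
#declare -i ALLOW_FORWARD=1 # (the original's commented line had a typo: ALLOW_FORWARDP)

# en- or disable _all_ RealPlayer related ports
# POSSIBLE SECURITY RISK !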
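declare -i ALLOW_REALPLAY=0 # disable RealPlayer
#declare -i ALLOW_REALPLAY=1 # this surely needs adjustment

declare -i ALLOW_WINMEDIA=0 # disable
#declare -i ALLOW_WINMEDIA=1 # enable

# INCOMING echo / PING via icmp (see the icmp_packets chain for what the
# flag actually opens: icmp type 0 = echo reply)
declare -i ALLOW_ECHOPING=0 # disable
#declare -i ALLOW_ECHOPING=1 # enable

#####################################################################
# System-dependent definitions
#####################################################################
IPTABLES="/sbin/iptables"
IPTABLES_SAVE="${IPTABLES}-save"
LOCALHOST="127.0.0.1"
NETHOSTS="10.10.10/24 10.20.20/24"
# At least the ip-addr. of the running system (if one is defined that
# differs from 127.0.0.1) must be listed here - everything in
# LOCALNETHOSTS is treated as fully trusted when it does not come via ppp+.
LOCALNETHOSTS="${LOCALHOST} ${NETHOSTS}"

# For _test_: _to_be_detailed/restricted_,
# does not yet differ between udp and tcp.
# Modifications also in conjunction with RealPlayer-settings!!
# Port 1090 is default for PNA-Proxy.
# At least RealPlayer works this way.
REALPLAY_OUT_PORTS="554 5540 7070 8080 8554"   # ports on the remote streaming server
REALPLAY_IN_PORTS="554 6970:7170 8554"         # local ports
#REALPLAY_IN_PORTS="6970:7170"                 # local ports
# -> OUTPUT: TCP 554, 5540, 7070, 8080, 8554
# -> OUTPUT: UDP 554, 5540, 7070, 8080, 8554
# -> INPUT:  TCP 554, [6970-7170], 8554
# -> INPUT:  UDP 554, [6970-7170], 8554

# Where the iptables-config is stored first (current directory).
# NOTE(review): run the script from a directory only root can write to;
# a writable shared directory would let another user swap this file
# between "save" and "install".
CONFNAME="./pppFirewall_a.iptables.conf"
# The final destination of the config.
DESTNAME="/etc/sysconfig/iptables"
# Postfix for the backup of the previous config.
# DATESTAMP keeps the original "command string" form for compatibility;
# STAMP is built with $(...) instead of backticks.
DATEFMT='+%Y-%m-%d_%H:%M:%S'
DATESTAMP="date ${DATEFMT}"
STAMP="until_$(date "${DATEFMT}")"

#####################################################################
## For systems that use iptables as "add-on" - _not_ needed for RH7.3
#####################################################################
#
# initially load modules
#
#/sbin/depmod -a
#
# Adds some iptables targets like LOG, REJECT and MASQUERADE.
#
#/sbin/modprobe ipt_LOG
#/sbin/modprobe ipt_REJECT
#/sbin/modprobe ipt_MASQUERADE
#
# Support for owner matching
#
#/sbin/modprobe ipt_owner
#
# Support for connection tracking of FTP and IRC.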
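#
#/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc
#
# NOTE(review): the rules below use '-m state' (ip_conntrack) and, for
# active-FTP data connections, the ip_conntrack_ftp helper.  On RH7.3 the
# iptables service loads them; on other systems uncomment the modprobes.
#
# prepare kernel
#
# echo "1" >/proc/sys/net/ipv4/ip_dynaddr ;
#
# Keep the kernel forwarding switch in sync with ALLOW_FORWARD (set above).
# The FORWARD policy is DROP anyway, but a stand-alone box should not have
# routing switched on at all.  Skipped when /proc is not writable (e.g. a
# syntax check as non-root).
if [ -w /proc/sys/net/ipv4/ip_forward ] ; then
  if [ "${ALLOW_FORWARD:-0}" -eq 1 ] ; then
    echo "1" > /proc/sys/net/ipv4/ip_forward
  else
    echo "0" > /proc/sys/net/ipv4/ip_forward
  fi
fi

#####################################################################
# reset the default policies in the filter table.
# all packets not matched by another rule will be dropped.
# Policies are set BEFORE flushing so that there is no moment in which
# the old rules are gone and the policy is still ACCEPT.
#####################################################################
for chain in INPUT FORWARD OUTPUT ; do
  $IPTABLES -t filter -P "$chain" DROP
done
#
# set the default policies in the nat table.
#
for chain in PREROUTING POSTROUTING OUTPUT ; do
  $IPTABLES -t nat -P "$chain" ACCEPT
done
#
# reset the default policies in the mangle table.
#
for chain in PREROUTING OUTPUT ; do
  $IPTABLES -t mangle -P "$chain" ACCEPT
done
#
# flush all the rules in the filter, nat and mangle tables.
#
for table in filter nat mangle ; do
  $IPTABLES -t "$table" -F
done
#
# erase all chains that are not default in the filter, nat and mangle tables.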
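#
# delete all user-defined chains (empty after the -F above)
$IPTABLES -t filter -X
$IPTABLES -t nat -X
$IPTABLES -t mangle -X

#####################################################################
### NEW TABLES DEFINITIONS
#####################################################################
#
# Separate chains for ICMP, TCP and UDP arriving on ppp+ (jumped to from
# INPUT), plus TCPallowed, the chain that decides whether a TCP flow is let in.
#
for chain in icmp_packets udpincoming_packets tcp_packets TCPallowed ; do
  $IPTABLES -N "$chain"
done

# Source addresses that can never legitimately arrive on the dial-up link:
# the three RFC 1918 ranges (the original list) plus the loopback net.
# Used by the anti-spoofing rules in PREROUTING and INPUT.
SPOOFED_NETS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8"

# Syntax note: '-i ! ppp+' is the old (pre-1.4.3) negation form this script
# was written for; newer iptables warns and prefers '! -i ppp+'.

#####################################################################
### PREROUTING TABLE (nat) - for packets creating new connections
### Only the first packet of a connection traverses the nat table, and
### ACCEPT here only means "do not NAT this packet" - it does NOT bypass
### the filter table.  The real filtering happens in INPUT/FORWARD.
#####################################################################

# Do some checks for obviously spoofed IP's
# (local net addresses not accepted from ppp+).
# These rules come FIRST on purpose: in the original order the media/HIP
# ACCEPTs below preceded them, so a spoofed packet aimed at one of those
# ports skipped the check altogether.
# THIS HAS TO BE MODIFIED WHEN ACTING AS ROUTER FOR THE LOCAL NET
for net in ${SPOOFED_NETS} ; do
  if [ ${DEBUG_DROP} -eq 1 ] ; then
    $IPTABLES -t nat -A PREROUTING -i ppp+ -s "$net" -j LOG --log-level DEBUG --log-prefix "DROP.PREROUTING-nat:"
  fi
  $IPTABLES -t nat -A PREROUTING -i ppp+ -s "$net" -j DROP
done

if [ ${ALLOW_ALL} -eq 1 ] ; then
  $IPTABLES -t nat -A PREROUTING -j ACCEPT
fi
if [ ${ALLOW_ALL_HIP} -eq 1 ] ; then
  for proto in tcp udp ; do
    $IPTABLES -t nat -A PREROUTING -p $proto --dport 1024: -j ACCEPT
  done
fi
if [ ${ALLOW_ALL_HIP_BUT_XWIN} -eq 1 ] ; then
  for proto in tcp udp ; do
    $IPTABLES -t nat -A PREROUTING -p $proto --dport 1024:5999 -j ACCEPT
    $IPTABLES -t nat -A PREROUTING -p $proto --dport 6064: -j ACCEPT
  done
fi
# media streams
if [ ${ALLOW_REALPLAY} -eq 1 ] ; then
  for rpx in ${REALPLAY_IN_PORTS} ; do
    for proto in udp tcp ; do
      $IPTABLES -t nat -A PREROUTING -p $proto --dport "$rpx" -j ACCEPT
    done
  done
fi
# Port 8000,8184 = WinMedia
if [ ${ALLOW_WINMEDIA} -eq 1 ] ; then
  for port in 8000 8184 ; do
    for proto in udp tcp ; do
      $IPTABLES -t nat -A PREROUTING -p $proto --destination-port $port -j ACCEPT
    done
  done
fi

#####################################################################
### INPUT TABLE
#####################################################################

# Anti-spoofing in the filter table as well (the nat check above only sees
# the first packet of a connection).  Placed before every ACCEPT, including
# ALLOW_ALL: nothing with a private or loopback source belongs on ppp+.
for net in ${SPOOFED_NETS} ; do
  if [ ${DEBUG_DROP} -eq 1 ] ; then
    $IPTABLES -A INPUT -i ppp+ -s "$net" -j LOG --log-level DEBUG --log-prefix "DROP.INPUT-spoof:"
  fi
  $IPTABLES -A INPUT -i ppp+ -s "$net" -j DROP
done

if [ ${ALLOW_ALL} -eq 1 ] ; then
  $IPTABLES -A INPUT -j ACCEPT
fi
# High ports.  The original accepted tcp 6000: but udp 6064:, i.e. the X11
# range was open for TCP (the protocol X actually uses) and closed for UDP.
# ALLOW_ALL_HIP now means the full range for both protocols, as documented,
# and ALLOW_ALL_HIP_BUT_XWIN - which had no INPUT rule at all before and was
# therefore a no-op - is the variant that keeps 6000-6063 closed.
if [ ${ALLOW_ALL_HIP} -eq 1 ] ; then
  for proto in udp tcp ; do
    $IPTABLES -A INPUT -p $proto --dport 1024: -j ACCEPT
  done
fi
if [ ${ALLOW_ALL_HIP_BUT_XWIN} -eq 1 ] ; then
  for proto in udp tcp ; do
    $IPTABLES -A INPUT -p $proto --dport 1024:5999 -j ACCEPT
    $IPTABLES -A INPUT -p $proto --dport 6064: -j ACCEPT
  done
fi

# allow any traffic inside the local net (fully trusted, see header)
for lhx in ${LOCALNETHOSTS} ; do
  $IPTABLES -A INPUT -i ! ppp+ -p ALL -d "$lhx" -j ACCEPT
done

# media streams
# media streams may arrive WITHOUT SYN !! (-> direct accept, from ANY interface)
if [ ${ALLOW_REALPLAY} -eq 1 ] ; then
  for rpx in ${REALPLAY_IN_PORTS} ; do
    for proto in udp tcp ; do
      $IPTABLES -A INPUT -p $proto --dport "$rpx" -j ACCEPT
    done
  done
fi
# Port 8000,8184 = WinMedia
if [ ${ALLOW_WINMEDIA} -eq 1 ] ; then
  for port in 8000 8184 ; do
    for proto in udp tcp ; do
      $IPTABLES -A INPUT -p $proto --destination-port $port -j ACCEPT
    done
  done
fi

# Take care of bad TCP packets that we don't want: a packet that is NEW to
# conntrack but carries no SYN (stealth scans, stale sessions after a
# reboot).  Always logged, independent of DEBUG_DROP.
$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j LOG \
  --log-prefix "New not syn (INPUT.DROP):"
$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

# Rules for incoming packets from the internet:
# process them in the protocol-specific chains.  NOTE: these chains are
# reached for ppp+ traffic ONLY, so '-i ! ppp+' rules inside them never match.
$IPTABLES -A INPUT -p icmp -i ppp+ -j icmp_packets
$IPTABLES -A INPUT -p tcp -i ppp+ -j tcp_packets
$IPTABLES -A INPUT -p udp -i ppp+ -j udpincoming_packets

# allow any input from the local net (every interface other than ppp+)
$IPTABLES -A INPUT -p icmp -i ! ppp+ -j ACCEPT
$IPTABLES -A INPUT -p tcp -i ! ppp+ -j ACCEPT
$IPTABLES -A INPUT -p udp -i ! ppp+ -j ACCEPT

# from another system...
# There are non-syn-ed accesses from lo to lo:3128 (squid)
# (part of local traffic, already covered by the rules above)
#$IPTABLES -A INPUT -p udp -i ! ppp+ --destination-port 3128 -j ACCEPT
#$IPTABLES -A INPUT -p tcp -i ! ppp+ --destination-port 3128 -j ACCEPT

# anything else will be dropped (other protocols, unmatched ppp+ traffic)
if [ ${DEBUG_DROP} -eq 1 ] ; then
  $IPTABLES -A INPUT -j LOG --log-level DEBUG --log-prefix "DROP.INPUT:"
fi
$IPTABLES -A INPUT -j DROP

#####################################################################
### OUTPUT TABLE
#####################################################################
if [ ${ALLOW_ALL} -eq 1 ] ; then
  $IPTABLES -A OUTPUT -j ACCEPT
fi
if [ ${ALLOW_ALL_HIP} -eq 1 ] ; then
  for proto in udp tcp ; do
    $IPTABLES -A OUTPUT -p $proto --sport 1024:5999 -j ACCEPT
    $IPTABLES -A OUTPUT -p $proto --sport 6064: -j ACCEPT
  done
fi
# allow any traffic inside the local net
for lhx in ${LOCALNETHOSTS} ; do
  $IPTABLES -A OUTPUT -o ! ppp+ -p all -s "$lhx" -j ACCEPT
done
# media streams
# maybe not SYN-ed (?)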
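if [ ${ALLOW_REALPLAY} -eq 1 ] ; then
  for rpx in ${REALPLAY_OUT_PORTS} ; do
    for proto in udp tcp ; do
      $IPTABLES -A OUTPUT -p $proto --dport "$rpx" -j ACCEPT
    done
  done
fi
# Port 8000,8184 = WinMedia
if [ ${ALLOW_WINMEDIA} -eq 1 ] ; then
  for port in 8000 8184 ; do
    for proto in udp tcp ; do
      $IPTABLES -A OUTPUT -p $proto --destination-port $port -j ACCEPT
    done
  done
fi

# drop not-SYNchronized tcp packets trying to instantiate a new connection
$IPTABLES -A OUTPUT -p tcp ! --syn -m state --state NEW -j LOG \
  --log-prefix "DROP.OUTPUT (New not syn):"
$IPTABLES -A OUTPUT -p tcp ! --syn -m state --state NEW -j DROP

# Experiences from another system...
# allow only local host to send everything via ppp+
# MAKES ONLY SENSE WITH PROXY (squid)
# $IPTABLES -A OUTPUT -p ALL -s 127.0.0.1 -j ACCEPT
# There are non-syn-ed accesses from lo to lo:3128 (squid)
# (ALL local traffic allowed)
#$IPTABLES -A OUTPUT -o ! ppp+ -p udp --destination-port 3128 -j ACCEPT
#$IPTABLES -A OUTPUT -o ! ppp+ -p tcp --destination-port 3128 -j ACCEPT
# limit test
#$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
#  --log-level DEBUG --log-prefix "IPT OUTPUT packet died: "

# allow any not yet dropped output.
# NOTE(review): this makes OUTPUT effectively "allow all".  The restriction
# of which internet services this box may use is enforced only indirectly,
# by which REPLIES the tcp_packets/udpincoming_packets chains let back in.
# Software that only needs to send (UDP, ICMP, one-way TCP) is not stopped.
$IPTABLES -A OUTPUT -p ALL -j ACCEPT
# anything else will be dropped
#if [ ${DEBUG_DROP} -eq 1 ] ; then
#  $IPTABLES -A OUTPUT -j LOG --log-level DEBUG --log-prefix "DROP.OUTPUT:"
#fi
#$IPTABLES -A OUTPUT -j DROP

#####################################################################
### FORWARD TABLE
### makes sense _only_ for Linux boxes running as router for a local net
### or sharing the internet connection (THEN it may be modified/restricted)
### ROUTED THROUGH THIS BOX
### _NO_ need to define for stand-alone systems
#####################################################################
#
# Helper: let local-net clients (! ppp+) open connections to the internet
# (ppp+) on the given protocol and destination port.  Replies come back
# through the ESTABLISHED,RELATED rule, so NO reverse "--source-port" rule
# is needed.
# SECURITY FIX: the original had '-i ppp+ -o ! ppp+ --source-port N -j ACCEPT'
# rules for 20/21/25/53/80/110/443/995 (and 8000/8184).  As they came after
# the state rule they could only ever match NEW packets, i.e. anybody on the
# internet could reach ANY port on the local net simply by sending from
# source port 80 (e.g. 'nmap -g 80').  Those rules are gone.
#
fwd_client() {
  $IPTABLES -A FORWARD -i ! ppp+ -o ppp+ -p "$1" --destination-port "$2" -j ACCEPT
}

if [ ${ALLOW_FORWARD} -eq 1 ] ; then
  if [ ${ALLOW_ALL} -eq 1 ] ; then
    $IPTABLES -A FORWARD -j ACCEPT
  fi
  if [ ${ALLOW_ALL_HIP} -eq 1 ] ; then
    # high ports (X11 range excluded); the --dport rules carry NO interface
    # restriction, so this also forwards internet -> local net
    for proto in udp tcp ; do
      $IPTABLES -A FORWARD -p $proto --dport 1024:5999 -j ACCEPT
      $IPTABLES -A FORWARD -p $proto --dport 6064: -j ACCEPT
      $IPTABLES -A FORWARD -i ! ppp+ -p $proto --sport 1024:5999 -j ACCEPT
      $IPTABLES -A FORWARD -i ! ppp+ -p $proto --sport 6064: -j ACCEPT
    done
  fi
  # Local net ok: traffic that stays inside the local net is never filtered
  $IPTABLES -A FORWARD -i ! ppp+ -o ! ppp+ -j ACCEPT

  # in conjunction with ip_conntrack_xxx: replies to everything allowed
  # below, plus helper-tracked connections (active-FTP data needs
  # ip_conntrack_ftp, and ip_nat_ftp when masquerading)
  $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

  # music streams (both directions, as in the original)
  if [ ${ALLOW_REALPLAY} -eq 1 ] ; then
    for rpx in ${REALPLAY_IN_PORTS} ${REALPLAY_OUT_PORTS} ; do
      for proto in udp tcp ; do
        $IPTABLES -A FORWARD -p $proto --dport "$rpx" -j ACCEPT
      done
    done
  fi
  # win media player : port 8000 and 8184, both directions by DESTINATION
  # port only (the original's --source-port variants had the bypass
  # described above)
  if [ ${ALLOW_WINMEDIA} -eq 1 ] ; then
    for port in 8000 8184 ; do
      for proto in tcp udp ; do
        $IPTABLES -A FORWARD -i ppp+ -p $proto --destination-port $port -j ACCEPT
        $IPTABLES -A FORWARD -o ppp+ -p $proto --destination-port $port -j ACCEPT
      done
    done
  fi

  ### services that local-net clients may use on the internet
  ### smtp (TCP only; the original's udp/25 rule could never carry mail)
  fwd_client tcp 25
  ### dns
  fwd_client tcp 53
  fwd_client udp 53
  ### pop3 / pop3s (SSL/TLS)
  fwd_client tcp 110
  fwd_client tcp 995
  ### ftp-data / ftp-control (as is, _only_ active ftp, see header)
  fwd_client tcp 20
  fwd_client tcp 21
  ### http / https (TCP only; the original also opened udp 80/443)
  # hint: _OLD_ real player versions: port 80 instead of 8080
  fwd_client tcp 80
  fwd_client tcp 443

  ### servers on the local net reachable FROM the internet
  # The original forwarded internet -> local net for dport 80/443 (and, by
  # source port, 25).  The INPUT side of this script explicitly blocks
  # http(s)/smtp requests from the internet, so these are opt-in now.
  # (They also need a DNAT rule when the local net is masqueraded.)
  #$IPTABLES -A FORWARD -i ppp+ -o ! ppp+ -p tcp --destination-port 25 -j ACCEPT
  #$IPTABLES -A FORWARD -i ppp+ -o ! ppp+ -p tcp --destination-port 80 -j ACCEPT
  #$IPTABLES -A FORWARD -i ppp+ -o ! ppp+ -p tcp --destination-port 443 -j ACCEPT

  ## D-A-N-G-E-R ???? -- WHAT _IS_ port 46 ?
  ## -> "Message Processing Module (MPM)- default send"
  ## needed when connected to win machines only (?)
  #$IPTABLES -A FORWARD -i eth+ -o ppp+ -p 46 -j ACCEPT
  #$IPTABLES -A FORWARD -o eth+ -i ppp+ -p 46 -j ACCEPT

  # anything else will be dropped
  if [ ${DEBUG_DROP} -eq 1 ] ; then
    $IPTABLES -A FORWARD -j LOG --log-level DEBUG --log-prefix "DROP.FORWARD:"
  fi
  $IPTABLES -A FORWARD -j DROP
else
  # forwarding disabled: the DROP policy does the work, just log who tries
  if [ ${DEBUG_DROP} -eq 1 ] ; then
    $IPTABLES -A FORWARD -j LOG --log-level DEBUG --log-prefix "DROP.DISABLED-FORWARD:"
  fi
fi

#####################################################################
### POSTROUTING TABLE
#####################################################################
#
# Enable simple IP Forwarding and Network Address Translation
#
### if iptables-setup is done by script directly - does _not_ apply to RedHat 7.3 !
### not here, because not started as script (to get dyn-Ip_adr), but as parameter-set
###IPTBLS_ARG=" -t nat -A POSTROUTING -o ppp+ -j SNAT --to-source "${DYN_IP_ADR}
### MASQUERADE instead of SNAT: it uses the current (dynamic) ppp address
### and forgets its connections when the link goes down.
$IPTABLES -t nat -A POSTROUTING -o ppp+ -j MASQUERADE

#####################################################################
### define icmp_packets table
#####################################################################
#
# ICMP rules for INPUT traffic arriving on ppp+
#
if [ ${ALLOW_ALL} -eq 1 ] ; then
  $IPTABLES -A icmp_packets -j ACCEPT
fi
# Type 0 = echo REPLY: lets 'ping' run from this box receive its answers.
# To make the box itself answer pings you would need type 8 (echo request);
# if you add it, rate-limit it, e.g.
#   $IPTABLES -A icmp_packets -p ICMP --icmp-type 8 -m limit --limit 1/s -j ACCEPT
if [ ${ALLOW_ECHOPING} -eq 1 ] ; then
  $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 0 -j ACCEPT
fi
# type 3 (destination unreachable, incl. "fragmentation needed" for path
# MTU discovery) and type 11 (time exceeded, traceroute) are needed for
# normal operation.
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 3 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
# Type 5 (redirect) was accepted by the original.  A redirect received on
# the dial-up link can rewrite this box's routing table, so it is no longer
# let in; additionally set net.ipv4.conf.all.accept_redirects = 0.
#$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 5 -j ACCEPT
if [ ${DEBUG_DROP} -eq 1 ] ; then
  $IPTABLES -A icmp_packets -j LOG --log-level DEBUG --log-prefix "DROP.icmp_packets:"
fi
$IPTABLES -A icmp_packets -j DROP

#####################################################################
### define udpincoming_packets table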
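#####################################################################
#
# UDP arriving on ppp+ ONLY (see the INPUT dispatch).  The original's
# '-i ! ppp+' rules in this chain could never match and are gone; local-net
# traffic is accepted in INPUT before the dispatch.
#
# domain name server
# block DNS-requests from the internet (explicit, for readability; the
# final DROP would catch them anyway)
$IPTABLES -A udpincoming_packets -i ppp+ -p udp -s 0/0 --destination-port 53 -j DROP
# DNS replies.  SECURITY FIX: the original accepted ANY udp datagram with
# source port 53 from anywhere; now only answers to a query this box sent
# (conntrack ESTABLISHED) get in.
$IPTABLES -A udpincoming_packets -p udp -s 0/0 --source-port 53 -m state --state ESTABLISHED -j ACCEPT
# network time protocol (answers to our own queries only)
#$IPTABLES -A udpincoming_packets -p udp -s 0/0 --source-port 123 -m state --state ESTABLISHED -j ACCEPT
##$IPTABLES -A udpincoming_packets -p udp -s 0/0 --destination-port 123 -j ACCEPT
## PORT 2074 WHAT FOR ? CHAT?
# $IPTABLES -A udpincoming_packets -p udp -s 0/0 --source-port 2074 -m state --state ESTABLISHED -j ACCEPT
# PORT 4000 also used by ICQ
# $IPTABLES -A udpincoming_packets -p udp -s 0/0 --source-port 4000 -m state --state ESTABLISHED -j ACCEPT
if [ ${DEBUG_DROP} -eq 1 ] ; then
  $IPTABLES -A udpincoming_packets -j LOG --log-level DEBUG --log-prefix "DROP.udpincoming_packets:"
fi
$IPTABLES -A udpincoming_packets -j DROP

#####################################################################
### define tcp_packets table: TCP-INPUT FROM ppp+ only
#####################################################################
#
# SECURITY FIX: the original sent every packet with --source-port
# 20/21/25/53/80/110/443/995 to TCPallowed, whose first rule accepts any
# SYN.  That is a textbook source-port bypass: 'nmap -g 80' (or any client
# bound to port 80) could open a connection to EVERY listening TCP service
# on this box.  Replies are now accepted only when conntrack has seen the
# outgoing request (ESTABLISHED) or a helper marked the connection as
# RELATED - which is what active-FTP data (server port 20 -> our high
# port) needs, so ip_conntrack_ftp must be loaded (see top of script).
# The '-i ! ppp+' rules the original had in here could never match (the
# chain is reached for ppp+ only) and are gone.
#
## PROXY squid: D-A-N-G-E-R ? -> Less, conntrack keeps track via ESTABLISHED
# squid tcp receive port (not constant) from any http(s)
###$IPTABLES -A tcp_packets -p tcp -s 0/0 --sport 80 --dport 1024: -m state --state ESTABLISHED -j ACCEPT
###$IPTABLES -A tcp_packets -p tcp -s 0/0 --sport 443 --dport 1024: -m state --state ESTABLISHED -j ACCEPT
# FTP--data to a local ftp server (NOT enabled)
#$IPTABLES -A tcp_packets -p tcp --destination-port 20 -j TCPallowed

# explicit blocks for services that must never be reachable from the
# internet: ftp-control, dns, http, https.  The final DROP would catch
# them too; these keep the policy visible in the rule listing.
for blocked in 21 53 80 443 ; do
  $IPTABLES -A tcp_packets -i ppp+ -p tcp -s 0/0 --destination-port $blocked -j DROP
done

# replies from the services this box may use on the internet:
#   20 ftp-data (RELATED via ip_conntrack_ftp), 21 ftp, 25 smtp, 53 dns,
#   80 http, 110 pop3, 443 https, 995 pop3s
for remote in 20 21 25 53 80 110 443 995 ; do
  $IPTABLES -A tcp_packets -p tcp -s 0/0 --source-port $remote -m state --state ESTABLISHED,RELATED -j ACCEPT
done
# network time protocol
#$IPTABLES -A tcp_packets -p tcp -s 0/0 --source-port 123 -m state --state ESTABLISHED -j ACCEPT
#$IPTABLES -A tcp_packets -p tcp -s 0/0 --destination-port 123 -j TCPallowed
## PORT 2074 WHAT FOR ? CHAT?
# $IPTABLES -A tcp_packets -p tcp -s 0/0 --source-port 2074 -m state --state ESTABLISHED -j ACCEPT
# PORT 4000 also used by ICQ
# $IPTABLES -A tcp_packets -p tcp -s 0/0 --source-port 4000 -m state --state ESTABLISHED -j ACCEPT
# REMOTE LOGIN SSH (replies to outgoing ssh from this box)
#$IPTABLES -A tcp_packets -p tcp -s 0/0 --sport 22 -m state --state ESTABLISHED -j ACCEPT
# ident & auth
# JUST FOR IRC???
#$IPTABLES -A tcp_packets -p tcp -s 0/0 --source-port 113 -m state --state ESTABLISHED -j ACCEPT
if [ ${DEBUG_DROP} -eq 1 ] ; then
  $IPTABLES -A tcp_packets -j LOG --log-level DEBUG --log-prefix "DROP.tcp_packets:"
fi
$IPTABLES -A tcp_packets -j DROP

#####################################################################
### define TCPallowed table
#####################################################################
#
# The allowed chain for TCP connections.
# WARNING: its first rule accepts ANY SYN, so jump to it only for traffic
# that is meant to reach a local server (e.g. the commented dport 20 rule
# above) - never for "reply" traffic matched by source port.  Nothing in
# this script jumps here any more; the chain is kept because it is created
# at the top of the script and local additions may use it.
#
# accept request to initiate new TCP connection
$IPTABLES -A TCPallowed -p tcp --syn -j ACCEPT
# ESTABLISHED=packets have already been sent in both directions
# RELATED=new connection that is associated with an already existing connection
$IPTABLES -A TCPallowed -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
if [ ${DEBUG_DROP} -eq 1 ] ; then
  $IPTABLES -A TCPallowed -j LOG --log-level DEBUG --log-prefix "DROP.TCPallowed:"
fi
$IPTABLES -A TCPallowed -j DROP

#####################################################################
#####################################################################
# installation
#####################################################################
# The rules above are already live.  Persist them so that the RedHat
# iptables service restores them at boot.  Failures that would leave the
# saved config inconsistent with the live rules abort with a non-zero exit.
echo "saving config to ${CONFNAME} ..."
if ! $IPTABLES_SAVE -c > "$CONFNAME" ; then
  echo "iptables-save failed; ${DESTNAME} left untouched. terminated." >&2
  exit 1
fi
# the rule set reveals the whole network policy: root-only
chmod 600 "$CONFNAME"
# save existing config (best effort, as in the original)
if [ -f "$DESTNAME" ] ; then
  echo "backing up $DESTNAME to ${DESTNAME}.${STAMP} ..."
  if cp -f "$DESTNAME" "${DESTNAME}.${STAMP}" ; then
    chmod 600 "${DESTNAME}.${STAMP}"
  else
    echo "warning: backup of ${DESTNAME} failed, continuing" >&2
  fi
fi
echo "installing new: $DESTNAME ..."
if ! cp -f "$CONFNAME" "$DESTNAME" ; then
  echo "could not install ${DESTNAME}. terminated." >&2
  exit 1
fi
chmod 600 "$DESTNAME"
echo "restarting iptables ..."
#/sbin/service iptables stop
/sbin/service iptables start
echo "terminated."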
##################################################################### exit ##################################################################### ##################################################################### # Some port definitions # see also /etc/services and the "names and numbers"-RFC docs ##################################################################### # # 7 echo # 20 ftp-data # 21 ftp # ssh 22/tcp # SSH Remote Login Protocol # ssh 22/udp # SSH Remote Login Protocol # 25 smtp # -> RFC821 # 42 # host name sever # 46 # Message Processing Module (MPM)- default send # 53 # domain name server # 80 http # 110 pop3 # ident 113/tcp # auth 113/tcp # Authentication Service # auth 113/udp # Authentication Service # ntp 123/tcp # Network Time Protocol # ntp 123/udp # Network Time Protocol # 137 # Netbios calls port # sgmp 153/tcp # SGMP # sgmp 153/udp # SGMP # 443 https # pop3s 995/tcp spop3 # pop3 protocol over TLS/SSL -> RFC 2487, 2246 # pop3s 995/udp spop3 # pop3 protocol over TLS/SSL # 2074 ? # (another chat-o-mat ?) 
# terabase 4000/tcp # Terabase # terabase 4000/udp # Terabase # PORT 4000 also used by ICQ ##################################################################### # # informations found about RealPlayer: # # TCP-ports 7070 for connecting to pre-G2 servers # TCP-ports 554 and 7070 for connecting to G2 servers # UDP-ports [6970-7170] for incoming traffic # PNA-requests to G2-server-port 7070 # default pna-proxy port 1090 # RTSP-requests to G2-server-port 5540 (default, changeable by server-admin) # HTTP-requests to G2-server-port 8080 # for older real player versions port 80 (==webserver) instead of 8080 # RTSP-ports: # rtsp 554/tcp # rtsp 554/udp # rtsp-alt 8554/tcp # rtsp-alt 8554/udp #RTP standard ports: 5004, 5005 # what should handle anything (base for restrictions): # -> OUTPUT: TCP 554, 5540, 7070, 8080, 8554 # -> OUTPUT UPD 554, 5540, 7070, 8080, 8554 # -> INPUT: TCP 554, [6970-7170], 8554 # -> INPUT: UDP 554, [6970-7170], 8554 # 554 5004 5005 5540 6070:7170 8080 8554 # plugin-mime types (2 of many): # audio/x-pn-realaudio ram,rm,ra # audio/x-pn-realaudio-plugin rpm # application/x-rpm rpm # pnm:// - protocol to requiere rm-files # RTSP (RealTimeStreamingProtocol) RFC 2326 ##################################################################### # Win Media Player # Port 8000,8184 = WinMedia ##################################################################### #Table 1. ICMP types #TYPE CODE Description Query Error #0 0 Echo Reply x #3 0 Network Unreachable x #3 1 Host Unreachable #3 2 Protocol Unreachable #3 3 Port Unreachable #3 4 Fragmentation needed but no frag. 
bit set #3 5 Source routing failed #3 6 Destination network unknown #3 7 Destination host unknown #3 8 Source host isolated (obsolete) #3 9 Destination network administratively prohibited #3 10 Destination host administratively prohibited #3 11 Network unreachable for TOS #3 12 Host unreachable for TOS #3 13 Communication administratively prohibited by filtering #3 14 Host precedence violation #3 15 Precedence cutoff in effect #4 0 Source quelch #5 0 Redirect for network #5 1 Redirect for host #5 2 Redirect for TOS and network #5 3 Redirect for TOS and host #8 0 Echo request x #9 0 Router advertisement #10 0 Route sollicitation #11 0 TTL equals 0 during transit x #11 1 TTL equals 0 during reassembly #12 0 IP header bad (catchall error) #12 1 Required options missing #13 0 Timestamp request (obsolete) #14 0 Timestamp reply (obsolete) #15 0 Information request (obsolete) #16 0 Information reply (obsolete) #17 0 Address mask request #18 0 Address mask reply ##################################################################### # For more information on this, i suggest reading the following # sites and reports : # The Internet Control Message Protocol ICMP RFC792 ##################################################################### # eof #####################################################################