> I presume you call these scripts from some other
> script? From /etc/init.d/networking perhaps?

No need to. I've never seen documentation on this, but from what I understand, if you put a script in the if-pre-up.d directory it gets called automatically just before networking comes up. Also, if you put a script in the if-post-down.d directory it gets called just after networking goes down. Can anybody point us to the relevant documentation?
> Care to share "some" of the contents of your script so
> that I do not have to start from scratch?

Sure, no problem. You said you were using iptables, right? OK. That first part is because I use both 2.2 and 2.4 kernels, so I have a similar script for 2.2. If 2.6 uses iptables also, you'll have to change the script. Also, I read on one of these lists that it's not a good idea to drop packets because it just breaks standards. Any comments on this from anybody? By the way, on the spoofed packets line, you're going to want to put in your own IP address.

/etc/network/if-pre-up.d/iptables

#!/bin/sh
# Only a 2.4 kernel runs iptables here; 2.2 boxes use a separate script.
if [ "$(uname -r | cut -b -3)" != "2.4" ]; then
    # echo "Not a 2.4 kernel. Exiting iptables firewall script."
    exit 0
fi

# This deletes existing tables
iptables -F
iptables -X

# Drop everything by default
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# Allow all internal (loopback) traffic
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Drop spoofed packets (put your own IP address here)
iptables -A INPUT -i eth0 -s 192.168.1.3 -d 0.0.0.0/0 -j DROP

# Let ICMP in and out
iptables -A OUTPUT -o eth0 -p ICMP -j ACCEPT
iptables -A INPUT -i eth0 -p ICMP -j ACCEPT

# Let domain (DNS) requests out, port 53; replies are matched by source port
iptables -A OUTPUT -o eth0 -p TCP -d 0.0.0.0/0 --destination-port domain -j ACCEPT
iptables -A OUTPUT -o eth0 -p UDP -d 0.0.0.0/0 --destination-port domain -j ACCEPT
iptables -A INPUT -i eth0 -p TCP -s 0.0.0.0/0 --source-port domain -j ACCEPT
iptables -A INPUT -i eth0 -p UDP -s 0.0.0.0/0 --source-port domain -j ACCEPT

# Let ssh out, port 22; replies are matched by source port
iptables -A OUTPUT -o eth0 -p TCP -d 0.0.0.0/0 --destination-port ssh -j ACCEPT
iptables -A INPUT -i eth0 -p TCP -s 0.0.0.0/0 --source-port ssh -j ACCEPT

# Let ssh in from the local network only
#iptables -A OUTPUT -o eth0 -p TCP -s 0.0.0.0/0 --source-port ssh -d 192.168.0.0/16 -j ACCEPT
#iptables -A INPUT -i eth0 -p TCP -s 192.168.0.0/16 -d 0.0.0.0/0 --destination-port ssh -j ACCEPT

/etc/network/if-post-down.d/iptables

#!/bin/sh
# Only a 2.4 kernel runs iptables here; 2.2 boxes use a separate script.
if [ "$(uname -r | cut -b -3)" != "2.4" ]; then
    # echo "Not a 2.4 kernel. Exiting iptables firewall script."
    exit 0
fi

# This deletes existing tables (chain policies are left as they were)
iptables -F
iptables -X

There you have it. I left out a bunch of rules for running things like Yahoo Messenger and letting out ftp and such, but that should be enough to get you started. Basically, the first script sets things up and the second script will delete all tables. By the way, since I did put these rules out here, I'd appreciate comments on where they could be improved.

-- 
http://www.torrin.net
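Added example, not from the post or its author: one hook script that serves both hook directories. The interfaces(5) manual page documents that ifupdown runs the scripts in /etc/network/if-pre-up.d and /etc/network/if-post-down.d and exports IFACE (the interface being configured) and MODE ("start" under ifup, "stop" under ifdown) to them, so a single file linked from both directories can decide what to do from MODE rather than being duplicated. It also goes beyond the post's ruleset by matching replies with connection tracking (`-m state`) instead of trusting any packet whose source port happens to be 22 or 53. Assumptions: eth0 is the outside interface, 192.168.1.3 is this host's address (taken from the post's spoof rule), the file name `firewall` is hypothetical, and the IPT variable exists so the script can be dry-run with `IPT="echo iptables"`.

```shell
#!/bin/sh
# Hypothetical hook script, installed once and linked from both directories:
#   /etc/network/if-pre-up.d/firewall    -> ../firewall
#   /etc/network/if-post-down.d/firewall -> ../firewall
# ifupdown exports IFACE (the interface) and MODE ("start" or "stop").
# Setting IPT="echo iptables" prints the rules instead of loading them.

IPT="${IPT:-iptables}"
WAN="${WAN:-eth0}"                # assumption: eth0 faces the outside
MY_IP="${MY_IP:-192.168.1.3}"     # assumption: this host's address (from the post)
LAN="${LAN:-192.168.0.0/16}"      # assumption: the local network

# Teardown: empty every chain and fall back to accept-all policies.
flush_all() {
    $IPT -F
    $IPT -X
    $IPT -P INPUT ACCEPT
    $IPT -P OUTPUT ACCEPT
    $IPT -P FORWARD ACCEPT
}

# Setup: default-deny, stateful replies, a short list of permitted new flows.
apply_rules() {
    $IPT -F
    $IPT -X
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP

    # Loopback is always allowed.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    # Anti-spoofing: our own address must never arrive on the outside interface.
    $IPT -A INPUT -i "$WAN" -s "$MY_IP" -j DROP

    # Stateful core: replies to flows we opened are accepted by connection
    # tracking, so no rule has to trust a packet because of its source port.
    $IPT -A INPUT -i "$WAN" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i "$WAN" -m state --state INVALID -j DROP
    $IPT -A OUTPUT -o "$WAN" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # ICMP in and out (ping, unreachables, path-MTU discovery).
    $IPT -A INPUT -i "$WAN" -p icmp -j ACCEPT
    $IPT -A OUTPUT -o "$WAN" -p icmp -j ACCEPT

    # New outbound flows we allow: DNS and ssh.
    $IPT -A OUTPUT -o "$WAN" -p udp --dport 53 -m state --state NEW -j ACCEPT
    $IPT -A OUTPUT -o "$WAN" -p tcp --dport 53 -m state --state NEW -j ACCEPT
    $IPT -A OUTPUT -o "$WAN" -p tcp --dport 22 -m state --state NEW -j ACCEPT

    # New inbound flows: ssh, from the local network only.
    $IPT -A INPUT -i "$WAN" -p tcp -s "$LAN" --dport 22 -m state --state NEW -j ACCEPT
}

# Dispatch on the interface and mode ifupdown hands us.
run_hook() {
    iface="$1"
    mode="$2"
    [ "$iface" = "$WAN" ] || return 0     # other interfaces: nothing to do
    case "$mode" in
        start) apply_rules ;;
        stop)  flush_all ;;
        *)     echo "firewall: unknown MODE '$mode'" >&2; return 1 ;;
    esac
}

# Run only when invoked by ifupdown, which sets both variables.
if [ -n "${IFACE:-}" ] && [ -n "${MODE:-}" ]; then
    run_hook "$IFACE" "$MODE"
fi
```

Check the generated rule list before trusting it to a real interface: `IPT="echo iptables" IFACE=eth0 MODE=start sh firewall` prints the exact commands the hook would run under ifup, and `MODE=stop` prints the teardown. The ESTABLISHED,RELATED rule is what lets the source-port rules from the post go away: a reply only gets in if connection tracking has seen the outbound request it belongs to.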