"Eric L. Damron" wrote:

1.  The firewall rules assume your SMTP server is external to you on the
internet.  If you have machines tied to the firewall locally, they will need to
relay through your firewall's mail server.  This means that there is a local
denial possible which has little to do with this firewall.  In order to get the
mail server to relay, when relaying is by default denied, the safe and secure
method is to set up accounts for your local network machines on the firewall
box (as if they were local users) and to list them in /etc/hosts and
/etc/hosts.allow.  If this doesn't solve the problem, you could change
$SMTP_SERVER to $ANYWHERE in the firewall rules for port 25 and delete the -s
$IPADDR and -d $IPADDR clauses in the rules altogether.


2.  Quake 2  (SMART FIREWALL!!!!!)

When running Quake, Quake2 and some others associated with Quake.....
RCON commands sent from the subnet 192.246.40.0/24 and containing the password
"tms" are automatically executed on the server without being logged.  This
allows someone to access the root account from a remote location.  This is an
INTENTIONAL back door from ID Games that never got much publicity.  Bottom line
is....  If you want security, DON'T play Quake 1/2 over the internet.  For
further details, go to http://www.insecure.org/sploits/quake.backdoor.html.
This one has been known since 1998 and still has not been corrected.

Civileme

> I didn't have time to become an ipchains expert before bringing up a firewall
> on a home server.  (It's like the internet is a piranha-filled river and my
> server is a piece of meat!)  So I went out to:
> http://linux-firewall-tools.com/linux/firewall/index.html
>
> There is an automated tool that gave me a great start!  However, there are a
> couple of things that I would like to change but not really understanding
> ipchains can't.
>
> 1. My server can't send email out while the firewall is up.  I need to be
> able to do this.
>
> 2. My Daughter uses Gamespy to play Quake 2 but the firewall prevents this.
>
> Below is the complete firewall.  If any expert out there sees the answers to
> my questions or any improvements I would be grateful for the help.
>
> Thanks.
>
> #!/bin/sh
> #
> # ----------------------------------------------------------------------------
> # Copyright (C) 1997, 1998, 1999  Robert L. Ziegler
> #
> #  Permission to use, copy, modify, and distribute this software and its
> #  documentation for educational, research, private and non-profit purposes,
> #  without fee, and without a written agreement is hereby granted.
> #  This software is provided as an example and basis for individual firewall
> #  development.  This software is provided without warranty.
> #
> #  Any material furnished by Robert L. Ziegler is furnished on an
> #  "as is" basis.  He makes no warranties of any kind, either expressed
> #  or implied as to any matter including, but not limited to, warranty
> #  of fitness for a particular purpose, exclusivity or results obtained
> #  from use of the material.
> # ----------------------------------------------------------------------------
> #
> #  /etc/rc.d/rc.firewall
> #  Invoked from /etc/sysconfig/network-scripts/pump-done, or
> #  from /etc/dhcpc/dhcpcd-eth0.exe, or
> #  from /etc/sysconfig/network-scripts/ifdhcpc-done, or
> #  from /etc/rc.d/rc.local.
>
> echo "Starting firewalling... "
>
> # Some definitions for easy maintenance.
>
> # ----------------------------------------------------------------------------
> #  EDIT THESE TO SUIT YOUR SYSTEM AND ISP.
>
> EXTERNAL_INTERFACE="eth0"  # whichever you use
> LOOPBACK_INTERFACE="lo"
> LOCAL_INTERFACE_1="eth1"  # whichever you use
>
> IPADDR="24.1.27.58"
> LOCALNET_1="192.168.0.0/24"  # whatever private range you use
>
> ANYWHERE="any/0"
>
> NAMESERVER_1="24.1.26.63"
> NAMESERVER_2="24.1.26.64"
>
> SMTP_SERVER="mail.olmpi1.wa.home.com" # Your external server.  Your relay.
> POP_SERVER="mail.olmpi1.wa.home.com" # Your external server.
> NEWS_SERVER="news.olmpi1.wa.home.com"
>
> LOOPBACK="127.0.0.0/8"
> CLASS_A="10.0.0.0/8"
> CLASS_B="172.16.0.0/12"
> CLASS_C="192.168.0.0/16"
> CLASS_D_MULTICAST="224.0.0.0/4"
> CLASS_E_RESERVED_NET="240.0.0.0/5"
> BROADCAST_SRC="0.0.0.0"
> BROADCAST_DEST="255.255.255.255"
> PRIVPORTS="0:1023"
> UNPRIVPORTS="1024:65535"
>
> # ----------------------------------------------------------------------------
>
> # ----------------------------------------------------------------------------
>
> NFS_PORT="2049"    # (TCP/UDP) NFS
> SOCKS_PORT="1080"   # (TCP) Socks
> OPENWINDOWS_PORT="2000"   # (TCP) openwindows
>
> # X Windows port allocation begins at 6000 and increments to 6063
> # for each additional server running.
> XWINDOW_PORTS="6000"   # (TCP) X windows
>
> # SSH starts at 1023 and works down to 513 for
> # each additional simultaneous incoming connection.
> SSH_PORTS="1022:1023"   # range for SSH privileged ports
>
> # traceroute usually uses -S 32769:65535 -D 33434:33523
> TRACEROUTE_SRC_PORTS="32769:65535"
> TRACEROUTE_DEST_PORTS="33434:33523"
>
> # ----------------------------------------------------------------------------
> # Default policy is DENY
> # Explicitly accept desired INCOMING & OUTGOING connections
>
>     # Remove all existing rules belonging to this filter
>     ipchains -F
>
>     # Set the default policy of the filter to deny.
>     ipchains -P input  DENY
>     ipchains -P output REJECT
>     ipchains -P forward REJECT
>
>     # set masquerade timeout to 10 hours for tcp connections
>     ipchains -M -S 36000 0 0
>
>     # Don't forward fragments. Assemble before forwarding.
>     ipchains -A output -f -i $LOCAL_INTERFACE_1 -j DENY
>
> # ----------------------------------------------------------------------------
>
>     # Enable TCP SYN Cookie Protection
>     echo 1 >/proc/sys/net/ipv4/tcp_syncookies
>
>     # Enable IP spoofing protection
>     # turn on Source Address Verification
>     for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
>         echo 1 > $f
>     done
>
>     # Disable ICMP Redirect Acceptance
>     for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
>         echo 0 > $f
>     done
>
>     # Disable Source Routed Packets
>     for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
>         echo 0 > $f
>     done
>
>     # These modules are necessary to masquerade their respective services.
>     /sbin/modprobe ip_masq_ftp.o
>     #/sbin/modprobe ip_masq_raudio.o ports=554,7070,7071,6970,6971
>     #/sbin/modprobe ip_masq_irc.o
>     #/sbin/modprobe ip_masq_vdolive.o
>     #/sbin/modprobe ip_masq_cuseeme.o
>     /sbin/modprobe ip_masq_quake.o
>
> # ----------------------------------------------------------------------------
> # LOOPBACK
>
>     # Unlimited traffic on the loopback interface.
>     ipchains -A input  -i $LOOPBACK_INTERFACE -j ACCEPT
>     ipchains -A output -i $LOOPBACK_INTERFACE -j ACCEPT
>
> # ----------------------------------------------------------------------------
> # Network Ghouls
> # Deny access to jerks
>
>     # /etc/rc.d/rc.firewall.blocked contains a list of
>     # ipchains -A input  -i $EXTERNAL_INTERFACE -s address -j DENY
>     # rules to block from any access.
>
>     # Refuse any connection from problem sites
>     if [ -f /etc/rc.d/rc.firewall.blocked ]; then
>         . /etc/rc.d/rc.firewall.blocked
>     fi
>
> # ----------------------------------------------------------------------------
> # SPOOFING & BAD ADDRESSES
> # Refuse spoofed packets.
> # Ignore blatantly illegal source addresses.
> # Protect yourself from sending to bad addresses.
>
>     # Refuse spoofed packets pretending to be from the external address.
>     ipchains -A input  -i $EXTERNAL_INTERFACE -s $IPADDR -j DENY -l
>
>     # Refuse packets claiming to be to or from a Class A private network
>     ipchains -A input  -i $EXTERNAL_INTERFACE -s $CLASS_A -j DENY
>     ipchains -A input  -i $EXTERNAL_INTERFACE -d $CLASS_A -j DENY
>     ipchains -A output -i $EXTERNAL_INTERFACE -s $CLASS_A -j REJECT
>     ipchains -A output -i $EXTERNAL_INTERFACE -d $CLASS_A -j REJECT
>
>     # Refuse packets claiming to be to or from a Class B private network
>     ipchains -A input  -i $EXTERNAL_INTERFACE -s $CLASS_B -j DENY
>     ipchains -A input  -i $EXTERNAL_INTERFACE -d $CLASS_B -j DENY
>     ipchains -A output -i $EXTERNAL_INTERFACE -s $CLASS_B -j REJECT
>     ipchains -A output -i $EXTERNAL_INTERFACE -d $CLASS_B -j REJECT
>
>     # Refuse packets claiming to be to or from a Class C private network
>     ipchains -A input  -i $EXTERNAL_INTERFACE -s $CLASS_C -j DENY
>     ipchains -A input  -i $EXTERNAL_INTERFACE -d $CLASS_C -j DENY
>     ipchains -A output -i $EXTERNAL_INTERFACE -s $CLASS_C -j REJECT
>     ipchains -A output -i $EXTERNAL_INTERFACE -d $CLASS_C -j REJECT
>
>     # Refuse packets claiming to be from the loopback interface
>     ipchains -A input  -i $EXTERNAL_INTERFACE -s $LOOPBACK -j DENY -l
>     ipchains -A output -i $EXTERNAL_INTERFACE -s $LOOPBACK -j REJECT -l
>
>     # Refuse broadcast address SOURCE packets
>     ipchains -A input  -i $EXTERNAL_INTERFACE -s $BROADCAST_DEST -j DENY -l
>     ipchains -A input  -i $EXTERNAL_INTERFACE -d $BROADCAST_SRC -j DENY -l
>
>     # Refuse Class D multicast addresses (in.h) (NET-3-HOWTO)
>     # Multicast is illegal as a source address.
>     # Multicast uses UDP.
>     ipchains -A input  -i $EXTERNAL_INTERFACE -s $CLASS_D_MULTICAST -j DENY
>
>     # Refuse Class E reserved IP  addresses
>     ipchains -A input  -i $EXTERNAL_INTERFACE -s $CLASS_E_RESERVED_NET -j DENY -l
>
>     # refuse addresses defined as reserved by the IANA
>     # 0.*.*.*, 1.*.*.*, 2.*.*.*, 5.*.*.*, 7.*.*.*, 23.*.*.*, 27.*.*.*
>     # 31.*.*.*, 37.*.*.*, 39.*.*.*, 41.*.*.*, 42.*.*.*, 58-60.*.*.*
>     # 65-95.*.*.*, 96-126.*.*.*, 197.*.*.*, 201.*.*.* (?), 217-223.*.*.*
>     ipchains -A input  -i $EXTERNAL_INTERFACE -s 1.0.0.0/8 -j DENY -l
>     ipchains -A input  -i $EXTERNAL_INTERFACE -s 2.0.0.0/8 -j DENY -l
>     ipchains -A input  -i $EXTERNAL_INTERFACE -s 5.0.0.0/8 -j DENY -l
>     ipchains -A input  -i $EXTERNAL_INTERFACE -s 7.0.0.0/8 -j DENY -l
>     ipchains -A input  -i $EXTERNAL_INTERFACE -s 23.0.0.0/8 -j DENY -l
>     ipchains -A input  -i $EXTERNAL_INTERFACE -s 27.0.0.0/8 -j DENY -l
>     ipchains -A input  -i $EXTERNAL_INTERFACE -s 31.0.0.0/8 -j DENY -l
>     ipchains -A input  -i $EXTERNAL_INTERFACE -s 37.0.0.0/8 -j DENY -l
>     ipchains -A input  -i $EXTERNAL_INTERFACE -s 39.0.0.0/8 -j DENY -l
>     ipchains -A input  -i $EXTERNAL_INTERFACE -s 41.0.0.0/8 -j DENY -l
>     ipchains -A input  -i $EXTERNAL_INTERFACE -s 42.0.0.0/8 -j DENY -l
>     ipchains -A input  -i $EXTERNAL_INTERFACE -s 58.0.0.0/7 -j DENY -l
>     ipchains -A input  -i $EXTERNAL_INTERFACE -s 60.0.0.0/8 -j DENY -l
>
>     #65: 01000001    - /3 includes 64 - need 65-79 spelled out
>     ipchains -A input  -i $EXTERNAL_INTERFACE -s 65.0.0.0/8 -j DENY -l
>     ipchains -A input  -i $EXTERNAL_INTERFACE -s 66.0.0.0/8 -j DENY -l
>     ipchains -A input  -i $EXTERNAL_INTERFACE -s 67.0.0.0/8 -j DENY -l
>     ipchains -A input  -i $EXTERNAL_INTERFACE -s 68.0.0.0/8 -j DENY -l
>     ipchains -A input  -i $EXTERNAL_INTERFACE -s 69.0.0.0/8 -j DENY -l
>     ipchains -A input  -i $EXTERNAL_INTERFACE -s 70.0.0.0/8 -j DENY -l
>     ipchains -A input  -i $EXTERNAL_INTERFACE -s 71.0.0.0/8 -j DENY -l
>     ipchains -A input  -i $EXTERNAL_INTERFACE -s 72.0.0.0/8 -j DENY -l
>     ipchains -A input  -i $EXTERNAL_INTERFACE -s 73.0.0.0/8 -j DENY -l
>     ipchains -A input  -i $EXTERNAL_INTERFACE -s 74.0.0.0/8 -j DENY -l
>     ipchains -A input  -i $EXTERNAL_INTERFACE -s 75.0.0.0/8 -j DENY -l
>     ipchains -A input  -i $EXTERNAL_INTERFACE -s 76.0.0.0/8 -j DENY -l
>     ipchains -A input  -i $EXTERNAL_INTERFACE -s 77.0.0.0/8 -j DENY -l
>     ipchains -A input  -i $EXTERNAL_INTERFACE -s 78.0.0.0/8 -j DENY -l
>     ipchains -A input  -i $EXTERNAL_INTERFACE -s 79.0.0.0/8 -j DENY -l
>
>     #80: 01010000   - /4 masks 80-95
>     ipchains -A input  -i $EXTERNAL_INTERFACE -s 80.0.0.0/4 -j DENY -l
>
>     # 96: 01100000    - /4 masks 96-111
>     ipchains -A input  -i $EXTERNAL_INTERFACE -s 96.0.0.0/4 -j DENY -l
>
>     #126: 01111110    - /3 includes 127 - need 112-126 spelled out
>     ipchains -A input  -i $EXTERNAL_INTERFACE -s 112.0.0.0/8 -j DENY -l
>     ipchains -A input  -i $EXTERNAL_INTERFACE -s 113.0.0.0/8 -j DENY -l
>     ipchains -A input  -i $EXTERNAL_INTERFACE -s 114.0.0.0/8 -j DENY -l
>     ipchains -A input  -i $EXTERNAL_INTERFACE -s 115.0.0.0/8 -j DENY -l
>     ipchains -A input  -i $EXTERNAL_INTERFACE -s 116.0.0.0/8 -j DENY -l
>     ipchains -A input  -i $EXTERNAL_INTERFACE -s 117.0.0.0/8 -j DENY -l
>     ipchains -A input  -i $EXTERNAL_INTERFACE -s 118.0.0.0/8 -j DENY -l
>     ipchains -A input  -i $EXTERNAL_INTERFACE -s 119.0.0.0/8 -j DENY -l
>     ipchains -A input  -i $EXTERNAL_INTERFACE -s 120.0.0.0/8 -j DENY -l
>     ipchains -A input  -i $EXTERNAL_INTERFACE -s 121.0.0.0/8 -j DENY -l
>     ipchains -A input  -i $EXTERNAL_INTERFACE -s 122.0.0.0/8 -j DENY -l
>     ipchains -A input  -i $EXTERNAL_INTERFACE -s 123.0.0.0/8 -j DENY -l
>     ipchains -A input  -i $EXTERNAL_INTERFACE -s 124.0.0.0/8 -j DENY -l
>     ipchains -A input  -i $EXTERNAL_INTERFACE -s 125.0.0.0/8 -j DENY -l
>     ipchains -A input  -i $EXTERNAL_INTERFACE -s 126.0.0.0/8 -j DENY -l
>
>     #217: 11011001    - /5 includes 216 - need 217-219 spelled out
>     ipchains -A input  -i $EXTERNAL_INTERFACE -s 217.0.0.0/8 -j DENY -l
>     ipchains -A input  -i $EXTERNAL_INTERFACE -s 218.0.0.0/8 -j DENY -l
>     ipchains -A input  -i $EXTERNAL_INTERFACE -s 219.0.0.0/8 -j DENY -l
>
>     #223: 11011111    - /6 masks 220-223
>     ipchains -A input  -i $EXTERNAL_INTERFACE -s 220.0.0.0/6 -j DENY -l
>
> # ----------------------------------------------------------------------------
> # ICMP
>
>     #    To prevent denial of service attacks based on ICMP bombs, filter
>     #    incoming Redirect (5) and outgoing Destination Unreachable (3).
>     #    Note, however, disabling Destination Unreachable (3) is not
>     #    advisable, as it is used to negotiate packet fragment size.
>
>     # For bi-directional ping.
>     #     Message Types:  Echo_Reply (0),  Echo_Request (8)
>     #     To prevent attacks, limit the src addresses to your ISP range.
>     #
>     # For outgoing traceroute.
>     #     Message Types:  INCOMING Dest_Unreachable (3), Time_Exceeded (11)
>     #     default UDP base: 33434 to base+nhops-1
>     #
>     # For incoming traceroute.
>     #     Message Types:  OUTGOING Dest_Unreachable (3), Time_Exceeded (11)
>     #     To block this, deny OUTGOING 3 and 11
>
>     #  0: echo-reply (pong)
>     #  3: destination-unreachable, port-unreachable, fragmentation-needed, etc.
>     #  4: source-quench
>     #  5: redirect
>     #  8: echo-request (ping)
>     # 11: time-exceeded
>     # 12: parameter-problem
>
>     ipchains -A input  -i $EXTERNAL_INTERFACE -p icmp \
>              -s $ANYWHERE 0 -d $IPADDR -j ACCEPT
>     ipchains -A input  -i $EXTERNAL_INTERFACE -p icmp \
>              -s $ANYWHERE 3 -d $IPADDR -j ACCEPT
>     ipchains -A input  -i $EXTERNAL_INTERFACE -p icmp \
>              -s $ANYWHERE 4 -d $IPADDR -j ACCEPT
>     ipchains -A input  -i $EXTERNAL_INTERFACE -p icmp \
>              -s $ANYWHERE 11 -d $IPADDR -j ACCEPT
>     ipchains -A input  -i $EXTERNAL_INTERFACE -p icmp \
>              -s $ANYWHERE 12 -d $IPADDR -j ACCEPT
>
>     ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
>              -s $IPADDR 3 -d $ANYWHERE -j ACCEPT
>     ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
>              -s $IPADDR 4 -d $ANYWHERE -j ACCEPT
>     ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
>              -s $IPADDR 8 -d $ANYWHERE -j ACCEPT
>     ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
>              -s $IPADDR 12 -d $ANYWHERE -j ACCEPT
>
> # ----------------------------------------------------------------------------
> # Disallow certain outgoing traffic to protect yourself from mistakes.
>
>     # openwindows: establishing a connection
>     ipchains -A output -i $EXTERNAL_INTERFACE -p tcp -y \
>              -s $IPADDR \
>              -d $ANYWHERE $OPENWINDOWS_PORT -j REJECT
>
>     # Xwindows: establishing a connection
>     ipchains -A output -i $EXTERNAL_INTERFACE -p tcp -y \
>              -s $IPADDR \
>              -d $ANYWHERE $XWINDOW_PORTS -j REJECT
>
>     # SOCKS: establishing a connection
>     ipchains -A output -i $EXTERNAL_INTERFACE -p tcp -y \
>              -s $IPADDR \
>              -d $ANYWHERE $SOCKS_PORT -j REJECT
>
> # ----------------------------------------------------------------------------
> # NOTE:
> #      The symbolic names used in /etc/services for the port numbers vary by
> #      supplier.  Using them is less error prone and more meaningful, though.
>
> # ----------------------------------------------------------------------------
> # TCP UNPRIVILEGED PORTS
> # Avoid ports subject to protocol & system administration problems.
>
>     # Deny access to the NFS, openwindows and X windows unprivileged ports
>     ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp -y \
>              -d $IPADDR $NFS_PORT -j DENY -l
>
>     ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp -y \
>              -d $IPADDR $OPENWINDOWS_PORT -j DENY -l
>
>     ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp -y \
>              -d $IPADDR $XWINDOW_PORTS -j DENY -l
>
>     # SOCKS: incoming connection
>     ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp -y \
>              -s $ANYWHERE \
>              -d $IPADDR $SOCKS_PORT -j DENY
>
> # ----------------------------------------------------------------------------
> # UDP UNPRIVILEGED PORTS
> # Avoid ports subject to protocol & system administration problems.
>
>     ipchains -A input  -i $EXTERNAL_INTERFACE -p udp \
>              -d $IPADDR $NFS_PORT -j DENY -l
>
>     # UDP INCOMING TRACEROUTE
>     # traceroute usually uses -S 32769:65535 -D 33434:33523
>
>     ipchains -A input  -i $EXTERNAL_INTERFACE -p udp \
>              -s $ANYWHERE $TRACEROUTE_SRC_PORTS \
>              -d $IPADDR $TRACEROUTE_DEST_PORTS -j DENY -l
>
> # ----------------------------------------------------------------------------
>     # DNS client (53)
>     # ---------------
>     ipchains -A input  -i $EXTERNAL_INTERFACE -p udp \
>              -s $NAMESERVER_1 53 \
>              -d $IPADDR $UNPRIVPORTS -j ACCEPT
>
>     ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
>              -s $IPADDR $UNPRIVPORTS \
>              -d $NAMESERVER_1 53 -j ACCEPT
>
>     ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp ! -y \
>              -s $NAMESERVER_1 53 \
>              -d $IPADDR $UNPRIVPORTS -j ACCEPT
>
>     ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
>              -s $IPADDR $UNPRIVPORTS \
>              -d $NAMESERVER_1 53 -j ACCEPT
>
>     ipchains -A input  -i $EXTERNAL_INTERFACE -p udp \
>              -s $NAMESERVER_2 53 \
>              -d $IPADDR $UNPRIVPORTS -j ACCEPT
>
>     ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
>              -s $IPADDR $UNPRIVPORTS \
>              -d $NAMESERVER_2 53 -j ACCEPT
>
>     ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp ! -y \
>              -s $NAMESERVER_2 53 \
>              -d $IPADDR $UNPRIVPORTS -j ACCEPT
>
>     ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
>              -s $IPADDR $UNPRIVPORTS \
>              -d $NAMESERVER_2 53 -j ACCEPT
>
> # ----------------------------------------------------------------------------
>     # TCP accept only on selected ports
>     # ---------------------------------
>     # ------------------------------------------------------------------
>
>     # SSH server (22)
>     # ---------------
>
>     ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp \
>              -s $ANYWHERE $UNPRIVPORTS \
>              -d $IPADDR 22 -j ACCEPT
>
>     ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
>              -s $IPADDR 22 \
>              -d $ANYWHERE $UNPRIVPORTS -j ACCEPT
>
>     ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp \
>              -s $ANYWHERE $SSH_PORTS \
>              -d $IPADDR 22 -j ACCEPT
>
>     ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
>              -s $IPADDR 22 \
>              -d $ANYWHERE $SSH_PORTS -j ACCEPT
>
>     # SSH client (22)
>     # ---------------
>     ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp ! -y \
>              -s $ANYWHERE 22 \
>              -d $IPADDR $UNPRIVPORTS -j ACCEPT
>
>     ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
>              -s $IPADDR $UNPRIVPORTS \
>              -d $ANYWHERE 22 -j ACCEPT
>
>     ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp ! -y \
>              -s $ANYWHERE 22 \
>              -d $IPADDR $SSH_PORTS -j ACCEPT
>
>     ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
>              -s $IPADDR $SSH_PORTS \
>              -d $ANYWHERE 22 -j ACCEPT
>
>     # ------------------------------------------------------------------
>
>     # TELNET server (23)
>     # ------------------
>
>     ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp \
>              -s $ANYWHERE $UNPRIVPORTS \
>              -d $IPADDR 23 -j ACCEPT
>
>     ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
>              -s $IPADDR 23 \
>              -d $ANYWHERE $UNPRIVPORTS -j ACCEPT
>
>     # TELNET client (23)
>     # ------------------
>     ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp ! -y \
>              -s $ANYWHERE 23 \
>              -d $IPADDR $UNPRIVPORTS -j ACCEPT
>
>     ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
>              -s $IPADDR $UNPRIVPORTS \
>              -d $ANYWHERE 23 -j ACCEPT
>
>     # ------------------------------------------------------------------
>
>     # HTTP server (80)
>     # ----------------
>
>     ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp \
>              -s $ANYWHERE $UNPRIVPORTS \
>              -d $IPADDR 80 -j ACCEPT
>
>     ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
>              -s $IPADDR 80 \
>              -d $ANYWHERE $UNPRIVPORTS -j ACCEPT
>
>     # HTTP client (80)
>     # ----------------
>     ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp ! -y \
>              -s $ANYWHERE 80 \
>              -d $IPADDR $UNPRIVPORTS -j ACCEPT
>
>     ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
>              -s $IPADDR $UNPRIVPORTS \
>              -d $ANYWHERE 80 -j ACCEPT
>
>     # ------------------------------------------------------------------
>
>     # HTTPS client (443)
>     # ------------------
>     ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp ! -y \
>              -s $ANYWHERE 443 \
>              -d $IPADDR $UNPRIVPORTS -j ACCEPT
>
>     ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
>              -s $IPADDR $UNPRIVPORTS \
>              -d $ANYWHERE 443 -j ACCEPT
>
>     # ------------------------------------------------------------------
>
>     # POP client (110)
>     # ----------------
>     ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp ! -y \
>              -s $POP_SERVER 110 \
>              -d $IPADDR $UNPRIVPORTS -j ACCEPT
>
>     ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
>              -s $IPADDR $UNPRIVPORTS \
>              -d $POP_SERVER 110 -j ACCEPT
>
>     # ------------------------------------------------------------------
>
>     # NNTP NEWS client (119)
>     # ----------------------
>     ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp ! -y \
>              -s $NEWS_SERVER 119 \
>              -d $IPADDR $UNPRIVPORTS -j ACCEPT
>
>     ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
>              -s $IPADDR $UNPRIVPORTS \
>              -d $NEWS_SERVER 119 -j ACCEPT
>
>     # ------------------------------------------------------------------
>
>     # FINGER client (79)
>     # ------------------
>     ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp ! -y \
>              -s $ANYWHERE 79 \
>              -d $IPADDR $UNPRIVPORTS -j ACCEPT
>
>     ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
>              -s $IPADDR $UNPRIVPORTS \
>              -d $ANYWHERE 79 -j ACCEPT
>
>     # ------------------------------------------------------------------
>
>     # AUTH server (113)
>     # -----------------
>
>     # Reject, rather than deny, the incoming auth port. (NET-3-HOWTO)
>
>     ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp \
>              -s $ANYWHERE \
>              -d $IPADDR 113 -j REJECT
>
>     # AUTH client (113)
>     # -----------------
>     ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp ! -y \
>              -s $ANYWHERE 113 \
>              -d $IPADDR $UNPRIVPORTS -j ACCEPT
>
>     ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
>              -s $IPADDR $UNPRIVPORTS \
>              -d $ANYWHERE 113 -j ACCEPT
>
>     # ------------------------------------------------------------------
>
>     # SMTP client (25)
>     # ----------------
>     ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp ! -y \
>              -s $SMTP_SERVER 25 \
>              -d $IPADDR $UNPRIVPORTS -j ACCEPT
>
>     ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
>              -s $IPADDR $UNPRIVPORTS \
>              -d $SMTP_SERVER 25 -j ACCEPT
>
>     # ------------------------------------------------------------------
>
>     # IMAP client (143)
>     # -----------------
>     ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp ! -y \
>              -s mail.olmpi1.wa.home.com 143 \
>              -d $IPADDR $UNPRIVPORTS -j ACCEPT
>
>     ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
>              -s $IPADDR $UNPRIVPORTS \
>              -d mail.olmpi1.wa.home.com 143 -j ACCEPT
>
>     # ------------------------------------------------------------------
>
>     # ICQ client (4000)
>     # -----------------
>     ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp ! -y \
>              -s $ANYWHERE 2000:4000 \
>              -d $IPADDR $UNPRIVPORTS -j ACCEPT
>
>     ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
>              -s $IPADDR $UNPRIVPORTS \
>              -d $ANYWHERE 2000:4000 -j ACCEPT
>
>     ipchains -A input  -i $EXTERNAL_INTERFACE -p udp \
>              -s $ANYWHERE 4000 \
>              -d $IPADDR $UNPRIVPORTS -j ACCEPT
>
>     ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
>              -s $IPADDR $UNPRIVPORTS \
>              -d $ANYWHERE 4000 -j ACCEPT
>
>     # ------------------------------------------------------------------
>
>     # FTP server (20, 21)
>     # -------------------
>
>     # incoming request
>
>     ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp \
>              -s $ANYWHERE $UNPRIVPORTS \
>              -d $IPADDR 21 -j ACCEPT
>
>     ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
>              -s $IPADDR 21 \
>              -d $ANYWHERE $UNPRIVPORTS -j ACCEPT
>
>     # PORT MODE data channel responses
>     #
>     ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp ! -y \
>             -s $ANYWHERE $UNPRIVPORTS \
>             -d $IPADDR 20 -j ACCEPT
>
>     ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
>             -s $IPADDR 20 \
>             -d $ANYWHERE $UNPRIVPORTS -j ACCEPT
>
>     # FTP client (20, 21)
>     # -------------------
>
>     # outgoing request
>     ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp ! -y \
>              -s $ANYWHERE 21 \
>              -d $IPADDR $UNPRIVPORTS -j ACCEPT
>
>     ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
>              -s $IPADDR $UNPRIVPORTS \
>              -d $ANYWHERE 21 -j ACCEPT
>
>     # NORMAL mode data channel
>     ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp \
>             -s $ANYWHERE 20 \
>             -d $IPADDR $UNPRIVPORTS -j ACCEPT
>
>     # NORMAL mode data channel responses
>     ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
>             -s $IPADDR $UNPRIVPORTS \
>             -d $ANYWHERE 20 -j ACCEPT
>
>     # PASSIVE mode data channel creation
>     ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
>             -s $IPADDR $UNPRIVPORTS \
>             -d $ANYWHERE $UNPRIVPORTS -j ACCEPT
>
>     # PASSIVE mode data channel responses
>     ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp ! -y \
>             -s $ANYWHERE $UNPRIVPORTS \
>             -d $IPADDR $UNPRIVPORTS -j ACCEPT
>
>     # ------------------------------------------------------------------
>
>     # RealAudio / QuickTime client
>     # ----------------------------
>
>     ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp ! -y \
>              -s $ANYWHERE 554 \
>              -d $IPADDR $UNPRIVPORTS -j ACCEPT
>
>     ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
>              -s $IPADDR $UNPRIVPORTS \
>              -d $ANYWHERE 554 -j ACCEPT
>
>     # TCP is a more secure method:  7070:7071
>
>     ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp ! -y \
>              -s $ANYWHERE 7070:7071 \
>              -d $IPADDR $UNPRIVPORTS -j ACCEPT
>
>     ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
>              -s $IPADDR $UNPRIVPORTS \
>              -d $ANYWHERE 7070:7071 -j ACCEPT
>
>     # UDP is the preferred method:  6970:6999
>     # For LAN machines, UDP requires the RealAudio masquerading module and
>     # the ipmasqadm third-party software.
>
>     ipchains -A input  -i $EXTERNAL_INTERFACE -p udp \
>              -s $ANYWHERE $UNPRIVPORTS \
>              -d $IPADDR 6970:6999 -j ACCEPT
>
>     ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
>              -s $IPADDR $UNPRIVPORTS \
>              -d $ANYWHERE $UNPRIVPORTS -j ACCEPT
>
>     # ------------------------------------------------------------------
>
>     # WHOIS client (43)
>     # -----------------
>     ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp ! -y \
>              -s $ANYWHERE 43 \
>              -d $IPADDR $UNPRIVPORTS -j ACCEPT
>
>     ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
>              -s $IPADDR $UNPRIVPORTS \
>              -d $ANYWHERE 43 -j ACCEPT
>
> # ----------------------------------------------------------------------------
> # UDP accept only on selected ports
> # ---------------------------------
>
>     # ------------------------------------------------------------------
>
>     # OUTGOING TRACEROUTE
>     # -------------------
>     ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
>              -s $IPADDR $TRACEROUTE_SRC_PORTS \
>              -d $ANYWHERE $TRACEROUTE_DEST_PORTS -j ACCEPT
>
> # ----------------------------------------------------------------------------
> # Unlimited traffic within the local network.
>
>     # All internal machines have access to the firewall machine.
>
>     ipchains -A input  -i $LOCAL_INTERFACE_1 -s $LOCALNET_1 -j ACCEPT
>     ipchains -A output -i $LOCAL_INTERFACE_1 -d $LOCALNET_1 -j ACCEPT
>
> # ----------------------------------------------------------------------------
> # Masquerade internal traffic.
>
>     # All internal traffic is masqueraded externally.
>
>     ipchains -A forward -i $EXTERNAL_INTERFACE -s $LOCALNET_1 -j MASQ
>
> # ----------------------------------------------------------------------------
> # Enable logging for selected denied packets
>
>     ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp -d $IPADDR -j DENY -l
>
>     ipchains -A input  -i $EXTERNAL_INTERFACE -p udp -d $IPADDR $PRIVPORTS -j DENY -l
>
>     ipchains -A input  -i $EXTERNAL_INTERFACE -p udp -d $IPADDR $UNPRIVPORTS -j DENY -l
>
>     ipchains -A input  -i $EXTERNAL_INTERFACE -p icmp \
>              -s $ANYWHERE 5 -d $IPADDR -j DENY -l
>     ipchains -A input  -i $EXTERNAL_INTERFACE -p icmp \
>              -s $ANYWHERE 13:255 -d $IPADDR -j DENY -l
>
> # ----------------------------------------------------------------------------
>
> echo "done"
>
> exit 0
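An added example, not part of the thread and not Ziegler's generator: a small offline audit of rule lines in the shape of the script above. It parses `ipchains -A ...` lines (assumption: the shell variables `$EXTERNAL_INTERFACE`, `$IPADDR`, `$ANYWHERE`, `$UNPRIVPORTS` and `$SMTP_SERVER` have already been expanded, e.g. by running the script through `sh -x`), lists the TCP ports on which the external interface accepts a new connection from any/0, and lists where the box itself may open port 25 before and after the first half of Civileme's suggestion (changing `$SMTP_SERVER` to `$ANYWHERE` in the two port-25 rules). The sample rule lines are constructed from the posted script with its values substituted. On that sample the exposed ports come out as 22, 23 and 80; 23 is the telnet server the script leaves reachable from the whole internet, and the port-25 check shows why the local MTA cannot deliver anywhere except to mail.olmpi1.wa.home.com until the rule is changed.

```python
import re

# Constructed sample: rule lines in the shape of the posted rc.firewall with
# $EXTERNAL_INTERFACE, $IPADDR, $ANYWHERE, $UNPRIVPORTS and $SMTP_SERVER
# already substituted (assumption: expand the variables, e.g. `sh -x`, before
# feeding the real script to this audit).
SAMPLE_RULES = """
ipchains -A input  -i eth0 -p tcp -s any/0 1024:65535 -d 24.1.27.58 22 -j ACCEPT
ipchains -A input  -i eth0 -p tcp -s any/0 1024:65535 -d 24.1.27.58 23 -j ACCEPT
ipchains -A input  -i eth0 -p tcp -s any/0 1024:65535 -d 24.1.27.58 80 -j ACCEPT
ipchains -A input  -i eth0 -p tcp ! -y -s any/0 80 -d 24.1.27.58 1024:65535 -j ACCEPT
ipchains -A input  -i eth0 -p tcp -s any/0 -d 24.1.27.58 113 -j REJECT
ipchains -A input  -i eth0 -p tcp ! -y -s any/0 1024:65535 -d 24.1.27.58 1024:65535 -j ACCEPT
ipchains -A input  -i eth0 -p tcp ! -y -s mail.olmpi1.wa.home.com 25 -d 24.1.27.58 1024:65535 -j ACCEPT
ipchains -A output -i eth0 -p tcp -s 24.1.27.58 1024:65535 -d mail.olmpi1.wa.home.com 25 -j ACCEPT
ipchains -A input  -i eth0 -p tcp -d 24.1.27.58 -j DENY -l
"""


def _addr_and_port(tokens, i):
    """Consume the address after -s/-d and, if present, the port token that
    ipchains writes after it ('22' or '1024:65535'). Returns (addr, port, next)."""
    addr, i, port = tokens[i], i + 1, None
    if i < len(tokens) and re.fullmatch(r"\d+(:\d+)?", tokens[i]):
        port, i = tokens[i], i + 1
    return addr, port, i


def parse_rule(line):
    """Parse one 'ipchains -A <chain> ...' line; returns None for anything else."""
    tokens = line.split()
    if tokens[:2] != ["ipchains", "-A"]:
        return None
    rule = {"chain": tokens[2], "iface": None, "proto": None, "src": None,
            "sport": None, "dst": None, "dport": None, "syn": None,
            "target": None, "log": False}
    i, negate = 3, False
    while i < len(tokens):
        t = tokens[i]
        if t == "!":                      # negates the next flag, e.g. '! -y'
            negate, i = True, i + 1
            continue
        if t == "-i":
            rule["iface"], i = tokens[i + 1], i + 2
        elif t == "-p":
            rule["proto"], i = tokens[i + 1], i + 2
        elif t == "-s":
            rule["src"], rule["sport"], i = _addr_and_port(tokens, i + 1)
        elif t == "-d":
            rule["dst"], rule["dport"], i = _addr_and_port(tokens, i + 1)
        elif t == "-j":
            rule["target"], i = tokens[i + 1], i + 2
        elif t == "-y":                   # True: SYN only; False ('! -y'): no SYN
            rule["syn"], i = not negate, i + 1
        elif t == "-l":
            rule["log"], i = True, i + 1
        else:
            i += 1
        negate = False
    return rule


def parse_rules(text):
    return [r for r in (parse_rule(l) for l in text.splitlines()) if r]


def port_matches(spec, port):
    """True when a rule port spec (None, '22' or '1024:65535') covers `port`."""
    if spec is None:
        return True
    lo, _, hi = spec.partition(":")
    return int(lo) <= port <= int(hi or lo)


def inbound_tcp_listeners(rules, iface="eth0"):
    """Destination ports on which `iface` ACCEPTs a *new* TCP connection
    (a SYN) from any/0: the services the whole internet can reach."""
    ports = {r["dport"] for r in rules
             if r["chain"] == "input" and r["iface"] == iface
             and r["proto"] == "tcp" and r["target"] == "ACCEPT"
             and r["src"] == "any/0" and r["syn"] is not False
             and r["dport"] is not None}
    return sorted(ports, key=lambda p: int(p.split(":")[0]))


def outbound_tcp_destinations(rules, port, iface="eth0"):
    """Hosts the firewall box itself may open a TCP connection to on `port`."""
    return sorted(r["dst"] for r in rules
                  if r["chain"] == "output" and r["iface"] == iface
                  and r["proto"] == "tcp" and r["target"] == "ACCEPT"
                  and r["syn"] is not False and port_matches(r["dport"], port))


def open_smtp_to_anywhere(text, smtp_server="mail.olmpi1.wa.home.com"):
    """Civileme's first suggestion: replace $SMTP_SERVER with $ANYWHERE in the
    two port-25 rules so the local MTA may deliver straight to any MX host."""
    return (text.replace(f"-d {smtp_server} 25", "-d any/0 25")
                .replace(f"-s {smtp_server} 25", "-s any/0 25"))


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    print("TCP ports open to new connections from the internet:",
          inbound_tcp_listeners(rules))                       # ['22', '23', '80']
    print("port 25 reachable from the box:", outbound_tcp_destinations(rules, 25))
    fixed = parse_rules(open_smtp_to_anywhere(SAMPLE_RULES))
    print("after the change:", outbound_tcp_destinations(fixed, 25))  # ['any/0']
```

The `-y` handling is the part worth keeping when adapting this to a real rule set: the script's passive-FTP rule accepts from any unprivileged port to any unprivileged port, but only with `! -y`, so it admits packets that look like part of an existing connection rather than opening a listener. An audit that keyed on `ACCEPT` alone would report every port above 1023 as exposed; one that tracks the SYN flag reports only 21, 22, 23 and 80 on the full script. The same parser also makes the second half of Civileme's suggestion (dropping the `-s $IPADDR` / `-d $IPADDR` clauses) easy to check afterwards, since the resulting rules show up with `src`/`dst` of None.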
