Hi,

I'm not running DSL, but if you have a look at my script you will be able
to see exactly what you need to do. If you have any further questions,
come back to me.

Andy


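#!/bin/bash
#
# ipchains (Linux 2.2-era) packet filter for a dial-up gateway: ppp0 faces
# the Internet, eth0/eth1 carry a 192.168.0.0/16 LAN that is masqueraded out.
#
# ipchains evaluates input -> forward -> output, and within a chain the
# first matching rule wins.  Anything that falls through hits the chain's
# DENY policy via the logging catch-all at the bottom.
#
# Needs root and an ipchains kernel; it does not translate to iptables/nft.

# Site-specific addresses.  Edit these rather than the rules below.
# NOTE: the ppp0 address is assumed to be static.  On a dynamic dial-up the
# ACCEPT rules keyed on it silently stop matching after a redial and all
# traffic falls through to the logging DENY.
PPP_IF=ppp0
PPP_ADDR=194.222.168.226          # our external (ppp0) address
LAN=192.168.0.0/16                # internal network behind eth0/eth1
MAIL_RELAY=194.217.242.0/24       # ISP mail relays allowed to deliver SMTP
BANNER_HOST=206.253.217.6         # ad server we refuse to talk to
ANY=0.0.0.0/0

# Set the DENY policy *before* flushing.  Flushing first (as the original
# did) leaves a window in which the chains are empty under the kernel's
# default ACCEPT policy, so every packet is let through while the rest of
# the script is still loading.  With DENY set first the box is closed, not
# open, during the load.
for chain in input output forward; do
    ipchains -P "$chain" DENY
    ipchains -F "$chain"
done

# Anti-spoofing: nothing arriving over the dial-up link may claim an
# RFC 1918 source, a loopback source, or our own external address.
# Logged, since it is either misconfiguration or an attack.
for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8 "$PPP_ADDR"; do
    ipchains -A input -j DENY -i "$PPP_IF" -s "$net" -d "$ANY" -l
done

# Services offered to the Internet, accepted only when addressed to our
# own external address (forwarding to the LAN is never permitted below, so
# the original -d 0.0.0.0/0 bought nothing but a wider match).
#
# REVIEW: echo (7), discard (9) and daytime (13) over UDP are the classic
# reflection/"fraggle" amplifiers and should not face the Internet; UDP
# 20/21/80 match nothing real (FTP and HTTP are TCP-only).  They are kept
# here to preserve the original policy -- drop them unless you genuinely
# run the inetd small services.
for port in 7 9 13 20 21 53 80; do
    ipchains -A input -j ACCEPT -p tcp -i "$PPP_IF" -s "$ANY" -d "$PPP_ADDR" "$port"
done
for port in 7 9 13 20 21 53 80 518; do
    ipchains -A input -j ACCEPT -p udp -i "$PPP_IF" -s "$ANY" -d "$PPP_ADDR" "$port"
done

# SMTP only from the ISP's mail relays.
ipchains -A input -j ACCEPT -p tcp -i "$PPP_IF" -s "$MAIL_RELAY" -d "$PPP_ADDR" 25

# Everything else privileged (1-1023) plus a few well-known high ports
# (NFS 2049, proxies 8080/8081) is refused and logged.  Port 901 (SWAT)
# lies inside 1:1023, so the original's separate 901 rules were redundant.
for proto in tcp udp; do
    for ports in 1:1023 2049 8080 8081; do
        ipchains -A input -j DENY -p "$proto" -i "$PPP_IF" -s "$ANY" -d "$ANY" "$ports" -l
    done
done

# Anything else addressed to us over ppp0 is accepted.  This is what lets
# replies to our own outbound connections, and to masqueraded LAN traffic
# (rewritten by ipchains to high ports on PPP_ADDR), come back: ipchains
# has no connection tracking, so return traffic cannot be matched by state.
#
# REVIEW: this turns the high-port range into a blacklist, not a whitelist.
# Every TCP/UDP listener above 1023 not named in the DENY list above (X11,
# RPC services, anything a user starts) is reachable from the Internet, as
# is all ICMP.  The tighter form is to accept only non-SYN TCP here
# (`-p tcp ! -y`) and list any high-port servers explicitly; that breaks
# active-mode FTP clients and passive-mode FTP serving, which is presumably
# why the original did not do it.
ipchains -A input -j ACCEPT -i "$PPP_IF" -s "$ANY" -d "$PPP_ADDR"

# Nothing may leave the dial-up link addressed to the LAN range, and nothing
# with a LAN source may leave unmasqueraded; both indicate a routing or
# masquerading fault, so log them.
ipchains -A output -j DENY -i "$PPP_IF" -s "$ANY" -d "$LAN" -l
ipchains -A output -j DENY -i "$PPP_IF" -s "$LAN" -d "$ANY" -l

# Ad-blocking: refuse to talk to the banner server at all.
ipchains -A output -j DENY -i "$PPP_IF" -s "$ANY" -d "$BANNER_HOST" -l

# All other outbound traffic from our own address is fine.
ipchains -A output -j ACCEPT -i "$PPP_IF" -s "$PPP_ADDR" -d "$ANY"

# LAN traffic on the internal interfaces (two-NIC setup, adjust to taste).
for nic in eth0 eth1; do
    ipchains -A input  -j ACCEPT -i "$nic" -s "$LAN" -d "$ANY"
    ipchains -A output -j ACCEPT -i "$nic" -s "$ANY" -d "$LAN"
done

# Loopback is unrestricted.
ipchains -A input  -j ACCEPT -i lo -s "$ANY" -d "$ANY"
ipchains -A output -j ACCEPT -i lo -s "$ANY" -d "$ANY"

# Outbound multicast (testing aid), logged.  In the original this rule was
# appended *after* the catch-all DENY and so could never match, and its
# mask was /0 (every address) rather than the multicast /4.
ipchains -A output -j ACCEPT -s "$ANY" -d 224.0.0.0/4 -l

# NetBIOS from Win9x clients browsing SAMBA shares would otherwise bring
# up dial-on-demand constantly; refuse to forward it.  The original matched
# only the *source* port, which catches UDP name/datagram service (clients
# send from 137/138) but not a TCP session setup to port 139 from an
# ephemeral source port -- hence the destination-port rules as well.
for proto in tcp udp; do
    ipchains -A forward -j DENY -p "$proto" -s "$ANY" 137:139
    ipchains -A forward -j DENY -p "$proto" -s "$ANY" -d "$ANY" 137:139
done

# LAN-to-LAN forwarding is plain routing; everything else from the LAN is
# masqueraded behind PPP_ADDR.  Only LAN-sourced traffic is ever forwarded.
ipchains -A forward -j ACCEPT -s "$LAN" -d "$LAN"
ipchains -A forward -j MASQ   -s "$LAN" -d "$ANY"

# Safety net: anything not matched above is refused and logged.
# NOTE: unconditional -l here means a port scan or flood writes one kernel
# log line per packet; keep an eye on syslog disk usage.
for chain in input output forward; do
    ipchains -A "$chain" -j DENY -s "$ANY" -d "$ANY" -l
done

# by Andrew Taylor ([EMAIL PROTECTED]). 1999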
