[EMAIL PROTECTED] wrote:
> I have @home cable service and would like to log all hits from within @homes ip
> address block. Will the following chain do it or am I leaving something open
> with this?
> ipchains -A input -p all -l -s 24.0.0.0/8 -i eth0 -d 0.0.0.0/0

It will log their access attempts to your box, but it will also leave
your computer just as open as before.  That rule has no -j target, so you
haven't told it to do anything but log  :)

Perhaps you would like to try my firewalling script?  It's totally l337!

MSG
#!/bin/sh

# Source the init-script helpers.  Every rule below is installed through
# action() from this file, so the script does not work without it.
. /etc/rc.d/init.d/functions

#
# <CONFIGURATION>
#

# Where the firewalling tools live.
IPCHAINS="/sbin/ipchains"
IPMASQADM="/usr/sbin/ipmasqadm"

#
# Every variable below takes a space separated list of items.
#

# Interfaces that get the "paranoid" treatment in lock_down_dev().
PARANOID_DEV="eth1"

# Ports that stay reachable (TCP and UDP) on a paranoid device ...
PARANOIA_ALLOWS_PORTS="22 25 443 993"
# ... and additional ports that are rejected on it, beyond 0-1023 and X11.
PARANOIA_EXTRA_PORTS="2049 3306"

# "ALL": turn on rp_filter for every interface; otherwise a list of
# interface names that get it individually.
SPOOF_PROTECTION_ON="ALL"

# Prove paranoia: log (ipchains -l) every packet the REJECT rules hit.
LOG_DENIED="TRUE"

# Internal networks: MASQ_NET is masqueraded, FORWARD_NET is only forwarded.
MASQ_NET="192.168.1.0/24"
FORWARD_NET="192.168.10.0/24"

#
# Port forwards.  The format is a little odd, but it keeps each forward
# to a single item:
# format: local_ip(local_port)-remote_ip(remote_port)
# e.g.:  192.168.0.2(21)-192.168.1.5(21)
#
PORT_FORWARDS="192.168.0.2(5155)-192.168.1.5(22)"

# Per-host rules for a paranoid device go in <DEVICE>_ALLOW / <DEVICE>_DENY
# (device name upper-cased), same remote(port)-local(port) format; an
# empty "()" leaves the port unspecified.  The device must be listed in
# PARANOID_DEV for these to take effect.
#ETH1_ALLOW="206.43.48.6()-192.168.0.2(:1024)"
#ETH1_DENY="206.43.48.3()-192.168.0.2()"


#
# </CONFIGURATION>
#




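configure_system() {

        #######################################
        # Kernel-side preparation that must happen before any rule is added:
        # reverse-path filtering, the ip_forward sanity check, a flush of the
        # previous rule set, the default forward policy, masquerade timeouts
        # and the ip_masq helper modules.
        # Globals:  SPOOF_PROTECTION_ON, IPCHAINS, IPMASQADM (read)
        # Outputs:  progress messages on stdout, problems on stderr
        # Returns:  1 if IP forwarding cannot be checked or is disabled
        #           (nothing is flushed or changed in that case), 0 otherwise.
        #           Failures of the individual tool invocations are reported
        #           by action() and not propagated.
        #######################################

        # Turn on Source Address Verification on every interface present now;
        # "all" also covers interfaces that appear later.
        if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
                if [ "$SPOOF_PROTECTION_ON" = "ALL" ]; then
                        printf '%s' "Setting up IP spoofing protection..."
                        for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
                                # An unmatched glob is left unexpanded; skip it.
                                [ -e "$f" ] && echo 1 > "$f"
                        done
                        echo "done"
                fi
        else
                echo "SPOOF PROTECTION NOT AVAILABLE ON THIS SYSTEM."
        fi


        if [ ! -f /proc/sys/net/ipv4/ip_forward ]; then
                echo "/proc/sys/net/ipv4/ip_forward is missing --" \
                     "cannot control IP forwarding" >&2
                return 1
        fi

        # Routing is expected to be switched on by the network init scripts;
        # this script only adds rules, it never enables forwarding itself.
        ip_forward=$(cat /proc/sys/net/ipv4/ip_forward)
        if [ "$ip_forward" != 1 ]; then
                echo "Routing has not been enabled." >&2
                echo "Please set FORWARD_IPV4=\"yes\" in /etc/sysconfig/network" >&2
                echo "  or use your network configuration tool to enable ip forwarding." >&2
                return 1
        fi

        #
        # Flush the old rules, so that re-running the script doesn't
        # duplicate them.  This is important if the rules have changed.
        #
        action "Flushing old firewalling rules" "$IPCHAINS" -F

        [ -x "$IPMASQADM" ] && \
        action "Flushing forwarded ports" "$IPMASQADM" portfw -f

        #
        # Set the default for packet forwarding to REJECT.  Only the
        # networks listed in MASQ_NET / FORWARD_NET get forwarded.
        #
        action "Denying packet forwarding by default" \
                "$IPCHAINS" -P forward REJECT

        # Masquerade timeouts: 14400 s for TCP, the two zeros leave the
        # TCP-FIN and UDP timeouts at their kernel defaults.
        action "Extending default timouts for masqueraded IP connections" \
                "$IPCHAINS" -M -S 14400 0 0

        # Load all available ip_masq modules.  insmod accepts a full path,
        # so there is no need to cd into the module directory (and no risk
        # of running the loop in the wrong directory if the cd failed).
        masq_dir="/lib/modules/$(uname -r)/ipv4"
        if [ -d "$masq_dir" ]; then
                for masqmod in "$masq_dir"/ip_masq*; do
                        # An unmatched glob is left unexpanded; skip it.
                        [ -e "$masqmod" ] || continue
                        #
                        # I'm only using insmod here because the version of
                        # modprobe distributed with Red Hat no longer works
                        # the way it used to.  insmod will throw errors on
                        # subsequent uses of this script (module already
                        # loaded).  Either ignore them or go back to the old
                        # modutils package.
                        #
                        action "Loading masquerade module ${masqmod##*/} " \
                                insmod "$masqmod"
                done
        else
                echo "$masq_dir not found -- no masquerade modules loaded" >&2
        fi

        return 0
}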

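_set_rp_filter() {
        # Enable reverse-path filtering for interface $1.  Kept as a
        # function so action() can run it: "action msg echo 1 > file" would
        # redirect action()'s own message into the /proc file instead.
        echo 1 > "/proc/sys/net/ipv4/conf/$1/rp_filter"
}

_paranoid_reject_ports() {
        # Reject new TCP connections (-y: SYN only, so replies to connections
        # we opened ourselves still get in) and all UDP to port(s) $1
        # arriving on $ARG_PARANOID_DEV.
        # $LOG is deliberately unquoted: it is either empty or " -l ".
        "$IPCHAINS" -A input -i "$ARG_PARANOID_DEV" -y \
                -p TCP --destination-port "$1" -j REJECT $LOG
        _rc=$?
        "$IPCHAINS" -A input -i "$ARG_PARANOID_DEV" \
                -p UDP --destination-port "$1" -j REJECT $LOG || _rc=$?
        return $_rc
}

_paranoid_accept_ports() {
        # Accept new TCP connections and UDP to port(s) $1 on
        # $ARG_PARANOID_DEV.  Inserted at position 1 so the rule sits above
        # the REJECTs added by _paranoid_reject_ports.
        "$IPCHAINS" -I input 1 -i "$ARG_PARANOID_DEV" -y \
                -p TCP --destination-port "$1" -j ACCEPT
        _rc=$?
        "$IPCHAINS" -I input 1 -i "$ARG_PARANOID_DEV" \
                -p UDP --destination-port "$1" -j ACCEPT || _rc=$?
        return $_rc
}

_paranoid_host_rule() {
        # Insert one per-host rule at the top of the input chain.
        # $1: REJECT or ACCEPT
        # $2: "remote_ip(remote_port)-local_ip(local_port)"; a missing or
        #     empty "(port)" leaves the port unspecified.
        # Sets REMOTE_IP, REMOTE_PORT, LOCAL_IP, LOCAL_PORT as a side effect.
        # Returns 1 (and adds nothing) for a malformed spec.
        _remote=${2%%-*}
        _local=${2#*-}
        REMOTE_IP=${_remote%%\(*}
        LOCAL_IP=${_local%%\(*}
        REMOTE_PORT=""
        LOCAL_PORT=""
        case $_remote in
                *\(*\)) REMOTE_PORT=${_remote#*\(}; REMOTE_PORT=${REMOTE_PORT%\)} ;;
        esac
        case $_local in
                *\(*\)) LOCAL_PORT=${_local#*\(}; LOCAL_PORT=${LOCAL_PORT%\)} ;;
        esac
        if [ "$_remote" = "$2" ] || [ -z "$REMOTE_IP" ] || [ -z "$LOCAL_IP" ]; then
                echo "  ignoring malformed host rule '$2' for $ARG_PARANOID_DEV" >&2
                return 1
        fi

        # Only denials are logged; accepts never carry -l.
        case $1 in
                ACCEPT)
                        _msg="  allowing $REMOTE_IP $REMOTE_PORT to access $LOCAL_IP $LOCAL_PORT"
                        _log=""
                        ;;
                *)
                        _msg="  removing access from $REMOTE_IP $REMOTE_PORT to $LOCAL_IP $LOCAL_PORT"
                        _log=$LOG
                        ;;
        esac
        # REMOTE_PORT / LOCAL_PORT / _log are deliberately unquoted: an
        # empty value must contribute no argument at all.
        action "$_msg" \
                "$IPCHAINS" -I input 1 -i "$ARG_PARANOID_DEV" -y \
                -p TCP -s "$REMOTE_IP" $REMOTE_PORT -d "$LOCAL_IP" $LOCAL_PORT -j "$1" $_log
        "$IPCHAINS" -I input 1 -i "$ARG_PARANOID_DEV" \
                -p UDP -s "$REMOTE_IP" $REMOTE_PORT -d "$LOCAL_IP" $LOCAL_PORT -j "$1" $_log
}

lock_down_dev() {

        #######################################
        # Lock down one "paranoid" interface.
        # Globals read:    ARG_PARANOID_DEV (set by the caller per interface),
        #                  LOG_DENIED, PARANOIA_EXTRA_PORTS,
        #                  PARANOIA_ALLOWS_PORTS, SPOOF_PROTECTION_ON, IPCHAINS,
        #                  <DEV>_DENY and <DEV>_ALLOW (e.g. ETH1_DENY)
        # Globals written: LOG, UP_DEV, DEV_DENY, DEV_ALLOW and the
        #                  REMOTE_*/LOCAL_* scratch variables
        # Resulting input-chain order for this device, top first:
        #   <DEV>_ALLOW host rules, <DEV>_DENY host rules,
        #   PARANOIA_ALLOWS_PORTS accepts, then the REJECT rules.
        # Returns: 1 if the per-host variables cannot be looked up,
        #          0 otherwise.
        #######################################

        # Log every packet the REJECT rules hit when LOG_DENIED is TRUE.
        LOG=""
        if [ "$LOG_DENIED" = "TRUE" ]; then
                LOG=" -l "
        fi

        # Privileged ports and the X11 range are closed by default.
        action "Disallowing incoming connections on $ARG_PARANOID_DEV" \
                _paranoid_reject_ports :1023
        _paranoid_reject_ports 6000:6010

        [ -n "$PARANOIA_EXTRA_PORTS" ] && for PORTS in $PARANOIA_EXTRA_PORTS; do
                action "  including extra port $PORTS" \
                        _paranoid_reject_ports "$PORTS"
        done
        [ -n "$PARANOIA_ALLOWS_PORTS" ] && for PORTS in $PARANOIA_ALLOWS_PORTS; do
                action "  except for port $PORTS" \
                        _paranoid_accept_ports "$PORTS"
        done

        # Per-interface rp_filter, only when this interface is listed by name
        # ("ALL" is handled once in configure_system).  SPOOF_PROTECTION_ON
        # is a space separated list and must stay unquoted here: quoting it
        # turned the list into a single item that never matched.
        if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
                for DEV in $SPOOF_PROTECTION_ON; do
                        [ "$DEV" = "$ARG_PARANOID_DEV" ] || continue
                        action "Setting up IP spoofing protection on $ARG_PARANOID_DEV" \
                                _set_rp_filter "$ARG_PARANOID_DEV"
                done
        fi

        # Per-host rules live in <DEV>_DENY / <DEV>_ALLOW.  The name is
        # built from the interface name and fed to eval (there is no other
        # indirection in /bin/sh), so refuse anything that is not a plain
        # variable name.
        UP_DEV=$(printf '%s' "$ARG_PARANOID_DEV" | tr '[a-z]' '[A-Z]')
        case $UP_DEV in
                *[!A-Z0-9_]*|"")
                        echo "  cannot derive a variable name from '$ARG_PARANOID_DEV';" \
                             "skipping per-host rules" >&2
                        return 1
                        ;;
        esac
        eval "DEV_DENY=\$${UP_DEV}_DENY"
        eval "DEV_ALLOW=\$${UP_DEV}_ALLOW"

        # Denials first, then allows; both are inserted at position 1, so an
        # explicit ALLOW ends up above a DENY for the same host.
        [ -n "$DEV_DENY" ] && for DENY in $DEV_DENY; do
                _paranoid_host_rule REJECT "$DENY"
        done

        [ -n "$DEV_ALLOW" ] && for ALLOW in $DEV_ALLOW; do
                _paranoid_host_rule ACCEPT "$ALLOW"
        done

        return 0
}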

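masq_network() {

        # Masquerade everything leaving the internal network $ARG_MASQ_NET
        # toward any destination (0/0).
        # Globals:  ARG_MASQ_NET (one network, set by the caller), IPCHAINS
        # Returns:  1 if ARG_MASQ_NET is empty, else the status of action()
        if [ -z "$ARG_MASQ_NET" ]; then
                echo "masq_network: no network given" >&2
                return 1
        fi

        action "Activating masquerading for network $ARG_MASQ_NET" \
                "$IPCHAINS" -A forward -s "$ARG_MASQ_NET" -d 0/0 -j MASQ

}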

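forward_network() {

        # Forward traffic of the internal network $ARG_FWD_NET unchanged
        # (no masquerading); -b installs the rule in both directions so
        # replies are forwarded as well.
        # Globals:  ARG_FWD_NET (one network, set by the caller), IPCHAINS
        # Returns:  1 if ARG_FWD_NET is empty, else the status of action()
        if [ -z "$ARG_FWD_NET" ]; then
                echo "forward_network: no network given" >&2
                return 1
        fi

        action "Allowing network $ARG_FWD_NET to be forwarded" \
                "$IPCHAINS" -A forward -b -s "$ARG_FWD_NET" -d 0/0 -j ACCEPT

}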

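do_port_forward() {

        #######################################
        # Forward one TCP port on this box to an internal host via
        # ipmasqadm portfw.
        # Globals:  ARG_PORT_FORWARD "local_ip(local_port)-remote_ip(remote_port)"
        #           (set by the caller), IPMASQADM
        # Sets:     LOCAL_F, REMOTE_F, LOCAL_IP, LOCAL_PORT, REMOTE_IP, REMOTE_PORT
        # Returns:  1 if ipmasqadm is missing or the spec is malformed,
        #           else the status of action()
        #######################################
        if [ ! -x "$IPMASQADM" ]; then
                echo "Please install ipmasqadm for port forwarding" >&2
                return 1
        fi

        # Require the full local(port)-remote(port) shape up front so a
        # typo doesn't turn into a portfw call with missing arguments.
        case $ARG_PORT_FORWARD in
                *\(*\)-*\(*\)) ;;
                *)
                        echo "Bad port forward '$ARG_PORT_FORWARD';" \
                             "expected local_ip(local_port)-remote_ip(remote_port)" >&2
                        return 1
                        ;;
        esac

        LOCAL_F=${ARG_PORT_FORWARD%%-*}
        REMOTE_F=${ARG_PORT_FORWARD#*-}

        # ip is the part before "(", port the part between "(" and ")".
        LOCAL_IP=${LOCAL_F%%\(*}
        LOCAL_PORT=${LOCAL_F#*\(}
        LOCAL_PORT=${LOCAL_PORT%\)}
        REMOTE_IP=${REMOTE_F%%\(*}
        REMOTE_PORT=${REMOTE_F#*\(}
        REMOTE_PORT=${REMOTE_PORT%\)}

        if [ -z "$LOCAL_IP" ] || [ -z "$LOCAL_PORT" ] ||
           [ -z "$REMOTE_IP" ] || [ -z "$REMOTE_PORT" ]; then
                echo "Bad port forward '$ARG_PORT_FORWARD': ip and port are both required" >&2
                return 1
        fi

        # Only TCP is forwarded; a UDP forward would need a second portfw
        # call with -P udp.
        action "Forwarding $LOCAL_F to $REMOTE_F" \
                "$IPMASQADM" portfw -a -P tcp \
                -L "$LOCAL_IP" "$LOCAL_PORT" -R "$REMOTE_IP" "$REMOTE_PORT"

}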

#-----------------------

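# Main.  Stop if the kernel side could not be prepared (ip_forward missing
# or routing disabled): configure_system returns before flushing in that
# case, and the rules below would only be appended to the stale set.
configure_system || exit 1

[ -n "$PARANOID_DEV" ] && for PD in $PARANOID_DEV; do
        ARG_PARANOID_DEV="$PD"
        lock_down_dev
done

[ -n "$MASQ_NET" ] && for MN in $MASQ_NET; do
        ARG_MASQ_NET="$MN"
        masq_network
done


[ -n "$FORWARD_NET" ] && for FN in $FORWARD_NET; do
        ARG_FWD_NET="$FN"
        forward_network
done


[ -n "$PORT_FORWARDS" ] && for PF in $PORT_FORWARDS; do
        ARG_PORT_FORWARD="$PF"
        do_port_forward
done


# Port sentry: start it if it is installed and not already running.
# No subshell is needed around the pidof test.
if ! /sbin/pidof portsentry > /dev/null; then

        if [ -x /usr/local/psionic/portsentry/portsentry ]; then
                action "Starting portsentry watching tcp" \
                        /usr/local/psionic/portsentry/portsentry -atcp
                action "Starting portsentry watching udp" \
                        /usr/local/psionic/portsentry/portsentry -audp
        fi

fi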
