[EMAIL PROTECTED] wrote: > I have @home cable service and would like to log all hits from within @homes ip > address block. Will the following chain do it or am I leaving something open > with this? > ipchains -A input -p all -l -s 24.0.0.0/8 -i eth0 -d 0.0.0.0/0 It will log their access attempts to your box, but it will also leave your computer open: -l only logs a matching packet, and with no -j target the packet carries on down the chain to whatever the default policy is. You haven't told it to do anything but log :) Perhaps you would like to try my firewalling script? It's totally l337! MSG
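#!/bin/sh
#
# ipchains firewall / masquerading init script.
#
# Flushes any existing ipchains rules, turns on rp_filter source-address
# verification, rejects new inbound sessions on each PARANOID_DEV except the
# explicitly allowed ports, masquerades MASQ_NET, forwards FORWARD_NET and
# sets up ipmasqadm port forwards.  Must run as root; needs the Red Hat init
# helpers (/etc/rc.d/init.d/functions) for the `action` status printer.
#
# Source functions
. /etc/rc.d/init.d/functions

#
# <CONFIGURATION>
#
IPCHAINS="/sbin/ipchains"
IPMASQADM="/usr/sbin/ipmasqadm"
#
# The following variables accept space separated lists of items
#
# "ALL" enables rp_filter on every current and future interface; otherwise
# list the interfaces (they must also appear in PARANOID_DEV to take effect).
SPOOF_PROTECTION_ON="ALL"
PARANOID_DEV="eth1"
PARANOIA_ALLOWS_PORTS="22 25 443 993"
PARANOIA_EXTRA_PORTS="2049 3306"
# Prove paranoia: log every rejected packet (-l) to the kernel log.
LOG_DENIED="TRUE"
MASQ_NET="192.168.1.0/24"
FORWARD_NET="192.168.10.0/24"
#
# This is a little weird, but I wanted to provide a simple way to
# do it, so here's the best you get:
# format: local_ip(local_port)-remote_ip(remote_port)
# e.g.: 192.168.0.2(21)-192.168.1.5(21)
# Both ports are required for a port forward.
#
PORT_FORWARDS="192.168.0.2(5155)-192.168.1.5(22)"
# To use ALLOW or DENY, the device must be a "PARANOID_DEV".
# NOTE: unlike PORT_FORWARDS the order here is remote first:
# format: remote_ip(remote_port)-local_ip(local_port); an empty "()" means
# any port, and a port spec may be an ipchains range such as ":1024".
# DENY entries always end up in front of ALLOW entries in the chain.
#ETH1_ALLOW="206.43.48.6()-192.168.0.2(:1024)"
#ETH1_DENY="206.43.48.3()-192.168.0.2()"
#
# </CONFIGURATION>
#

#######################################
# Split an "ip(port)" endpoint spec into EP_IP and EP_PORT.
# Arguments: $1 - spec such as 192.168.0.2(22), 10.0.0.1() or 10.0.0.1(:1024)
# Globals:   EP_IP, EP_PORT (written). EP_PORT is empty when the spec has no
#            parentheses or an empty "()".
#######################################
parse_endpoint() {
  case $1 in
    *\(*\))
      EP_IP=${1%%\(*}
      EP_PORT=${1#*\(}
      EP_PORT=${EP_PORT%\)}
      ;;
    *)
      EP_IP=$1
      EP_PORT=""
      ;;
  esac
}

#######################################
# Reject new inbound sessions to a port (range) on a device.
# -y matches TCP SYN only, so established outbound connections keep working;
# UDP has no handshake, so the whole port spec is rejected.
# Arguments: $1 - device, $2 - ipchains port spec (e.g. ":1023", "22")
# Globals:   IPCHAINS, LOG (read)
#######################################
reject_port() {
  $IPCHAINS -A input -i "$1" -y -p TCP --destination-port "$2" -j REJECT ${LOG:+"$LOG"}
  $IPCHAINS -A input -i "$1" -p UDP --destination-port "$2" -j REJECT ${LOG:+"$LOG"}
}

#######################################
# Accept inbound sessions to a port on a device, ahead of the REJECT rules.
# Arguments: $1 - device, $2 - ipchains port spec
# Globals:   IPCHAINS (read)
#######################################
accept_port() {
  $IPCHAINS -I input 1 -i "$1" -y -p TCP --destination-port "$2" -j ACCEPT
  $IPCHAINS -I input 1 -i "$1" -p UDP --destination-port "$2" -j ACCEPT
}

#######################################
# Insert a remote->local host rule at the top of the input chain.
# Arguments: $1 - device
#            $2 - "remote_ip(port)-local_ip(port)"
#            $3 - ACCEPT or REJECT (REJECT rules are logged when LOG is set)
# Globals:   IPCHAINS, LOG (read); EP_IP/EP_PORT clobbered via parse_endpoint
#######################################
host_rule() {
  parse_endpoint "${2%%-*}"
  R_IP=$EP_IP
  R_PORT=$EP_PORT
  parse_endpoint "${2#*-}"
  L_IP=$EP_IP
  L_PORT=$EP_PORT

  RULE_LOG=""
  if [ "$3" = "REJECT" ]; then
    RULE_LOG=$LOG
    echo " removing access from $R_IP $R_PORT to $L_IP $L_PORT"
  else
    echo " allowing $R_IP $R_PORT to access $L_IP $L_PORT"
  fi

  # ${X:+"$X"} passes the port as one argument only when it is non-empty.
  $IPCHAINS -I input 1 -i "$1" -y -p TCP \
    -s "$R_IP" ${R_PORT:+"$R_PORT"} -d "$L_IP" ${L_PORT:+"$L_PORT"} \
    -j "$3" ${RULE_LOG:+"$RULE_LOG"}
  $IPCHAINS -I input 1 -i "$1" -p UDP \
    -s "$R_IP" ${R_PORT:+"$R_PORT"} -d "$L_IP" ${L_PORT:+"$L_PORT"} \
    -j "$3" ${RULE_LOG:+"$RULE_LOG"}
}

#######################################
# Flush old rules, enable spoof protection, check that routing is on, set
# the default forward policy and load the ip_masq helper modules.
# Globals:   IPCHAINS, IPMASQADM, SPOOF_PROTECTION_ON (read)
# Returns:   1 when IP forwarding is unavailable or disabled (rules are
#            still flushed so the callers do not duplicate them)
#######################################
configure_system() {
  #
  # Flush the old rules first, so that we don't duplicate them.
  # This is important if the rules have changed, and it must happen even
  # when the forwarding checks below fail, because lock_down_dev appends.
  #
  action "Flushing old firewalling rules" $IPCHAINS -F
  [ -x "$IPMASQADM" ] && \
    action "Flushing forwarded ports" $IPMASQADM portfw -f

  # Turn on Source Address Verification and get
  # spoof protection on all current and future interfaces.
  if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
    if [ "$SPOOF_PROTECTION_ON" = "ALL" ]; then
      echo -n "Setting up IP spoofing protection..."
      for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
        echo 1 > "$f"
      done
      echo "done"
    fi
  else
    echo "SPOOF PROTECTION NOT AVAILABLE ON THIS SYSTEM."
  fi

  if [ ! -f /proc/sys/net/ipv4/ip_forward ]; then
    echo "/proc/sys/net/ipv4/ip_forward is missing --" \
      "cannot control IP forwarding" >&2
    return 1
  fi
  if [ 1 != "$(cat /proc/sys/net/ipv4/ip_forward)" ]; then
    echo "Routing has not been enabled." >&2
    echo "Please set FORWARD_IPV4=\"yes\" in /etc/sysconfig/network" >&2
    echo " or use your network configuration tool to enable ip forwarding." >&2
    return 1
  fi

  #
  # Set the default for packet forwarding to REJECT.  We only want to
  # forward packets for those in our own network.
  #
  action "Denying packet forwarding by default" \
    $IPCHAINS -P forward REJECT
  action "Extending default timeouts for masqueraded IP connections" \
    $IPCHAINS -M -S 14400 0 0

  # Load all available ip_masq modules.  Done in a subshell so the cd does
  # not leak, and skipped if the directory is missing (otherwise the glob
  # would expand in the current directory).
  MODDIR="/lib/modules/$(uname -r)/ipv4"
  if [ -d "$MODDIR" ]; then
    (
      cd "$MODDIR" || exit 1
      for masqmod in ip_masq*; do
        [ -e "$masqmod" ] || continue   # no match: glob stays literal
        #
        # I'm only using insmod here because the version of
        # modprobe distributed with Red Hat no longer works
        # the way it used to. insmod will throw errors on
        # subsequent uses of this script. Either ignore them
        # or go back to the old modutils package.
        #
        action "Loading masquerade module $masqmod " insmod "$masqmod"
      done
    )
  else
    echo "$MODDIR not found -- skipping ip_masq modules" >&2
  fi
}

#######################################
# Lock down one interface: reject new inbound sessions on privileged ports,
# X11 and PARANOIA_EXTRA_PORTS, allow PARANOIA_ALLOWS_PORTS, enable
# rp_filter when the device is listed, then apply <DEV>_ALLOW/<DEV>_DENY.
# Globals:   ARG_PARANOID_DEV, LOG_DENIED, PARANOIA_*_PORTS,
#            SPOOF_PROTECTION_ON (read); LOG, EP_* (written)
#######################################
lock_down_dev() {
  DEV=$ARG_PARANOID_DEV
  LOG=""
  if [ "$LOG_DENIED" = "TRUE" ]; then
    LOG="-l"
  fi

  action "Disallowing incoming connections on $DEV" reject_port "$DEV" :1023
  reject_port "$DEV" 6000:6010

  for PORT in $PARANOIA_EXTRA_PORTS; do
    action " including extra port $PORT" reject_port "$DEV" "$PORT"
  done
  for PORT in $PARANOIA_ALLOWS_PORTS; do
    action " except for port $PORT" accept_port "$DEV" "$PORT"
  done

  # Per-device rp_filter ("ALL" was already handled in configure_system).
  # Written directly: redirecting an `action` call would send its status
  # text into /proc as well.
  if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
    for SPOOF_DEV in $SPOOF_PROTECTION_ON; do
      if [ "$SPOOF_DEV" = "$DEV" ]; then
        echo "Setting up IP spoofing protection on $DEV"
        echo 1 > "/proc/sys/net/ipv4/conf/$DEV/rp_filter"
      fi
    done
  fi

  # <DEV>_ALLOW / <DEV>_DENY are looked up by name; the name is restricted to
  # [A-Z0-9_] before it goes through eval.
  UP_DEV=$(printf '%s' "$DEV" | tr 'a-z' 'A-Z' | tr -c 'A-Z0-9_' '_')
  eval "DEV_ALLOW=\${${UP_DEV}_ALLOW}"
  eval "DEV_DENY=\${${UP_DEV}_DENY}"

  for ALLOW in $DEV_ALLOW; do
    host_rule "$DEV" "$ALLOW" ACCEPT
  done
  # DENYs are inserted after the ALLOWs so they sit above them in the chain
  # and therefore win on overlap.
  for DENY in $DEV_DENY; do
    host_rule "$DEV" "$DENY" REJECT
  done
}

#######################################
# Masquerade outbound traffic from ARG_MASQ_NET.
# Globals: IPCHAINS, ARG_MASQ_NET (read)
#######################################
masq_network() {
  action "Activating masquerading for network $ARG_MASQ_NET" \
    $IPCHAINS -A forward -s "$ARG_MASQ_NET" -d 0/0 -j MASQ
}

#######################################
# Allow ARG_FWD_NET to be routed in both directions (-b) without masquerading.
# Globals: IPCHAINS, ARG_FWD_NET (read)
#######################################
forward_network() {
  action "Allowing network $ARG_FWD_NET to be forwarded" \
    $IPCHAINS -A forward -b -s "$ARG_FWD_NET" -d 0/0 -j ACCEPT
}

#######################################
# Set up one TCP port forward from ARG_PORT_FORWARD
# ("local_ip(port)-remote_ip(port)") via ipmasqadm.
# Globals: IPMASQADM, ARG_PORT_FORWARD (read); EP_* (written)
# Returns: 1 if ipmasqadm is missing or either port is empty
#######################################
do_port_forward() {
  if [ ! -x "$IPMASQADM" ]; then
    echo "Please install ipmasqadm for port forwarding" >&2
    return 1
  fi
  LOCAL_F=${ARG_PORT_FORWARD%%-*}
  REMOTE_F=${ARG_PORT_FORWARD#*-}
  parse_endpoint "$LOCAL_F"
  LOCAL_IP=$EP_IP
  LOCAL_PORT=$EP_PORT
  parse_endpoint "$REMOTE_F"
  REMOTE_IP=$EP_IP
  REMOTE_PORT=$EP_PORT
  if [ -z "$LOCAL_PORT" ] || [ -z "$REMOTE_PORT" ]; then
    echo "Port forward '$ARG_PORT_FORWARD' needs both ports -- skipped" >&2
    return 1
  fi
  action "Forwarding $LOCAL_F to $REMOTE_F" \
    $IPMASQADM portfw -a -P tcp \
    -L "$LOCAL_IP" "$LOCAL_PORT" -R "$REMOTE_IP" "$REMOTE_PORT"
}

#######################################
# Apply the configuration in order: system setup, per-device lockdown,
# masquerading, forwarding, port forwards, then portsentry if present.
#######################################
main() {
  configure_system

  for PD in $PARANOID_DEV; do
    ARG_PARANOID_DEV=$PD
    lock_down_dev
  done
  for MN in $MASQ_NET; do
    ARG_MASQ_NET=$MN
    masq_network
  done
  for FN in $FORWARD_NET; do
    ARG_FWD_NET=$FN
    forward_network
  done
  for PF in $PORT_FORWARDS; do
    ARG_PORT_FORWARD=$PF
    do_port_forward
  done

  # Port sentry:
  if ! /sbin/pidof portsentry > /dev/null; then
    if [ -x /usr/local/psionic/portsentry/portsentry ]; then
      action "Starting portsentry watching tcp" \
        /usr/local/psionic/portsentry/portsentry -atcp
      action "Starting portsentry watching udp" \
        /usr/local/psionic/portsentry/portsentry -audp
    fi
  fi
}

main "$@"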