Alan Mead wrote: > Wow, I just sat down to ask this question! I want to run some services > that are accessible locally but which do not appear to be running from the > outside. I have a Linux 6.1 machine Masq'ing a small LAN on the @Home > network. "Servers" are forbidden on this network and they scan me 12 times > each day looking for illegitimate servers, only port 119 so far. I would > like to run news (I want to gate some mail lists to INN and look into > sucking a feed) and http. The local LAN is 192.168.0.x with .1 as the > gateway and I have a static IP for the second interface connected to the > cable modem. OK, take a look at the attached script. Install it in /etc/rc.d/init.d if you feel that it will do what you want it to do. I wrote it to make it easy for me to easily firewall some of my machines. All the configuration is done with a few environment variables at the head of the script, nothing below them should need editing, unless you want something specific changed. If you have questions, ask :) MSG
#!/bin/sh # # firewall Configures Linux firewall services # # # chkconfig: 2345 11 89 # description: Configure firewalling and ip forwarding using ipchains # Source functions . /etc/rc.d/init.d/functions # # <CONFIGURATION> # IPCHAINS="/sbin/ipchains" IPMASQADM="/usr/sbin/ipmasqadm" # # All of the following variables accept space separated lists of items # # SPOOF_PROTECTION can be set to a device name, or "ALL" SPOOF_PROTECTION_ON="ALL" # PARANOID_DEV and PARANOID_ADDR allow you to specify interfaces which should # be as closed as possible. These interfaces will have all ports under 1024 # closed, as well as 6000-6010. Under some situations, specifying a dev # doesn't work well, particularly on routers. In other cases, like web servers # with many addr's on a single interface, the dev is much simpler. In order to # use a port on a paranoid dev/addr, you must specifically open that port using # PARANOIA_ALLOWS_PORTS. PARANOIA_EXTRA_PORTS can be used to close specific # ports in addition to those normally closed (stuff like MySQL or NFS). PARANOID_DEV="eth1" # PARANOID_ADDR="232.123.123.123" PARANOIA_ALLOWS_PORTS="22" PARANOIA_EXTRA_PORTS="2049 3306" # Prove paranoia: REJECT'ed packets will be logged to syslog if set to TRUE LOG_DENIED="TRUE" # MASQ_NET allows you to specify hosts or networks that should be masqueraded. MASQ_NET="192.168.1.0/24" # FORWARD_NET allows you to specify networks whose IP traffic will be # forwarded/routed. ONLY networks listed here will be forwarded. # FORWARD_NET="192.168.10.0/24" # # This is a little weird, but I wanted to provide a simple way to # do it, so here's the best you get: # format: local_ip(local_port)-remote_ip(remote_port) # e.g.: 192.168.0.2(21)-192.168.1.5(21) # # PORT_FORWARDS="192.168.0.2(5155)-192.168.1.5(22)" # These rules allow you to specify additional rules for host based access # control. # To allow 232.123.123.6 to access all privliged ports, even on paranoid # devices, and deny all access to 232.123.123.3, use the following: #HOSTS_ALLOW="232.123.123.6()-192.168.0.2(:1024)" #HOSTS_DENY="232.123.123.3()-192.168.0.2()" # # </CONFIGURATION> # configure_system() { # Turn on Source Address Verification and get # spoof protection on all current and future interfaces. if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ] ; then if [ "$SPOOF_PROTECTION_ON" = "ALL" ]; then echo -n "Setting up IP spoofing protection..." for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > $f done echo "done" fi else echo "SPOOF PROTECTION NOT AVAILABLE ON THIS SYSTEM." fi if [ ! -f /proc/sys/net/ipv4/ip_forward ] ; then echo "/proc/sys/net/ipv4/ip_forward is missing --" \ "cannot control IP forwarding" >&2 return 1 fi if [ 1 != "`cat /proc/sys/net/ipv4/ip_forward`" ]; then echo "Routing has not been enabled." >&2 echo "Please set FORWARD_IPV4=\"yes\" in /etc/sysconfig/network" >&2 echo " or use your network configuration tool to enable ip forwarding." >&2 return 1 fi # # Flush the old rules, so that we don't duplicate them. # This is important if the rules have changed. # action "Flushing old firewalling rules" $IPCHAINS -F [ -x $IPMASQADM ] && \ action "Flushing forwarded ports" $IPMASQADM portfw -f # # Set the default for packet forwarding to REJECT. We only want to # forward packets for those in our own network. # action "Denying packet forwarding by default" \ $IPCHAINS -P forward REJECT #action "Extending default timouts for masqueraded IP connections" \ # $IPCHAINS -M -S 14400 0 0 # Load all available ip_masq modules. Red Hat 6.2's modutils package # (version 2.3.9-6) will not modprobe if the given argument has the # trailing ".o", so strip it off with sed. OLD_DIR="$PWD" cd /lib/modules/`uname -r`/ipv4/ ls ip_masq* | sed 's/.o$//' | while read masqmod ; do action "Loading masquerade module $masqmod " \ modprobe "$masqmod" done cd "$OLD_DIR" } lock_down_dev() { LOG="" if [ "$LOG_DENIED" = "TRUE" ]; then LOG=" -l " fi action "Disallowing incoming connections on $ARG_PARANOID_DEV" \ ipchains -A input -i "$ARG_PARANOID_DEV" -y \ -p TCP --destination-port :1023 -j REJECT $LOG ipchains -A input -i "$ARG_PARANOID_DEV" \ -p UDP --destination-port :1023 -j REJECT $LOG ipchains -A input -i "$ARG_PARANOID_DEV" -y \ -p TCP --destination-port 6000:6010 -j REJECT $LOG ipchains -A input -i "$ARG_PARANOID_DEV" \ -p UDP --destination-port 6000:6010 -j REJECT $LOG [ -n "$PARANOIA_EXTRA_PORTS" ] && for PORTS in $PARANOIA_EXTRA_PORTS; do action " including extra port $PORTS" \ ipchains -A input -i "$ARG_PARANOID_DEV" -y \ -p TCP --destination-port "$PORTS" -j REJECT $LOG ipchains -A input -i "$ARG_PARANOID_DEV" \ -p UDP --destination-port "$PORTS" -j REJECT $LOG done [ -n "$PARANOIA_ALLOWS_PORTS" ] && for PORTS in $PARANOIA_ALLOWS_PORTS; do action " except for port $PORTS" \ ipchains -I input 1 -i "$ARG_PARANOID_DEV" -y \ -p TCP --destination-port "$PORTS" -j ACCEPT ipchains -I input 1 -i "$ARG_PARANOID_DEV" \ -p UDP --destination-port "$PORTS" -j ACCEPT done [ -e /proc/sys/net/ipv4/conf/all/rp_filter ] && for DEV in "$SPOOF_PROTECTION_ON"; do [ "$DEV" = "$ARG_PARANOID_DEV" ] && action "Setting up IP spoofing protection on $ARG_PARANOID_DEV" \ echo 1 > /proc/sys/net/ipv4/conf/"$ARG_PARANOID_DEV"/rp_filter done } lock_down_addr() { LOG="" if [ "$LOG_DENIED" = "TRUE" ]; then LOG=" -l " fi action "Disallowing incoming connections on $ARG_PARANOID_ADDR" \ ipchains -A input -d "$ARG_PARANOID_ADDR" -y \ -p TCP --destination-port :1023 -j REJECT $LOG ipchains -A input -d "$ARG_PARANOID_ADDR" \ -p UDP --destination-port :1023 -j REJECT $LOG ipchains -A input -d "$ARG_PARANOID_ADDR" -y \ -p TCP --destination-port 6000:6010 -j REJECT $LOG ipchains -A input -d "$ARG_PARANOID_ADDR" \ -p UDP --destination-port 6000:6010 -j REJECT $LOG [ -n "$PARANOIA_EXTRA_PORTS" ] && for PORTS in $PARANOIA_EXTRA_PORTS; do action " including extra port $PORTS" \ ipchains -A input -d "$ARG_PARANOID_ADDR" -y \ -p TCP --destination-port "$PORTS" -j REJECT $LOG ipchains -A input -d "$ARG_PARANOID_ADDR" \ -p UDP --destination-port "$PORTS" -j REJECT $LOG done [ -n "$PARANOIA_ALLOWS_PORTS" ] && for PORTS in $PARANOIA_ALLOWS_PORTS; do action " except for port $PORTS" \ ipchains -I input 1 -d "$ARG_PARANOID_ADDR" -y \ -p TCP --destination-port "$PORTS" -j ACCEPT ipchains -I input 1 -d "$ARG_PARANOID_ADDR" \ -p UDP --destination-port "$PORTS" -j ACCEPT done [ -e /proc/sys/net/ipv4/conf/all/rp_filter ] && for DEV in "$SPOOF_PROTECTION_ON"; do [ "$DEV" = "$ARG_PARANOID_ADDR" ] && action "Setting up IP spoofing protection on $ARG_PARANOID_ADDR" \ echo 1 > /proc/sys/net/ipv4/conf/"$ARG_PARANOID_ADDR"/rp_filter done } do_hosts_deny() { for DENY in $HOSTS_DENY; do LOCAL_DENY=`echo $DENY | cut -f2 -d-` REMOTE_DENY=`echo $DENY | cut -f1 -d-` LOCAL_IP=`echo $LOCAL_DENY | sed "s/(.*)//g"` LOCAL_PORT=`echo $LOCAL_DENY | sed "s/.*(\|)//g"` REMOTE_IP=`echo $REMOTE_DENY | sed "s/(.*)//g"` REMOTE_PORT=`echo $REMOTE_DENY | sed "s/.*(\|)//g"` action " removing access from $REMOTE_IP $REMOTE_PORT to $LOCAL_IP $LOCAL_PORT" \ ipchains -I input 1 -i "$ARG_PARANOID_DEV" -y \ -p TCP -s $REMOTE_IP $REMOTE_PORT -d $LOCAL_IP $LOCAL_PORT -j REJECT $LOG ipchains -I input 1 -i "$ARG_PARANOID_DEV" \ -p UDP -s $REMOTE_IP $REMOTE_PORT -d $LOCAL_IP $LOCAL_PORT -j REJECT $LOG done } do_hosts_allow() { for ALLOW in $HOSTS_ALLOW; do LOCAL_ALLOW=`echo $ALLOW | cut -f2 -d-` REMOTE_ALLOW=`echo $ALLOW | cut -f1 -d-` LOCAL_IP=`echo $LOCAL_ALLOW | sed "s/(.*)//g"` LOCAL_PORT=`echo $LOCAL_ALLOW | sed "s/.*(\|)//g"` REMOTE_IP=`echo $REMOTE_ALLOW | sed "s/(.*)//g"` REMOTE_PORT=`echo $REMOTE_ALLOW | sed "s/.*(\|)//g"` action " allowing $REMOTE_IP $REMOTE_PORT to access $LOCAL_IP $LOCAL_PORT" \ ipchains -I input 1 -i "$ARG_PARANOID_DEV" -y \ -p TCP -s $REMOTE_IP $REMOTE_PORT -d $LOCAL_IP $LOCAL_PORT -j ACCEPT ipchains -I input 1 -i "$ARG_PARANOID_DEV" \ -p UDP -s $REMOTE_IP $REMOTE_PORT -d $LOCAL_IP $LOCAL_PORT -j ACCEPT done } masq_network() { action "Activating masquerading for network $ARG_MASQ_NET" \ $IPCHAINS -A forward -s $ARG_MASQ_NET -d 0/0 -j MASQ } forward_network() { action "Allowing network $ARG_FWD_NET to be forwarded" \ $IPCHAINS -A forward -b -s $ARG_FWD_NET -d 0/0 -j ACCEPT } do_port_forward() { [ ! -x $IPMASQADM ] && { echo "Please install ipmasqadm for port forwarding" >&2 return 1 } LOCAL_F=`echo $ARG_PORT_FORWARD | cut -f1 -d-` REMOTE_F=`echo $ARG_PORT_FORWARD | cut -f2 -d-` LOCAL_IP=`echo $LOCAL_F | sed "s/(.*)//g"` LOCAL_PORT=`echo $LOCAL_F | sed "s/.*(\|)//g"` REMOTE_IP=`echo $REMOTE_F | sed "s/(.*)//g"` REMOTE_PORT=`echo $REMOTE_F | sed "s/.*(\|)//g"` action "Forwarding $LOCAL_F to $REMOTE_F" \ $IPMASQADM portfw -a -P tcp \ -L "$LOCAL_IP" "$LOCAL_PORT" -R "$REMOTE_IP" "$REMOTE_PORT" } #----------------------- case "$1" in start) configure_system [ -n "$PARANOID_DEV" ] && for PD in $PARANOID_DEV; do ARG_PARANOID_DEV="$PD" lock_down_dev done [ -n "$PARANOID_ADDR" ] && for PD in $PARANOID_ADDR; do ARG_PARANOID_ADDR="$PD" lock_down_addr done [ -n "$HOSTS_ALLOW" ] && do_hosts_allow [ -n "$HOSTS_DENY" ] && do_hosts_deny [ -n "$MASQ_NET" ] && for MN in $MASQ_NET; do ARG_MASQ_NET=$MN masq_network done [ -n "$FORWARD_NET" ] && for FN in $FORWARD_NET; do ARG_FWD_NET=$FN forward_network done [ -n "$PORT_FORWARDS" ] && for PF in $PORT_FORWARDS ; do ARG_PORT_FORWARD=$PF do_port_forward done ;; stop) action "Flushing old firewalling rules" $IPCHAINS -F ;; status) echo "Current firewalling rules are:" ; $IPCHAINS -L ;; restart) $0 stop $0 start ;; *) echo "Usage: firewall {start|stop|restart|status}" exit 1 esac # Port sentry: #if ( ! /sbin/pidof portsentry > /dev/null ); then # # if [ -x /usr/local/psionic/portsentry/portsentry ]; then # action "Starting portsentry watching tcp" \ # /usr/local/psionic/portsentry/portsentry -atcp # action "Starting portsentry watching udp" \ # /usr/local/psionic/portsentry/portsentry -audp # fi # #fi