Firewall for a dial-up modem
I have modified the file at the link below to suit Mandrake (Mdk) 10.1.
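http://www.linuxquestions.org/questi...irewall+simple
Steps (all as root):
1) Go into the Mandrake firewall configuration tool and set it to NO firewall, so it does not fight with this script.
2) Rename /etc/rc.d/rc.local to a name with an -old suffix.
3) Copy and paste the text below into a text editor and save it as /etc/rc.d/rc.local, owned by root with permissions rwx r-x r-x (0755). This assumes you are a home-based dial-up user.
4) Reboot before testing, please.
I have tested it at www.auditmypc.com and www.grc.com; the quick test at www.pcflank.com now hangs, and I get no response to pings.
######copy starts here
#!/bin/sh
#
# /etc/rc.d/rc.local for Mandrakelinux 10.1 on a single dial-up host.
# This script is executed *after* all the other init scripts, as root, with
# no arguments.  You can put your own initialization stuff in here if you
# don't want to do the full Sys V style init stuff.
#
# Part 1 (stock Mandrake rc.local): rewrite /etc/issue and /etc/issue.net
#   according to the msec SECURE_LEVEL.
# Part 2 (Ben Birnbaum / aus9): kernel network hardening and iptables rules.
#
# Side effects: overwrites /etc/issue and /etc/issue.net, writes /proc/sys
# settings, replaces every rule in the iptables filter table and flushes the
# nat table.  There is no IPv6 handling here at all.

[ -f /etc/sysconfig/system ] && . /etc/sysconfig/system
[ -f /etc/sysconfig/msec ] && . /etc/sysconfig/msec
# Fall back to msec level 3 when nothing above set it.
[ -z "$SECURE_LEVEL" ] && SECURE_LEVEL=3
[ -f /etc/sysconfig/init ] && . /etc/sysconfig/init

# Below level 4 the console banner is rewritten; below level 3 the network
# banner (issue.net, shown to remote logins) is rewritten too.
if [ "$SECURE_LEVEL" -lt 4 ]; then
  [ -z "$REWRITEISSUE" ] && REWRITEISSUE=rewrite
  if [ "$SECURE_LEVEL" -lt 3 ]; then
    [ -z "$REWRITEISSUENET" ] && REWRITEISSUENET=rewrite
  fi
fi
SYSTEM=${SYSTEM=Mandrakelinux}

# Source functions (this is where gprintf comes from).
. /etc/init.d/functions

if [ "$REWRITEISSUE" = "rewrite" ] && [ -f /etc/mandrake-release ]; then
  R=$(cat /etc/mandrake-release)
  arch=$(uname -m)
  # Pick the article for the banner: "an i686", "an alpha", "a x86_64", ...
  a="a"
  case "_$arch" in
    _a*) a="an";;
    _i*) a="an";;
  esac
  NUMPROC=$(grep -E -c "^cpu[0-9]+" /proc/stat)
  if [ "$NUMPROC" -gt 1 ]; then
    SMP="$NUMPROC-processor "
    [ "$NUMPROC" = "2" ] && SMP="Dual-processor "
    # "an 8-processor" / "an 11-processor", otherwise "a N-processor".
    if [ "$NUMPROC" = "8" ] || [ "$NUMPROC" = "11" ]; then
      a="an"
    else
      a="a"
    fi
  fi
  # This will overwrite /etc/issue at every boot. So, make any changes you
  # want to make to /etc/issue here or you will lose them when you reboot.
  if [ -x /usr/bin/linux_logo ]; then
    /usr/bin/linux_logo -n -f | sed -e 's|\\|\\\\|g' > /etc/issue
    echo "" >> /etc/issue
  else
    > /etc/issue
  fi
  echo "$R" >> /etc/issue
  echo "Kernel $(uname -r) on $a $SMP$(uname -m) / \l" >> /etc/issue
  if [ "$REWRITEISSUENET" = "rewrite" ]; then
    # NOTE(review): ${HOST} is not set in this file; it is presumably
    # provided by one of the sourced sysconfig files -- confirm.
    echo "Welcome to ${HOST}" > /etc/issue.net
    echo "$R" >> /etc/issue.net
    echo "Kernel $(uname -r) on $a $SMP$(uname -m)" >> /etc/issue.net
  else
    NAME="$SYSTEM"
    gprintf "Welcome to %s\n" "$NAME" > /etc/issue.net
    echo "-------------------------" >> /etc/issue.net
  fi
else
  # msec supplies the banners: level-specific file first, then the generic
  # one, otherwise remove the banner entirely.
  if [ -f /etc/security/msec/issue.$SECURE_LEVEL ]; then
    cat /etc/security/msec/issue.$SECURE_LEVEL > /etc/issue
  elif [ -f /etc/security/msec/issue ]; then
    cat /etc/security/msec/issue > /etc/issue
  else
    rm -f /etc/issue
  fi
  if [ -f /etc/security/msec/issue.net.$SECURE_LEVEL ]; then
    cat /etc/security/msec/issue.net.$SECURE_LEVEL > /etc/issue.net
  elif [ -f /etc/security/msec/issue.net ]; then
    cat /etc/security/msec/issue.net > /etc/issue.net
  else
    rm -f /etc/issue.net
  fi
fi
touch /var/lock/subsys/local

#IPTABLES Firewall script - created by Ben Birnbaum and modified for
# Mdk by aus9
# "--dport" is the same as "--destination-port"
# PROOF READ TIPS
# -F is hyphen capital F and means flush (empty) a chain
# -P is hyphen capital P and means set the default policy of a chain
# -X is hyphen capital X and means delete a user-defined chain; with no
#    chain named it deletes all (empty) user-defined chains
# -j ACCEPT is hyphen lowercase j and capital ACCEPT and means this rule
#    is a winner: accept the packet and don't look at any more rules
#
# Set to the location of the iptables executable; "Z" is a code to save
# typing "iptables".
Z="/sbin/iptables"
# This file is run by init as root, so only root needs to read or execute
# it -- ordinary users do not need the execute bit.  What matters is that it
# is owned by root and NOT writable by group or others: anyone who can edit
# this file runs commands as root at the next boot.  root rwx, group r-x,
# others r-x (0755) or plain 0700 are both fine.

##### Kernel network settings #####
# IP forwarding: this is a single dial-up host, not a router, so routing
# between interfaces stays OFF.  (An earlier version enabled it under a
# "spoofing protection" heading; forwarding is not spoofing protection, and
# turning it on makes the box willing to relay other people's packets.)
echo 0 > /proc/sys/net/ipv4/ip_forward
sysctl -w net.ipv4.tcp_max_syn_backlog=256
sysctl -w net.ipv4.tcp_syn_retries=5
# SYN cookies are the kernel's real defence against SYN floods; the
# "syn-flood" chain below only throttles and logs.
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.route.mtu_expires=512
sysctl -w net.ipv4.tcp_keepalive_time=7600
# No more replys to pings next line
sysctl -w net.ipv4.icmp_echo_ignore_all=1
sysctl -w net.ipv4.tcp_fin_timeout=360
sysctl -w net.ipv4.tcp_rfc1337=1
####echo 8176 > /proc/sys/net/ipv4/ip_conntrack_max
echo 0 > /proc/sys/net/ipv4/ip_no_pmtu_disc
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# Spoofing protection (reverse-path filter) and ICMP redirects.  Set for
# "all" AND for "default": on a dial-up box ppp0 does not exist yet at boot,
# and an interface created later takes its values from conf/default.
# Whether conf/all overrides or is combined with the per-interface value
# differs per setting and kernel version, so set both to be safe.
for d in all default; do
  echo 1 > /proc/sys/net/ipv4/conf/$d/rp_filter
  echo 0 > /proc/sys/net/ipv4/conf/$d/accept_redirects
  echo 0 > /proc/sys/net/ipv4/conf/$d/send_redirects
done
# TTL of 128 makes the box look like a Windows host to fingerprinting; cosmetic.
echo 128 > /proc/sys/net/ipv4/ip_default_ttl
echo 262144 > /proc/sys/net/core/rmem_default
echo 262144 > /proc/sys/net/core/rmem_max
echo 262144 > /proc/sys/net/core/wmem_default
echo 262144 > /proc/sys/net/core/wmem_max

echo -n "Loading Firewall Rules....."

#Set default policies
# Start from a clean slate: flush and delete every chain in filter and nat.
$Z -F
$Z -X
$Z -F -t nat
$Z -X -t nat
# Inbound is dropped unless a rule below accepts it.  Nothing is forwarded
# (forwarding is also off in the kernel above, this is belt and braces).
# Traffic originating on this host is allowed out.
$Z -P INPUT DROP
$Z -P FORWARD DROP
$Z -P OUTPUT ACCEPT

#Set-up the "firewall-chain" rules: log (rate limited) then drop.
$Z -N firewall
$Z -A firewall -m limit --limit 20/minute -j LOG --log-level info --log-prefix "FIREWALL: "
$Z -A firewall -j DROP

#Stuff to stop SYN Floods
# Throttles ALL new inbound TCP connections to 1/s with a burst of 10 before
# logging and dropping.  Harmless while no service is accepted below, but it
# will also hit legitimate clients of any port you open later.
$Z -N syn-flood
$Z -A syn-flood -m limit --limit 1/s --limit-burst 10 -j RETURN
$Z -A syn-flood -j LOG --log-level info --log-prefix "FIREWALL: SYN Flood Stopped: "
$Z -A syn-flood -j DROP
$Z -A INPUT -p tcp --syn -j syn-flood

#State matching stuff - to accept related and established connections.
# This also lets in ICMP errors that belong to a connection we started.
$Z -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

#ICMP Stuff - informational / error types accepted even when unsolicited.
$Z -A INPUT -p icmp --icmp-type address-mask-reply -j ACCEPT
$Z -A INPUT -p icmp --icmp-type required-option-missing -j ACCEPT
$Z -A INPUT -p icmp --icmp-type parameter-problem -j ACCEPT
$Z -A INPUT -p icmp --icmp-type ip-header-bad -j ACCEPT
$Z -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
$Z -A INPUT -p icmp --icmp-type TOS-host-unreachable -j ACCEPT
$Z -A INPUT -p icmp --icmp-type source-route-failed -j ACCEPT
$Z -A INPUT -p icmp --icmp-type network-unknown -j ACCEPT
# Uncomment the next two lines if you want to answer pings again (you must
# also set icmp_echo_ignore_all=0 above).
# $Z -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
# $Z -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/second -j ACCEPT

# Allow loopback traffic.
$Z -A INPUT -i lo -j ACCEPT
$Z -A OUTPUT -o lo -j ACCEPT

#Some deny stuff that we dont want to log
# NetBIOS name/datagram service and DHCP chatter: dropped silently so the
# log is not flooded with background noise.
$Z -A INPUT -p udp --dport 137 -j DROP
$Z -A INPUT -p udp --dport 138 -j DROP
$Z -A INPUT -p udp --dport 67 -j DROP
$Z -A INPUT -p udp --dport 68 -j DROP

#Send everything else to the firewall chain - DENY it and LOG it.
# (Non-SYN TCP that is not part of a tracked connection falls through to
# the INPUT DROP policy without being logged.)
$Z -A INPUT -p icmp -j firewall
$Z -A INPUT -p tcp --syn -j firewall
$Z -A INPUT -p udp -j firewall

echo "DONE"
########end of file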