
aus9 12-13-2004 07:11 AM

firewall for dial up modem
 
I have modified the file at the link below to suit Mdk 10.1
http://www.linuxquestions.org/questi...irewall+simple


Steps
1) With root powers, go into the firewall configuration and set it to NO firewall
2) rename /etc/rc.d/rc.local to a name with an -old suffix
3) copy and paste the text below into a text editor and save it as the /etc/rc.d/rc.local file you freed in step 2, with permissions rwx r-x r-x, assuming you are a home-based dial-up user.
4) reboot before testing, please

I have tested it at www.auditmypc.com
and www.grc.com
The quick test at www.pcflank.com now hangs, as there is no response to pings.

######copy starts here
#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.

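# Pull in the msec security level and the init-time settings; each file is
# optional. "." is used instead of "source" because this file runs under
# #!/bin/sh, where "source" is not guaranteed to exist.
[ -f /etc/sysconfig/system ] && . /etc/sysconfig/system
[ -f /etc/sysconfig/msec ] && . /etc/sysconfig/msec
# Fall back to msec level 3 when none of the files above set SECURE_LEVEL.
[ -z "$SECURE_LEVEL" ] && SECURE_LEVEL=3
[ -f /etc/sysconfig/init ] && . /etc/sysconfig/init
# Below level 4 the /etc/issue banner is regenerated at boot, below level 3
# /etc/issue.net as well -- unless a sourced file already chose otherwise.
if [ "$SECURE_LEVEL" -lt 4 ]; then
  [ -z "$REWRITEISSUE" ] && REWRITEISSUE=rewrite
  if [ "$SECURE_LEVEL" -lt 3 ]; then
    [ -z "$REWRITEISSUENET" ] && REWRITEISSUENET=rewrite
  fi
fi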

# Distribution name used in the issue.net banner; an inherited value wins,
# only an *unset* SYSTEM gets the default (set-but-empty is left alone).
: "${SYSTEM=Mandrakelinux}"

# Source the init helper functions (not guarded by a -f test like the
# sysconfig files above: a missing /etc/init.d/functions is a broken system).
. /etc/init.d/functions

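# Rewrite /etc/issue (and possibly /etc/issue.net) at every boot when msec
# asked for it via REWRITEISSUE and this really is a Mandrake box; otherwise
# install the static msec banners for the current SECURE_LEVEL.
if [ "$REWRITEISSUE" = "rewrite" ] && [ -f /etc/mandrake-release ]; then
  R=$(cat /etc/mandrake-release)

  # Article for "on a/an <arch>": names starting with a or i read as "an".
  arch=$(uname -m)
  a="a"
  case "_$arch" in
    _a*|_i*) a="an";;
  esac

  # Count CPUs: /proc/stat has one "cpuN" line per processor (the summary
  # "cpu" line carries no digit, so it is not counted).
  NUMPROC=$(grep -E -c "^cpu[0-9]+" /proc/stat)
  SMP=""
  if [ "$NUMPROC" -gt 1 ]; then
    SMP="$NUMPROC-processor "
    [ "$NUMPROC" = "2" ] && SMP="Dual-processor "
    # "an 8-processor" / "an 11-processor", "a 4-processor" otherwise.
    if [ "$NUMPROC" = "8" ] || [ "$NUMPROC" = "11" ]; then
      a="an"
    else
      a="a"
    fi
  fi

  # This will overwrite /etc/issue at every boot. So, make any changes you
  # want to make to /etc/issue here or you will lose them when you reboot.
  if [ -x /usr/bin/linux_logo ]; then
    # Double every backslash so getty does not read the logo art as escapes.
    /usr/bin/linux_logo -n -f | sed -e 's|\\|\\\\|g' > /etc/issue
    printf '\n' >> /etc/issue
  else
    : > /etc/issue
  fi
  # printf '%s\n' rather than echo: the release string is data, not options.
  printf '%s\n' "$R" >> /etc/issue
  # "\l" is written literally; getty expands it to the tty name.
  printf '%s\n' "Kernel $(uname -r) on $a $SMP$(uname -m) / \l" >> /etc/issue

  if [ "$REWRITEISSUENET" = "rewrite" ]; then
    # NOTE(review): HOST is not set anywhere in this file; presumably one of
    # the sourced sysconfig files or /etc/init.d/functions provides it --
    # confirm, otherwise the banner reads "Welcome to ".
    printf 'Welcome to %s\n' "${HOST}" > /etc/issue.net
    printf '%s\n' "$R" >> /etc/issue.net
    printf '%s\n' "Kernel $(uname -r) on $a $SMP$(uname -m)" >> /etc/issue.net
  else
    NAME="$SYSTEM"
    # gprintf: presumably the translating printf from /etc/init.d/functions.
    gprintf "Welcome to %s\n" "$NAME" > /etc/issue.net
    echo "-------------------------" >> /etc/issue.net
  fi
else
  # msec owns the banners: level-specific file first, then the generic one;
  # if neither exists remove any stale banner rather than keep it.
  if [ -f "/etc/security/msec/issue.$SECURE_LEVEL" ]; then
    cat "/etc/security/msec/issue.$SECURE_LEVEL" > /etc/issue
  elif [ -f /etc/security/msec/issue ]; then
    cat /etc/security/msec/issue > /etc/issue
  else
    rm -f /etc/issue
  fi
  if [ -f "/etc/security/msec/issue.net.$SECURE_LEVEL" ]; then
    cat "/etc/security/msec/issue.net.$SECURE_LEVEL" > /etc/issue.net
  elif [ -f /etc/security/msec/issue.net ]; then
    cat /etc/security/msec/issue.net > /etc/issue.net
  else
    rm -f /etc/issue.net
  fi
fi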

# Subsystem lock marker for the init scripts (standard /var/lock/subsys
# convention: presumably lets the rc system treat "local" as started).
touch /var/lock/subsys/local

# IPTABLES firewall script - created by Ben Birnbaum and modified for Mdk by aus9.
# "--dport" is the same as "--destination-port".

# PROOF READ TIPS - the iptables flags used below:

#   -F  flush: remove every rule from the chain (or from all chains of the table)
#   -P  policy: the chain's default verdict for packets that no rule matched
#   -X  delete a user-defined chain; with no name, delete all (empty) user chains
#   -N  create a new user-defined chain
#   -A  append a rule to the end of a chain

#   -j <target> is what happens when the rule matches. ACCEPT and DROP end
#   rule evaluation for that packet ("this rule is a winner"); LOG only writes
#   a log line and evaluation continues; RETURN goes back to the calling chain.

# Z holds the location of the iptables executable, purely to save typing "iptables".
Z="/sbin/iptables"
# This text lives in /etc/rc.d/rc.local (see the steps at the top of the post),
# which the init system runs after the other rc scripts, so nothing else is
# needed to start it. It may also be started from the rc.inet scripts; either
# way is fine as long as it runs once at boot.
# If you copied this text into a new file it must be made executable. Ownership
# should be root so only root can overwrite it, while users only need execute
# permission: root rwx, group r-x, others r-x is fine for a home machine where
# you trust all users.

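# Kernel network settings. Only the rp_filter / redirect / bogus-ICMP lines
# are real anti-spoofing measures; the rest is TCP and socket tuning.
# NOTE(review): ip_forward=1 makes this host route packets between its
# interfaces. Nothing in this script needs that (there are no NAT or FORWARD
# rules), so 0 is the safer value on a single dial-up machine -- confirm
# before changing. The duplicate write of the same value further down was removed.
echo 1 > /proc/sys/net/ipv4/ip_forward
sysctl -w net.ipv4.tcp_max_syn_backlog=256
sysctl -w net.ipv4.tcp_syn_retries=5
sysctl -w net.ipv4.route.mtu_expires=512
sysctl -w net.ipv4.tcp_keepalive_time=7600
# Ignore every ICMP echo request: the box no longer answers pings at all
# (this is presumably why the pcflank quick test mentioned above hangs).
sysctl -w net.ipv4.icmp_echo_ignore_all=1
sysctl -w net.ipv4.tcp_fin_timeout=360
# RFC 1337 protection against TIME-WAIT assassination.
sysctl -w net.ipv4.tcp_rfc1337=1
####echo 8176 > /proc/sys/net/ipv4/ip_conntrack_max
# 0 = keep path-MTU discovery enabled.
echo 0 > /proc/sys/net/ipv4/ip_no_pmtu_disc
# Do not answer broadcast pings; ignore malformed ICMP error replies.
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# Reverse-path filtering: discard packets whose source address is not
# routable back through the interface they arrived on (the real spoofing protection).
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
# Neither honour nor emit ICMP redirects, which could alter our routes.
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
# Default TTL for packets we originate (128 rather than the Linux default of 64).
echo 128 > /proc/sys/net/ipv4/ip_default_ttl
# Socket receive/send buffer defaults and maxima (bytes).
echo 262144 > /proc/sys/net/core/rmem_default
echo 262144 > /proc/sys/net/core/rmem_max
echo 262144 > /proc/sys/net/core/wmem_default
echo 262144 > /proc/sys/net/core/wmem_max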


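printf '%s' "Loading Firewall Rules....."

# Default policies. INPUT is set to DROP *before* the flush so that a reload
# never leaves an empty chain that still ACCEPTs everything. FORWARD is DROP
# as well: ip_forward is switched on earlier in this file, but a single
# dial-up host has nothing to route and no NAT rules follow. OUTPUT is left
# untouched (kernel default ACCEPT): whatever this machine originates may leave.
$Z -P INPUT DROP
$Z -P FORWARD DROP
$Z -F
$Z -X
$Z -F -t nat

# "firewall" chain: log (rate-limited so a flood cannot fill the log) then drop.
$Z -N firewall
$Z -A firewall -m limit --limit 20/minute -j LOG --log-level info --log-prefix "FIREWALL: "
$Z -A firewall -j DROP

# "syn-flood" chain: at most 1 new SYN per second (burst of 10) RETURNs to
# INPUT for normal processing; the excess is logged and dropped. Every
# incoming SYN passes through here first.
$Z -N syn-flood
$Z -A syn-flood -m limit --limit 1/s --limit-burst 10 -j RETURN
$Z -A syn-flood -j LOG --log-level info --log-prefix "FIREWALL: SYN Flood Stopped: "
$Z -A syn-flood -j DROP
$Z -A INPUT -p tcp --syn -j syn-flood

# Replies to connections this host opened, and ICMP related to them, are accepted.
$Z -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Unsolicited ICMP we still want: error and parameter reports. Echo (ping)
# stays disabled here -- the sysctl block above already ignores echo requests,
# and replies to our own pings should arrive as ESTABLISHED via the state rule.
$Z -A INPUT -p icmp --icmp-type address-mask-reply -j ACCEPT
$Z -A INPUT -p icmp --icmp-type required-option-missing -j ACCEPT
$Z -A INPUT -p icmp --icmp-type parameter-problem -j ACCEPT
$Z -A INPUT -p icmp --icmp-type ip-header-bad -j ACCEPT
$Z -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
$Z -A INPUT -p icmp --icmp-type TOS-host-unreachable -j ACCEPT
$Z -A INPUT -p icmp --icmp-type source-route-failed -j ACCEPT
$Z -A INPUT -p icmp --icmp-type network-unknown -j ACCEPT
# $Z -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
# $Z -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/second -j ACCEPT

# Allow loopback traffic.
$Z -A INPUT -i lo -j ACCEPT
$Z -A OUTPUT -o lo -j ACCEPT

# Chatty broadcast traffic (NetBIOS name/datagram service on 137/138,
# BOOTP/DHCP on 67/68) is dropped silently so it does not fill the log.
$Z -A INPUT -p udp --dport 137 -j DROP
$Z -A INPUT -p udp --dport 138 -j DROP
$Z -A INPUT -p udp --dport 67 -j DROP
$Z -A INPUT -p udp --dport 68 -j DROP

# Everything else that is new goes to the firewall chain: logged, then dropped.
# TCP that is neither a SYN nor part of a known connection never reaches these
# rules and falls through to the INPUT DROP policy without a log entry.
$Z -A INPUT -p icmp -j firewall
$Z -A INPUT -p tcp --syn -j firewall
$Z -A INPUT -p udp -j firewall

printf '%s\n' "DONE"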

########end of file

