Old 12-13-2004, 08:11 AM   #1
aus9
Guru
 
Registered: Oct 2003
Posts: 5,060

Rep: Reputation: Disabled
firewall for dial up modem


I have modified the file linked below to suit Mdk 10.1:
http://www.linuxquestions.org/questi...irewall+simple


Steps
1) With root powers, go into the firewall config and set it to NO firewall.
2) Rename /etc/rc.d/rc.local to a name with an -old suffix.
3) Copy and paste the text below into a text editor and save it as the etc file with permissions rwx r-x r-x, assuming you are a home-based dial-up user.
4) Reboot before testing, please.

I have tested it at www.auditmypc.com
and www.grc.com.
The quick test at www.pcflank.com now hangs: I have no response to pings.

######copy starts here
#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.

[ -f /etc/sysconfig/system ] && source /etc/sysconfig/system
[ -f /etc/sysconfig/msec ] && source /etc/sysconfig/msec
[ -z "$SECURE_LEVEL" ] && SECURE_LEVEL=3
[ -f /etc/sysconfig/init ] && source /etc/sysconfig/init
if [ $SECURE_LEVEL -lt 4 ]; then
    [ -z "$REWRITEISSUE" ] && REWRITEISSUE=rewrite
    if [ $SECURE_LEVEL -lt 3 ]; then
        [ -z "$REWRITEISSUENET" ] && REWRITEISSUENET=rewrite
    fi
fi

SYSTEM=${SYSTEM=Mandrakelinux}

# Source functions
. /etc/init.d/functions

if [ "$REWRITEISSUE" = "rewrite" -a -f /etc/mandrake-release ]; then
    R=$(cat /etc/mandrake-release)

    # Pick the article ("a"/"an") for the architecture name in /etc/issue
    arch=$(uname -m)
    a="a"
    case "_$arch" in
        _a*) a="an";;
        _i*) a="an";;
    esac

    NUMPROC=`egrep -c "^cpu[0-9]+" /proc/stat`
    if [ "$NUMPROC" -gt "1" ]; then
        SMP="$NUMPROC-processor "
        [ "$NUMPROC" = "2" ] && \
            SMP="Dual-processor "
        if [ "$NUMPROC" = "8" -o "$NUMPROC" = "11" ]; then
            a="an"
        else
            a="a"
        fi
    fi

    # This will overwrite /etc/issue at every boot. So, make any changes you
    # want to make to /etc/issue here or you will lose them when you reboot.

    if [ -x /usr/bin/linux_logo ]; then
        /usr/bin/linux_logo -n -f | sed -e 's|\\|\\\\|g' > /etc/issue
        echo "" >> /etc/issue
    else
        > /etc/issue
    fi
    echo "$R" >> /etc/issue
    echo "Kernel $(uname -r) on $a $SMP$(uname -m) / \l" >> /etc/issue

    if [ "$REWRITEISSUENET" = "rewrite" ]; then
        # In case HOST was not set by the files sourced above, fall back to hostname
        [ -z "$HOST" ] && HOST=$(hostname)
        echo "Welcome to ${HOST}" > /etc/issue.net
        echo "$R" >> /etc/issue.net
        echo "Kernel $(uname -r) on $a $SMP$(uname -m)" >> /etc/issue.net
    else
        NAME="$SYSTEM"
        gprintf "Welcome to %s\n" "$NAME" > /etc/issue.net
        echo "-------------------------" >> /etc/issue.net
    fi
else
    if [ -f /etc/security/msec/issue.$SECURE_LEVEL ]; then
        cat /etc/security/msec/issue.$SECURE_LEVEL > /etc/issue
    elif [ -f /etc/security/msec/issue ]; then
        cat /etc/security/msec/issue > /etc/issue
    else
        rm -f /etc/issue
    fi
    if [ -f /etc/security/msec/issue.net.$SECURE_LEVEL ]; then
        cat /etc/security/msec/issue.net.$SECURE_LEVEL > /etc/issue.net
    elif [ -f /etc/security/msec/issue.net ]; then
        cat /etc/security/msec/issue.net > /etc/issue.net
    else
        rm -f /etc/issue.net
    fi
fi

touch /var/lock/subsys/local

# IPTABLES firewall script - created by Ben Birnbaum and modified for
# Mdk by aus9
# "--dport" is the same as "--destination-port"

# PROOF READ TIPS

# -F is hyphen capital F and means flush (empty) the chains
# -P is hyphen capital P and means set the policy (what happens to a
# packet that no rule matched)
# -X is hyphen capital X and means delete a user-defined chain named
# whatever; if nothing is specified then the X deletes all empty
# user-defined chains

# -j ACCEPT is hyphen lowercase j and capital ACCEPT and
# means this rule is a winner and don't look for any more rules:
# accept it and hope for the best

# Set to the location of the iptables executable; "Z" is shorthand to save typing "iptables"
Z="/sbin/iptables"
# You are likely to need a script to start this script, the one you are reading:
# edit your /etc/rc.d/(or rc.4 etc)/rc.local and copy this to your local script.
# Of course it may be started by rc.inet scripts but who cares as long as it goes.
# If you copied this text to a text file, you will need to make it executable and
# owned by root (so only root can overwrite it), but users need execute permissions,
# so root rwx, group r-x, others r-x could be ok if you are a normal home where you
# trust all users.

# Kernel network settings: spoofing protection, ICMP and TCP tuning
# ip_forward=1 turns this host into a router between its interfaces; that is
# not spoofing protection and a standalone dial-up host does not need it.
echo 0 > /proc/sys/net/ipv4/ip_forward
sysctl -w net.ipv4.tcp_max_syn_backlog=256
sysctl -w net.ipv4.tcp_syn_retries=5
sysctl -w net.ipv4.route.mtu_expires=512
sysctl -w net.ipv4.tcp_keepalive_time=7600
# No more replies to pings on the next line
sysctl -w net.ipv4.icmp_echo_ignore_all=1
sysctl -w net.ipv4.tcp_fin_timeout=360
sysctl -w net.ipv4.tcp_rfc1337=1
####echo 8176 > /proc/sys/net/ipv4/ip_conntrack_max
echo 0 > /proc/sys/net/ipv4/ip_no_pmtu_disc
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# rp_filter drops packets whose source address could not have arrived on that interface
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
echo 128 > /proc/sys/net/ipv4/ip_default_ttl
echo 262144 > /proc/sys/net/core/rmem_default
echo 262144 > /proc/sys/net/core/rmem_max
echo 262144 > /proc/sys/net/core/wmem_default
echo 262144 > /proc/sys/net/core/wmem_max


echo -n "Loading Firewall Rules....."

# Flush everything and set default policies: drop all unsolicited incoming
# traffic (and anything that would be forwarded); OUTPUT stays ACCEPT so
# this host can dial out and browse.
$Z -F
$Z -X
$Z -F -t nat
$Z -P INPUT DROP
$Z -P FORWARD DROP

# Allow loopback traffic first, so local services never hit the rate limits below.
$Z -A INPUT -i lo -j ACCEPT
$Z -A OUTPUT -o lo -j ACCEPT

# Set up the "firewall" chain: log (at most 20 lines a minute) and drop
$Z -N firewall
$Z -A firewall -m limit --limit 20/minute -j LOG --log-level info --log-prefix "FIREWALL: "
$Z -A firewall -j DROP


# Stuff to stop SYN floods: new connections above 1/s (burst of 10) are logged and dropped
$Z -N syn-flood
$Z -A syn-flood -m limit --limit 1/s --limit-burst 10 -j RETURN
$Z -A syn-flood -j LOG --log-level info --log-prefix "FIREWALL: SYN Flood Stopped: "
$Z -A syn-flood -j DROP
$Z -A INPUT -p tcp --syn -j syn-flood


# State matching stuff - accept packets belonging to connections this host started.
$Z -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# ICMP stuff - only the error/diagnostic types; echo is handled by the sysctl above
$Z -A INPUT -p icmp --icmp-type address-mask-reply -j ACCEPT
$Z -A INPUT -p icmp --icmp-type required-option-missing -j ACCEPT
$Z -A INPUT -p icmp --icmp-type parameter-problem -j ACCEPT
$Z -A INPUT -p icmp --icmp-type ip-header-bad -j ACCEPT
$Z -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
$Z -A INPUT -p icmp --icmp-type TOS-host-unreachable -j ACCEPT
$Z -A INPUT -p icmp --icmp-type source-route-failed -j ACCEPT
$Z -A INPUT -p icmp --icmp-type network-unknown -j ACCEPT
# $Z -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
# $Z -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/second -j ACCEPT

# Some deny stuff that we don't want to log (NetBIOS name/datagram and DHCP noise)
$Z -A INPUT -p udp --dport 137 -j DROP
$Z -A INPUT -p udp --dport 138 -j DROP
$Z -A INPUT -p udp --dport 67 -j DROP
$Z -A INPUT -p udp --dport 68 -j DROP

# Send everything else to the firewall chain - DROP it and LOG it.
$Z -A INPUT -p icmp -j firewall
$Z -A INPUT -p tcp --syn -j firewall
$Z -A INPUT -p udp -j firewall

echo "DONE"

########end of file
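Reading the dropped-packet log that the "FIREWALL: " and "FIREWALL: SYN Flood Stopped: " rules above produce, as an added example that is not part of aus9's post: the kernel log lines are constructed samples in the format the iptables LOG target writes, and the function names are mine.

```shell
#!/bin/sh
# Added example, not part of the original post: summarise what the
# "FIREWALL: " log rules in the script above are dropping.  The log lines
# are constructed samples in the iptables LOG target format; on a real
# box the input would be /var/log/messages or dmesg.

# Constructed sample: three SSH probes from one host, one UDP probe, and
# one burst caught by the syn-flood chain (which uses the longer prefix).
SAMPLE_LOG=$(cat <<'EOF'
Dec 13 08:11:02 mdk kernel: FIREWALL: IN=ppp0 OUT= SRC=203.0.113.5 DST=192.0.2.77 LEN=48 TTL=113 ID=51966 DF PROTO=TCP SPT=4623 DPT=22 WINDOW=16384 RES=0x00 SYN URGP=0
Dec 13 08:11:09 mdk kernel: FIREWALL: IN=ppp0 OUT= SRC=203.0.113.5 DST=192.0.2.77 LEN=48 TTL=113 ID=51971 DF PROTO=TCP SPT=4630 DPT=22 WINDOW=16384 RES=0x00 SYN URGP=0
Dec 13 08:11:15 mdk kernel: FIREWALL: IN=ppp0 OUT= SRC=198.51.100.7 DST=192.0.2.77 LEN=62 TTL=52 ID=7 PROTO=UDP SPT=1026 DPT=1026 LEN=42
Dec 13 08:11:20 mdk kernel: FIREWALL: SYN Flood Stopped: IN=ppp0 OUT= SRC=198.51.100.200 DST=192.0.2.77 LEN=40 TTL=64 ID=3 PROTO=TCP SPT=40000 DPT=80 SYN URGP=0
Dec 13 08:11:31 mdk kernel: FIREWALL: IN=ppp0 OUT= SRC=203.0.113.5 DST=192.0.2.77 LEN=48 TTL=113 ID=51990 DF PROTO=TCP SPT=4641 DPT=22 WINDOW=16384 RES=0x00 SYN URGP=0
EOF
)

# Reads kernel log text on stdin and prints one line per distinct
# (rule, protocol, destination port, source), most frequent first:
#   COUNT RULE PROTO DPT SRC      e.g.  3 drop TCP 22 203.0.113.5
# RULE is "synflood" for hits on the syn-flood chain and "drop" for the
# generic firewall chain (told apart by the log prefix).
summarise_firewall_log() {
    grep 'FIREWALL: ' | awk '
    {
        src = proto = dpt = "-"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/)   src   = substr($i, 5)
            if ($i ~ /^PROTO=/) proto = substr($i, 7)
            if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
        }
        rule = ($0 ~ /SYN Flood Stopped/) ? "synflood" : "drop"
        count[rule " " proto " " dpt " " src]++
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

# The single noisiest (source, port) pair, e.g. to decide whether it
# deserves an un-logged DROP like the NetBIOS/DHCP rules in the script.
top_offender() {
    summarise_firewall_log | head -n 1
}

printf '%s\n' "$SAMPLE_LOG" | summarise_firewall_log
```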