LinuxQuestions.org > Slackware > Simple firewall script. pls help
https://www.linuxquestions.org/questions/slackware-14/simple-firewall-script-pls-help-147424/

Wags 02-17-2004 09:59 PM

Simple firewall script. pls help
 
Hi,

I've been having a bit of trouble getting my firewall to work correctly. I was wondering if anyone had a script I could use.

What I'm looking for is a script which has a simple masquerade statement to share my connection ppp0 from my linux box 192.168.1.1 to my windows 192.168.1.2 on eth0 with all the usual stuff and leave port 22 open for ssh. Here's what I've got; any suggestions? It comes up with errors when I add it to rc.M.

I did the chmod a+x for execution
Thx guys


Code:

#!/bin/sh

echo Firewall Starting...

#set TCP/IP stack options

#Enable forwarding, otherwise the box cannot share ppp0 with the LAN at all
echo 1 > /proc/sys/net/ipv4/ip_forward

#Disabling IP Spoofing attacks (1 = strict reverse path check)
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter

#Don't respond to broadcast pings (Smurf-Amplifier-Protection)
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

#Block source routing
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

#Kill timestamps
echo 0 > /proc/sys/net/ipv4/tcp_timestamps

#Enable SYN Cookies
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

#Kill redirects
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

#Enable bad error message protection
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

#Log martians (packets with impossible addresses)
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians


#Flush all chains
/sbin/iptables -F
/sbin/iptables -Z
/sbin/iptables -t nat -F POSTROUTING
/sbin/iptables -t nat -F PREROUTING


#Set default policies
/sbin/iptables -P INPUT ACCEPT
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -P FORWARD ACCEPT

#Loopback must be allowed, or local services break once the final DROP is in place
/sbin/iptables -A INPUT -i lo -j ACCEPT

#Accept any connections from lan
#(192.168.1.0/16 was not a valid network; the LAN is the /24, and only on eth0
# so a spoofed 192.168.1.x source arriving on ppp0 is not accepted)
/sbin/iptables -A INPUT -i eth0 -s 192.168.1.0/24 -j ACCEPT

#ICMP
#/sbin/iptables -A INPUT -p icmp -j ACCEPT

#SSH (the option is --dport with two dashes; "-dport" is what made iptables error out)
/sbin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT

#allow packets from established connections in
/sbin/iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
/sbin/iptables -A INPUT -i ppp0 -p tcp --dport 1024:65535 -m state --state RELATED -j ACCEPT
/sbin/iptables -A INPUT -i ppp0 -p udp --dport 1024:65535 -m state --state RELATED -j ACCEPT

#drop any other attempted connections
/sbin/iptables -A INPUT -j LOG --log-prefix "DROPPED PACKET "
/sbin/iptables -A INPUT -j DROP

#masquerade for lan
#(-i is not allowed in POSTROUTING; match the LAN by source address instead)
/sbin/iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j MASQUERADE

echo Firewall Started
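
Added example, not code from the thread or from either poster: a small script that emits the ruleset Wags asked for (masquerade ppp0 for the LAN on eth0, keep port 22 reachable, drop and log the rest) in iptables-restore format, so the whole set can be parse-checked with `iptables-restore --test` before it is wired into rc.M. The interface names and LAN prefix are assumptions passed in as arguments.

```shell
#!/bin/sh
# Added example, not code from the thread: build the ruleset the OP described
# (masquerade ppp0 for the LAN on eth0, keep port 22 open) in iptables-restore
# format so it can be parse-checked with "iptables-restore --test" before
# it goes into rc.M. Interface names and LAN prefix are assumed arguments.

gen_ruleset() {
  ext="$1"   # internet-facing interface, e.g. ppp0
  int="$2"   # LAN interface, e.g. eth0
  lan="$3"   # LAN prefix, e.g. 192.168.1.0/24 (note: not /16)
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s $lan -o $ext -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $int -s $lan -j ACCEPT
-A INPUT -i $ext -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -j LOG --log-prefix "DROPPED PACKET "
-A INPUT -j DROP
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $int -o $ext -s $lan -j ACCEPT
-A FORWARD -j DROP
COMMIT
EOF
}

# Number of -A rules the generated set would load; handy as a sanity check.
rule_count() {
  gen_ruleset "$@" | grep -c '^-A'
}

# "sh rc.firewall.gen check [ext] [int] [lan]" parse-checks the ruleset
# without touching the live tables (needs root and iptables-restore).
case "${1:-}" in
  check)
    gen_ruleset "${2:-ppp0}" "${3:-eth0}" "${4:-192.168.1.0/24}" \
      | iptables-restore --test && echo "ruleset parses cleanly"
    ;;
esac
```

Once the test passes, the same output piped into `iptables-restore` without `--test` loads all rules atomically, so a typo in one line no longer leaves the box half-configured.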

subekk0 02-17-2004 10:12 PM

Sure! Here's one. Enjoy
 
http://www.ntlab.net/linux/public/rc.firewall

you will need guarddog as well:
http://www.simonzone.com/software/guarddog/

If it is too much.... sorry.

benjithegreat98 02-17-2004 10:19 PM

Here's an rc.firewall that I made....
I didn't leave port 22 open. I forward it to my linux box and then I can ssh from there to my router if I need to. Hope it helps!

Code:

#!/bin/bash
#
# stops and start the firewall definitions

firewall_start() {
  echo "Starting Firewall..."

  # forwarding must be on for the MASQUERADE/DNAT rules below to do anything
  echo 1 > /proc/sys/net/ipv4/ip_forward
  echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
  echo 1 > /proc/sys/net/ipv4/conf/eth0/rp_filter

  EXTERNAL=eth0
  INTERNAL=eth1

  iptables -P INPUT DROP
  iptables -P OUTPUT ACCEPT
  iptables -P FORWARD ACCEPT

  iptables -A INPUT -i lo -p all -j ACCEPT
  iptables -A OUTPUT -o lo -p all -j ACCEPT

  # "! -i" is the supported form; "-i !" is the old deprecated placement
  iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A FORWARD -m state --state NEW ! -i $EXTERNAL -j ACCEPT
  # anti-spoofing: RFC 1918 sources must never arrive on the external side
  # (176.16.0.0/12 was a typo for the private range 172.16.0.0/12)
  iptables -A FORWARD -s 10.0.0.0/8 -i $EXTERNAL -j REJECT
  iptables -A FORWARD -s 172.16.0.0/12 -i $EXTERNAL -j REJECT
  iptables -A FORWARD -s 192.168.0.0/16 -i $EXTERNAL -j REJECT
  # internal hosts (same 172.16 correction as above)
  iptables -A FORWARD -p tcp -d 172.16.1.2 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
  iptables -A FORWARD -p tcp -d 172.16.1.3 -s 216.76.29.66 --dport 5900 -m state --state NEW,ESTABLISHED -j ACCEPT
#  iptables -A FORWARD -p tcp -d 172.16.1.2 -s 149.149.0.0/16 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
#  iptables -A FORWARD -p tcp -d 172.16.1.2 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
  iptables -A FORWARD -j REJECT

  iptables -t nat -A POSTROUTING -o $EXTERNAL -j MASQUERADE
  iptables -t nat -A PREROUTING -i $EXTERNAL -p tcp --dport 5900 -j DNAT --to-destination 172.16.1.3
  iptables -t nat -A PREROUTING -i $EXTERNAL -p tcp --dport 22 -j DNAT --to-destination 172.16.1.2
#  iptables -t nat -A PREROUTING -i $EXTERNAL -p tcp --dport 21 -j DNAT --to-destination 172.16.1.2
#  iptables -t nat -A PREROUTING -i $EXTERNAL -p tcp --dport 80 -j DNAT --to-destination 172.16.1.2

  iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A INPUT -m state --state NEW ! -i $EXTERNAL -j ACCEPT
  iptables -A INPUT -i $INTERNAL -j ACCEPT
  iptables -A INPUT -j REJECT

  iptables -A OUTPUT -j ACCEPT
}

firewall_stop()  {
  echo "Disabling Firewall..."
  iptables -t filter --flush
  iptables -t filter --delete-chain
  iptables -t nat --flush
  iptables -t nat --delete-chain
  # reset the policies too: after a flush the INPUT DROP policy would
  # otherwise stay in force with no ACCEPT rules and lock the box out
  iptables -P INPUT ACCEPT
  iptables -P OUTPUT ACCEPT
  iptables -P FORWARD ACCEPT
  echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all
  echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
}

firewall_restart()  {
  firewall_stop
  sleep 1
  firewall_start
}

case "$1" in
'start')
  firewall_start
  ;;
'stop')
  firewall_stop
  ;;
'restart')
  firewall_restart
  ;;
*)
  echo "usage $0 start|stop|restart"
  exit 1
esac


Wags 02-17-2004 11:00 PM

Thx guys, I'll have a go at it.

Got a bit worried about the watchdog script but luckily there's a GUI.

flashingcurser 02-18-2004 03:24 PM

Go to this site and walk through the prompts. Cut and paste into a newly created /etc/rc.d/rc.firewall.

Edit the line that has the location of iptables; it will default to /usr/local/sbin, and we Slackware people need to change that to /usr/sbin.

The firewall will be excellently commented, so custom editing is extremely easy.

Then type from the CLI: /usr/rc.d/rc.firewall start

Voila--15 min tops


Happy slacking

:)

Wags 02-18-2004 04:13 PM

Thx, you guys have been helpful. Got it all running like a charm. :)))


All times are GMT -5.