LinuxQuestions.org > Linux - Networking
03-23-2003, 05:21 AM | #1
Member
Registered: Apr 2002
Distribution: Gentoo 2006.0 AMD64
Posts: 399
Could you look over my firewall script please...
This is my firewall script so far:
Code:
iptables="/usr/sbin/iptables"
# This is the external interface
EXT_IF="ppp0"
# External address (not used by the rules below yet). The delimiter for the
# second cut has to be a quoted space: "cut -d\ -f1" hands cut the single
# argument "-d -f1", and cut rejects a multi-character delimiter.
EXT_IP=`/sbin/ifconfig $EXT_IF | grep inet | cut -d: -f2 | cut -d' ' -f1`
# This is the internal interface
INT_IF="eth0"
INT_NET="192.168.0.0/24"
# Set default policy
$iptables -P INPUT DROP
$iptables -P FORWARD DROP
$iptables -P OUTPUT ACCEPT
# Flush every chain this script appends to, so re-running it does not
# leave duplicate rules behind (nat and mangle tables included).
$iptables -F INPUT
$iptables -F FORWARD
$iptables -t nat -F POSTROUTING
$iptables -t mangle -F OUTPUT
# Loopback and the internal LAN are trusted; without these two lines the
# INPUT DROP policy also cuts off local services and the LAN.
$iptables -A INPUT -i lo -j ACCEPT
$iptables -A INPUT -i $INT_IF -s $INT_NET -j ACCEPT
# We should never see these private addresses coming in from outside
# to our external interface. (IP Spoofing)
$iptables -A INPUT -i $EXT_IF -s 10.0.0.0/8 -j DROP
$iptables -A INPUT -i $EXT_IF -s 172.16.0.0/12 -j DROP
$iptables -A INPUT -i $EXT_IF -s 192.168.0.0/16 -j DROP
$iptables -A INPUT -i $EXT_IF -s 127.0.0.0/8 -j DROP
$iptables -A INPUT -i $EXT_IF -s 169.254.0.0/16 -j DROP
$iptables -A INPUT -i $EXT_IF -s 224.0.0.0/4 -j DROP
$iptables -A INPUT -i $EXT_IF -s 240.0.0.0/5 -j DROP
# Bogus routing
$iptables -A INPUT -s 255.255.255.255 -d 0/0 -j DROP
# Allow established or related connections through, drop the rest.
# --state needs the state match loaded with "-m state", and the state
# list must not contain spaces ("NEW, INVALID" is two arguments).
$iptables -A INPUT -i $EXT_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A INPUT -i $EXT_IF -m state --state NEW,INVALID -j DROP
# --tcp-flags takes two lists: the flags to examine, then the ones that
# must be set among them. This drops bare SYNs (SYN set, ACK and FIN
# clear), i.e. new inbound TCP connections, on the external interface.
$iptables -A INPUT -i $EXT_IF -p tcp --tcp-flags SYN,ACK,FIN SYN -j DROP
$iptables --table mangle --append OUTPUT --proto tcp --jump TOS --set-tos Minimize-Delay
# LOG everything else; the INPUT policy set above then DROPs it.
# Rate-limit the logging so a flood cannot fill the disk.
$iptables -A INPUT -i $EXT_IF -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "netfilter: "
# Setup Masquerading and let the LAN out through the external interface
# (replies come back as ESTABLISHED,RELATED). FORWARD is DROP by policy,
# so without these two rules masquerading never sees a packet.
$iptables -A FORWARD -i $INT_IF -o $EXT_IF -s $INT_NET -j ACCEPT
$iptables -A FORWARD -i $EXT_IF -o $INT_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -t nat -A POSTROUTING -o $EXT_IF -j MASQUERADE
echo 1 >/proc/sys/net/ipv4/ip_forward
That's it so far... I've written this in Windows with Notepad... well, mostly taken pieces from other scripts (geez, it'd be good if I could write something like that on my own).
The problem is... I've tried transferring this to my Linux box and running it, but I don't think Notepad saves it in absolute plain text or something... it just gives me errors, but when I view it in vim it doesn't have any extra characters...
(I remember a while ago when I wrote something in Notepad and transferred it across, I viewed it in vi and it had some extra characters at the end of each line... but I can't find them this time; maybe it has something to do with vim?)
All ideas or suggestions are welcome.
03-23-2003, 05:52 AM | #2
Member
Registered: Mar 2003
Location: Switzerland
Distribution: Fedora 3
Posts: 75
You can use fromdos.
Code:
fromdos < mydostxtfile.txt > unixtextfile.txt
in your case:
Code:
fromdos rc.firewall
# converts the file in place; "fromdos < rc.firewall > rc.firewall" would
# truncate rc.firewall before fromdos reads it, leaving an empty file
fromdos is included in most Unix distros, else search for unix2dos
HTH
mandeltuete
03-23-2003, 06:31 AM | #3
Member
Registered: Apr 2002
Distribution: Gentoo 2006.0 AMD64
Posts: 399
Original Poster
The netserver is a Debian distro...
It doesn't have either of those that you suggested, and I tried apt-get install for them both, but it couldn't find them...
03-23-2003, 08:39 PM | #4
Moderator
Registered: May 2001
Posts: 29,415
Open the script in vi, type (all w/o quotes) ":%s/<ctrl-v><enter>//g" to replace. Now type ":wq" or ":zz" to save.
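An added example, not code from mandeltuete, unSpawn or the original poster, that does what the two replies above describe (find and strip the carriage returns Notepad leaves at the end of every line) without the `fromdos < rc.firewall > rc.firewall` form, which empties the file because the shell truncates the output file before the command reads a byte. Everything is POSIX sh; the file names and contents are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread: find and strip DOS line endings from a
# shell script, and show why "cmd < f > f" loses the file. File names and
# contents are constructed for the demonstration.

# Print how many lines of FILE end in a carriage return; prints 0 for none.
count_crlf() {
    cr=$(printf '\r')                      # a literal carriage-return character
    n=$(grep -c "$cr"'$' "$1" 2>/dev/null || true)
    printf '%s\n' "${n:-0}"
}

# Convert FILE to Unix line endings in place. The output goes to a temporary
# file that is renamed over the original, so the original is never opened for
# writing while it is still being read.
strip_crlf() {
    tmp="$1.unix.$$"
    tr -d '\r' < "$1" > "$tmp" && mv "$tmp" "$1"
}

# The pitfall: redirections are set up left to right, so "> f" truncates f
# right after "< f" opened it and before the command reads anything.
# Prints the size of the file afterwards, which is 0.
truncation_demo() {
    d=$(mktemp -d)
    printf 'iptables -P INPUT DROP\r\n' > "$d/rc.firewall"
    tr -d '\r' < "$d/rc.firewall" > "$d/rc.firewall"
    size=$(wc -c < "$d/rc.firewall" | tr -d ' ')
    rm -rf "$d"
    printf '%s\n' "$size"
}
```

To inspect a file by hand, `od -c rc.firewall | head` shows the `\r \n` pairs. vim hides them when it detects a DOS-format file (it reports `[dos]` in the status line on opening), which is why they were not visible in the first post even though the script fails under sh.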
03-24-2003, 06:23 AM | #5
Member
Registered: Apr 2002
Distribution: Gentoo 2006.0 AMD64
Posts: 399
Original Poster
OK, I'll give that a shot, unSpawn...
Btw, how does the script look to you? Anything you'd like to add?
03-24-2003, 08:14 AM | #6
Moderator
Registered: May 2001
Posts: 29,415
I'd add this to the DROP target
# Baaaahhhd flags
iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
# Muchos fragmentos
iptables -A INPUT -i eth0 -f -j DROP
# Note if you're running this as a shellscript, there's a function
# "synchain" for later when you want to run services. To activate it
# just add a line (where appropriate) with the word "synchain" on it.
synchain() { # SYN stuff, have separate chaintarget
iptables -N SYN
iptables -A INPUT -i eth0 -p tcp --syn -j SYN
iptables -A SYN -m limit --limit 1/s --limit-burst 4 -j RETURN
iptables -A SYN -j DROP ; }
# Open up necessary ICMP stuph
iptables -A INPUT -i eth0 -p icmp --icmp-type parameter-problem -j ACCEPT
iptables -A INPUT -i eth0 -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A INPUT -i eth0 -p icmp --icmp-type TOS-host-unreachable -j ACCEPT
iptables -A INPUT -i eth0 -p icmp --icmp-type network-unknown -j ACCEPT
iptables -A INPUT -i eth0 -p icmp --icmp-type echo-reply -j ACCEPT
# but also do some limiting
# (a rule with no -j target only counts packets; the ACCEPT is what lets the
# limited echo-requests in, the INPUT DROP policy takes care of the excess)
iptables -A INPUT -i eth0 -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 1 -j ACCEPT
just to be sure.
I don't have to remind you I'm no Iptables guru.
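As an added example that is neither unSpawn's nor the original poster's code: a small POSIX sh model of how netfilter evaluates `--tcp-flags MASK COMP`. A packet matches when its flags ANDed with MASK equal COMP, so every flag named in MASK is examined, the ones in COMP must be set, the rest of MASK must be clear, and flags outside MASK are ignored. It walks constructed packets through the five bad-flags rules posted above and also shows what the first post's `--tcp-flags SYN, ACK, FIN, SYN` line was reaching for (iptables wants two comma-separated lists with no spaces, the mask and then the flags that must be set). The function names are mine.

```shell
#!/bin/sh
# Added example, not from the thread: a POSIX sh model of how netfilter
# evaluates "--tcp-flags MASK COMP". A packet matches when
# (packet_flags AND MASK) == COMP. Function names are mine; the packets fed
# in by the caller are constructed test inputs.

# Bit value of one flag name as iptables spells it (ALL and NONE included).
flag_bit() {
    case "$1" in
        FIN) echo 1 ;;  SYN) echo 2 ;;  RST) echo 4 ;;
        PSH) echo 8 ;;  ACK) echo 16 ;; URG) echo 32 ;;
        ALL) echo 63 ;; NONE) echo 0 ;;
        *) echo "bad TCP flag '$1' (the list takes no spaces)" >&2; return 1 ;;
    esac
}

# Turn a comma-separated list such as "SYN,ACK" into an integer bit set.
flags_to_int() {
    total=0
    saved_ifs=$IFS
    IFS=,
    for name in $1; do
        bit=$(flag_bit "$name") || { IFS=$saved_ifs; return 1; }
        total=$((total | bit))
    done
    IFS=$saved_ifs
    echo "$total"
}

# Does a packet carrying flags PKT match "--tcp-flags MASK COMP"?
tcp_flags_match() {
    mask=$(flags_to_int "$1") || return 2
    comp=$(flags_to_int "$2") || return 2
    pkt=$(flags_to_int "$3") || return 2
    [ $((pkt & mask)) -eq "$comp" ]
}

# Walk a packet through the five "bad flags" rules posted above, in order.
# Prints "DROP MASK COMP" for the first rule that matches, else "PASS".
classify_flags() {
    pkt_flags=$1
    for rule in "ALL FIN,URG,PSH" "ALL SYN,RST,ACK,FIN,URG" \
                "SYN,RST SYN,RST" "SYN,FIN SYN,FIN" "ALL NONE"; do
        set -- $rule
        if tcp_flags_match "$1" "$2" "$pkt_flags"; then
            echo "DROP $1 $2"
            return 0
        fi
    done
    echo PASS
}

# What the first post's line was trying to say: "--tcp-flags SYN,ACK,FIN SYN",
# a bare SYN (new connection) regardless of flags outside the mask (PSH, URG,
# RST), which the match never looks at.
is_bare_syn() {
    tcp_flags_match SYN,ACK,FIN SYN "$1"
}
```

The ordering matters the same way it does in the real INPUT chain: a packet is judged by the first rule it matches, which is why `ALL NONE` (a NULL scan) and `ALL FIN,URG,PSH` (an Xmas scan) drop while a legitimate `FIN,PSH,URG,ACK` segment passes, since with `ALL` as the mask the comparison has to match exactly.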
03-25-2003, 11:20 AM | #7
Senior Member
Registered: Feb 2003
Location: The Arctic
Distribution: Fedora, Debian, OpenSuSE and Android
Posts: 1,820
Nice rules, unSpawn, but shouldn't they be directed at ppp0, the external interface, instead of eth0, the internal? Just curious...
03-25-2003, 07:18 PM | #8
Moderator
Registered: May 2001
Posts: 29,415
Yeah, you're absolutely right, Pcghost.
03-26-2003, 04:33 AM | #9
Member
Registered: Apr 2002
Distribution: Gentoo 2006.0 AMD64
Posts: 399
Original Poster
lol, I can't understand one bit of that script of yours, unSpawn... hehe
I've decided to change my network topology a little and have an OpenBSD box as the firewall... I'll start a new thread for this one, as I have a few other questions to ask.
All times are GMT -5.