LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices


Reply
  Search this Thread
Old 03-23-2003, 05:21 AM   #1
Grim Reaper
Member
 
Registered: Apr 2002
Distribution: Gentoo 2006.0 AMD64
Posts: 399

Rep: Reputation: 30
Could you look over my firewall script please...


This is my firewall script so far:
Code:
iptables="/usr/sbin/iptables"


# This is the external interface
EXT_IF="ppp0"
EXT_IP=`/sbin/ifconfig $EXT_IF | grep inet | cut -d: -f2 | cut -d\  -f1`


# This is the internal interface
INT_IF="eth0"
INT_NET="192.168.0.0/24"


# Set default policy
$iptables -P INPUT DROP
$iptables -P FORWARD DROP
$iptables -P OUTPUT ACCEPT



# Flush Input Tables.
$iptables -F INPUT


# We should never see these private addresses coming in from outside
# to our external interface. (IP Spoofing)
$iptables -A INPUT -i $EXT_IF -s 10.0.0.0/8      -j DROP
$iptables -A INPUT -i $EXT_IF -s 172.16.0.0/12   -j DROP
$iptables -A INPUT -i $EXT_IF -s 192.168.0.0/16  -j DROP
$iptables -A INPUT -i $EXT_IF -s 127.0.0.0/8     -j DROP
$iptables -A INPUT -i $EXT_IF -s 169.254.0.0/16  -j DROP
$iptables -A INPUT -i $EXT_IF -s 224.0.0.0/4     -j DROP
$iptables -A INPUT -i $EXT_IF -s 240.0.0.0/5     -j DROP
# Bogus routing
$iptables -A INPUT -s 255.255.255.255 -d 0/0 -j DROP


#Allow Established or related connections through, drop the rest.
$iptables -A INPUT -i $EXT_IF --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A INPUT -m state --state NEW, INVALID -i ppp0 -j DROP
$iptables -A INPUT -p tcp --tcp-flags SYN, ACK, FIN, SYN -j DROP



$iptables --table mangle --append OUTPUT --proto tcp --jump TOS --set-tos Minimize-Delay


#  LOG and DENY everything else
$iptables -A INPUT -i $EXT_IF -j LOG --log-prefix "netfilter: "


#Setup Masquerading
$iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE


echo 1 >/proc/sys/net/ipv4/ip_forward
That's it so far...I've written this in Windows with notepad...well, mostly taken pieces from other scripts (geez it'd be good if i could write something like that on my own )

The problem is...I've tried transferring this to my linux box and running it, but i don't think notepad saves it in absolute plain text or something...it just gives me errors, but when i view it in vim it doesn't have any extra characters....
(i remember a while ago when i wrote something in notepad and transferred it across, i viewed it in VI and it had some extra characters at the end of each line...but i can't find them this time, maybe it has something to do with vim?)


All idea's or suggestions are welcome
 
Old 03-23-2003, 05:52 AM   #2
mandeltuete
Member
 
Registered: Mar 2003
Location: Switzerland
Distribution: Fedora 3
Posts: 75

Rep: Reputation: 15
You can use fromdos.
Code:
fromdos < mydostxtfile.txt > unixtextfile.txt
in your case:
Code:
fromdos < rc.firewall > rc.firewall
fromdos is included in most unix distros, else search for unix2dos


HTH
mandeltuete
 
Old 03-23-2003, 06:31 AM   #3
Grim Reaper
Member
 
Registered: Apr 2002
Distribution: Gentoo 2006.0 AMD64
Posts: 399

Original Poster
Rep: Reputation: 30
The netserver is a Debian distro...

It doesn't have either of those that you suggested and i tried apt-get install for them both but it couldn't find em...
 
Old 03-23-2003, 08:39 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600
Open the script in vi, type (all w/o quotes) ":%s/<ctrl-v><enter>//g" to replace. Now type ":wq" or ":zz" to save.
 
Old 03-24-2003, 06:23 AM   #5
Grim Reaper
Member
 
Registered: Apr 2002
Distribution: Gentoo 2006.0 AMD64
Posts: 399

Original Poster
Rep: Reputation: 30
Ok I'll give that a shot unSpawn...

Btw, how does the script look to you? Anything you'd like to add?
 
Old 03-24-2003, 08:14 AM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600
I'd add this to the DROP target
# Baaaahhhd flags
iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
# Muchos fragmentos
iptables -A INPUT -i eth0 -f -j DROP
# Note if you're running this as a shellscript, there's a function

# "synchain" for later when you want to run services. To activate it

# just add a line (where appropriate) with the word "synchain" on it.
synchain() { # SYN stuff, have separate chaintarget
iptables -N SYN
iptables -A INPUT -i eth0 -p tcp --syn -j SYN
iptables -A SYN -m limit --limit 1/s --limit-burst 4 -j RETURN
iptables -A SYN -j DROP ; }
# Open up necessary ICMP stuph
iptables -A INPUT -i eth0 -p icmp --icmp-type parameter-problem -j ACCEPT
iptables -A INPUT -i eth0 -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A INPUT -i eth0 -p icmp --icmp-type TOS-host-unreachable -j ACCEPT
iptables -A INPUT -i eth0 -p icmp --icmp-type network-unknown -j ACCEPT
iptables -A INPUT -i eth0 -p icmp --icmp-type echo-reply -j ACCEPT
# but also do some limiting
iptables -A INPUT -i eth0 -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 1
just to be sure.

I don't have to remind you I'm no Iptables guru.
 
Old 03-25-2003, 11:20 AM   #7
Pcghost
Senior Member
 
Registered: Feb 2003
Location: The Arctic
Distribution: Fedora, Debian, OpenSuSE and Android
Posts: 1,820

Rep: Reputation: 46
Nice rules Unspawn, but shouldn't they be directed at ppp0, the external interface, instead of eth0, the internal? Just curious..
 
Old 03-25-2003, 07:18 PM   #8
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600
Yeah, you're absolutely right Pcghost.
 
Old 03-26-2003, 04:33 AM   #9
Grim Reaper
Member
 
Registered: Apr 2002
Distribution: Gentoo 2006.0 AMD64
Posts: 399

Original Poster
Rep: Reputation: 30
lol, i can't understand one bit of that script of yours unSpawn...hehe

I've decided to change my network topology a little, and have a firewall as OpenBSD...I'll start a new thread for this one as i have a few other different questions to ask
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Firewall script simcox1 Linux - Security 7 11-13-2005 01:08 PM
Where should this firewall script be placed? wardialer Linux - Security 84 02-14-2005 08:06 PM
slackware's /etc/rc.d/rc.firewall equivalent ||| firewall script startup win32sux Debian 1 03-06-2004 10:15 PM
Firewall script help!!!! cirkut5732 Linux - Newbie 8 04-17-2003 07:09 PM
Firewall script help jfall Linux - Networking 6 10-23-2002 04:46 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Networking

All times are GMT -5. The time now is 05:44 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration