LinuxQuestions.org
Old 02-17-2004, 09:59 PM   #1
Wags
LQ Newbie
 
Registered: Aug 2003
Location: Australia mate
Distribution: Slackware 9.1
Posts: 23

Rep: Reputation: 15
Simple firewall script. pls help


Hi,

I've been having a bit of trouble getting my firewall to work correctly. I was wondering if anyone had a script I could use.

What I'm looking for is a script which has a simple masq statement to share my connection ppp0 from my linux box 192.168.1.1 to my windows 192.168.1.2 on eth0 with all the usual stuff and leave port 22 open for ssh. Here's what I've got, any suggestions? It comes up with errors when I add it to rc.M.

I did the chmod a+x for execution.
Thx guys


Code:
#!/bin/sh

echo Firewall Starting...

#set TCP/IP stack options

#Enable forwarding between eth0 and ppp0 (without it the masquerade rule below never sees a packet)
echo 1 > /proc/sys/net/ipv4/ip_forward

#Disabling IP Spoofing attacks (1 = strict reverse-path check on every interface)
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter

#Don't respond to broadcast pings (Smurf-Amplifier-Protection)
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

#Block source routing
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

#Kill timestamps
echo 0 > /proc/sys/net/ipv4/tcp_timestamps

#Enable SYN Cookies
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

#Kill redirects
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

#Enable bad error message protection
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

#Log martians (packets with impossible addresses)
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians


#Flush all chains (filter table, then the whole nat table)
/sbin/iptables -F
/sbin/iptables -X
/sbin/iptables -Z
/sbin/iptables -t nat -F


#Set default policies
/sbin/iptables -P INPUT ACCEPT
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -P FORWARD ACCEPT

#Accept anything on loopback (local services talking to themselves)
/sbin/iptables -A INPUT -i lo -j ACCEPT

#Accept any connections from lan
#(192.168.1.0/24 is the LAN; /16 would also match every other 192.168.x.x address,
# and -i eth0 stops a packet with a forged LAN source arriving over ppp0 from matching)
/sbin/iptables -A INPUT -i eth0 -s 192.168.1.0/24 -j ACCEPT

#ICMP
#/sbin/iptables -A INPUT -p icmp -j ACCEPT

#SSH (long options take two dashes: --dport, not -dport, which is what iptables was complaining about)
/sbin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT

#allow packets from established connections in
/sbin/iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
/sbin/iptables -A INPUT -i ppp0 -p tcp --dport 1024:65535 -m state --state RELATED -j ACCEPT
/sbin/iptables -A INPUT -i ppp0 -p udp --dport 1024:65535 -m state --state RELATED -j ACCEPT

#drop any other attempted connections
/sbin/iptables -A INPUT -j LOG --log-prefix "DROPPED PACKET "
/sbin/iptables -A INPUT -j DROP

#masquerade for lan
#(-i is not valid in POSTROUTING, the packet has already been routed; match the LAN by source address)
/sbin/iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j MASQUERADE

echo Firewall Started
 
Old 02-17-2004, 10:12 PM   #2
subekk0
Member
 
Registered: Sep 2003
Location: Dallas, TX.
Distribution: Slacking since '94
Posts: 153

Rep: Reputation: 32
Sure! Here's one. Enjoy

http://www.ntlab.net/linux/public/rc.firewall

you will need guarddog as well:
http://www.simonzone.com/software/guarddog/

If it is too much.... sorry.
 
Old 02-17-2004, 10:19 PM   #3
benjithegreat98
Senior Member
 
Registered: Dec 2003
Location: Shelbyville, TN, USA
Distribution: Fedora Core, CentOS
Posts: 1,019

Rep: Reputation: 45
Here's an rc.firewall that I made....
I didn't leave port 22 open. I forward it to my linux box and then I can ssh from there to my router if I need to. Hope it helps!

Code:
#!/bin/bash
#
# stops and start the firewall definitions

EXTERNAL=eth0
INTERNAL=eth1

firewall_start() {
  echo "Starting Firewall..."

  # kernel options: ignore all pings, reverse-path check on the external side,
  # and turn on forwarding (without it the FORWARD and NAT rules never see a packet)
  echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
  echo 1 > /proc/sys/net/ipv4/conf/$EXTERNAL/rp_filter
  echo 1 > /proc/sys/net/ipv4/ip_forward

  iptables -P INPUT DROP
  iptables -P OUTPUT ACCEPT
  iptables -P FORWARD ACCEPT

  iptables -A INPUT -i lo -p all -j ACCEPT
  iptables -A OUTPUT -o lo -p all -j ACCEPT

  # forwarding: the inside may open connections outwards, replies come back,
  # and RFC 1918 sources arriving on the external interface are spoofed
  # (the private block is 172.16.0.0/12; the original post had the typo 176.16)
  iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A FORWARD -m state --state NEW ! -i $EXTERNAL -j ACCEPT
  iptables -A FORWARD -s 10.0.0.0/8 -i $EXTERNAL -j REJECT
  iptables -A FORWARD -s 172.16.0.0/12 -i $EXTERNAL -j REJECT
  iptables -A FORWARD -s 192.168.0.0/16 -i $EXTERNAL -j REJECT
  # port-forwarded services: ssh to 172.16.1.2, VNC to 172.16.1.3 from one fixed source only
  iptables -A FORWARD -p tcp -d 172.16.1.2 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
  iptables -A FORWARD -p tcp -d 172.16.1.3 -s 216.76.29.66 --dport 5900 -m state --state NEW,ESTABLISHED -j ACCEPT
#  iptables -A FORWARD -p tcp -d 172.16.1.2 -s 149.149.0.0/16 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
#  iptables -A FORWARD -p tcp -d 172.16.1.2 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
  iptables -A FORWARD -j REJECT

  iptables -t nat -A POSTROUTING -o $EXTERNAL -j MASQUERADE
  iptables -t nat -A PREROUTING -i $EXTERNAL -p tcp --dport 5900 -j DNAT --to-destination 172.16.1.3
  iptables -t nat -A PREROUTING -i $EXTERNAL -p tcp --dport 22 -j DNAT --to-destination 172.16.1.2
#  iptables -t nat -A PREROUTING -i $EXTERNAL -p tcp --dport 21 -j DNAT --to-destination 172.16.1.2
#  iptables -t nat -A PREROUTING -i $EXTERNAL -p tcp --dport 80 -j DNAT --to-destination 172.16.1.2

  # the box itself: replies, and anything that did not come in on the external side
  iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A INPUT -m state --state NEW ! -i $EXTERNAL -j ACCEPT
  iptables -A INPUT -i $INTERNAL -j ACCEPT
  iptables -A INPUT -j REJECT

  iptables -A OUTPUT -j ACCEPT
}

firewall_stop()  {
  echo "Disabling Firewall..."
  iptables -t filter --flush
  iptables -t filter --delete-chain
  iptables -t nat --flush
  iptables -t nat --delete-chain
  # flushing alone leaves the INPUT policy at DROP, so "stop" would block
  # everything; reset the policies so the box is open again
  iptables -P INPUT ACCEPT
  iptables -P FORWARD ACCEPT
  iptables -P OUTPUT ACCEPT
  echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all
  echo 0 > /proc/sys/net/ipv4/conf/$EXTERNAL/rp_filter
}

firewall_restart()  {
  firewall_stop
  sleep 1
  firewall_start
}

case "$1" in
'start')
  firewall_start
  ;;
'stop')
  firewall_stop
  ;;
'restart')
  firewall_restart
  ;;
*)
  echo "usage $0 start|stop|restart"
  exit 1
esac
 
Old 02-17-2004, 11:00 PM   #4
Wags
LQ Newbie
 
Registered: Aug 2003
Location: Australia mate
Distribution: Slackware 9.1
Posts: 23

Original Poster
Rep: Reputation: 15
Thx guys I'll have a go at it.

Got a bit worried about the watchdog script, but luckily enough there's a GUI.

Last edited by Wags; 02-17-2004 at 11:19 PM.
 
Old 02-18-2004, 03:24 PM   #5
flashingcurser
Member
 
Registered: Jan 2003
Distribution: many win/nix/mac
Posts: 259

Rep: Reputation: 32
Go to this site, walk through the prompts. Cut and paste into a newly created /etc/rc.d/rc.firewall

Edit the line that has the location of iptables; it will default to /usr/local/sbin, so we Slackware people need to change that to /usr/sbin

The firewall will be excellently commented, so custom editing is extremely easy.

Then type from cli /usr/rc.d/rc.firewall start

Voila, 15 min tops


Happy slacking

 
Old 02-18-2004, 04:13 PM   #6
Wags
LQ Newbie
 
Registered: Aug 2003
Location: Australia mate
Distribution: Slackware 9.1
Posts: 23

Original Poster
Rep: Reputation: 15
Thx, u guys have been helpful. Got it all running like a charm. ))
 