Linux Setup

  Home Page

Linux Notes 

Samba

ISDN

E-mail

Firewall

Firewall set up

Disclaimer

These are only sample firewall scripts. Test them to see if they do what you require. If you lock yourself, or your other users out of your system then at least you know they can work. There is no such thing as total security. These scripts should help to keep out most people, but the services running on open ports are still a way in. Applications must be fully patched and not have exploitable vulnerabilities. Some form of intrusion detection should be employed on important servers. If an experienced cracker is determined to get in then ....

Security is an on going process.

If you use an ISP that provides dynamic IP's then you will not know what IP numbers to plug into your firewall until your link comes up. No problems - put your firewall rules in /etc/ppp/ip-up.local which is passed the remote and local IP's as parameters and you are OK.

To clear the rules when the link goes down add the 'Flush all rules' lines to ip-down.local as well.

The principle behind these rules is to deny access to services that may be running on your server to any other system except those you specifically allow. For example: we use Demon Internet and they 'push' email out to port 25, so their email servers are allowed to connect to our port 25 (on which sendmail sits listening for emails) but no other host. Also - to browse using Netscape etc, you will attach to a remote sites' port 80, but you do not need to allow access to your port 80 for browsing, as the return information comes back to a non-specified port - above 1024.

The modules that need to be loaded to allow ftp etc with IP Masquerading are loaded at boot time by adding 'insmod ip_masq_ftp' to /etc/rc.d/rc.local.

To allow correct operation with dynamic IP's remember to add the line
'echo "1" > /proc/sys/net/ipv4/ip_dynaddr' to /etc/rc.d/rc.local as well.


For Linux kernel 2.4.xx you should use 'iptables'

For more details do 'man iptables' and read the Netfilter HOWTO.


For Linux kernel 2.2.xx you use 'ipchains'

For more details do 'man ipchains', and read /usr/doc/HOWTO/IPCHAINS-HOWTO.

> These rules can work with dynamic IP's by adjusting the commented lines at the top of the file and including these rules in /etc/ppp/ip-up.local.
By changing the Ext_Intrface line to ppp0 these rules will work with a normal modem
########## fwrules ##########
#!/bin/bash
#Local_IP=$4 - for use when called by /etc/ppp/ip-up.local
#Remote_IP=$5
Local_IP="xxx.xxx.xxx.xxx"
Ext_Intrface="ippp0"
Int_Nw="192.168.1.0/24"
All_Adr="0.0.0.0/0"
# -A Append a rule
# -P Policy
# -p protocol
# -i interface name
# -s source
# -d destination
# -l log
# -j jump to 'target' ie ACCEPT, REJECT, DENY etc or another rule
# Flush rules
/sbin/ipchains -F input
/sbin/ipchains -F forward
/sbin/ipchains -F output
# Avoid 'spoofing' - deny packets with a local IP coming in on Ext_Intrface
/sbin/ipchains -A input -i $Ext_Intrface -s $Int_Nw -d $All_Adr -l -j DENY
# Avoid 'spoofing' - deny packets with our Local_IP coming in on Ext-Intrface
/sbin/ipchains -A input -i $Ext_Intrface -s $Local_IP -d $All_Adr -l -j DENY
# Avoid 'spoofing' - deny packets with 0.0.0.0 coming in on Ext-Intrface
/sbin/ipchains -A input -i $Ext_Intrface -s 0.0.0.0 -d $All_Adr -l -j DENY
# Prevent 'smurf' attacks. /sbin/ipchains -A input -p icmp -i $Ext_Intrface -s $All_Adr -d 192.168.1.0 -l -j DENY
/sbin/ipchains -A input -p icmp -i $Ext_Intrface -s $All_Adr -d 192.168.1.255 -l -j DENY
# Accept connections to Port 25 - sendmail, only from Local_IP's and post.demon.co.uk
/sbin/ipchains -A input -p tcp -i eth0 -s $Int_Nw -d 192.168.1.5 25 -j ACCEPT
/sbin/ipchains -A input -p tcp -i $Ext_Intrface -s 194.217.242.0/24 -d $Local_IP 25 -j ACCEPT
# Deny connections to Port 25 from anywhere else
/sbin/ipchains -A input -p tcp -i $Ext_Intrface -s $All_Adr -d $Local_IP 25 -l -j DENY
# Deny telnet connections via Ext_Intrface to Port 23
/sbin/ipchains -A input -p tcp -i $Ext_Intrface -s $All_Adr -d $Local_IP 23 -l -j DENY
# Deny connections to Port numbers <1024 except those already allowed above
/sbin/ipchains -A input -p tcp -i $Ext_Intrface -s $All_Adr -d $Local_IP :1023 -j DENY
/sbin/ipchains -A input -p udp -i $Ext_Intrface -s $All_Adr -d $Local_IP :1023 -j DENY
# Deny connections to Port numbers 6000 to 6010 Xwindows ports
/sbin/ipchains -A input -p tcp -i $Ext_Intrface -s $All_Adr -d $Local_IP 6000:6010 -j DENY
/sbin/ipchains -A input -p udp -i $Ext_Intrface -s $All_Adr -d $Local_IP 6000:6010 -j DENY
# Filter out netbios data going out
/sbin/ipchains -A output -p tcp -i $Ext_Intrface -s $Int_Nw 137:139 -d $All_Adr -j DENY
/sbin/ipchains -A output -p udp -i $Ext_Intrface -s $Int_Nw 137:138 -d $All_Adr -j DENY
# Masquerading - set timeouts and enable Masquerading
/sbin/ipchains -M -S 7200 10 60
/sbin/ipchains -A forward -i $Ext_Intrface -s $Int_Nw -d $All_Adr -j MASQ
/sbin/ipchains -A forward -s $All_Adr -d $All_Adr -j REJECT
# Turn on Source Address Verification - only works with kernel 2.2.x etc
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter

########## end of fwrules ##########

For Linux kernel 2.0.xx you need 'ipfwadm'

For more details do 'man ipfwadm', and read /usr/doc/HOWTO/mini/IP-Masquerade.

########## ip-up.local ##########
#!/bin/bash
LOCAL_IP=$4
REMOTE_IP=$5
# The test below allows for dialing into another Linux machine and being allocated 192.168.1.1 when I don't want the firewall implemented
if [ "$LOCAL_IP" != "192.168.1.1" ] ; then
# Firewall and IP Masquerading rules.
# -V - address of interface via which packets are transfered
# -S/mask - source address
# -D/mask - destination address
# -P - protocol - tcp, udp, icmp or all.
# -a - append rule.
# -m - masquerade option.
# -k - only match TCP packets with the ACK bit set - data returned in
# response to a request by us.
# -p - policy - one of accept, deny, or reject. Deny is safer as no response
# is given to alert an intruder to our presence.
# Flush all rules first -
/sbin/ipfwadm -I -f
/sbin/ipfwadm -O -f
/sbin/ipfwadm -F -f
# Set initial blanket 'deny' commands
/sbin/ipfwadm -I -p deny
/sbin/ipfwadm -O -p deny
/sbin/ipfwadm -F -p deny
# Prevent 'Spoofing' IP packets from outside.
# Deny packets with a local network address from outside
/sbin/ipfwadm -I -a deny -V $LOCAL_IP -S 192.168.1.0/24 -D 0.0.0.0/0 -o
# Deny packets with our IP address coming from outside
/sbin/ipfwadm -I -a deny -V $LOCAL_IP -S $LOCAL_IP -D 0.0.0.0/0 -o
# Deny packets with 0 address coming from outside
/sbin/ipfwadm -I -a deny -V $LOCAL_IP -S 0.0.0.0 -D -0.0.0.0/0 -o
#Allow localhost to operate.
/sbin/ipfwadm -I -a accept -W lo -V 127.0.0.1 -S 0.0.0.0/0 -D 0.0.0.0/0
/sbin/ipfwadm -O -a accept -W lo -V 127.0.0.1 -S 0.0.0.0/0 -D 0.0.0.0/0
# Allow unlimited internal access.
/sbin/ipfwadm -I -a accept -W eth0 -V 192.168.1.1 -S 0.0.0.0/0 -D 0.0.0.0/0
/sbin/ipfwadm -O -a accept -W eth0 -V 192.168.1.1 -S 0.0.0.0/0 -D 0.0.0.0/0
# Control telnet access - port 23 is telnet.
/sbin/ipfwadm -I -a accept -P tcp -S 192.168.1.0/24 telnet -D 0.0.0.0/0 23
# change line below to allow access for a defined host via Internet.
#/sbin/ipfwadm -I -a accept -P tcp -S xxx.xxx.xxx.xxx -D 0.0.0.0/0 23
/sbin/ipfwadm -I -a deny -P tcp -S 0.0.0.0/0 -D 0.0.0.0/0 23 -o
# Allow access to port 25 (SMTP) to Demon only
/sbin/ipfwadm -I -a accept -P tcp -S 194.217.242.0/24 -D $LOCAL_IP 25
# Filter out netbios output
/sbin/ipfwadm -O -a deny -P tcp -S $LOCAL_IP 137:139 -D 0.0.0.0/0 -o
/sbin/ipfwadm -O -a deny -P udp -S $LOCAL_IP 137:138 -D 0.0.0.0/0 -o
# Unlimited output for tcp
/sbin/ipfwadm -O -a accept -P tcp -S $LOCAL_IP -D 0.0.0.0/0
/sbin/ipfwadm -O -a accept -P udp -S $LOCAL_IP -D 0.0.0.0/0
# Prevent "smurf" attacks - requests to ..0 or ..255 .
/sbin/ipfwadm -I -a deny -P icmp -D 192.168.1.0 -S 0/0 0 8 -o
/sbin/ipfwadm -I -a deny -P icmp -D 192.168.1.255 -S 0/0 0 8 -o
/sbin/ipfwadm -I -a accept -P icmp -S 0.0.0.0/0 -D $LOCAL_IP
/sbin/ipfwadm -O -a accept -P icmp -S $LOCAL_IP -D 0.0.0.0/0
# Deny connections to 6000 to 6010 X windows ports
/sbin/ipfwadm -I -a deny -P tcp -V $LOCAL_IP -S 0.0.0.0/0 -D $LOCAL_IP 6000:6010
/sbin/ipfwadm -I -a deny -P udp -V $LOCAL_IP -S 0.0.0.0/0 -D $LOCAL_IP 6000:6010
# Accept connections to high port numbers.
/sbin/ipfwadm -I -a accept -P tcp -S 0.0.0.0/0 -D $LOCAL_IP 1024:65535
/sbin/ipfwadm -I -a accept -P udp -S 0.0.0.0/0 -D $LOCAL_IP 1024:65535
# Allow auth input - Port 113
/sbin/ipfwadm -I -a accept -P tcp -S 0.0.0.0/0 -D $LOCAL_IP auth
# Limit finger to returns from my command - -k.
/sbin/ipfwadm -I -a accept -P tcp -k -S 0.0.0.0/0 finger -D $LOCAL_IP 1024:65535
/sbin/ipfwadm -I -a deny -P tcp -S 0.0.0.0/0 -D $LOCAL_IP finger -o
/sbin/ipfwadm -I -a accept -P tcp -S 0.0.0.0/0 -D $LOCAL_IP ftp-data
# Deny connections to low port numbers
/sbin/ipfwadm -I -a deny -P tcp -S 0.0.0.0/0 -D $LOCAL_IP 0:1023 -o
/sbin/ipfwadm -I -a deny -P udp -S 0.0.0.0/0 -D $LOCAL_IP 0:1023 -o
# Deny any other input
/sbin/ipfwadm -I -a deny -S 0.0.0.0/0 -D 0.0.0.0/0 -o
# Forward/masquerade rule.
/sbin/ipfwadm -F -a m -S 192.168.1.0/24 -D 0.0.0.0/0
fi
########## end of ip-up.local ##########