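# ipchains packet filter for a small masquerading gateway: InsideFace
# (the LAN) is trusted, OutsideFace (the Internet link) is filtered.
#
# Usage (as root):  sh <this script> OUTSIDE_IP
#   OUTSIDE_IP - address of the outside interface; it is the only argument.
#
# Every run flushes the input/output/forward chains and rebuilds them.
# ipchains uses first-match, so the order below matters: anti-spoofing
# rules first, explicit accepts in the middle, catch-all rejects last.

# Interfaces and their IPs and networks
ANY="0.0.0.0/0"
InsideIP="10.0.0.1"
InsideNet="10.0.0.0/24"
InsideNetMask="10.0.0.255/24"
InsideFace="eth1"
# Refuse to build a rule set with an empty outside address: every
# "-d $OutsideIP" rule below would otherwise be malformed.
OutsideIP="${1:?usage: $0 OUTSIDE_IP}"
OutsideNet="${OutsideIP}/24"    # not referenced by any rule below
OutsideFace="eth0"

# Target for refused packets: REJECT answers with ICMP, DENY drops silently.
DR="REJECT"
# DR="DENY"

# Port ranges ("low:high").  HighPorts deliberately skips 6000:6049 (X11).
HighPorts="1024:5999 6050:65535"
TheirHighPorts="1024:65535"
LowPorts="1:1023"

TimeServers="192.5.41.239 146.246.250.251 129.127.28.4 128.105.201.11 140.142.16.34 18.72.0.3 18.26.4.105 16.1.0.4 204.123.2.5"

# Outside general services SSL and web
OutsideServices="443 80 8080"    # not referenced by any rule below

# people I wish to be impolite to - none to start with
BADFOLKS=""

# Illegal address ranges: the RFC 1918 private blocks.  The 172 block is
# 172.16.0.0/12 (172.16.0.0 - 172.31.255.255); the old "/11" also covered
# the public 172.0.0.0 - 172.15.255.255.
ILLADD="10.0.0.0/8 192.168.0.0/16 172.16.0.0/12"

# Ignore these addresses
IGNORETHEM=""

# we will allow ICMP for these folks
ICMPAllow="$InsideIP"

# enable ipchains if it is here
/sbin/modprobe ipchains
/sbin/depmod -a
/sbin/modprobe ip_masq_ftp
# reassemble fragments before filtering so the port matches below see
# complete headers
echo "1" > /proc/sys/net/ipv4/ip_always_defrag

# setup default denies
/sbin/ipchains -P input "$DR"
/sbin/ipchains -P output ACCEPT
/sbin/ipchains -P forward "$DR"
# delete previous rules - Flush the chains
/sbin/ipchains -F input
/sbin/ipchains -F output
/sbin/ipchains -F forward

printf '%s' "Bad folks: "
# $BADFOLKS is a space-separated list, hence unquoted on purpose
for bad in $BADFOLKS; do
  printf '%s ' "$bad"
  /sbin/ipchains -A input -s "$bad" -j "$DR"
  /sbin/ipchains -A output -s "$bad" -j "$DR"
done

# Anti-spoofing: private source addresses are only illegal on the outside
# link.  These rules used to carry no -i, so "10.0.0.0/8" rejected every
# packet from InsideNet (10.0.0.0/24) on InsideFace and every reply this
# host sent from InsideIP.  The extra -d rule stops routing packets for
# private ranges out over the Internet link.
for bad in $ILLADD; do
  printf '%s ' "$bad"
  /sbin/ipchains -A input -s "$bad" -i "$OutsideFace" -j "$DR"
  /sbin/ipchains -A output -s "$bad" -i "$OutsideFace" -j "$DR"
  /sbin/ipchains -A output -d "$bad" -i "$OutsideFace" -j "$DR"
done

printf '%s' "Shunned folks: (not logged)"
for bad in $IGNORETHEM; do
  printf '%s ' "$bad"
  /sbin/ipchains -A input -s "$bad" -j "$DR"
  /sbin/ipchains -A output -s "$bad" -j "$DR"
done
printf '\n'

# masquerading - forward from eth1 to eth0 and get responses
# -S sets the masquerade timeouts in seconds: tcp, tcp-fin, udp
/sbin/ipchains -S 7200 10 160
/sbin/ipchains -P forward "$DR"
printf '%s' "masquerading "
echo 1 > /proc/sys/net/ipv4/ip_forward
/sbin/ipchains -A forward -s "$InsideNetMask" -j MASQ
printf '%s\n' "on"

printf '%s' "ICMP: "
printf '%s' "Inface: ACCEPT "
/sbin/ipchains -A input -p icmp -i "$InsideFace" -j ACCEPT
/sbin/ipchains -A output -p icmp -i "$InsideFace" -j ACCEPT
/sbin/ipchains -A input -p icmp -i lo -j ACCEPT
/sbin/ipchains -A output -p icmp -i lo -j ACCEPT

# allow icmp on these inputs
# (private addresses in this list never get here on OutsideFace: the
# anti-spoofing rules above match first)
printf '%s' "Outface friends:"
for i in $ICMPAllow $InsideNet; do
  printf '%s ' "$i"
  /sbin/ipchains -A input -s "$i" -p icmp -i "$OutsideFace" -j ACCEPT
  /sbin/ipchains -A output -d "$i" -p icmp -i "$OutsideFace" -j ACCEPT
done
printf '\n'
printf '%s' " ICMP type 3s (unreachables)"
# with -p icmp the number after the -s address is the ICMP type
# dest unreachable inbound
/sbin/ipchains -A input -p icmp -s "$ANY" 3 -j ACCEPT
# ping out
printf '%s' " type 8+0+11 (ping/traceroute)"
/sbin/ipchains -A output -p icmp -s "$ANY" 8 -j ACCEPT    # echo request out
/sbin/ipchains -A input -p icmp -s "$ANY" 0 -j ACCEPT     # echo reply in
/sbin/ipchains -A input -p icmp -s "$ANY" 11 -j ACCEPT    # time exceeded in

printf '%s' " $DR rest "
/sbin/ipchains -A input -p icmp -s "$ANY" -i "$OutsideFace" -j "$DR"
/sbin/ipchains -A output -p icmp -s "$ANY" -i "$OutsideFace" -j "$DR"
printf '\n'

printf '%s' "UDP ntp (123) for "
for TS in $TimeServers; do
  for Face in $InsideFace $OutsideFace; do
    /sbin/ipchains -A input -p UDP -s "$TS" 123 -d "$InsideNet" -i "$Face" -j ACCEPT
    /sbin/ipchains -A input -p UDP -s "$InsideNet" -d "$TS" 123 -i "$Face" -j ACCEPT
    /sbin/ipchains -A output -p UDP -s "$TS" 123 -d "$InsideNet" -i "$Face" -j ACCEPT
    /sbin/ipchains -A output -p UDP -s "$InsideNet" -d "$TS" 123 -i "$Face" -j ACCEPT
  done
  /sbin/ipchains -A input -p UDP -s "$TS" 123 -d "$OutsideIP" -j ACCEPT
  /sbin/ipchains -A output -p UDP -s "$OutsideIP" -d "$TS" 123 -j ACCEPT
  printf '%s ' "$TS"
done
printf '%s\n' "Time Servers Rigged"

printf '%s' "DNS (53) outbound only: "
/sbin/ipchains -A input -p UDP -s "$ANY" -d "$ANY" 53 -i "$InsideFace" -j ACCEPT
/sbin/ipchains -A output -p UDP -s "$ANY" 53 -d "$ANY" -i "$InsideFace" -j ACCEPT
# inside - we ask our own DNS...
/sbin/ipchains -A input -p UDP -s "$ANY" 53 -d "$ANY" -i "$InsideFace" -j ACCEPT

# outside we can ask, not them.  Replies from port 53 are accepted only to
# this host's unprivileged ports, which is where our own resolver and the
# masqueraded LAN queries live; the old "-d $ANY" accepted any UDP packet
# with source port 53 to any port on any host.
/sbin/ipchains -A input -p UDP -s "$ANY" 53 -d "$OutsideIP" "$TheirHighPorts" -i "$OutsideFace" -j ACCEPT
/sbin/ipchains -A output -p UDP -s "$ANY" -d "$ANY" 53 -i "$OutsideFace" -j ACCEPT
printf '%s\n' "DNS set up"

printf '%s\n' "Rigging $InsideNet to the world: "
# inside interface
printf '%s' "Inside face does anything - "
/sbin/ipchains -A input -p TCP -s "$InsideNet" -i "$InsideFace" -j ACCEPT
/sbin/ipchains -A output -p TCP -d "$InsideNet" -i "$InsideFace" -j ACCEPT

# The former "outside interface" pair accepting -s/-d $InsideNet on
# $OutsideFace is gone: the anti-spoofing rules above reject those packets
# before this point, so it could only ever have been dead or a spoof hole.

# accept TCP from and to insider face regardless
printf '%s' "TCP from and to inside face Allowed - "
/sbin/ipchains -A input -p TCP -i "$InsideFace" -j ACCEPT
/sbin/ipchains -A output -p TCP -i "$InsideFace" -j ACCEPT

# output to outside face is always allowed
printf '%s' "output to outside face allowed "
/sbin/ipchains -A output -p TCP -i "$OutsideFace" -j ACCEPT
/sbin/ipchains -A output -p UDP -i "$OutsideFace" -j ACCEPT
/sbin/ipchains -A output -p ICMP -i "$OutsideFace" -j ACCEPT
printf '\n'

# refuse other inbound to low ports and Xwindows ports
printf '%s\n' "Refuse X11 and other low port inbound requests from outside"
/sbin/ipchains -A input -p TCP -d "$ANY" "$LowPorts" -i "$OutsideFace" -j "$DR"
# X servers listen on 6000 and up, so inbound X11 is a *destination* port
# match; the previous rule matched the source port and never covered it.
/sbin/ipchains -A input -p TCP -d "$ANY" 6000:6050 -i "$OutsideFace" -j "$DR"

# FOR THIS WALL ONLY!!!  all high port destinations refused into outside face (except as previously allowed)
# -y limits this to connection attempts (SYN).  Without it this rule, which
# sits ahead of the non-SYN accepts below, also rejected the replies to every
# outbound TCP connection from this host and from masqueraded LAN clients
# (they return to $OutsideIP on ports inside 1024:65535).
printf '%s' "Refusing all inbound TCP on $OutsideFace to $OutsideIP ports: "
for portset in $TheirHighPorts; do
  printf '%s ' "$portset"
  /sbin/ipchains -A input -p TCP -y -s "$ANY" -d "$OutsideIP" "$portset" -i "$OutsideFace" -j "$DR"
done
printf '\n'

# high ports allowed into outside face if not SYN packets
# (this loop matches source ports and is subsumed by the catch-all after it;
# kept for the progress output)
printf '%s' "high ports if not SYN packets: "
for portset in $HighPorts; do
  printf '%s ' "$portset"
  /sbin/ipchains -A input -p TCP -s "$ANY" "$portset" -i "$OutsideFace" -j ACCEPT ! -y
done

# any established (non-SYN) TCP may come in on the outside face
/sbin/ipchains -A input -p TCP -s "$ANY" -i "$OutsideFace" -j ACCEPT ! -y
printf '\n'

# Everything else arriving on, or forwarded out of, the outside face is
# refused.  These used to name eth0 literally instead of $OutsideFace.
/sbin/ipchains -A input -i "$OutsideFace" -j "$DR"
/sbin/ipchains -A output -i "$OutsideFace" -j ACCEPT
/sbin/ipchains -A forward -i "$OutsideFace" -j "$DR"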
