Next Previous Contents

15. APPENDEX A - Example Scripts

15.1 RC Script useing GFCC

#!/bin/bash
#
# Firewall Script - Version 0.9.1
#
# chkconfig: 2345 09 99
# description: firewall script for 2.2.x kernel
# Set for testing
# set -x
#
# NOTES:
#
#  This script is written for RedHat 6.1 or better.
#
#  Be careful about offering public services like web or ftp servers.
#
# INSTALLATION:
#  1. place this file in /etc/rc.d/init.d  (you'll have to be root..)
#     call it something like "firewall"    :-)
#     make it root owned -->  "chown root.root (filename)"
#     make it executable -->  "chmod 755 (filename)"
#
#  2. use GFCC to create your firewall rules and export them to a file
#     named /etc/gfcc/rules/firewall.rule.sh.
#
#  3. add the firewall to the RH init structure --> "chkconfig --add (filename)"
#     next time the router boots, things should happen automagically!
#     sleep better at night knowing you are *LESS* vulnerable than before...
#
# RELEASE NOTES
#   30 Jan, 2000 - Changed to GFCC script 
#   11 Dec, 1999 - updated by Mark Grennan <[email protected]>
#   20 July, 1999 - initial writing - Anthony Ball <[email protected]>
#

################################################

# Source function library.
. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up.
[ ${NETWORKING} = "no" ] && exit 0

# See how we are called
case "$1" in

  start)
        # Start providing access
        action "Starting firewall: " /bin/true
        /etc/gfcc/rules/firewall.rule.sh
        echo
        ;;

  stop)
        action "Stoping firewall: " /bin/true
        echo 0 > /proc/sys/net/ipv4/ip_forward
        /sbin/ipchains -F input
        /sbin/ipchains -F output
        /sbin/ipchains -F forward

        echo
        ;;

  restart)
        action "Restarting firewall: " /bin/true
        $0 stop
        $0 start

        echo
        ;;

  status)
        # List out all settings
        /sbin/ipchains -L
        ;;

  test)
        action "Test Mode firewall: " /bin/true
        /sbin/ipchains -F input
        /sbin/ipchains -F output
        /sbin/ipchains -F forward
        echo 1 > /proc/sys/net/ipv4/ip_forward
        /sbin/ipchains -A input -j ACCEPT
        /sbin/ipchains -A output -j ACCEPT
        /sbin/ipchains -P forward DENY
        /sbin/ipchains -A forward -i $PUBLIC -j MASQ

        echo
        ;;

  *)
        echo "Usage: $0 {start|stop|restart|status|test}"
        exit 1

esac

15.2 GFCC script

This script was generated by the Graphical Firewall program (GFCC). This is not the working rule set. This is the exported rules set.


#!/bin/sh
# Generated by Gtk+ firewall control center

IPCHAINS=/sbin/ipchains


localnet="192.168.1.0/24"
firewallhost="192.168.1.1/32"
localhost="172.0.0.0/8"
DNS1="24.94.163.119/32"
DNS2="24.94.163.124/32"
Broadcast="255.255.255.255/32"
Multicast="224.0.0.0/8"
Any="0.0.0.0/0"
mail_grennan_com="192.168.1.1/32"
mark_grennan_com="192.168.1.3/32"

$IPCHAINS -P input DENY
$IPCHAINS -P forward ACCEPT
$IPCHAINS -P output ACCEPT

$IPCHAINS -F
$IPCHAINS -X

# input rules
$IPCHAINS -A input -s $Any -d $Broadcast -j DENY 
$IPCHAINS -A input -p udp -s $Any -d $Any netbios-ns -j DENY 
$IPCHAINS -A input -p tcp -s $Any -d $Any netbios-ns -j DENY 
$IPCHAINS -A input -p udp -s $Any -d $Any netbios-dgm -j DENY 
$IPCHAINS -A input -p tcp -s $Any -d $Any netbios-dgm -j DENY 
$IPCHAINS -A input -p udp -s $Any -d $Any bootps -j DENY 
$IPCHAINS -A input -p udp -s $Any -d $Any bootpc -j DENY 
$IPCHAINS -A input -s $Multicast -d $Any -j DENY 
$IPCHAINS -A input -s $localhost -d $Any -i lo -j ACCEPT 
$IPCHAINS -A input -s $localnet -d $Any -i eth1 -j ACCEPT 
$IPCHAINS -A input -s $localnet -d $Broadcast -i eth1 -j ACCEPT 
$IPCHAINS -A input -p icmp -s $Any -d $Any -j ACCEPT 
$IPCHAINS -A input -p tcp -s $Any -d $Any -j ACCEPT ! -y 
$IPCHAINS -A input -p udp -s $DNS1 domain -d $Any 1023:65535 -j ACCEPT 
$IPCHAINS -A input -p udp -s $DNS2 domain -d $Any 1023:65535 -j ACCEPT 
$IPCHAINS -A input -p tcp -s $Any -d $Any ssh -j ACCEPT 
$IPCHAINS -A input -p tcp -s $Any -d $Any telnet -j ACCEPT 
$IPCHAINS -A input -p tcp -s $Any -d $Any smtp -j ACCEPT 
$IPCHAINS -A input -p tcp -s $Any -d $Any pop-3 -j ACCEPT 
$IPCHAINS -A input -p tcp -s $Any -d $Any auth -j ACCEPT 
$IPCHAINS -A input -p tcp -s $Any -d $Any www -j ACCEPT 
$IPCHAINS -A input -p tcp -s $Any -d $Any ftp -j ACCEPT 
$IPCHAINS -A input -s $Any -d $Any -j DENY -l 

# forward rules
$IPCHAINS -A forward -s $localnet -d $Any -j MASQ 

# output rules

15.3 RC Script without GFCC This is the firewall rules set built my hand. It does not use GFCC.

#!/bin/bash
#
# Firewall Script - Version 0.9.0

# chkconfig: 2345 09 99
# description: firewall script for 2.2.x kernel

# Set for testing
# set -x

#
# NOTES:
#
#  This script is written for RedHat 6.0 or better.
#
#  This firewall script should work for most routers, dial-up or cable modem.
#  It was written for RedHat distributions. 
#
#  Be careful about offering public services like web or ftp servers.
#
# INSTALLATION:
#  1. This file planned for a RedHat system.  It would work
#     on other distro's with perhaps no modification, but again...
#     Who knows?!!?  These instructions apply to RedHat systems.
#
#  2. place this file in /etc/rc.d/init.d  (you'll have to be root..)
#     call it something like "firewall"    :-)
#     make it root owned -->  "chown root.root <filename>"
#     make it executable -->  "chmod 755 <filename>"
#
#  3. set the values for your network, internal interface, and DNS servers
#     uncomment lines further down to enable optional in-bound services
#     make sure "eth0" is your internal NIC (or change the value below)
#     test it -->  "/etc/rc.d/init.d/<filename> start"
#     you can list the rules -->  "ipchains -L -n"
#     fix anything that broke...  :-)
#
#  4. add the firewall to the RH init structure --> "chkconfig --add <filename>"
#     next time the router boots, things should happen automagically!
#     sleep better at night knowing you are *LESS* vulnerable than before...
#
# RELEASE NOTES
#   20 July, 1999 - initial writing - Anthony Ball <[email protected]>
#   11 Dec, 1999 - updated by Mark Grennan <[email protected]>
#

################################################
#  Fill in the values below to match your
#  local network.

PRIVATENET=xxx.xxx.xxx.xxx/xx

PUBLIC=ppp0
PRIVATE=eth0

# your dns servers
DNS1=xxx.xxx.xxx.xxx
DNS2=xxx.xxx.xxx.xxx

################################################

# some handy generic values to use
ANY=0.0.0.0/0
ALLONES=255.255.255.255

# Source function library.
. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up.
[ ${NETWORKING} = "no" ] && exit 0

# See how we are called
case "$1" in

  start)
        # Start providing access
        action "Starting firewall: " /bin/true

        ##
        ## Setup Envirement
        ##
        # Flush all lists
        /sbin/ipchains -F input
        /sbin/ipchains -F output
        /sbin/ipchains -F forward

        # Plug up everything
        /sbin/ipchains -I input 1 -j DENY

        # set policy to deny (Default is ACCEPT)
        /sbin/ipchains -P input DENY
        /sbin/ipchains -P output ACCEPT
        /sbin/ipchains -P forward ACCEPT

        # Turn on packet forwarding
        echo 1 > /proc/sys/net/ipv4/ip_forward

        ##
        ## Install Modules 
        ##
        # Insert the active ftp module.  This will allow non-passive ftp to machines
        # on the local network (but not to the router since it is not masq'd)
        if ! ( /sbin/lsmod | /bin/grep masq_ftp > /dev/null ); then
            /sbin/insmod ip_masq_ftp
        fi

        ##
        ## Some Security Stuff
        ##
        # turn on Source Address Verification and get spoof protection
        # on all current and future interfaces.
        if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
            for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
                echo 1 > $f
            done
        else
            echo
            echo "PROBLEMS SETTING UP IP SPOOFING PROTECTION.  BE WORRIED."
            echo
        fi

        # deny bcasts on remaining interfaces
        /sbin/ipchains -A input -d 0.0.0.0 -j DENY
        /sbin/ipchains -A input -d 255.255.255.255 -j DENY

        # deny these without logging 'cause there tend to be a lot...
        /sbin/ipchains -A input -p udp -d $ANY 137 -j DENY   # NetBIOS over IP
        /sbin/ipchains -A input -p tcp -d $ANY 137 -j DENY   #   ""
        /sbin/ipchains -A input -p udp -d $ANY 138 -j DENY   #   ""
        /sbin/ipchains -A input -p tcp -d $ANY 138 -j DENY   #   ""
        /sbin/ipchains -A input -p udp -d $ANY 67 -j DENY    # bootp
        /sbin/ipchains -A input -p udp -d $ANY 68 -j DENY    #   ""
        /sbin/ipchains -A input -s 224.0.0.0/8 -j DENY       # Multicast addresses

        ##
        ## Allow private network out
        ##
        # allow all packets on the loopback interface
        /sbin/ipchains -A input -i lo -j ACCEPT

        # allow all packets from the internal "trusted" interface
        /sbin/ipchains -A input -i $PRIVATE -s $PRIVATENET -d $ANY -j ACCEPT
        /sbin/ipchains -A input -i $PRIVATE -d $ALLONES -j ACCEPT

        ## 
        ## Allow Outside Services into the firewall (if you dare)
        ##
        # allow ICMP
        /sbin/ipchains -A input -p icmp -j ACCEPT
        # allow TCP
        /sbin/ipchains -A input -p tcp ! -y -j ACCEPT

        # allow lookups to DNS (on firewall)
        /sbin/ipchains -A input -p udp -s $DNS1 domain -d $ANY 1023: -j ACCEPT
        /sbin/ipchains -A input -p udp -s $DNS2 domain -d $ANY 1023: -j ACCEPT
        # or (BETTER IDEA) run a caching DNS server on the router and use the 
        # following two lines instead...
        # /sbin/ipchains -A input -p udp -s $DNS1 domain -d $ANY domain -j ACCEPT
        # /sbin/ipchains -A input -p udp -s $DNS2 domain -d $ANY domain -j ACCEPT

        # uncomment the following to allow ssh in
        /sbin/ipchains -A input -p tcp -d $ANY 22 -j ACCEPT

        # uncomment the following to allow telnet in (BAD IDEA!!)
        /sbin/ipchains -A input -p tcp -d $ANY telnet -j ACCEPT

        # uncomment to allow NTP (network time protocol) to router
        # /sbin/ipchains -A input -p udp -d $ANY ntp -j ACCEPT

        # uncomment to allow SMTP in (not for mail clients - only a server)
        /sbin/ipchains -A input -p tcp -d $ANY smtp -j ACCEPT

        # uncomment to allow POP3 in (for mail clients)
        /sbin/ipchains -A input -p tcp -d $ANY 110 -j ACCEPT

        # allow auth in for sending mail or doing ftp
        /sbin/ipchains -A input -p tcp -d $ANY auth -j ACCEPT

        # uncomment to allow HTTP in (only if you run a web server on the router)
        /sbin/ipchains -A input -p tcp -d $ANY http -j ACCEPT

        # uncomment to allow FTP in
        /sbin/ipchains -A input -p tcp -d $ANY ftp -j ACCEPT

        ##
        ## Masquerading stuff
        ##
        # masquerade packets forwarded from internal network
        /sbin/ipchains -A forward -s $PRIVATENET -d $ANY -j MASQ

        ##
        ## deny EVERYthing else and log them to /var/log/messages
        ##
        /sbin/ipchains -A input -l -j DENY

        # Remove the Plug
        /sbin/ipchains -D input 1

        ;;

  stop)
        action "Stoping firewall: " /bin/true
        echo 0 > /proc/sys/net/ipv4/ip_forward
        /sbin/ipchains -F input
        /sbin/ipchains -F output
        /sbin/ipchains -F forward

        echo
        ;;

  restart)
        action "Restarting firewall: " /bin/true
        $0 stop
        $0 start

        echo
        ;;

  status)
        # List out settings
        /sbin/ipchains -L
        ;;

  test)
        ##
        ## This is about as simple as it gets
        ##    (This is not secure AT ALL)
        action "WARNING Test Firewall: " /bin/true
        /sbin/ipchains -F input
        /sbin/ipchains -F output
        /sbin/ipchains -F forward
        echo 1 > /proc/sys/net/ipv4/ip_forward
        /sbin/ipchains -A input -j ACCEPT
        /sbin/ipchains -A output -j ACCEPT
        /sbin/ipchains -P forward DENY
        /sbin/ipchains -A forward -i $PUBLIC -j MASQ

        echo
        ;;

  *)
        echo "Usage: $0 {start|stop|restart|status|test}"
        exit 1

esac


Next Previous Contents