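#!/bin/sh
#
# Minimal ipchains startup rules for a Linux 2.2.x based firewall.
#
# Assumptions:
#   Local network   is 192.168.0.0/24
#   Local interface is eth0
#   Internet interface is eth1 (yours may be ppp0, etc...)
#
# Required environment: none (PATH is set below). Must run as root.
#
# Read your logs if something doesn't work ;)

#= startup ========================================

# Abort on the first failing command.  The chains get a DENY policy before
# anything else, so a rule that fails to load (typo, missing kernel support)
# leaves the box closed instead of half-configured with forwarding enabled
# at the end of the script.
set -e

# Set the PATH so all commands in this script can be found.
PATH=/bin:/sbin

INTERNAL=192.168.0.0/24
ANY=0.0.0.0/0

# Setting a policy of DENY before flushing the chains makes the firewall
# fail in a safe way if something goes wrong further down in this script.
ipchains -P input DENY
ipchains -F input
ipchains -P forward DENY
ipchains -F forward

# This assumes we trust internal users:
ipchains -P output ACCEPT
ipchains -F output

#= input ==========================================

# Turn on Source Address Verification so our network cannot be
# used for IP address spoofing.
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
  echo 1 > "$f"
done

#- local ------------------------------------------

# Private LAN is trusted (is this acceptable for your site?)
ipchains -A input -i eth0 -j ACCEPT

# loopback: all packets with src and dst matching appear here,
# not just the ones addressed to 127.0.0.1.
ipchains -A input -i lo -j ACCEPT

#- Internet ---------------------------------------

# The order in which rules are added to a chain is very important!
# The most specific rules come first, the most general rule (catchall)
# goes last. Incorrect order can lead to disaster!

# Reject packets that claim to come from non-routable (private) addresses
# when they arrive on the external interface -- they can only be spoofed.
ipchains -A input -i eth1 -s 10.0.0.0/8 -j DENY
ipchains -A input -i eth1 -s 172.16.0.0/12 -j DENY
ipchains -A input -i eth1 -s $INTERNAL -j DENY

# Allow web server
ipchains -A input -i eth1 -p tcp -s 0/0 -d 0/0 80 -j ACCEPT

# Allow ftp server
ipchains -A input -i eth1 -p tcp -s 0/0 -d 0/0 20 -j ACCEPT
ipchains -A input -i eth1 -p tcp -s 0/0 -d 0/0 21 -j ACCEPT

# Block access to mysql servers from outside.  These ports are above 1023,
# so they must be denied explicitly before the "allow all TCP/UDP above
# 1023" rules further down.
ipchains -A input -i eth1 -p udp -d 0/0 3306 -j DENY --log
ipchains -A input -i eth1 -p tcp -d 0/0 3306 -j DENY --log

# Block access to X11 specifically (if you have it), same reason as mysql.
ipchains -A input -i eth1 -p udp -d 0/0 6000:6063 -j DENY --log
ipchains -A input -i eth1 -p tcp -d 0/0 6000:6063 -j DENY --log

# Block ALL access to privileged ports (below 1024).  Only UDP is logged here.
ipchains -A input -i eth1 -p tcp -d 0/0 0:1023 -j DENY
ipchains -A input -i eth1 -p udp -d 0/0 0:1023 -j DENY --log

# The privileged ports (<1024) are now blocked.

# Allow all TCP except incoming connections (no packets w SYN=1,ACK=0).
# Blocking incoming connections causes problems only with ftp in active
# mode, so use it in passive mode, that is much safer.
ipchains -A input -i eth1 -p tcp -d 0/0 1024:65535 ! --syn -j ACCEPT

# Allow all UDP above 1023 but make doubly sure that you don't have
# unprotected UDP servers in this port range.
# There is no separate DNS rule in this script: replies to the firewall's
# own DNS lookups arrive on unprivileged UDP ports and are covered by this
# rule.  If you remove it, add an explicit rule for those replies.
ipchains -A input -i eth1 -p udp --dport 1024:65535 -j ACCEPT

# ICMP, Internet interface only:
# This is needed for error conditions and Path-MTU discovery:
for t in echo-reply destination-unreachable time-exceeded parameter-problem; do
  ipchains -A input -i eth1 -p icmp --icmp-type "$t" -j ACCEPT
done

# ICMP, all other interfaces:
ipchains -A input -i ! eth1 -p icmp -j ACCEPT

# The input default policy blocks everything that doesn't match any
# rule, but it doesn't give us log messages. That is why we use a
# catch-all so we can see what is going on (uncomment the --log variant
# to actually get those messages):
# ipchains -A input -j DENY --log
ipchains -A input -j DENY

#= output =========================================

#- Internet ---------------------------------------

# Our private network addresses should never appear on the Internet.
ipchains -A output -i eth1 -d $INTERNAL -j REJECT
ipchains -A output -i eth1 -d 10.0.0.0/8 -j REJECT
ipchains -A output -i eth1 -d 172.16.0.0/12 -j REJECT

#= forward ========================================

# You can load kernel modules for masquerading here if necessary,
# for example:
#modprobe ip_masq_ftp

# NOTE(review): every forward rule below is TCP-only.  UDP from internal
# hosts (e.g. DNS on port 53) is not masqueraded by this script, so internal
# clients presumably need a resolver on a host this firewall reaches itself,
# or an explicit UDP rule -- confirm against your setup.

# Allow HTTP and HTTPS access from inside the network.
ipchains -A forward -i eth1 -s $INTERNAL -d $ANY 80 -p tcp -b -j MASQ
ipchains -A forward -i eth1 -s $INTERNAL -d $ANY 443 -p tcp -b -j MASQ

# Allow news (NNTP) access from inside the network.
ipchains -A forward -i eth1 -s $INTERNAL -d $ANY 119 -p tcp -b -j MASQ

# Allow SMTP, POP and IMAP access from inside the network.
ipchains -A forward -i eth1 -s $INTERNAL -d $ANY 25 -p tcp -b -j MASQ
ipchains -A forward -i eth1 -s $INTERNAL -d $ANY 110 -p tcp -b -j MASQ
ipchains -A forward -i eth1 -s $INTERNAL -d $ANY 143 -p tcp -b -j MASQ

# Allow access to FTP servers from inside the network.
ipchains -A forward -i eth1 -s $INTERNAL -d $ANY 21 -p tcp -b -j MASQ

# Allow TELNET and SSH access from inside the network.
ipchains -A forward -i eth1 -s $INTERNAL -d $ANY 22 -p tcp -b -j MASQ
ipchains -A forward -i eth1 -s $INTERNAL -d $ANY 23 -p tcp -b -j MASQ

# Allow the unprivileged ports --> needed for passive FTP data connections.
# Note this also lets internal hosts reach ANY TCP service above 1023.
ipchains -A forward -i eth1 -s $INTERNAL -d $ANY 1024: -p tcp -b -j MASQ

# The forward default policy blocks everything that doesn't match any
# rule, but it doesn't give us log messages. That is why we use a
# catch-all rule so we can see what is going on:
ipchains -A forward -j REJECT --log

# Turn on forwarding last, once every rule above is in place
# (better to use sysctl, refer to man sysctl).
echo 1 > /proc/sys/net/ipv4/ip_forward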