Firewall and Proxy Server HOWTO


15. APPENDIX A - Example Scripts

15.1 RC Script using GFCC

#!/bin/bash
#
# Firewall Script - Version 0.9.1
#
# chkconfig: 2345 09 99
# description: firewall script for 2.2.x kernel
# Set for testing
# set -x
#
# NOTES:
#
#  This script is written for RedHat 6.1 or better.
#
#  Be careful about offering public services like web or ftp servers.
#
# INSTALLATION:
#  1. place this file in /etc/rc.d/init.d  (you'll have to be root..)
#     call it something like "firewall"    :-)
#     make it root owned -->  "chown root.root (filename)"
#     make it executable -->  "chmod 755 (filename)"
#
#  2. use GFCC to create your firewall rules and export them to a file
#     named /etc/gfcc/rules/firewall.rule.sh.
#
#  3. add the firewall to the RH init structure --> "chkconfig --add (filename)"
#     next time the router boots, things should happen automagically!
#     sleep better at night knowing you are *LESS* vulnerable than before...
#
# RELEASE NOTES
#   30 Jan, 2000 - Changed to GFCC script 
#   11 Dec, 1999 - updated by Mark Grennan <mark at grennan.com>
#   20 July, 1999 - initial writing - Anthony Ball <tony at LinuxSIG.org>
#

################################################

# Public (external) interface, used by the "test" mode below.
# Change it to match your system (e.g. eth0 for a cable modem).
PUBLIC=ppp0

# Source function library.
. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up.
[ "${NETWORKING}" = "no" ] && exit 0

# See how we are called
case "$1" in

  start)
        # Start providing access
        action "Starting firewall: " /bin/true
        # Refuse to "start" with no rules at all: if the GFCC export is missing,
        # the chains would simply stay at their default ACCEPT policy.
        if [ ! -f /etc/gfcc/rules/firewall.rule.sh ]; then
            echo "/etc/gfcc/rules/firewall.rule.sh not found - no rules loaded"
            exit 1
        fi
        /bin/sh /etc/gfcc/rules/firewall.rule.sh
        echo
        ;;

  stop)
        action "Stopping firewall: " /bin/true
        echo 0 > /proc/sys/net/ipv4/ip_forward
        /sbin/ipchains -F input
        /sbin/ipchains -F output
        /sbin/ipchains -F forward

        echo
        ;;

  restart)
        action "Restarting firewall: " /bin/true
        $0 stop
        $0 start

        echo
        ;;

  status)
        # List out all settings
        /sbin/ipchains -L
        ;;

  test)
        action "Test Mode firewall: " /bin/true
        /sbin/ipchains -F input
        /sbin/ipchains -F output
        /sbin/ipchains -F forward
        echo 1 > /proc/sys/net/ipv4/ip_forward
        /sbin/ipchains -A input -j ACCEPT
        /sbin/ipchains -A output -j ACCEPT
        /sbin/ipchains -P forward DENY
        /sbin/ipchains -A forward -i $PUBLIC -j MASQ

        echo
        ;;

  *)
        echo "Usage: $0 {start|stop|restart|status|test}"
        exit 1

esac

15.2 GFCC script

This script was generated by the Graphical Firewall program (GFCC). It is not the working rule set; it is the rule set as exported by GFCC to the file the RC script above runs.


#!/bin/sh
# Generated by Gtk+ firewall control center

IPCHAINS=/sbin/ipchains


localnet="192.168.1.0/24"
firewallhost="192.168.1.1/32"
localhost="127.0.0.0/8"   # loopback range, matched by the "-i lo" rule below
DNS1="24.94.163.119/32"
DNS2="24.94.163.124/32"
Broadcast="255.255.255.255/32"
Multicast="224.0.0.0/8"
Any="0.0.0.0/0"
mail_grennan_com="192.168.1.1/32"
mark_grennan_com="192.168.1.3/32"

$IPCHAINS -P input DENY
$IPCHAINS -P forward ACCEPT
$IPCHAINS -P output ACCEPT

$IPCHAINS -F
$IPCHAINS -X

# input rules
$IPCHAINS -A input -s $Any -d $Broadcast -j DENY 
$IPCHAINS -A input -p udp -s $Any -d $Any netbios-ns -j DENY 
$IPCHAINS -A input -p tcp -s $Any -d $Any netbios-ns -j DENY 
$IPCHAINS -A input -p udp -s $Any -d $Any netbios-dgm -j DENY 
$IPCHAINS -A input -p tcp -s $Any -d $Any netbios-dgm -j DENY 
$IPCHAINS -A input -p udp -s $Any -d $Any bootps -j DENY 
$IPCHAINS -A input -p udp -s $Any -d $Any bootpc -j DENY 
$IPCHAINS -A input -s $Multicast -d $Any -j DENY 
$IPCHAINS -A input -s $localhost -d $Any -i lo -j ACCEPT 
$IPCHAINS -A input -s $localnet -d $Any -i eth1 -j ACCEPT 
$IPCHAINS -A input -s $localnet -d $Broadcast -i eth1 -j ACCEPT 
$IPCHAINS -A input -p icmp -s $Any -d $Any -j ACCEPT 
$IPCHAINS -A input -p tcp -s $Any -d $Any -j ACCEPT ! -y 
$IPCHAINS -A input -p udp -s $DNS1 domain -d $Any 1023:65535 -j ACCEPT 
$IPCHAINS -A input -p udp -s $DNS2 domain -d $Any 1023:65535 -j ACCEPT 
$IPCHAINS -A input -p tcp -s $Any -d $Any ssh -j ACCEPT 
$IPCHAINS -A input -p tcp -s $Any -d $Any telnet -j ACCEPT 
$IPCHAINS -A input -p tcp -s $Any -d $Any smtp -j ACCEPT 
$IPCHAINS -A input -p tcp -s $Any -d $Any pop-3 -j ACCEPT 
$IPCHAINS -A input -p tcp -s $Any -d $Any auth -j ACCEPT 
$IPCHAINS -A input -p tcp -s $Any -d $Any www -j ACCEPT 
$IPCHAINS -A input -p tcp -s $Any -d $Any ftp -j ACCEPT 
$IPCHAINS -A input -s $Any -d $Any -j DENY -l 

# forward rules
$IPCHAINS -A forward -s $localnet -d $Any -j MASQ 

# output rules

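As an added example (not part of the HOWTO and not GFCC's own code), a small Python audit that expands the $VAR references in an exported rule file like the one above and lists which ports the input chain accepts from any source address, flagging services whose logins cross the wire in cleartext. The rule text embedded here is a constructed subset; point parse_rules at /etc/gfcc/rules/firewall.rule.sh to check a real export.

```python
import re
import shlex
# Constructed sample in the format GFCC exports (a subset, not the page's full rule set)
SAMPLE_RULES = """\
IPCHAINS=/sbin/ipchains
localnet="192.168.1.0/24"
Any="0.0.0.0/0"
$IPCHAINS -A input -s $localnet -d $Any -i eth1 -j ACCEPT
$IPCHAINS -A input -p tcp -s $Any -d $Any -j ACCEPT ! -y
$IPCHAINS -A input -p tcp -s $Any -d $Any ssh -j ACCEPT
$IPCHAINS -A input -p tcp -s $Any -d $Any telnet -j ACCEPT
$IPCHAINS -A input -p udp -s $Any -d $Any domain -j ACCEPT
"""
CLEARTEXT_SERVICES = {"telnet", "ftp", "pop-3"}  # logins cross the wire unencrypted


def parse_rules(text):
    """Expand $VAR references using the file's own assignments; return each rule as argv tokens."""
    variables, rules = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        assign = re.match(r"^(\w+)=(.*)$", line)
        if assign:
            variables[assign.group(1)] = assign.group(2).strip('"')
            continue
        expanded = re.sub(r"\$(\w+)", lambda m: variables.get(m.group(1), m.group(0)), line)
        rules.append(shlex.split(expanded))
    return rules


def _arg(argv, flag):  # token following FLAG, or None when FLAG is absent
    return argv[argv.index(flag) + 1] if flag in argv else None


def open_input_ports(text):
    """(proto, port) pairs that the input chain ACCEPTs from any source address."""
    found = []
    for argv in parse_rules(text):
        if (_arg(argv, "-A") != "input" or _arg(argv, "-j") != "ACCEPT" or "-p" not in argv
                or _arg(argv, "-s") not in (None, "0.0.0.0/0") or "-d" not in argv):
            continue  # not an input ACCEPT rule, or limited to a trusted source
        # ipchains syntax is "-d ADDR [PORT]": a port follows only if the next token is not an option or "!"
        d = argv.index("-d")
        if d + 2 < len(argv) and not argv[d + 2].startswith(("-", "!")):
            found.append((_arg(argv, "-p"), argv[d + 2]))
    return found


def cleartext_exposed(text):  # open input ports belonging to cleartext-login services
    return sorted(p for _, p in open_input_ports(text) if p in CLEARTEXT_SERVICES)
```

The "! -y" rule (established TCP) carries no port and is deliberately not reported; rules restricted to $localnet are skipped because they do not expose the router to the public side.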
15.3 RC Script without GFCC

This is the firewall rule set built by hand. It does not use GFCC.

#!/bin/bash
#
# Firewall Script - Version 0.9.0

# chkconfig: 2345 09 99
# description: firewall script for 2.2.x kernel

# Set for testing
# set -x

#
# NOTES:
#
#  This script is written for RedHat 6.0 or better.
#
#  This firewall script should work for most routers, dial-up or cable modem.
#  It was written for RedHat distributions. 
#
#  Be careful about offering public services like web or ftp servers.
#
# INSTALLATION:
#  1. This file planned for a RedHat system.  It would work
#     on other distro's with perhaps no modification, but again...
#     Who knows?!!?  These instructions apply to RedHat systems.
#
#  2. place this file in /etc/rc.d/init.d  (you'll have to be root..)
#     call it something like "firewall"    :-)
#     make it root owned -->  "chown root.root <filename>"
#     make it executable -->  "chmod 755 <filename>"
#
#  3. set the values for your network, internal interface, and DNS servers
#     uncomment lines further down to enable optional in-bound services
#     make sure "eth0" is your internal NIC (or change the value below)
#     test it -->  "/etc/rc.d/init.d/<filename> start"
#     you can list the rules -->  "ipchains -L -n"
#     fix anything that broke...  :-)
#
#  4. add the firewall to the RH init structure --> "chkconfig --add <filename>"
#     next time the router boots, things should happen automagically!
#     sleep better at night knowing you are *LESS* vulnerable than before...
#
# RELEASE NOTES
#   20 July, 1999 - initial writing - Anthony Ball <tony at LinuxSIG.org>
#   11 Dec, 1999 - updated by Mark Grennan <mark at grennan.com>
#

################################################
#  Fill in the values below to match your
#  local network.

PRIVATENET=xxx.xxx.xxx.xxx/xx

PUBLIC=ppp0
PRIVATE=eth0

# your dns servers
DNS1=xxx.xxx.xxx.xxx
DNS2=xxx.xxx.xxx.xxx

################################################

# some handy generic values to use
ANY=0.0.0.0/0
ALLONES=255.255.255.255

# Source function library.
. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up.
[ "${NETWORKING}" = "no" ] && exit 0

# See how we are called
case "$1" in

  start)
        # Start providing access
        action "Starting firewall: " /bin/true

        ##
        ## Set up environment
        ##
        # Flush all lists
        /sbin/ipchains -F input
        /sbin/ipchains -F output
        /sbin/ipchains -F forward

        # Plug up everything
        /sbin/ipchains -I input 1 -j DENY

        # set policy to deny (Default is ACCEPT)
        /sbin/ipchains -P input DENY
        /sbin/ipchains -P output ACCEPT
        /sbin/ipchains -P forward ACCEPT

        # Turn on packet forwarding
        echo 1 > /proc/sys/net/ipv4/ip_forward

        ##
        ## Install Modules 
        ##
        # Insert the active ftp module.  This will allow non-passive ftp to machines
        # on the local network (but not to the router since it is not masq'd)
        if ! ( /sbin/lsmod | /bin/grep masq_ftp > /dev/null ); then
            /sbin/insmod ip_masq_ftp
        fi

        ##
        ## Some Security Stuff
        ##
        # turn on Source Address Verification and get spoof protection
        # on all current and future interfaces.
        if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
            for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
                echo 1 > $f
            done
        else
            echo
            echo "PROBLEMS SETTING UP IP SPOOFING PROTECTION.  BE WORRIED."
            echo
        fi

        # deny bcasts on remaining interfaces
        /sbin/ipchains -A input -d 0.0.0.0 -j DENY
        /sbin/ipchains -A input -d 255.255.255.255 -j DENY

        # deny these without logging 'cause there tend to be a lot...
        /sbin/ipchains -A input -p udp -d $ANY 137 -j DENY   # NetBIOS over IP
        /sbin/ipchains -A input -p tcp -d $ANY 137 -j DENY   #   ""
        /sbin/ipchains -A input -p udp -d $ANY 138 -j DENY   #   ""
        /sbin/ipchains -A input -p tcp -d $ANY 138 -j DENY   #   ""
        /sbin/ipchains -A input -p udp -d $ANY 67 -j DENY    # bootp
        /sbin/ipchains -A input -p udp -d $ANY 68 -j DENY    #   ""
        /sbin/ipchains -A input -s 224.0.0.0/8 -j DENY       # Multicast addresses

        ##
        ## Allow private network out
        ##
        # allow all packets on the loopback interface
        /sbin/ipchains -A input -i lo -j ACCEPT

        # allow all packets from the internal "trusted" interface
        /sbin/ipchains -A input -i $PRIVATE -s $PRIVATENET -d $ANY -j ACCEPT
        /sbin/ipchains -A input -i $PRIVATE -d $ALLONES -j ACCEPT

        ## 
        ## Allow Outside Services into the firewall (if you dare)
        ##
        # allow ICMP
        /sbin/ipchains -A input -p icmp -j ACCEPT
        # allow TCP
        /sbin/ipchains -A input -p tcp ! -y -j ACCEPT

        # allow lookups to DNS (on firewall)
        /sbin/ipchains -A input -p udp -s $DNS1 domain -d $ANY 1023: -j ACCEPT
        /sbin/ipchains -A input -p udp -s $DNS2 domain -d $ANY 1023: -j ACCEPT
        # or (BETTER IDEA) run a caching DNS server on the router and use the 
        # following two lines instead...
        # /sbin/ipchains -A input -p udp -s $DNS1 domain -d $ANY domain -j ACCEPT
        # /sbin/ipchains -A input -p udp -s $DNS2 domain -d $ANY domain -j ACCEPT

        # The optional in-bound services below stay disabled until you
        # uncomment them (see INSTALLATION step 3 above).

        # uncomment the following to allow ssh in
        # /sbin/ipchains -A input -p tcp -d $ANY 22 -j ACCEPT

        # uncomment the following to allow telnet in (BAD IDEA!! - passwords cross the wire in clear text)
        # /sbin/ipchains -A input -p tcp -d $ANY telnet -j ACCEPT

        # uncomment to allow NTP (network time protocol) to router
        # /sbin/ipchains -A input -p udp -d $ANY ntp -j ACCEPT

        # uncomment to allow SMTP in (not for mail clients - only a server)
        # /sbin/ipchains -A input -p tcp -d $ANY smtp -j ACCEPT

        # uncomment to allow POP3 in (for mail clients)
        # /sbin/ipchains -A input -p tcp -d $ANY 110 -j ACCEPT

        # allow auth in for sending mail or doing ftp
        /sbin/ipchains -A input -p tcp -d $ANY auth -j ACCEPT

        # uncomment to allow HTTP in (only if you run a web server on the router)
        # /sbin/ipchains -A input -p tcp -d $ANY http -j ACCEPT

        # uncomment to allow FTP in
        # /sbin/ipchains -A input -p tcp -d $ANY ftp -j ACCEPT

        ##
        ## Masquerading stuff
        ##
        # masquerade packets forwarded from internal network
        /sbin/ipchains -A forward -s $PRIVATENET -d $ANY -j MASQ

        ##
        ## deny EVERYthing else and log them to /var/log/messages
        ##
        /sbin/ipchains -A input -l -j DENY

        # Remove the Plug
        /sbin/ipchains -D input 1

        ;;

  stop)
        action "Stopping firewall: " /bin/true
        echo 0 > /proc/sys/net/ipv4/ip_forward
        /sbin/ipchains -F input
        /sbin/ipchains -F output
        /sbin/ipchains -F forward

        echo
        ;;

  restart)
        action "Restarting firewall: " /bin/true
        $0 stop
        $0 start

        echo
        ;;

  status)
        # List out settings
        /sbin/ipchains -L
        ;;

  test)
        ##
        ## This is about as simple as it gets
        ##    (This is not secure AT ALL)
        action "WARNING Test Firewall: " /bin/true
        /sbin/ipchains -F input
        /sbin/ipchains -F output
        /sbin/ipchains -F forward
        echo 1 > /proc/sys/net/ipv4/ip_forward
        /sbin/ipchains -A input -j ACCEPT
        /sbin/ipchains -A output -j ACCEPT
        /sbin/ipchains -P forward DENY
        /sbin/ipchains -A forward -i $PUBLIC -j MASQ

        echo
        ;;

  *)
        echo "Usage: $0 {start|stop|restart|status|test}"
        exit 1

esac

