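#!/bin/sh
# 00firewall for non-dialup copyright 2001 by cpbotha@ieee.org, for dutidad
# $Id: 00firewall,v 1.7 2002/02/12 17:00:59 cpbotha Exp $
#
# Host firewall for a single-interface (eth0) box.  It hardens a few
# /proc/sys knobs, flushes the filter and nat tables, then builds an INPUT
# chain that accepts only the services listed below and hands everything
# else to a rate-limited LOG+DROP chain.  Must run as root (writes to
# /proc/sys and calls iptables).  Takes no arguments and reads no env vars.

echo "00firewall starting..."

IPTABLES="/sbin/iptables"
# our hosts are all in 130.161.157.1 - 130.161.157.128
# i.e. 130.161.157.0/255.255.255.128, i.e. /25
TRUSTED_HOSTS=130.161.157.0/25

# Write $2 into every /proc/sys/net/ipv4/conf/*/$1, but only when the
# "all" variant exists (the knob may be absent on older kernels).
set_ipv4_conf() {
   knob=$1
   value=$2
   if [ -e "/proc/sys/net/ipv4/conf/all/$knob" ]; then
      for f in /proc/sys/net/ipv4/conf/*/"$knob"; do
         echo "$value" > "$f"
      done
   fi
}

# make sure we have spoof protection on
set_ipv4_conf rp_filter 1
# make sure we have IP forwarding turned OFF (this is a host, not a router)
if [ -e /proc/sys/net/ipv4/ip_forward ]; then
   echo 0 > /proc/sys/net/ipv4/ip_forward
fi
# and make sure we ignore all source routed packets
set_ipv4_conf accept_source_route 0

# we have to load at least this
modprobe ip_tables
# ftp helper; the ftp ACCEPT below is commented out, so this is only kept
# for the day it is re-enabled
modprobe ip_nat_ftp

# flush all previous rules (chains are flushed, policies are reset below)
"$IPTABLES" -t filter -F INPUT
"$IPTABLES" -t filter -F FORWARD
"$IPTABLES" -t filter -F OUTPUT
"$IPTABLES" -t nat -F PREROUTING
"$IPTABLES" -t nat -F POSTROUTING
"$IPTABLES" -t nat -F OUTPUT

# allow ssh connections to be made from the big bad internet
# (we have this here for fool-proofing reasons: it is installed before the
# DROP policy below so a failure later in the script cannot lock us out)
"$IPTABLES" -t filter -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT

# set default policies to paranoid
"$IPTABLES" -t filter -P INPUT DROP
"$IPTABLES" -t filter -P FORWARD DROP
"$IPTABLES" -t filter -P OUTPUT ACCEPT # except this one

# use this as target instead of DROP if you'd like to log
# (-N fails harmlessly when the chain already exists; -F then empties it)
"$IPTABLES" -N DROPLOG 2> /dev/null
"$IPTABLES" -F DROPLOG
# do the log target, rate-limited so a flood cannot fill the logs
"$IPTABLES" -A DROPLOG -j LOG -m limit --limit 5/minute --log-level 4 --log-prefix "00firewall default drop "
# then drop the packet (LOG is not final)
"$IPTABLES" -A DROPLOG -j DROP

# GENERIC RULES

# localhost, doh, should be allowed
"$IPTABLES" -t filter -A INPUT -i lo -j ACCEPT
# followups or related connections should be allowed (e.g. answer to a DNS query)
"$IPTABLES" -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# stuff from MonMotha (allow ping, but not flood ping...
"$IPTABLES" -t filter -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -i eth0 -j ACCEPT
# ...and the rest of icmp)
"$IPTABLES" -t filter -A INPUT -p icmp --icmp-type ! echo-request -j ACCEPT
# hmmm, don't drop packets to identd, but reject them, else we wait forever
# for irc to start
"$IPTABLES" -t filter -A INPUT -i eth0 -p tcp --dport 113 -j REJECT --reject-with tcp-reset

# then some immediate drops that we don't want to log (we see too much of
# this on the local network)
# ntp
"$IPTABLES" -t filter -A INPUT -i eth0 -p udp --dport 123 -j DROP
# netbios
"$IPTABLES" -t filter -A INPUT -i eth0 -p udp --dport 137:139 -j DROP
# snmp
"$IPTABLES" -t filter -A INPUT -i eth0 -p udp --dport 161 -j DROP
# who
"$IPTABLES" -t filter -A INPUT -i eth0 -p udp --dport 513 -j DROP


# SPECIFIC RULES

# ftp
#"$IPTABLES" -t filter -A INPUT -i eth0 -p tcp --dport 21 -j ACCEPT

# and http
"$IPTABLES" -t filter -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
# and https (we don't need this right now)
#"$IPTABLES" -t filter -A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT
# the CVS pserver (for DIPEX stuff mostly)
"$IPTABLES" -t filter -A INPUT -i eth0 -p tcp --dport 2401 -j ACCEPT
# prboom
"$IPTABLES" -t filter -A INPUT -i eth0 -p tcp --dport 5030 -j ACCEPT
"$IPTABLES" -t filter -A INPUT -i eth0 -p udp --dport 5030 -j ACCEPT

# ruud uses RPD for maintenance etc. so we allow it only from dutids
# FIXME: change to new ip number
"$IPTABLES" -t filter -A INPUT -s 130.161.157.71 -i eth0 -p tcp --dport 4660 -j ACCEPT

# ---------------------------------------------------------------------------
# and now all the NFS shit (allow specific ports only from our subnet)

# first the portmapper (udp + tcp)
"$IPTABLES" -t filter -A INPUT -s "$TRUSTED_HOSTS" -i eth0 -p udp --dport 111 -j ACCEPT
"$IPTABLES" -t filter -A INPUT -s "$TRUSTED_HOSTS" -i eth0 -p tcp --dport 111 -j ACCEPT
# nfsd (udp + tcp)
"$IPTABLES" -t filter -A INPUT -s "$TRUSTED_HOSTS" -i eth0 -p udp --dport 2049 -j ACCEPT
"$IPTABLES" -t filter -A INPUT -s "$TRUSTED_HOSTS" -i eth0 -p tcp --dport 2049 -j ACCEPT

# apparently we also need to allow second and further fragments of
# fragmented packets else NFS goes tits-up on large transfers.
# Non-first fragments carry no port header, so they can never match the
# port-specific ACCEPTs; that is also why a blanket "-f -j ACCEPT" would let
# fragments from any source slip past the port filter.  NFS is only served
# to our subnet, so only accept fragments from there, on eth0.
"$IPTABLES" -t filter -A INPUT -f -s "$TRUSTED_HOSTS" -i eth0 -j ACCEPT

# mountd, lockd, statd normally float around, their port numbers decided
# by the portmapper.  We don't like this, so we have invoked all of them with
# the -p switch to fix ports (lockd is invoked by the kernel however!)

# 1. mountd (tcp on 32770, udp on 32772, sampled from netstat)
# added RPCMOUNTDOPTS=-p 32770 to /etc/init.d/nfs-kernel-server
"$IPTABLES" -t filter -A INPUT -s "$TRUSTED_HOSTS" -i eth0 -p udp --dport 32770 -j ACCEPT
"$IPTABLES" -t filter -A INPUT -s "$TRUSTED_HOSTS" -i eth0 -p tcp --dport 32770 -j ACCEPT
# 2. statd (udp and tcp on 32768, sampled from netstat)
# added -p 32768 to start-stop-daemon line
"$IPTABLES" -t filter -A INPUT -s "$TRUSTED_HOSTS" -i eth0 -p udp --dport 32768 -j ACCEPT
"$IPTABLES" -t filter -A INPUT -s "$TRUSTED_HOSTS" -i eth0 -p tcp --dport 32768 -j ACCEPT
# 3. lockd (start kernel with parameter "lockd.udpport=32774 lockd.tcpport=32774" e.g.)
"$IPTABLES" -t filter -A INPUT -s "$TRUSTED_HOSTS" -i eth0 -p udp --dport 32774 -j ACCEPT
"$IPTABLES" -t filter -A INPUT -s "$TRUSTED_HOSTS" -i eth0 -p tcp --dport 32774 -j ACCEPT
# rpc.nfsd is on port 924, will it stay there? (NO)
# ruud says we don't need this anymore, so, bye-bye
# "$IPTABLES" -t filter -A INPUT -s "$TRUSTED_HOSTS" -i eth0 --dport 924 -j ACCEPT

# ---------------------------------------------------------------------------


# THE BUCK STOPS HERE

# if it wasn't matched by now, we do the drop and log thing
# (yes, we have default policies on dropping)
"$IPTABLES" -t filter -A INPUT -j DROPLOG
"$IPTABLES" -t filter -A FORWARD -j DROPLOG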
