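#!/bin/bash
#
# /etc/init.d/ipchains.gateway
#
# Start ipchains as a masquerading Internet gateway for a local
# network, (of private IP address range, 10.2.2.0/24,) supporting
# no external services, (the Internet visible IP of the gateway is
# dynamically assigned from the IP address range, 123.123.123.0/24,
# which is domain somewhere.com.) The gateway should NOT provide
# smtp services, dns services, etc., (or any other service,) for
# the Internet-use separate machines to provide those services.
#
# Usage: ipchains.gateway {start|restart|force-reload|open|stop}
#
#   start, restart, force-reload
#          install the complete rule set; if any rule fails to install
#          the temporary blocking rules are left in place (fail-closed)
#          and the script exits non-zero
#   open   flush every rule and set all policies to ACCEPT (no firewall)
#   stop   flush every rule and set all policies to DENY (no connectivity)
#
# Must be run as root: it writes /proc/sys/net/ipv4 controls and
# manipulates the kernel chains.
#
# To configure, search forward for 10\.2\., somewhere\.com,
# eth.+, and 123\., and insert specific values.
#
# Notes:
#
# RFC 1700 states that the include file, /usr/include/netinet/in.h,
# defines a constant, IPPORT_RESERVED, to be 1024. Port numbers 0 to
# 1023, inclusive, are reserved for privileged processes, eg.,
# root. Port numbers 1024 to 65535 are assumed reserved for processes
# not necessarily privileged. This means that non-privileged ports are
# specified 1024:65535.
#
# The Linux specific range of port numbers used for masquerading, from
# /usr/src/kernel-headers-2.2.12/include/net/ip_masq.h, PORT_MASQ_BEGIN,
# and, PORT_MASQ_END: 61000-65096
#
# The Linux specific range of local return port numbers, from
# /proc/sys/net/ipv4/ip_local_port_range: 1024-4999
#
# Meaning that for Linux, 1024:65535 could be replaced with 1024:4999
# and 61000:65096.
#
# Additionally, the following Linux proc file system control is not
# used:
#
# ###############################################################################
# #
# # Installation of dynamic IP address hacking in IP MASQ:
# #
# echo "1" > /proc/sys/net/ipv4/ip_dynaddr
# #
# ###############################################################################
#
# Additionally, the following ipchains command for fragmentation was
# not used (note that as written it passes an IP address, INIP, where
# -i expects an interface name):
#
# ###############################################################################
# #
# # Installation of disallowing fragmented packets:
# #
# ipchains -A input -f -i ${INIP} -j DENY
# #
# ###############################################################################
#
# RFC 1918 defines the Private Internet address ranges:
#
# 10.0.0.0 - 10.255.255.255 (10/8 prefix)
# 172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
# 192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
#
# This address range should be used for Network Address
# Translation/masquerading of internal networks; 10.2.2.0/24 in this
# rule set.
#
# The IANA reserved address space is listed in
# http://www.iana.org/assignments/ipv4-address-space.
#
# These address ranges should be blocked, in addition to the unused
# private Internet ranges. The list below reflects the registry at the
# time of writing; unallocated blocks are assigned over time, so a
# stale list denies legitimate hosts - re-check the registry before
# deploying.
#
# Written by John Conover .
#
# Simple firewall and IP masquerading gateway rules.
#
PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/local/bin
export PATH

test -x /sbin/ipchains || exit 1

# Everything below needs root; without it the proc writes and every
# ipchains call fail, so refuse early rather than emit a wall of errors.
if [ "$(id -u)" != "0" ]; then
  echo "ipchains.gateway: must be run as root" >&2
  exit 1
fi

###############################################################################
#
# Site configuration:
#
# External interface:
#
EXIF="eth1"
#
# Internal interface:
#
INIF="eth0"
#
# IP of the external interface, EXIF. Every rule below matches this
# value literally, so with a dynamically assigned external address
# this script must be re-run whenever the address changes (the
# ip_dynaddr control mentioned in the notes is not used). The value
# shipped here is a placeholder to be replaced:
#
EXIP="123.123.123.0"
#
# Static IP of the internal interface, INIF:
#
INIP="10.2.2.150"
#
# The internal network:
#
INNET="10.2.2.0/24"

# Number of ipchains invocations that failed while the rule set was
# being installed; consulted by firewall_start before the temporary
# blocking rules are removed.
ERRORS=0

#######################################
# Run one ipchains command, reporting and counting a failure instead
# of silently continuing with a partial rule set.
# Globals:   ERRORS (written)
# Arguments: the ipchains arguments, verbatim
# Outputs:   a diagnostic on stderr when ipchains fails
# Returns:   the exit status of ipchains
#######################################
rule() {
  if ! ipchains "$@"; then
    ERRORS=$((ERRORS + 1))
    echo "ipchains.gateway: failed: ipchains $*" >&2
    return 1
  fi
  return 0
}

#######################################
# Write one value to each of the given /proc control files.  A missing
# control is reported but not counted in ERRORS: the proc settings are
# hardening on top of the rules, and a kernel lacking one should not
# leave the host fully blocked.
# Arguments: $1 - the value to write; $2.. - control file paths
# Outputs:   a diagnostic on stderr for each missing control
#######################################
proc_set() {
  local value=$1
  local file
  shift
  for file in "$@"; do
    if [ -e "$file" ]; then
      echo "$value" > "$file"
    else
      echo "ipchains.gateway: no such control: $file" >&2
    fi
  done
}

#######################################
# Flush all rules from every chain and delete the user-defined chains.
# Returns:   0; individual ipchains failures are not checked
#######################################
flush_chains() {
  ipchains -F
  ipchains -X
  ipchains -F input
  ipchains -F output
  ipchains -F forward
}

#######################################
# Set the policy of the three built-in chains.
# Arguments: $1 - DENY or ACCEPT
#######################################
set_policies() {
  ipchains -P input "$1"
  ipchains -P output "$1"
  ipchains -P forward "$1"
}

#######################################
# Install the complete firewall and masquerading rule set.
# Globals:   EXIF, INIF, EXIP, INIP, INNET (read), ERRORS (read/written)
# Returns:   0 when every rule installed; 1 when any rule failed, in
#            which case the blocking rules stay in place and the host
#            is fully isolated (including lo) until start is re-run
#            successfully, or open/stop is used
#######################################
firewall_start() {
  local SERVICE
  local NET

  echo "Starting firewall and IP masquerading gateway"
  #
  ###############################################################################
  #
  # Default policies on all three chains is to DENY.  Set them before
  # flushing so there is no moment, e.g. when re-starting after "open",
  # at which the chains are empty with an ACCEPT policy:
  #
  set_policies DENY
  #
  ###############################################################################
  #
  # Blocking rules, block everything while the firewall is being installed,
  # and remove after chains are installed-lo is enabled:
  #
  flush_chains
  rule -I input 1 -j DENY
  rule -I output 1 -j DENY
  rule -I forward 1 -j DENY
  #
  ###############################################################################
  #
  # Enable the local interface:
  #
  rule -A input -i lo -j ACCEPT
  rule -A output -i lo -j ACCEPT
  #
  ###############################################################################
  #
  # Installation of masquerading (ip_masq_ftp is the FTP masquerading
  # helper module):
  #
  depmod -a > /dev/null
  modprobe ip_masq_ftp
  proc_set 1 /proc/sys/net/ipv4/ip_forward
  #
  # Masquerade timeouts, in seconds: tcp, tcp after FIN, udp.
  #
  rule -M -S 3600 10 50
  #
  ###############################################################################
  #
  # Installation of TCP SYN cookie protection:
  #
  proc_set 1 /proc/sys/net/ipv4/tcp_syncookies
  #
  ###############################################################################
  #
  # Installation of IP ICMP broadcast echo protection:
  #
  proc_set 1 /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
  #
  ###############################################################################
  #
  # Installation of IP bogus error response protection:
  #
  proc_set 1 /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
  #
  ###############################################################################
  #
  # Installation of anti-spoofing (reverse path filter on every interface):
  #
  proc_set 1 /proc/sys/net/ipv4/conf/*/rp_filter
  #
  ###############################################################################
  #
  # Installation of disabling ICMP redirect acceptance:
  #
  proc_set 0 /proc/sys/net/ipv4/conf/*/accept_redirects
  #
  ###############################################################################
  #
  # Installation of disabling source-routed packets:
  #
  proc_set 0 /proc/sys/net/ipv4/conf/*/accept_source_route
  #
  ###############################################################################
  #
  # Input blocks:
  #
  # Any packet that claims to be from the internal network entering
  # from the Internet is a spoof, and, any packet that claims to not
  # be from the internal network entering the local interface is a
  # spoof.  These precede the ICMP accepts so that a spoofed ICMP
  # packet is denied and logged rather than accepted:
  #
  rule -A input -i "${EXIF}" -s "${INNET}" -j DENY -l
  rule -A input -i "${INIF}" -s ! "${INNET}" -j DENY -l
  #
  ###############################################################################
  #
  # Custom chain, icmperr, accepting the ICMP types needed for TCP/IP
  # to behave correctly:
  #
  rule -N icmperr
  rule -A icmperr -p icmp --icmp-type echo-reply -j ACCEPT
  rule -A icmperr -p icmp --icmp-type destination-unreachable -j ACCEPT
  rule -A icmperr -p icmp --icmp-type source-quench -j ACCEPT
  rule -A icmperr -p icmp --icmp-type time-exceeded -j ACCEPT
  rule -A icmperr -p icmp --icmp-type parameter-problem -j ACCEPT
  #
  # PING rules, from internal network to anywhere, and back (echo
  # requests are never accepted from the external interface):
  #
  rule -A input -p icmp --icmp-type echo-request -i ! "${EXIF}" -j ACCEPT
  rule -A output -p icmp --icmp-type echo-request -j ACCEPT
  rule -A input -p icmp --icmp-type echo-reply -j ACCEPT
  rule -A output -p icmp --icmp-type echo-reply -j ACCEPT
  #
  # Useful icmp values that should be permitted, ie., those in icmperr:
  #
  rule -A input -p icmp -j icmperr
  rule -A output -p icmp -j icmperr
  #
  ###############################################################################
  #
  # IANA reserved address ranges, each denied and logged as a source on
  # input and as a destination on output.  Non-/8 entries:
  #
  #   36/7  = 36.0.0.0  - 37.255.255.255
  #   58/7  = 58.0.0.0  - 59.255.255.255
  #   70/7  = 70.0.0.0  - 71.255.255.255
  #   72/5  = 72.0.0.0  - 79.255.255.255
  #   82/7  = 82.0.0.0  - 83.255.255.255
  #   84/6  = 84.0.0.0  - 87.255.255.255
  #   88/5  = 88.0.0.0  - 95.255.255.255
  #   96/3  = 96.0.0.0  - 127.255.255.255
  #   220/6 = 220.0.0.0 - 223.255.255.255
  #   240/4 = 240.0.0.0 - 255.255.255.255
  #
  for NET in 0.0.0.0/8 1.0.0.0/8 2.0.0.0/8 5.0.0.0/8 7.0.0.0/8 \
    23.0.0.0/8 27.0.0.0/8 31.0.0.0/8 36.0.0.0/7 39.0.0.0/8 \
    41.0.0.0/8 42.0.0.0/8 58.0.0.0/7 60.0.0.0/8 69.0.0.0/8 \
    70.0.0.0/7 72.0.0.0/5 82.0.0.0/7 84.0.0.0/6 88.0.0.0/5 \
    96.0.0.0/3 197.0.0.0/8 201.0.0.0/8 220.0.0.0/6 240.0.0.0/4; do
    rule -A input -s "${NET}" -j DENY -l
    rule -A output -d "${NET}" -j DENY -l
  done
  #
  ###############################################################################
  #
  # Private Internet address ranges:
  #
  for NET in 192.168.0.0/16 172.16.0.0/12; do
    rule -A input -s "${NET}" -j DENY -l
    rule -A output -d "${NET}" -j DENY -l
  done
  #
  # 10/8 contains the internal network, so it is only denied on the
  # external interface (the unrestricted form is kept for reference):
  #
  # ipchains -A input -s 10.0.0.0/8 -j DENY -l
  # ipchains -A output -d 10.0.0.0/8 -j DENY -l
  #
  rule -A input -i "${EXIF}" -s 10.0.0.0/8 -j DENY -l
  rule -A output -i "${EXIF}" -d 10.0.0.0/8 -j DENY -l
  #
  ###############################################################################
  #
  # Malformed broadcast packets:
  #
  rule -A input -d 0.0.0.0 -j DENY -l
  rule -A output -s 255.255.255.255 -j DENY -l
  #
  ###############################################################################
  #
  # Class D multicast packets: a multicast address is only legal as a
  # destination, so deny it as a source in both directions:
  #
  rule -A input -s 224.0.0.0/4 -j DENY -l
  rule -A output -s 224.0.0.0/4 -j DENY -l
  #
  ###############################################################################
  #
  # Masquerade the internal network:
  #
  rule -A forward -i "${EXIF}" -s "${INNET}" -d ! "${INNET}" -j MASQ
  #
  ###############################################################################
  #
  # Internal and External services permitted:
  #
  # tcp services, (external nntp, irc, pop-3, should be ssh tunnels;
  # nntp is open for posting, only, to a single specific host).  For
  # each service: outbound SYNs from an unprivileged port are accepted,
  # inbound segments are accepted only when they are not SYNs, ie.,
  # replies to a connection opened from here:
  #
  for SERVICE in domain auth ftp www https smtp ssh whois nntp; do  # telnet pop-3 irc ntp
    #
    # To/from the external interface on this machine to/from the
    # Internet:
    #
    rule -A output -i "${EXIF}" -p tcp -s "${INNET}" 1024:65535 -d ! "${INNET}" "${SERVICE}" -j ACCEPT
    rule -A output -i "${EXIF}" -p tcp -s "${EXIP}" 1024:65535 -d ! "${EXIP}" "${SERVICE}" -j ACCEPT
    rule -A input -i "${EXIF}" -p tcp -s ! "${INNET}" "${SERVICE}" -d "${INNET}" 1024:65535 -j ACCEPT ! -y
    rule -A input -i "${EXIF}" -p tcp -s ! "${EXIP}" "${SERVICE}" -d "${EXIP}" 1024:65535 -j ACCEPT ! -y
    #
    # To/from the internal interface on this machine to/from the
    # Internet:
    #
    rule -A input -i "${INIF}" -p tcp -s "${INNET}" 1024:65535 -d ! "${INNET}" "${SERVICE}" -j ACCEPT
    rule -A output -i "${INIF}" -p tcp -s ! "${INNET}" "${SERVICE}" -d "${INNET}" 1024:65535 -j ACCEPT ! -y
    #
    # To/from the local network interface on this machine to/from
    # the local network (this machine as client, then as server):
    #
    rule -A output -i "${INIF}" -p tcp -s "${INIP}" 1024:65535 -d "${INNET}" "${SERVICE}" -j ACCEPT
    rule -A output -i "${INIF}" -p tcp -s "${INIP}" "${SERVICE}" -d "${INNET}" 1024:65535 -j ACCEPT ! -y
    rule -A input -i "${INIF}" -p tcp -s "${INNET}" 1024:65535 -d "${INIP}" "${SERVICE}" -j ACCEPT
    rule -A input -i "${INIF}" -p tcp -s "${INNET}" "${SERVICE}" -d "${INIP}" 1024:65535 -j ACCEPT ! -y
  done
  #
  # udp services, (external icq, port 4000, should be an ssh tunnel).
  # udp has no SYN flag, so replies cannot be distinguished from
  # unsolicited datagrams; the port pairing is the only restriction:
  #
  for SERVICE in domain; do  # ntp 4000
    #
    # To/from the external interface on this machine to/from the
    # Internet:
    #
    rule -A output -i "${EXIF}" -p udp -s "${INNET}" 1024:65535 -d ! "${INNET}" "${SERVICE}" -j ACCEPT
    rule -A output -i "${EXIF}" -p udp -s "${EXIP}" 1024:65535 -d ! "${EXIP}" "${SERVICE}" -j ACCEPT
    rule -A input -i "${EXIF}" -p udp -s ! "${INNET}" "${SERVICE}" -d "${INNET}" 1024:65535 -j ACCEPT
    rule -A input -i "${EXIF}" -p udp -s ! "${EXIP}" "${SERVICE}" -d "${EXIP}" 1024:65535 -j ACCEPT
    #
    # To/from the internal interface on this machine to/from the
    # Internet:
    #
    rule -A input -i "${INIF}" -p udp -s "${INNET}" 1024:65535 -d ! "${INNET}" "${SERVICE}" -j ACCEPT
    rule -A output -i "${INIF}" -p udp -s ! "${INNET}" "${SERVICE}" -d "${INNET}" 1024:65535 -j ACCEPT
    #
    # To/from the local network interface on this machine to/from
    # the local network:
    #
    rule -A output -i "${INIF}" -p udp -s "${INIP}" 1024:65535 -d "${INNET}" "${SERVICE}" -j ACCEPT
    rule -A output -i "${INIF}" -p udp -s "${INIP}" "${SERVICE}" -d "${INNET}" 1024:65535 -j ACCEPT
    rule -A input -i "${INIF}" -p udp -s "${INNET}" 1024:65535 -d "${INIP}" "${SERVICE}" -j ACCEPT
    rule -A input -i "${INIF}" -p udp -s "${INNET}" "${SERVICE}" -d "${INIP}" 1024:65535 -j ACCEPT
  done
  #
  # Additions for passive ftp service, to/from the external interface on
  # this machine to/from the Internet, (Note: Linux, use pftp(1) instead
  # of ftp(1); Internet Explorer->Tools->Internet Options->Advanced->Use
  # Passive FTP for compatibility with some firewalls and DSL modems).
  #
  # NOTE: ipchains is stateless, so the input rule accepts ANY non-SYN
  # tcp segment between two unprivileged ports from any Internet host,
  # not just segments belonging to an FTP data connection.  This is the
  # broadest hole in the rule set; review whether passive FTP from the
  # gateway itself is needed at all:
  #
  rule -A output -i "${EXIF}" -p tcp -s "${EXIP}" 1024:65535 -d ! "${EXIP}" 1024:65535 -j ACCEPT
  rule -A input -i "${EXIF}" -p tcp -s ! "${EXIP}" 1024:65535 -d "${EXIP}" 1024:65535 -j ACCEPT ! -y
  #
  # Additions for passive ftp service, to/from the internal interface on
  # this machine to/from the Internet (same caveat as above):
  #
  rule -A input -i "${INIF}" -p tcp -s "${INNET}" 1024:65535 -d ! "${INNET}" 1024:65535 -j ACCEPT
  rule -A output -i "${INIF}" -p tcp -s ! "${INNET}" 1024:65535 -d "${INNET}" 1024:65535 -j ACCEPT ! -y
  #
  # Additions for passive ftp service, to/from the local network interface
  # on this machine to/from the local network:
  #
  # ipchains -A output -i ${INIF} -p tcp -s ${INIP} 1024:65535 -d ${INNET} 1024:65535 -j ACCEPT
  # ipchains -A input -i ${INIF} -p tcp -s ${INNET} 1024:65535 -d ${INIP} 1024:65535 -j ACCEPT ! -y
  #
  # # Additions for active ftp-data service, to/from the external interface
  # # on this machine to/from the Internet:
  # #
  # ipchains -A input -i ${EXIF} -p tcp -s ! ${EXIP} ftp-data -d ${EXIP} 1024:65535 -j ACCEPT
  # ipchains -A output -i ${EXIF} -p tcp -s ${EXIP} 1024:65535 -d ! ${EXIP} ftp-data -j ACCEPT ! -y
  #
  # # Additions for active ftp-data service, to/from the internal interface
  # # on this machine to/from the Internet:
  # #
  # ipchains -A output -i ${INIF} -p tcp -s ! ${INNET} ftp-data -d ${INNET} 1024:65535 -j ACCEPT
  # ipchains -A input -i ${INIF} -p tcp -s ${INNET} 1024:65535 -d ! ${INNET} ftp-data -j ACCEPT ! -y
  #
  # # Additions for active ftp-data service, to/from the local network
  # # interface on this machine to/from the local network:
  # #
  # # ipchains -A input -i ${INIF} -p tcp -s ${INNET} 1024:65535 -d ${INIP} ftp-data -j ACCEPT ! -y
  # # ipchains -A input -i ${INIF} -p tcp -s ${INNET} ftp-data -d ${INIP} 1024:65535 -j ACCEPT
  # # ipchains -A output -i ${INIF} -p tcp -s ${INIP} 1024:65535 -d ${INNET} ftp-data -j ACCEPT ! -y
  # # ipchains -A output -i ${INIF} -p tcp -s ${INIP} ftp-data -d ${INNET} 1024:65535 -j ACCEPT
  #
  # # Additions for traceroute service, to/from the external interface on
  # # this machine to/from the Internet:
  # #
  # ipchains -A output -i ${EXIF} -p udp -s ${EXIP} 1024:65535 -d ! ${EXIP} 1024:65535 -j ACCEPT
  # ipchains -A output -i ${EXIF} -p udp -s ${INNET} 1024:65535 -d ! ${INNET} 1024:65535 -j ACCEPT
  #
  # # Additions for traceroute service, to/from the internal interface on
  # # this machine to/from the Internet:
  # #
  # ipchains -A output -i ${INIF} -p udp -s ${INNET} 1024:65535 -d ! ${INNET} 1024:65535 -j ACCEPT
  # ipchains -A input -i ${INIF} -p udp -s ${INNET} 1024:65535 -d ! ${INNET} 1024:65535 -j ACCEPT
  #
  # # Additions for traceroute service, to/from the internal interface on
  # # this machine to/from the local network:
  # #
  # ipchains -A output -i ${INIF} -p udp -s ${INIP} 1024:65535 -d ${INNET} 1024:65535 -j ACCEPT
  # ipchains -A input -i ${INIF} -p udp -s ${INNET} 1024:65535 -d ${INIP} 1024:65535 -j ACCEPT
  #
  # # Additions for 123.123.123.123, which is the NNTP server at
  # # somewhere.com, and demands authentication via identd:
  # #
  # ipchains -A input -i ${EXIF} -p tcp -s 123.123.123.123 1024:65535 -d ${INNET} auth -j ACCEPT
  # ipchains -A input -i ${EXIF} -p tcp -s 123.123.123.123 1024:65535 -d ${EXIP} auth -j ACCEPT
  # ipchains -A output -i ${EXIF} -p tcp -s ${INNET} auth -d 123.123.123.123 1024:65535 -j ACCEPT ! -y
  # ipchains -A output -i ${EXIF} -p tcp -s ${EXIP} auth -d 123.123.123.123 1024:65535 -j ACCEPT ! -y
  #
  # Additions to issue a REJECT for all other requests for
  # authentication via identd on the external interface to the Internet
  # (a REJECT answers the SYN immediately, so remote servers that probe
  # identd do not wait for a timeout):
  #
  rule -A input -i "${EXIF}" -p tcp -s ! "${INNET}" 1024:65535 -d "${INNET}" auth -j REJECT -y -l
  rule -A input -i "${EXIF}" -p tcp -s ! "${EXIP}" 1024:65535 -d "${EXIP}" auth -j REJECT -y -l
  #
  ###############################################################################
  #
  # Internal only services permitted:
  #
  for SERVICE in pop-3; do  # telnet
    #
    # To/from the local network interface on this machine to/from
    # the local network:
    #
    rule -A output -i "${INIF}" -p tcp -s "${INIP}" 1024:65535 -d "${INNET}" "${SERVICE}" -j ACCEPT
    rule -A output -i "${INIF}" -p tcp -s "${INIP}" "${SERVICE}" -d "${INNET}" 1024:65535 -j ACCEPT ! -y
    rule -A input -i "${INIF}" -p tcp -s "${INNET}" 1024:65535 -d "${INIP}" "${SERVICE}" -j ACCEPT
    rule -A input -i "${INIF}" -p tcp -s "${INNET}" "${SERVICE}" -d "${INIP}" 1024:65535 -j ACCEPT ! -y
  done
  #
  # Printer to/from the local network interface on this machine
  # to/from the local network.  No client port range is given here,
  # presumably because the lpr client side uses a privileged source
  # port rather than 1024:65535 - confirm against the print clients:
  #
  rule -A output -i "${INIF}" -p tcp -s "${INIP}" -d "${INNET}" printer -j ACCEPT
  rule -A output -i "${INIF}" -p tcp -s "${INIP}" printer -d "${INNET}" -j ACCEPT ! -y
  rule -A input -i "${INIF}" -p tcp -s "${INNET}" -d "${INIP}" printer -j ACCEPT
  rule -A input -i "${INIF}" -p tcp -s "${INNET}" printer -d "${INIP}" -j ACCEPT ! -y
  #
  ###############################################################################
  #
  # Internal network is completely trusted, from the local network,
  # to the local network, and back:
  #
  # DO NOT UNCOMMENT, TEST OF MACHINES ON LOCAL NETWORK WITH NMAP:
  #
  # ipchains -A input -i ${INIF} -s ${INNET} -d ${INNET} -j ACCEPT
  # ipchains -A output -i ${INIF} -s ${INNET} -d ${INNET} -j ACCEPT
  #
  ###############################################################################
  #
  # Catch-all rules, like policies, but logs:
  #
  rule -A input -l -j DENY
  rule -A output -l -j DENY
  rule -A forward -l -j DENY
  #
  ###############################################################################
  #
  # Remove blocking rules, which blocked everything while the firewall was
  # being installed - but only if every rule above installed, otherwise
  # a partial (and unpredictable) rule set would be exposed:
  #
  if [ "${ERRORS}" -ne 0 ]; then
    echo "ipchains.gateway: ${ERRORS} rule(s) failed to install; blocking rules left in place" >&2
    return 1
  fi
  rule -D input 1
  rule -D output 1
  rule -D forward 1
  #
  ###############################################################################
  return 0
}

#######################################
# Remove the firewall entirely: no rules, all policies ACCEPT.
#
# NEVER DO THIS WITH THE MACHINE CONNECTED TO THE INTERNET,
# ALWAYS DISCONNECT THE MACHINE FROM THE INTERNET FIRST-IT
# OPENS ALL CONNECTIVITY TO/FROM THE INTERNET.
#######################################
firewall_open() {
  echo "Opening firewall and IP masquerading gateway"
  ###############################################################################
  #
  # Reset ipchain rules:
  #
  flush_chains
  #
  # Default policies on all three chains is to ACCEPT:
  #
  set_policies ACCEPT
  #
  ###############################################################################
}

#######################################
# Stop the firewall: no rules, all policies DENY, which shuts down
# all connectivity (including lo).
#
# ALWAYS DO THIS WHEN THE MACHINE CONNECTED TO THE INTERNET,
# AT THE FIRST SIGN OF TROUBLE-IT SHUTS DOWN CONNECTIVITY.
#######################################
firewall_stop() {
  echo "Stopping firewall and IP masquerading and gateway"
  ###############################################################################
  #
  # Default policies on all three chains is to DENY.  Set before the
  # flush so that the chains are never empty under an ACCEPT policy:
  #
  set_policies DENY
  #
  # Stop the firewall:
  #
  flush_chains
  #
  ###############################################################################
}

case "$1" in
  start|restart|force-reload)
    firewall_start
    ;;
  open)
    firewall_open
    ;;
  stop)
    firewall_stop
    ;;
  *)
    echo "Usage: ${0##*/} {start|restart|force-reload|open|stop}" >&2
    exit 1
    ;;
esac
#
######################################################################
#
# A license is hereby granted to reproduce this software for personal,
# non-commercial use.
#
# THIS PROGRAM IS PROVIDED "AS IS". THE AUTHOR PROVIDES NO WARRANTIES
# WHATSOEVER, EXPRESSED OR IMPLIED, INCLUDING WARRANTIES OF
# MERCHANTABILITY, TITLE, OR FITNESS FOR ANY PARTICULAR PURPOSE. THE
# AUTHOR DOES NOT WARRANT THAT USE OF THIS PROGRAM DOES NOT INFRINGE THE
# INTELLECTUAL PROPERTY RIGHTS OF ANY THIRD PARTY IN ANY COUNTRY.
#
# So there.
#
# Copyright (c) 1992-2005, John Conover, , All
# Rights Reserved.
#
# $Revision: 1.0 $
# $Date: 2005/03/11 22:49:21 $
# $Id: ipchains.gateway.txt,v 1.0 2005/03/11 22:49:21 conover Exp $
# $Log: ipchains.gateway.txt,v $
# Revision 1.0  2005/03/11 22:49:21  conover
# Initial revision
#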