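#!/bin/sh
#
# ipchains packet filter for a two-interface host: eth0 faces the
# Internet, eth1 faces the local net LOCALNET.  The address of the
# external interface is expected in IFEXTERN, which is sourced from
# /etc/rc.d/ip.  Optional per-host blocks live in
# /etc/rc.d/firewall.blocked (one "ipchains -A input ... -j DENY" line
# each).
#
# Written for POSIX sh (no bashisms) because it runs from the rc.d boot
# sequence.  Every variable expansion is quoted so that an empty or
# malformed value can never be split into extra ipchains arguments.
#
echo Starting firewall.
#
# The following is to ensure we use ipchains on kernel 2.4
# (errors are deliberately ignored: on a 2.2 kernel there is no module)
modprobe ipchains >/dev/null 2>/dev/null
#
# some definitions for easier maintenance
#
LOCALNET="192.168.68.0/24"
ANYWHERE="any/0"
UNPRIVPORTS="1024:65535"
# The ssh client starts at 1023 and works down to 513 for each
# additional simultaneous connection originating from a privileged port.
SSH_LOCAL_PORTS="1022:65535" # port range for local clients
SSH_REMOTE_PORTS="513:65535" # port range for remote clients
#
# Get IP addresses (sets IFEXTERN).  A non-interactive sh aborts here
# if the file is missing.
. /etc/rc.d/ip
#
#
# Flush input, output and forward.  The ICMP rule near the end appends
# to forward, so without flushing it every re-run of this script would
# add a duplicate rule there.  The forward chain's policy is not set
# by this script.
ipchains -F input
ipchains -F output
ipchains -F forward
#
# deny everything incoming, reject everything outgoing
#
ipchains -P input DENY
ipchains -P output REJECT
#
# Every rule that talks to the outside is keyed on IFEXTERN.  If
# /etc/rc.d/ip did not set it, the rules below would be built with a
# missing argument, so stop now -- after the DENY/REJECT policies are in
# place, which leaves the host closed rather than open.
if [ -z "$IFEXTERN" ]; then
  echo "firewall: IFEXTERN not set by /etc/rc.d/ip; stopping with policies DENY/REJECT" >&2
  exit 1
fi
#
# This rule thanks to Robert L. Ziegler (rlz.ne.mediaone.net)
# Refuse any connection from sites that have attacked us
# /etc/rc.d/firewall.blocked contains a list of
# ipchains -A input -i eth0 -s bad-guy's-IP-address -j DENY
#
if [ -f /etc/rc.d/firewall.blocked ]; then
  . /etc/rc.d/firewall.blocked
fi
#
# Refuse spoofed packets (my network coming from outside); -l logs them
#
ipchains -A input -s "$LOCALNET" -i eth0 -j DENY -l
ipchains -A input -s "$IFEXTERN" -i eth0 -j DENY -l
ipchains -A input -s 127.0.0.0/255.0.0.0 -i ! lo -j DENY -l
#
# Allow unlimited traffic within the local net
#
ipchains -A input -i eth1 -j ACCEPT
ipchains -A output -i eth1 -j ACCEPT
ipchains -A input -i lo -j ACCEPT
ipchains -A output -i lo -j ACCEPT
#
# Allow unrestricted ssh
#
# server: inbound to port 22 from the remote client port range, replies
# (non-SYN) back out
ipchains -A input -i eth0 -p tcp --source-port "$SSH_REMOTE_PORTS" \
  -d "$IFEXTERN" 22 -j ACCEPT
ipchains -A output -i eth0 -p tcp ! -y -s "$IFEXTERN" 22 \
  --destination-port "$SSH_REMOTE_PORTS" -j ACCEPT
# clients
ipchains -A output -i eth0 -p tcp -s "$IFEXTERN" "$SSH_LOCAL_PORTS" \
  --destination-port 22 -j ACCEPT
ipchains -A input -i eth0 -p tcp ! -y --source-port 22 \
  -d "$IFEXTERN" "$SSH_LOCAL_PORTS" -j ACCEPT
#
# ====== External use of our system
#
# Public access for email, WWW, and DNS (add ftp on next line if desired)
ipchains -A input -d "$IFEXTERN" domain -p tcp -j ACCEPT
ipchains -A input -d "$IFEXTERN" www -p tcp -j ACCEPT
ipchains -A input -d "$IFEXTERN" smtp -p tcp -j ACCEPT
ipchains -A input -d "$IFEXTERN" domain -p udp -j ACCEPT
ipchains -A input -d "$IFEXTERN" ftp-data -p tcp ! -y -j ACCEPT
ipchains -A output -s "$IFEXTERN" domain -p tcp -j ACCEPT
ipchains -A output -s "$IFEXTERN" www -p tcp -j ACCEPT
ipchains -A output -s "$IFEXTERN" ftp-data -p tcp -j ACCEPT
ipchains -A output -s "$IFEXTERN" ftp -p tcp -j ACCEPT
ipchains -A output -s "$IFEXTERN" smtp -p tcp -j ACCEPT
ipchains -A output -s "$IFEXTERN" domain -p udp -j ACCEPT
#
#
# ========= Internal use of the Internet
#
# outgoing packets originating from our network
#
# p 344 Building Internet Firewalls FTP-1
ipchains -A output -s "$IFEXTERN" "$UNPRIVPORTS" -d "$ANYWHERE" domain -p tcp -j ACCEPT
ipchains -A output -s "$IFEXTERN" "$UNPRIVPORTS" -d "$ANYWHERE" www -p tcp -j ACCEPT
ipchains -A output -s "$IFEXTERN" "$UNPRIVPORTS" -d "$ANYWHERE" ftp -p tcp -j ACCEPT
ipchains -A output -s "$IFEXTERN" "$UNPRIVPORTS" -d "$ANYWHERE" ftp-data -p tcp -j ACCEPT
ipchains -A output -s "$IFEXTERN" "$UNPRIVPORTS" -d "$ANYWHERE" smtp -p tcp -j ACCEPT
ipchains -A output -s "$IFEXTERN" "$UNPRIVPORTS" -d "$ANYWHERE" pop-3 -p tcp -j ACCEPT
ipchains -A output -s "$IFEXTERN" "$UNPRIVPORTS" -d "$ANYWHERE" telnet -p tcp -j ACCEPT
# p 344 Building Internet Firewalls FTP-3
ipchains -A output -s "$IFEXTERN" "$UNPRIVPORTS" -d "$ANYWHERE" "$UNPRIVPORTS" -p tcp -j ACCEPT
ipchains -A output -s "$LOCALNET" "$UNPRIVPORTS" -d "$ANYWHERE" "$UNPRIVPORTS" -p tcp -j ACCEPT
#
# Authorization for DNS
#
ipchains -A output -s "$IFEXTERN" "$UNPRIVPORTS" -d "$ANYWHERE" domain -p udp -j ACCEPT
ipchains -A input -s "$ANYWHERE" domain -d "$IFEXTERN" "$UNPRIVPORTS" -p udp -j ACCEPT
ipchains -A output -s "$LOCALNET" "$UNPRIVPORTS" -d "$ANYWHERE" domain -p udp -j ACCEPT
ipchains -A input -s "$ANYWHERE" domain -d "$ANYWHERE" "$UNPRIVPORTS" -p tcp ! -y -j ACCEPT
#
# Incoming packets
# allow returning packets of sessions originated internally.  The ! -y
# option matches any TCP packet that is NOT a connection-initiating SYN
# (SYN set, ACK and FIN clear), i.e. the reply/continuation half of a
# session.  This is a stateless check: ipchains does not remember that a
# matching request ever went out, so these rules also accept unsolicited
# non-SYN packets (ACK/RST probes, for instance) to the listed port
# ranges -- they cannot open a connection, but they are not dropped either.
# These rules use -d "$ANYWHERE", so they match on every interface and
# for any destination address, not just "$IFEXTERN".
#
ipchains -A input -s "$ANYWHERE" www -d "$ANYWHERE" "$UNPRIVPORTS" -p tcp ! -y -j ACCEPT
ipchains -A input -s "$ANYWHERE" pop-3 -d "$ANYWHERE" "$UNPRIVPORTS" -p tcp ! -y -j ACCEPT
ipchains -A input -s "$ANYWHERE" smtp -d "$ANYWHERE" "$UNPRIVPORTS" -p tcp ! -y -j ACCEPT
ipchains -A input -s "$ANYWHERE" telnet -d "$ANYWHERE" "$UNPRIVPORTS" -p tcp ! -y -j ACCEPT
ipchains -A input -s "$ANYWHERE" ftp -d "$ANYWHERE" "$UNPRIVPORTS" -p tcp ! -y -j ACCEPT
#
# P 344 Building Internet Firewalls FTP-4
# Broadest rule in the file: any non-SYN TCP packet between two
# unprivileged ports, from any address to any address.
ipchains -A input -s "$ANYWHERE" "$UNPRIVPORTS" -d "$ANYWHERE" "$UNPRIVPORTS" -p tcp ! -y -j ACCEPT
#
# internal incoming remote ftp dir, get, and put
# (active-mode FTP data: the remote server opens the connection from
# port 20, so unlike the rules above these intentionally have no ! -y
# and accept the inbound SYN)
ipchains -A input -s "$ANYWHERE" ftp-data -d "$LOCALNET" "$UNPRIVPORTS" -p tcp -j ACCEPT
ipchains -A input -s "$ANYWHERE" ftp-data -d "$IFEXTERN" "$UNPRIVPORTS" -p tcp -j ACCEPT
# Unlimited NTP (network time protocol) traffic
ipchains -A output -s "$IFEXTERN" -d "$ANYWHERE" ntp -p udp -j ACCEPT
ipchains -A input -s "$ANYWHERE" ntp -d "$IFEXTERN" -p udp -j ACCEPT
ipchains -A input -s "$ANYWHERE" ntp -d "$IFEXTERN" "$UNPRIVPORTS" -p udp -j ACCEPT
# let SSL (secure transactions) 443 through
ipchains -A input -s "$ANYWHERE" 443 -d "$IFEXTERN" "$UNPRIVPORTS" -p tcp -j ACCEPT
ipchains -A input -s "$ANYWHERE" 443 -d "$LOCALNET" "$UNPRIVPORTS" -p tcp -j ACCEPT
ipchains -A output -s "$IFEXTERN" "$UNPRIVPORTS" -d "$ANYWHERE" 443 -p tcp -j ACCEPT
ipchains -A output -s "$LOCALNET" "$UNPRIVPORTS" -d "$ANYWHERE" 443 -p tcp -j ACCEPT
# Unlimited ICMP traffic (not particularly recommended, but used by PING)
# -- all ICMP types, on all interfaces, in all three chains
ipchains -A input -p icmp -j ACCEPT
ipchains -A output -p icmp -j ACCEPT
ipchains -A forward -p icmp -j ACCEPT
# authorization/identification (auth) -- used/required by some ftp sites
ipchains -A input -s "$ANYWHERE" "$UNPRIVPORTS" -d "$IFEXTERN" auth -p tcp -j ACCEPT
ipchains -A output -s "$IFEXTERN" auth -d "$ANYWHERE" "$UNPRIVPORTS" -p tcp -j ACCEPT
#
# list out what we have done
#
#ipchains -L
echo firewall ON.
# Note: this overwrites the file each run; it is a status marker, not a
# log of the -l (logged) DENY hits above, which go to the kernel log.
echo "Firewall ON." >/var/log/firewall
# From IPCHAINS-HOWTO
# TOS Name Value Typical Uses
#
# Minimum Delay 0x01 0x10 ftp, telnet
# Maximum Throughput 0x01 0x08 ftp-data
# Maximum Reliability 0x01 0x04 snmp
# Minimum Cost 0x01 0x02 nntp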