[PLUG] myfirst fw rules(rev.2)

epike on 26 December 2002 15:41:03 -0500


Hi
Thanks to all the people who responded; my
firewall rule script now looks like this.
Suggestions are still welcome and much appreciated.
Thanks!
jondz / epike
(changes: broadcast address was wrong, changes in ICMP section)
---------------------------------------------------------------
#! /bin/sh 
###################################################################
# SIMPLE FW RULES, 1-ETHERNET, NO FORWARDING, NO MASQ, SERVICES ONLY
#
# OBJECTIVES: 1. Allow standard services (ftp, telnet, web, squid, etc)
# 2. Log everything else that's not allowed, then drop them
#
# JondZ Mon Dec 23 16:12:14 EST 2002
# JondZ Thu Dec 26 14:57:26 EST 2002 revised (thanks to PLUG)
####################################################################
VERSION="JondZ 12/2002"
WAN_DEVICE=eth0
WAN_DEVICE_BROADCAST=192.168.1.255/32
TCP_OPENPORTS=20,21,22,23,25,53,80,110,137,138,139,3128
UDP_OPENPORTS=53,137,138,139
IPTABLES=/sbin/iptables
echo "$0 ($VERSION): Starting custom firewall..."
###########################################################
# INITIALIZE CHAINS
###########################################################
echo "$0: initializing chains..."
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
$IPTABLES -X 
$IPTABLES -Z 
#############################################
# IMPLEMENT DEFAULT DRACONIAN POLICIES
#############################################
echo "$0: applying default policies..."
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD DROP
#############################################
# lo CONNECTIONS
#############################################
echo "$0: Accepting lo connections..."
$IPTABLES -A INPUT -i lo -j ACCEPT
#############################################
# LOG FORWARDING ATTEMPTS
#############################################
$IPTABLES -A FORWARD -j LOG --log-prefix "FWD_DETECTED "
#######################################################################
# ENABLE BROADCAST PACKETS
# 
# NOTES
# -----
# On some setups you may want to ACCEPT broadcasts (eg, SAMBA, DHCP)
# On some setups you may want to DENY broadcasts
#######################################################################
echo "$0: accepting broadcast packets..."
$IPTABLES -A INPUT -i $WAN_DEVICE -d $WAN_DEVICE_BROADCAST -j ACCEPT
#############################################
# INCOMING TCP CONNECTIONS for WAN_DEVICE
#############################################
echo "$0: Allowing TCP Services..."
$IPTABLES -A INPUT -i $WAN_DEVICE -p tcp \
 -m state --state INVALID -j DROP
$IPTABLES -A INPUT -i $WAN_DEVICE -p tcp \
 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i $WAN_DEVICE -p tcp \
 -m state --state NEW -m multiport \
 --destination-port $TCP_OPENPORTS -j ACCEPT
$IPTABLES -A INPUT -i $WAN_DEVICE -p tcp \
 -m limit --limit 3/s -j LOG --log-prefix "TCP_IN "
#################################################
# INCOMING UDP CONNECTIONS for WAN_DEVICE
#################################################
echo "$0: Allowing UDP Services..."
$IPTABLES -A INPUT -i $WAN_DEVICE -p udp \
 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i $WAN_DEVICE -p udp \
 -m state --state NEW -m multiport \
 --destination-port $UDP_OPENPORTS -j ACCEPT
$IPTABLES -A INPUT -i $WAN_DEVICE -p udp \
 -m limit --limit 3/s -j LOG --log-prefix "UDP_IN "
#############################################
# INCOMING ICMP CONNECTIONS
#############################################
echo "$0: allowing some ICMP Connections..."
########################################################################
# ICMP TYPES (incomplete)
# --------------------------
# (ideas gathered from fw script of vogt@hansenet.com)
#
# 0 - echo reply
# 3 - Destination Unreachable
# 4 - source quench
# 5 - redirect 
# 8 - echo
# 11 - Time Exceeded
# 30 - Traceroute
#
# Ping - icmp types 0,8
# destination unreachable - 3
# traceroute - 11,30
#
# NOTES - icmp type 5 is needed for routing with other network segments!
# - icmp type 4 source quench - when packets arrive too fast to
# be processed type 4 is sent (??). 
########################################################################
$IPTABLES -A INPUT -i $WAN_DEVICE -p icmp -m icmp \
 --icmp-type 0 -m limit --limit 3/s -j ACCEPT
$IPTABLES -A INPUT -i $WAN_DEVICE -p icmp \
 --icmp-type 3 -m limit --limit 3/s -j ACCEPT
$IPTABLES -A INPUT -i $WAN_DEVICE -p icmp -m icmp \
 --icmp-type 4 -m limit --limit 3/s -j ACCEPT
# $IPTABLES -A INPUT -i $WAN_DEVICE -p icmp -m icmp \
# --icmp-type 5 -m limit --limit 2/s -j ACCEPT
$IPTABLES -A INPUT -i $WAN_DEVICE -p icmp -m icmp \
 --icmp-type 8 -m limit --limit 3/s -j ACCEPT
$IPTABLES -A INPUT -i $WAN_DEVICE -p icmp -m icmp \
 --icmp-type 11 -m limit --limit 3/s -j ACCEPT
_________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.netisland.net/mailman/listinfo/plug-announce
General Discussion -- http://lists.netisland.net/mailman/listinfo/plug
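The script above logs whatever it drops with the prefixes TCP_IN, UDP_IN and FWD_DETECTED. As an added example (not part of the original post), here is a small Python parser for the kernel-log lines those LOG rules produce, which counts dropped attempts per port and flags any logged hit on a port the script opens; the sample log lines, the host name "gw" and all addresses are constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample kernel-log lines in the format the iptables LOG target
# writes, tagged with this script's prefixes (TCP_IN, UDP_IN, FWD_DETECTED).
# Host name "gw" and all addresses are made up.
SAMPLE_LOG = """\
Dec 26 15:41:03 gw kernel: TCP_IN IN=eth0 OUT= SRC=10.0.0.5 DST=192.168.1.10 LEN=60 TTL=64 ID=1 DF PROTO=TCP SPT=40001 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 26 15:41:04 gw kernel: TCP_IN IN=eth0 OUT= SRC=10.0.0.5 DST=192.168.1.10 LEN=60 TTL=64 ID=2 DF PROTO=TCP SPT=40002 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 26 15:41:05 gw kernel: TCP_IN IN=eth0 OUT= SRC=10.0.0.7 DST=192.168.1.10 LEN=60 TTL=64 ID=3 DF PROTO=TCP SPT=40003 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 26 15:41:06 gw kernel: UDP_IN IN=eth0 OUT= SRC=10.0.0.9 DST=192.168.1.10 LEN=48 TTL=64 ID=4 PROTO=UDP SPT=5000 DPT=161 LEN=28
Dec 26 15:41:07 gw kernel: FWD_DETECTED IN=eth0 OUT=eth0 SRC=10.0.0.9 DST=192.168.2.1 LEN=60 TTL=63 ID=5 DF PROTO=TCP SPT=5001 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 26 15:41:08 gw kernel: eth0: link is up
"""
# Copied from the script's TCP_OPENPORTS / UDP_OPENPORTS lists.
TCP_OPENPORTS = {20, 21, 22, 23, 25, 53, 80, 110, 137, 138, 139, 3128}
UDP_OPENPORTS = {53, 137, 138, 139}

LOG_RE = re.compile(r"kernel: (?P<prefix>TCP_IN|UDP_IN|FWD_DETECTED) (?P<fields>.*)")
KV_RE = re.compile(r"(\w+)=(\S*)")   # key=value tokens; bare flags (DF, SYN) are skipped

def parse_log(text):
    """Yield one dict per firewall LOG line: the prefix plus its key=value fields."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m is None:
            continue                      # some other kernel message
        rec = dict(KV_RE.findall(m.group("fields")))
        rec["prefix"] = m.group("prefix")
        yield rec

def summarize(text):
    """Count logged packets per (prefix, PROTO, DPT) and collect sources per prefix.
    The LOG rules are rate-limited to 3/s, so these counts are lower bounds."""
    hits, sources = Counter(), defaultdict(set)
    for rec in parse_log(text):
        hits[(rec["prefix"], rec.get("PROTO"), int(rec.get("DPT", 0)))] += 1
        sources[rec["prefix"]].add(rec["SRC"])
    return hits, sources

def unexpected_hits(text):
    """Logged packets aimed at a port the script opens. For TCP, an earlier rule
    terminates on every conntrack state (INVALID, ESTABLISHED/RELATED, NEW), so such
    a line means the running ruleset is not this script's; for UDP only a malformed
    (INVALID) datagram can fall through to the LOG rule."""
    open_ports = {"TCP_IN": TCP_OPENPORTS, "UDP_IN": UDP_OPENPORTS}
    return sorted((r["prefix"], r["SRC"], int(r["DPT"]))
                  for r in parse_log(text)
                  if r["prefix"] in open_ports and int(r["DPT"]) in open_ports[r["prefix"]])
```

Feed it the output of `grep kernel: /var/log/messages` (or the equivalent on your system) instead of SAMPLE_LOG to review what the default DROP policy is discarding.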