[plug] IPChains and Installfest std ipchains script

Bernard Blackham dagobah at mad.scientist.com
Tue Sep 19 21:25:05 WST 2000


On the topic of the IPChains firewall for the linuxfest and in reply to
Damion, I've here my firewall script that is believed to be semi-strong
against spoofing and sorts. It also executes the commands for masquerading
of IRC, FTP, ICQ (v1.blah, 98, 99, not 2000a onwards), and several other
odd protocols. I'm sure that I took it from the HOWTO or somewhere on the
net so it's probably fairly widely used anyway. It automatically detects
the IP address of a dialup connection when it's run. Just drop it on the
end of ifup.local (??? from memory) and voila... all *should* be fine...
(theoretically only, of course).

It still has some things that need fixing up... UDP security doesn't
appear to be too flash with it. It was modified by me for a couple of
things, one being DHCP which required broadcasting to 255.255.255.255 from
0.0.0.0 to receive and serve requests, and it appears to work, but whether
it's done how it's supposed to be done, I'll leave that to the experts to
answer... ;P

--- CUT HERE rc.firewall ---

#!/bin/bash

#
# /etc/rc.d/rc.firewall: An example of a Semi-Strong IPCHAINS firewall ruleset.
#

echo "Enabling IP MASQ, MASQ timeouts, and firewalling"

# Load all required IP MASQ modules
#
#   NOTE:  Only load the IP MASQ modules you need.  All current IP MASQ modules
#          are shown below but are commented from loading.

# Needed to initially load modules
#
/sbin/depmod -a

# Supports the proper masquerading of FTP file transfers using the PORT method
#
/sbin/modprobe ip_masq_ftp

# Supports the masquerading of RealAudio over UDP.  Without this module,
#       RealAudio WILL function but in TCP mode.  This can cause a reduction
#       in sound quality
#
/sbin/modprobe ip_masq_raudio

# Supports the masquerading of IRC DCC file transfers
#
/sbin/modprobe ip_masq_irc

# Supports the masquerading of ICQ versions 99b and previous
# not needed with the advent of ICQ 2000a or the socks proxy
/sbin/modprobe ip_masq_icq log=-a +i +o +m

# Supports the masquerading of Quake and QuakeWorld by default.  This module is
#   for multiple users behind the Linux MASQ server.  If you are going to play
#   Quake I, II, and III, use the second example.
#
#Quake I / QuakeWorld (ports 26000 and 27000)
#/sbin/modprobe ip_masq_quake
#
#Quake I/II/III / QuakeWorld (ports 26000, 27000, 27910, 27960)
#/sbin/modprobe ip_masq_quake ports=26000,27000,27910,27960


# Supports the masquerading of the CuSeeme video conferencing software
#
#/sbin/modprobe ip_masq_cuseeme

#Supports the masquerading of the VDO-live video conferencing software
#
#/sbin/modprobe ip_masq_vdolive


#CRITICAL:  Enable IP forwarding, since it is disabled by default.
#
#           Redhat Users:  you may try changing the options in /etc/sysconfig/network from:
#
#                       FORWARD_IPV4=false
#                             to
#                       FORWARD_IPV4=true
#
echo "1" > /proc/sys/net/ipv4/ip_forward


# Get the dynamic IP address assigned via DHCP
#
# < DAMION... THIS IS WHERE AND HOW IT DETECTS ITS PPP ADDRESS >
#
extip="`/sbin/ifconfig ppp0 | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'`"
extint="ppp0"

# Assign the internal IP
intint="eth0"
intnet="192.168.0.0/24"


# MASQ timeouts
#
#   2 hrs timeout for TCP session timeouts
#  10 sec timeout for traffic after the TCP/IP "FIN" packet is received
#  60 sec timeout for UDP traffic (MASQ'ed ICQ users must enable a 30sec firewall timeout in ICQ itself)
#
ipchains -M -S 7200 10 60

#############################################################################
# Incoming, flush and set default policy of reject. Actually the default policy
# is irrelevant because there is a catch all rule with deny and log.
#
ipchains -F input
ipchains -P input REJECT

# local interface, local machines, going anywhere is valid
#
ipchains -A input -i $intint -s $intnet -d 0.0.0.0/0 -j ACCEPT

# The following allows DHCP to work, where clients have source ip 0.0.0.0
# and broadcast to network... Added by moi (can anyone see if this
# is right/wrong/secure? makes it work for me)
ipchains -A input -i $intint -s 0.0.0.0 -d 255.255.255.255/32 -j ACCEPT

#
# Allow the services on the privileged ports you want (1-1024)
#
# ssh:
ipchains -A input -p tcp -s 0.0.0.0/0 -d $extip/32 22 -j ACCEPT

# http:
# ipchains -A input -p tcp -s 0.0.0.0/0 -d $extip/32 80 -j ACCEPT

# identd:
# ipchains -A input -p tcp -s 0.0.0.0/0 -d $extip/32 113 -j ACCEPT

#
# simply block all other privileged ports not specified above between 1 - 1024 for udp and tcp
#
ipchains -A input -p tcp -s 0.0.0.0/0 -d $extip/32 1:1024 -j REJECT
ipchains -A input -p udp -s 0.0.0.0/0 -d $extip/32 1:1024 -j REJECT

# block external access to SOCKS proxy (runs on an unprivileged port)
ipchains -A input -p tcp -s 0.0.0.0/0 -d $extip/32 1080 -j REJECT

# and squid proxy. uses tcp port 3128 and udp port 3130 for icp reqs.
ipchains -A input -p tcp -s 0.0.0.0/0 -d $extip/32 3128 -j REJECT
ipchains -A input -p udp -s 0.0.0.0/0 -d $extip/32 3130 -j REJECT

# also block port 2049 - used for nfs??? always appears to be open
ipchains -A input -p udp -s 0.0.0.0/0 -d $extip/32 2049 -j REJECT


# remote interface, claiming to be local machines, IP spoofing, get lost
#
ipchains -A input -i $extint -s $intnet -d 0.0.0.0/0 -l -j REJECT

# remote interface, any source, going to permanent PPP address is valid
#
ipchains -A input -i $extint -s 0.0.0.0/0 -d $extip/32 -j ACCEPT

# loopback interface is valid.
#
ipchains -A input -i lo -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT

# catch all rule, all other incoming is denied and logged. pity there is no
# log option on the policy but this does the job instead.
#
ipchains -A input -s 0.0.0.0/0 -d 0.0.0.0/0 -l -j REJECT

#############################################################################
# Outgoing, flush and set default policy of reject. Actually the default policy
# is irrelevant because there is a catch all rule with deny and log.
#
ipchains -F output
ipchains -P output REJECT

# local interface, any source going to local net is valid
#
ipchains -A output -i $intint -s 0.0.0.0/0 -d $intnet -j ACCEPT

# local interface, for dhcp sends to 255.255.255.255 is valid
# also added by moi for dhcp to work... does this breach security? 
ipchains -A output -i $intint -s 0.0.0.0/0 -d 255.255.255.255/32 -j ACCEPT

# outgoing to local net on remote interface, stuffed routing, deny
#
ipchains -A output -i $extint -s 0.0.0.0/0 -d $intnet -l -j REJECT

# outgoing from local net on remote interface, stuffed masquerading, deny
#
ipchains -A output -i $extint -s $intnet -d 0.0.0.0/0 -l -j REJECT

# anything else outgoing on remote interface is valid
#
ipchains -A output -i $extint -s $extip/32 -d 0.0.0.0/0 -j ACCEPT

# loopback interface is valid.
#
ipchains -A output -i lo -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT

# catch all rule, all other outgoing is denied and logged. pity there is no
# log option on the policy but this does the job instead.
#
ipchains -A output -s 0.0.0.0/0 -d 0.0.0.0/0 -l -j REJECT

#############################################################################
# Forwarding, flush and set default policy of deny. Actually the default policy
# is irrelevant because there is a catch all rule with deny and log.
#
ipchains -F forward
ipchains -P forward DENY

# Masquerade from local net, leaving via the remote interface, to anywhere.
# (in the forward chain, -i names the interface the packet goes OUT on)
#
ipchains -A forward -i $extint -s $intnet -d 0.0.0.0/0 -j MASQ
#
# catch all rule, all other forwarding is denied and logged. pity there is no
# log option on the policy but this does the job instead.
#
ipchains -A forward -s 0.0.0.0/0 -d 0.0.0.0/0 -l -j REJECT


--- END CUT HERE ---

Bernard.

--
 Bernard Blackham
 dagobah at mad.scientist.com

On Mon, 18 Sep 2000, Damion Hill wrote:

> I'm hoping to get a pointer here.
> 
> I've set up a script to apply the IPChains I wish to use for my home 
> network and have them working. The one thing that needs attention 
> is the setting for the IP address. All of the details I've found in doco 
> refer to static IP or DHCP. I dial to iiNet who assign an ip 
> depending on which port you've dialed in to.
> 
> How can I automate the IP setting in my script? At present I'm 
> using ifconfig to get the address and editing a macro in the script 
> before applying the rules. There has to be an easier way!!
> 
> Cheers,
> Damion.
> --
> Damion Hill
> dhill at wantree.com.au
> 
> 
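The input chain of the rc.firewall script above, run through a small first-match evaluator so the effect of rule order can be checked against a few constructed packets; this is an added example, not part of Bernard's post or of the HOWTO script. It assumes a made-up dialup address 203.0.113.5 for $extip and encodes only the rules that are not commented out.

```python
from ipaddress import ip_address, ip_network

# Constructed stand-ins for the script's variables; 203.0.113.5 is a made-up
# dialup address, not one from the post.
EXTIP, EXTINT, INTINT, INTNET = "203.0.113.5", "ppp0", "eth0", "192.168.0.0/24"
ANY = "0.0.0.0/0"
DHCP_SRC, BCAST = "0.0.0.0/32", "255.255.255.255/32"

# One tuple per active "ipchains -A input ..." line, in the order the script
# appends them: (interface, proto, src, dst, dport range, logged, target).
# None means "any", as an omitted -i / -p / port does in ipchains.
INPUT_CHAIN = [
    (INTINT, None, INTNET, ANY, None, False, "ACCEPT"),             # lan -> anywhere
    (INTINT, None, DHCP_SRC, BCAST, None, False, "ACCEPT"),         # dhcp discover
    (None, "tcp", ANY, EXTIP + "/32", (22, 22), False, "ACCEPT"),   # ssh
    (None, "tcp", ANY, EXTIP + "/32", (1, 1024), False, "REJECT"),  # other priv tcp
    (None, "udp", ANY, EXTIP + "/32", (1, 1024), False, "REJECT"),  # other priv udp
    (EXTINT, None, INTNET, ANY, None, True, "REJECT"),              # anti-spoof, -l
    (EXTINT, None, ANY, EXTIP + "/32", None, False, "ACCEPT"),      # rest to extip
    ("lo", None, ANY, ANY, None, False, "ACCEPT"),                  # loopback
    (None, None, ANY, ANY, None, True, "REJECT"),                   # catch-all, -l
]

def evaluate(chain, iface, proto, src, dst, dport=None):
    """First matching rule decides, as ipchains does; returns (target, logged)."""
    for r_iface, r_proto, r_src, r_dst, r_ports, logged, target in chain:
        if r_iface is not None and r_iface != iface:
            continue
        if r_proto is not None and r_proto != proto:
            continue
        if ip_address(src) not in ip_network(r_src):
            continue
        if ip_address(dst) not in ip_network(r_dst):
            continue
        if r_ports is not None and (dport is None or not r_ports[0] <= dport <= r_ports[1]):
            continue
        return target, logged
    return "REJECT", False  # no match: chain policy from "ipchains -P input REJECT"

# Same rules with the anti-spoof line moved ahead of the per-port rules, so a
# forged 192.168.0.x source on ppp0 hits the logged reject whatever port it aims at.
SPOOF_FIRST = [INPUT_CHAIN[5]] + INPUT_CHAIN[:5] + INPUT_CHAIN[6:]

if __name__ == "__main__":
    dhcp = ("udp", "0.0.0.0", "255.255.255.255", 67)
    spoofed_ssh = (EXTINT, "tcp", "192.168.0.5", EXTIP, 22)
    print("dhcp on eth0:    ", evaluate(INPUT_CHAIN, INTINT, *dhcp))
    print("dhcp on ppp0:    ", evaluate(INPUT_CHAIN, EXTINT, *dhcp))
    print("spoof to :22:    ", evaluate(INPUT_CHAIN, *spoofed_ssh))
    print("spoof, reordered:", evaluate(SPOOF_FIRST, *spoofed_ssh))
```

The DHCP accept is bound to $intint, so the same broadcast arriving on ppp0 still falls through to the logged catch-all; the anti-spoof rule, however, sits below the ssh accept, so a forged internal source aimed at port 22 is accepted before it is reached, which SPOOF_FIRST corrects by ordering.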



