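#!/bin/sh
#
# ---------- +++++ Contributed by Ross Vandegrift +++++
#
# My firewalling script starts by classifying traffic based on incoming
# interface.  I figure if the Linux kernel gives us rp_filter, we might as
# well take advantage of it.  Once we know what the incoming interface is,
# it makes it much easier to classify the traffic - we know that incoming
# packets on the external interface should never be allowed to hit the NFS
# port, for example.
#
# I wouldn't recommend most people have telnet and tftp open, but I have an
# eccentric boss who is known to run DOS telnet and tftp servers to enable
# connectivity at odd times...
#
# Ross Vandegrift
# ross@willow.seitz.com
#
# Layout, as far as the rules below show it:
#   lo   - loopback, trusted
#   eth1 - internal interface; everything arriving on it is trusted
#   eth0 - external interface; the firewall's own $DMZIP addresses are
#          reached here, and inbound traffic for $MAINIP is forwarded from it
#
# NOTE(review): the script *relies* on rp_filter but never enables it, and
# it uses the FORWARD chain without enabling ip_forward.  Both are expected
# to be set by sysctl (net.ipv4.conf.all.rp_filter=1, net.ipv4.ip_forward=1)
# before this runs - confirm on the host.
#
# Negated matches are written in the extrapositioned form (`! -s net`);
# the older `-s ! net` form is deprecated by iptables and may be rejected
# by current releases.

# Stop at the first failed iptables call rather than silently leaving a
# half-built ruleset behind.  The default policies are set to DROP before
# anything else, so a failure fails closed.
set -eu

DMZIP=207.106.55.128/26
MAINIP=207.106.55.64/26
FWMAINIP=207.106.55.126
IPT=/usr/local/sbin/iptables

# Services reachable from the outside, both on the firewall's own DMZ
# address and forwarded to $MAINIP:
#   20/21 ftp, 22 ssh, 23 telnet, 25 smtp, 53 dns, 69 tftp, 80 http, 113 ident
# See the note above about telnet and tftp.  multiport accepts at most 15
# ports per rule.
TCP_OPENPORTS=20,21,22,23,25,53,69,80,113
UDP_OPENPORTS=53,123

# Destination ports of trojans/worms current when this was written; internal
# hosts are stopped from reaching them outbound (FOR_TCP1/FOR_UDP1).  This is
# a historical snapshot with little value against anything newer, and it is
# already at multiport's 15-port limit.
WORMPORTS=31337,33270,1234,6711,16660,60001,12345,12346,1524,27665,27444,31335,6000,6001,6002

# Source addresses that must never arrive from the network: RFC 1918,
# loopback, link-local, the RFC 5737 documentation nets (replacing the old
# 128.66.0.0/16 test net), all of multicast (224.0.0.0/4, not just the /8),
# and the reserved class E block 240.0.0.0/4, which also covers the limited
# broadcast address 255.255.255.255.
#
# The earlier revision additionally dropped a long list of /8s that were
# merely *unallocated* at the time (1/8, 2/8, 7/8, 23/8, 27/8, 31/8, 41/8,
# 45/8, 60/8, 68-71/8, 80/8, 88/8, 90-92/8, 100/8, 111/8, 112/8, 197/8,
# 201/8, 220/8, 222/8).  All of those have since been assigned and carry
# ordinary traffic, so a static list of that kind blocks legitimate peers
# unless it is refreshed from a maintained bogon feed.  Only permanently
# reserved space is kept here.  Space-separated on purpose: it is
# word-split by the for loop below.
BOGON_NETS="10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12 \
192.0.2.0/24 192.168.0.0/16 198.51.100.0/24 203.0.113.0/24 \
224.0.0.0/4 240.0.0.0/4"

# Correctly configure draconian routing policies.  Policies go to DROP
# *before* the flush so that re-running the script never opens a window with
# everything accepted; the flush itself makes the script safe to re-run
# (without it every run appended a second copy of every rule, and -N failed
# on chains that already existed).  Only the filter table is touched; the
# nat table, where the previous revision kept its spoof list, is left to
# whatever else manages it - clear any stale entries there by hand once.
"$IPT" -P INPUT DROP
"$IPT" -P OUTPUT DROP
"$IPT" -P FORWARD DROP
"$IPT" -F
"$IPT" -X

# Add the chains we need
for chain in SPOOF IN_ETH0 IN_TCP IN_UDP \
             FOR_ETH0 FOR_ETH1 FOR_TCP0 FOR_UDP0 FOR_TCP1 FOR_UDP1; do
  "$IPT" -N "$chain"
done

#
# table: filter, chain: SPOOF
#
# Consulted from INPUT and FORWARD for every packet (except loopback, which
# INPUT accepts first).  This replaces the nat PREROUTING rules of the
# earlier revision: the nat table is only traversed by the first packet of
# a connection, so filtering there silently misses everything after it,
# whereas the filter table sees every packet.
for net in $BOGON_NETS; do
  "$IPT" -A SPOOF -s "$net" -j DROP
done
# Our own internal range must never show up on the external interface.
# This duplicates what rp_filter does when it is enabled, at no cost.
# $MAINIP appears to sit behind eth1 (everything FOR_ETH0 sends to it comes
# in on eth0) - confirm before relying on this line.
"$IPT" -A SPOOF -i eth0 -s "$MAINIP" -j DROP

#
# table: filter, chain: INPUT
#
# First make decisions based on the incoming interface
"$IPT" -A INPUT -i lo -j ACCEPT
"$IPT" -A INPUT -j SPOOF
"$IPT" -A INPUT -i eth1 -j ACCEPT
"$IPT" -A INPUT -i eth0 -j IN_ETH0
# Then look at relevant subnets.  Whatever falls out of IN_ETH0 (eth0
# traffic for addresses other than $DMZIP, or ports not opened there) is
# accepted on source address alone for these two /24s, with no port or
# state restriction.  That is address-based trust: every host in
# 207.106.55.0/24 - which includes $DMZIP, and if those hosts share the
# eth0 segment, rp_filter cannot tell a spoofed source from a real one -
# and every host in 63.121.145.0/24 can reach any service the firewall
# itself runs.  Narrow these to the ports actually needed if that is not
# intended.
"$IPT" -A INPUT -s 207.106.55.0/24 -j ACCEPT
"$IPT" -A INPUT -s 63.121.145.0/24 -j ACCEPT
# Should be the end for INPUT - LOG what's left (left disabled as in the
# original; enable it to see what the DROP policy is discarding)
#"$IPT" -A INPUT -m limit --limit 3/minute -j LOG

#
# table: filter, chain: OUTPUT
#
# Locally generated traffic is allowed only from the firewall's own
# addresses; anything else is logged (rate-limited) and hits the DROP policy.
"$IPT" -A OUTPUT -s "$DMZIP" -j ACCEPT
"$IPT" -A OUTPUT -s "$FWMAINIP" -j ACCEPT
"$IPT" -A OUTPUT -o lo -d 127.0.0.0/8 -j ACCEPT
"$IPT" -A OUTPUT -m limit --limit 3/minute -j LOG

#
# table: filter, chain: IN_ETH0
#
# Only the firewall's DMZ address is served on eth0; other destinations
# return to INPUT.
"$IPT" -A IN_ETH0 -d "$DMZIP" -p icmp -j ACCEPT
"$IPT" -A IN_ETH0 -d "$DMZIP" -p tcp -j IN_TCP
"$IPT" -A IN_ETH0 -d "$DMZIP" -p udp -j IN_UDP

#
# table: filter, chain: IN_TCP
#
# Replies to connections the firewall opened (and related ones, e.g. ftp
# data) first; then new connections, SYN only, to the published ports.
# A non-SYN packet conntrack does not know about falls through to the DROP
# policy, which is what we want for ACK/FIN scans.  `--dports` is
# multiport's own option; `--dport` belongs to the tcp/udp match and, on
# current iptables, rejects a comma-separated list.
"$IPT" -A IN_TCP -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
"$IPT" -A IN_TCP -p tcp --syn -d "$DMZIP" \
  -m multiport --dports "$TCP_OPENPORTS" -j ACCEPT

#
# table: filter, chain: IN_UDP
#
# Queries to the firewall's own DNS and NTP services, and replies to the
# queries it sends out.  The earlier revision accepted any packet whose
# *source* port was 53 or 123 regardless of destination port - which lets
# anyone reach every UDP service on the box (portmap, NFS, ...) just by
# sending from port 53.  Conntrack already tracks the firewall's outgoing
# UDP, so the state match covers replies without that hole.
"$IPT" -A IN_UDP -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
"$IPT" -A IN_UDP -p udp -d "$DMZIP" \
  -m multiport --dports "$UDP_OPENPORTS" -j ACCEPT

#
# table: filter, chain: FORWARD
#
# Spoof check first, then again look at incoming interface
"$IPT" -A FORWARD -j SPOOF
"$IPT" -A FORWARD -i eth0 -j FOR_ETH0
"$IPT" -A FORWARD -i eth1 -j FOR_ETH1

#
# table: filter, chain: FOR_ETH0
#
# Traffic from the outside being forwarded in: ICMP freely, TCP and UDP via
# their own chains; anything else meets the DROP policy.
"$IPT" -A FOR_ETH0 -p icmp -j ACCEPT
"$IPT" -A FOR_ETH0 -p udp -j FOR_UDP0
"$IPT" -A FOR_ETH0 -p tcp -j FOR_TCP0

#
# table: filter, chain: FOR_ETH1
#
# Traffic from the inside going out: everything is allowed except the
# worm ports filtered in FOR_UDP1/FOR_TCP1.
"$IPT" -A FOR_ETH1 -p icmp -j ACCEPT
"$IPT" -A FOR_ETH1 -p udp -j FOR_UDP1
"$IPT" -A FOR_ETH1 -p tcp -j FOR_TCP1
"$IPT" -A FOR_ETH1 -j ACCEPT

#
# table: filter, chain: FOR_UDP0
#
# Allow IPX over UDP tunnelling: anything from the DMZ into the main net,
# and port 213 (ipx) from anywhere else.  Two things to be aware of: the
# first rule gives every DMZ host unrestricted UDP access to the internal
# network, and nothing here admits replies to UDP that internal hosts send
# out through eth0 (FOR_ETH1 forwards it out unconditionally) - if internal
# hosts talk to external DNS/NTP directly, add a
# `-m state --state ESTABLISHED,RELATED` accept to this chain.
"$IPT" -A FOR_UDP0 -p udp -s "$DMZIP" -d "$MAINIP" -j ACCEPT
"$IPT" -A FOR_UDP0 -p udp ! -s "$DMZIP" -d "$MAINIP" --dport 213 -j ACCEPT

#
# table: filter, chain: FOR_TCP0
#
# Same shape as IN_TCP, for connections forwarded to the main net.
"$IPT" -A FOR_TCP0 -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
"$IPT" -A FOR_TCP0 -p tcp --syn -d "$MAINIP" \
  -m multiport --dports "$TCP_OPENPORTS" -j ACCEPT

#
# table: filter, chain: FOR_UDP1
#
"$IPT" -A FOR_UDP1 -p udp -m multiport --dports "$WORMPORTS" -j DROP

#
# table: filter, chain: FOR_TCP1
#
"$IPT" -A FOR_TCP1 -p tcp -m multiport --dports "$WORMPORTS" -j DROP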