Gateway with Caldera Openlinux 2.3 NHF
version 1.1 -- 2 February 2000 -- An NHF is a Newbieized Help File.

By Hans-Cees Speel
newbie (started with Linux in October 1999)

How to make a gateway (with firewall) with a Caldera 2.3 Linux machine, used to share the internet with other computers through a modem (modem sharing). The actual modem in my set-up is a cable modem that runs like a regular modem through the first serial COM port. Other words for the same thing are internet sharing, modem sharing, ipchains, masquerading, NAT, and what not.
  Contents
0. logging
I. install Caldera (not covered)
II. setup dial-in
III. Configuring ipchains and the firewall.
IV. The setting of the firewall
Extras

I have upgraded this NHF with the colors red and blue and made it more modular. The things you have to change and type are all in red. The things you have to adjust to your computer set-up are all in blue. There is now a file with the firewall ruleset without all the explanation, for if you need a small file, like in an lrp single-disk floppy.

What is a gateway (in this case)? A machine used to share access to the internet. This means that all internet traffic runs through the gateway. In this case the gateway has an (external) modem connection to the internet. The modem is used to dial in to an ISP that delivers dynamic IP numbers (dhcp).
The modem dials in automatically when the machines behind it request so (in effect, when they start a browser or try to get their mail).

With some adjustment these notes could probably work for other connection types as well (real cable modems for instance, or internal modems).

Why the choice for Caldera? It installs easily and when you try a bit it works. In my case it did not find my ethernet card though. I had to add it. It is possible that the now new Corel Linux will be even better. If so, I will certainly jump to that platform.

This howto shows all steps as I took them. And I have a working computer gateway now. This does not guarantee that there are no better or more clever ways. I just don't know them yet. It could be that some things are superfluous.

0. See EXTRAS at the bottom of this howto. It explains how to see all your logging information on your prompt. It will make this whole process much easier, believe me.

I. Install Caldera with all programs. This means having about 2 gig of space on your hard drive. Make sure your ethernet card works for your internal LAN first. You can check this by using the "ifconfig" command.

II. If your install and ethernet card work, dial-in to your ISP should be set up. The next part will show how to do that.

This is what the Caldera OpenLinux CD says.
Take a look by putting the Caldera CD in your drive and using Netscape to go to this URL:
file:///I|/col/doc/html/gsg/index.html
(replace the letter "I" with the drive letter of your CD). There you are. Very handy. Pages 107 and 108 show how to configure pppd without using kppp. This is what we will do here.


This is what the Caldera files say:

=Connecting Without KPPP
=Although KPPP provides a convenient graphical tool for reaching the Internet, you may want to use standard scripts to create a non-graphical connection using PPP. This section describes how to do that. NOTE: You still need the information from your ISP described at the beginning of this chapter.
=To set up a script-based PPP connection:
=1. Log into OpenLinux as user root.
=2. To verify whether or not your system's Linux kernel includes PPP support, type lsmod and press Enter.
=3. If the PPP module (ppp.o) doesn't appear in the list, type modprobe ppp and press Enter to load PPP support.
=4. Add your ISP's nameserver IP addresses to the /etc/resolv.conf file (for example, nameserver 192.168.1.1).
=5. Add your system's IP address to the /etc/hosts file (for example, 192.168.100.23 swift.Caldera.com swift). If you're not connected to an internal network, use "0.0.0.0" as your system's IP address.
=6. Create a /etc/ppp/options file with the following lines:
=connect "/usr/sbin/chat -f /etc/ppp/chat-script"
=/dev/modem 38400
=modem
=crtscts
=defaultroute
=noipdefault
=user username
=The "username" in this script is the user account at your ISP. Use the number "38400" in the script for 28.8Kbps modems; use 115200 for 56K modems.
=NOTE: The next three steps assume your ISP uses PAP authentication. If you use manual or CHAP authentication, contact your ISP for additional information.
=7. Create the /etc/ppp/chat-script file with the following lines:
=ABORT   BUSY
=ABORT   "NO DIAL TONE"
=""      ATDT5551212
=CONNECT ""
=The "5551212" in the script is the phone number to dial to connect to your ISP.
=8. Create an authentication file named /etc/ppp/pap-secrets that contains these lines:
=username  *  password
=In this file, "username" is your ISP username and "password" is your ISP account password in plaintext (for example, bob * GfG2vhY).
=9. Make the /etc/ppp/pap-secrets file secure by executing this command: chmod 600 /etc/ppp/pap-secrets
=To start up your script-based PPP Connection:
=1. Enter this command from a terminal emulator or console: pppd
=Your modem uses the scripts you created to dial your ISP and connect.
=Depending on the speed of your ISP's authentication process, your system will be connected to your ISP within 15-45 seconds of hearing the dial tone.

So far what Caldera says; now what we will do. Make sure you log in as root.

So do this:

a) Open a terminal (you can do that by clicking on the two-computer icon in your tray) and type "lsmod". If there is no ppp listed you must type "modprobe ppp" (without the "", always leave out the "").

b) Find kfm (the KDE file manager). I always leave one open. You can get a second window by typing ctrl-n, just as with
Netscape. The program is located at k>system>filemanager (superuser mode). Go to the /etc/resolv.conf file and add: "nameserver 195.96.96.97". Of course with your ISP's nameserver IP.

c) Go to the /etc/hosts file and add your internal network. So for instance "192.168.0.2 mamsmachine" and on the next line "192.168.0.3 dadswindoze". And also add the gateway itself: "192.168.0.1 linuxgateway".
This means of course that your windoze and other computers that use the gateway must have these names and numbers. Windows computers can be fed their name at networkneighbourhood>options>identification and the internal ip number at networkneighbourhood>options>tcpipnetworkcard (192.168.0.1) and also the default gateway (the internal ip of the linuxgateway, for instance 192.168.0.2). The nameserver at the windoze computers can be the nameserver of your isp.

In all the configs below it is assumed that the linuxgateway is called linuxrulez and that its ip is 192.168.0.2. The default gateway is thus 192.168.0.2 for all windoze and other computers that are behind it.

d) Now the /etc/ppp/options file.
Make it look like this:

debug
connect "/usr/sbin/chat -f /etc/ppp/chat-script"
/dev/ttyS0 115200
modem
crtscts
defaultroute
user dickhead
195.96.98.253:195.95.98.1
ipcp-accept-remote
ipcp-accept-local
demand
idle 300

This options file makes sure that when you run pppd (by typing "pppd" at the terminal) the program is started, but there is no dialing in yet. The option demand sets it so that only when traffic is seen, a connection will be made by modem. For instance if you type "ping 195.96.96.97" the link will come up. Then type ctrl-c to stop the pinging.
The log will say that two IPs have been set. These are bogus IPs. They are removed when an actual link is set up to your ISP. The two ipcp statements make sure that goes ok (see "man pppd" for more info).
The idle statement makes sure your modem connection is terminated when there is no traffic for 300 seconds. The 115200 can be changed if your modem is not a 33000 modem. You can use the IP of the default gateway of your ISP as the second number in the ....:..... statement.

You should make a file /var/log/debug if it is not already there.

e) Now the file /etc/ppp/chat-script.
It should say:

ABORT BUSY
ABORT "NO DIAL TONE"
"" ATDT4
CONNECT ""

It is possible that your modem needs slightly different commands!

That is all. The 4 after ATDT is the number I have to dial at Casema in The Hague, the Netherlands.

f) Make the file /etc/ppp/pap-secrets.
Caldera comes with a file pap-secrets.sample. Use that and rename it. Add a new line:
dickhead * abacada

dickhead is your username (so change it to yours) and abacada your password.
Save as... and save as /etc/ppp/pap-secrets.
Type "chmod 600 /etc/ppp/pap-secrets"

You can now dial in by typing "pppd" if your modem is at the COM1 port.
If you do "ping 195.96.96.97" you should get a reply. If not, try another IP, because it probably means my ISP is down (wouldn't be the first time). ctrl-c stops the ping. Type "ps -ax" and you can see if pppd is running. You can stop it by looking at the number in the first column (the PID) and typing "kill number", where number stands for the number in the first column before pppd.

At /var/log/debug you can see what went wrong.
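As an added check that is not part of the NHF: the shell script below reads a copy of the options and pap-secrets files from steps d) and f) and reports the mistakes that silently break the dial-in, namely a "user" with no pap-secrets line, a pap-secrets that is not mode 600, and "demand" without "idle". The file paths, the function names and the sample files it writes under mktemp are my own assumptions, not Caldera's.

```shell
#!/bin/sh
# Added example (not part of the NHF): sanity-check the pppd files from
# steps d) and f). Paths are arguments so it runs against a constructed copy,
# never against the real /etc/ppp. Function names are my own (assumed).

# ppp_user OPTIONSFILE: print the argument of the "user" option ("" if absent).
# pppd splits the file on whitespace, so "user" and its value may sit on one
# line or, as in the NHF's options file, on two.
ppp_user() {
    sed 's/#.*//' "$1" | tr -s '[:blank:]' '\n' |
        awk 'want && NF { print; exit } $0 == "user" { want = 1 }'
}

# ppp_has_option OPTIONSFILE WORD: true if WORD appears as an option.
ppp_has_option() {
    sed 's/#.*//' "$1" | tr -s '[:blank:]' '\n' | grep -qx "$2"
}

# pap_has_user USER SECRETSFILE: true if a "client server secret" line
# has USER in its client column.
pap_has_user() {
    sed 's/#.*//' "$2" | awk -v u="$1" '$1 == u { found = 1 } END { exit !found }'
}

# owner_only FILE: true if the mode is rw------- (what chmod 600 gives).
owner_only() {
    [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# check_ppp OPTIONSFILE SECRETSFILE: print each problem, return the count.
check_ppp() {
    problems=0
    user=$(ppp_user "$1")
    if [ -z "$user" ]; then
        echo "options: no 'user' line, so pppd cannot pick a pap-secrets entry"
        problems=$((problems + 1))
    elif ! pap_has_user "$user" "$2"; then
        echo "pap-secrets: no entry for user '$user'"
        problems=$((problems + 1))
    fi
    if ! owner_only "$2"; then
        echo "pap-secrets: holds the ISP password in plaintext, do chmod 600"
        problems=$((problems + 1))
    fi
    if ppp_has_option "$1" demand && ! ppp_has_option "$1" idle; then
        echo "options: 'demand' without 'idle' means the line never hangs up by itself"
        problems=$((problems + 1))
    fi
    return $problems
}

# write_sample DIR: constructed copies of the NHF's options and pap-secrets.
write_sample() {
    cat > "$1/options" <<'EOF'
debug
connect "/usr/sbin/chat -f /etc/ppp/chat-script"
/dev/ttyS0 115200
modem
crtscts
defaultroute
user dickhead
195.96.98.253:195.95.98.1
ipcp-accept-remote
ipcp-accept-local
demand
idle 300
EOF
    printf 'dickhead * abacada\n' > "$1/pap-secrets"
    chmod 600 "$1/pap-secrets"
}

# Demo: the sample passes; a wrong username plus a forgotten chmod gives 2.
d=$(mktemp -d)
write_sample "$d"
check_ppp "$d/options" "$d/pap-secrets" && echo "sample ok"
printf 'bob * abacada\n' > "$d/pap-secrets"; chmod 644 "$d/pap-secrets"
check_ppp "$d/options" "$d/pap-secrets" || echo "problems: $?"
rm -r "$d"
```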

III. Configuring ipchains and the firewall.

So now you can dial in, but you hardly have a gateway. We will make one now. After that we will make the firewall rules.

First ipchains. ipchains is the name of the program that tells the kernel what to do with packets that come in over the networks. It is the same program that can forward packets, filter them (the firewall) and rewrite them (make them all appear to come from one computer: masquerading).

A) Go to /etc/rc.d/rc.local
add the line:

/etc/rc.d/rc.firewall

Save the file

B) Make a file /etc/rc.d/rc.firewall
put in it:
#!/bin/sh
# called from rc.local
logger THIS IS the rcfirewall script
modprobe ip_masq_ftp
modprobe ip_masq_irc
modprobe ip_masq_raudio
echo "1" > /proc/sys/net/ipv4/ip_forward
ipchains -P forward DENY
# masquerade everything the internal LAN sends out (one line)
ipchains -A forward -j MASQ -s 192.168.0.0/24 -d 0.0.0.0/0
# a plain shell variable; nothing reads it, forwarding was switched on by the echo above
IPFORWARDING=yes
# with a dynamic IP and demand dialing: lets the kernel rewrite the address of
# sessions that started while ppp0 still had its bogus IP
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
logger first firewall script finished, ipchains and masquerading work now.

You may add other modprobes if you want to do quake and so on. The last line is only needed when you do not have a fixed ip number. Almost no one has one, don't worry.

Save the file and do "chmod 700 /etc/rc.d/rc.firewall".

The gateway should work now. There is no firewall yet! We will make one in the next step.


IV. The setting of the firewall

The original firewall set of rules that I adapted comes from
TrinityOS(TM)(c) http://www.ecst.csuchico.edu/~dranch/LINUX/TrinityOS.wri
Written, Maintained, and Copyrighted by
David A. Ranch (dranch@trinnet.net)

He also helped me out getting this fixed, which took a while...
His file works with diald. I did it without diald, since I had problems with it, and ppp can do demand dialing too. The less to do the better.

The trick is that the firewall must include the new IP we get every time we dial in again (remember we use a dynamic IP). This is safer than a fixed IP, by the way. This is pulled off by using ip-up and ip-down: two scripts that pppd runs automatically when the line goes up and down.
Here we go:

A) Open /etc/ppp/ip-up
add:

logger THIS IS the ip-up script running &
# the & puts the rule script in the background: pppd does not wait for it,
# so the rules land a moment after the link is already up
/etc/rc.d/rc.firewallup &
#/etc/rc.d/rc.firewallbigup &
logger this was the ip-up script &

Save it and do "chmod 700 /etc/ppp/ip-up".
 
This script is used to call a set of firewall rules that must be put in /etc/rc.d/xxxx. In this case we thus used /etc/rc.d/rc.firewallbigup.
The logger lines can be traced back in /var/log/messages. That is handy because if something goes wrong you can try to figure out where it is.
There are two links in the ip-up file: one to rc.firewallup, and one to rc.firewallbigup. The first one is to test without a lot of rules, and the second holds all the rules. Only if it works without the rules should you try all the rules, and thus change the # from one link to the other.

thus change
/etc/rc.d/rc.firewallup &
#/etc/rc.d/rc.firewallbigup &

to

#/etc/rc.d/rc.firewallup &
/etc/rc.d/rc.firewallbigup &

when you are ready to try the big firewall set we will build below.

B)
Now we can add the real firewall rules. First we make a small set to test. After that a big set for real.
 

make a file /etc/rc.d/rc.firewallup.
add:

#!/bin/sh
logger THIS IS the rc.firewallup script to test
logger loading masq modules
modprobe ip_masq_vdolive
logger now vdolive should run, check with lsmod

# the message is quoted: an unquoted ";" or "(" would be read by the shell itself
logger "- Setting Policies: IN/OUT is ACCEPT; FWD is reject (poor security; great functionality)"
/sbin/ipchains -P input ACCEPT
/sbin/ipchains -P output ACCEPT
/sbin/ipchains -P forward REJECT

logger Flushing any old rulesets
/sbin/ipchains -F input
/sbin/ipchains -F output
# NOTE: this also removes the MASQ rule that rc.firewall put in the forward
# chain at boot, so with this test set the machines behind the gateway are
# not masqueraded; only the gateway itself gets out.
/sbin/ipchains -F forward

logger Extending MASQ timeouts.
# 2 hrs timeout for TCP session timeouts
# 10 sec timeout for traffic after the TCP/IP "FIN" packet is received
# 60 sec timeout for UDP traffic (Important for MASQ'ed ICQ users)
#
# IPCHAINS
/sbin/ipchains -M -S 7200 10 60
logger rc.firewallup done

So that is it. Do "chmod 700 /etc/rc.d/rc.firewallup" and you are done.

Now we must make a file that flushes the rules when the pppd link goes down.
Find /etc/ppp/ip-down or make it.

add:

#!/bin/bash
#
# The pppd executes this script every time a PPP connection goes down
# and passes the following args to it:
#
# $1 device
# $2 tty
# $3 speed
# $4 local IP addr
# $5 remote IP addr
#
# You can then execute special commands (like removing routes)
# depending on the arguments passed by the pppd.
#
logger THIS IS the ipdownscript
/etc/rc.d/flush
logger ready flushing

Do "chmod 700 /etc/ppp/ip-down"

Make /etc/rc.d/flush
add:

#!/bin/sh
logger THIS IS flush
#
echo " - Flushing all old rules and setting all default policies to ACCEPT "
/sbin/ipchains -F input
/sbin/ipchains -F output
/sbin/ipchains -F forward

logger Set default policies to accept
# NOTE: until ip-up loads the rules again, the gateway now accepts
# everything on every interface (and the MASQ rule is gone too).
/sbin/ipchains -P input ACCEPT
/sbin/ipchains -P output ACCEPT
/sbin/ipchains -P forward ACCEPT
logger rulesets are flushed

Do "chmod 700 /etc/rc.d/flush"

done!

Now you can run pppd and ping to see if all goes well. The /var/log/messages should show the logger lines.

C)
If B works, we can do the real firewall. Make /etc/rc.d/rc.firewallbigup.
Remember to change the link in /etc/ppp/ip-up by moving the #.

The script is between three rows of ===. You must adjust the rules if you use a www server, an ftp server or another server that is to be accessible from the outside.
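The rule set that follows pulls EXTIP, EXTBROAD and EXTGW out of "ifconfig" and "route -n" with grep -A / awk pipelines; as an added example (not part of the NHF or of TrinityOS) the script below does the same job per interface block, reading the command output from stdin so it runs here against constructed captures. The function names and the 198.51.100.x addresses in the captures are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the NHF or TrinityOS): per-interface extraction of
# the values the rule set stores in EXTIP, EXTBROAD and EXTGW. All input is
# constructed below; 198.51.100.0/24 is a documentation range, not a real ISP.

# ext_ip IFACE: the "inet addr:" of IFACE's own block, not of a neighbouring
# block that a fixed line window (grep -A 4) might spill into.
ext_ip() {
    awk -v ifc="$1" '
        /^[A-Za-z]/ { cur = $1 }               # a block header starts in column 1
        cur == ifc && /inet addr:/ { sub(/.*inet addr:/, ""); print $1; exit }'
}

# ext_broadcast IFACE: the Bcast: value, or nothing for a point-to-point link
# such as ppp0, which shows P-t-P: instead (so EXTBROAD stays empty there).
ext_broadcast() {
    awk -v ifc="$1" '
        /^[A-Za-z]/ { cur = $1 }
        cur == ifc && /Bcast:/ { sub(/.*Bcast:/, ""); print $1; exit }'
}

# ext_peer IFACE: the P-t-P: address, i.e. the ISP side of the ppp link.
ext_peer() {
    awk -v ifc="$1" '
        /^[A-Za-z]/ { cur = $1 }
        cur == ifc && /P-t-P:/ { sub(/.*P-t-P:/, ""); print $1; exit }'
}

# default_gw IFACE: the gateway of the 0.0.0.0 route that leaves through IFACE.
default_gw() {
    awk -v ifc="$1" '$1 == "0.0.0.0" && $4 ~ /G/ && $NF == ifc { print $2; exit }'
}

# page_style_gw: the rule set's own pipeline, kept for comparison. The -A 4
# window also prints column 2 of the lines after the UG route, so EXTGW holds
# several values whenever the default route is not the last line of the table.
page_style_gw() {
    grep -A 4 UG | awk '{ print $2 }'
}

# Constructed "ifconfig" output in the 2.2-kernel net-tools layout.
IFCONFIG_SAMPLE='eth0      Link encap:Ethernet  HWaddr 00:00:00:00:00:00
          inet addr:192.168.0.2  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:3924  Metric:1

ppp0      Link encap:Point-to-Point Protocol
          inet addr:198.51.100.23  P-t-P:198.51.100.1  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1'

# Constructed "route -n" output with the default route last (the usual case) ...
ROUTE_SAMPLE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
198.51.100.1    0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         198.51.100.1    0.0.0.0         UG    0      0        0 ppp0'

# ... and the same table with the default route first.
ROUTE_UG_FIRST='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         198.51.100.1    0.0.0.0         UG    0      0        0 ppp0
198.51.100.1    0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo'

EXTIF=ppp0
echo "External IP:        $(printf '%s\n' "$IFCONFIG_SAMPLE" | ext_ip "$EXTIF")"
echo "External broadcast: '$(printf '%s\n' "$IFCONFIG_SAMPLE" | ext_broadcast "$EXTIF")' (empty on a ppp link)"
echo "ISP side:           $(printf '%s\n' "$IFCONFIG_SAMPLE" | ext_peer "$EXTIF")"
echo "Default GW:         $(printf '%s\n' "$ROUTE_UG_FIRST" | default_gw "$EXTIF")"
echo "grep -A 4 UG gives $(printf '%s\n' "$ROUTE_UG_FIRST" | page_style_gw | wc -l | tr -d ' ') values for EXTGW"
```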
 

=======================================
A small version of this rule set without many comments is here. It will not have explanations on what to do when it goes wrong, however. It is exactly identical to the set below.
=======================================
=======================================

#!/bin/sh

logger THIS IS firewallupbig
# 1) The external interface is running on "ppp0"
# 2) The external IP address is dynamically assigned
# 3) The internal IP Masqueraded network interface is "eth0"
# 4) The internal network is addressed within the private
# 192.168.0.x TCP/IP addressing scheme per RFC1918
#
# ****
# NOTE: All 2.2.x Linux kernels prior to 2.2.11 have a fragmentation
# **** bug that renders all strong IPCHAINS rulesets void. It
# is CRITICAL that users upgrade the Linux kernel to 2.2.11+
# for proper firewall security.
#
 
#********************************************************************
# Initializing
#********************************************************************
logger Loading IPCHAINS Firewall Version 3.20
echo "----------------------------------------------------------------------"
 
#--------------------------------------------------------------------
# Variables
#--------------------------------------------------------------------
 
# The loopback interface and address
#
LOOPBACKIF="lo"
LOOPBACKIP="127.0.0.1"
 
# External interface device.
#
# NOTE: PPP and SLIP users will want to replace this interface
# with the correct modem interface such as "ppp0" or "sl0"
#
EXTIF="ppp0"
echo External Interface: $EXTIF
 
# Static TCP/IP addressed users: For EXTIP, EXTBROAD, and EXTGW, simply replace
# the pipelines with your correct TCP/IP address, broadcast address, and
# external gateway, respectively.
#
# eg: EXTIP="100.200.0.212"
#
 
# IP address of the external interface
#
EXTIP=`/sbin/ifconfig | grep -A 4 $EXTIF | awk '/inet/ { print $2 } ' | sed -e s/addr://`
echo External IP: $EXTIP
 
 
logger Broadcast address of the external network
#
# Static TCP/IP addressed users:
#
# Simply delete all of the text and including the single quotes and
# replace it with your correct TCP/IP netmask enclosed in double
# quotes.
#
# eg: EXTBROAD="100.200.0.255"
#
EXTBROAD=`/sbin/ifconfig | grep -A 1 $EXTIF | awk '/Bcast/ { print $3 }' | sed -e s/Bcast://`
echo External broadcast: $EXTBROAD
 
 
logger Gateway for the external network
#
# Static TCP/IP addressed users:
#
# Simply delete all of the text and including the single quotes and
# replace it with your correct TCP/IP default gateway or "next hop
# address".
#
# eg: DGW="100.200.0.1"
#
EXTGW=`/sbin/route -n | grep -A 4 UG | awk '{ print $2}'`
echo Default GW: $EXTGW
echo " --- "
 
# Internal interface device.
INTIF="eth0"
 
# IP address on the internal interface
INTIP="192.168.0.2"
logger Internal IP: $INTIP
 
# IP network address of the internal network
INTLAN="192.168.0.0/24"
 
 
# IP Port Forwarded Addresses
#
# IP address of an internal host that should have external traffic forwarded to
# Port forwarding allows external traffic to directly connect to an INTERNAL
# Masq'ed machine. An example need for port forwarding is the need for external
# users to directly contact a WWW server behind the MASQ server.
#
# NOTE: Port forwarding is well beyond the scope of this documentation to
# explain the security issues implied in opening up access like this.
# Please see Appendix A to find the IP-MASQ-HOWTO for a full explanation.
#
# Disabled by default.
#PORTFWIP="192.168.0.20"
 
# IP Mask for all IP addresses
UNIVERSE="0.0.0.0/0"
 
# IP Mask for broadcast transmissions
BROADCAST="255.255.255.255"
 
# Specification of the high unprivileged IP ports.
UNPRIVPORTS="1024:65535"
 
# Specification of X Window System (TCP) ports.
XWINDOWS_PORTS="6000:6010"
 
 
# The TCP/IP address of your slave DNS servers (if any).
# This is OPTIONAL!
#
# Disabled by default.
#SECONDARYDNS="10.200.200.69"
 
# The TCP/IP addresses of a specifically allowed EXTERNAL hosts
#
# Disabled by default.
#SECUREHOST="200.244.0.40"
#SECUREHOST2="200.244.0.41"
 
# TCP/IP addresses of INTERNAL hosts on the network allowed to directly
# connect to the Linux server. All internal hosts are allowed
# per default.
#
# Disabled by default
#HOST1IP="192.168.0.10"
#HOST2IP="192.168.0.11"
 
 
# Logging state.
#
# Uncomment the " " line and comment the "-l" line if you want to
# disable logging of the more important IPCHAINS rulesets.
#
# The output of this logging can be found in the /var/log/messages
# file. It is recommended that you leave this setting enabled.
# If you need to reduce some of the logging, edit the rulesets and
# delete the "$LOGGING" syntax from the ruleset that you aren't
# interested in.
#
# LOGGING=" "
LOGGING="-l"
 
 
# If you are having problems with the firewall, uncomment the lines
# below and then re-run the firewall to make sure that the firewall
# is not giving any errors, etc. The output of this debugging
# script will be in a file called /tmp/rc.firewall.dump
#--------------------------------------------------------------------
#
#echo " - Debugging."
#echo Loopback IP: $LOOPBACKIP > /tmp/rc.firewall.dump
#echo Loopback interface name: $LOOPBACKIF >> /tmp/rc.firewall.dump
#echo Internal interface name: $INTIF >> /tmp/rc.firewall.dump
#echo Internal interface IP: $INTIP >> /tmp/rc.firewall.dump
#echo Internal LAN address: $INTLAN >> /tmp/rc.firewall.dump
#echo ----------------------------------------------------- >> /tmp/rc.firewall.dump
#echo External interface name: $EXTIF >> /tmp/rc.firewall.dump
#echo External interface IP: $EXTIP >> /tmp/rc.firewall.dump
#echo External interface broadcast IP: $EXTBROAD >> /tmp/rc.firewall.dump
#echo External interface default gateway: $EXTGW >> /tmp/rc.firewall.dump
#echo ----------------------------------------------------- >> /tmp/rc.firewall.dump
#echo External secondary DNS: $SECONDARYDNS >> /tmp/rc.firewall.dump
#echo External secured host: $SECUREHOST >> /tmp/rc.firewall.dump
 
 
# General
#--------------------------------------------------------------------
# Performs general processing such as setting the multicast route
# and DHCP address hacking.
#
# Multicast is a powerful, yet seldom used aspect of TCP/IP for multimedia
# data. Though it isn't used much now (because most ISPs don't enable multicast
# on their networks), it will be very common in a few more years. Check out
# www.mbone.com for more detail.
#
# Adding this feature is OPTIONAL.
#
# Disabled by default.
#echo " - Adding multicast route."
#/sbin/route add -net 224.0.0.0 netmask 240.0.0.0 dev $EXTIF
 
 
# Disable IP spoofing attacks.
#
# This drops traffic addressed for one network though it is being received on a
# different interface.
#
logger Disabling IP Spoofing attacks
for file in /proc/sys/net/ipv4/conf/*/rp_filter
do
 echo "1" > $file
done
 
 
 
# Comment the following out if you are not using a dynamic address
#
logger Enabling dynamic TCP/IP address hacking
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
 
#--------------------------------------------------------------------
# Masquerading Timeouts
#--------------------------------------------------------------------
# Set timeout values for masq sessions (seconds).
#
# Item #1 - 2 hrs timeout for TCP session timeouts
# Item #2 - 10 sec timeout for traffic after the TCP/IP "FIN" packet is received
# Item #3 - 60 sec timeout for UDP traffic
#
logger Changing IP masquerading timeouts
/sbin/ipchains -M -S 7200 10 60
 
 
# Masq Modules
#--------------------------------------------------------------------
# Most TCP/IP-enabled applications work fine behind a Linux IP
# Masquerade server. But, some applications need a special
# module to get their traffic in and out properly.
#
# Note: Some applications do NOT work through an IP Masquerade server at ALL, such
# as any H.323-based program. Please see the IP-MASQ HOWTO for more details.
#
# Note #2: Only uncomment the modules that you REQUIRE to be loaded.
# In this set-up the ftp, irc and raudio modules are already loaded at boot
# by /etc/rc.d/rc.firewall, so all the lines below are commented out.
#--------------------------------------------------------------------
logger Loading masquerading modules
 
#/sbin/modprobe ip_masq_cuseeme
#/sbin/modprobe ip_masq_ftp
#/sbin/modprobe ip_masq_irc
#/sbin/modprobe ip_masq_quake
#/sbin/modprobe ip_masq_raudio
#/sbin/modprobe ip_masq_vdolive
 
# Default Policies
#--------------------------------------------------------------------
# Set all default policies to REJECT and flush all old rules.
#--------------------------------------------------------------------
#
# We want to only EXPLICITLY allow what traffic is allowed IN and OUT of the
# firewall. All other traffic will be implicitly blocked.
#
logger Set default policies to REJECT
/sbin/ipchains -P input REJECT
/sbin/ipchains -P output REJECT
/sbin/ipchains -P forward REJECT
 
logger Flush all old rulesets
#
echo " - Flushing all old rules and setting all default policies to REJECT "
/sbin/ipchains -F input
/sbin/ipchains -F output
/sbin/ipchains -F forward
 
# Input Rules
#********************************************************************
echo "----------------------------------------------------------------------"
echo "Input Rules:"
 
#--------------------------------------------------------------------
# Incoming Traffic on the Internal LAN
#--------------------------------------------------------------------
# This section controls the INPUT traffic allowed to flow within the internal
# LAN. This means that all input traffic on the local network is valid. If
# you want to change this default setting and only allow certain types of
# traffic within your internal network, you will need to comment this following
# line and configure individual ACCEPT lines for each TCP/IP address you want
# to let through. A few example ACCEPT lines are provided below for
# demonstration purposes.
#
# Sometimes it is useful to allow TCP connections in one direction but not the
# other. For example, you might want to allow connections to an external HTTP
# server but not connections from that server. The naive approach would be to
# block TCP packets coming from the server. However, the better approach is to
# use the -y flag which will block only the packets used to request a
# connection.
#--------------------------------------------------------------------
echo " - Setting input filters for traffic on the internal LAN."
 
# Local interface, local machines, going anywhere is valid.
#
# Comment this line out if you want to only allow specific traffic on the
# internal network.
/sbin/ipchains -A input -j ACCEPT -i $INTIF -s $INTLAN -d $UNIVERSE
 
 
# Loopback interface is valid.
/sbin/ipchains -A input -j ACCEPT -i $LOOPBACKIF -s $UNIVERSE -d $UNIVERSE
 
# DHCP Server.
#
# If you have configured a DHCP server on the Linux machine to serve IP
# addresses to the internal network, you will need to enable this section.
#
# This is an example of how to let input traffic flow through the local
# LAN if we have rejected all prior requests above.
#
# Disabled by default
#/sbin/ipchains -A input -j ACCEPT -i $INTIF -p udp -s $UNIVERSE bootpc -d $BROADCAST/0 bootps
#/sbin/ipchains -A input -j ACCEPT -i $INTIF -p tcp -s $UNIVERSE bootpc -d $BROADCAST/0 bootps
 
#--------------------------------------------------------------------
# Explicit Access from Internal LAN Hosts
#--------------------------------------------------------------------
# This section is provided as an example of how to allow only SPECIFIC hosts on
# the internal LAN to access services on the firewall server. Many people
# might feel that this is extreme but many system attacks occur from the
# INTERNAL networks.
#
# Examples given allow access via FTP, FTP-DATA, SSH, and TELNET.
#
# In order for this ruleset to work, you must first comment out the line above
# that provides full access to the internal LAN by all internal hosts. You will
# then need to enable the lines below to allow any access at all.
#--------------------------------------------------------------------
#echo " - Setting input filters for specific internal hosts."
 
 
# First allowed internal host to connect directly to the Linux server
#
# Disabled by default.
#/sbin/ipchains -A input -j ACCEPT -i $INTIF -p tcp -s $HOST1IP -d $INTIP ftp
#/sbin/ipchains -A input -j ACCEPT -i $INTIF -p tcp -s $HOST1IP -d $INTIP ftp-data
#/sbin/ipchains -A input -j ACCEPT -i $INTIF -p tcp -s $HOST1IP -d $INTIP ssh
#/sbin/ipchains -A input -j ACCEPT -i $INTIF -p tcp -s $HOST1IP -d $INTIP telnet
 
# Second allowed internal host to connect directly to the Linux server
#
# Disabled by default.
#/sbin/ipchains -A input -j ACCEPT -i $INTIF -p tcp -s $HOST2IP -d $INTIP ftp
#/sbin/ipchains -A input -j ACCEPT -i $INTIF -p tcp -s $HOST2IP -d $INTIP ftp-data
#/sbin/ipchains -A input -j ACCEPT -i $INTIF -p tcp -s $HOST2IP -d $INTIP ssh
#/sbin/ipchains -A input -j ACCEPT -i $INTIF -p tcp -s $HOST2IP -d $INTIP telnet
 
 
#--------------------------------------------------------------------
# Incoming Traffic from the External Interface
#--------------------------------------------------------------------
# This ruleset will control specific traffic that is allowed in from
# the external interface.
#--------------------------------------------------------------------
#
logger Setting input filters for traffic from the external interface
 
# Remote interface, claiming to be local machines, IP spoofing, get lost & log
/sbin/ipchains -A input -j REJECT -i $EXTIF -s $INTLAN -d $UNIVERSE $LOGGING
 
 
# DHCP Clients.
#
logger If you get a dynamic IP address for your ADSL or Cablemodem connection you
# will need to enable these lines.
#
# Enabled by default.
/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p udp -s $UNIVERSE bootps -d $BROADCAST/0 bootpc
/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $UNIVERSE bootps -d $BROADCAST/0 bootpc
 
# FTP: Allow external users to connect to the Linux server ITSELF for
# PORT-style FTP services. This will NOT work for PASV FTP transfers.
#
# Disabled by default.
#/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP ftp
#/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP ftp-data
 
# HTTP: Allow external users to connect to the Linux server ITSELF for
# HTTP services.
#
# Disabled by default.
#/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP http
 
logger ICMP: Allow ICMP packets from all external TCP/IP addresses
#
# NOTE: Disabling ICMP packets via the firewall ruleset can do far more than
# just stop people from pinging your machine. Many aspects of TCP/IP and its
# associated applications rely on various ICMP messages. Without ICMP, both
# your Linux server and internal Masq'ed computers might not work.
#
/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p icmp -s $UNIVERSE -d $EXTIP
 
 
# NFS: Reject NFS traffic FROM and TO external machines.
#
# NOTE: NFS is one of the biggest security issues an administrator will face.
# Do NOT enable NFS over the Internet or any non-trusted networks unless you
# know exactly what you are doing.
#
/sbin/ipchains -A input -j REJECT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP 2049
/sbin/ipchains -A input -j REJECT -i $EXTIF -p tcp -s $UNIVERSE 2049 -d $EXTIP
 
# NNTP: Allow external computers to connect to the Linux server ITSELF
# for NNTP (news) services.
#
# Disabled by default.
#/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP nntp
 
# NTP: Allow external computers to connect to the Linux server ITSELF for
# NTP (time) updates
#
# Disabled by default.
#/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP ntp
 
# TELNET: Allow external computers to connect to the Linux server ITSELF for
# TELNET access.
#
# Disabled by default.
#/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP telnet
 
# SSH server: Allow external computers to connect to the Linux server ITSELF
# for SSH access.
#
# Disabled by default.
#/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP ssh
 
# Incoming Traffic on all Interfaces
#--------------------------------------------------------------------
# This will control input traffic for all interfaces. This is
# usually used for what could be considered as public services.
#--------------------------------------------------------------------

logger Setting input filters for public services all interfaces
 
# AUTH: Allow the authentication protocol, ident, to function on all
# interfaces but disable it in /etc/inetd.conf. The reason to
# allow this traffic in but block it via Inetd is because some
# legacy TCP/IP stacks don't deal with REJECTed "auth" requests
# properly.
#
/sbin/ipchains -A input -j ACCEPT -p tcp -s $UNIVERSE -d $UNIVERSE auth
 
logger BOOTP/DHCP: Reject all stray bootp traffic.
#
# Enabled here.
/sbin/ipchains -A input -j REJECT -p udp -s $UNIVERSE bootpc
 
# DNS: If you are running an authoritative DNS server, you must open
# up the DNS ports on all interfaces to allow lookups. If you are
# running a caching DNS server, you will need to at least open the DNS
# ports to internal interfaces.
#
# It is recommend to secure DNS by restricting zone transfers and split
# DNS servers as documented in Step 4.
#
# Disabled by default.
 
#/sbin/ipchains -A input -j ACCEPT -p tcp -s $UNIVERSE -d $UNIVERSE domain
#/sbin/ipchains -A input -j ACCEPT -p udp -s $UNIVERSE -d $UNIVERSE domain
 
logger RIP: Reject all stray RIP traffic. Many improperly configured
# networks propagate network routing protocols to the edge of the
# network. The following line lets you explicitly filter it here
# without logging to SYSLOG.
#
# Disabled by default.
/sbin/ipchains -A input -j REJECT -p udp -s $UNIVERSE -d $UNIVERSE route
 
# SAMBA: Reject all stray SAMBA traffic. Many networks propagate the
# chatty SMB network protocols to the edge of the network. The
# following line lets you explicitly filter it here without
# logging to SYSLOG.
#
# Disabled by default.
#/sbin/ipchains -A input -j REJECT -p udp -s $UNIVERSE -d $UNIVERSE netbios-ns
#/sbin/ipchains -A input -j REJECT -p udp -s $UNIVERSE -d $UNIVERSE netbios-dgm
#/sbin/ipchains -A input -j REJECT -p udp -s $UNIVERSE -d $UNIVERSE netbios-ssn
 
 
# SMTP: If this server is an authoritative SMTP email server, you must
# allow SMTP traffic to all interfaces.
#
# Disabled by default.
#/sbin/ipchains -A input -j ACCEPT -p tcp -s $UNIVERSE -d $EXTIP smtp
 
#--------------------------------------------------------------------
# Explicit INPUT Access from external LAN Hosts
#--------------------------------------------------------------------
# This controls external access from specific external hosts (secure hosts).
# This example permits FTP, FTP-DATA, SSH, POP-3 and TELNET traffic from a
# secure host INTO the firewall. In addition to these input rules, we must also
# explicitly allow the traffic from the remote host to get out. See the rules
# in the output section for more details
#
# Disabled as default.
#--------------------------------------------------------------------
logger - Setting input filters for explicit external hosts
 
# The secure host
#
#/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST -d $EXTIP ftp
#/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST -d $EXTIP ftp-data
#/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST -d $EXTIP ssh
#/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST -d $EXTIP pop-3
#/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST -d $EXTIP telnet
#/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST2 -d $EXTIP telnet
#/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST2 -d $EXTIP ftp
#/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST2 -d $EXTIP ftp-data
 
#--------------------------------------------------------------------
# Port Forwarding
#--------------------------------------------------------------------
# Port forwarding allows external traffic to directly connect to an INTERNAL
# Masq'ed machine. An example need for port forwarding is the need for external
# users to directly contact a WWW server behind the MASQ server.
#
# NOTE: Port forwarding is well beyond the scope of this documentation to
# explain the security issues implied in opening up access like this.
# Please see Appendix A to read the IP-MASQ-HOWTO for a full explanation.
#
# Do not use ports greater than 1023 for redirection ports.
#
# Disabled by default.
#--------------------------------------------------------------------
#echo " * Enabling Port Forwarding onto internal hosts."
#/usr/sbin/ipmasqadm portfw -f
#echo " * Forwarding SSH traffic on port 26 to $PORTFWIP"
#/usr/sbin/ipmasqadm portfw -a -P tcp -L $EXTIP 26 -R $PORTFWIP 22
 
# HIGH PORTS:
#
# Enable all high unprivileged ports for all reply TCP/UDP traffic
#
# NOTE: The use of the "! -y" flag filters TCP traffic that doesn't have the
# SYN bit set. In other words, this means that any traffic that is
# trying to initiate traffic to your server on a HIGH port will be
# rejected.
#
# The only HIGH port traffic that will be accepted is either return
# traffic that the server originally initiated or UDP-based traffic.
#
# NOTE2: Please note that port 20 for ACTIVE FTP sessions should NOT use
# SYN filtering. Because of this, we must specifically allow it in.
#
logger Enabling all input REPLY TCP/UDP traffic on high ports
/sbin/ipchains -A input -j ACCEPT ! -y -p tcp -s $UNIVERSE -d $EXTIP $UNPRIVPORTS
/sbin/ipchains -A input -j ACCEPT -p tcp -s $UNIVERSE ftp-data -d $EXTIP $UNPRIVPORTS
/sbin/ipchains -A input -j ACCEPT -p udp -s $UNIVERSE -d $EXTIP $UNPRIVPORTS
 
 
#--------------------------------------------------------------------
# Catch All INPUT Rule
#--------------------------------------------------------------------
#
logger Final input catch all rule
 
# All other incoming is denied and logged.
/sbin/ipchains -A input -j REJECT -s $UNIVERSE -d $UNIVERSE $LOGGING
 
 
 
 
#********************************************************************
# Output Rules
#********************************************************************
echo "----------------------------------------------------------------------"
logger 2 Output Rules:
 
#--------------------------------------------------------------------
# Outgoing Traffic on the Internal LAN
#--------------------------------------------------------------------
# This ruleset provides policies for traffic that is going out on the internal
# LAN.
#
# In this example, all traffic is allowed out. Therefore there is no
# requirement to implement individual filters. However, as with the input
# section above, examples are given for demonstrative purposes. It is also
# noted that the same rules, outlined above, apply regarding the order of the
# filtering rules.
#--------------------------------------------------------------------
echo " - Setting output filters for traffic on the internal LAN."
 
# Local interface, any source going to local net is valid.
/sbin/ipchains -A output -j ACCEPT -i $INTIF -s $UNIVERSE -d $INTLAN
 
# Loopback interface is valid.
/sbin/ipchains -A output -j ACCEPT -i $LOOPBACKIF -s $UNIVERSE -d $UNIVERSE
 
# DHCP: If you have configured a DHCP server on this Linux machine, you
# will need to enable the following ruleset.
#
# Disabled by default.
#/sbin/ipchains -A output -j ACCEPT -i $INTIF -p udp -s $INTIP/32 bootps -d $BROADCAST/0 bootpc
#/sbin/ipchains -A output -j ACCEPT -i $INTIF -p tcp -s $INTIP/32 bootps -d $BROADCAST/0 bootpc
 
logger HTTP The following is an example of how to allow HTTP traffic to an
# intranet WWW server without allowing access from the external
# network.
#
# Disabled by default.
/sbin/ipchains -A output -j ACCEPT -i $INTIF -p tcp -s $INTIP/32 http -d $INTLAN
 
 
#--------------------------------------------------------------------
# Explicit Output from Internal LAN Hosts
#--------------------------------------------------------------------
# The following rulesets only allow SPECIFIC hosts on the internal LAN to
# access services on this firewall server itself. Many people might feel that
# this is extreme but many system attacks occur from the INTERNAL network as
# well.
#
# Examples given allow access via FTP, FTP-DATA, SSH, and TELNET.
#
# In order for this ruleset to work, you must first comment out the line above
# that provides full access to the internal LAN by all internal hosts.
#
# Disabled by default.
#--------------------------------------------------------------------
#echo " - Setting output filters for specific internal hosts."
 
# First host
#/sbin/ipchains -A output -j ACCEPT -i $INTIF -p tcp -s $HOST1IP -d $INTIP ftp
#/sbin/ipchains -A output -j ACCEPT -i $INTIF -p tcp -s $HOST1IP -d $INTIP ftp-data
#/sbin/ipchains -A output -j ACCEPT -i $INTIF -p tcp -s $HOST1IP -d $INTIP ssh
#/sbin/ipchains -A output -j ACCEPT -i $INTIF -p tcp -s $HOST1IP -d $INTIP telnet
 
# Second host
#/sbin/ipchains -A output -j ACCEPT -i $INTIF -p tcp -s $HOST2IP -d $INTIP ftp
#/sbin/ipchains -A output -j ACCEPT -i $INTIF -p tcp -s $HOST2IP -d $INTIP ftp-data
#/sbin/ipchains -A output -j ACCEPT -i $INTIF -p tcp -s $HOST2IP -d $INTIP ssh
#/sbin/ipchains -A output -j ACCEPT -i $INTIF -p tcp -s $HOST2IP -d $INTIP telnet
 
#--------------------------------------------------------------------
# Outgoing Traffic on the External Interface
#--------------------------------------------------------------------
# This ruleset will control what traffic can go out on the external interface.
#--------------------------------------------------------------------
logger 3 setting input filters for traffic to the external interface
 
 
# Reject outgoing traffic to the local net from the remote interface,
# stuffed routing; deny & log
/sbin/ipchains -A output -j REJECT -i $EXTIF -s $UNIVERSE -d $INTLAN $LOGGING
 
# Reject outgoing traffic from the local net from the external interface,
# stuffed masquerading, deny and log
/sbin/ipchains -A output -j REJECT -i $EXTIF -s $INTLAN -d $UNIVERSE $LOGGING
 
#DHCP Client: If your Linux server is connected via DSL or a Cablemodem
# connection and you get dynamic DHCP addresses, you will need to
# enable the following rulesets.
#
# Enabled by default.
/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $UNIVERSE bootpc -d $UNIVERSE bootps
/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p udp -s $UNIVERSE bootpc -d $UNIVERSE bootps
 
# FTP: Allow FTP traffic (the Linux server is a FTP server)
#
# Disabled by default.
#/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP ftp -d $UNIVERSE
#/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP ftp-data -d $UNIVERSE
 
# HTTP: Allow HTTP traffic (the Linux server is a WWW server)
#
# Disabled by default
#/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP http -d $UNIVERSE
 
# NTP: Allow NTP updates (the Linux server is a NTP server)
# Disabled by default
#/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP ntp -d $UNIVERSE
 
# TELNET: Allow telnet traffic (the Linux server is a TELNET server)
#
# Disabled by default
#/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP telnet -d $UNIVERSE
 
# SSH server: Allow outgoing SSH traffic (the Linux server is a SSH server)
#
# Disabled by default
#/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP ssh -d $UNIVERSE
 
 
#--------------------------------------------------------------------
# Outgoing Traffic on all Interfaces
#--------------------------------------------------------------------
# This will control output traffic for all interfaces. This is
# usually used for what could be considered as public services. It
# is noted that we provide a few rejection rulesets as examples but
# these are not required due to the overall REJECT statement above.
#--------------------------------------------------------------------
logger Setting output filters for public services on all interfaces
 
# AUTH: Allow the authentication protocol, ident, out on all interfaces (but
# disable it in /etc/inetd.conf).
#
/sbin/ipchains -A output -j ACCEPT -p tcp -s $UNIVERSE auth -d $UNIVERSE
 
# DNS: If your Linux server is an authoritative DNS server, you must
# enable this ruleset
#
# Disabled by default
#/sbin/ipchains -A output -j ACCEPT -p tcp -s $EXTIP domain -d $UNIVERSE
#/sbin/ipchains -A output -j ACCEPT -p udp -s $EXTIP domain -d $UNIVERSE
 
# ICMP: Allow ICMP traffic out
#
# NOTE: Disabling ICMP packets via the firewall ruleset can do far
# more than just stop people from pinging your machine. Many aspects
# of TCP/IP and its associated applications rely on various ICMP
# messages. Without ICMP, both your Linux server and internal Masq'ed
# computers might not work.
#
/sbin/ipchains -A output -j ACCEPT -p icmp -s $UNIVERSE -d $UNIVERSE
 
# NNTP: This allows NNTP-based news out.
#
/sbin/ipchains -A output -j ACCEPT -p tcp -s $EXTIP nntp -d $UNIVERSE
 
# SMTP: If the Linux server is either an authoritative SMTP server or
# relay, you must allow this ruleset.
#
/sbin/ipchains -A output -j ACCEPT -p tcp -s $EXTIP smtp -d $UNIVERSE
 
#--------------------------------------------------------------------
# Specific Output Rejections
#--------------------------------------------------------------------
# These rulesets reject specific traffic that you do not want out of
# the system.
#--------------------------------------------------------------------
logger Reject specific outputs
 
# RPC.
#
/sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP -d $UNIVERSE sunrpc $LOGGING
/sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP sunrpc -d $UNIVERSE $LOGGING
 
# Mountd.
#
/sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP -d $UNIVERSE 635 $LOGGING
/sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP 635 -d $UNIVERSE $LOGGING
 
# PPTP.
#
/sbin/ipchains -A output -j REJECT -i $EXTIF -p tcp -s $EXTIP -d $UNIVERSE 1723 $LOGGING
/sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP -d $UNIVERSE 1723 $LOGGING
 
# Remote Winsock.
#
/sbin/ipchains -A output -j REJECT -i $EXTIF -p tcp -s $EXTIP -d $UNIVERSE 1745 $LOGGING
/sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP -d $UNIVERSE 1745 $LOGGING
 
# NFS.
#
/sbin/ipchains -A output -j REJECT -i $EXTIF -p tcp -s $EXTIP -d $UNIVERSE 2049 $LOGGING
/sbin/ipchains -A output -j REJECT -i $EXTIF -p tcp -s $EXTIP 2049 -d $UNIVERSE $LOGGING
/sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP -d $UNIVERSE 2049 $LOGGING
/sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP 2049 -d $UNIVERSE $LOGGING
 
# PcAnywhere.
#
/sbin/ipchains -A output -j REJECT -i $EXTIF -p tcp -s $EXTIP -d $UNIVERSE 5631 $LOGGING
/sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP -d $UNIVERSE 5631 $LOGGING
/sbin/ipchains -A output -j REJECT -i $EXTIF -p tcp -s $EXTIP -d $UNIVERSE 5632 $LOGGING
/sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP -d $UNIVERSE 5632 $LOGGING
 
# Xwindows.
#
# NOTE: See variable section above for the example range (6000:6007 by default)
# Xwindows can use far more than just ports 6000-6007.
#
/sbin/ipchains -A output -j REJECT -i $EXTIF -p tcp -s $EXTIP -d $UNIVERSE $XWINDOWS_PORTS $LOGGING
/sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP -d $UNIVERSE $XWINDOWS_PORTS $LOGGING
 
# NetBus.
/sbin/ipchains -A output -j REJECT -i $EXTIF -p tcp -s $EXTIP -d $UNIVERSE 12345 $LOGGING
/sbin/ipchains -A output -j REJECT -i $EXTIF -p tcp -s $EXTIP -d $UNIVERSE 12346 $LOGGING
 
# NetBus Pro.
/sbin/ipchains -A output -j REJECT -i $EXTIF -p tcp -s $EXTIP -d $UNIVERSE/0 20034 $LOGGING
 
# BackOrifice
/sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP -d $UNIVERSE/0 31337 $LOGGING
 
# Win Crash Trojan.
/sbin/ipchains -A output -j REJECT -i $EXTIF -p tcp -s $EXTIP -d $UNIVERSE/0 5742 $LOGGING
 
# Socket De Troye.
/sbin/ipchains -A output -j REJECT -i $EXTIF -p tcp -s $EXTIP -d $UNIVERSE/0 30303 $LOGGING
 
# Unknown Trojan Horse (Master's Paradise [CHR])
/sbin/ipchains -A output -j REJECT -i $EXTIF -p tcp -s $EXTIP -d $UNIVERSE/0 40421 $LOGGING
 
#--------------------------------------------------------------------
# Output to Explicit Hosts
#--------------------------------------------------------------------
# This controls output to specific external hosts (secure hosts). This example
# implementation allows ssh and pop-3 protocols out to the secure host. In
# addition to these rules, we must also explicitly allow the traffic in from
# the remote host. See the input rules above to see this take place.
#
# Disabled by default.
#--------------------------------------------------------------------
echo " - Setting output filters for explicit external hosts."
 
 
 
# The secure host
#
#/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP ftp -d $SECUREHOST $UNPRIVPORTS
#/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP ftp-data -d $SECUREHOST $UNPRIVPORTS
#/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP ssh -d $SECUREHOST $UNPRIVPORTS
#/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP pop-3 -d $SECUREHOST $UNPRIVPORTS
#/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP telnet -d $SECUREHOST $UNPRIVPORTS
#/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP telnet -d $SECUREHOST2 $UNPRIVPORTS
#/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP ftp -d $SECUREHOST2 $UNPRIVPORTS
#/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP ftp-data -d $SECUREHOST2 $UNPRIVPORTS
 
 
logger Allow all High Ports for return traffic.
#
echo " - Enabling all output REPLY (TCP/UDP) traffic on high ports."
/sbin/ipchains -A output -j ACCEPT -p tcp -s $EXTIP $UNPRIVPORTS -d $UNIVERSE
/sbin/ipchains -A output -j ACCEPT -p udp -s $EXTIP $UNPRIVPORTS -d $UNIVERSE
 
 
#--------------------------------------------------------------------
# Catch All Rule
#--------------------------------------------------------------------
logger - Final output catch all rule.
 
# All other outgoing is denied and logged. This ruleset should catch
# everything including samba that hasn't already been blocked.
#
/sbin/ipchains -A output -j REJECT -s $UNIVERSE -d $UNIVERSE $LOGGING
 
 
#********************************************************************
# Forwarding Rules
#********************************************************************
#
echo "----------------------------------------------------------------------"
logger Forwarding Rules:
 
#--------------------------------------------------------------------
# Enable TCP/IP forwarding and masquerading from the Internal LAN
#--------------------------------------------------------------------
 
# Diald Users:
#
# You need this rule to allow the sl0 SLIP interface to receive
# traffic to then bring the interface up.
#
# Disabled by default
#
#/sbin/ipchains -A forward -j MASQ -i sl0 -s $INTLAN/24 -d $UNIVERSE/0
 
 
#--------------------------------------------------------------------
# Enable TCP/IP forwarding and masquerading from the Internal LAN
#--------------------------------------------------------------------
 
# Turn on IP Forwarding in the Linux kernel
#
# There are TWO methods of turning on this feature. The first method is the
# Red Hat way. Edit the /etc/sysconfig/network file and change the
# "FORWARD_IPV4" line to say:
#
# FORWARD_IPV4=true
#
# The second method is shown below and can be executed at any time while the
# system is running.
logger disable ip forward because it already runs
#echo " - Enabling IP forwarding."
#echo "1" > /proc/sys/net/ipv4/ip_forward
 
 
# Masquerade from local net on local interface to anywhere.
#
echo " - Enable IP Masquerading from the internal LAN."
/sbin/ipchains -A forward -j MASQ -i $EXTIF -s $INTLAN -d $UNIVERSE
 
# Catch all rule, all other forwarding is denied.
#
/sbin/ipchains -A forward -j REJECT -s $UNIVERSE -d $UNIVERSE $LOGGING
 
#********************************************************************
# The end
#********************************************************************
echo "----------------------------------------------------------------------"
logger Firewall implemented end of firewallbigup.
 
 
=========================================================================
=========================================================================
=========================================================================

do "chmod 700 /etc/rc.d/rc.firewallbigup"

When a link is started from pppd to the modem you should see the logger messages in /var/log/messages.

Every time the firewall filters something out, this will be reported there.
 
At last you can sit at your fireplace and rest safely....


But... you should really also update your kernel, since version 2.10 is not safe and it is the one that comes with Caldera. See:
http://www.ecst.csuchico.edu/~dranch/LINUX/TrinityOS.wri

How to do that? I will try to find out for myself....

A good place to start is howto.tucows.com and http://www.Calderasystems.com/support/resources/
 
What you should also do is check other things about security. You should at least disable telnet, ftp and http, use hosts.allow and so on. See TrinityOS for all this. If you don't do this a hacker will find you.

EXTRAS: very handy.
VI
Automatic and transparent logging.

This comes from :
TrinityOS(TM)(c) http://www.ecst.csuchico.edu/~dranch/LINUX/TrinityOS.wri
Written, Maintained, and Copyrighted by
David A. Ranch (dranch@trinnet.net)

I copied it and added some changes:

It is very relaxing, because you see all the logger lines on your terminal, and also when the firewall refuses traffic. This is especially helpful when you are debugging.


        - Like the real-time log monitor above, it's nice to be able to see errors
          in real time whenever you suspect problems via a TELNET, SSH, etc. To do
          this, create the file with the following:
        
                        /usr/local/sbin/logit
                        --
#!/bin/sh
tail -f /var/log/samba.d/smb.nmb &
tail -f /var/log/samba.d/smb.smb &
tail -f /var/log/secure &
tail -f /var/log/messages &
                        --

                      Close the file and then fix its permissions with "chmod 700 /usr/local/sbin/logit".

If you do not use samba you can cut out those lines above and below.

          Now, whenever you are suspecting problems with ANYTHING on your Linux box,
          just run "/root/logit" and watch the error logs go by in real-time. I
          recommend to type in "clear" at the UNIX prompt now and then to clean the
          screen up for readability's sake. When you are done with "logit", run the command
          "killall tail" to stop all the logging. The problem with this "killall" is it
           kills the TTY logging. To fix this, I recommend using the "recycle" script:

                /usr/local/sbin/recycle
                --
                #!/bin/sh
                echo Killing all existing tails from logit, etc
                killall tail
                --

                Close the file and then fix its permissions with "chmod 700 /usr/local/sbin/recycle".

Now you must also create /var/log/secure if it does not exist yet. You can also change /etc/syslog.conf if you want. At least have a look at it. You can manage what gets logged, and where. A good way to see if all permissions are ok is also to log in as a normal user and try to view and write to these files.
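Both the note above that every packet the firewall filters out is reported in /var/log/messages and the logit script that tails that file call for a way to read those entries without staring at the raw stream. The following is an added example, not part of this NHF or of TrinityOS: it summarises the "Packet log:" lines that the -l ($LOGGING) rules write, run here on a constructed sample; the hostnames, addresses and rule numbers are made up and the function names are my own.

```shell
#!/bin/sh
# Added example: summarise ipchains "Packet log:" entries from
# /var/log/messages. Needs only sh, awk and sort.

# Constructed sample of /var/log/messages (hosts, addresses and rule
# numbers are made up; the line layout is the 2.2 kernel ipchains format).
SAMPLE_LOG='Feb  2 10:01:06 gateway kernel: Packet log: input REJECT ppp0 PROTO=6 203.0.113.7:3122 198.51.100.20:23 L=60 S=0x00 I=4321 F=0x4000 T=52 SYN (#41)
Feb  2 10:01:09 gateway kernel: Packet log: input REJECT ppp0 PROTO=6 203.0.113.7:3123 198.51.100.20:22 L=60 S=0x00 I=4322 F=0x4000 T=52 SYN (#41)
Feb  2 10:01:12 gateway kernel: Packet log: input REJECT ppp0 PROTO=17 203.0.113.9:1025 198.51.100.20:137 L=78 S=0x00 I=900 F=0x0000 T=110 (#41)
Feb  2 10:02:30 gateway kernel: Packet log: output REJECT ppp0 PROTO=17 192.168.1.10:138 192.168.1.255:138 L=229 S=0x00 I=56 F=0x0000 T=128 (#60)
Feb  2 10:03:00 gateway kernel: Packet log: input REJECT ppp0 PROTO=6 203.0.113.7:3124 198.51.100.20:23 L=60 S=0x00 I=4323 F=0x4000 T=52 SYN (#41)
Feb  2 10:05:00 gateway pppd[312]: local  IP address 198.51.100.20'

# Turn each logged packet into one record:
#   chain action iface proto src_ip src_port dst_ip dst_port flags
# Other syslog lines (pppd, the logger calls in the script, ...) are dropped.
ipchains_records() {
    awk '
    BEGIN { pn[1] = "icmp"; pn[6] = "tcp"; pn[17] = "udp" }
    /Packet log:/ {
        for (i = 1; i <= NF; i++) if ($i == "log:") break
        p = substr($(i+4), 7)                 # strip "PROTO="
        proto = (p in pn) ? pn[p] : p
        split($(i+5), s, ":"); split($(i+6), d, ":")
        flags = ($(NF-1) == "SYN") ? "SYN" : "-"
        print $(i+1), $(i+2), $(i+3), proto, s[1], s[2], d[1], d[2], flags
    }'
}

# Rejected packets per (chain, source IP), busiest source first. One
# source hitting several closed ports in a row is the pattern to look at.
rejects_by_source() {
    ipchains_records |
        awk '$2 == "REJECT" { n[$1 " " $5]++ } END { for (k in n) print n[k], k }' |
        sort -rn
}

# Rejected inbound packets per (proto, destination port), busiest first.
input_rejects_by_port() {
    ipchains_records |
        awk '$1 == "input" && $2 == "REJECT" { n[$4 " " $8]++ } END { for (k in n) print n[k], k }' |
        sort -rn
}

# On the gateway itself this would be fed from the live log:
#   tail -f /var/log/messages | ipchains_records
printf '%s\n' "$SAMPLE_LOG" | rejects_by_source
```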

VII

To fix the Caldera bug about ip-compress errors in your log when a line comes up:
  edit /etc/modules.conf
  and include these lines at the bottom of the file:

  alias ppp-compress-21 bsd_comp
  alias ppp-compress-24 ppp_deflate
  alias ppp-compress-26 ppp_defl