<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN"> <HTML> <HEAD> <META NAME="GENERATOR" CONTENT="SGML-Tools 1.0.9"> <TITLE>The Linux Cipe+Masquerading mini-HOWTO: Example masquerading firewall scripts</TITLE> <LINK HREF="Cipe+Masq-8.html" REL=next> <LINK HREF="Cipe+Masq-6.html" REL=previous> <LINK HREF="Cipe+Masq.html#toc7" REL=contents> </HEAD> <BODY> <A HREF="Cipe+Masq-8.html">Next</A> <A HREF="Cipe+Masq-6.html">Previous</A> <A HREF="Cipe+Masq.html#toc7">Contents</A> <HR> <H2><A NAME="s7">7. Example masquerading firewall scripts</A></H2> <H2><A NAME="ss7.1">7.1 Kernel 2.0, ipfwadm</A> </H2> <P> <BLOCKQUOTE><CODE> <HR> <PRE> #!/bin/sh #04/04/1999 #example rc.firewall script for the 2.0 kernels using ipfwadm #I cant take full credit for this script. I had found it a few #years ago and made slight modifications. #Send questions or comments to acj@home.com. #--------------------------------------------------------------------- #Variables #--------------------------------------------------------------------- #local ethernet interface localip= localif=eth0 #static ethernet interface staticip= staticif=eth1 PATH="/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin" #--------------------------------------------------------------------- #Incoming Firewall Policies #--------------------------------------------------------------------- #flush incoming firewall policies /sbin/ipfwadm -I -f #set incoming firewall policy default to deny /sbin/ipfwadm -I -p deny #--------------------------------------------------------------------- #local interface, local machines, going anywhere is valid /sbin/ipfwadm -I -a accept -V $localip -S $localip/24 -D 0.0.0.0/0 #remote interface, claiming to be local machines (IP spoofing) deny and log /sbin/ipfwadm -I -a deny -V $staticip -S $localip/24 -D 0.0.0.0/0 -o #remote interface, any source, going to staticip address is valid /sbin/ipfwadm -I -a accept -V $staticip -S 0.0.0.0/0 -D $staticip/32 #loopback interface is valid /sbin/ipfwadm -I -a accept -V 127.0.0.1 -S 0.0.0.0/0 -D 0.0.0.0/0 #all other incoming is denied and logged /sbin/ipfwadm -I -a deny -S 0.0.0.0/0 -D 0.0.0.0/0 -o #--------------------------------------------------------------------- #Outgoing Firewall Policies #--------------------------------------------------------------------- #flush outgoing firewall policies /sbin/ipfwadm -O -f #set outgoing firewall policy default to deny /sbin/ipfwadm -O -p deny #--------------------------------------------------------------------- #local interface, any source going to local net is valid /sbin/ipfwadm -O -a accept -V $localip -S 0.0.0.0/0 -D $localip/24 #outgoing to localnet on static interface, stuffed routing, deny /sbin/ipfwadm -O -a deny -V $staticip -S 0.0.0.0/0 -D $localip/24 -o #outgoing from localnet on static interface, stuffed masquerading, deny /sbin/ipfwadm -O -a deny -V $staticip -S $localip/24 -D 0.0.0.0/0 -o #outgoing to localnet on static interface, stuffed masquerading, deny /sbin/ipfwadm -O -a deny -V $staticip -S 0.0.0.0/0 -D $localip/24 -o #anything else outgoing on remote interface is valid /sbin/ipfwadm -O -a accept -V $staticip -S $staticip/32 -D 0.0.0.0/0 #loopback interface is valid /sbin/ipfwadm -O -a accept -V 127.0.0.1 -S 0.0.0.0/0 -D 0.0.0.0/0 #all other outgoing is denied and logged /sbin/ipfwadm -O -a deny -S 0.0.0.0/0 -D 0.0.0.0/0 -o #-------------------------------------------------------------------------- #Forwarding firewall policies #-------------------------------------------------------------------------- #flush forwarding policies /sbin/ipfwadm -F -f #set forwarding policy default to deny /sbin/ipfwadm -F -p deny #masquerade from localnet on local interface to anywhere /sbin/ipfwadm -F -a masquerade -W $staticif -S $localip/24 -D 0.0.0.0/0 #all other forwarding is denied /sbin/ipfwadm -F -a deny -S 0.0.0.0/0 -D 0.0.0.0/0 exit 0 </PRE> <HR> </CODE></BLOCKQUOTE> <P> <H2><A NAME="ss7.2">7.2 Kernel 2.1/2.2, ipchains</A> </H2> <P> <BLOCKQUOTE><CODE> <HR> <PRE> #!/bin/sh #04/04/1999 #example rc.firewall script for the newer 2.1/2.2 kernels using ipchains #that creates user defined chains for each interface. There are firewall #rules for spoofing protection which may be unnecessary since the newer #kernels can have kernel spoofing protection enabled. You might say it's #super paranoid checking. #Send questions or comments to acj@home.com. #--------------------------------------------------------------------- #Variables #--------------------------------------------------------------------- #local ethernet interface localip= localif=eth0 #static ethernet interface staticip= staticif=eth1 #loopback interface loopback=lo PATH="/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin" #--------------------------------------------------------------------- #Flush built-in input, output, and forward ipchains; set default policy #Good policy to deny all packets especially while setting up chains #--------------------------------------------------------------------- #set incoming firewall policy default to deny ipchains -P input DENY #flush incoming firewall policies ipchains -F input #--------------------------------------------------------------------- #set outgoing firewall policy default to deny ipchains -P output DENY #flush outgoing firewall policies ipchains -F output #--------------------------------------------------------------------- #set forwarding firewall policy default to deny ipchains -P forward DENY #flush forwarding firewall policies ipchains -F forward #--------------------------------------------------------------------- #flush all policies -redundant for main policies, but also flushes user #defined policies #ipchains -F #remove all user defined policies - you may or may not want to enable this #ipchains -X #--------------------------------------------------------------------- #Incoming Firewall Policies #--------------------------------------------------------------------- #create new input chain for static ethernet interface ipchains -N $staticif"-i" #flush all rules in chain (sanity flush) ipchains -F $staticif"-i" #block incoming tcp SYN packets to all ports on staticif and log #this may be a little harsh but its a nice feature #ipchains -A $staticif"-i" -j DENY -p tcp -y -i $staticif -s 0/0 \ #-d $staticip : -l #remote interface, claiming to be local machines (IP spoofing) deny and log ipchains -A $staticif"-i" -j DENY -i $staticif -s $localip/16 -d 0/0 -l #remote interface, any source, going to staticip address is valid ipchains -A $staticif"-i" -j ACCEPT -i $staticif -s 0/0 -d $staticip/32 #all other incoming is denied and logged ipchains -A $staticif"-i" -j DENY -s 0/0 -d 0/0 -l #--------------------------------------------------------------------- #create new input chain for local ethernet interface ipchains -N $localif"-i" #flush all rules in chain (sanity flush) ipchains -F $localif"-i" #local interface, local machines, going anywhere is valid ipchains -A $localif"-i" -j ACCEPT -i $localif -s $localip/24 -d 0/0 #all other incoming is denied and logged ipchains -A $localif"-i" -j DENY -s 0/0 -d 0/0 -l #--------------------------------------------------------------------- #create new input chain for loopback interface ipchains -N $loopback"-i" #flush all rules in chain (sanity flush) ipchains -F $loopback"-i" #loopback interface is valid ipchains -A $loopback"-i" -j ACCEPT -i $loopback -s 0/0 -d 0/0 #all other incoming is denied and logged ipchains -A $loopback"-i" -j DENY -s 0/0 -d 0/0 -l #-------------------------------------------------------------------------- #Forwarding firewall policies #-------------------------------------------------------------------------- #create new forward chain for static ethernet interface ipchains -N $staticif"-f" #flush all rules in chain (sanity flush) ipchains -F $staticif"-f" #masquerade from localnet on static interface to anywhere ipchains -A $staticif"-f" -j MASQ -i $staticif -s $localip/24 -d 0/0 #all other forwarding is denied and logged ipchains -A $staticif"-f" -j DENY -s 0/0 -d 0/0 -l #--------------------------------------------------------------------- #create new forward chain for local ethernet interface ipchains -N $localif"-f" #flush all rules in chain (sanity flush) ipchains -F $localif"-f" #all other forwarding is denied and logged ipchains -A $localif"-f" -j DENY -s 0/0 -d 0/0 -l #--------------------------------------------------------------------- #create new forward chain for loopback interface ipchains -N $loopback"-f" #flush all rules in chain (sanity flush) ipchains -F $loopback"-f" #all other forwarding is denied and logged ipchains -A $loopback"-f" -j DENY -s 0/0 -d 0/0 -l #--------------------------------------------------------------------- #Outgoing Firewall Policies #--------------------------------------------------------------------- #create new output chain for static ethernet interface ipchains -N $staticif"-o" #flush all rules in chain (sanity flush) ipchains -F $staticif"-o" #outgoing to localnet on remote interface(stuffed routing) deny & log ipchains -A $staticif"-o" -j DENY -i $staticif -s 0/0 -d $localip/24 -l #outgoing from local net on remote interface, stuffed masquerading, deny ipchains -A $staticif"-o" -j DENY -i $staticif -s $localip/24 -d 0/0 -l #anything else outgoing on remote interface is valid ipchains -A $staticif"-o" -j ACCEPT -i $staticif -s $staticip/32 -d 0/0 #all other outgoing is denied and logged ipchains -A $staticif"-o" -j DENY -s 0/0 -d 0/0 -l #--------------------------------------------------------------------- #create new output chain for local ethernet interface ipchains -N $localif"-o" #flush all rules in chain (sanity flush) ipchains -F $localif"-o" #local interface, any source going to local net is valid ipchains -A $localif"-o" -j ACCEPT -i $localif -s 0/0 -d $localip/24 #all other outgoing is denied and logged ipchains -A $localif"-o" -j DENY -s 0/0 -d 0/0 -l #--------------------------------------------------------------------- #create new output chain for loopback interface ipchains -N $loopback"-o" #flush all rules in chain (sanity flush) ipchains -F $loopback"-o" #loopback interface is valid ipchains -A $loopback"-o" -j ACCEPT -i $loopback -s 0/0 -d 0/0 #all other outgoing is denied and logged ipchains -A $loopback"-o" -j DENY -s 0/0 -d 0/0 -l #-------------------------------------------------------------------------- #make sure forwarding is enabled in the kernel #-------------------------------------------------------------------------- /bin/echo 1 > /proc/sys/net/ipv4/ip_forward #-------------------------------------------------------------------------- #Add pointers to built-in chains to enable user defined chains #change the order in each chain to optimize filtering for an interface #-------------------------------------------------------------------------- #add local interface input chain ipchains -A input -i $localif -j $localif"-i" #add static interface input chain ipchains -A input -i $staticif -j $staticif"-i" #add loopback interface input chain ipchains -A input -i $loopback -j $loopback"-i" #------------------------------------------------------------------------- #add local interface output chain ipchains -A output -i $localif -j $localif"-o" #add static interface output chain ipchains -A output -i $staticif -j $staticif"-o" #add loopback interface output chain ipchains -A output -i $loopback -j $loopback"-o" #------------------------------------------------------------------------- #add local interface forward chain ipchains -A forward -i $localif -j $localif"-f" #add static interface forward chain ipchains -A forward -i $staticif -j $staticif"-f" #add loopback interface forward chain ipchains -A forward -i $loopback -j $loopback"-f" #--------------------------------------------------------------------- #Super Paranoid check --- even though default policy is set for deny, #block all packets on any interface #--------------------------------------------------------------------- #all other incoming is denied and logged ipchains -A input -j DENY -s 0/0 -d 0/0 -l #all other output is denied and logged ipchains -A output -j DENY -s 0/0 -d 0/0 -l #all other forwarding is denied and logged ipchains -A forward -j DENY -s 0/0 -d 0/0 -l exit 0 </PRE> <HR> </CODE></BLOCKQUOTE> <P> <P> <HR> <A HREF="Cipe+Masq-8.html">Next</A> <A HREF="Cipe+Masq-6.html">Previous</A> <A HREF="Cipe+Masq.html#toc7">Contents</A> </BODY> </HTML>