#!/bin/sh
#
# firewall This script sets up firewall rules.
#
# chkconfig: 2345 09 91
# description: Sets up or removes firewall rules.
#
# Firewall rules for a firewall between a private internal network and the
# Internet.
#
# Copyright (C) 2000 Roaring Penguin Software Inc. This software may
# be distributed under the terms of the GNU General Public License, version
# 2 or any later version.
# Interface to Internet
EXTIF=ppp+
# Internal network address. For stand-alone machines, delete this and
# all the "forward" rules.
INTERNAL=192.168.2.0/24
# Wildcard address
ANY=0.0.0.0/0
# Source function library. THIS WORKS ONLY ON RED HAT-LIKE SYSTEMS.
. /etc/rc.d/init.d/functions
### For details, see the man page ipchains(1) and
### /usr/doc/HOWTO/IPCHAINS-HOWTO -- David.
case "$1" in
start)
echo -n "Setting up firewall rules"
# Turn on forwarding to silence warnings...
echo 1 > /proc/sys/net/ipv4/ip_forward
# Set default policies; clear all rules
ipchains -P input ACCEPT
ipchains -P output ACCEPT
ipchains -P forward DENY
ipchains -F forward
ipchains -F input
ipchains -F output
### Spoof protection: Drop obviously suspect packets ###
# Drop packets claiming to be from unroutable addresses
ipchains -A input -l -s 10.0.0.0/8 -i $EXTIF -j DENY
ipchains -A input -l -s 172.16.0.0/12 -i $EXTIF -j DENY
ipchains -A input -l -s 192.168.0.0/16 -i $EXTIF -j DENY
# Drop packets wanting to go to unroutable addresses
ipchains -A input -l -d 10.0.0.0/8 -i $EXTIF -j DENY
ipchains -A input -l -d 172.16.0.0/12 -i $EXTIF -j DENY
ipchains -A input -l -d 192.168.0.0/16 -i $EXTIF -j DENY
### External access to services on this machine ###
# Reject identd packets without logging
ipchains -A input -i $EXTIF -p tcp -d $ANY 113 -j REJECT
# Allow access to sendmail -- log connection attempts
#ipchains -A input -l -i $EXTIF -p tcp -d $ANY 25 -y -j ACCEPT
#ipchains -A input -i $EXTIF -p tcp -d $ANY 25 -j ACCEPT
# Allow access to ssh -- we run ssh on port 23 because of
# a stupid client firewall at one place we work.
#ipchains -A input -l -i $EXTIF -p tcp -d $ANY 23 -y -j ACCEPT
#ipchains -A input -i $EXTIF -p tcp -d $ANY 23 -j ACCEPT
# Deny all other TCP connection attempts on the external interface
ipchains -A input -l -i $EXTIF -p tcp -y -j DENY
# Deny TCP and UDP packets to privileged ports
ipchains -A input -l -i $EXTIF -d $ANY 0:1023 -p udp -j DENY
ipchains -A input -l -i $EXTIF -d $ANY 0:1023 -p tcp -j DENY
### FORWARD rules only apply if you have an internal LAN gatewaying
### through this computer.
# Allow DNS queries
ipchains -A forward -s $INTERNAL 1024: -d $ANY 53 -p udp -j MASQ
# Allow internal users to browse web (http and https)
ipchains -A forward -s $INTERNAL 1024: -d $ANY 80 -p tcp -b -j MASQ
ipchains -A forward -s $INTERNAL 1024: -d $ANY 443 -p tcp -b -j MASQ
# Allow internal users to read news
ipchains -A forward -s $INTERNAL 1024: -d $ANY 119 -p tcp -b -j MASQ
# Allow internal users to access POP and IMAP services on mail server
ipchains -A forward -s $INTERNAL 1024: -d $ANY 25 -p tcp -b -j MASQ
ipchains -A forward -s $INTERNAL 1024: -d $ANY 110 -p tcp -b -j MASQ
ipchains -A forward -s $INTERNAL 1024: -d $ANY 143 -p tcp -b -j MASQ
# Allow internal users to access external FTP servers
ipchains -A forward -s $INTERNAL 1024: -d $ANY 21 -p tcp -b -j MASQ
# Allow internal users to access external Telnet and SSH servers
ipchains -A forward -s $INTERNAL 1024: -d $ANY 22 -p tcp -b -j MASQ
ipchains -A forward -s $INTERNAL 1024: -d $ANY 23 -p tcp -b -j MASQ
# Allow unprivileged ports --> unprivileged ports for passive FTP
ipchains -A forward -s $INTERNAL 1024: -d $ANY 1024: -p tcp -b -j MASQ
# A catch-all rule for logging purposes
ipchains -A forward -s $ANY -d $ANY -l -j DENY
# Turn on forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
echo_success
echo ""
;;
stop)
echo -n "Shutting down firewall rules"
# Turn off forwarding
echo 0 > /proc/sys/net/ipv4/ip_forward
# Set default policies; clear all rules
ipchains -P input ACCEPT
ipchains -P output ACCEPT
ipchains -P forward DENY
ipchains -F forward
ipchains -F input
ipchains -F output
echo_success
echo ""
;;
*)
echo "Usage: firewall {start|stop}"
exit 1
esac
exit 0